I recently came across an arbitrary file upload vulnerability in NC. When I tried to reproduce it myself, I could not get it to work no matter what, whether because of the version or my technique, so I analyzed it.

01. Vulnerability analysis

The following analysis and reproduction were all carried out on NC6.3 and NC6.5. The saveDoc.ajax endpoint is known to be the one at fault, so first look at the configuration file under the vulnerable functional module.

<config>
  <action-mappings>
    <action path="/getAllServices.ajax" type="nc.uap.ws.console.action.GetServicesAction" />
    <action path="/login.ajax" type="nc.uap.ws.console.action.LoginAction" />
    <action path="/getBasicInfo.ajax" type="nc.uap.ws.console.action.GetBasicInfoAction" />
    <action path="/getWssInfo.ajax" type="nc.uap.ws.console.action.GetWssInfoAction" />
    <action path="/getKSInfo.ajax" type="nc.uap.ws.console.action.GetKSInfoAction" />
    <action path="/saveDoc.ajax" type="nc.uap.ws.console.action.SaveDocAction" />
    <action path="/loadDoc.ajax" type="nc.uap.ws.console.action.LoadDocAction" />
    <action path="/loadReqTemplete.ajax" type="nc.uap.ws.console.action.GenSoapRequestAction" />
    <action
………………………………