| عنوان | https://www.qiyuesuo.com/ electronic signature platform <=4.34 RCE |
|---|
| الوصف | In this exploit, the attacker used the platform's scheduled task feature to upload custom Java class files and bypassed the Runtime/Process blacklist detection mechanism by concatenating strings and using reflection. Ultimately, the attacker successfully executed system commands on the server side, completing remote command execution (RCE). |
|---|
| المصدر | ⚠️ https://github.com/nn0nkey/nn0nkey/blob/main/QYS/QYS_task.md |
|---|
| المستخدم | nn0nkey (UID 74287) |
|---|
| ارسال | 30/07/2025 10:40 AM (11 أشهر منذ) |
|---|
| الاعتدال | 08/08/2025 10:26 PM (9 days later) |
|---|
| الحالة | مكرر |
|---|
| إدخال VulDB | 319298 [Qiyuesuo Eelectronic Signature Platform حتى 4.34 Scheduled Task /api/code/upload execute ملف تجاوز الصلاحيات] |
|---|
| النقاط | 0 |
|---|