| Title | https://www.qiyuesuo.com/ electronic signature platform <=4.34 RCE |
|---|
| Description | In this exploit, the attacker used the platform's scheduled task feature to upload custom Java class files and bypassed the Runtime/Process blacklist detection mechanism by concatenating strings and using reflection. Ultimately, the attacker successfully executed system commands on the server side, completing remote command execution (RCE). |
|---|
| Source | ⚠️ https://github.com/nn0nkey/nn0nkey/blob/main/QYS/QYS_task.md |
|---|
| User | nn0nkey (UID 74287) |
|---|
| Submission | 07/30/2025 10:40 (11 months ago) |
|---|
| Moderation | 08/08/2025 22:26 (9 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 319298 [Qiyuesuo Eelectronic Signature Platform up to 4.34 Scheduled Task /api/code/upload execute File unrestricted upload] |
|---|
| Points | 0 |
|---|