### Critical Vulnerability Information

#### Vulnerability Location

- In the `SysGeneratorController.java` class, at the `@RequestMapping("/code")` endpoint, specifically at the `JSON.parseArray(tables)` call.

#### Vulnerability Description

- The code uses the Fastjson library without enabling SafeMode or disabling AutoType functionality.
- The `JSON.parseArray()` method directly parses unvalidated user input (the `tables` parameter).
- When using Fastjson version ≤1.2.83, attackers can craft malicious JSON data to achieve Remote Code Execution (RCE).

#### Impact

- Remote Code Execution (RCE)
- Leakage of sensitive server data
- Full server compromise

#### POC

```http
GET /api/dev/admin/sys/generator/code?X-Token=0a5e525684de5999d8c8e713c7bc50a&tables=[{"tableName":"test"}] HTTP/1.1
Host: 172.20.10.3:8889
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://172.20.10.3:8889/api/dev/admin/sys/generator.html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=efcfa4b7-4f4a-4889-701256c9f1cc
x-forwarded-for: 127.0.0.1
Connection: close
```

#### Proof of Vulnerability

- Set up an LDAP service and load malicious code to exploit the deserialization vulnerability.

#### Exploitation Method

- Exploit via malicious `tables` parameter.
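A hardened form of the parsing step described above, as an added example that is not the project's own code: it enables Fastjson SafeMode (so `@type` keys are ignored), parses into an explicit target class instead of untyped objects, and validates each table name before use. The package, class and `TableSelection` type are assumptions; only `JSON.parseArray(String, Class)` and `ParserConfig.getGlobalInstance().setSafeMode(boolean)` are real Fastjson APIs.

```java
package example.generator; // hypothetical package, not the project's own

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.ParserConfig;
import java.util.List;
import java.util.regex.Pattern;

public class SafeTablesParser {

    /** Explicit target type for each element of the `tables` array (assumed shape: {"tableName": ...}). */
    public static class TableSelection {
        private String tableName;
        public String getTableName() { return tableName; }
        public void setTableName(String tableName) { this.tableName = tableName; }
    }

    // Only plain SQL-style identifiers are accepted as table names; everything else is rejected.
    private static final Pattern TABLE_NAME = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    // Upper bound on the raw parameter so oversized input is rejected before parsing.
    private static final int MAX_TABLES_LENGTH = 4096;

    static {
        // SafeMode turns AutoType off entirely: "@type" in input is no longer honoured.
        // Equivalent to starting the JVM with -Dfastjson.parser.safeMode=true (Fastjson >= 1.2.68).
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    /** Replacement for the untyped JSON.parseArray(tables) call at the /code endpoint. */
    public static List<TableSelection> parseTables(String tables) {
        if (tables == null || tables.isEmpty() || tables.length() > MAX_TABLES_LENGTH) {
            throw new IllegalArgumentException("tables parameter missing or too long");
        }
        // Typed parse: Fastjson only instantiates TableSelection, never a class named by the input.
        List<TableSelection> selected = JSON.parseArray(tables, TableSelection.class);
        if (selected == null || selected.isEmpty()) {
            throw new IllegalArgumentException("tables parameter must be a non-empty JSON array");
        }
        for (TableSelection t : selected) {
            String name = t.getTableName();
            if (name == null || !TABLE_NAME.matcher(name).matches()) {
                throw new IllegalArgumentException("invalid table name");
            }
        }
        return selected;
    }
}
```

Upgrading Fastjson beyond the affected range still matters; SafeMode and typed parsing reduce the deserialization surface regardless of version.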