
Case Analysis of CVE-2017-12149 JBOSS deserialization vulnerability

2025-02-28 Update. From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article walks through an example analysis of the CVE-2017-12149 JBoss deserialization vulnerability. It is concise and easy to follow, and I hope the detailed explanation gives you something useful.

0x00 Cause of the vulnerability

According to analyses by other researchers, the cause of this vulnerability is that the filter in front of /invoker/readonly is not written properly. The file lives at server\all\deploy\httpha-invoker.sar\invoker.war\WEB-INF\classes\org\jboss\invocation\http\servlet\, in ReadOnlyAccessFilter.class under that path.

Load this class into IDEA and inspect the source: the filter performs no validation at all while filtering, so a malicious user can POST data directly to this interface (see the code before line 63). The server takes the request input stream, wraps it in an object input stream, and reads (and thereby executes) the objects in the stream. This is the deserialization step.
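To make the missing check concrete, here is an added example (not code from the page, from JBoss, or from the researchers cited above) of what a defensive read of an untrusted object stream looks like: an ObjectInputStream subclass whose resolveClass() consults an allowlist before any class from the stream is resolved, so a stream that names any class other than the expected payload type is rejected before its readObject() can run. The ReadOnlyRequest class, the allowlist contents and the sample inputs are all constructed for this example.

```java
// Added example, not the page's or JBoss's own code.
// A look-ahead ObjectInputStream: resolveClass() is checked against an allowlist
// before any class named in the stream is resolved, so gadget classes are
// rejected before any readObject() of theirs is invoked.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class LookAheadDeserialization {

    // Hypothetical DTO standing in for the one payload type the endpoint legitimately accepts.
    public static class ReadOnlyRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String target;
        ReadOnlyRequest(String target) { this.target = target; }
    }

    // Only these classes may ever be resolved from an untrusted stream (constructed allowlist).
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        ReadOnlyRequest.class.getName(),
        "java.lang.String"));

    static class LookAheadObjectInputStream extends ObjectInputStream {
        LookAheadObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                // Reject instead of resolving: no constructor or readObject() of that class runs.
                throw new InvalidClassException(desc.getName(), "class not on allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Returns the deserialized object, or throws InvalidClassException for anything not allowlisted.
    static Object readUntrusted(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(body))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the expected payload, and an arbitrary object a caller must not be able to send.
        Object ok = readUntrusted(serialize(new ReadOnlyRequest("ejb/Example")));
        System.out.println("accepted: " + ((ReadOnlyRequest) ok).target);

        try {
            readUntrusted(serialize(new ArrayList<String>()));
            System.out.println("BUG: ArrayList should have been rejected");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

The point of checking in resolveClass() rather than after readObject() returns is ordering: by the time readObject() returns, every readObject() method of every class in the stream has already run, which is exactly when the reflection chain described later on this page fires. On Java 9 and later (and 8u121+), java.io.ObjectInputFilter provides the same pre-resolution hook without subclassing the stream.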

0x01 Reproducing the vulnerability

So how is a POC for this vulnerability constructed? JBoss 5.1 ships Commons Collections 3.1.

Commons Collections can be used to build a reflection chain. Reproduce the issue first and see how other people's POC is written:

ysoserial.jar is the tool used to generate the various deserialization POCs or EXPs; it bundles the libraries that the different reflection chains rely on.

java -jar ysoserial.jar CommonsCollections6 "calc.exe" > poc.ser

curl http://192.168.154.129:8080/invoker/readonly --data-binary @poc.ser

0x02 POC writing

After reproducing it successfully, let's look at how others approach it. The POC authors note:

Once the construction of the Java reflection chain is understood, the remaining step is how to trigger that chain during deserialization.

For this, the POC/EXP authors settled on the readObject method of sun.reflect.annotation.AnnotationInvocationHandler.

Next, look at getDeclaredConstructor(), which is used to obtain the constructor that takes parameters.

getDeclaredConstructor(Class<?>... parameterTypes)

This method returns the constructor with the specified parameter types whatever its access level: public or non-public, including private.

Compare it with getConstructor(Class<?>... parameterTypes):

This method returns a subset of what the previous one can return: only the constructor with the specified parameter types whose access is public.

Get the constructor object and instantiate it:

A Constructor object is obtained from the class object through getConstructor() (which returns only public constructors) or getDeclaredConstructor() (which returns constructors of any access level), and the object is then created by calling its newInstance() method. This works for both no-argument and parameterized constructors.
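The difference between the two lookups is easiest to see on a class that has both a public and a private constructor. The following is an added example written for this page (not code from the article or from the JDK); the Handler class is hypothetical.

```java
// Added example, not from the page: getConstructor() vs getDeclaredConstructor()
// on a class that has one public and one private constructor.
import java.lang.reflect.Constructor;
import java.util.Arrays;

public class ConstructorLookup {

    // Hypothetical class: public no-arg constructor, private one-argument constructor.
    public static class Handler {
        final String name;
        public Handler() { this("default"); }
        private Handler(String name) { this.name = name; }
    }

    // getConstructor() only sees public constructors; anything else is NoSuchMethodException.
    static String viaGetConstructor(Class<?> c, Class<?>... params) {
        try {
            Constructor<?> ctor = c.getConstructor(params);
            return "found " + ctor;
        } catch (NoSuchMethodException e) {
            return "NoSuchMethodException for parameters " + Arrays.toString(params);
        }
    }

    // getDeclaredConstructor() returns the constructor regardless of access modifier;
    // setAccessible(true) is still needed before a private one can be invoked.
    static Handler viaGetDeclaredConstructor(String name) throws Exception {
        Constructor<Handler> ctor = Handler.class.getDeclaredConstructor(String.class);
        ctor.setAccessible(true);
        return ctor.newInstance(name);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(viaGetConstructor(Handler.class));               // public no-arg constructor is found
        System.out.println(viaGetConstructor(Handler.class, String.class)); // private (String) constructor: not found
        Handler h = viaGetDeclaredConstructor("from-reflection");
        System.out.println("private constructor invoked via reflection, name=" + h.name);
    }
}
```

The security-relevant consequence is the one the page is building toward: a private constructor or a non-public method is not a barrier to code that already runs inside the JVM, so "the class cannot be instantiated by callers" is never a sufficient reason to trust input that is deserialized into it.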

Now look at the source of the AnnotationInvocationHandler constructor.

The first line obtains all the interfaces implemented by the Target.class class.

The following if checks whether the class is an annotation type that implements exactly one interface, and whether that implemented interface is an annotation class; if both hold, the fields are assigned.

Now look at its readObject method, which is where the entire reflection chain is triggered.

First, the object input stream is passed in and read, then var2 resolves the annotation class. Once that is obtained, the member types are retrieved:

What value is obtained here?

var3 refers to memberTypes, so it has the same type as the incoming Map, and var4 is the entry set of the incoming Map. The loop then checks whether var4 still has elements; for each element var5 of var4, var6 takes the key of var5 and var7 looks up the class object for that key in var3. If var7 exists, var8 gets the value of var5 via getValue, and finally, if var8 cannot be converted to var7, setValue is performed on var5. When var5 carries out setValue, the following happens:

Take a look at the checkSetValue source code:

It performs the transform operation. Anyone who already knows the reflection chain will recognise that this is exactly where the chain is triggered.

The values of var1-var7 are as follows:

Now write your own POC, following the others, and run it again.

Copy the generated bin.ser to Kali and send it to the JBoss server with curl.

curl http://192.168.154.129:8080/invoker/readonly --data-binary @bin.ser

The calculator pops up, confirming the chain executed:
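On the defending side, the request shown above leaves a clear trace: a POST with a body to a path under /invoker/, which an application should never receive from the network. The following added example (not part of the article, and not JBoss code) scans access-log lines in the common log format and reports such requests. The log lines are constructed for this example; the page itself names only /invoker/readonly, and the pattern generalises to the whole /invoker/ prefix, which invoker.war serves.

```java
// Added example: flag POST requests to the JBoss HTTP invoker in access-log lines.
// The SAMPLE_LOG entries are constructed for this example (common log format);
// they are not from the page or from any real server.
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class InvokerAccessLogScan {

    // Groups: 1 client IP, 2 timestamp, 3 request path, 4 status, 5 response bytes.
    // Only POSTs are matched: the deserialization entry point reads the request body.
    static final Pattern INVOKER_POST = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"POST (/invoker/\\S*) HTTP/[0-9.]+\" (\\d{3}) (\\d+|-)");

    // Constructed sample log; the page's own path is /invoker/readonly.
    static final String[] SAMPLE_LOG = {
        "10.0.0.5 - - [31/May/2018:10:01:02 +0800] \"GET /index.html HTTP/1.1\" 200 1120",
        "10.0.0.7 - - [31/May/2018:10:01:09 +0800] \"POST /invoker/readonly HTTP/1.1\" 500 1451",
        "10.0.0.7 - - [31/May/2018:10:01:10 +0800] \"GET /invoker/readonly HTTP/1.1\" 405 -",
        "10.0.0.9 - - [31/May/2018:10:02:15 +0800] \"POST /app/login HTTP/1.1\" 302 -",
    };

    // Returns one summary line per matching request; an empty list means nothing was found.
    static List<String> findInvokerPosts(String[] lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            Matcher m = INVOKER_POST.matcher(line);
            if (m.find()) {
                hits.add(String.format("%s POST %s status=%s bytes=%s at [%s]",
                    m.group(1), m.group(3), m.group(4), m.group(5), m.group(2)));
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        List<String> hits = findInvokerPosts(SAMPLE_LOG);
        if (hits.isEmpty()) {
            System.out.println("no POST requests to /invoker/ found");
        }
        for (String hit : hits) {
            System.out.println("ALERT " + hit);
        }
    }
}
```

Only the second sample line is reported: the GET to the same path is excluded because the vulnerable code path needs a request body, and the POST elsewhere does not touch the invoker. In practice the same rule belongs in the SIEM, and the longer-term fix is to remove httpha-invoker.sar or restrict the /invoker/ path to authenticated, trusted callers rather than to rely on detection alone.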

The above is an example analysis of the CVE-2017-12149 JBoss deserialization vulnerability. Have you picked up the knowledge or skills involved? If you want to learn more or broaden your knowledge, you are welcome to follow the industry information channel.
