Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about how to use JBoss deserialization to talk about Java deserialization vulnerabilities, which may not be well understood by many people. in order to make you understand better, the editor has summarized the following content for you. I hope you can get something according to this article.

Some time ago, the school learned J2EE and used jboss. By the way, take a look at the deserialization of jboss, and then talk about deserialization vulnerabilities.

Java serialization, in short, is the process of converting java objects into byte sequences. Anti-sequence words are the process of restoring the byte sequence to java objects. However, in this process, the programmer's filtering is not strict, which can lead to the implementation of code constructed maliciously by the attacker.

To take a simple example, the deserialization vulnerability of jboss occurs in doFilter in the ReadOnlyAccessFilter.class file in the jboss\ server\ all\ deploy\ httpha-invoker.sar\ invoker.war\ WEB-INF\ classes\ org\ jboss\ invocation\ http\ servlet directory.

Public void doFilter (ServletRequest request,ServletResponse response,FilterChain chain) throw IOException,ServletException {HttpServletRequest httpRequest= (HttpServletRequest) request; Principal user=httpRequest.getUserPrincipal (); if ((user=null) & & (this.readOnlyContextual null)) {ServletInputStream sis=request.getInputStream (); ObjectInputStream ois=new ObjectInputStream (sis); MarshalledInvocation mi=null; try {mi= (MarshalledInvocation) ois.readObject ();} catch (ClassNotFountException e) {throw new ServletException ("Failed to read MarshalledInvocation", e) } request.serAttribute ("MarshalledInvocation", mi); mi.setMethodMap (this.namingMethodMap); Method m=mi.getMethod (); if (massively null) {validateAccess (mMagmi)}} chain.doFilter (request,response);}

Program access to http data saved to httpRequest, serialization saved to ois, and then no filtering operation, directly using readObject () for deserialization operation saved to mi variables, this is a typical java deserialization loophole.

Reproduce jboss deserialization vulnerability (CVE-2017-12149)

Target aircraft xp_sp3 10.10.1.34

The main scope of influence of CVE-2017-12149 is jbossas 5.x and 6.x, download jboss5.1.0 GA and install it (requires a java environment). If the runtime finds that it can only be accessed through localhost or 127.0.0.1, you can add the command run.bat-b 0.0.0.0 at run time, or create a new start.bat content run.bat-b 0.0.0.0

When this occurs, it means that it is already deployed and ready for access.

Can access the page

Visit 10.10.1.134:8080/invoker/readonly

When this page appears, it can be judged that there is a java deserialization vulnerability.

For vulnerability exploitation, I use the vanilla deserialization tool, and there are many tools on the Internet, including ysoserial, that can be exploited.

The file directory is listed

For fixing vulnerabilities, it is recommended that if you do not use this component, you can remove it. Or add code to monitor.

After reading the above, do you have any further understanding of how to talk about Java deserialization vulnerabilities through JBoss deserialization? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.