Gadget chains in some dependencies
Hessian2
```text
Hessian2Input.readObject -> readObjectDefinition -> readString -> expect -> xxx.toString  # (CVE-2020-11995)
The chain above needs special handling: change the tag to 67 when serializing; see https://y4er.com/posts/wangdingbei-badbean-hessian2/
-----
Hessian2Input.readObject -> readMap -> MapDeserializer.readMap -> HashMap.put -> xx.hashCode
-----
Hessian2Input.readObject -> (combined with Hashtable's hashCode) HashMap.put -> putVal -> XString.equals -> xxx.toString
https://yml-sec.top/2023/04/26/aliyunctf%E9%83%A8%E5%88%86web%E9%A2%98%E8%A7%A3/
```
Method
readObject
```text
BadAttributeValueExpException#readObject -> xx#toString
HashMap#readObject -> xx#hashCode
HashMap#readObject -> putVal -> xx#equals
```
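Every chain in the readObject list starts at a class whose readObject the JVM invokes before application code sees the object, so the check has to happen earlier than that: a JEP 290 ObjectInputFilter is consulted when the class descriptor is resolved, before the entry-point class is instantiated. The following is an added example, not code from this page, showing an allowlist filter rejecting a HashMap that carries a BadAttributeValueExpException; the allowlist contents are an assumption standing in for whatever types a real endpoint expects. (Hessian does not use ObjectInputStream, so this filter does not cover the Hessian2 chains above; Hessian needs its own class allowlist.)

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;
import javax.management.BadAttributeValueExpException;

public class FilteredReadDemo {

    // Allowlist: only the container and value types this (hypothetical) endpoint
    // legitimately expects. The trailing "!*" rejects every other class, so the
    // readObject entry points listed above never get instantiated at all.
    // maxdepth/maxrefs also cap graph size against nested-structure abuse.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.HashMap;java.util.LinkedHashMap;java.lang.*;maxdepth=8;maxrefs=100;!*");

    // Deserialize with the filter attached. Rejection surfaces as InvalidClassException
    // from readObject, before the rejected class's own readObject runs.
    static Object readWithFilter(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: a map of strings, every class is on the allowlist.
        Map<String, Object> ok = new HashMap<>();
        ok.put("user", "alice");
        System.out.println("accepted: " + readWithFilter(serialize(ok)));

        // Constructed sample: same container, but holding the readObject entry point
        // from the list above (a plain exception object here, with no further chain).
        Map<String, Object> bad = new HashMap<>();
        bad.put("x", new BadAttributeValueExpException("constructed sample"));
        try {
            readWithFilter(serialize(bad));
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            // javax.management.* is not on the allowlist, so the filter reports REJECTED
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be installed process-wide with `ObjectInputFilter.Config.setSerialFilter` (or the `jdk.serialFilter` system property) so that any ObjectInputStream the application or its libraries open is covered, not just the one shown here.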
toString
```text
----
com.caucho.naming.QName#toString -> javax.naming.spi.ContinuationContext#composeName -> getTargetContext -> NamingManager.getContext -> getObjectInstance -> getObjectFactoryFromReference -> helper.loadClass(factoryName, codebase)  # uses URLClassLoader
----
ToStringBean#toString -> xxx.getter  # Rome1
PKCS9Attributes#toString -> getAttribute -> UIDefaults#get -> getFromHashtable -> SwingLazyValue#createValue -> arbitrary static method (SwingLazyValue does not implement Serializable, so it cannot be used directly; in Hessian it can)
----
POJONode.toString -> xxx.getter (this is actually a BaseJsonNode method; if POJONode is banned, other subclasses can be used)
----
(cc) TiedMapEntry.toString -> getValue -> LazyMap -> arbitrary transform | arbitrary map.put
```
getter
```text
TemplatesImpl#getOutputProperties                                  loads bytecode
JdbcRowSetImpl#getDatabaseMetaData                                 triggers a JNDI lookup
SignedObject#getObject                                             nested (second-stage) deserialization
org.springframework.jndi.support.SimpleJndiBeanFactory#getBean     triggers a JNDI lookup
```
equals
```text
com.sun.org.apache.xpath.internal.objects.XString#equals -> toString
----
org.springframework.aop.support.AbstractPointcutAdvisor#equals -> otherAdvisor#getAdvice -> AbstractBeanFactoryPointcutAdvisor#getAdvice -> xxx.getBean (a getBean sink is listed under getter above)
---
```
Some static methods
```text
System#load                         (loads an arbitrary .so file)
DumpBytecode#dumpBytecode           writes a file; can be combined with the .so loading above
sun.reflect.misc.MethodUtil#invoke  (can call Runtime directly with this, but it has to be wrapped)
JavaWrapper#_main                   (bcel; calls the _main function)
```
Constructors
```text
TrAXFilter: if the constructor arguments are controllable, Templates.newTransformer can be called
```
Some code collected here
Instantiate a class directly without passing its constructor arguments (Unsafe works as well)
```java
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import sun.reflect.ReflectionFactory;

// Creates an instance of classToInstantiate by running only the chosen constructor of
// one of its superclasses (constructorClass), the same way ObjectInputStream builds
// Serializable objects: none of classToInstantiate's own constructors execute.
@SuppressWarnings("unchecked")
public static <T> T createWithConstructor(Class<T> classToInstantiate,
                                          Class<? super T> constructorClass,
                                          Class<?>[] consArgTypes,
                                          Object[] consArgs)
        throws NoSuchMethodException, InstantiationException,
               IllegalAccessException, InvocationTargetException {
    Constructor<? super T> objCons = constructorClass.getDeclaredConstructor(consArgTypes);
    objCons.setAccessible(true);
    // Bind the superclass constructor to the subclass, as the serialization machinery does
    Constructor<?> sc = ReflectionFactory.getReflectionFactory()
            .newConstructorForSerialization(classToInstantiate, objCons);
    sc.setAccessible(true);
    return (T) sc.newInstance(consArgs);
}
```
References
0CTF/TCTF 2022 hessian-onlyJdk: see this challenge for how several of the static methods above are used