fuckJava Deserialization
2023-05-08 11:45:30

Chains in some dependencies

Hessian2

Hessian2Input.readObject -> readObjectDefinition -> readString -> expect -> xxx.toString
# (CVE-2020-11995) The chain above needs special handling: when serializing, change the tag to 67. Reference: https://y4er.com/posts/wangdingbei-badbean-hessian2/
-----
Hessian2Input.readObject -> readMap -> MapDeserializer.readMap -> HashMap.put -> xx.hashCode
-----
Hessian2Input.readObject -> (combined with Hashtable's hashCode) HashMap.put -> putVal -> XString.equals -> xxx.toString
https://yml-sec.top/2023/04/26/aliyunctf%E9%83%A8%E5%88%86web%E9%A2%98%E8%A7%A3/
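All three Hessian2 chains above begin with Hessian2Input resolving a class name chosen by the sender. The following is an added example, not code from this post or from the Hessian project: a Hessian2Input backed by a SerializerFactory whose ClassFactory runs in allowlist mode, so the readObjectDefinition and readMap paths never instantiate a type outside the list. It assumes hessian 4.0.51 or later (where SerializerFactory.getClassFactory() with setWhitelist/allow exists), a hypothetical application package com.example.dto, and the ClassFactory behaviour of substituting java.util.HashMap for a rejected class instead of throwing, which is why the caller's expected type is enforced with Class.cast.

```java
import com.caucho.hessian.io.ClassFactory;
import com.caucho.hessian.io.Hessian2Input;
import com.caucho.hessian.io.SerializerFactory;
import java.io.ByteArrayInputStream;
import java.io.IOException;

/**
 * Added example (not from the original post or the Hessian project):
 * Hessian2 decoding restricted to an explicit class allowlist.
 * Assumes hessian >= 4.0.51, which ships ClassFactory with allow/deny rules.
 */
public final class AllowlistedHessian2 {

    private static final SerializerFactory FACTORY = buildFactory();

    private static SerializerFactory buildFactory() {
        SerializerFactory factory = new SerializerFactory();
        ClassFactory classes = factory.getClassFactory();
        classes.setWhitelist(true);             // deny every class that is not listed below
        classes.allow("com.example.dto.*");     // hypothetical application DTO package
        classes.allow("java.util.ArrayList");   // plain collections the DTOs carry
        return factory;
    }

    /**
     * Decodes one Hessian2 object. Assumption about ClassFactory: a rejected class
     * is not an error in Hessian, the value arrives as a java.util.HashMap instead,
     * so the expected type is enforced here and Class.cast throws
     * ClassCastException for a substituted map.
     */
    public static <T> T read(byte[] payload, Class<T> expected) throws IOException {
        Hessian2Input in = new Hessian2Input(new ByteArrayInputStream(payload));
        in.setSerializerFactory(FACTORY);
        try {
            return expected.cast(in.readObject());
        } finally {
            in.close();
        }
    }
}
```

The allowlist has to name every class the wire objects actually contain, including the concrete collection types inside the DTOs; the QName, PKCS9Attributes and POJONode types from the toString section are simply not resolvable under this factory.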

Method

readObject

BadAttributeValueExpException#readObject -> xx#toString
HashMap#readObject -> xx#hashCode
HashMap#readObject -> putVal -> xx#equals
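Each of the three readObject entry points above only fires if ObjectInputStream agrees to resolve the gadget class. The following is an added example, not code from this post: a JEP 290 ObjectInputFilter that allows only an explicit list of classes and caps graph depth, reference count and array length. It assumes Java 9 or later (java.io.ObjectInputFilter, Set.of) and the hypothetical application classes com.example.dto.Order and com.example.dto.LineItem.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.util.Set;

/**
 * Added example (not from the original post): a JEP 290 filter that lets only an
 * explicit allowlist through and limits resource use, so HashMap#readObject and
 * BadAttributeValueExpException#readObject never run against an attacker-chosen
 * class. Requires Java 9+ (java.io.ObjectInputFilter).
 */
public final class FilteredDeserializer {

    // Hypothetical allowlist for an application whose wire objects are a few DTOs.
    private static final Set<String> ALLOWED = Set.of(
            "com.example.dto.Order",       // hypothetical application class
            "com.example.dto.LineItem",    // hypothetical application class
            "java.lang.String",
            "java.lang.Integer",
            "java.lang.Number",
            "java.util.ArrayList");

    static ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        // Resource limits apply to every callback, including the ones without a class.
        if (info.depth() > 10 || info.references() > 1_000 || info.arrayLength() > 10_000) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            // Not a class-resolution callback; UNDECIDED lets the stream continue.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        // Arrays are reported as the array class; judge the component type.
        while (clazz.isArray()) {
            clazz = clazz.getComponentType();
        }
        if (clazz.isPrimitive() || ALLOWED.contains(clazz.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        // Everything else is rejected, java.util.HashMap and
        // javax.management.BadAttributeValueExpException included.
        return ObjectInputFilter.Status.REJECTED;
    }

    public static <T> T read(byte[] payload, Class<T> expected)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(FilteredDeserializer::check);
            return expected.cast(in.readObject());
        }
    }
}
```

A rejected class surfaces as InvalidClassException from readObject. Every serializable class present in the stream is checked, so serializable superclasses of the DTOs and the concrete collection types they hold must also be on the list; an Object[] is rejected by this filter because its component type is not listed.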

toString

----
com.caucho.naming.QName#toString -> javax.naming.spi.ContinuationContext#composeName -> getTargetContext -> NamingManager.getContext -> getObjectInstance -> getObjectFactoryFromReference -> helper.loadClass(factoryName, codebase) # uses URLClassLoader
----
ToStringBean#toString -> xxx.getter # Rome1
PKCS9Attributes#toString -> getAttribute -> UIDefaults#get -> getFromHashtable -> SwingLazyValue#createValue -> arbitrary static method (SwingLazyValue does not implement Serializable, so it cannot be used directly; in Hessian it can)

----
POJONode.toString -> xxx.getter (this is actually a method of BaseJsonNode; if POJONode is banned, look for another one)
----
(cc) TiedMapEntry.toString -> getValue -> LazyMap -> arbitrary transform | arbitrary map.put

getter

TemplatesImpl#getOutputProperties                              loads bytecode
JdbcRowSetImpl#getDatabaseMetaData                             triggers JNDI
SignedObject#getObject                                         second-stage deserialization
org.springframework.jndi.support.SimpleJndiBeanFactory#getBean triggers JNDI

equals

com.sun.org.apache.xpath.internal.objects.XString#equals -> toString
----
org.springframework.aop.support.AbstractPointcutAdvisor#equals -> otherAdvisor#getAdvice -> AbstractBeanFactoryPointcutAdvisor#getAdvice -> xxx.getBean (see getBean above)
---

Some static methods

System#load  (loads an arbitrary .so file)
DumpBytecode#dumpBytecode writes a file; can be combined with the .so loading above
sun.reflect.misc.MethodUtil#invoke (Runtime can be called directly through this, but it needs to be wrapped)
JavaWrapper#_main (bcel, calls the _main function)

Constructors

TrAXFilter: if the constructor arguments are controllable, Templates.newTransformer can be called

Some code collected here

Instantiates a class directly without having to pass its constructor arguments (Unsafe works as well)


import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import sun.reflect.ReflectionFactory;

// Builds an instance of classToInstantiate without running any of its own constructors:
// the JDK's serialization-constructor mechanism runs the chosen superclass constructor instead.
@SuppressWarnings("unchecked")
public static <T> T createWithConstructor(Class<T> classToInstantiate, Class<? super T> constructorClass, Class<?>[] consArgTypes, Object[] consArgs) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
    Constructor<? super T> objCons = constructorClass.getDeclaredConstructor(consArgTypes);
    objCons.setAccessible(true);
    // Serialization constructor: allocates classToInstantiate, but only objCons is invoked
    Constructor<?> sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons);
    sc.setAccessible(true);
    return (T) sc.newInstance(consArgs);
}

References

0CTF/TCTF 2022 hessian-onlyJdk: see it for how several static classes are used
