|Vulnerability information
Recently a deserialization vulnerability in the channel interface was disclosed on FanRuan's official website:
https://help.fanruan.com/finereport/doc-view-4833.html
The interface accepts serialized data and deserializes it. Combined with the CB (CommonsBeanutils) gadget chain bundled with FanRuan, this leads to arbitrary code execution. The vulnerability was confirmed on FineBI V5.1.10 and did not reproduce on V5.1.18, because newer FanRuan versions use a deserialization blacklist.
|Environment setup
Download from the official site: https://www.finebi.com/product/download
|Vulnerability analysis
First locate the vulnerable route webroot/decision/remote/design/channel. The logs list every loaded route, so the handling class name is easy to find. A global search locates it in FineBI5.1\webapps\webroot\WEB-INF\lib\fine-decision-report-10.0.jar.
Here the POST body is read in and passed to WorkContext.handleMessage(var3). We follow that call.
In handleMessage the flow enters deserializeInvocation, which passes two arguments to SerializerHelper.deserialize: the serialized data and a GZipSerializerWrapper that wraps an InvocationSerializer. This double wrapping matters later when the payload is constructed.
Continuing into SerializerHelper.deserialize: nothing special happens here, it simply calls deserialize on the serializer with the incoming serialized bytes. At this point var1 is the GZipSerializerWrapper we just saw. Entering GZipSerializerWrapper.deserialize: the input stream is wrapped in a GZIPInputStream, and this.serializer is then used for a further deserialization. As noted, the GZipSerializerWrapper wraps an InvocationSerializer.
From these two screenshots, the current value of this.serializer is the InvocationSerializer, so the call goes to InvocationSerializer.deserialize. We follow that as well.
This is where the real deserialization happens: the input stream is wrapped once more, this time in a CustomObjectInputStream. In later patched versions, the deserialization blacklist is also implemented in CustomObjectInputStream's class loader. Finally the object is read with Map var4 = (Map)var2.readObject(); which is what makes this a deserialization vulnerability.
|Exploitation
Having traced the flow, consider how to craft the malicious serialized payload. As described above, the input stream we send has to be wrapped twice. Several gadget chains are available: either the CB chain or the c3p0 chain works. Since c3p0 needs to load remote bytecode, which is more cumbersome, the CB chain is used here to execute arbitrary code.
EXP removed
The exp is built at this point.
Run CB.java to obtain the base64 string, then decode it and submit it by POST with a simple script:
import base64
import requests

burp0_url = "http://127.0.0.1:37799/webroot/decision/remote/design/channel"
burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
# route the request through Burp for inspection; the target URL is plain http,
# so the proxy has to be registered for that scheme as well
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}
# base64 output of CB.java (redacted in the original article)
b = b"******"
# the channel endpoint expects the raw GZIP-wrapped serialized bytes, so decode before sending
burp0_data = base64.b64decode(b)
res = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxies, verify=False)
print(res.text)
Testing shows the RCE succeeds.
Reproduced successfully.
|Fix
As mentioned above, the new version adds a blacklist to CustomObjectInputStream's class loader at deserialization time. The new version tested here is FineBI V5.1.18; intermediate versions were not checked.
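As an added example (not code from the original article or from FanRuan), the following Python applies the same class-name check at the network edge that the patched CustomObjectInputStream applies inside the JVM: it unwraps the GZipSerializerWrapper layer, confirms the body is a Java object stream, walks it for class descriptors and matches them against a handful of entries taken from the blacklist.txt below. The blacklist subset, the helper names and the constructed sample stream are assumptions made for this demonstration.

```python
import gzip
import re
import struct
from typing import List, Tuple

# Small subset of the vendor blacklist.txt shown in this article; a real deployment
# would load the whole file. The subset is chosen here for demonstration only.
BLACKLIST = {
    "com.fr.third.org.apache.commons.beanutils.BeanComparator",
    "com.fr.third.org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.beanutils.BeanComparator",
    "java.util.PriorityQueue",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
}

JAVA_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION of java.io serialization
GZIP_MAGIC = b"\x1f\x8b"
TC_CLASSDESC = 0x72               # opcode that introduces a class descriptor


def unwrap_body(body: bytes) -> bytes:
    """Undo the GZipSerializerWrapper layer (if present) and return the object stream."""
    return gzip.decompress(body) if body.startswith(GZIP_MAGIC) else body


def class_names(stream: bytes) -> List[str]:
    """Collect every class name that follows a TC_CLASSDESC opcode.

    A descriptor is 0x72, a 2-byte big-endian length, then the class name. Scanning
    for that shape is enough for inspection; back-references are not needed here.
    """
    names, i = [], 0
    while True:
        i = stream.find(bytes([TC_CLASSDESC]), i)
        if i < 0 or i + 3 > len(stream):
            break
        (length,) = struct.unpack(">H", stream[i + 1:i + 3])
        raw = stream[i + 3:i + 3 + length]
        # Java class names are dotted ASCII identifiers ('$' marks inner classes)
        if length and len(raw) == length and re.fullmatch(rb"[A-Za-z_$][\w$.]*", raw):
            names.append(raw.decode("ascii"))
            i += 3 + length
        else:
            i += 1  # a stray 0x72 byte inside other data; keep scanning
    return names


def inspect_channel_body(body: bytes) -> Tuple[bool, List[str]]:
    """Return (is_java_object_stream, blacklisted_classes_found) for a POST body."""
    stream = unwrap_body(body)
    if not stream.startswith(JAVA_MAGIC):
        return False, []
    return True, [n for n in class_names(stream) if n in BLACKLIST]


def fake_stream(*classes: str, gzipped: bool = True) -> bytes:
    """Constructed stand-in: magic plus one TC_OBJECT/TC_CLASSDESC header per name.
    Only the bytes the scanner looks at are emitted; it is not a deserializable graph."""
    out = bytearray(JAVA_MAGIC)
    for name in classes:
        out += bytes([0x73, TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode()
    return gzip.compress(bytes(out)) if gzipped else bytes(out)


if __name__ == "__main__":
    print(inspect_channel_body(fake_stream("com.fr.third.org.apache.commons.beanutils.BeanComparator")))
```

Feed a captured POST body for the channel route to inspect_channel_body; a non-empty second element means a class from the blacklist was named in the stream before the server ever reached readObject.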
blacklist.txt
br.com.anteros.dbcp.AnterosDBCPConfig
br.com.anteros.dbcp.AnterosDBCPDataSource
bsh.Interpreter
bsh.XThis
ch.qos.logback.core.db.DriverManagerConnectionSource
ch.qos.logback.core.db.JNDIConnectionSource
clojure.inspector.proxy$javax.swing.table.AbstractTableModel$ff19274a
clojure.lang.PersistentArrayMap
com.alibaba.fastjson.TypeReference
com.caucho.config.types.ResourceRef
com.fr.third.apache.log4j.receivers.db.DriverManagerConnectionSource
com.fr.third.apache.log4j.receivers.db.JNDIConnectionSource
com.fr.third.net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup
com.fr.third.net.sf.ehcache.transaction.manager.selector.GenericJndiSelector
com.fr.third.net.sf.ehcache.transaction.manager.selector.GlassfishSelector
com.fr.third.org.apache.commons.beanutils.BeanComparator
com.fr.third.org.apache.commons.codec.binary.Base64
com.fr.third.org.apache.commons.collections.comparators.TransformingComparator
com.fr.third.org.apache.commons.collections.functors.ChainedTransformer
com.fr.third.org.apache.commons.collections.functors.ConstantTransformer
com.fr.third.org.apache.commons.collections.functors.InstantiateTransformer
com.fr.third.org.apache.commons.collections.functors.InvokerTransformer
com.fr.third.org.apache.commons.collections.functors.MapTransformer
com.fr.third.org.apache.commons.collections.keyvalue.TiedMapEntry
com.fr.third.org.apache.commons.collections.map.LazyMap
com.fr.third.org.apache.commons.collections.Transformer
com.fr.third.org.apache.commons.collections4.comparators.TransformingComparator
com.fr.third.org.apache.commons.collections4.functors.ChainedTransformer
com.fr.third.org.apache.commons.collections4.functors.ConstantTransformer
com.fr.third.org.apache.commons.collections4.functors.InstantiateTransformer
com.fr.third.org.apache.commons.collections4.functors.InvokerTransformer
com.fr.third.org.apache.commons.collections4.functors.MapTransformer
com.fr.third.org.apache.commons.collections4.keyvalue.TiedMapEntry
com.fr.third.org.apache.commons.collections4.map.LazyMap
com.fr.third.org.apache.commons.collections4.Transformer
com.fr.third.org.apache.commons.fileupload.disk.DiskFileItem
com.fr.third.org.apache.commons.io.FileUtils
com.fr.third.org.apache.commons.io.output.DeferredFileOutputStream
com.fr.third.org.apache.commons.io.output.ThresholdingOutputStream
com.fr.third.org.hibernate.engine.spi.TypedValue
com.fr.third.org.hibernate.engine.spi.TypedValue$1
com.fr.third.org.hibernate.engine.TypedValue
com.fr.third.org.hibernate.EntityMode
com.fr.third.org.hibernate.jmx.StatisticsService
com.fr.third.org.hibernate.property.access.spi.Getter
com.fr.third.org.hibernate.property.access.spi.GetterMethodImpl
com.fr.third.org.hibernate.property.BasicPropertyAccessor$BasicGetter
com.fr.third.org.hibernate.property.Getter
com.fr.third.org.hibernate.tuple.component.AbstractComponentTuplizer
com.fr.third.org.hibernate.tuple.component.PojoComponentTuplizer
com.fr.third.org.hibernate.tuple.entity.EntityEntityModeToTuplizerMapping
com.fr.third.org.hibernate.tuple.EntityModeToTuplizerMapping
com.fr.third.org.hibernate.type.AbstractType
com.fr.third.org.hibernate.type.ComponentType
com.fr.third.org.hibernate.type.Type
com.fr.third.org.apache.commons.collections.map.TransformedMap
com.fr.third.org.apache.commons.collections4.map.TransformedMap
com.fr.third.org.v2.apache.commons.collections4.map.TransformedMap
com.fr.third.org.quartz.utils.JNDIConnectionProvider
com.fr.third.org.reflections.Reflections
com.fr.third.org.springframework.aop.config.MethodLocatingFactoryBean
com.fr.third.org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor
com.fr.third.org.springframework.beans.factory.config.BeanReferenceFactoryBean
com.fr.third.org.springframework.beans.factory.config.PropertyPathFactoryBean
com.fr.third.slf4j.ext.EventData
com.fr.third.springframework.aop.framework.AdvisedSupport
com.fr.third.springframework.aop.framework.JdkDynamicAopProxy
com.fr.third.springframework.aop.target.SingletonTargetSource
com.fr.third.springframework.aop.TargetSource
com.fr.third.springframework.beans.factory.ObjectFactory
com.fr.third.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler
com.fr.third.springframework.core.SerializableTypeWrapper.$MethodInvokeTypeProvider
com.fr.third.springframework.transaction.jta.JtaTransactionManager
com.fr.third.springframework.web.servlet.handler.HandlerInterceptorAdapter
com.fr.third.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping
com.fr.third.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping
com.fr.third.springframework.web.servlet.support.RequestContextUtils
com.fr.third.sun.misc.BASE64Decoder
com.fr.third.sun.misc.BASE64Encoder
com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig
com.mchange.v2.c3p0.ComboPooledDataSource
com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource
com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase
com.mchange.v2.c3p0.JndiRefForwardingDataSource
com.mchange.v2.c3p0.PoolBackedDataSource
com.mysql.cj.jdbc.admin.MiniAdmin
com.mysql.cj.jdbc.MysqlConnectionPoolDataSource
com.mysql.cj.jdbc.MysqlXADataSource
com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource
com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource
com.nqadmin.rowset.JdbcRowSetImpl
com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool
com.p6spy.engine.spy.P6DataSource
com.pastdev.httpcomponents.configuration.JndiConfiguration
com.sun.deploy.security.ruleset.DRSHelper
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor
com.sun.jmx.mbeanserver.JmxMBeanServer
com.sun.jmx.mbeanserver.NamedObject
com.sun.jmx.mbeanserver.Repository
com.sun.org.apache.bcel.internal.util.ClassLoader
com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool
com.sun.org.apache.xalan.internal.xslt.ObjectFactory
com.sun.org.apache.xalan.internal.xslt.Process
com.sun.org.apache.xalan.internal.xsltc.DOM
com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet
com.sun.org.apache.xalan.internal.xsltc.TransletException
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl
com.sun.org.apache.xml.internal.dtm.DTMAxisIterator
com.sun.org.apache.xml.internal.serializer.SerializationHandler
com.sun.rowset.JdbcRowSetImpl
com.sun.syndication.feed.impl.ObjectBean
com.vaadin.data.Property
com.vaadin.data.util.NestedMethodProperty
com.vaadin.data.util.PropertysetItem
com.zaxxer.hikari.HikariConfig
com.zaxxer.hikari.HikariDataSource
flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor
groovy.lang.Closure
java.beans.EventHandler
java.lang.reflect.Proxy
java.net.Inet4Address
java.net.Inet6Address
java.net.InetAddress
java.net.InetSocketAddress
java.net.Socket
java.net.URL
java.net.URLStreamHandler
java.rmi.registry.Registry
java.rmi.RemoteObjectInvocationHandler
java.rmi.server.ObjID
java.rmi.server.RemoteObject
java.rmi.server.RemoteRef
java.rmi.server.UnicastRemoteObject
java.util.Base64
java.util.Comparator
java.util.logging.FileHandler
java.util.PriorityQueue
javax.el.ELContext
javax.faces.context.FacesContext
javax.management.BadAttributeValueExpException
javax.management.DynamicMBean
javax.management.MBeanServer
javax.management.MBeanServerInvocationHandler
javax.management.ObjectName
javax.management.openmbean.CompositeData
javax.management.openmbean.CompositeDataInvocationHandler
javax.management.openmbean.CompositeType
javax.management.openmbean.OpenDataException
javax.management.openmbean.OpenType
javax.management.openmbean.SimpleType
javax.management.openmbean.TabularDataSupport
javax.management.openmbean.TabularType
javax.net.SocketFactory
javax.servlet.http.HttpSession
javax.servlet.ServletContext
javax.servlet.ServletRequestEvent
javax.servlet.ServletRequestListener
javax.swing.JEditorPane
javax.swing.JTextPane
javax.xml.transform.Templates
jodd.db.connection.DataSourceConnectionProvider
net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup
net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup
net.sf.ehcache.transaction.manager.selector.GenericJndiSelector
net.sf.ehcache.transaction.manager.selector.GlassfishSelector
net.sf.json.JSONObject
oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS
oadd.org.apache.commons.dbcp.datasources.PerUserPoolDataSource
oadd.org.apache.commons.dbcp.datasources.SharedPoolDataSource
oadd.org.apache.xalan.lib.sql.JNDIConnectionPool
om.mchange.v2.c3p0.WrapperConnectionPoolDataSource
om.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl
oracle.jdbc.connector.OracleManagedConnectionFactory
oracle.jdbc.pool.OraclePooledConnection
oracle.jdbc.rowset.OracleJDBCRowSet
oracle.jms.AQjmsQueueConnectionFactory
oracle.jms.AQjmsTopicConnectionFactory
oracle.jms.AQjmsXAConnectionFactory
oracle.jms.AQjmsXAQueueConnectionFactory
oracle.jms.AQjmsXATopicConnectionFactory
org..springframework.transaction.jta.JtaTransactionManager
org.aoju.bus.proxy.provider.remoting.RmiProvider
org.aoju.bus.proxy.provider.RmiProvider
org.apache.activemq.ActiveMQConnectionFactory
org.apache.activemq.ActiveMQXAConnectionFactory
org.apache.activemq.jms.pool.JcaPooledConnectionFactory
org.apache.activemq.jms.pool.XaPooledConnectionFactory
org.apache.activemq.pool.JcaPooledConnectionFactory
org.apache.activemq.pool.PooledConnectionFactory
org.apache.activemq.pool.XaPooledConnectionFactory
org.apache.activemq.spring.ActiveMQConnectionFactory
org.apache.activemq.spring.ActiveMQXAConnectionFactory
org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory
org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory
org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl
org.apache.axis2.transport.jms.JMSOutTransportInfo
org.apache.bcel.internal.util.ClassLoader
org.apache.catalina.authenticator.AuthenticatorBase
org.apache.catalina.connector.Request
org.apache.catalina.connector.RequestFacade
org.apache.catalina.connector.Response
org.apache.catalina.core.ApplicationFilterConfig
org.apache.catalina.core.ApplicationServletRegistration
org.apache.catalina.core.StandardContext
org.apache.catalina.core.StandardService
org.apache.catalina.core.StandardWrapperValue.invoke
org.apache.catalina.deploy.FilterDef
org.apache.catalina.deploy.FilterMap
org.apache.catalina.loader.ParallelWebappClassLoader
org.apache.catalina.loader.WebappClassLoaderBase
org.apache.click.control.Column
org.apache.click.control.Column$ColumnComparator
org.apache.click.control.Table
org.apache.commons.beanutils.BeanComparator
org.apache.commons.codec.binary.Base64
org.apache.commons.collections.comparators.TransformingComparator
org.apache.commons.collections.functors.ChainedTransformer
org.apache.commons.collections.functors.ConstantTransformer
org.apache.commons.collections.functors.InstantiateTransformer
org.apache.commons.collections.functors.InvokerTransformer
org.apache.commons.collections.functors.MapTransformer
org.apache.commons.collections.keyvalue.TiedMapEntry
org.apache.commons.collections.map.LazyMap
org.apache.commons.collections.map.TransformedMap
org.apache.commons.collections.Transformer
org.apache.commons.collections4.comparators.TransformingComparator
org.apache.commons.collections4.functors.ChainedTransformer
org.apache.commons.collections4.functors.ConstantTransformer
org.apache.commons.collections4.functors.InstantiateTransformer
org.apache.commons.collections4.functors.InvokerTransformer
org.apache.commons.collections4.functors.MapTransformer
org.apache.commons.collections4.keyvalue.TiedMapEntry
org.apache.commons.collections4.map.LazyMap
org.apache.commons.collections4.map.TransformedMap
org.apache.commons.collections4.Transformer
org.apache.commons.configuration.JNDIConfiguration
org.apache.commons.configuration2.JNDIConfiguration
org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS
org.apache.commons.dbcp.datasources.PerUserPoolDataSource
org.apache.commons.dbcp.datasources.SharedPoolDataSource
org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS
org.apache.commons.dbcp2.datasources.PerUserPoolDataSource
org.apache.commons.dbcp2.datasources.SharedPoolDataSource
org.apache.commons.fileupload.disk.DiskFileItem
org.apache.commons.io.FileUtils
org.apache.commons.io.output.DeferredFileOutputStream
org.apache.commons.io.output.ThresholdingOutputStream
org.apache.commons.jelly.impl.Embedded
org.apache.commons.proxy.provider.remoting.RmiProvider
org.apache.coyote.AbstractProtocol;
org.apache.coyote.ProtocolHandler
org.apache.coyote.Request
org.apache.coyote.Response
org.apache.cxf.jaxrs.provider.XSLTJaxbProvider
org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig
org.apache.ibatis.datasource.jndi.JndiDataSourceFactory
org.apache.ibatis.parsing.XPathParser
org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory
org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup
org.apache.log4j.receivers.db.DriverManagerConnectionSource
org.apache.log4j.receivers.db.JNDIConnectionSource
org.apache.myfaces.context.servlet.FacesContextImpl
org.apache.myfaces.context.servlet.FacesContextImplBase
org.apache.myfaces.el.CompositeELResolver
org.apache.myfaces.el.unified.FacesELContext
org.apache.myfaces.view.facelets.el.ValueExpressionMethodExpression
org.apache.openjpa.ee.JNDIManagedRuntime
org.apache.openjpa.ee.RegistryManagedRuntime
org.apache.openjpa.ee.WASRegistryManagedRuntime
org.apache.shiro.codec.Base64
org.apache.shiro.codec.CodecSupport
org.apache.shiro.crypto.AesCipherService
org.apache.shiro.io.DefaultSerializer
org.apache.shiro.jndi.JndiObjectFactory
org.apache.shiro.realm.jndi.JndiRealmFactory
org.apache.shiro.util.ByteSource
org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS
org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource
org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource
org.apache.tomcat.dbcp.dbcp2.BasicDataSourc
org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS
org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource
org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource
org.apache.tomcat.util.buf.ByteChunk
org.apache.tomcat.util.descriptor.web.FilterDef
org.apache.tomcat.util.descriptor.web.FilterMap
org.apache.tomcat.util.modeler.BaseModelMBean
org.apache.tomcat.util.modeler.Registry
org.apache.wicket.util.file.Files
org.apache.wicket.util.io.DeferredFileOutputStream
org.apache.wicket.util.io.ThresholdingOutputStream
org.apache.wicket.util.upload.DiskFileItem
org.apache.xalan.lib.sql.JNDIConnectionPool
org.apache.xalan.xslt.ObjectFactory
org.apache.xalan.xslt.Process
org.apache.xalan.xsltc.DOM
org.apache.xalan.xsltc.runtime.AbstractTranslet
org.apache.xalan.xsltc.TransletException
org.apache.xalan.xsltc.trax.TemplatesImpl
org.apache.xalan.xsltc.trax.TransformerFactoryImpl
org.apache.xbean.propertyeditor.JndiConverter
org.apache.xml.dtm.DTMAxisIterator
org.apache.xml.serializer.SerializationHandler
org.arrah.framework.rdbms.UpdatableJdbcRowsetImpl
org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap
org.codehaus.groovy.runtime.ConvertedClosure
org.codehaus.groovy.runtime.MethodClosure
org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool
org.hibernate.engine.spi.TypedValue
org.hibernate.engine.spi.TypedValue$1
org.hibernate.engine.TypedValue
org.hibernate.EntityMode
org.hibernate.jmx.StatisticsService
org.hibernate.property.access.spi.Getter
org.hibernate.property.access.spi.GetterMethodImpl
org.hibernate.property.BasicPropertyAccessor$BasicGetter
org.hibernate.property.Getter
org.hibernate.tuple.component.AbstractComponentTuplizer
org.hibernate.tuple.component.PojoComponentTuplizer
org.hibernate.tuple.entity.EntityEntityModeToTuplizerMapping
org.hibernate.tuple.EntityModeToTuplizerMapping
org.hibernate.type.AbstractType
org.hibernate.type.ComponentType
org.hibernate.type.Type
org.jboss.interceptor.builder.InterceptionModelBuilder
org.jboss.interceptor.builder.MethodReference
org.jboss.interceptor.proxy.DefaultInvocationContextFactory
org.jboss.interceptor.proxy.InterceptorMethodHandler
org.jboss.interceptor.reader.ClassMetadataInterceptorReference
org.jboss.interceptor.reader.DefaultMethodMetadata
org.jboss.interceptor.reader.ReflectiveClassMetadata
org.jboss.interceptor.reader.SimpleInterceptorMetadata
org.jboss.interceptor.spi.context.InvocationContextFactory
org.jboss.interceptor.spi.instance.InterceptorInstantiator
org.jboss.interceptor.spi.metadata.ClassMetadata
org.jboss.interceptor.spi.metadata.InterceptorReference
org.jboss.interceptor.spi.metadata.MethodMetadata
org.jboss.interceptor.spi.model.InterceptionModel
org.jboss.interceptor.spi.model.InterceptionType
org.jboss.remoting3.Channel
org.jboss.remoting3.Connection
org.jboss.remoting3.Endpoint
org.jboss.remoting3.OpenListener
org.jboss.remoting3.remote.HttpUpgradeConnectionProviderFactory
org.jboss.remoting3.Remoting
org.jboss.remoting3.spi.ConnectionHandler
org.jboss.remoting3.spi.ConnectionHandlerContext
org.jboss.remoting3.spi.ConnectionHandlerFactory
org.jboss.util.propertyeditor.DocumentEditor
org.jboss.weld.interceptor.builder.InterceptionModelBuilder
org.jboss.weld.interceptor.builder.MethodReference
org.jboss.weld.interceptor.proxy.DefaultInvocationContextFactory
org.jboss.weld.interceptor.proxy.InterceptorMethodHandler
org.jboss.weld.interceptor.reader.ClassMetadataInterceptorReference
org.jboss.weld.interceptor.reader.DefaultMethodMetadata
org.jboss.weld.interceptor.reader.ReflectiveClassMetadata
org.jboss.weld.interceptor.reader.SimpleInterceptorMetadata
org.jboss.weld.interceptor.spi.context.InvocationContextFactory
org.jboss.weld.interceptor.spi.instance.InterceptorInstantiator
org.jboss.weld.interceptor.spi.metadata.ClassMetadata
org.jboss.weld.interceptor.spi.metadata.InterceptorReference
org.jboss.weld.interceptor.spi.metadata.MethodMetadata
org.jboss.weld.interceptor.spi.model.InterceptionModel
org.jboss.weld.interceptor.spi.model.InterceptionType
org.jdom.Document
org.jdom.Element
org.jdom.input.SAXBuilder
org.jdom.transform.XSLTransformer
org.jdom2.transform.XSLTransformer
org.jsecurity.realm.jndi.JndiRealmFactory
org.mozilla.javascript.Callable
org.mozilla.javascript.ClassCache
org.mozilla.javascript.Context
org.mozilla.javascript.IdScriptableObject
org.mozilla.javascript.MemberBox
org.mozilla.javascript.NativeError
org.mozilla.javascript.NativeJavaArray
org.mozilla.javascript.NativeJavaMethod
org.mozilla.javascript.NativeJavaObject
org.mozilla.javascript.NativeObject
org.mozilla.javascript.Scriptable
org.mozilla.javascript.ScriptableObject
org.mozilla.javascript.tools.shell.Environment
org.python.core.PyBytecode
org.python.core.PyFunction
org.python.core.PyObject
org.python.core.PyString
org.python.core.PyStringMap
org.quartz.utils.JNDIConnectionProvider
org.reflections.Reflections
org.slf4j.ext.EventData
org.springframework.aop.config.MethodLocatingFactoryBean
org.springframework.aop.framework.AdvisedSupport
org.springframework.aop.framework.JdkDynamicAopProxy
org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor
org.springframework.aop.target.SingletonTargetSource
org.springframework.aop.TargetSource
org.springframework.beans.factory.config.BeanReferenceFactoryBean
org.springframework.beans.factory.config.PropertyPathFactoryBean
org.springframework.beans.factory.ObjectFactory
org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler
org.springframework.core.SerializableTypeWrapper.$MethodInvokeTypeProvider
org.springframework.web.servlet.handler.HandlerInterceptorAdapter
org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping
org.springframework.web.servlet.support.RequestContextUtils
org.xnio.FutureResult
org.xnio.IoFuture
org.xnio.OptionMap
org.xnio.Options
org.xnio.Result
org.xnio.ssl.JsseXnioSsl
org.xnio.Xnio
org.xnio.XnioWorker
sun.misc.BASE64Decoder
sun.misc.BASE64Encoder
sun.reflect.annotation.AnnotationInvocationHandler
sun.rmi.server.ActivationGroupImpl
sun.rmi.server.UnicastRef
sun.rmi.server.UnicastServerRef
sun.rmi.transport.LiveRef
sun.rmi.transport.tcp.TCPEndpoint
Originally published on the WeChat official account 360漏洞研究院 (360 Vulnerability Research Institute): 技术前瞻|帆软channel接口反序列化漏洞分析 (Technical Preview | Analysis of the FanRuan channel interface deserialization vulnerability)