大家好,又见面了,我是全栈君,祝每个程序员都可以多学几门语言。
Java安全之挖掘回显链
0x00 前言
前文中叙述反序列化回显只是为了拿到Request和Response对象。在这里说的的回显链其实就是通过一连串反射代码获取到该Request对象。
在此之前想吹爆一个项目,Java Object Searcher项目地址。
0x01 回显链挖掘
借助Java Object Searche工具根据工具说明文档,在tomcat中下断点,然后在IDEA的Evaluate中执行索引语句。
TargetObject = {org.apache.tomcat.util.threads.TaskThread}
---> group = {java.lang.ThreadGroup}
---> threads = {class [Ljava.lang.Thread;}
---> [14] = {java.lang.Thread}
---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
---> global = {org.apache.coyote.RequestGroupInfo}
根据得出结果在Evaluate中进行查看
获取group
编写代码获取该对象
Field group = Class.forName("org.apache.tomcat.util.threads.TaskThread").getDeclaredField("group");
group.setAccessible(true);
ThreadGroup threadGroup = (ThreadGroup) group.get(thread);
获取测试错误了,其原因是因为org.apache.tomcat.util.threads.TaskThread中并没有group变量,该类继承了Thread类, 该变量在Thread类中。
Field group = Class.forName("java.lang.Thread").getDeclaredField("group");
group.setAccessible(true);
ThreadGroup threadGroup = (ThreadGroup) group.get(thread);
获取成功。
获取thread
ThreadGroup threadGroup = (ThreadGroup) group.get(thread);
Field threads = Class.forName("java.lang.ThreadGroup").getDeclaredField("threads");
threads.setAccessible(true);
Thread[] thread1 = (Thread[])threads.get(threadGroup);
获取target
发现thread并不是每一次都是14,需要这里采用获取线程名称进行定位对于的thread。
if (thread2.getName().contains("http-nio")&&thread2.getName().contains("ClientPoller-1"))
最终代码
package com;
import org.apache.coyote.RequestGroupInfo;
import org.apache.coyote.RequestInfo;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.lang.reflect.Field;
//TargetObject = {org.apache.tomcat.util.threads.TaskThread}
// ---> group = {java.lang.ThreadGroup}
// ---> threads = {class [Ljava.lang.Thread;}
// ---> [14] = {java.lang.Thread}
// ---> target = {org.apache.tomcat.util.net.NioEndpoint$Poller}
// ---> this$0 = {org.apache.tomcat.util.net.NioEndpoint}
// ---> handler = {org.apache.coyote.AbstractProtocol$ConnectionHandler}
// ---> global = {org.apache.coyote.RequestGroupInfo}
@WebServlet("/test2Servlet")
public class test2Servlet extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
Thread thread = Thread.currentThread();
try {
Class<?> aClass = Class.forName("java.lang.Thread");
Field group = aClass.getDeclaredField("group");
group.setAccessible(true);
ThreadGroup threadGroup = (ThreadGroup) group.get(thread);
Field threads = Class.forName("java.lang.ThreadGroup").getDeclaredField("threads");
threads.setAccessible(true);
Thread[] thread1 = (Thread[])threads.get(threadGroup);
for (Thread thread2 : thread1) {
if (thread2.getName().contains("http-nio")&&thread2.getName().contains("ClientPoller-1")){
Field target = Class.forName("java.lang.Thread").getDeclaredField("target");
target.setAccessible(true);
Object o = target.get(thread2);
Field this$0 = o.getClass().getDeclaredField("this$0");
this$0.setAccessible(true);
Object o1 = this$0.get(o);
Field handler = Class.forName("org.apache.tomcat.util.net.AbstractEndpoint").getDeclaredField("handler");
handler.setAccessible(true);
Object handler1 = handler.get(o1);
Field global = handler1.getClass().getDeclaredField("global");
global.setAccessible(true);
RequestGroupInfo requestGroupInfo = (RequestGroupInfo)global.get(handler1);
Field processors = Class.forName("org.apache.coyote.RequestGroupInfo").getDeclaredField("processors");
processors.setAccessible(true);
java.util.List<RequestInfo> RequestInfo_list = (java.util.List<RequestInfo>) processors.get(requestGroupInfo);
Field req = Class.forName("org.apache.coyote.RequestInfo").getDeclaredField("req");
req.setAccessible(true);
for (RequestInfo requestInfo : RequestInfo_list) {
org.apache.coyote.Request request1 = (org.apache.coyote.Request) req.get(requestInfo);
org.apache.catalina.connector.Request request2 = ( org.apache.catalina.connector.Request)request1.getNote(1);
org.apache.catalina.connector.Response response2 = request2.getResponse();
response2.getWriter().write("Success!!!");
}
}
}
// for (Thread thread2 : thread1) {
// System.out.println(thread2.getName());
// }
// if ()
// thread1[14]
// Field target = Class.forName("java.lang.Thread").getDeclaredField("target");
// target.setAccessible(true);
// Runnable runnable = (Runnable)target.get(thread1[13]);
} catch (ClassNotFoundException e) {
e.printStackTrace();
} catch (NoSuchFieldException e) {
e.printStackTrace();
} catch (IllegalAccessException e) {
e.printStackTrace();
}
}
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
this.doPost(request, response);
}
}
Reference
0x02 结尾
其他中间件也是同理,设置筛选条件。然后定位request进行一步步的反射获取即可。再次吹爆该项目。目前只会简单使用,其他用法待研究。
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请联系我们举报,一经查实,本站将立刻删除。
发布者:全栈程序员-站长,转载请注明出处:https://javaforall.net/119867.html原文链接:https://javaforall.net
