Comments on Orange: Pwn a CTF Platform with Java JRMP Gadget
Feed author: Orange Tsai (http://www.blogger.com/profile/02779986309373771735)
Last updated: 2024-03-15T14:06:19.970+08:00
21 comments, newest first.

2021-03-08T00:12:05.369+08:00, Anonymous:
The article on rai4over.cn is the correct explanation.

2020-06-25T11:38:36.455+08:00, Anonymous (https://www.blogger.com/profile/01675405837888905820):
In the JDK, ClassLoader.loadClass indeed does not support arrays, but that is not the case in Shiro: you can see that arrays such as [Ljava.lang; can be loaded. Shiro's loadClass eventually jumps into the Tomcat context and executes Class.forName, so this should have nothing to do with loadClass. However, the JDK and Tomcat classpaths are independent of each other, so third-party cc cannot be loaded in the Tomcat context; adding a Tomcat startup setting, or setting the loader, is enough.
http://www.rai4over.cn/2020/Shiro-1-2-4-RememberMe%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90-CVE-2016-4437/#%E8%B7%B3%E5%9D%91

2019-08-11T14:51:46.827+08:00, Anonymous (https://www.blogger.com/profile/12855048551329468780):
JRMP, as described in the article, works.

2019-03-28T03:43:09.794+08:00, drop:
Here is the question: in an environment without commons-collections, is the only option to dig up deserialization gadgets in the dependency libraries yourself?

2018-04-10T18:36:41.160+08:00, intx0x80 (https://www.blogger.com/profile/06870105569133267086):
Nice Sh00t

2018-03-27T16:09:32.797+08:00, Orange Tsai (https://www.blogger.com/profile/02779986309373771735):
"Cherish your life, read fewer second-hand articles" XDDD
I hadn't noticed that he added commons-collections4 himself; no wonder his RCE looked as easy as drinking water...

2018-03-27T16:01:55.368+08:00, zsx (https://www.zsxsoft.com):
I looked carefully into the cause. It is indeed the array issue, but it is actually due to a buggy implementation in Tomcat's ClassLoader... I just wrote an article describing the cause I finally debugged: https://blog.zsxsoft.com/post/35

2018-03-27T14:39:04.979+08:00, Orange Tsai (https://www.blogger.com/profile/02779986309373771735):
That's right, yes!

2018-03-27T14:29:57.375+08:00, Anonymous:
Very impressive, following. But I have a question: for the URLDNS payload described above, at which point is the callback triggered? Or does the exploit set the payload into the cookie and then rely on Shiro's readObject?

2018-03-27T10:36:41.136+08:00, zsx (https://www.zsxsoft.com):
I see, learned something... I set another breakpoint: cl.loadClass is the one at #L228; it defines forName as loadClass... It should be for the same reason as described in this link: https://stackoverflow.com/questions/30406524/loading-an-array-with-a-classloader

2018-03-27T10:18:12.097+08:00, Orange Tsai (https://www.blogger.com/profile/02779986309373771735):
Updated! Thanks again XD

2018-03-27T10:04:28.547+08:00, Orange Tsai (https://www.blogger.com/profile/02779986309373771735):
I just took a look: Shiro defines its own ClassUtil.forName, and its implementation does indeed use loadClass
https://github.com/apache/shiro/blob/8acc82ab4775b3af546e3bbde928f299be62dc23/lang/src/main/java/org/apache/shiro/util/ClassUtils.java#L129

I didn't trace the code wrong, did I XD? I'll update the article later!

2018-03-27T10:02:57.854+08:00, Orange Tsai (https://www.blogger.com/profile/02779986309373771735):
Ohhh!!! Thanks for clearing that up!

2018-03-27T09:23:33.029+08:00, Anonymous:
Shiro's resolveClass uses ClassLoader.loadClass() rather than Class.forName(), and ClassLoader.loadClass does not support loading array-type classes.

2018-03-27T02:34:58.700+08:00, Orange Tsai (https://www.blogger.com/profile/02779986309373771735):
And the reason URLDNS and JRMPClient work should also be that their implementations don't use Transformer XD
Respectively at
https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/JRMPClient.java
and
https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/URLDNS.java

2018-03-27T02:29:45.753+08:00, Orange Tsai (https://www.blogger.com/profile/02779986309373771735):
Mainly the "What made the ysoserial payloads fail?" section at https://bling.kapsi.fi/blog/jvm-deserialization-broken-classldr.html!

2018-03-27T02:24:57.696+08:00, Orange Tsai (https://www.blogger.com/profile/02779986309373771735):
But it feels like Shiro messed with the ClassLoader and that's why this problem exists? Pulling Shiro's DefaultSerializer out into a standalone Java program and running the serialization there hits the same problem!

2018-03-27T02:21:17.888+08:00, Orange Tsai (https://www.blogger.com/profile/02779986309373771735):
I've updated it a bit; is your error message `Unable to deserialize argument byte array`?

2018-03-27T01:48:53.266+08:00, zsx (https://www.zsxsoft.com):
The ClassLoader issue doesn't seem to be Shiro's problem. I traced it for a long time the night before last: it's the ClassLoader in rt.jar in the JRE looking for a certain class. ChainedTransformer can be found normally, but "[Lorg.apache.common.collections.Transformer;" cannot. From this JVM marker it looks like Transformer[]; to dig further into why it can't be found you'd have to go into the JVM's internal implementation...

2018-03-26T23:30:48.982+08:00, Anonymous:
Impressive, impressive

2018-03-26T22:08:08.024+08:00, Anonymous (https://www.blogger.com/profile/00097048863966056717):
Beautiful!