wh1t3p1g / ysomap

A helpful Java Deserialization exploit framework.
Apache License 2.0

Hessian XString deserialisation stack trace #50

Closed br-sn closed 1 year ago

br-sn commented 1 year ago

When using several of the Hessian deserialisation payloads against a hessian endpoint, the tomcat server responds with the following stack trace:

java.lang.ClassCastException: com.sun.org.apache.xpath.internal.objects.XString cannot be cast to java.lang.String
    javax.naming.ldap.Rdn$RdnEntry.getValueComparable(Rdn.java:481)
    javax.naming.ldap.Rdn$RdnEntry.compareTo(Rdn.java:444)
    javax.naming.ldap.Rdn$RdnEntry.compareTo(Rdn.java:420)
    java.util.TreeMap.put(TreeMap.java:568)
    java.util.TreeSet.add(TreeSet.java:255)
    com.caucho.hessian.io.CollectionDeserializer.readList(CollectionDeserializer.java:78)
    com.caucho.hessian.io.SerializerFactory.readList(SerializerFactory.java:341)
    com.caucho.hessian.io.Hessian2Input.readObject(Hessian2Input.java:1945)
    com.caucho.hessian.server.HessianSkeleton.invoke(HessianSkeleton.java:131)
    com.caucho.hessian.server.HessianSkeleton.invoke(HessianSkeleton.java:109)
    com.caucho.hessian.server.HessianServlet.service(HessianServlet.java:396)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

wh1t3p1g commented 1 year ago

This stack trace is expected; the payload has already been triggered. RdnEntry goes through compareTo -> equals

br-sn commented 1 year ago

Interesting - my payload didn't fire though. Any suggestions on how to get it to fire based on that stack trace?

wh1t3p1g commented 1 year ago
  1. How did you generate the current payload? Was it generated with the Hessian2 type?
  2. How are you exploiting it? Have you considered the case where the target environment has no outbound network access?

br-sn commented 1 year ago

Thank you for your response.

  1. it is generated using various payloads, all with the same stack trace:
    ysomap payload(SpringPartiallyComparableAdvisorHolder) bullet(SpringJndiBullet1) > show options
    [+] [2023-05-23 08:15:08] print current session settings!
    [2023-05-23 08:15:08] Current Payload: SpringPartiallyComparableAdvisorHolder
    [2023-05-23 08:15:08] Current SerializeType: hessian
    [2023-05-23 08:15:08] Current Serializer Encoder: null
    [2023-05-23 08:15:08] Current Serializer Output Type: file
    [2023-05-23 08:15:08] Current Serializer serialVersionUID: null
    [2023-05-23 08:15:08] Current Bullet: SpringJndiBullet1

if I use hessian2 as the serializerType I get the following error:

javax.servlet.ServletException: com.caucho.hessian.io.HessianProtocolException: expected hessian method ('m') at 0x43 (C)
    com.caucho.hessian.server.HessianServlet.service(HessianServlet.java:404)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

Root Cause

com.caucho.hessian.io.HessianProtocolException: expected hessian method ('m') at 0x43 (C)
    com.caucho.hessian.io.Hessian2Input.error(Hessian2Input.java:2705)
    com.caucho.hessian.io.Hessian2Input.readMethod(Hessian2Input.java:265)
    com.caucho.hessian.server.HessianSkeleton.invoke(HessianSkeleton.java:136)
    com.caucho.hessian.server.HessianSkeleton.invoke(HessianSkeleton.java:109)
    com.caucho.hessian.server.HessianServlet.service(HessianServlet.java:396)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

  2. The target definitely has internet connectivity.

wh1t3p1g commented 1 year ago

Judging from the stack trace, the error looks like the hessian2 type. Try the following steps again:

  1. git clone ysomap
  2. Edit pom.xml in the core directory

    change sofa-hessian to caucho-hessian

  3. Keep the original configuration and try again

wh1t3p1g commented 1 year ago

It needs to be packaged in a JDK 8 environment.