yso-cc5_java cc5

yso-cc5
1.从入口看

关键类BadAttributeValueExpException。

BadAttributeValueExpException类的readobject，调用 val = valObj.toString()
val已被赋值为TiedMapEntry类，toString方法如下：

 public String toString() {
        return this.getKey() + "=" + this.getValue();
    }
    //调用getValue()方法如下
        public Object getValue() {
        return this.map.get(this.key);
    }
    //this.map 被赋值为lazyMap ，
    //	final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
1
2
3
4
5
6
7
8
9

lazyMap .class中方法实现如下：
1

     public static Map decorate(Map map, Transformer factory) {
        return new LazyMap(map, factory);
    }

    protected LazyMap(Map map, Factory factory) {
        super(map);
        if (factory == null) {
            throw new IllegalArgumentException("Factory must not be null");
        } else {
            this.factory = FactoryTransformer.getInstance(factory);
        }
    }
    
1
2
3
4
5
6
7
8
9
10
11
12
13

LazyMap的get方法，触发了transform方法。

    public Object get(Object key) {
        if (!super.map.containsKey(key)) {
            Object value = this.factory.transform(key);
            super.map.put(key, value);
            return value;
        } else {
            return super.map.get(key);
        }
    }
1
2
3
4
5
6
7
8
9

this.factory被赋值transform链，触发
jdk7中测试发现BadAttributeValueExpException类的tostring方法,无法触发漏洞

 public String toString()  {
      return "BadAttributeValueException: " + val;
  }
  ```
1
2
3
4