The previous gadget chains all used commons-collections 3.x, so let's look at the exploitation paths available in 4.x and analyse CC4, CC2, CC5 and CC7.
Reproduction setup: add the dependency to pom.xml (the CC4 version).
CC2 does not trigger class loading by instantiating TrAXFilter; it uses InvokerTransformer instead.
PriorityQueue#readObject
→ PriorityQueue#heapify
→ PriorityQueue#siftDown
→ PriorityQueue#siftDownUsingComparator
→ TransformingComparator#compare
→ InvokerTransformer#transform
→ TemplatesImpl#newTransformer
→ TemplatesImpl#getTransletInstance
→ TemplatesImpl#defineTransletClasses
→ TransletClassLoader#defineClass
CC4 can be seen as a rework of CC2, replacing InvokerTransformer with InstantiateTransformer.
PriorityQueue#readObject
→ PriorityQueue#heapify
→ PriorityQueue#siftDown
→ PriorityQueue#siftDownUsingComparator
→ TransformingComparator#compare
→ ChainedTransformer#transform
→ ConstantTransformer#transform
→ InstantiateTransformer#transform
→ TrAXFilter#<init> (constructor with arguments)
→ TemplatesImpl#newTransformer
→ TemplatesImpl#getTransletInstance
→ TemplatesImpl#defineTransletClasses
→ TransletClassLoader#defineClass
CC5 is essentially the same as CC1, with the entry point replaced by BadAttributeValueExpException.
Gadget chain:
ObjectInputStream.readObject()
  BadAttributeValueExpException.readObject()
    TiedMapEntry.toString()
      LazyMap.get()
        ChainedTransformer.transform()
          ConstantTransformer.transform()
          InvokerTransformer.transform()
            Method.invoke()
              Class.getMethod()
          InvokerTransformer.transform()
            Method.invoke()
              Runtime.getRuntime()
          InvokerTransformer.transform()
            Method.invoke()
              Runtime.exec()
CC7 is essentially the same as CC1, with the entry point replaced by Hashtable.
Gadget chain:
Hashtable.readObject
  Hashtable.reconstitutionPut
    AbstractMapDecorator.equals
      AbstractMap.equals
        LazyMap.get
          ChainedTransformer.transform
            ConstantTransformer.transform
            InvokerTransformer.transform
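Added defensive example (not part of the original notes): a JEP 290 ObjectInputFilter that cuts every chain listed above at the Commons Collections Comparator/Transformer classes and at TemplatesImpl, while leaving the java.base entry classes (PriorityQueue, Hashtable) usable. The class names come from the chains above; the pattern string, the logging wrapper and the demo inputs are my own construction.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;
public class GadgetChainFilterDemo {
    // Allow-list posture in JEP 290 pattern syntax: reject both Commons Collections
    // packages, TemplatesImpl and the CC5 entry class, allow the java.base module,
    // reject everything else. PriorityQueue/Hashtable stay allowed on purpose.
    static final ObjectInputFilter CC_FILTER = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.collections.**;"
          + "!org.apache.commons.collections4.**;"
          + "!com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;"
          + "!javax.management.BadAttributeValueExpException;"
          + "maxdepth=20;"
          + "java.base/*;"
          + "!*");
    // Wraps CC_FILTER so each rejected class name is logged: a detection signal.
    static final ObjectInputFilter LOGGING_FILTER = info -> {
        ObjectInputFilter.Status st = CC_FILTER.checkInput(info);
        if (st == ObjectInputFilter.Status.REJECTED && info.serialClass() != null) {
            System.err.println("blocked class: " + info.serialClass().getName());
        }
        return st;
    };
    static Object safeReadObject(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(LOGGING_FILTER); // per-stream filter, Java 9+
            return ois.readObject();
        }
    }
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        ArrayList<String> benign = new ArrayList<>(List.of("a", "b"));
        System.out.println("allowed: " + safeReadObject(serialize(benign)));
        // CC5's entry class from this page, serialized on its own as a filter test input.
        Serializable entry = new javax.management.BadAttributeValueExpException("x");
        try {
            safeReadObject(serialize(entry));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // filter status: REJECTED
        }
    }
}
```

The same pattern string can be set process-wide with the jdk.serialFilter system property instead of per stream.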
Open questions
- 59:00:00 ~ analysis of the CC5 chain