The chains covered so far all use commons-collections 3.x. This part looks at what can be exploited with the 4.x line, analysing CC4 and CC2, plus CC5 and CC7.

Reproduction setup: add the dependency to pom.xml (CC 4.x version):

    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-collections4</artifactId>
        <version>4.0</version>
    </dependency>

CC2

CC2 does not trigger class loading by instantiating TrAXFilter; it uses InvokerTransformer instead, which calls TemplatesImpl#newTransformer directly.

Gadget chain:

    PriorityQueue#readObject
        PriorityQueue#heapify
            PriorityQueue#siftDown
                PriorityQueue#siftDownUsingComparator
                    TransformingComparator#compare
                        InvokerTransformer#transform
                            TemplatesImpl#newTransformer
                                TemplatesImpl#getTransletInstance
                                    TemplatesImpl#defineTransletClasses
                                        TransletClassLoader#defineClass

CC4

CC4 can be seen as a modification of CC2: InstantiateTransformer replaces InvokerTransformer, so class loading is triggered through the TrAXFilter constructor again.

Gadget chain:

    PriorityQueue#readObject
        PriorityQueue#heapify
            PriorityQueue#siftDown
                PriorityQueue#siftDownUsingComparator
                    TransformingComparator#compare
                        ChainedTransformer#transform
                            ConstantTransformer#transform
                            InstantiateTransformer#transform
                                TrAXFilter constructor (with arguments)
                                    TemplatesImpl#newTransformer
                                        TemplatesImpl#getTransletInstance
                                            TemplatesImpl#defineTransletClasses
                                                TransletClassLoader#defineClass

CC5

Essentially the same as CC1; the entry point is changed to BadAttributeValueExpException.

Gadget chain:

    ObjectInputStream.readObject()
        BadAttributeValueExpException.readObject()
            TiedMapEntry.toString()
                LazyMap.get()
                    ChainedTransformer.transform()
                        ConstantTransformer.transform()
                        InvokerTransformer.transform()
                            Method.invoke()
                                Class.getMethod()
                        InvokerTransformer.transform()
                            Method.invoke()
                                Runtime.getRuntime()
                        InvokerTransformer.transform()
                            Method.invoke()
                                Runtime.exec()

CC7

Essentially the same as CC1; the entry point is changed to Hashtable.

Gadget chain:

    Hashtable.readObject
        Hashtable.reconstitutionPut
            AbstractMapDecorator.equals
                AbstractMap.equals
                    LazyMap.get
                        ChainedTransformer.transform
                            ConstantTransformer.transform
                            InvokerTransformer.transform
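Every chain above starts from a JDK entry class (PriorityQueue, BadAttributeValueExpException, Hashtable) and only becomes dangerous once the stream names a commons-collections Transformer or TemplatesImpl. On the defensive side, the standard control for this is a JEP 290 deserialization filter (java.io.ObjectInputFilter, Java 9+). The following is an added example written for these notes, not code from the original page or from any of the projects mentioned; the class name DeserializationFilterDemo and the pattern string are my own choices, and the samples it serializes are constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.PriorityQueue;
import javax.management.BadAttributeValueExpException;

public class DeserializationFilterDemo {

    // Filter pattern (assumed policy for this demo): first reject the packages
    // and classes the CC2/CC4/CC5/CC7 chains depend on, then allow only the
    // JDK packages this application expects, and reject everything else ("!*").
    // maxdepth bounds object-graph nesting, which the PriorityQueue/LazyMap
    // chains rely on being unrestricted. First matching pattern wins.
    static final ObjectInputFilter GADGET_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;"
          + "!org.apache.commons.collections4.**;"
          + "!org.apache.commons.collections.**;"
          + "!com.sun.org.apache.xalan.internal.xsltc.trax.**;"
          + "!javax.management.BadAttributeValueExpException;"
          + "java.util.**;java.lang.**;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The filter is consulted for every class descriptor before the class is
    // resolved, so a rejected entry point never reaches readObject().
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(GADGET_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a plain PriorityQueue of Integers is allowed
        // (java.util.** and java.lang.** match before "!*").
        PriorityQueue<Integer> pq = new PriorityQueue<>();
        pq.add(3);
        pq.add(1);
        System.out.println("accepted: " + deserializeFiltered(serialize(pq)));

        // Constructed sample 2: the CC5 entry class is explicitly denied, so the
        // stream is rejected with InvalidClassException ("filter status: REJECTED")
        // before any nested object is read.
        byte[] denied = serialize(new BadAttributeValueExpException("constructed sample"));
        try {
            deserializeFiltered(denied);
            System.out.println("unexpected: stream was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be applied process-wide with the jdk.serialFilter system property instead of per stream; an allow-list with a final "!*" is the robust form, since a pure deny-list has to be updated for every new gadget library, whereas the deny entries here are only there to document which chains the policy is meant to stop.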

0.1 Open questions

  • 59:00:00 ~ analysis of the CC5 chain