Notes Site.

CC3

post @ 2023-11-20

CC3

ClassLoader

defineClass()

image-20231120165750378

TemplatesImpl

defineClass()

default,本类调用

image-20231120171117187

defineTransletClasses()

private,继续找

Read More

CC6

post @ 2023-11-17

CC6

Gadget chain

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
/*
	Gadget chain:
	    java.io.ObjectInputStream.readObject()
            java.util.HashSet.readObject()
                java.util.HashMap.put()
                java.util.HashMap.hash()
                    org.apache.commons.collections.keyvalue.TiedMapEntry.hashCode()
                    org.apache.commons.collections.keyvalue.TiedMapEntry.getValue()
                        org.apache.commons.collections.map.LazyMap.get()
                       		org.apache.commons.collections.functors.ChainedTransformer.transform()
                       		org.apache.commons.collections.functors.InvokerTransformer.transform()
                            java.lang.reflect.Method.invoke()
                                java.lang.Runtime.exec()

    From:
    	ysoserial
*/

后面跟CC1一样,关注变化

TiedMapEntry

hashCode()

image-20231117203128744

getValue()

利用成:LazyMap.get()

image-20231117203125346

Read More
⬆︎TOP