Notes Site.

post @ 2023-11-17

CC6

Gadget chain

/*
Gadget chain:
java.io.ObjectInputStream.readObject()
java.util.HashSet.readObject()
java.util.HashMap.put()
java.util.HashMap.hash()
org.apache.commons.collections.keyvalue.TiedMapEntry.hashCode()
org.apache.commons.collections.keyvalue.TiedMapEntry.getValue()
org.apache.commons.collections.map.LazyMap.get()
org.apache.commons.collections.functors.ChainedTransformer.transform()
org.apache.commons.collections.functors.InvokerTransformer.transform()
java.lang.reflect.Method.invoke()
java.lang.Runtime.exec()

From:
ysoserial
*/

The rest of the chain is the same as CC1; the focus here is on what changes.

TiedMapEntry

hashCode()

getValue()

Used to reach: LazyMap.get()

post @ 2023-11-15

CC1-LazyMap

Gadget chain

/*
Gadget chain:
ObjectInputStream.readObject()
AnnotationInvocationHandler.readObject()
Map(Proxy).entrySet()
AnnotationInvocationHandler.invoke()
LazyMap.get()
ChainedTransformer.transform()
ConstantTransformer.transform()
InvokerTransformer.transform()
Method.invoke()
Class.getMethod()
InvokerTransformer.transform()
Method.invoke()
Runtime.getRuntime()
InvokerTransformer.transform()
Method.invoke()
Runtime.exec()
From:
ysoserial
*/

The tail of the chain still uses InvokerTransformer, the class that performs the arbitrary command execution; what follows analyses the parts that changed.

LazyMap.get()

Again we look for where transform() is called: transform() is only reached when the requested key is not already present in the map.

Constructor

Declared protected
