Commons-beanutils: an analysis of the Java deserialization chain

2025-04-12 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

The TemplatesImpl class is serializable and has a field named _bytecodes; the byte arrays stored there are loaded as classes by the defineTransletClasses function:

The call chain is as follows:

Put simply, as long as the getOutputProperties function can be called, the constructor of the class stored in _bytecodes will be executed (this class is supplied by * *).

The first part of Payload:

Create a BeanComparator object, pass it as the comparator when constructing a PriorityQueue, and add two BigInteger objects to the queue as placeholders.

Then, via reflection, set the comparator's property field (the bean property it will compare) to outputProperties.

The second part of Payload:

Via reflection, the objects stored in the queue's internal array are replaced with the templates object that carries the built-in * * code.

Return the queue and serialize it to produce the payload data.

Vulnerability trigger logic:

When the queue is deserialized, the readObject function of PriorityQueue reads the elements from the serialized data in turn and places them into the queue, then calls the heapify function to restore heap order.

Eventually the siftDownUsingComparator function is reached, and it calls the comparator's compare method:

Inside compare, the getter for the configured property is invoked on the objects being compared: o1 and o2 are the templates objects inserted earlier, and this.property is the outputProperties value set via reflection. So TemplatesImpl's getOutputProperties function is ultimately called, triggering execution of the POC code:
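Because every step of this chain runs inside readObject(), the defensive counterpart is to reject the gadget classes before their descriptors are resolved. The following is an added example, not code from the article: a JEP 290 ObjectInputFilter (Java 9+) that denies TemplatesImpl, BeanComparator and PriorityQueue and caps stream nesting; the deny-list policy and the sample inputs are this example's own assumptions.

```java
import java.io.*;
import java.util.*;

// Added example (not the article's code): a JEP 290 ObjectInputFilter; the policy is an assumption.
public class GadgetChainFilterDemo {

    // Deny the chain's classes and cap nesting/array/reference counts. The real class
    // names are used; an allow-list ending in "!*" is the stricter production choice.
    static final ObjectInputFilter CHAIN_FILTER = ObjectInputFilter.Config.createFilter(
            "!com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;"
          + "!org.apache.commons.beanutils.BeanComparator;"
          + "!java.util.PriorityQueue;"
          + "maxdepth=16;maxarray=100000;maxrefs=10000");

    // A denied class makes ObjectInputStream throw InvalidClassException when its
    // descriptor is read, before PriorityQueue.readObject()/heapify() can run.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(CHAIN_FILTER);
            return in.readObject();
        }
    }

    static boolean isAccepted(byte[] data) throws IOException, ClassNotFoundException {
        try {
            readFiltered(data);
            return true;
        } catch (InvalidClassException e) {   // message: "filter status: REJECTED"
            return false;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: an ArrayList the application expects, and a PriorityQueue,
        // the container whose readObject() triggers the chain, which it does not expect.
        List<String> expected = new ArrayList<>(List.of("a", "b"));
        PriorityQueue<Integer> queue = new PriorityQueue<>(List.of(2, 1));
        System.out.println("ArrayList accepted:     " + isAccepted(serialize(expected)));
        System.out.println("PriorityQueue accepted: " + isAccepted(serialize(queue)));
    }
}
```

The same filter can be installed process-wide with the jdk.serialFilter system property instead of per stream, which also covers deserialization paths the application does not own.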
