Java deserialization/reflection/generate bytecode dynamically

reference:

  • https://mp.weixin.qq.com/s/HskIJZtl4fPRyc2G36JFow

Deserialization vulnerabilities (and the gadget chains that exploit them) lean heavily on reflection, so a quick recap of the basics first.

Creating an object reflectively instead of with an ordinary new:

// First obtain the Class object
Class<?> aClass = Class.forName("org.chabug.entity.ReflectionClass");
// Instantiate an object of that Class
// (Class.newInstance() is deprecated since Java 9; getDeclaredConstructor().newInstance() is the modern form)
Object o = aClass.newInstance();

Ordinary public methods can be invoked directly. Here the setName method is looked up and called with the argument "jack":

Method setName = aClass.getDeclaredMethod("setName", String.class);
setName.invoke(o, "jack");

For a private method one extra step is needed: setAccessible(true) overrides the access check on the method:

Method evil = aClass.getDeclaredMethod("evil", String.class);
evil.setAccessible(true);
evil.invoke(o, "calc");
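The three steps above (obtain the Class, construct an instance, invoke public and then private methods) as one self-contained program. This is an added example, not code from the original post; the Target class stands in for the page's org.chabug.entity.ReflectionClass and is constructed here, and it uses a harmless private method so the access check itself is what is being demonstrated. It also shows that the first call to the private method is refused with IllegalAccessException until setAccessible(true) is applied.

```java
import java.lang.reflect.Method;

// Stand-in for the page's org.chabug.entity.ReflectionClass: a constructed class, not from the page.
// It is a separate top-level class so that ReflectionDemo is not a nestmate and the
// private access check really applies (Java 11+ relaxes it between nestmates).
class Target {
    private String name = "nobody";

    public void setName(String name) {
        this.name = name;
    }

    // Private: from outside this class it is reachable reflectively only after setAccessible(true).
    private String greet(String word) {
        return word + ", " + name;
    }
}

public class ReflectionDemo {

    // Reflective construction: Class.forName plus the non-deprecated
    // getDeclaredConstructor().newInstance() instead of Class.newInstance().
    static Object construct(String className) throws Exception {
        Class<?> aClass = Class.forName(className);
        return aClass.getDeclaredConstructor().newInstance();
    }

    // Public method: looked up and invoked without any access override.
    static void callPublic(Object o) throws Exception {
        Method setName = o.getClass().getMethod("setName", String.class);
        setName.invoke(o, "jack");
    }

    // Private method: the first invoke is rejected by the access check,
    // the second succeeds once setAccessible(true) has been applied.
    static String callPrivate(Object o) throws Exception {
        Method greet = o.getClass().getDeclaredMethod("greet", String.class);
        try {
            greet.invoke(o, "hello");
            throw new AssertionError("expected the private method to be inaccessible");
        } catch (IllegalAccessException expected) {
            // Access check enforced: private members are not callable without setAccessible.
        }
        // For JDK-internal classes on Java 9+ this line would throw InaccessibleObjectException
        // unless the package was opened with --add-opens; for our own class it simply succeeds.
        greet.setAccessible(true);
        return (String) greet.invoke(o, "hello");
    }

    public static void main(String[] args) throws Exception {
        Object o = construct("Target");
        callPublic(o);
        System.out.println(callPrivate(o));
    }
}
```

Compile and run both classes from the same directory (`javac ReflectionDemo.java && java ReflectionDemo`); the private-method call prints the greeting only after the access override, which is exactly the step deserialization gadgets rely on.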

Testing Javassist

Start with a Cqq.java file:

package ysoserial;

public class Cqq {

    public static void main(String[] args){
        System.out.println("test Cqq!");
    }
}

The following code inserts a static initializer block into it (a static block runs when the class is loaded, before main):

import javassist.ClassPool;
import javassist.CtClass;

public static void testJavaAssist2() throws Exception {
    ClassPool pool = ClassPool.getDefault();
    CtClass cc = pool.get(ysoserial.Cqq.class.getName());
    String cmd = "System.out.println(\"evil code\");";
    // Create a static block and insert the code into it
    cc.makeClassInitializer().insertBefore(cmd);
    String randomClassName = "EvilCat" + System.nanoTime();
    // Give the class a random name (which also becomes the file name)
    cc.setName(randomClassName);
    // Write the .class file
    cc.writeFile();
}

After running it, a file named EvilCat17158211564099.class was generated; decompiling it in IDEA yields the following Java code:

//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//

public class EvilCat17158211564099 {

    public EvilCat17158211564099() {
    }

    public static void main(String[] args) {
        System.out.println("test Cqq!");
    }

    static {
        System.out.println("evil code");
    }
}

You can see that the static block has been inserted and that the class name has been changed as well.
Reference:

  • https://b1ngz.github.io/java-deserialization-jdk7u21-gadget-note/

Origin blog.csdn.net/caiqiiqi/article/details/108470039