0x03反射-补充零散知识点
文章目录
向大佬致敬: https://drun1baby.top
Runtime
类中有 exec
方法,可以用来命令执行。
一般情况下,我们使用反射机制不能对类的私有 private
字段进行操作,绕过私有权限的访问
package IOStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Map;
public class FileStreamTest {
public static void main(String[] args){
InputStream inputStream = null;
try {
//命令执行方法1
// inputStream = Runtime.getRuntime().exec("whoami").getInputStream();
//命令执行方法2
// inputStream = new ProcessBuilder("calc").start().getInputStream();
//命令执行方法3 反射间接调用
String[] cmds = new String[]{"calc"};
Class clazz = Class.forName("java.lang.ProcessImpl");
Method method = clazz.getDeclaredMethod("start", String[].class, Map.class, String.class, ProcessBuilder.Redirect[].class, boolean.class);
method.setAccessible(true);
Process e = (Process) method.invoke(null, cmds, null, ".", null, true);
inputStream = e.getInputStream();
} catch (ClassNotFoundException | NoSuchMethodException e) {
e.printStackTrace();
} catch (InvocationTargetException e) {
e.printStackTrace();
} catch (IllegalAccessException e) {
e.printStackTrace();
}
byte[] cache = new byte[1024]; //cache缓存
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
int readLen = 0;
while(true){
try {
if (!((readLen = inputStream.read(cache)) != -1)) break;
} catch (IOException e) {
e.printStackTrace();
}
byteArrayOutputStream.write(cache, 0, readLen);
}
//输出上面exec命令执行的结果
System.out.println(byteArrayOutputStream);
}
}
try catch中的内容是自动生成的
直接赋值
FinalPerson:
package ReflectPlus.pojo;
public class FinalPerson {
private final String name = "happySu";
public final int age = 18;
public void printInfo(){
System.out.println(name +" " + age);
}
}
FinalReflect:
package ReflectPlus.Service;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
public class FinalReflection {
public static void main(String[] args){
try{
//直接引入包的位置 不要再加src了
Class c = Class.forName("ReflectPlus.pojo.FinalPerson");
Object m = c.newInstance();
Method printMethod = c.getDeclaredMethod("printInfo");
printMethod.invoke(m);
Field nameField = c.getDeclaredField("name");
Field ageField = c.getDeclaredField("age");
nameField.setAccessible(true);
ageField.setAccessible(true);
System.out.println("================");
nameField.set(m,"111");
ageField.set(m,12);
printMethod.invoke(m);
}catch (Exception e){
e.printStackTrace();
}
}
}
但是根本无法修改成功 永远18!
Person:
package ReflectPlus.pojo;
public class InDirectPerson {
private final StringBuilder sex = new StringBuilder("male");
public final int age = (null != null ? 18 : 18);
//构造函数方法赋值
private final String name;
public InDirectPerson(){
name = "happy";
}
public void printInfo(){
System.out.println(name + " " + age + " " + sex);
}
}
Reflect:
package ReflectPlus.Service;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
public class InDirectReflect {
public static void main(String[] args){
try{
//调用
Class c = Class.forName("ReflectPlus.pojo.InDirectPerson");
Object m = c.newInstance();
Method printMethod = c.getDeclaredMethod("printInfo");
printMethod.invoke(m);
System.out.println("=================");
//修改
Field nameField = c.getDeclaredField("name");
Field ageField = c.getDeclaredField("age");
Field sexField = c.getDeclaredField("sex");
nameField.setAccessible(true);
ageField.setAccessible(true);
sexField.setAccessible(true);
nameField.set(m, "newhappy");
ageField.set(m,180);
sexField.set(m,new StringBuilder("female"));
printMethod.invoke(m);
}catch(Exception e){
e.printStackTrace();
}
}
}
直接成功
一点点想法:
这样看来能否修改成功的关键 不在于我们Reflect类是怎么写怎么构造的,而是Person类本身的情况
Person:
package ReflectPlus.pojo;
public class StaticFinalPerson {
static final StringBuilder name = new StringBuilder("happySu");
public void printInfo(){
System.out.println(name);
}
}
Reflect:
package ReflectPlus.Service;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
public class StaticFinalReflect {
public static void main(String[] args){
try{
//调用
Class c = Class.forName("ReflectPlus.pojo.StaticFinalPerson");
Object m = c.newInstance();
Method printMethod = c.getDeclaredMethod("printInfo");
printMethod.invoke(m);
//修改
Field nameField = c.getDeclaredField("name");
nameField.setAccessible(true);
Field nameModifyField = nameField.getClass().getDeclaredField("modifiers");
nameModifyField.setAccessible(true);
nameModifyField.setInt(nameField, nameField.getModifiers() & ~Modifier.FINAL);
nameField.set(m, new StringBuilder("newhappy"));
nameModifyField.setInt(nameField, nameField.getModifiers() & ~Modifier.FINAL);
printMethod.invoke(m);
}catch(Exception e){
e.printStackTrace();
}
}
}
在原始情况下 是无法利用的
报错解决
看到无法调用private的变量 发现修改的时候粗心了
成功