Principles of the CB1 chain
1. Call-chain analysis
JDK file PriorityQueue.java
~> PriorityQueue.java#readObject (ships with the JDK; search for PriorityQueue, expand its structure, search for readObject) [PriorityQueue.java]
~> heapify [PriorityQueue.java]
~> siftDown (requires size >= 2) [PriorityQueue.java]
~> siftDownUsingComparator [PriorityQueue.java]
~> comparator.compare; click on comparator [PriorityQueue.java]
~> Comparator<? super E> comparator; click on Comparator. It lives in the same package as Comparator.java, so it is used directly without an import [PriorityQueue.java]
~> Comparator
CB chain: the jar class file BeanComparator.class
~> Open the interface, find BeanComparator.class and jump to it (a class file from a jar; it comes from org.apache.commons.beanutils) [BeanComparator.class]
How the chain interacts with TemplatesImpl.java
~> Back to if (comparator.compare(x, (E) e) >= 0) [PriorityQueue.java]
~> Key idea: BeanComparator.compare. Search the structure of BeanComparator.class for compare, and note that the this.property condition must be non-null [BeanComparator.class]
~> PropertyUtils.getProperty [BeanComparator.class]
~> Key idea: TemplatesImpl#getOutputProperties(); let o1 = TemplatesImpl and this.property be the property to read [BeanComparator.class]
~> Search for TemplatesImpl, click Scope, *, and locate getOutputProperties in the class structure.
~> newTransformer().getOutputProperties(); click newTransformer() [TemplatesImpl.java]
~> getTransletInstance() [TemplatesImpl.java]
~> defineTransletClasses() [TemplatesImpl.java]
~> loader.defineClass(_bytecodes[i])
~> Loading the bytecode triggers the RCE code block
2. Conditions to control
Condition 1: size >= 2
Condition 2: comparator != null
Condition 3: property != null
Condition 4: o1 = TemplatesImpl, this.property = outputProperties
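The conditions above all assume that the deserializer is willing to resolve BeanComparator and TemplatesImpl in the first place. As an added example (not part of these notes), a guarded ObjectInputStream that refuses exactly those classes, so the chain stops before PriorityQueue.readObject ever reaches comparator.compare; it assumes Java 9+ for ObjectInputFilter, and the depth/ref/byte limits are illustrative values to tune per application.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

/** Deserialization guard against the CB1 chain (added example, Java 9+). */
public class Cb1DeserializationGuard extends ObjectInputStream {

    // The two gadget classes the chain traces through; real class names.
    private static final Set<String> DENIED = Set.of(
            "org.apache.commons.beanutils.BeanComparator",
            "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");

    // JEP 290 filter: reject both gadget packages and cap the object graph.
    // The numeric limits are assumptions; an allowlist ("...;!*") is stronger
    // than this denylist once the application's own classes are known.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.beanutils.**;"
          + "!com.sun.org.apache.xalan.internal.xsltc.trax.**;"
          + "maxdepth=20;maxrefs=1000;maxbytes=65536");

    public Cb1DeserializationGuard(InputStream in) throws IOException {
        super(in);
        setObjectInputFilter(FILTER);
    }

    // Second line of defence: block the class before it is resolved, so that
    // BeanComparator.compare / TemplatesImpl.getOutputProperties never run.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (DENIED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(),
                    "blocked by deserialization policy");
        }
        return super.resolveClass(desc);
    }
}
```

Because PriorityQueue.readObject reads the comparator field before calling heapify, the rejected class raises InvalidClassException first and siftDownUsingComparator is never reached.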
3. Open question
I cannot work out why PriorityQueue.java calls the Comparator.java interface while BeanComparator.class also calls the Comparator.java interface.