yso-cc5
1.从入口看
关键类BadAttributevalueExpException。
BadAttributevalueExpException类的readobject,调用 val = valObj.toString()
val已被赋值为TiedMapEntry类,toString方法如下:
public String toString() {
return this.getKey() + "=" + this.getValue();
}
//调用getValue()方法如下
public Object getValue() {
return this.map.get(this.key);
}
//this.map 被赋值为lazyMap ,
// final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
lazyMap .class中方法实现如下:
public static Map decorate(Map map, Transformer factory) {
return new LazyMap(map, factory);
}
protected LazyMap(Map map, Factory factory) {
super(map);
if (factory == null) {
throw new IllegalArgumentException("Factory must not be null");
} else {
this.factory = FactoryTransformer.getInstance(factory);
}
}
LazyMap的get方法,触发了transform方法。
public Object get(Object key) {
if (!super.map.containsKey(key)) {
Object value = this.factory.transform(key);
super.map.put(key, value);
return value;
} else {
return super.map.get(key);
}
}
this.factory被赋值transform链,触发
jdk7中测试发现BadAttributevalueExpException类的tostring方法,无法触发漏洞
public String toString() {
return "BadAttributevalueException: " + val;
}
```
