Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Expand file tree

/

Jdk

/
Copy path

Directory actions

More options

More options

Directory actions

More options

More options

Latest commit

 

History

History
History
 
 
/

Jdk

/

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
dnsrebinding
dnsrebinding
 
 
Readme.md
Readme.md
 
 

Readme.md

JDK

jdk>12不能反射修改下面class的成员。 image 思路是通过unsafe api去修改Reflection类的成员,赋值为null.

import sun.misc.Unsafe;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.util.HashMap;

public class bypass {
    private static Unsafe getUnsafe() {
        Unsafe unsafe = null;
        try {
            Field field = Unsafe.class.getDeclaredField("theUnsafe");
            field.setAccessible(true);
            unsafe = (Unsafe) field.get(null);
        } catch (Exception e) {
            throw new AssertionError(e);
        }
        return unsafe;
    }
    public static byte[] readInputStream(InputStream inputStream) {
        byte[] temp = new byte[4096];
        int readOneNum = 0;
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try {
            while ((readOneNum = inputStream.read(temp)) != -1) {
                bos.write(temp, 0, readOneNum);
            }
            inputStream.close();
        }catch (Exception e){
        }
        return bos.toByteArray();
    }

    public void bypassReflectionFilter()throws Exception{
        Unsafe unsafe = getUnsafe();
        Class reflectionClass=Class.forName("jdk.internal.reflect.Reflection");
        byte[] classBuffer = readInputStream(reflectionClass.getResourceAsStream("Reflection.class"));
        //定义一个类,但不让类加载器知道它。
        Class reflectionAnonymousClass = unsafe.defineAnonymousClass(reflectionClass,classBuffer,null);

        Field fieldFilterMapField=reflectionAnonymousClass.getDeclaredField("fieldFilterMap");
        //不需要
        //Field methodFilterMapField=reflectionAnonymousClass.getDeclaredField("methodFilterMap");

        if(fieldFilterMapField.getType().isAssignableFrom(HashMap.class)){
            unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(fieldFilterMapField),new HashMap());
        }
        //if(methodFilterMapField.getType().isAssignableFrom(HashMap.class)){
        //  unsafe.putObject(reflectionClass,unsafe.staticFieldOffset(methodFilterMapField),new HashMap());
        //}
    }
    public static void main(String[] args) throws Exception{
        //绕过Java 反射过滤获取ClassLoader私有字段
        //ClassLoader.class.getDeclaredField("parent");//在之前反射会报错
        new bypass().bypassReflectionFilter();
        ClassLoader.class.getDeclaredField("parent");//在之后反射可以bypass
    }
}

参考:https://github.com/BeichenDream/Kcon2021Code/blob/master/bypassJdk/JdkSecurityBypass.java
Morty Proxy This is a proxified and sanitized view of the page, visit original site.