Closed day1team closed 2 years ago
veo
commented
2 years ago Thanks a lot for submitting this issue
Maybe your understanding of mem is different,I means that the Java Deserialization Vulnerability can be exploited, and can delete jsp webshell file
veo
commented
2 years ago defineClass maybe not compile multiple class files
veo
commented
2 years ago veo
commented
2 years ago 谢谢你的解释。我的意思是我将分离你的 WSProxy ProxyEndpoint 类并编译它。然后会有很多 ProxyEndpoint$class 文件。如果我只是转换 ProxyEndpoint. 类到类字节然后defineClass,在实例化类对象时,方法调用会因为没有内部类而导致代理不可用
Thank you for your explanation. What I mean is that I will separate your WSProxy ProxyEndpoint class and compile it. Then there will be a lot of ProxyEndpoint$class files. If I simply convert ProxyEndpoint. Class to class bytes and then defineClass, when instantiating the class object, the method call will render the proxy unusable because there is no inner class
You might have to google it, I haven't deserialized yet, just write jsp example
veo
commented
2 years ago Deserialization example https://github.com/veo/wsMemShell/blob/main/WsCmd.java
Hello, the fifth point you mentioned is that the inverse sequence can be directly implemented in memory, but this proxy class will compile multiple class files, including internal classes. If you define directly, there is a problem with the processing logic. Do you have a landing implementation scheme