commit https://github.com/apache/activemq/commit/958330df26cf3d5cdb63905dc2c6882e98781d8f
The commit adds a validation check.
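On the server side, the service on port 61616 runs org.apache.activemq.transport.tcp.TcpTransport#doRun,
which receives a command. In org.apache.activemq.openwire.OpenWireFormat#doUnmarshal,
a different unmarshaller is selected according to dataType.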
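In the ExceptionResponseMarshaller unmarshaller, the unmarshalling method looseUnmarshal calls looseUnmarsalThrowable,
which then reads clazz and message in turn from the serialized data stream.
Execution then enters org.apache.activemq.openwire.v12.BaseDataStreamMarshaller#createThrowable.
Here a public constructor taking a single String argument can be invoked on an arbitrary class, which readily brings ClassPathXmlApplicationContext to mind.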
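The reflective pattern described above, next to a form that validates the type before any constructor runs, as an added example that is not ActiveMQ's code or the commit's code. The class ThrowableFactoryDemo and its methods are hypothetical, the Throwable-assignability check is an assumption about what such a validation looks like, and the inputs are constructed with a harmless non-Throwable class (java.lang.StringBuilder).

```java
import java.lang.reflect.Constructor;

public class ThrowableFactoryDemo {

    // Unchecked pattern: any class with a public (String) constructor is instantiated.
    static Object createUnchecked(String className, String message) throws Exception {
        // initialize=false: loading the class does not run its static initializers.
        Class<?> clazz = Class.forName(className, false,
                ThrowableFactoryDemo.class.getClassLoader());
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return ctor.newInstance(message);
    }

    // Checked pattern (assumed form of the validation): reject the type
    // before a constructor of the named class is ever invoked.
    static Throwable createChecked(String className, String message) throws Exception {
        Class<?> clazz = Class.forName(className, false,
                ThrowableFactoryDemo.class.getClassLoader());
        if (!Throwable.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException(
                    "Class is not assignable to Throwable: " + className);
        }
        Constructor<?> ctor = clazz.getConstructor(String.class);
        return (Throwable) ctor.newInstance(message);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: (class name, message) pairs as they would be read off the wire.
        String[][] samples = {
            {"java.lang.IllegalStateException", "broker error"},
            {"java.lang.StringBuilder", "not an exception"},
        };
        for (String[] s : samples) {
            Object o = createUnchecked(s[0], s[1]);
            System.out.println("unchecked: built " + o.getClass().getName());
            try {
                Throwable t = createChecked(s[0], s[1]);
                System.out.println("checked:   built " + t.getClass().getName());
            } catch (IllegalArgumentException e) {
                System.out.println("checked:   rejected " + s[0]);
            }
        }
    }
}
```

The check has to sit before `getConstructor`/`newInstance`: a cast to Throwable after construction would fail too late, because the constructor's side effects have already happened.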
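Next, write a PoC. We need to send an ExceptionResponse to the server; following X1r0z's approach directly, patch org.apache.activemq.transport.tcp.TcpTransport#oneway
to write an ExceptionResponse object, then patch org.springframework.context.support.ClassPathXmlApplicationContext
so that it extends Throwable, and that's it.
The stack trace is as follows: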
start:1071, ProcessBuilder (java.lang)
invoke0:-1, NativeMethodAccessorImpl (jdk.internal.reflect)
invoke:62, NativeMethodAccessorImpl (jdk.internal.reflect)
invoke:43, DelegatingMethodAccessorImpl (jdk.internal.reflect)
invoke:566, Method (java.lang.reflect)
invokeCustomInitMethod:1930, AbstractAutowireCapableBeanFactory (org.springframework.beans.factory.support)
invokeInitMethods:1872, AbstractAutowireCapableBeanFactory (org.springframework.beans.factory.support)
initializeBean:1800, AbstractAutowireCapableBeanFactory (org.springframework.beans.factory.support)
doCreateBean:620, AbstractAutowireCapableBeanFactory (org.springframework.beans.factory.support)
createBean:542, AbstractAutowireCapableBeanFactory (org.springframework.beans.factory.support)
lambda$doGetBean$0:335, AbstractBeanFactory (org.springframework.beans.factory.support)
getObject:-1, 1177721061 (org.springframework.beans.factory.support.AbstractBeanFactory$$Lambda$175)
getSingleton:234, DefaultSingletonBeanRegistry (org.springframework.beans.factory.support)
doGetBean:333, AbstractBeanFactory (org.springframework.beans.factory.support)
getBean:208, AbstractBeanFactory (org.springframework.beans.factory.support)
preInstantiateSingletons:955, DefaultListableBeanFactory (org.springframework.beans.factory.support)
finishBeanFactoryInitialization:920, AbstractApplicationContext (org.springframework.context.support)
refresh:583, AbstractApplicationContext (org.springframework.context.support)
<init>:144, ClassPathXmlApplicationContext (org.springframework.context.support)
<init>:85, ClassPathXmlApplicationContext (org.springframework.context.support)
oneway:144, TcpTransport (org.apache.activemq.transport.tcp)
doOnewaySend:336, AbstractInactivityMonitor (org.apache.activemq.transport)
oneway:318, AbstractInactivityMonitor (org.apache.activemq.transport)
sendWireFormat:181, WireFormatNegotiator (org.apache.activemq.transport)
sendWireFormat:84, WireFormatNegotiator (org.apache.activemq.transport)
start:74, WireFormatNegotiator (org.apache.activemq.transport)
start:64, TransportFilter (org.apache.activemq.transport)
start:1077, TransportConnection (org.apache.activemq.broker)
run:226, TransportConnector$1$1 (org.apache.activemq.broker)
runWorker:1128, ThreadPoolExecutor (java.util.concurrent)
run:628, ThreadPoolExecutor$Worker (java.util.concurrent)
run:834, Thread (java.lang)
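Poor writing, flippant wording, shallow content, clumsy technique. Pointers and corrections from the experts on any shortcomings are welcome; much appreciated.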