
invokeMethod enters an infinite loop when the no-arg target method being called does not exist

Open burpheart opened this issue 5 months ago • 2 comments

The invokeMethod method used by the injector goes into an infinite loop when the no-arg method being called does not exist: when paramClazz == null and the lookup result method is also null, it keeps looping and retrying the match against the class's methods.

https://github.com/pen4uin/java-memshell-generator/blob/2b16edb0e243a3032d7b2ea3ed27962b77419b08/jmg-core/src/main/java/jmg/core/template/TomcatFilterInjectorTpl.java#L253C1-L293C6

    public static synchronized Object invokeMethod(final Object obj, final String methodName, Class[] paramClazz, Object[] param) throws NoSuchMethodException, InvocationTargetException, IllegalAccessException {
        Class clazz = (obj instanceof Class) ? (Class) obj : obj.getClass();
        Method method = null;

        Class tempClass = clazz;
        while (method == null && tempClass != null) {
            try {
                if (paramClazz == null) {
                    // Get all declared methods of the class
                    Method[] methods = tempClass.getDeclaredMethods();
                    for (int i = 0; i < methods.length; i++) {
                        if (methods[i].getName().equals(methodName) && methods[i].getParameterTypes().length == 0) {
                            method = methods[i];
                            break;
                        }
                    }
                    // No NoSuchMethodException is thrown on this path, so when no
                    // zero-arg match exists tempClass is never advanced to its
                    // superclass and the while loop never ends (the bug reported here).
                } else {
                    method = tempClass.getDeclaredMethod(methodName, paramClazz);
                }
            } catch (NoSuchMethodException e) {
                tempClass = tempClass.getSuperclass();
            }
        }
        if (method == null) {
            throw new NoSuchMethodException(methodName);
        }
        method.setAccessible(true);
        if (obj instanceof Class) {
            try {
                return method.invoke(null, param);
            } catch (IllegalAccessException e) {
                throw new RuntimeException(e.getMessage());
            }
        } else {
            try {
                return method.invoke(obj, param);
            } catch (IllegalAccessException e) {
                throw new RuntimeException(e.getMessage());
            }
        }
    }

burpheart avatar Jul 09 '25 09:07 burpheart

@SuppressWarnings("all")
public static Object invokeMethod(Object obj, String methodName, Class<?>[] paramClazz, Object[] param) throws
        Exception {
    Class<?> clazz = (obj instanceof Class) ? (Class<?>) obj : obj.getClass();
    Method method = null;
    while (clazz != null && method == null) {
        try {
            if (paramClazz == null) {
                // getDeclaredMethod throws NoSuchMethodException on this path too,
                // so the superclass step below is always reached when nothing matches.
                method = clazz.getDeclaredMethod(methodName);
            } else {
                method = clazz.getDeclaredMethod(methodName, paramClazz);
            }
        } catch (NoSuchMethodException e) {
            clazz = clazz.getSuperclass();
        }
    }
    if (method == null) {
        throw new NoSuchMethodException("Method not found: " + methodName);
    }
    method.setAccessible(true);
    return method.invoke(obj instanceof Class ? null : obj, param);
}

ReaJason avatar Jul 30 '25 08:07 ReaJason
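The following is an added, self-contained example (not code from the project or from either commenter) that reproduces the two lookup shapes discussed above. It assumes a small hypothetical class hierarchy (`Base`/`Child`) and a hypothetical `findMethod` helper with the same contract as the fix: walk the superclass chain, rely on `getDeclaredMethod` throwing on both the no-arg and the typed path, and fail with `NoSuchMethodException` once the chain is exhausted. `originalScanIterations` keeps the shape of the original `getDeclaredMethods` scan but adds an iteration guard so the demonstration shows, rather than suffers, the non-terminating loop.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

// Added example (not the project's code): bounded reproduction of the lookup
// bug from this issue and the fixed hierarchy walk.
public class MethodLookupDemo {

    // Hypothetical classes used as the search target.
    static class Base {
        private String hello() { return "hello from Base"; }
    }
    static class Child extends Base {
        private String greet(String who) { return "hi " + who; }
    }

    // Fixed lookup: getDeclaredMethod throws NoSuchMethodException for both the
    // no-arg and the typed case, so every miss advances to the superclass and
    // the walk terminates when getSuperclass() returns null.
    static Method findMethod(Class<?> clazz, String name, Class<?>[] paramClazz)
            throws NoSuchMethodException {
        for (Class<?> c = clazz; c != null; c = c.getSuperclass()) {
            try {
                return paramClazz == null
                        ? c.getDeclaredMethod(name)
                        : c.getDeclaredMethod(name, paramClazz);
            } catch (NoSuchMethodException e) {
                // not declared here, keep walking up the hierarchy
            }
        }
        throw new NoSuchMethodException("Method not found: " + name);
    }

    // Mirrors the original no-arg scan but with an iteration guard. Because the
    // scan never throws, tempClass is never advanced on a miss; the guard is the
    // only thing that stops the loop, and the return value shows it tripped.
    static int originalScanIterations(Class<?> clazz, String name, int maxIterations) {
        Method method = null;
        Class<?> tempClass = clazz;
        int iterations = 0;
        while (method == null && tempClass != null && iterations < maxIterations) {
            iterations++;
            for (Method m : tempClass.getDeclaredMethods()) {
                if (m.getName().equals(name) && m.getParameterTypes().length == 0) {
                    method = m;
                    break;
                }
            }
            // Original code: no exception on this path, so no superclass step.
        }
        return iterations;
    }

    // Invocation wrapper with the same obj/Class convention as the helper in the issue.
    static Object invoke(Object target, String name, Class<?>[] paramClazz, Object[] args)
            throws NoSuchMethodException, InvocationTargetException, IllegalAccessException {
        Class<?> clazz = (target instanceof Class) ? (Class<?>) target : target.getClass();
        Method m = findMethod(clazz, name, paramClazz);
        m.setAccessible(true);
        return m.invoke(target instanceof Class ? null : target, args);
    }

    public static void main(String[] args) throws Exception {
        Child child = new Child();
        // No-arg method declared on the superclass: found after one hierarchy step.
        System.out.println(invoke(child, "hello", null, null));
        // Typed lookup declared on the class itself.
        System.out.println(invoke(child, "greet", new Class<?>[]{String.class}, new Object[]{"issue"}));
        // Missing no-arg method: the fixed helper throws instead of looping.
        try {
            invoke(child, "missing", null, null);
        } catch (NoSuchMethodException e) {
            System.out.println("fixed helper: " + e.getMessage());
        }
        // Same input against the original scan shape: the guard trips at the
        // limit, which is what an unguarded loop would never reach.
        int n = originalScanIterations(Child.class, "missing", 1000);
        System.out.println("original loop iterations before guard: " + n);
    }
}
```

Running `main` prints the two successful lookups, the `NoSuchMethodException` from the fixed helper, and an iteration count equal to the guard limit for the original scan, which is the behaviour the follow-up comment reports as a CPU and memory spin inside the injected filter.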

I ran into this problem too: after compiling, the Tomcat memshell keeps running the loop and memory fills up.

mssky9527 avatar Sep 03 '25 12:09 mssky9527