获取public静态属性
ognl -c 7cd84586 '@com.system.framework.ArtahsDemoClassLoader@pubTestPrex' ognl -c 7cd84586 "@com.system.framework.ArtahsDemoClassLoader@pubfinalTestPrex"输出各式 @Type[属性值],内容如下
@String[static public] ... @String[final static public]获取private静态属性
ognl -c 7cd84586 '@com.system.framework.ArtahsDemoClassLoader@privTestPrex' ognl -c 7cd84586 '@com.system.framework.ArtahsDemoClassLoader@privFnalTestPrex'@String[static private] ... @String[final static private]修改public静态属性,被final修饰,不能被修改
// author:herbert qq:464884492 date:20220331 测试代码想修改FINAL修饰符,结果没有成功 @Test public void testModifyFinal() throws Exception { Field finalField = this.getClass().getDeclaredField("privFnalTestPrex"); finalField.setAccessible(true); System.out.println("==========初始值=========="); System.out.println(finalField.get(null)); Field modiField = Field.class.getDeclaredField("modifiers"); modiField.setAccessible(true); modiField.setInt(finalField, finalField.getModifiers() & ~Modifier.FINAL); finalField.set(null, "修改后FInal"); System.out.println("==========修改值=========="); System.out.println(privFnalTestPrex); }静态变量赋值,不能通过=直接赋值,需要采用反射的方式设置值
ognl '#c=@com.system.framework.ArtahsDemoClassLoader@class,#f=#c.getDeclaredField("pubTestPrex"),#f.set(#c,"modify static public ")'修改private静态属性,需要在反射时调用方法setAccessible,使private特殊转化为public
ognl '#c=@com.system.framework.ArtahsDemoClassLoader@class,#f=#c.getDeclaredField("privTestPrex"),#f.setAccessible(true),#f.set(#c,"modify static private ")'静态方法调用和静态属性一样,格式为@class@method(args)
无参数调用
ognl -c 7cd84586 '@com.system.framework.ArtahsDemoClassLoader@setPublicStaticMethod()' ognl -c 7cd84586 '@com.system.framework.ArtahsDemoClassLoader@modfiyPrivateStaticFiled()'... ======第5次输出====== 源文件初始输出==>static public/static private/testRefect--1/final static public/final static private 源文件初始输出==>static public/static private/testRefect--2/final static public/final static private ======第6次输出====== 源文件初始输出==>modify by method static public/static private/testRefect--1/final static public/final static private 源文件初始输出==>modify by method static public/static private/testRefect--2/final static public/final static private ... ======第11次输出====== 源文件初始输出==>modify by method static public/static private/testRefect--1/final static public/final static private 源文件初始输出==>modify by method static public/static private/testRefect--2/final static public/final static private ======第12次输出====== 源文件初始输出==>modify by method static public/modify by method static private/testRefect--1/final static public/final static private 源文件初始输出==>modify by method static public/modify by method static private/testRefect--2/final static public/final static private ... // author:herbert qq:464884492 date:20220331有参数调用
ognl -c 7cd84586 '@com.system.framework.ArtahsDemoClassLoader@getPublicStaticMethod("input params")' ... ognl -c 7cd84586 '@com.system.framework.ArtahsDemoClassLoader@getStaticPrivateMethod("input params")'@String[input params <==> public static method return string] ... @String[input params <==> private static method return string]从以上的测试结果来说,静态方法不管是public还是private都可以直接调用。
查看某个类实例,无 --limit 参数默认10个
vmtool -c 3e2e18f2 -a getInstances --className *EncryptClass vmtool -c 3e2e18f2 -a getInstances --className *EncryptClass --express 'instances.length' vmtool -c 3e2e18f2 -a getInstances --className *EncryptClass --express 'instances[0]'@EncryptClass[][ @EncryptClass[com.system.framework.EncryptClass@3c573d32], @EncryptClass[com.system.framework.EncryptClass@68390fae], ] ... @Integer[2] ... @EncryptClass[ note=@String[testRefect--1], ]经过上边测试发现,一个类存在多个classloader加载时,需要指定classloader。但从返回结果看,返回了所有classloader加载的实例
调用实例getNote 和setNote 方法
vmtool -c 3e2e18f2 -a getInstances --className *EncryptClass --express '#val=instances[0],#val.getNote()' vmtool -c 3e2e18f2 -a getInstances --className *EncryptClass --express '#val=instances[0],#val.setNote("modify by instance"+#val.getNote())'@String[testRefect--1] ======第7次输出====== 源文件初始输出==>static public/static private/testRefect--1/final static public/final static private 源文件初始输出==>static public/static private/testRefect--2/final static public/final static private ======第8次输出====== 源文件初始输出==>static public/static private/modify by instancetestRefect--1/final static public/final static private 源文件初始输出==>static public/static private/testRefect--2/final static public/final static private从控制台输出结果,对比第7次和8次输出,我们可以发现第一个loader加载的class实例已经成功修改了
获取或者修改第一个实例 note 属性
vmtool -c 3e2e18f2 -a getInstances --className *EncryptClass --express '#val=instances[1].note' vmtool -c 3e2e18f2 -a getInstances --className *EncryptClass --express '#val=instances[1],#val.note="modify by instance"+#val.note'@String[testRefect--2] ... ======第121次输出====== 源文件初始输出==>static public/static private/modify by instancetestRefect--1/final static public/final static private 源文件初始输出==>static public/static private/testRefect--2/final static public/final static private ======第122次输出====== 源文件初始输出==>static public/static private/modify by instancetestRefect--1/final static public/final static private 源文件初始输出==>static public/static private/modify by instancetestRefect--2/final static public/final static private从控制台输出结果,对比第121次和122次输出,我们可以发现第二个loader加载的class实例已经成功修改了
返回的对象集合,可以做二次筛选投影操作,也可以带条件查询符合的数据
vmtool -c 3e2e18f2 -a getInstances --className *EncryptClass --express '#val=instances' vmtool -c 3e2e18f2 -a getInstances --className *EncryptClass --express '#val=instances.{note}' vmtool -c 3e2e18f2 -a getInstances --className *EncryptClass --express '#val=instances.{#this.note}' vmtool -c 3e2e18f2 -a getInstances --className *EncryptClass --express '#val=instances.{? #this.note.indexOf("1")>0}.{note}'@EncryptClass[][ @EncryptClass[com.system.framework.EncryptClass@52790e67], @EncryptClass[com.system.framework.EncryptClass@822cf83], ] ... @ArrayList[ @String[modify by instancetestRefect--1], @String[modify by instancetestRefect--2], ] ... @ArrayList[ @String[modify by instancetestRefect--1], @String[modify by instancetestRefect--2], ] ... @ArrayList[ @String[modify by instancetestRefect--1], ]